Digital assets are susceptible to illicit activities, including money laundering and financing of terrorism (ML/FT) (read in our previous article more about the reasons). In the traditional financial services industry, effective anti-money laundering and combating the financing of terrorism (AML/CFT) frameworks and measures are considered crucial to mitigate these risks. Deriving from this, the Financial Action Task Force (FATF) — an inter-governmental body established to set global AML/CFT standards (the so-called FATF Recommendations) and to promote the effective implementation of respective legal, regulatory, and operational AML/CFT measures — adopted in October 2018 amendments to its Recommendations, which made explicit that the FATF Recommendations also apply to activities involving Virtual Assets (VAs) and likewise cover Virtual Asset Service Providers (VASPs) and other entities engaged in VA activities, such as banks, securities broker-dealers, and other financial institutions. Please note, the FATF uses its own terminology for VA and VASP — have a look at it here.
Obligations posed by the FATF Recommendations
Broadly speaking, these amendments state that the same measures should apply in the same manner to VAs as to traditional assets and that VASPs should fulfill the same obligations as traditional financial institutions (with two exceptions: Recommendations 10 & 16 — see below for further information). To achieve this, duties are posed on the jurisdictions (Section F of the FATF Recommendations) as well as VASPS and other obliged entities:
Jurisdictions are required to:
- Conduct a national risk assessment of the VA sector to understand the national money laundering and terrorist financing risks the sector faces
- Licence or register VASPs and impose AML/CFT obligations on them
- Adequately supervise the sector, monitor compliance, and appropriately sanction unlicensed/unregistered VASPs as well as failures to comply with AML/CFT obligations
VASPs and other obliged entities are required to:
- Conduct a risk assessment to identify and assess the specific risks they face, considering all relevant risk factors, which may include among other aspects: types of involved services, products, or transactions; types of involved VAs; customer related factors; and geographical factors
- Apply all the preventive measures outlined in Recommendations 9–21 (Section D of the FATF Recommendations), whereases the extend of these measures is determined by the conducted risk assessment (so called risk-based approach — RBA).
A closer look at how these obligations apply to VASPs
In the following, we will have a closer look at some of these preventive measures (not conclusive). Please note, countries that are part of the FATF are obliged to transfer the FATF Recommendations into their national law — thus, national legislations have to be consulted for the applicable specifics.
Customer Due Diligence (Recommendation 10)
This recommendation states that “financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names”. To comply with this, VASPS are required to undertake customer due diligence (CDD) measures when: (i) establishing business relations; (ii) carrying out occasional transactions above USD 1’000 (Note here the special requirement for VASPs: The threshold for other entities covered by the FATF Recommendations is USD 15’000); (iii) suspecting a case of ML/TF; and/or (iv) doubting the veracity or adequacy of previously obtained customer identification data.
Example of such CDD measures are (applicability and extend follows RBA):
:: Identifying the customer and verifying the customer’s identity using reliable and independent source documents, data or information
:: Identifying the beneficial owner and taking reasonable measures to verify the identity of the beneficial owner; for legal persons this should include understanding the ownership and control structure
:: Understanding and obtaining information on the purpose and nature of the business relation
:: Conducting ongoing due diligence on the business relation and analysing transactions undertaken during the business relation to validate that these transactions are consistent with the entity’s knowledge of the customer/business
Record-Keeping (Recommendation 11)
This recommendation requires VASPs to keep all necessary records on domestic and international transactions, records obtained through CDD, account files and business correspondence, and results of any analysis undertaken, for at least five years. Such records must be kept in a way to be able to comply swiftly with information requests from authorities.
Politically exposed persons (PEPs) (Recommendation 12)
VASPs must take reasonable measures to determine whether a customer or beneficial owner is a politically exposed person (PEP), either domestic or foreign. Once a PEP is identified, VASPs are required to apply additional measures to the above described CDD measures, such as identifying the source of wealth/fund and conducting enhanced ongoing monitoring of the business relation.
Wire Transfer Rules (Recommendation 16)
In the context of VA, this Recommendation is known as the ‘travel rule’. In short, it requires originator VASPs to obtain and hold required and accurate originator information and required beneficiary information and then submit these information to beneficiary institutions with VA transfers and related messages immediately and securely. On the other hand, beneficiary VASPs are required to obtain and hold the required originator information as well as the required and accurate beneficiary information on the VA transfer. Additionally, originator VASPs and beneficiary VASPs are required to screen these information to confirm that neither the originator nor the beneficiary are a sanctioned name as well as to monitor transactions and report when they raise suspicion. The detailed foreseen requirements for VASPs are outlined in the Interpretive Note to Recommendation 16 and the Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
Reporting of Suspicious Transactions (Recommendation 20)
This Recommendation outlines that VASPs should have the ability to monitor and subsequently flag for further analysis any unusual or suspicious transaction. Such a monitoring system may include the VA ML/TF red flag indicators outlined in the FATF Report Virtual Assets — Red Flag Indicators of Money Laundering and Terrorist Financing. If a VASP suspects or has reasonable grounds to suspect illicit (financial) activities, it is required to report its suspicion to the respective authorities.
Have a look at the the FATF Recommendations for the whole list of Recommendations.
Would you like to stay up-to-date?
Subscribe to our Medium page. Follow us on Twitter and connect on LinkedIn.