Policy & Regulation

FATF’s Proposed Updated Guidance for Cryptocurrency Regulation: Everything You Need to Know

On March 19, 2021, the Financial Action Task Force (FATF) released proposed updates to its 2019 guidance for how member jurisdictions should regulate and supervise the cryptocurrency ecosystem. If adopted by FATF and implemented by member jurisdictions, the new guidance would expand the definition of Virtual Asset Service Providers (VASPs) to include many non-custodial cryptocurrency businesses, making them subject to AML/CFT regulations. While Chainalysis is in favor of regulations that effectively prevent financial crime, we believe parts of the proposed guidance overreach by placing an unreasonable regulatory burden on new and emerging cryptocurrency markets where no evidence of criminal activity exists today, which would ultimately stifle future innovation.

FATF’s proposed guidance takes a more technology-agnostic approach to cryptocurrency regulation, and would designate cryptocurrency businesses as VASPs based solely on whether they facilitate the transfer or exchange of assets regardless of how they do so at the technical level. Under this proposal, non-custodial services like DeFi protocols would be regulated as VASPs if they enable users to exchange or transfer funds. FATF would even apply this regulatory framework to cryptocurrency businesses that in the future utilize new innovations that don’t exist today, and require them to follow VASP regulations before launch. In addition, the guidance would have implications for non-fungible tokens (NFTs), self-hosted wallets, and the Travel Rule. Below, we’ll summarize the changes and lay out the implications should they be enacted.

DeFi, P2P exchanges, and NFTs

Many have argued that DeFi protocols such as decentralized exchanges (DEXes) aren’t VASPs subject to AML/CFT regulations, as they don’t take custody of users’ funds and can run autonomously without human intervention. FATF’s proposed guidance would contradict that. Paragraph 57 of the proposed rules document has the key language:

“A DApp itself (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology… However, entities involved with the DApp may be VASPs under the FATF definition. For example, the owner/operator(s) of the DApp likely fall under the definition of a VASP… The decentralization of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place.” 

In other words, the new rules wouldn’t designate DeFi protocols themselves as VASPs, but would instead give that designation to the protocols’ “owners and operators.” The distinction may seem small, but the message from FATF is that even decentralized, non-custodial services can be treated as VASPs if there’s a central group of people — the owners and operators — managing them. Paragraph 77 expands a bit on who owners and operators might refer to in this context:

“When there is a need to assess a particular entity to determine whether it is a VASP or evaluate a business model where VASP status is unclear, a few general questions can help guide the answer. Among these would be who profits from the use of the service or asset, who established and can change the rules, who can make decisions affecting operations, who generated and drove the creation and launch of a product or service, who possesses and controls the data on its operations, and who could shut down the product or service.”

While the guidance doesn’t provide an exact criteria for who would be designated as a VASP in this scenario, it suggests that regulators should look to the person or group of people who control and profit from a service like a DeFi protocol. FATF is proposing that even if a service’s underlying technology may not meet the VASP standard, if it functions as a VASP, someone associated with it must be designated as a VASP and held accountable for compliance. This of course would apply to nearly all of the major DeFi platforms currently operating, as well as any new ones entrepreneurs seek to build in the future.

The proposed guidance applies similar logic in designating peer-to-peer (P2P) exchanges as VASPs. Paragraph 75 reads:

“For self-described P2P platforms, jurisdictions should focus on the underlying activity, not the label or business model. Where the platform facilitates the exchange, transfer, safekeeping or other financial activity involving VAs… then the platform is necessarily a VASP conducting exchange and/or transfer activity as a business on behalf of its customers.”

While a P2P exchange may technically only be facilitating direct transactions between users without taking custody of funds, if those transactions amount to VASP activity, then the exchange would be treated as a VASP under the new rules.

Paragraph 78 lays out a similar argument for designating non-standard currencies as virtual assets (VAs). The relevant section says in part:

“Some items—or tokens—that on their face do not appear to constitute VAs may in fact be VAs that enable the transfer or exchange of value or facilitate ML/TF. Secondary markets also exist in both the securities and commodities sectors for “goods and services” that are fungible and transferable. For example, users can develop and purchase certain virtual items that act as a store of value and in fact accrue value or worth and that can be sold for value in the VA space.”

This definition would almost certainly apply to one of the hottest new asset types in cryptocurrency today: non-fungible tokens (NFTs). While NFTs may not resemble traditional cryptocurrencies, if they can be transferred between users and exchanged for other currencies, then they would be subject to the same regulations as other VAs under the proposed rules. This definition would also likely apply to things like video game currencies, which can be exchanged for in-game goods but also for cash on certain secondary marketplaces. While that may seem  unreasonable, the authorities have already dealt with cases of video game currencies being used by organized crime groups for money laundering, exemplifying why FATF would want them subject to standard compliance procedures.

Stablecoins

FATF’s proposed guidance reiterates its previous recommendation that stablecoins be regulated as virtual assets. However, there’s a new wrinkle. Similar to how the owners and operators of DeFi protocols would be treated as VASPs should the proposed guidance go into effect, so too would the governing board or central developers of any given stablecoin issuer — who gets designated is based on the exact roles that group fulfills. According to Paragraph 72,  anyone who manages the reserves backing a stablecoin, controls its price stabilization mechanisms, or facilitates its integration into exchanges or other VASP platforms would be designated as a VASP and subject to the associated regulations.

Paragraph 73 elaborates on the regulatory framework behind the stablecoin proposal, saying:

“Again, this is not meant to implicate those developing software code, but rather the decision-making entity that controls the terms of the financial service provided.”

Similar to the reasoning behind designating DeFi protocol operators and P2P exchanges as VASPs, FATF is proposing that if a stablecoin is fulfilling a VASP function, then the people driving its strategy and operations will be regulated as VASPs.

Self-hosted wallets

FATF’s new proposed recommendations wouldn’t change self-hosted wallets’ regulatory status. They would still not be considered VASPs, and transactions between them would not be subject to any compliance obligations. However, FATF makes it clear that they consider self-hosted wallets especially risky, claiming that some jurisdictions could face “systemic [money laundering and terrorism financing] vulnerabilities” if self-hosted wallet transactions become mainstream. The proposed rules ask VASPs to look for ways to minimize the risk from self-hosted wallets if their platforms allow transactions with them, and suggest jurisdictions use blockchain analysis to measure and mitigate the risks brought on by self-hosted wallets.

Additionally, in Paragraph 91, FATF suggests jurisdictions consider imposing stronger rules for VASPs that allow transactions with self-hosted wallets if the AML/CFT risks associated with them are “unacceptably high.” Those rules can include:

  • Requirements that VASPs file currency transaction reports (CTRs) for transactions with self-hosted wallets.
  • Enhanced supervision for VASPs allowing users to transact with self-hosted wallets
  • Additional compliance requirements for VASPs allowing transactions with self-hosted wallets
  • Denial of licensing for VASPs allowing transactions with self-hosted wallets

We should note that we objected to the rule requiring VASPs to file CTRs for transactions involving self-hosted wallets when the U.S. Department of the Treasury proposed it in December (the comment period on this proposal is still open), and many of the rules FATF suggests for jurisdictions go much further than that.

What’s important to note here is that the proposed guidance would give jurisdictions the flexibility to determine the strictness of their VASP regulations based on their own risk assessments. However, such flexibility would likely come with a catch. If a jurisdiction was perceived as enacting regulations that are too lenient, they could be considered riskier as a result, which could in turn make it more difficult for VASPs within that jurisdiction to do business with those located in other jurisdictions with more stringent regulations.

Travel Rule adjustments

FATF’s proposed guidance reiterates the Travel Rule but leaves it largely unchanged, save for four minor amendments:

  • Under the proposed guidance, the Travel Rule would apply to more transactions because more cryptocurrency businesses would be treated as VASPs with the addition of DeFi protocols and P2P exchanges.
  • The proposal would require VASPs to conduct sanctions screening on customers’ counterparties as part of their Travel Rule compliance processes.
  • Transactions between VASPs and self-hosted wallets would be subject to a data collection requirement, meaning that VASP users transacting with a self-hosted wallet would have to provide information on the owner of that self-hosted wallet.
  • VASPs would have to conduct counterparty due diligence before transmitting the required customer information to other VASPs on Travel Rule transactions.

The proposed guidance also notes that VASPs will likely need to adopt blockchain analysis and other tools in order to conduct the counterparty due diligence demanded by the Travel Rule. Chainalysis recently partnered with compliance platform Notabene to offer an integrated solution that enables VASPs to meet those requirements.

Innovation impact

Finally, FATF’s proposed guidance includes provisions that could have a significant impact on future innovation in cryptocurrency. Specifically, it would call on anyone developing new technologies that could facilitate cryptocurrency transactions to consider themselves VASPs from the moment development begins, and to start implementing VASP compliance standards before a product is launched.

Paragraph 68 contains relevant language:

“A person that develops or sells either a software application or a VA platform (i.e., a software developer) may therefore not constitute a VASP when solely developing or selling the application or platform. They may however be a VASP if they also use the new application or platform to engage as a business in exchanging or transferring funds or conducting any of the other financial activity described above on behalf of another natural or legal person. Moreover, a party directing the creation and development of the software or platform and launching it for them to provide financial services for profit likely qualifies as a VASP, and is therefore responsible for complying with the relevant AML/CFT obligations. It is the provision of financial services associated with that software application or platform, and not the writing or development of the software itself, which is in scope of the VASP definition.”

Paragraph 90 goes on to note that anyone building a service that will fulfill the functions of a VASP would need to be able to meet compliance requirements before launch:

“Where there is a central developer and governance body which is a FI or a VASP at any stage of development, it is critical that national AML/CFT supervisors ensure that the body is taking adequate steps to mitigate the ML/TF risks, before launch where the preparatory activities mean that the entity is a FI or a VASP, and on an ongoing basis.”

FATF’s proposed guidance here takes the logic behind the designation of DeFi protocols and P2P exchanges as VASPs, and applies it to any new cryptocurrency technologies and business models that may be developed in the future. The message is clear and consistent with the rest of the document: Under the proposed guidance, any application that fulfills the functions of a VASP for users would be regulated as a VASP regardless of the underlying technology. That means anyone developing new technology not yet explicitly covered under FATF guidance would need to start meeting VASP regulatory requirements while still under development if the creator has any intention of releasing it as a product or service.

If adopted, this provision could severely hamper future innovation in cryptocurrency and fintech. Creators of new technologies have historically been most successful in environments initially free from such guardrails and controls, as this gives them the greatest freedom to put new ideas into practice. If the creators of Bitcoin had been forced to meet the compliance requirements of traditional finance from the outset of the project, it’s unlikely that cryptocurrency would exist at all. The cryptocurrency industry should keep that in mind during the public comment period for the proposed guidance.

Working together to foster sensible regulation

Overall, FATF’s proposed guidance suggests the task force plans to move cryptocurrency regulation in a more technology-agnostic direction, and regulate cryptocurrency businesses based solely on the functions they fulfill. While this is a reasonable goal, we believe that applying that standard to as yet non-existent business models and requiring developers to demonstrate regulatory compliance before launch could hamper innovation in cryptocurrency.

We look forward to submitting a formal response to FATF while the public comment period is open and encourage others in the industry to do so as well. If you have questions on any regulatory matters or want to learn more about how blockchain analysis can help cryptocurrency businesses remain compliant, please contact Chainalysis here.