Progress and Challenges in Implementing FATF Standards on Virtual Assets and VASPs

The Financial Action Task Force (FATF) has extended its global standards on anti-money laundering and counter-terrorist financing (AML/CFT) to include virtual assets (VAs) and virtual asset service providers (VASPs) in the past four years. While some virtual asset markets have implemented or are in the process of implementing AML/CFT regulations, there is a serious concern regarding the level of compliance with FATF standards.

According to FATF’s assessments, 75% of jurisdictions reviewed are only partially or non-compliant with these standards, indicating a lag in compliance compared to other areas of the financial sector. However, there have been some positive developments in the private sector, with certain players collaborating to improve Travel Rule compliance tools. This demonstrates a willingness to enhance industry compliance, even if shortcomings remain.

Implementation Review of FATF Standards on VAs and VASPs

In this context, a recent report by FATF provides a fourth targeted review of the implementation of FATF Standards on VAs and VASPs, including the Travel Rule, and an update on emerging risks and market developments in this area. Since the adoption of these standards, global implementation has been relatively poor, and compliance remains behind most other financial sectors. Based on 98 mutual evaluation and follow-up reports conducted by FATF, 75% of jurisdictions are only partially or not compliant with the FATF standards.

Jurisdictions continue to struggle with fundamental requirements. Out of 151 respondents to a March 2023 survey on the implementation of Recommendation 15 (R.15), over one third have not conducted a risk assessment. The results of mutual evaluation and follow-up reports show that 73% jurisdictions are not conducting adequate risk assessments. Almost one third of survey respondents have not yet decided if and how to regulate the VASP sector. While 60% of respondents decided to permit VAs and VASPs, 11% report opting to prohibit VASPs.

Mutual evaluation and follow-up results indicate that effectively prohibiting VASPs is difficult; only one jurisdiction taking this approach has been assessed as largely compliant with the FATF requirements. It is further unclear to what extent the decision to prohibit VASPs is the result of a thorough risk assessment.

Challenges in Travel Rule Implementation

The FATF’s Targeted Update highlights the ongoing challenges surrounding the implementation of the Travel Rule by member jurisdictions. Based on the survey conducted by FATF, many member states are still in the early stages of adopting these measures, resulting in fragmented and sub-par implementation across jurisdictions. This continues to expose the virtual assets sector to ML/TF risks. This has been often referred to as the “sunrise issue”. Effectively resolving the sunrise issue for the Travel Rule would require global adherence to the FATF Standards, says Kokila Alagh, Founder and CEO of KARM Legal Consultants.

Jurisdictions have made insufficient progress on implementing the Travel Rule, leaving VAs and VASPs vulnerable to misuse. More than half of the survey respondents (73 of 135, excluding those that prohibit VASPs) have taken no steps towards Travel Rule implementation, and this group is expected to be even larger in reality as it is likely to include the additional 54 jurisdictions that did not respond to the FATF’s survey.

Two-thirds (25 of 38 respondents) of the jurisdictions who assessed VAs/VASPs as high risk and do not take a prohibition approach have not yet passed legislation implementing the Travel Rule. Even among jurisdictions implementing the Travel Rule, supervision and enforcement is low: only 21% (13 of 62 respondents) have issued findings or directives or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance.

The private sector now offers a range of technological tools to enable VASPs to implement the Travel Rule. However, these tools generally do not fully comply with all the FATF’s Travel Rule requirements. Limited progress has been made since last year to improve interoperability between Travel Rule compliance tools, although interoperability is not a precondition for Travel Rule implementation under the FATF Standards. Some jurisdictions and private sector participants believe that enforcement of Travel Rule violations may be a necessary step to push progress in this area.

Some Progress as European Union Takes Action

The situation is evolving with some progress being made as the European Union (EU) passed legislation that establishes a regulatory framework for VASPs and implements the travel rule. This brings the number of jurisdictions that have passed legislation or regulation to implement the travel rule to 58, reflecting more significant progress since 2022, although global compliance remains unsatisfactory.

On April 20, 2023, the EU Parliament approved legislation aimed at tracing transfers of crypto-assets, with the goal of enabling traceability and blocking suspicious transactions. The new legislation, called the Transfer of Funds Regulation (TFR), is an updated version of the existing regulation on information accompanying fund transfers. It expands the scope of the regulation to include Crypto Asset Service Providers (CASPs), in line with the FATF Recommendation 16, commonly known as the “travel rule.”

The TFR aligns the EU’s approach with the FATF’s standards on preventing money laundering and terrorism financing. The regulation was published in the EU Official Journal on June 9, 2023, and came into force on June 29, 2023. It will be fully enforceable throughout the EU by December 30, 2024.

The TFR is applicable to fund transfers involving at least one payment service provider or CASP that is based in the EU. It covers all transfer of funds transactions, including both fiat and cryptocurrencies, regardless of the transaction amount. In cases where CASPs and self-hosted wallets are involved, CASPs are required to gather information on both the sender and recipient. Additionally, transfers exceeding EUR 1000 necessitate verification of self-hosted wallets.

Efforts in the MENA region to Embrace FATF Standards

According to Kokila, the UAE and Bahrain have taken legislative/regulatory steps to incorporate the Travel Rule into their frameworks. In the UAE, practitioners can seek approval from regulators or consult law firms with connections to regulators for guidance, ensuring adherence to the travel rule in principle.

Indeed Soham Panchamiya, an Associate at Reed Smith Soham has acknowledged that the UAE is fortunate in having prominent regulators who actively engage with firms and take decisive positions on crypto-related matters. These regulators have been involved in discussions regarding policies, the travel rule, and technological capabilities, fostering open and transparent communication between regulators and firms. This approach allows firms to express their limitations when dealing with certain Virtual Asset Service Providers (VASPs) and helps minimize compliance challenges.

VARA’s “Virtual Assets and Related Activities Regulations 2023” and its Compliance and Risk Management Rulebook, released on February 7, 2023, establish a comprehensive regulatory framework for virtual assets in Dubai. The rulebook covers licensing, customer due diligence, risk management, and compliance with the Crypto Travel Rule. Virtual Asset Service Providers (VASPs) in Dubai must demonstrate Travel Rule compliance during the licensing process. They need to submit policies and controls to VARA and include a plan for Travel Rule compliance in jurisdictions where it is not mandatory, addressing the “sunrise issue.” The minimum threshold for Travel Rule compliance in Dubai is AED 3,500.

Additionally, VASPs are required to gather Originator and Beneficiary information before initiating outbound transactions and granting access to funds from inbound transactions. VARA advises VASPs to manage risks associated with self-hosted wallets, but does not provide specific guidelines on handling these risks. VASPs must also perform risk-based due diligence on counterparty VASPs to mitigate AML/CFT risks. The Compliance and Risk Management Rulebook explicitly acknowledges the “sunrise issue” and emphasizes the need for VASPs to include a Travel Rule compliance plan for virtual asset service providers in jurisdictions where it is not legally required.

Bahrain has made significant progress in enhancing its measures to combat money laundering and terrorist financing. As a result, several FATF standards have been re-rated to reflect the improved compliance. FATF recommendations 1, 5, 6, 7, and 23 have been upgraded from Partially Compliant to Largely Compliant, while Recommendations 2 and 18 have been elevated from Largely Compliant to Compliant. Additionally, Recommendation 15 has been re-rated as Largely Compliant. Currently, Bahrain is considered “Compliant” on 9 recommendations, “Largely Compliant” on 30, and “Partially Compliant” on 1 out of the total 40 recommendations. Despite these advancements, Bahrain remains under Enhanced Follow-Up.

However, Qatar has faced criticism from FATF for weaknesses in the supervision of its digital currency industry, with the FATF highlighting the need for increased monitoring of digital asset usage. Loopholes in Qatar’s anti-money laundering (AML) rules have exposed the country to risks related to terrorism financing, smuggling, fraud, and drug running, potentially leading to a downgrade to the FATF’s grey list. The report also noted that Qatar’s lenient handling of AML violations and low compliance with the FATF’s travel rule for virtual currency transactions were areas of concern. However, the FATF commended Qatar’s efforts in confiscating assets linked to criminal proceeds. Qatar’s central bank defended itself, emphasizing its commitment to combating illicit financing.

Emerging Risks and Concerns

Recent reports raise serious concerns about the threat posed by the Democratic People Republic of Korea’s (DPRK) illicit VA-related activities, including ransomware attacks and sanctions evasion, for financing the proliferation of weapons of mass destruction. This activity has enabled an unprecedented number of recent launches of ballistic missiles (including inter-continental ballistic missiles).

This threat is significant given both the scale of the funding (USD 1.2 billion worth of stolen VAs since 2017, including VAs stolen from DeFi arrangements) and the serious consequences of proliferation financing. Virtual assets are also posing increasing terrorist financing risks, including for fundraising by ISIL, Al Qaeda and right-wing extremist groups, although the vast majority of terrorist financing still takes place using fiat currency.

“The failure of a centralized exchange has led to an influx of decentralized exchanges and decentralized exchanges”, says Gilson Costa, CEO of VAF Compliance. “The money laundering and terrorist financing risk posed by Decentralized Finance (DeFi) is relatively low but requires ongoing assessment”, he added.

Some jurisdictions reported challenges in mitigating the risks posed by DeFi and unhosted wallets. These challenges include identifying specific persons responsible for VASP obligations in DeFi arrangements, assessing the illicit finance risks associated with unhosted wallet transactions including P2P transactions, and filling data gaps.

 As the VA ecosystem continues to evolve, and more VASPs implement AML/CFT controls, the risks posed by DeFi and P2P transactions could increase. This is particularly the case if VAs are mass-adopted and more commonly used for payments (without needing to access fiat currency). Both jurisdictions and the private sector should strengthen efforts to monitor these risks, share approaches, and identify challenges to mitigate such risks, in addition to implementing the FATF Standards.

“The Targeted Update serves as a much-needed wake-up call to all member states. It is a step in the right direction to harmonise the frameworks and to ensure security in virtual asset transactions”, says Kokila.