Skip to main content

Clifford Chance

Clifford Chance

Regulatory Investigations and Financial Crime Insights

Crypto exchanges have 12 months to implement FATF anti-money laundering standards

FATF Recommendation 15 means that crypto exchanges and other virtual asset service providers must share originator and beneficiary information during transactions between exchanges.

The Financial Action Task Force (FATF) Recommendation 15 has now been formally adopted at the third and last Plenary of the FATF under the US Presidency of Marshall Billingslea. FATF Recommendation 15 sets out more detailed implementation requirements for what FATF considers effective regulation and supervision/monitoring with respect to anti-money laundering (AML) and counter financing of terrorism (CFT) for virtual asset services providers (VASPs). It also sets out how the FATF standards apply to activities or operations involving virtual assets.

"Virtual assets" and "virtual asset service providers" (VASPs)

FATF defines a virtual asset to be a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes (i.e. a crypto asset or crypto currency). A virtual asset service provider or VASP means any natural or legal person who as a business conducts one or more of: i) exchange between virtual assets and fiat currencies; ii) exchange between one or more forms of virtual assets; iii) transfer of virtual assets; iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

FATF now requires countries to require VASPs to be licensed or registered, and to subject VASPS to adequate regulation and supervision or monitoring for AML/CFT.

Application of the travel rule to VASPs

The most problematic part of the requirements is that contained in paragraph 7(b) of the Interpretative Note to FATF Recommendation 15:

"Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities."

This effectively applies what is often called the "travel rule" to crypto exchanges and means that crypto exchanges and other VASPs must share originator and beneficiary information during transactions between exchanges.

While the travel rule (which is a rule under the US Bank Secrecy Act that requires traditional financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution) makes sense in a context where all financial transactions are sent through intermediaries, virtual asset transactions can occur not just through crypto exchanges or other businesses, but also from person to person, person to machine, machine to machine, via smart contracts and through multiple other combinations and potential endpoints.

Those in the industry are understandably sceptical about how these recommendations will apply to crypto. Implementation of systems to collect and then transmit the information which it is required that VASPs exchange will be an onerous task. Arguments have been made that the inclusion of this "travel rule" will drive users of virtual assets, and therefore criminal users of such assets, underground. High profile critics include the former FATF President Roger Wilkins AP, who was quoted in a report by industry media outlet Cointelegraph Japan:

“What we are hearing from industry is that the new rules may have the opposite effect to which they were intended, effectively forcing crypto transactions off the controlled platforms, which are currently one of the best avenues we have in gaining visibility over financial crime.

Countries are required to make not only VASPs, but also their directors and senior management, subject to sanctions for failure to comply with this and other AML/CFT requirements.

Implementation of FATF Recommendation 15

It may be called a recommendation, but the fact that FATF's recommendations are not binding international law does not mean they can be ignored. FATF includes all the key financial systems, and those systems will implement FATF recommendations as law. It is inconceivable that the US and UK would not implement them – and where they go financial services has to follow. Jurisdictions who do not bring their systems into line with FATF's standards risk being placed on the FATF grey list, which is a yellow card on the way to the black list. In the worst-case scenario, a country on the grey list could face issues such as economic sanctions or problems getting loans from international institutions (e.g. the IMF). While this may not be the case, at the least being added to the grey list is an indicator to the global financial and banking system about heightened risks in transactions with that country. As such, while it may take some countries longer than others to implement the Recommendations, VASPs looking to use regulatory arbitrage to relocate their operations to a more favourable regime may reach the end of the road in due course once the Recommendations have been more widely implemented under FATF pressure to do so.

The G20 reaffirmed it would align with the FATF standards earlier in the month. Member States have been quick to endorse the Recommendation.

In the US, Treasury Secretary Steven Mnuchin stated:

"The [FATF] Interpretive Note adopted this week includes virtual asset standards that are binding to all countries. By issuing updated guidance, the FATF is enhancing financial transparency and setting expectations. This will enforce a level playing field for virtual asset service providers, including cryptocurrency providers, and traditional financial institutions. Under these new measures, virtual asset service providers will be required to implement the same AML/CFT requirements as traditional financial institutions. They will need to: - Identify who they are sending funds on behalf of, and who is the recipient of those funds; - Develop processes where they are required to share that information with other providers of virtual assets, and law enforcement; - Know their customers and conduct proper due diligence to ensure they are not engaging in illicit activity; and, - Develop risk-based programs that account for the risks in their particular type of business. By adopting the standards and guidelines agreed to this week, the FATF will make sure that virtual asset service providers do not operate in the dark shadows."

In the EU, member states are considering how to implement the Fifth Money Laundering Directive (5MLD) which will come into force on 10 January 2020. 5MLD introduces regulation for crypto-to-fiat exchanges and custodian wallet providers, who must now be registered with the competent authority where they are domiciled. While 5MLD does not require member states to apply AML obligations to exchanges more broadly (contrast the FATF definition of VASPs) it is expected that some members states will be considering whether a broader approach in their national legislation is needed, particularly in light of the FATF Recommendation. For example, in the UK, a consultation by HM Treasury indicates that there will be significant gold-plating of the 5MLD requirements when they are implemented into national law, such that regulation is likely to be applied to all digital assets and not just cryptocurrencies, to exchanges more broadly (and not just crypto-to-fiat) and extra-territorially to those providing services to people in the UK, even where the provider is based outside the UK.

The Asia-Pacific region has become the centre of gravity for digital assets. Although there is no single set of AML/CFT rules that apply to the 40+ countries and jurisdictions, the Asia/Pacific Group on Money Laundering (APG), which is a FATF-style regional body and an associate member of the FATF, will require its members to implement the FATF recommendations according to their own particular constitutional framework (as stated in the APG's Terms of Reference). It is likely that the Interpretive Note to FATF Recommendation 15 will be further discussed in the upcoming annual meeting of the APG in September 2019 in Australia; and jurisdictions that are considered more crypto-friendly (such as Japan or Thailand) may move faster in rolling out the relevant local AML rules.

FATF will give countries 12 months to abide by the Recommendation, with a review set for June 2020. Those who fall within the definition of VASPs need to find the technological solutions to align with the FATF standards fast if they are to keep up with this deadline.

Contributions from Megan Gordon (Partner, Washington D.C.) and William Wong (Consultant, Hong Kong).

More information

Megan Gordon, Ellen Lake and Jesse Overall (Associate, New York) were interviewed by Reuters for their views on this topic. See Megan's comments in Reuters' coverage here.

FATF's Public Statement on Virtual Asserts and Related Providers of 21 June 2019, together with links to the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, can be found here.