A global watchdog group has issued the first ever broad international recommendations to cover virtual value with financial crime compliance rules, including stringent requirements to capture and share customer data with related crypto-enabled entities, risk assess customers and businesses for illicit inclinations, monitor for aberrant activity and file reports to law enforcement.

In much-anticipated guidance, the Paris-based Financial Action Task Force (FATF), which sets global anti-money laundering (AML) and counter financing of terror (CFT) standards, issued a framework for how financial crime compliance rules should ensconce crypto exchanges and an individual, entity or company exchanging virtual value to fiat currency and back for others and as a business.

In the roughly 60 pages of text, FATF has ushered in a new order for the nascent sector, in some ways helping in its search for legitimacy, in other ways making new challenges as firms of all sizes must now create, staff, run, report on and remediate AML programs – and have those programs graded by applicable regional regulatory authorities.

The guidance and related interpretative note to its recommendations covers virtual asset (VA) activities and virtual asset service providers (VASPs) – think formal crypto currency exchanges – and even smaller operations, which could face difficulties in capturing, analyzing and sharing the details of customers and users with other service providers, brick-and-mortar institutions and investigators.

“The threat of criminal and terrorist misuse of virtual assets is serious and urgent,” FATF said in a public statement, adding that the group expects all countries to “take prompt action to implement the FATF Recommendations,” giving countries 12 months to implement and abide by the guidelines, with a review set for June 2020.

The key pieces of the guidance include:

• Virtual asset exposure, risk assessments: Obligations requiring countries to assess and mitigate their risks associated with virtual asset activities and service providers.
• Licensing, registration regulatory reviews: License or register service providers and subject them to supervision or monitoring by competent national authorities – notably, countries will not be permitted to rely on a self-regulatory body for supervision or monitoring – and implement sanctions and other enforcement measures when service providers fail to comply with their AML/CFT obligations.
• Multi-country, agency cooperation, coordination: The guidance also underscores the importance of international cooperation. Some countries may decide to prohibit virtual asset activities based on their own assessment of the risks and regulatory context, or to support other policy goals.

U.S. Treasury Secretary Mnuchin: Crypto transactions can’t be secret

FATF, which is closing out a very successful and influential U.S. Presidency, put the finial on its Plenary in Orlando, Fl. with a visit from U.S. Treasury Secretary Steven Mnuchin, who stated that the world must follow in America’s footsteps by having crypto operations by subject to the same AML obligations as other financial institutions.

“By adopting the standards and guidelines agreed to this week, the FATF will make sure that virtual asset service providers do not operate in the dark shadows,” he said in front of hundreds of delegates from FATF member countries.

“This will enable the emerging FinTech sector to stay one-step ahead of rogue regimes and sympathizers of illicit causes searching for avenues to raise and transfer funds without detection,” Mnuchin said, a clear nod to rogue regimes like Iran and North Korea, which have used virtual worlds to evade ever-more aggressive U.S. sanctions.  

“We will not allow cryptocurrency to become the equivalent of secret numbered accounts,” he said. “We will allow for proper use, but we will not tolerate the continued use for illicit activities. We must work together to ensure that virtual assets are no longer a safe haven for illicit actors to end-run around established AML/CFT safeguards.”

Under these new measures, virtual asset service providers will be required to implement the same AML/CFT requirements as traditional financial institutions, Mnuchin, saind, including:

• Identify who they are sending funds on behalf of, and who is the recipient of those funds;  
• Develop processes where they are required to share that information with other providers of virtual assets, and law enforcement;  
• Know their customers and conduct proper due diligence to ensure they are not engaging in illicit activity; and,    
• Develop risk-based programs that account for the risks in their particular type of business.

Cruising in a crypto world? Get a license

The guidance “highlights the key elements required to qualify as a VASP, namely acting as a business on behalf of the customers and actively facilitating VA-related activities,” according to FATF, adding that it reviews the five types of activities covered by the VASP definition and provides examples of VA-related activities that would fall within the VASP definition and others that would be specifically excluded.

At the heart of the guidance are requirements for operations captured by compliance rules that they must also determine where and how they touch the jurisdictions they operate as they also need to apply and be licensed in those countries – even though, at present, those countries may not know what regulator will do the examining or have a licensing regime in place.

The guidance clearly puts more pressure on countries to determine what VASPs touch their jurisdiction and in what way, requiring them to act as the official or de facto regulator.

At a minimum, VASPs need to register and be licensed “where they were created; or in the jurisdiction where their business is located in cases where they are a natural person, but jurisdictions can also choose to require VASPs to be licensed or registered before conducting business in their jurisdiction or from their jurisdiction.”

The guidance “further underlines that national authorities are required to take action to identify natural or legal persons that carry out VA activities without the requisite license or registration. This would be equally applicable by countries which have chosen to prohibit VA and VA activities at national level."

Regarding VASP supervision, the guidance makes “clear that only competent authorities can act as VASP supervisory or monitoring bodies, and not self-regulatory bodies."

And these regulators should also cooperate aggressively with foreign or regional examiners.

Regulators “should conduct risk-based supervision or monitoring, with adequate powers, including the power to conduct inspections, compel the production of information and impose sanctions. There is a specific focus on the importance of international co-operation between supervisors, given the cross-border nature of VASPs’ activities and provision of services.”

Knowing the identities, risks of customers  

But in order for VASPs and related operations to even risk assess users for financial crime vulnerabilities, they must engage in baseline customer due diligence (CDD), know-your-customer (KYC) and similar customer identification initiatives.

For instance, the guidance notes that VASPs must when occasional transactions breach the USD/EUR 1,000 threshold, exchanges must engage in CDD, with the “obligation to obtain, hold, and transmit required originator and beneficiary information, immediately and securely, when conducting VA transfers.”

FATF VASP guidance parallels FinCEN findings

Similar to the FATF guidance, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) last month also released guidance covering the crypto coinage sector, focusing on some of the more nuanced areas of where AML rules can be tripped.

The core of the FinCEN missive is this: If you use a person-to-person (P2P) crypto exchange and transfer virtual coins into money and back for others as a business, you are a money transmitter and must have a financial crime compliance program.

If you are the administrator of an exchange that allows people to do this, you are likely also a “money services business” for fincrime compliance purposes.

But if you are a person who “infrequently” trades value on a P2P exchange without attempting to make a profit, you haven’t officially tripped AML rules under the U.S. Bank Secrecy Act (BSA) while transacting in the convertible virtual currency (CVC) sector.

FinCEN also detailed “red flags” for crypto exchangers – formal exchanges and platforms that allow individuals to buy and sell with each other – to understand when transactions could be tied to illicit groups or darknet sites, with further transactional tells to help financial institutions uncover that an account is tied to a crypto exchange, but the operation never told the bank.

The guidance came on the heels of a key U.S. penalty in the crypto space in April.

FinCEN in its first foray against a peer-to-peer crypto exchange, fined a tiny, one-person operation $35,000 for buying and selling millions of dollars in Bitcoin over a roughly two-year period for a bevy of individuals with virtually no financial crime compliance program to speak of – including failing to file on any large or risky transactions.

The guidance could have prevented such a failing.

Through 30 pages of guidance, the central prevailing theme is that if you take money, change it into digital coinage, and make money doing it, and the inverse of that scenario, you are likely caught by federal AML rules.

This is true whether you are a formal exchange, individual or attempting to create a new avenue of virtual value – such as initial coin offerings (ICOs) – if you take fiat funds, and exchange it for crypto funds, regardless of the name and value, and vice versa, you would “generally” become a money services business (MSB) for AML purposes, specifically a money transmitter.

As such, that operation, or even that individual, would need to register with FinCEN as a money transmitter and create the four-pronged AML program, including policies and procedures, a compliance officer, AML training and independent auditing, with the addition of more recent formally finalized tangs, a customer risk assessment and transaction monitoring system.  

“A natural person operating as a P2P exchanger that engages in money transmission services involving real currency or CVCs must comply with BSA regulations as a money transmitter acting as principal. This is so regardless of the regularity or formality of such transactions or the location from which the person is operating,” according to FinCEN.

To read ACFCS coverage of the FinCEN guidance, click here. To read the FinCEN guidance itself, click here.  

Guidance also exhorts banks to review VASP customers

The guidance is quick to point out that these VASP operations don’t operate in a vacuum.

Their main nexus to the real world are traditional financial institutions. As a result, FATF in the guidance is urging banks to ensure their VA and VASP customers are upholding their end of the bargain by querying these operations on their programs, customer, geographic and related risks.

Other stakeholders, including FIs and other obliged entities that provide banking services to VASPs “should also consider the aforementioned factors,” FATF said. “FIs should apply a risk-based approach when considering establishing or continuing relationships with VASPs or customers involved in VA activities, evaluate the ML/TF risks of the business relationship, and assess whether those risks can be appropriately mitigated and managed.”