Financial Action Task Force updates its Virtual Asset Service Providers guidance

24 November 2021

On 28 October 2021, the Financial Action Task Force (“FATF”) published updated guidance relating to Virtual Assets (“VAs”) and Virtual Asset Service Providers (“VASPs”). This builds upon guidance published in 2019 and aims to help countries to understand and implement money laundering and terrorist financing obligations relating to this continually growing sector.

In particular, the updated guidance focusses on six discrete aspects of the VASP landscape:

  1. Providing greater clarity on the definition of VAs and VASPs and, crucially, which types of these are in scope for national money laundering and terrorist financing obligations;
  2. Setting out more granular guidance relating to “stablecoins” (i.e. VAs or financial instruments tethered to a physical asset, such as a fiat currency, to reduce its level of volatility and thus increase mass-market attractiveness and usability);
  3. Detailing additional guidance relating to the risks associated with peer-to-peer (“P2P”) VA and VASP transactions, and tools and techniques which could be adopted by countries to mitigate these;
  4. Indicating details about the licensing and registration of VASPs which should occur at national level for supervisory purposes;
  5. Providing guidance targeted at both the public and private sector with respect to the “travel rule,” which places obligations on both beneficiary and remitter institutions; and
  6. Setting out guidance as to how national VASP supervisors can communicate and collaborate effectively to share intelligence and support investigations.

The FATF strongly encourages nations to ensure that VASPs are appropriately licensed and/or registered to capture them within the supervisory remit. This applies both in the jurisdiction(s) where the VASPs are created/primarily operate or in other host jurisdictions where VASPs offer their products/services.

Therefore, as the regulatory scrutiny enhances on both VASPs and institutions seeking to engage with the VA sector, in this article we discuss our top three considerations for market participants to keep on their radar. We also explore the impact of increasing VA and VASP popularity on the UK market in particular and what could be coming down the track in our home market.

Key considerations and actions which the market should be taking

Money laundering and terrorist financing risks associated with stablecoins

Stablecoins are VAs which are tethered to physical assets, such as a fiat currency or high value goods. This renders them considerably less volatile and more predictable than other forms of VA and, as a result, gives them the most potential for mass adoption by both individual and institutional investors. While mass adoption brings benefits for consumers, such as ease of free exchange and increased liquidity, these characteristics of stablecoins are also attractive to criminals seeking to exploit them for illicit purposes. For example, criminal users may attempt to take advantage of the global reach and transaction speed that VAs (and particularly stablecoins) offer. This is further compounded by uneven or (in some cases) inadequate regulation/supervision of VA activities and providers across jurisdictions, which creates an inconsistent legal and regulatory playing field in the VA ecosystem.

As the popularity of stablecoins continues to increase, the FATF suggests that various measures could be considered to seek to mitigate risks. These include:

  1. National governments should firstly determine whether stablecoins are considered, and thus regulated, as a VA or a financial instrument. The national legislative framework should then be updated accordingly in line with FATF guidance pertaining to the type of structure opted for. Legislation should take a two-pronged approach, whereby provisions cover the obligations for VASPs themselves but also requirements aimed at other types of institution (such as banks) when engaging with VAs and/or VASPs;
  2. Countries, entities regulated for anti-money laundering purposes and VASPs (both regulated and unregulated) should take a proactive approach with respect to money laundering and terrorist financing horizon scanning. This may pose significant challenges given that some VASPs have an extensive geographical footprint spanning jurisdictions with varying levels of anti-money laundering effectiveness. Risks should be identified and assessed prior to the launch of any stablecoin, and steps should be taken to mitigate risks both prior to and after such launch.

The FATF guidance demonstrates the importance of collaboration between regulators and both the public and private sectors to anticipate risks associated with stablecoins before they crystallise. Parties across multiple sectors and disciplines need to work together in a proactive manner to harness the benefits of technological advancements in a safe and sustainable manner.

Putting Peer-to-Peer (“P2P”) transactions under the microscope

P2P transactions occur between parties without the need for an intermediary (such as a regulated banking institution or VASP). While transactions of this nature are desirable for legitimate reasons, such as to increase efficiency and lower the costs associated with transferring value, these same attributes increase exposure to criminal exploitation.

The FATF notes that, as VAs become more widely accessible and popular, and nations seek to regulate and supervise VASPs, there may be a surge in P2P transactions. This is because criminals may seek to purposely circumvent regulated institutions in the knowledge that this will likely evade rigorous anti-financial crime controls, creating the potential for more transactions (both legitimate and illicit) to fly under the supervisory radar. 

To address this risk, the FATF urges countries to understand what types of P2P transactions pose higher or lower risks, as well as what drives the occurrence of P2P transactions so as to identify their different risk profiles and typologies. This could be done through outreach to the private sector as well as implementing tools such as blockchain analytics to understand P2P market metrics. Once the risks have been fully identified and understood, controls can then be put in place at national level to mitigate these, such as increasing the transparency and visibility of P2P transactions that take place between regulated and non-regulated market participants.

Enhancing the rigour around non-P2P VA transactions

In order to elevate money laundering and terrorist financing risk up the VASP agenda, the FATF urges countries to consider evolving their VASP supervisory approach to ensure the right compliance behaviours and practices are encouraged. Examples of such enhancements may include:

  • Implementing robust, risk-based supervision of regulated VASPs targeted on pockets of highest risk exposure;
  • Placing restrictions on VA-related transactions, such as requiring VASPs to only execute transactions to/from other regulated entities or placing additional requirements on VASP transactions involving non-regulated parties; and
  • Issuing further guidance relating to risk and control to enhance knowledge and understanding in the sector. For example, supervisors should raise awareness in relation to emerging VA-related risk typologies; expectations around the design and operation of anti-financial crime controls; and practical examples of the concept of a risk-based approach.  

In addition, the implementation of the “travel rule” seeks to bring greater transparency around VA transactions involving VASPs. In essence, the “travel rule” refers to the application of wire transfer regulations in the VA world. It applies both when a VA is transferred between a VASP and another obliged entity (such as another VASP or a financial institution) or when a VA is transferred between a VASP and a non-obliged entity (such as an unregulated wallet). It only applies to the collection of information about the transaction beneficiary and remitter, not recipients of any transaction fee that may be applied. The below table sets out a summary of obligations required under the “travel rule”.


Originator information

Beneficiary information

Ordering institution

(i.e. the originator's VASP) must obtain and hold and submit the following information to beneficiary institution(s)

Required and accurate originator information

Required beneficiary information

Beneficiary institution

(i.e. the beneficiary’s VASP or other financial institution)

Required originator information

Required and accurate beneficiary information

Required information is considered to be the following:

  • Originator - name, account number, address (or NI number/customer number/date and place of birth)
  • Beneficiary – name, account number

There are clear signals from the FATF that both VASPs and financial institutions should pay close attention to their risk-based approach to scrutinise VA relationships and transactions. Firms should seek to implement strong anti-financial crime controls to prevent them from becoming a target for exploitation through being a weak link in the chain. For example, the extent to which VASPs have implemented the “travel rule” may be indicative of the strength of its domestic national supervisory landscape, and therefore this should be taken into consideration by parties engaging with VAs when designing their own risk-based approach.

In addition, the “travel rule” presents certain challenges relating to the operation of anti-money laundering controls. In particular, both ordering and receiving VASPs will need to establish information pertaining to both sides of the transaction. As such, VASPs may need to enhance aspects of their Customer Due Diligence (“CDD”) policies and procedures; train and upskill staff in relation to these; and put in place appropriate governance and oversight mechanisms. Data security also becomes a key consideration, as “travel rule” RegTech solution providers are likely to rise in popularity in response to the rapid expansion of VA transactions involving VASPs. Differing standards and protocols amongst multiple interfacing industry players could pose challenges to controlled information exchange.

Finally, the “travel rule” only applies to VASPs which are regulated/licenced. While many users store their VA in custodial wallets which require VASPs to execute transfers, as noted above, many transactions occur outside the VASP environment (such as P2P transactions) and thus are not obliged to be subject to the same rigorous KYC standards.

UK perspectives and impact

Under the 2019 Amendments to the UK’s Money Laundering Regulations (“MLRs”), the regulatory scope has increased to now include cyptoasset exchange providers and custodian wallet providers. In addition, in December 2020 the Financial Conduct Authority (“FCA”) established the Temporary Registration Regime (“TRR”) for cryptoasset businesses. Relevant firms were required to register for the TRR to apply to undergo a fit and proper test by the FCA. The FCA intended to complete these assessments by 9 July 2021, however extended this to 31 March 2022. As of November 2021, there were:

  • 18 cryptoasset firms which have been assessed by the FCA as fit and proper. These are now subject to the UK MLRs and thus should maintain proportionate and risk-based anti-financial crime policies, procedures and controls to meet their obligations; and
  • Over 50 more which are still to be assessed. Through the FCA’s assessment process, these will need to demonstrate to the FCA that they have designed and operate an appropriate framework to tackle financial crime and make a positive contribution to the UK economy.

The UK has not yet legislated the “travel rule”, however the UK Government ran a consultation ending in October 2021 which (amongst other things) discussed the national implementation of the “travel rule” and how the FATF provisions should be reflected in updates to the MLRs. Specifically, a focus is likely to be on the technological infrastructure requirements to facilitate effective implementation. Firms should be prepared for new statutory instruments to include obligations pertaining to the “travel rule” and, in particular, uplifted remitter and beneficiary KYC and due diligence requirements.

How can BDO help?

Our Economic Crime Advisory team work closely with anti-money laundering regulated firms across a wide range of sectors including both financial services and cryptoassets firms. We have a deep understanding of their businesses and the specific environments in which they operate, enabling us to act as a strategic partner, providing clear advice which is both balanced and constructive.

We have experience in reviewing and helping firms across the end-to-end deal chain to enhance their economic crime frameworks, including risk assessments; due diligence measures; governance and training; and transaction monitoring controls. Our services range from providing consultancy services with respect to industry practices pertaining to control environment design and operation, developing and deploying training for all/any lines of defence as well as Senior Management; and undertaking independent control framework reviews or gap analyses to provide tailored recommendations for increased alignment to regulatory requirements and expectations.

Please contact a member of our Economic Crime Advisory team if you have any questions regarding how the updated FATF VASP guidance may affect your anti-money laundering framework.