Policy & Regulation

FATF Regulatory Guidance Is Here. Now What?

On Friday, the Financial Action Task Force (FATF), the inter-governmental body that sets global standards relating to anti-money laundering and combating the financing of terrorism (AML/CFT), published its much anticipated guidance on how its 200+ member and observer states will have to start regulating virtual asset markets in their jurisdictions.

As we’ve written previously, this will have a major impact on the cryptocurrency industry. FATF’s guidance represents the first major step toward global regulatory clarity. Countries suffer serious economic consequences if they are evaluated to be deficient regarding AML/CFT during mutual evaluation.

FATF detailed which types of virtual asset (VA) activities must be regulated and the minimum requirements it expects from regulators, which far surpasses current efforts in most countries. The guidance can be used as an aid to implement existing FATF recommendations for other financial instruments.

Long-term, this regulatory guidance will formalize AML/CFT best practices and help the cryptocurrency industry mature and achieve more mainstream adoption. In the short-term, regulators, financial institutions (FIs), and industry participants will need to further invest in mitigating the risk of money laundering in line with previous recommendations for other value transfer mechanisms.

Key takeaways

  • FATF guidance is technically non-binding, but it is being treated as binding
    G-20 members have said they will apply the guidance directly. Secretary Mnuchin of the US Treasury stated on Friday at the FATF Plenary Session that the Interpretive Note adopted this week includes virtual asset standards that are “binding to all countries.”
  • FATF has instructed its 200+ member and observer countries to implement the guidance and will begin evaluations within a year
    While FATF recommendations went into effect as of last week, countries won’t be assessed on compliance until FATF adopts revised methodology for mutual evaluations. We expect that methodology to be drafted by October, and then assessed by FATF for adoption. After adoption, countries will be assessed on the new guidance in their next mutual evaluation. Additionally, 3rd and 5th year follow up reports will also be assessed for VA compliance, regardless of when their next evaluation will be executed.
  • VASP definition remains broad and technology neutral
    With technology still evolving, guidance is based on the activity rather than industry terms. If you are involved in transferring value in the “chain of transactions,” you will likely fall under the definition of Virtual Asset Service Provider (VASP). It applies equally to natural persons involved in conducting this activity on behalf of others.
  • Automated transaction monitoring and customer risk scoring are essential components of an effective AML program
    FATF acknowledges that automation is the only realistic way to monitor fiat and VA transactions at scale.
  • Recommendation 16 (formerly INR 15-7(b)), which mirrors the “Travel Rule” in the U.S., requires VASPs to send originator and beneficiary information to other VASPs or FIs party to transactions over 1000 EUR/USD
    There is a substantial technical obstacle to implement the “secure” and “immediate” transfer of information to other obliged entities. Chainalysis can help VASPs and FIs identify counterparties in real time, one of the most difficult challenges to meet this requirement.
  • Countries need to regulate and monitor VA activity
    A competent authority needs to register / license VASPs. Financial Intelligence Units (FIUs) need to modernize their Suspicious Transaction Report (STR) forms, have competency to do further investigations, and have a regime to freeze and seize accounts when necessary.
  • FIs must not de-risk VASPs or customers active in VA activities
    FIs, including retail and corporate banks, should instead apply the risk-based approach and find ways to mitigate risks associated to VA activities.
  • VASPs need to have customer due diligence (CDD) and enhanced due diligence (EDD) procedures in place, and include that information in their reporting
    Regulators must be able to receive and investigate Suspicious Activity Reports generated from FIs and VASPs from their compliance efforts.
  • AML compliance needs to be consistent with local privacy laws
    FATF calls upon countries to coordinate and ensure that recommendations are compatible with national data protection and privacy rules.
  • Anonymity enhancing cryptocurrencies (AECs) were highlighted for higher AML risk
    Expect greater attention from both regulators and FIs on AECs. VASPs that “cannot mitigate the risk for AECs should not list them.”
  • Not all DEXs, DApps are equal
    Guidance leaves room for truly decentralized exchanges and applications with no natural person connected to them to be excluded. However, many will not meet this bar.
  • International information sharing is a major factor in mitigating risk of money laundering
    International coordination efforts to reduce regulatory arbitrage and speed up information sharing on suspicious activity is necessary to mitigate risk when payments move across borders seamlessly and instantaneously.


What happens next

Regulations by jurisdiction

Each of FATF’s member and observer states will now leverage its guidance as a framework for developing or augmenting their own regulations for their individual jurisdictions.

In some jurisdictions, like the United States, where regulations are already well established and similar to FATF’s guidance, we expect to see stricter enforcement.

In fact, FinCEN recently issued interpretive guidance that builds on their 2013 guidance to help clarify the application of existing regulations to the sector.

Other countries like South Africa and Chile, where cryptocurrency regulation has not been formally rolled out, may issue new regulations before FATF conducts its mutual evaluations of those countries in the coming months.

Mutual evaluations

FATF conducts peer reviews of each member on an ongoing basis to assess levels of implementation of the FATF Recommendations, providing an in-depth description and analysis of each country’s system for preventing criminal abuse of the financial system.

The first evaluation will be conducted in October in Japan. Japan will likely not be measured on this guidance in their next evaluation, but countries should take a proactive approach in modifying or introducing their cryptocurrency regulations prior to their onsite evaluations.

Following Japan, the Slovak Republic, Vietnam, Georgia, Chile, New Zealand, and Egypt will be evaluated in the near future.

What VASPs should do now

Despite current technical challenges to complying with Recommendation 16, regulators take into account proactive, risk-based approaches to compliance. If they aren’t already, exchanges should:

  • Develop risk-based programs tailored for their organization’s particular business, even if the details in your local jurisdiction will be determined in coming months
  • Implement know your customer (KYC) and enhanced due diligence processes
  • Implement a transaction monitoring solution and customer risk scoring
  • Implement dynamic systems to ensure compliance with sanctions laws
  • Establish clear communication with customers about prohibited activities
  • File detailed STRs where possible with your local FIU
  • Explore options to implement information sharing as per Recommendation 16


How Chainalysis helps

Chainalysis is an integral part of any AML risk mitigation strategy for countries, FIs, and cryptocurrency businesses.

First, Chainalysis KYT (Know Your Transaction) provides VASPs and FIs with automated transaction monitoring with custom risk models to satisfy VA transaction monitoring obligations. Furthermore, using KYT, VASPs and FIs can identify VASP counterparties in real time. This is critical for implementing Recommendation 16 for cryptocurrencies. But it isn’t the full solution. We do not collect personally identifiable information (PII); that is a part of exchanges’ KYC responsibilities. The mechanism for the transmission of that PII is to be determined.

Second, we assist FIs to build risk mitigation strategies with respect to Virtual Assets, allowing them to open accounts for VASPs and identify suspicious activity from retail customers. With our in-depth knowledge of illicit and normal activity in cryptocurrencies, banks are able to deal with cryptocurrencies with confidence.

Finally, Chainalysis provides investigation software to track the flow of funds in cryptocurrencies. This is an essential tool for regulators and law enforcement agencies that combat money laundering.

We are working to support our large network of exchanges comply with Recommendation 16. As such, we want to hear from our customers in compliance about how a technology vendor might be able to help solve this problem. If you have ideas or comments, please submit them here