The Financial Action Task Force (FATF) has applied its anti-money laundering (AML) and counter-financing of terrorism (CFT) standards to virtual assets and virtual asset service providers (VASP) since 2019. The intergovernmental body has noted that virtual assets have “the potential to radically change the financial landscape” but that regulators must also become familiar with a “new vocabulary” in order to effectively address the criminal threats that the technology brings.
The FATF has issued periodic updates and guidance on how its standards should be applied to virtual assets and VASPs, with a heavy focus on Recommendation 16, also known as the ‘Travel Rule’. Recommendation 16 requires private sector institutions to trace both the originators and recipients of funds when they are sent across borders, and maintain suitable records of those transactions.
In practice the Travel Rule requires firms to implement suitable Know Your Customer (KYC) measures, including capturing names, addresses, and account numbers in order to establish the identity of customers and counterparties. In the context of virtual assets, service providers must ensure they collect this information despite the anonymity challenges associated with cryptocurrency transactions.
As of 2022, the FATF noted that the vast majority of jurisdictions had not passed the relevant laws necessary to implement the Travel Rule for virtual assets. A 2022 FATF report revealed that, since June 2021, of 98 responding jurisdictions only 29 had passed virtual asset Travel Rule legislation and only 11 had implemented any enforcement or supervisory measures. The report suggests that Travel Rule implementation amongst non-reporting FATF jurisdictions is likely to be slower than amongst reporting jurisdictions.
The FATF found that the delay in the implementation of the Travel Rule in some jurisdictions was a result of undeveloped or in-progress virtual asset regulatory regimes, or a lack of domestic expertise in Travel Rule compliance.
Travel Rule Implementation
Both the FATF’s research and open source reports suggest that the private sector has led in the implementation of the Travel Rule, often going beyond requirements for the public sector. Private sector VASPs are taking advantage of novel technological solutions to achieve Travel Rule compliance, with a focus on interoperability with other AML/CFT solutions, and the need to scale with global solutions implemented by counterparts.
Despite the private sector progress, the FATF has highlighted a number of challenges affecting Travel Rule implementation. These include:
- Some Travel Rule compliance solutions are only compatible with certain types of virtual assets.
- Some VASPs, along with counterparties or third-party service providers, require approval over Travel Rule compliance solutions.
- A lack of consensus over which solution (or solutions) will meet FATF and local compliance obligations.
- A lack of shared and clear information about VASP Travel Rule obligations from official sources.
The FATF has acknowledged that many VASPs are still in the very early stages of Travel Rule implementation. In order to accelerate that process, the FATF has emphasised the need to engage with jurisdictional authorities and the private sector, and encourage the further development of solutions “that are global, interoperable, and can accommodate for nuances across national requirements.”
Emerging Issues and Risks
The need for VASPs to implement the Travel Rule has grown more urgent as a result of developments in the cryptocurrency landscape. The FATF has set out some of the key emerging risks and market developments:
FATF research suggests that decentralised finance (DeFi) markets have grown significantly from 2021-22, with increasing use of stablecoins and cross-chain bridge software. The FATF has stated that it will continue to monitor DeFi developments to ensure that AML/CFT standards remain relevant.
Like DeFi markets, use of non-fungible tokens (NFT) has also increased, along with opportunities for criminals to use them to launder money. The FATF notes that the increase in active wallets trading in NFTs and disparities in the way NFTs are defined across jurisdictions have created new AML/CFT risks.
The FATF has noted that peer-to-peer (P2P) payments of virtual assets potentially fall outside the scope of the AML/CFT recommendations, and that it will continue to monitor emerging risks.
As stablecoin liquidity increases, so do the potential risks to consumers. The FATF has stated that it will “continue to facilitate discussion between jurisdictions and other standard setting bodies” on VASP regulation implementation issues as they relate to stablecoins.
The FATF has recognised the potential for the anonymity of virtual assets to aid attempts at sanctions evasion – although liquidity limitations have prevented this happening on a large scale. With that in mind, the FATF has noted that the Travel Rule is vital in helping VASPs identify counterparties involved in transactions.
The criminal use of virtual assets is often linked to ransomware money laundering, with criminals using non-compliant VASPs to transform illegal proceeds. In addition to implementing the Travel Rule, the FATF has highlighted opportunities to use blockchain analytics technology to trace ransomware-related money laundering.
VASP Compliance: Next Steps
The FATF has urged member states and jurisdictions to “lead by example” in order to promote the implementation of the Travel Rule by encouraging VASPs to share knowledge and good practices. In particular, the FATF has highlighted the importance of technological solutions in achieving Travel Rule compliance and especially in cross-border compliance. Similarly, the FATF suggests that the private sector should work to “facilitate interoperability across Travel Rule technological solutions”.
In order to comply with the Travel Rule, and adapt to the changing landscape of virtual asset regulations, VASPs and other obligated entities must implement suitable risk management solutions to analyse vast amounts of customer and transaction data. Ripjar’s Labyrinth platform is designed with that requirement in mind, integrating advanced screening software and machine learning systems capable of capturing data in real time from across the world – and ensuring that your organisation is informed as soon as its risk exposure changes.