FATF Update on Emerging Risks; Cross-Chain; DeFi & Unhosted Wallets

by Hedi Navazan Head of Compliance

Travel Rule implementation issues while minimizing risks from unhosted wallets, NFTs, ransomware, and DeFi with the use of blockchain analytics

On June 30, 2022, the FATF (Financial Action Task Force) published its updated report on implementing the FATF Standards on Virtual Assets (VAs) and Virtual Asset Service providers (VASPs).  

In this targeted update, the FATF highlights the status of implementation of the Travel Rule, market developments and emerging risks from DeFi (decentralized finance), unhosted wallets (self-custody wallets) and NFTs (non-fungible tokens).  

The Crystal Blockchain compliance team has prepared a key summary of the update. 

Travel Rule Implementation 

It is reported that the vast majority of jurisdictions have not yet fully implemented the Travel Rule requirement. While 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation, only 11 jurisdictions have started enforcement and supervisory measures.  

Some of the challenges observed in the implementation of the Travel Rule result from the “sunrise issue” (jurisdictions that regulate VAs and VASPs, and those that do not), as well as the approach to unhosted wallets, and the challenges around data protection and privacy. The figure below illustrates the Jurisdiction Implementation & Enforcement of the Travel Rule by the FATF/FSRB (FATF-style regional bodies) per region (image source: FATF survey). 

Position of FATF with regards to emerging risks from… 

Unhosted Wallets: Requiring VASPs to collect relevant beneficiary information on unhosted wallets from their own customer and implementing it has been so far challenging in various jurisdictions.  

In FATF consultations to date, several jurisdictions indicated they are addressing this issue by requiring VASPs to use blockchain analytic services to mitigate some of the ML (money-laundering) /TF (terrorist financing) risks of unhosted wallets.  

NFTs: NFTs markets have continued to grow. FATF’s recent outreach to the industry suggests that “decentralized” currently can be a marketing term rather than a technical description and that even in so-called decentralized arrangements, often there continue to be persons and centralized aspects that may be subject to AML (anti-money-laundering) /CFT (counter financial-terrorism) obligations.   

The various usage of NFTs has made it challenging to regulate them under specific regulatory frameworks. Therefore a look at a case-by-case approach has been suggested in the FATF update in cases the NFTs count as VAs (virtual assets) or other assets or identify high-risk NFTs.   

Ransomware: There continues to be a significant threat of ransomware actors misusing VAs to facilitate payments, and ransomware cybercriminals continue to rely on a small group of non-compliant VASPs and privacy coins to move funds.  

DeFi: The increasing use of stablecoins in DeFi protocols is commensurate with the growth in the DeFi market, as they are used to facilitate trading or as collateral for DeFi protocols, and the increase in cross-chain bridges (bridges from one blockchain to another) is likely to impact the materiality of relevant DeFi platforms. 

Chain hopping, mixers and privacy coins 

Chain-hopping refers to moving from one VA into another, often in rapid succession, and evading attempts by investigators to track these cross-chain asset movements.  

In the newly targeted update by the FATF, it is acknowledged that the use of privacy coin chain-hopping via non-compliant VASPs, and unhosted wallets would bring challenging threats going forward. 

For this reason, it is important that both jurisdictions and the private sector implement the FATF’s Standards on VAs and VASPs, including the Travel Rule, to enable the private sector to detect illicit actors and suspicious transactions. 

The role of blockchain analytics in combating financial crime  

To combat the threats above and to prepare for emerging risks, both jurisdictions and industry, in recent consultations, have recognized the opportunities of blockchain analytics to help trace ransomware-related money laundering.  

Blockchain tools have supported and informed successful law enforcement.  

Below is an example of Crystal Blockchain investigation capabilities to trace the stolen funds from the Californian cryptocurrency firm Harmony by an unidentified hacker group (stolen funds are estimated to be worth more than USD $100 million). 

Next steps 

The FATF and its VACG (Virtual Assets Contact Group) will continue to monitor market trends for material developments that may necessitate further FATF work, including how FATF standards apply to DeFi and NFTs.  

In addition, the FATF will work with its members over the next year to raise awareness of common trends in ransomware payments and related ML through VAs and VASPs.  

Our Regulatory & Compliance team at Crystal Blockchain comprises experts from financial services and regulators. We are hands-on professionals with experience in helping you to transform regulation into effective risk management.  

 For any queries and questions on crypto compliance regulation, do contact our regulatory affairs team at