Crypto Regulations | July 31, 2023

FATF highlights compliance gaps and emerging risks

by Mariam Giorgadze

Crystal Regulatory & Compliance Team

75% of FATF-assessed jurisdictions struggle with fundamental requirements 

 In June 2023, the Financial Action Task Force (FATF) updated its anti-money laundering and counter-terrorist financing (AML/CFT) measures for virtual assets (VA) and virtual asset service providers (VASPs) to prevent criminal and terrorist misuse of the sector.  

While some significant virtual asset markets have implemented or are in the process of implementing AML/CFT regulations, there is a serious concern that 75% of assessed jurisdictions continue to struggle with fundamental requirements and are only partially or non-compliant with the FATF’s requirements.  

The FATF provides guidance for risk assessments, discourages cryptocurrency bans, and urges monitoring of VASPs. Still, challenges exist in licensing VASPs, posing money laundering risks. Market developments show VAs are used for proliferation and terrorist financing. DeFi entities and P2P transactions also present risks. NFTs remain a concern with varying regulations. Key recommendations include comprehensive risk assessments and active monitoring. The FATF is working to enhance implementation and track progress by mid-2024. Continuous monitoring, risk assessment, and information sharing are crucial to address risks associated with virtual assets and service providers. 

Such requirements include undertaking risk assessments, enacting legislation to regulate VASPs, and conducting a supervisory inspection.  

Jurisdictions are encouraged to refer to the FATF’s 2021 guidance. 

Here, I take a look at the FATF’s guidance in more detail. 

Banning crypto is not the best approach 

Many countries are still deciding how to regulate the VA sector. While most jurisdictions have chosen to permit the use of VAs and the operation of VASPs, the proportion of jurisdictions that ban VASPs has increased slightly. The decision to prohibit VASPs is not solely based on AML/CFT concerns but can be influenced by factors such as resource management and risk assessment. 

Implementing a prohibitive approach for VASPs is challenging. To implement a prohibitive approach effectively, jurisdictions must undertake a comprehensive risk assessment, actively identify and sanction unauthorized VASP activity, and have robust international cooperation mechanisms.   

However, many jurisdictions with a prohibitive approach have yet to conduct a risk assessment, and a significant portion still need to take supervisory or enforcement action against illegal VASPs operating within their jurisdictions. 

Ensuring compliance with AML/CFT requirements 

Only 30% of assessed jurisdictions require VASPs to be licensed or registered, and fewer jurisdictions have licensed or registered VASPs in practice.  

Unlicensed or unregistered VASPs operating without proper oversight create ML/TF risks and complicate law enforcement efforts.  Jurisdictions facing difficulties in licensing/registration need to improve supervision and sanctioning for non-compliance. 

Regardless of the approach, jurisdictions should monitor or supervise their VASP population and enforce compliance with AML/CFT obligations.  Successful jurisdictions with established registration or licensing regimes are progressing well in supervising and enforcing VASPs’ AML/CFT obligations.  Jurisdictions must continue monitoring and supervising VASPs, regardless of their regulatory approach, to ensure compliance with AML/CFT requirements. 

Market developments and emerging risks 

A) Use of VAs for proliferation and terrorist financing 

In March 2023, the UN Panel of Experts for North Korea  issued a report on funding streams for the Democratic People Republic of Korea’s (DPRK). 

It highlighted serious concerns about the DPRK’s illicit activities to finance the proliferation of weapons of mass destruction.Cybercriminals, including those from the DPRK, employ advanced techniques to steal VAs through cyber heists and ransomware attacks.  

Fraudulent non-fungible tokens (NFTs) are also used for illegal revenue generation. Additionally, VAs areexploited for terrorist financing by groups like ISIL and Al Qaeda, including extreme right-wing terrorism. Urgent implementation of FATF standards and continuous monitoring of VA-related activities are necessary to mitigate these risks. 

B) Decentralized finance (DeFi) 

Jurisdictions need help identifying and regulating DeFi entities, as control or influence over these arrangements is hard to determine.  

Many advanced jurisdictions require specific DeFi arrangements to be licensed or registered as VASPs, while others study risks or engage with the private sector. Identifying unlicensed/unregistered DeFi entities that qualify as VASPs is challenging, and only a few jurisdictions have successfully taken supervisory or enforcement action. 

Jurisdictions consider various factors, such as administrative key holders, governance structures, application managers, promoters, and profit/fee structures, to determine control or influence over DeFi arrangements. The FATF will continue to share experiences and developments among its members and the private sector to ensure existing guidance remains relevant and reflective of best practices. 

C) Unhosted wallets and peer-to-peer (P2P) transactions 

P2P transactions, where individuals transact directly with each other without intermediaries, pose specific risks in terms of money laundering, terrorist financing, and proliferation financing. The share of illicit transactions appears higher for P2P transactions than those with regulated virtual asset service providers (VASPs).  

Unhosted wallets used in P2P transactions can be exploited to bypass anti-money laundering and counter-terrorism financing controls, which may grow as more VASPs implement AML/CFT measures. 

Although P2P transactions fall outside the scope of the FATF Standards, their risks can still be mitigated  by implementing the sStandards. The FATF provides guidance for jurisdictions to address P2P transaction risks, such as improving market metrics, using blockchain analytics tools, and imposing additional AML/CFT requirements on VASPs facilitating transactions with non-obliged entities.  Some jurisdictions assess and monitor P2P transaction risks, while others implement measures to manage risks associated with unhosted wallets. 

However, data gaps and differences between jurisdictions make it challenging to assess the overall risks posed by P2P transactions effectively. Regulators and VASPs are implementing measures to manage potential risks, such as collecting information about transactions to unhosted wallets and treating transactions with unhosted wallets as higher risk. 

Continued monitoring, risk assessment, and information sharing among jurisdictions and the private sector are necessary to address the risks associated with P2P transactions and unhosted wallets. 

D) Non-fungible tokens (NFTs) 

NFTs continue to present risks for money laundering and terrorist financing, although some jurisdictions have observed a decrease in risk levels following the market boom in 2021 

Regulation of NFTs varies across jurisdictions, depending on their classification and use. Some jurisdictions have revised guidelines to determine if specific NFTs fall under the definition of VAs in their regulatory framework. NFTs can also represent tokenized versions of physical assets like real estate or precious metals. Most advanced jurisdictions that regulate VASPs  treat NFTs as VAs where appropriate, while a minority of jurisdictions do not apply their AML/CFT framework to NFTs. No jurisdiction was reported regulating NFTs as art or cultural objects. 

Enhancing VAs and VASPs compliance: key recommendations for the public and private sectors  

The main recommendations for the public and private sectors are:: 

  1. Jurisdictions should conduct comprehensive risk assessments of VAs and VASPs using available resources, such as the FATF’s 2021 guidance and the Community Workspace on Virtual Assets.
  2. Jurisdictions permitting or prohibiting VAs and VASPs should actively monitor, supervise, and enforce compliance with VASP population and impose sanctions on illicit VASPs. 
  3. Take immediate action to mitigate terrorism financing and proliferation financing risks related to VAs by implementing FATF Recommendation 15 (R.15) and adopting other risk-based measures, such as enhancing cybersecurity. 

Jurisdictions should continue sharing information, expertise, and technical assistance to improve compliance, as outlined in the FATF’s roadmap. It is crucial for jurisdictions to assess their risks, even if they have imposed a prohibition on VAs or VASPs. However, many jurisdictions still face challenges in assessing and mitigating money laundering and terrorist financing risks associated with VAs and VASPs due to a lack of reliable data and guidance. 

Charting the path forward: FATF’s next steps for virtual assets regulation  

The FATF is actively working on enhancing Recommendation 15 implementation through its Virtual Assets Contact Group (VACG) and engagement with jurisdictions facing capacity limitations.  

By mid-2024, the FATF plans to release a progress table, tracking the efforts of member jurisdictions and others with significant VASP activities. The FATF and VACG will exchange information and address challenges related to DeFi, unhosted wallets, and P2P transactions, while monitoring market trends for potential future actions.  

To learn how Crystal can transform your approach to compliance with its services and solutions, book a demo or email our regulatory and compliance team at [email protected] 

Be the first to get news from Crystal