Public Consultation on FATF Draft Guidance: A Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers
20 April 2021
We appreciate the opportunity to provide comments on the Financial Action Task Force’s (FATF) draft guidance on a risk-based approach (RBA) to virtual assets (VA) and virtual asset service providers (VASP).
In principle, we support the FATF’s overarching objectives of updating its pre-existing Guidance in a manner that maintains a level playing field for VASPs, minimizes opportunities for regulatory arbitrage, and preserves the intended technological neutrality of the FATF Standards. However, in our view, further revisions are required to ensure that the updated guidance achieves these objectives without going beyond the requirements of the FATF Standards or introducing elements that will have undesirable or intended consequences. Our comments on the specific areas of focus identified in the consultation document are outlined below.
In addition, while outside the scope of this consultative process, we encourage the FATF to consider updating its 2015 ML/TF risk assessment before giving consideration to further updating the FATF Standards in relation to VAs and VASPs. An improved, common understanding of the inherent ML/TF risks of VAs and VASPs is fundamental for both the private sector and countries to effectively manage and mitigate ML/TF risks in the sector.
1. Does the revised Guidance on the definition of VASP provide more clarity on which businesses are undertaking VASP activities and are subject to the FATF Standards?
We appreciate the FATF’s efforts to clarify its ‘expansive’ approach to the definition of VASP to help better identify the regulatory perimeter for VASPs. While the draft guidance represents an improvement, a number of concepts would benefit from further refinement to assist countries and the private sector to better understand the scope of application of the FATF Standards to VASPs.
As per the expanded definition and attempt to clarify what a VASP may be, we see inconsistencies in the way in which a VASP is being presented. The overall guidance discusses at length the concept of key signers or holders of a private key who may be involved in the signing of messages on behalf of smart contracts that are responsible for the movement of assets or data. Paragraphs 61-63, as an example, should have greater clarification as in their current form seems to imply that Decentralized Autonomous Organizations (DAO’s) that have key signers would now place those key signers in the territory of being a VASP. Key signers in this role do not have explicit control over the decision making process, nor do they have an obligation to cease the transference of assets that are being transmitted from the DAO. Rather the role is to ensure security procedures of the smart contracts governance are being fulfilled at the request of voting threshold requirements of the smart contract’s community. This does not give the key signer explicit control to determine whether transmission of funds is acceptable, or allowed, and also does not place the key signer in a controlling position to which they have custodial rights over any of the assets that are placed in that smart contract on behalf of the decentralized community and its governance requirements. With this, we suggest a clarification over the definition of explicit control as to make a distinction between key signers that lack the ability to be a part of the governance decision to transmit assets, and smart contracts that are explicitly under the governance direction of the key signers (a custodial obligation).
We see unintended consequences from this that could move to eliminate key signers from these processes which can further lead to security vulnerabilities at the smart contract level (putting innocent users of these systems at risk), and could introduce innovative obfuscation techniques that further eliminate governance methods that are important roles in transparency and functionality.
It should be noted that in the case of social governance (ie. community run asset pools in protocols such as DEFI) the key signing entities do not have the ability to verify the destinations of fund transmission, and at times these signing parties, through randomization, are involved in blind transmission of assets through autonomous routes.
To apply requirements on parties where the assets move across autonomous, non-user controlled midpoint destination applications (ie. a smart contract like a DAO could have a function for key signers to be community-requested to transmit assets into a multitude of autonomous smart contracts that only after several hops, routes, and movements in and out of other use cases and dapps, eventually land in entirely unknown users wallets) eventually landing in a user’s control, where the key signers sole role is to act on behalf of a community that is requesting the initial hop into a new use case which then eventually end up in another application environment that is user controlled, would become an impossible measure to effectively prevent against, determine risks at the key signer level against, and would be impossible to determine the end destination with any accuracy prior to the end user gaining control or access to those assets. This type of situation is frequent in DeFi applications today and based on the current language and approach in these sections of the guidance, would lead to so much complexity in terms of who is responsible and how that VASP mitigates risks of that transaction that it would be nearly impossible to implement with any level of effectiveness.
We propose a review of the definition of control and the role of key signers entirely in the process of transmission in order to prevent confusion and layers of immense complexity that impedes effective regulatory implementation, other than outright attempts to ban - the level of complexity in practice that this, as demonstrated by the example above, would likely lead to, would likely make bans an easier practice for regulators rather then incentivizing the enablement of technological solutions from within the industry that can provide effective risk mitigation techniques native to the technology itself.
The FATF should look to work in collaboration with the industry at this stage to develop and deploy regulatory protocol infrastructure which can solve for the risks these new technologies pose. The industry has infrastructure that can enable solutions to these issues instead of only looking to add more regulations. With this, we would also propose to have the FATF allow us to demonstrate technology based solutions such as opt-in KYC and identity smart contract tooling that can create compliant liquidity pools and compliant smart contracts that would also allow us to better create effective methods of risk mitigation across the entire infrastructure that is, smart contract and key signer reliant.
The general view in relation to “developers” is very unclear, and the distinction between development companies in contrast to the open source software developers that are individuals, creates a broad view that this paper is set to capture all definitions of the term “developer”.
Oftentimes, individuals all come together to build software and deploy that software. Those individuals are often granted allocations of an amount of the assets upon the software’s deployment. It is unclear as to whether the allocation, which constitutes a financial reward in the future, would imply that even individual persons who have created a monetary benefit from the open use of that system would therefore be considered VASPs.
Through this concept, which is standard across nearly all projects in the industry (dating back to Satoshi Nakamoto), the FATF would capture all independent parties that are developers coming to work on aspects of an open source software project as VASPs in perpetuity as they are directly, or indirectly, apart of enablement of that system. It should be noted that in the event this were to be true, even public protocols that are being designed today to solve FATF guidance and travel rule requirements would therefore be VASPs. This would lead to a massive slow down in current timelines and the ability for the industry to utilize smart contract native systems in enabling effective methods of risk mitigation for regulatory purposes.
This leads to the question of whether or not effective implementation of the open source projects that are being designed to assist the FATF in its efforts to effectively implement these systems, would have the same impact in being effective.
We recommend a redrafting of areas that describe “developers”, in order to make a clear distinction between development companies and individuals who are paid on a transactional fee basis versus other methods.
We also note that the discussion in the draft guidance of the ‘level-playing field’ principle (para 22(c)) appears to contradict the initial risk assessment discussion (para 28). Paragraph 22(c) suggests that countries should treat all VASPs on an equal footing from a regulatory and supervisory perspective when they provide similar services regardless of the business model used. It also indicates that an assessment of risks, based on the nature of the products and services offered, should guide countries in imposing regulation and supervision.
In contrast, paragraph 28 notes that overall risk at a national level should be determined by individual jurisdictions through an assessment of the VASP sector and that different entities within the sector may pose a higher or lower ML/TF risk based on a variety of factors, including business models. This approach is consistent with the FATF Guidance on Risk-Based Supervision, which recommends that supervisors ensure supervisory strategies are kept under regular review to inter alia develop a better understanding of the ML/TF risk profiles of the business models used by regulated entities (para 76).
2. What are the most effective ways to mitigate the money laundering and terrorist financing (ML/TF) risks relating to peer-to-peer transactions
We understand that peer-to-peer (P2P) transactions between unhosted wallets pose a unique challenge given the general approach in the FATF Standards of placing obligations on jurisdictions and intermediaries rather than individual users of financial products and services. While the FATF is concerned that P2P transactions could pose heightened ML/TF risks if used to circumvent AML/CFT controls placed on VASPs and other obliged entities, this is predicated on P2P transactions gaining widespread acceptance as a means of payment and/or investment.
In our view, the measures and controls in the draft guidance will do little to mitigate the ML/TF risks that may emerge should P2P transactions gain widespread acceptance. The majority of proposed measures would see additional obligations or restrictions placed on VASPs and other obliged entities, which would have minimal impact mitigating the ML/TF risks of P2P transactions between unhosted wallets.
We support the recommendation in paragraph 35 that countries should consider how ML/TF risks of P2P transactions may be mitigated through blockchain analytics and encourage the FATF to further explore with the private sector (e.g., through targeted consultations) how blockchain analytics and other innovative technological solutions can be used to provide greater visibility over P2P transactions between unhosted wallets and to incorporate relevant findings into this guidance. P2P transactions, unlike cash, have inherent features that can be used to mitigate risks and these mitigating measures do not have to be preventive and regulatory in nature, but rather could be in support of the development of financial intelligence and in investigations by law enforcement.
3. Does the revised Guidance in relation to the travel rule need further clarity?
With respect to the travel rule, further clarity is required around the FATF’s expectations of VASPs when transacting with unhosted wallets. The current drafting of the guidance suggests that these transactions should be treated as higher risk without providing any supporting rationale.
As travel rule solutions go into effect, the risks and identification of non-custodial wallets will further decline as more visibility into the verified intermediaries that currently may be wrongly tagged by analytics tools occurs. As we continue to deanonymize and verify through travel rule obligations on intermediaries and onchain analytics we will have even greater insights into unhosted wallets and will be able to solve a vast majority of the issues present today surrounding the identification of transfer to unhosted wallets. It is our recommendation that we allow time for the industry to get verified and incontrovertible data into these wallets prior to making assumptions on the risk profiles of these wallet types.
We already know today that the vast majority of liquidity enters the ecosystem through the VASPs and then exits again through these onramps at a later date.
We also rely on VASPs today to properly act as the verifying entities of the largest amount of KYC’d users in the space. A change to the liquidity flows of these venues will lead to new methods of onboarding that may lack compliance controls and centralized data storage. This can lead to an inability for law enforcement and FIU’s to rely on the data and reporting of licensed VASPs as the primary onramps into the ecosystem.
We propose that the FATF allow time for travel rule solutions to work directly on unhosted wallet discovery as well as VASP discovery before determining risk profiles and mitigation methods that may inaccurately assume the risk and therefore hinder growth.
To add to the overall discussion of the unintended consequences of VASP to unhosted wallet interaction, we believe that we could face liquidity issues if restrictions on the deposit and withdrawal of assets were to be limited. To enable the blocking of liquidity deposits and withdrawals could lead to severe systemic risks in the underlying liquidity of spot venues that currently act as essential data services to things like ETF’s and other market functions. As institutional adoption has greatly accelerated over the last 12 months, efforts to block liquidity onramps could create unknown consequences that could cripple financial markets that are now relying on global, compliant, spot market liquidity flows.
The inability for spot market liquidity to properly move in and out of VASPs can lead to consumer protection risks in traditional capital markets, as well as will further lead to hurting consumers as liquidity imbalances reduce proper price discovery in markets. This would also further create the push towards less centralized vasp liquidity pool indexes, which would have very bad consequences in complaint liquidity pool regulation (this moves liquidity into dex’s as the primary spot market benchmark).
Moreover, a number of the possible mitigations proposed in the draft guidance do not seem appropriate or justified (e.g., denying licenses to VASPs that transact with unhosted wallets (para 91(c)), prohibitions on unhosted wallets (para 180)) and should not be implemented by jurisdictions before carrying out a thorough assessment of the inherent ML/TF risks as required under Recommendation 1 (as noted in the FATF’s various risk-based guidance including the recent guidance on risk-based supervision). Only once such an assessment has been completed should jurisdictions consider what mitigations are appropriate to address identified higher risks.
More broadly, we submit that the draft guidance places an over-emphasis on the use of preventive measures, in general, and relation to unhosted wallets, in particular, without giving full consideration to the full toolkit available to authorities (e.g., financial intelligence generated by the FIU and the role of law enforcement agencies) to address relevant ML/TF risks. Coupled with the severe nature of some of the proposed mitigations contained in the guidance, we are concerned that the FATF’s efforts may create perverse incentives for VA users to shift away from regulated entities and increase use of P2P transactions further limiting the line-of-sight authorities would have on illicit VA-related activities.
4. Does the revised Guidance provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities?
The revised FATF Guidance is generally helpful in confirming the applicability of VASP regulations to stablecoin issuers. However, when it comes to the specific details of comparing stablecoin issuers to other VASPs, particularly for the purpose of conducting an AML/CFT risk assessment, there are several aspects of the Guidance which appear to reflect a misunderstanding of how centrally administered stablecoins function. We believe that conducting an accurate risk assessment of stablecoins is contingent upon having a thorough understanding of how these products currently function, in practice.
- Re: Purpose of Stablecoins (Box 1)
In the first sentence of “Box 1”, a suggestion is made that “stablecoins purport to overcome the price volatility issues associated with VAs by maintaining a stable value relative to some reference asset or assets.” This may be an accurate description of one of the features of stablecoins, but it is certainly not the purpose of stablecoins, nor the reason they exist. The reason for their growth and adoption is simple: relative to traditional cross-border banking, stablecoins offer a superior product (speed, reliability) at a much lower cost. By suggesting that the purpose of stablecoins is to address a problem with virtual assets, when in reality they were explicitly created to overcome problems with cross-border banking, the Guidance has relegated itself to a discussion only of the cons (risks).
- Re: Characterization Stablecoin Issuers (Para. 72-73)
The Guidance suggests that multiple entities in any given “stablecoin arrangement” could be classified as a VASP and thus also have AML/CFT obligations. It is not clear at all why related entities other than the customer-facing entity, which collects customer data to comply with AML/CFT regulations and conducts transfers and services, should be considered a VASP for the purpose of this Guidance. For entities that perform stablecoin functions such as treasury management: (1) there are no comparable AML/CFT risks related to this activity; (2) most VASP responsibilities such as performing KYC, CDD, EDD, filing SARs, and documenting these processes are not pertinent; and (3) registration with a local regulator would serve no purpose with respect to transferring any information respecting AML/CFT risks.
In our view, it should only be necessary for the legal entity which performs compliance functions to be classified as a VASP and be registered with a pertinent authority. This would allow: (1) for all customers to be verified; (2) for all customers, transfers and counterparties to be risk rated; (3) for SARs to be filed when appropriate; (4) for these processes to be documented; and (5) for relevant information to be transferred between VASPs or pertinent authorities and for all other relevant FATF recommendations to be observed. Forcing irrelevant persons or entities to be labeled VASPs and therefore to register with pertinent authorities would amount to a waste of time and resources not only for the private sector, but for the public sector as well.
We believe that such a position is rooted in a misunderstanding of how existing centrally-administered stablecoins function today, particularly with regards to the “stabilization mechanism”.
- Re: “Stabilization Mechanism” (Para. 122)
The revised Guidance distinguishes stablecoins from other virtual assets based on the existence of a “stabilization mechanism” and makes reference to the ML/TF risks associated with this mechanism. While we certainly agree that the distinguishing feature of stablecoins can be accurately described as a “stabilization mechanism”, the revised Guidance uses language that appears to reflect a misapprehension of how this process works in the context of currently operational and prominent centrally administered stablecoins. Since the Guidance requires that the “stabilization mechanism” be considered when performing an assessment of the risks associated with stablecoins, we believe it is important that this mechanism is adequately explained and understood. The following points will resolve the apparent confusion surrounding this concept:
First and most fundamentally, the Guidance describes the stabilization mechanism as a “technical feature” of stablecoins. This might be an accurate way to describe the “stabilization mechanism” of “algorithm-backed” stablecoins, but the stabilization mechanism of currently operational and prominent centrally administered stablecoins is a decidedly non-technical feature. Technology is undoubtedly involved, but the “stabilization mechanism” itself is not a mechanical process or set of rules, but rather a system of market-driven incentives that is generally known as “market-based price discovery”.
The “stabilization mechanism” of currently operational and prominent centrally administered stablecoins is best described by considering its two parts: (1) the ability to be issued and redeem tokens from the issuer (Primary Market), and (2) a decentralized, market-based system of incentives (Secondary Market). Strictly speaking, it is interactions between Primary and Secondary markets that keep prices stable in these latter markets, with the issuer’s peg being what keeps prices stable in the Primary Market. The Secondary Markets are where most trading occurs, but what keeps prices stable in these markets is the independent participation by Primary Market participants, who are incentivised to seek arbitrage profits.
Only prices in the Primary Market can be said to be “managed” by the stablecoin issuer (by processing issuances and redemptions at the pegged rate). But most trading occurs in Secondary Markets, where prices are kept stable by the arbitrage activity of Primary Market participants. This is neither a “managed” nor “delegated” process. It is a decentralized process that can be carried out by anyone who can participate in both markets (users who are KYC-verified with the issuer and thus can participate in the Primary, as well as Secondary markets). Importantly, there is neither coercion nor contractual reliance on any single Primary Market participant.
Since these users must all be KYC verified by the stablecoin issuer, this aspect of centralized stablecoins is already fully covered by existing AML/CFT laws. As such, the “stabilization mechanism” of centrally administered stablecoins does not require any special attention or additional consideration by domestic law makers who are working to address AML/CFT concerns. The reserve assets held by stablecoin issuers are analogous to those held by other VASPs. If anything they would be safer, due to the lower proportion of digital assets, and higher proportion of fiat assets, being held by the stablecoin issuer. As well, many stablecoin issuers offer varying examples of transparency of their reserves that no other VASPs or financial institutions offer.
Given this apparent misunderstanding of how the most popular existing stablecoins function, FATF is perhaps not in a position to make any more specific determination then that stablecoin issuers are VASPs. Moreover, the designation of stablecoin issuers as VASPs is sufficient to ensure that they adhere to AML/CFT controls outlined in the FATF Recommendations.
- Re: Risk Assessment of Stablecoins (Para. 224 & Box 4)
The Guidance suggests that stablecoins may pose a higher risk than other virtual assets, but it is unclear as to why this might be the case. The only explanation offered for this heightened risk is the prospect of widespread adoption. While we agree with the general idea that should risk exist, it would be greater with more widespread adoption, this reasoning cannot substitute for an analysis and description of the risk itself. In the context of AML/CFT, there is nothing about stablecoins that would cause them to pose any greater risk than other virtual assets. The Guidance acknowledges that the stabilisation mechanism is the distinguishing feature of stablecoins but, as explained above, there are no additional AML/CFT concerns associated with this characteristic.
While we appreciate efforts by regulators to be forward-looking, we believe, as mentioned above, that the rule-making process should be primarily based on how the currently existing stablecoins function. Recommendations should not be designed to suit one hypothetical business model of a large technology, telecommunications or financial firm. While the business model highlighted in Box 4 might result in widespread adoption, it is not clear that this would happen in jurisdictions with modern financial service infrastructures. Importantly, this business model is not pertinent to currently operational and prominent centrally administered stablecoins, which is predominantly geared towards the trading of virtual assets.
Stablecoin issuer risks respecting AML/CFT are best mitigated by individual jurisdictions using a risk-based approach: creating more controls only when warranted by the risks posed by stablecoin issuers. We believe that proposing regulations for all stablecoins based on the hypothetical business model in box 4 is tantamount to regulating technology (by regulating a stabilization mechanism that is in actuality non-technical) and is inconsistent with both a risk-based approach and the principle of a level playing field.
Is the revised Guidance sufficient to mitigate the potential risks of so-called stablecoins, including the risks relating to peer-to-peer transactions?
Our position is that the risks of stablecoins and their issuers are analogous to the risks of VAs and other VASPs, and that prior guidance was already sufficient to mitigate these potential risks. New recommendations by the FATF necessitate an updated risk assessment of this sector. As for the risks related to peer-to-peer transactions, please refer to our response to Question 2 above.
5. Further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards
Licensing or Registration of VASPs
In accordance with paragraph 3 of the Interpretive Note to Recommendation 15 (New Technologies), VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created. Jurisdictions may also require VASPs that offer products and/or services to customers in, or conduct operations from, their jurisdiction to be licensed or registered in this jurisdiction.
Paragraph 119 of the draft guidance suggests that authorities may impose conditions on VASPs seeking a license or registration to be able to effectively supervise the VASPs. Suggested conditions, depending on the size and nature of the VASP activities, include requiring a resident executive director, a substantive management presence, specific financial requirements and/or certain disclosure requirements for marketing materials.
In our view, the suggested conditions proposed in the draft guidance are a mis-adaptation of prudential and market conduct requirements for traditional financial institutions and are not fit for purpose in an AML/CFT context for the VASP sector. Moreover, imposing residency requirements on VASPs does not maintain a level playing field with other AML/CFT-obliged entities, particularly, persons that provide money or value transfer services (MVTS). As with MVTS providers, VASPs may have no physical presence in the country where a transaction is sent or received.
In this scenario, rather than imposing residency requirements, the FATF Guidance on a RBA for MVTS encourages competent authorities in the host and home jurisdictions to liaise as appropriate to ensure any ML/TF concerns are adequately addressed. We believe that this would be a more appropriate approach in the VASP context that would ensure a more level playing field among AML/CFT-obliged entities and would reinforce the FATF’s principles of information-sharing and co-operation amongst VASP supervisors set out in Section VI of the draft guidance.
Assessing ML/TF Risks of VAs and VASPs
We note that the draft guidance reaffirms the FATF’s requirements under Recommendation 1 that both countries and private sector entities identify, assess and understand ML/TF risks and ensure that those risks are mitigated effectively. However, the relevant sections of the draft guidance (Initial Risk Assessment – para 28 onwards and Application of the Recommendations in the Context of VAs and VASPs) seem overly focused on the perspective of countries and on the mitigation of risks. It is also unclear at times whether the guidance is referring to inherent or residual risks.
At this stage, there is little new information in the guidance that would help the private sector (and competent authorities) to identify, assess and understand their ML/TF risks. In our view, the FATF’s 2015 ML/TF risk assessment in the context of Virtual Currencies no longer provides a sufficient basis and, as such, an expanded discussion of the inherent ML/TF risks of VAs and VASPs in the draft guidance would be beneficial for both the private sector and countries to be able to appropriately consider, develop and apply the mitigating measures described therein. This consideration is particularly important for the rapidly growing and evolving VASP sector, which, unlike the traditional financial sector, has not benefited from the development of effective controls taking place over several decades as countries’ and the private sector’s understanding of ML/TF risks matured.
Industry stakeholders are initiating a risk assessment exercise and would welcome dialogue with the FATF before the completion of new guidance or further requirements for the VASP sector.
Supplementary Views and Additional Points
As it pertains to the overall topic of DeFi, and the approach to effective regulation, we believe that the FATF will likely need a fundamentally different approach to regulation. When it comes to decentralized systems and smart contracts that do not, and cannot, centralize the data collection and compliance processes that traditional intermediaries hold, we need to look at new approaches to compliance and KYC verification.
Systems are being built today that allow us to decentralize or passport the identities and KYC data sets of users across smart contracts and noncustodial wallets. We believe that the only way to effectively enable compliance in this new realm is to allow for data-collecting centralized intermediaries, to be able to represent users and act as data custodians of that data, while allowing users to passport across decentralized applications. These systems can allow us to have source nexus points for user validation and onboarding, but still allow those users (represented by the public addresses they use today to move assets) to utilize smart contract applications while leveraging reliance on the source data stores and validating onboarding entities. This will be the future of how compliant opt-in systems work across this ecosystem, and can solve many of the largest risks and threats that are inherent from a AML/CFT perspective.
While this infrastructure is currently being developed in systems like Shyft Network among others, we believe that users should not be required to take on compliance or sanctions obligations directly. These systems, when they are solely in the non-custodial realm, are extensions of bearer instruments like cash, and effective regulation needs to focus its efforts on the on-ramps and off-ramps (like that of the traditional financial system) without requiring innocent civilians to take on compliance obligations and the responsibility of sanctions requirements.
Decentralized systems should be looked at largely as public utilities and enhancements to the utilization of digital bearer instruments that are designed to invoke user freedom and the betterment of individual choice, while still ensuring law enforcement has the ability to effectively address illicit activity. Our ability to ensure these networks do not unintentionally transition to deeper levels of obfuscation is critical in this current time to ensure we can maintain visibility and transparency into how these networks publicly function. Regulations can help maintain this visibility in collaboration with this technology, or hinder it if we do not act collaboratively and cautiously to nurture its benefits.
We welcome the opportunity to further discuss and demonstrate new technology solutions and methods being designed and developed that may offer technological supplements and alternatives to this guidance. New infrastructure coming into the market presently will help the FATF to mitigate the risks, while also ensuring the global economy can capture the benefits this new technology has to offer.