Adan’s position on FATF’s updated guidance for a risk-based approach
Adan welcomes the FATF adaptations of its guidance based on previous recommendations issued by Adan. The Association strongly supports the development of appropriate KYC-AML measures to prevent money laundering and financing of terrorism-related risks (“ML/FT risks”) and more broadly any illicit use of virtual/crypto-assets.
However Adan thinks that some areas of improvements remain to build an appropriate and proportionate AML-CFT framework for markets in crypto-assets:
A broad interpretation of the notions of virtual assets and VASPs, whose regulatory/legal consequences are irrelevant or even counterproductive:
- Almost all NFTs qualify as virtual assets, and thus fall within the scope of the AML/CFT.
- Many people (including natural persons) involved in the development of DeFi applications are considered as VASPs.
- Adan agrees with the FATF’s definition on stablecoins. However, associating stablecoin governance bodies and central developers with VASPs is neither appropriate (they are not providing services on crypto-assets) nor useful as these actors do not have a direct relationship with their users and therefore cannot carry out AML/CFT requirements. Furthermore this is inconsistent with the MiCA approach.
Decentralised finance (DeFi) must comply with the traditional AML/CFT rules, without further adaptations and granularity:
- If a legal person has sufficient influence on the operation of the protocol, it may qualify as a VASP and will have to comply with AML/CFT obligations towards the users of the protocol. However, the “sufficient influence” concept is unclear and may create discrepancies of interpretation between jurisdictions and qualify many VASPs if this interpretation is too broad.
- The possibility for a national competent authority to require – if there is no identifiable underlying entity to the protocol – that an entity be created in order to qualify as a VASP may distort the intrinsic substance of this ecosystem, while being in practice unfeasible.
- Ultimately, only certain protocols – whose founders would remain anonymous, with a particularly decentralised DAO and no central entity – could be excluded from the definition of VASP.
Obligation of VASPs to apply the travel rule, which should not be rushed or too broad:
- The flexibility granted in the implementation of the travel rule by States threatens a harmonised implementation between Member States, to the detriment of actors from the most virtuous jurisdictions.
- Even if the FATF requirement is less strict, the travel rule is imposed on VASPs in the scenario of transactions involving a non-hosted wallet (considered by the FATF as a non-obliged entity). However, there is neither exchange of information possible as there is only one VASP, nor data collection possible.
- The application of the travel rule is currently hampered by the lack of information exchange channels compatible with the FATF requirements: a European solution must first be developed.
- The obligation for VASPs to systematically verify that the initiator and the beneficiary of a transaction are not subject to sanctions, and the possibility to suspend the transfer during this verification, appears extremely restrictive for the crypto-asset sector and goes against the principle of technological neutrality (indeed, there is no such obligation in the case of transfers of funds in legal tender).
Adan provides detailed analyses and recommendations on all these points in this document.
On 28 October, the FATF published its updated guidance. This update guidance comes in a particular context: in March 2021, the FATF published a first proposal for revised guidance targeting Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) and, in parallel, opened a one-month consultation with industry players. Adan responded to this public consultation, highlighting various issues relating to the definition of VA and VASP and the implementation of the Travel Rule.
The new revised Guidance seems to have taken into account the recommendations made by the industry and adjusts the definitions by proposing additional measures to prevent money laundering and terrorist financing risks in the digital assets sector.
Adjustments proposed by the FATF since the consultation that they launched are the following:
- Firstly, the updated guidance clarifies the definitions of VA and VASP and promotes a broad interpretation of them.
- The FATF defines non-fungible tokens (NFTs) as collectible assets that are not in themselves virtual assets. But if NFTs are used for payment or investment purposes, they can be treated as VAs. Moreover, NFTs that are digital representations of other assets (e.g. tokenised financial assets) would not be considered virtual assets, but covered as such financial assets.
- The FATF has also expressed its opinion on whether central bank digital currencies (CBDCs) should be considered as virtual assets. For the FATF, they are not VA because they are simply digital representations of fiat currencies.
- Lastly, the FATF excludes from the definition of VASP certain actors who do not exercise direct control over virtual assets such as hardware wallet manufacturers, providers of unhosted wallets, miners or cloud services providers.
- Also, in this new draft guidance, FATF has attempted to revise its approach to decentralised finance protocols, while leaving broad interpretation to national authorities. FATF explains that DeFi protocols (e.g. the decentralised application itself) are not VASPs but, if a legal entity has a “sufficient influence” over the operation and provision of services offered by the protocol, then that legal entity may be a VASP. Furthermore, if no VASP is identified due to the absence of an underlying entity created by the protocol operators, countries may require the protocol to create an entity that will qualify as a regulated VASP. In general, the FATF wants a broad interpretation on the qualification of VASPs. Paragraph 80 of the guidance states that “the FATF envisages very few VA arrangements without VASPs being involved at some point if countries apply the definition correctly”.
- In addition, the FATF states that stablecoins should be treated as either VAs or securities under the existing regulatory framework. Operators of stablecoins that have a sufficient level of influence on the development and launch of the stablecoin may be treated as a VASP.
- Finally, concerning the Travel Rule, the FATF recalls the need for States to proceed with the implementation of the Travel Rule in the virtual assets sector. Some requirements have been added, including that institutions must verify that originators and beneficiaries are not subject to sanctions (§183). As this verification takes time and may be completed after settlement, this may require measures such as placing a hold on transfers until that time (§194).
I – Revision of the VASP and VA definitions with regard to NFTs and decentralised finance (DeFi)
A – An assimilation of NFTs used for payment or investment purpose to virtual assets
As a matter of principle, the FATF considers that non-fungible tokens (NFTs) are “digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments”. According to the FATF in paragraph 53, a NFT is – in principle – not a virtual asset, but if they are used for payment or investment purposes, they can be treated as a virtual asset. In addition, NFTs that are digital representations of other assets (e.g. tokenised assets which are not a digital representation of value) would not be considered as virtual assets, but covered as such assets by FATF guidelines.
Adan advocates adaptations to the regulation of NFTs based on their intrinsic characteristics. According to Adan, NFTs offer a myriad of use cases that require a casuistic regulatory approach. The willingness to include a broad definition of NFTs, while establishing certain criteria for their inclusion, is a good approach in order to integrate these new assets in an AML/CFT system as well as possible.
However, some clarifications are required on how an NFT used for payment or investment purposes should be interpreted. The borderline between NFTs used for payment or investment -purposes and NFTs used for other purposes is sometimes much blurrier than it seems. An unclear separation could be difficult to enforce by the crypto-asset industry. Most of the time, an NFT is purchased with the objective (even secondary) of making a profit. Therefore, regarding the FATF criteria, it would seem that most NFTs could qualify as virtual assets (even those whose underlying asset is an asset already covered by the previous FATF guidelines).
The “payment or investment -purposes” criteria is not appropriate to help classify NFTs. A more granular case-by-case analysis and distinction of NFTs should rely on the underlying asset. Adan is preparing a detailed legal analysis on NFTs and recommending a methodology to qualify such assets.
B – An exclusion of DeFi protocols from the definition of VASP
According to the FATF in paragraph 67, decentralised finance protocols (i.e. software programs developed on blockchain networks providing financial services) are not qualified – in themselves – as VASPs. However, the FATF considers that “creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services.”
This was confirmed in paragraph 84 which states that “a person that creates or sells a software application or a VA platform (i.e., a software developer) may therefore not constitute a VASP, when solely creating or selling the application or platform”. Nevertheless, “using the application or platform to engage in VASP functions, as a business on behalf of others, however, would change this determination”.
Adan welcomes the FATF’s position to exclude decentralised finance protocols – programs developed on a blockchain network – from the definition of VASP (at §67).
Adan also agrees with the FATF provision (§84) that a person that creates or sells a software application or a VA platform may not constitute a VASP, when solely creating or selling the application or platform. According to Adan, it is wrong to think that launching a smart contract on a decentralised infrastructure to offer VASP services is the same as offering them, and exercising direct control over the users. In many cases, control of these decentralised applications is left by the creators of the protocol to a decentralised autonomous organisation (DAOs).
However, in our view, the second sentence of paragraph 67 of the guidance seems problematic. We understand that the Recommendations are aimed at including any entity that retains significant control over assets and operations, and the current definition includes individuals such as creators, owners, developers. According to us, these people have, most of the time, no significant control over these operations and are therefore not in a position to implement AML/CFT measures.
Adan recommends that the second part of paragraph 67 of the FATF updated guidance be deleted. The paragraph would read as follow :
“A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology (see paragraph 82 below).
However, creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. This is the case, even if other parties play a role in the service or portions of the process are automated. Owners/operators can often be distinguished by their relationship to the activities being undertaken. For example, there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement. These are not the only characteristics that may make the owner/operator a VASP, but they are illustrative. Depending on its operation, there may also be additional VASPs that interact with a DeFi arrangement.“
II – Identification of a VASP underlying the DeFi protocol
|Decentralised finance requires an alternative regulatory approach
1.Traditional regulatory frameworks are designed for centralised activities, not for decentralised use cases According to Adan, decentralised finance services, which are not based on central entities and are developed on distributed ledger technologies, require a drastic revision of the commonly accepted approach to regulating financial actors. Indeed, the traditional finance system is based on a centralised architecture, which has gradually led to regulation based on the supervision and responsibility of the intermediary (e.g. bank, insurance, and others). With regard to decentralised finance, an important issue needs to be resolved: determining the criteria for making an authority competent to supervise a decentralised finance protocol. Indeed, financial regulation is built around the territorial application of rules. However, many decentralised finance protocols have no registered company, and no effective directors (e.g. some creators of decentralised finance protocols remain anonymous). It is therefore difficult for a national authority to establish the affiliation of decentralised finance protocols, and it seems necessary, before obliging the actors, to establish clear legal criteria of affiliation. As a consequence, in our view, it is difficult to envisage an effective and long-term legal framework for decentralised finance if it is not designed around the principles inherent in these applications. A regulation that is not adapted to these new services could be ineffective and considerably limit the exponential growth of the players in this industry.
2. The risk profile of DeFi activities is different from traditional finance and very heterogeneous If the ML-FT risk in the DeFi ecosystem is there, the level and the materialisation is very different from the centralised financial system, and from one protocol to another:
Funds used are not swapped into fiat currency. They will be swapped back into fiat currency when they are transferred back to a centralised platform. This is exactly the point at which the money laundering infraction will be established.
→ There must be a focus on the crypto to fiat swap.
When assets do not leave the chain, the advantage in DeFi is that they remain traceable. Only decentralised mixers – such as Tornado Cash – cannot be subject (for the moment) to a precise transactional analysis by analytical tools such as Chainalysis or Scorechain.
→ Use and sophistication of blockchain analysis tools will be key to manage risks in the DeFi ecosystem.
Over the past years, decentralised finance protocols have been subject to a wide variety of attacks, stolen funds being usually laundered or use for illicit activities thereafter. DApps (decentralised applications) used to attempt to launder criminal proceeds from such attacks are cross-chain bridges, decentralised exchanges and decentralised mixers. Indeed such DApps are generally used as “layering” tools, to introduce artificial complexity to transactions in order to make it more difficult for authorities to trace funds. However, all other kinds of protocols – used to deploy lending services, insurance services, decentralised derivatives, aggregators, conflict mitigation, etc. – are not useful for criminals wanting to launder their illicit “funds”. Only decentralised mixers – such as Tornado Cash – cannot be subject (for the moment) to a precise transactional analysis by analytical tools such as Chainalysis or Scorechain.
→ Specific rules must target DApps where the ML-FT risk can materialize (so-called “layering tools”) while they are not so relevant for other protocols.
The current approach taken by the FATF is a significant extension of covered entities’ definitions and operations. The FATF provides for: (A) The ability to identify a VASP underlying the DeFi protocol ; (B) The ability to require a DeFi protocol to create an entity that will qualify as a VASP ; (C) The necessity to include a VASP for every VA arrangements.
A – The possibility to identify and qualify an entity underlying the DeFi protocol as VASP
The FATF explains that if a natural or legal person “maintains control or sufficient influence” for the protocol, it may be considered as a VASP, if they are providing or actively facilitating the services.
Indeed, the paragraph is drafted as follows: “In order to qualify a VASP, Competent Authorities will need to verify, inter alia, the level of control or sufficient influence over the assets or certain aspects of the service protocol, and the existence of an ongoing commercial relationship between them and users, even if this is exercised through a smart contract or, in some cases, voting protocols. Countries may also wish to consider other factors, such as whether a party is profiting from the service or has the ability to set or change parameters that identify the owner/operator of a DeFi device.”
Adan questions the interpretation that should be given to the term “sufficient influence”. From Adan’s point of view, it is necessary to explain in more detail the situations in which a person would be seen as exercising such influence on the functioning or governance of the protocol. Indeed, there is a risk of divergent interpretations between States, which would lead to an unharmonised framework.
The level of involvement depends on each protocol and the influence exerted by those active on these applications can sometimes vary greatly (depending on the level of immersion of an entity in the affairs of the protocol, the number of active participants in the DAO and their level of involvement, etc.). The establishment of clearer criteria detailing precisely how the influence exerted by a person on the protocol is judged to be significant enough to qualify as a VASP would be welcome.
In the coming AML-CFT framework, a binary dichotomy “control/influence vs. no control/no influence” is wrong. The analysis of various criteria, such as the following examples, should help build a more precise rating:
- The transactions sent by the clients to the protocol or smart-contract are controlled or supervised by the deployer / developer.
- The deployer / developer has, in practice, retained the control over the smart-contract or the governance of the protocol.
- The deployer / developer is the sole beneficiary of the transaction fees paid by the users.
- The smart-contract or protocol can only be used in conjunction with another business operated by the deployer / developer and that is not operated on the blockchain.
- The protocol can only be used through an interface that is controlled by the developer / deployer.
B – The possibility to order the protocol to create an entity that will qualify as a VASP
In paragraph 69, the FATF accepts that if no VASP is identified over a DeFi protocol, there may not be a central owner/operator that meets the definition of a VASP. Countries should monitor for the emergence of risks posed by DeFi services and arrangements in such situations, including by engaging with representatives from their DeFi community.
Also, the FATF explains that the competent authorities have the power to “require that a regulated VASP be involved”. If no VASP is identified due to the lack of an underlying entity created by the managers of the protocol, the authority may direct the protocol to create an entity that will qualify as a VASP.
According to Adan, this provision seems to be very restrictive for decentralised finance actors. The objective of DeFi is to allow greater access to financial services traditionally offered by banks and financial institutions, without a trusted third party but through a decentralised infrastructure. Requiring a DeFi protocol to constitute a central entity which will then be qualified as a VASP seems to be in contradiction with the nature of this decentralised ecosystem. Besides, the formulation in the revised guidance brings the question of which national authority can be deemed competent to make this requirement.
Such a requirement would be somewhat more realistic for the most important protocols in the ecosystem since most of the important DeFi applications already have an underlying entity that provides a significant level of control for the operation of the platform. While these entities could easily be identified and qualify as VASPs, the same cannot be said for all protocols.
However, Adan would like to draw the attention of the FATF on the difficulty for DeFi protocols to put in place KYC (Know Your Customer) and CDD (Customers Due Diligence) measures. Users of these applications use unhosted wallets and have, to date, no means of implementing customer identification. De facto, decentralised finance protocols cannot be expected to comply with the same AML/CFT requirements as centralised actors (such as centralised exchanges).
Adan’s recommandation :
Adan proposes that the FATF focus exclusively on protocols that allow money launderers to add a layer of complexity to the transaction model to make the tracking of funds more complex and tools to add a layer of anonymisation to transactions.
C – The willingness to include a VASP for every VA arrangements
In order to bring as many entities as possible under the definition of VASP, the FATF wishes to extend its guidelines considerably to digital asset activities. Indeed, according to paragraph 80 of the guidance, “the FATF envisions very few VA arrangements without VASPs involved at some stage if countries apply the definition correctly”.
From this paragraph, it appears that DeFi protocols and all other systems allowing the transfer of virtual assets are not considered as VASPs as such, but, in order to fulfil their AML/CFT obligations, they will need a legal entity qualified as a VASP (and thus subject to AML/CFT requirements).
According to Adan, this provision seems too large and ambitious given the youth of this ecosystem. Most decentralised finance protocols are developed at the initiative of coders who do not necessarily have the financial and human resources to create a real structure and set up an AML/CFT system, which is particularly complex to set up, especially in the digital assets sector.
As a consequence, Adan proposes to delete this paragraph which appears very broad and practically incorrect.
III – Control of stablecoins and their operators
A – An assimilation of stablecoins to VA
Paragraph 54 of the updated guidance states that stablecoins must be identified as VAs or financial securities according to the regulations in force in the member country. As a consequence, in Europe, stablecoins need to be understood as virtual assets or crypto-assets.
Adan agrees with the FATF’s position that in Europe, the proposed Market in Crypto-Assets (MiCA) Regulation defines stablecoins as a subcategory of crypto-asset and regulates them to that effect by establishing a specific regulatory regime for their issuance.
B – The debatable qualification of stablecoin control bodies as VASPs
In this update, FATF recalls the AML/CFT risks posed by stablecoins. According to the Gafi, where a stablecoin is held by a “central developer or governance body” that is responsible for the management and development of the stablecoin (e.g., determine the functions of the stablecoin, managing the stabilisation solution), that body will fall within the definition of VASP. On the other hand, if a stablecoin has some party that conducts the “development and launch” of the stablecoin, that party could fulfill the function of a VASP. Similarly, a party that has decision-making power over the structure could qualify as a VASP.
Adan questions the pertinence of qualifying a stablecoin control body as a VASP. Indeed, in our view, issuers or central bodies related to the governance or issuance of a stablecoin – such as Circle – have no relationship with the end users of those crypto-assets and as such we do not see how they would be able to ensure compliance with an AML/CFT framework.
IV – Application of the Travel Rule d
The FATF guidance reminds that Recommendation 16 (requirements applicable to wire transfers) applies independently of whether transfers are denominated in fiat currency or virtual assets and goes on to provide detail on how this recommendation applies in the VA context (the “Travel Rule”).
A – The introduction of additional requirements for compliance with the Travel Rule
According to paragraph 179, AML/CFT requirements apply in the same way as traditional transactions to VA transfers between a VASP and another obligated entity (VASP or other Financial institution). This means that the originating institution must collect and verify the originator’s name, account number (or wallet address in the VA context) and either address, ID number, customer identification number or date/place of birth. It must also collect, but not verify, the beneficiary’s name and account number (i.e. wallet address). For the beneficiary institution, the verification obligations are reversed: they can rely on the information provided for the originator but must verify the ones related to the beneficiary.
In addition, the FATF adds in paragraph 183 that VASPs should verify that originators and recipients are not subject to sanctions and, as this verification takes time and may be completed after settlement, paragraph 194 a. states that this may require measures such as putting transfers on hold until that time.
According to Adan, these additional control requirements could considerably constrain the players in the implementation of the Travel Rule. On the other hand, it is – in our view – not economically acceptable nor technologically feasible to suspend a transaction between two users to ensure control over the recipients and whether they are not subject to any sanctions. Besides, this obligation does not apply to every transaction in the traditional financial sector – where ongoing screening is done on a periodic basis on client databases rather than on every individual transaction – and this would risk breaching the technology neutrality principle.
B – The establishment of a staged approach for the implementation of the Travel Rule m
Furthermore, paragraph 200 of the guidance recognises that implementing the rule may be fraught with difficulties and thus “countries may wish to take a staged approach to enforcement of travel rule requirements to ensure that their VASPs have sufficient time to implement the necessary systems”.
Adan welcomes the FATF’s commitment to a staged approach to implementation of travel rule. According to Adan, this will allow regulators to be flexible in the initial deployment, recognising the real problems that VASPs and service providers have reported to them
Furthermore, Adan would like to draw the attention of the FATF to the risks associated with the progressive implementation of the Travel Rule in the crypto-asset sector. Indeed, some countries are moving at different speeds and this inevitably results in some of them requiring VASPs to comply before other jurisdictions (the “sunrise issue”), leaving VASPs in the difficult position of not knowing how to deal with VASPs in jurisdictions where the rule is not in place. It will thus be key to see how national regulators go on about implementing the rules and what expectations they place on their VASPs, notably to acknowledge the technical and security challenges that the rule’s implementation brings.
In the future AML-CFT framework, Adan proposes to give sufficient time to the actors to implement TR with a definitive deadline or at least the same progressive approach for all in order to avoid any disparity between actors in different states in the implementation of TR. In our view, a poorly harmonised implementation of TR would risk making its implementation particularly complex.
C – Limitations to the implementation of the travel rule
1. The implementation of a “limited application” of the Travel Rule for unhosted wallets
In this update guidance, FATF affirms that transactions involving unhosted wallets are also covered by the travel rule. Indeed, at paragraph 179, the FATF states that “The requirements of Recommendation 16 apply to VASPs whenever their transactions, whether in fiat currency or VA, involve: […] (c) a VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet) […].” The paragraph precises in contrast that full requirements of Recommendation 16 shall not apply to a virtual asset transfer between a VASP and an unhosted wallet.
In addition, due to the difficulties in implementing the travel rule in transactions involving non-custodial wallets, at paragraph 204 FATF states that the application of recommendation 16 may be different where the transaction involves a non-VASP (like transactions to/from unhosted wallets). In these cases, while the FATF does not expect VASPs to submit information to individuals who are not obliged entities, it does expect that VASPs obtain information on originators and beneficiaries from customers in cases involving transfers to/from non-VASP entities (e.g from an individual VA user to an unhosted wallet).
According to Adan, the application of the Travel Rule seems particularly complex with unhosted wallets because these wallets allow individuals to trade virtual assets on a peer-to-peer basis, which means that there is not necessarily an obligated entity involved in each transaction. As a consequence, Adan agrees that the draft guidance does not require full implementation of the Travel Rule for transactions involving a VASP and a non-obligated entity such as unhosted wallets. In our view, the adaptation of the Travel Rule to transactions involving an unhosted wallet needs to be further developed. Adan therefore proposes not to apply the Travel Rule to transactions involving an unhosted wallet.
2. The implementation of the Travel Rule raises important risks in terms of protecting the personal data of virtual asset users
In fine, in paragraph 188, the FATF states that as long as this is met and the information is available to authorities, the data does not need to be part of the transfer or be registered in the blockchain.
In view of the risks posed by the Travel Rule in terms of the protection of personal data of VASP customers, paragraph 294 precises that : “VASPs should have recourse to altered procedures, including the possibility of not sending user information, when they reasonably believe a counterparty VASP will not handle it securely while continuing to execute the transfer if they believe the AML/CFT risks are acceptable. In these circumstances, VASPs should identify an alternative procedure, whose control design could be duly reviewed by their supervisors when requested”.
The Travel Rule requires the sharing of information with other VASPs when transferring VA. These VASPs may be located in countries outside the European Union that do not provide equivalent safeguards for the protection of personal data. This is, according to Adan, the main concern with sharing personal data with these foreign VASPs. Indeed, the latter may have different levels of security standards, a less demanding framework in terms of AML/CFT and data protection. In Europe, the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, provides a particularly protective framework for the protection of European citizens’ personal data. It is therefore necessary to implement a Travel Rule guaranteeing an equivalent level of protection for users of crypto-assets. It is therefore necessary to coordinate with national authorities (taking into account the regulatory framework applicable to each State) to develop stringent international standards than ensure safe transmission of personal data, while guaranteeing that technological solutions that emerge to ensure compliance are interoperable
Furthermore, according to Adan, in terms of practical modalities, the expectation is that the date is submitted “immediately” (thus excluding ex post submission) and “securely” raises questions about the guarantees to protect the personal data thus transferred.
Read Adan’s position paper:2021-10-02-Adan-position-FATF-Updated-guidance-VASP-1