VASPs — Assemble!

Dan Roseman
Jun 14, 2019
I’m no good at Photoshop, but you get the point…

The Financial Action Task Force (“FATF”) — a multi-national group of 36 countries responsible for developing recommendations related to Money Laundering and Terrorist Financing — is expected to finalize and adopt its most rigorous Recommendation regarding virtual assets on June 21st. The Recommendation compels Virtual Asset Service Providers (“VASPs”, which include Exchanges, Custodians, and Hedge Funds) to collect data such as Legal Names and Physical Addresses of Senders & Receivers of virtual asset transactions over $/€1,000 and to transmit this data amongst each other, as banks currently do with wire transfers.

This guidance places new requirements on VASPs which are technically infeasible (due to the architecture of virtual assets) and could likely have significant unintended consequences, such as driving virtual asset activity underground where transactions are even more opaque. It will also require VASPs to cooperate with each other in unprecedented ways, and there is currently no infrastructure for such cooperation.

Despite technical limitations on enforcement, the G20 Financial Ministers and Central Bank Governors reaffirmed their support for FATF’s guidance in a Communiqué published by the Japanese Ministry of Finance on June 9th, following the G20 meeting held in Fukuoka the prior day:

We reaffirm our commitment to applying the recently amended FATF Standards to virtual assets and related providers for AML and CFT. We look forward to the adoption of the FATF Interpretive Note and Guidance by the FATF at its plenary later this month.

Never has it been clearer that a Self-Regulatory Organization (“SRO”) for VASPs is needed to develop and implement sensible AML/CFT (“Anti-Money Laundering” / “Combating the Financing of Terrorism”) rules which are applicable to the unique nature of blockchain virtual assets.

Recommendation 15

FATF’s Recommendation 15 was amended in October 2018 to include virtual assets:

To manage and mitigate the risks emerging from virtual assets, countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations.

This just means that VASPs are required to adhere to the same AML/CFT regulations that traditional financial institutions in FATF’s member countries currently do. The controversial part is in Paragraph 7(b) of FATF’s Interpretative Note to Recommendation 15, published on February 22, 2019.

Paragraph 7(b)

Paragraph 7(b) requires VASPs to not only collect & verify certain customer information on virtual asset transfers exceeding $/€1,000, but to transmit this information to counterparty VASPs and to make the information available to authorized government agencies upon request.

Paragraph 7(b) of FATF’s Interpretative Note to Recommendation 15 states:

With respect to preventative measures, the requirements set out in Recommendations 10 and 21 apply to VASPs, subject to the following qualifications:

(b) R.16 — Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16.

FATF clarifies that beneficiary information need not be attached directly to virtual asset transfers; rather, VASPs are required to collect and retain this information for transmission to beneficiary VASPs/counterparties and appropriate authorities upon request. FATF does not, however, specify the amount of time that VASPs are required to retain this data.

The challenge with “taking freezing action and prohibiting transactions with designated persons and entities” is that VASPs cannot reject incoming virtual asset transactions (with some exceptions for compliant Stable Coins such as USDC which have this control built-in). Furthermore, reverting funds back to an Originator address does not guarantee that the Originator will receive the funds back, as is the case where the Originator is another VASP which batches customer withdrawals together; in this situation, the Originator VASP would not know which customer account to credit.

A VASP can freeze withdrawals of funds in addresses under the VASP’s control, but even then it cannot prevent deposits to the frozen address.

According to CoinLore, there are 2,384 virtual assets in the world, and there will certainly be more by the time you read this. Distributed Ledger Technology is being developed at a much more rapid pace than Regulators can keep up with, and there is a growing focus on privacy. Just last month, Vitalik Buterin proposed an on-chain Ether mixer, and Ernst & Young (EY) open sourced its Nightfall solution for private Ethereum transactions:

Nightfall integrates a set of smart contracts and microservices, and the ZoKrates zk-snark toolkit, to enable standard ERC-20 and ERC-721 tokens to be transacted on the Ethereum blockchain with complete privacy. It is an experimental solution and still being actively developed.

These are just some of the technical realities of virtual assets which make the FATF Recommendation a square peg in a round hole.

The Travel Rule

FATF’s Recommendation applies what is known in the U.S. as the “Travel Rule” — which requires financial institutions to collect, verify, and transmit Originator and Beneficiary information for electronic funds transfers — to virtual assets. The Travel Rule requires financial institutions to collect and transmit data such as the Sender and Recipient’s Legal Name, Physical Address, and Bank Name for funds transfers (usually wire transfers) equal to or greater than $3,000.

The Travel Rule is designed to ensure that financial institutions (and the law enforcement agencies they cooperate with) are able to trace and identify individuals involved in a funds transfer of $3,000 or more for AML/CFT purposes. It makes sense when applied to centralized financial institutions that have the infrastructure and resources to comply.

The challenge with applying the Travel Rule to cryptocurrency transactions is that “Travel Rule Data” (Legal Names, Physical Addresses, Bank Names & Accounts, etc.) is not readily obtainable, verifiable, or transmittable with cryptocurrency transactions. That is because, as the blockchain analytics firm Chainalysis aptly puts it in its public response to FATF, “Virtual Assets are designed to provide a way to move value without the need to identify the participants in a transaction.”

Indeed, the only thing needed to move value on a blockchain is a pair of alphanumeric cryptographic keys, known as public and private keys. A “public key” — more commonly known as the “address” — is the destination of the virtual asset, and the “private key” is a type of authentication which executes the transfer. Neither of these keys contains the requisite Travel Rule Data.

Illustrating the Problem

Here is a typical form that needs to be completed for wire transfers:

A typical form required to send wire transfers (in this case, JPMorgan Chase Bank).

Contrast that with the information required for a bitcoin transfer:

A typical bitcoin transfer using a VASP (in this case, Coinbase.)

While transaction addresses and amounts are visible on public blockchains such as Bitcoin and Ethereum (for now), the same is not true for privacy-oriented virtual assets such as Monero or Grin.

For example, here is a typical bitcoin transaction containing the Originator & Beneficiary addresses and amount transacted:

Bitcoin transactions always show sending/receiving addresses and amounts.

Compare that with a confidential transaction on Monero, which excludes Originator & Beneficiary address information and transaction amounts:

Monero transactions are confidential by default, obscuring sending/receiving addresses and amounts.

Monero does have the ability to include a “view key” which, if granted by the Originator, reveals the addresses and amounts involved. However, Monero transactions are confidential by default with transparency as an opt-in option.

The fact of the matter is that some virtual assets feature privacy architectures that simply render compliance with FATF’s Recommendation impossible.

Identifying VASPs on the Blockchain

Blockchain forensics firms such as Chainalysis and Elliptic specialize in aggregating and analyzing blockchain data in order to identify VASPs and other entities such as darknet markets and peer-to-peer exchanges.

For example, here’s what the recent Binance hack looks like under the lens of proprietary software developed by Chainalysis:

Chainalysis is able to aggregate blockchain data to identify VASPs such as Binance (source).

VASPs will need to leverage blockchain forensics to gain insight into whether the counterparty to a virtual asset transaction is a VASP. That said, these tools are only effective with certain virtual assets and can be easily thwarted by using one or more non-custodial wallet(s) as the intermediary between two VASPs, as illustrated below:

Credit: Global Digital Finance / gdf.io (source)

Negative Implications

In its response to FATF, Chainalysis highlights the symbiotic relationship between VASPs and Law Enforcement, and makes the case that strict enforcement of the FATF Recommendation will encourage the use of more opaque systems like decentralized and peer-to-peer exchanges:

Forcing onerous investment and friction into regulated VASPs, who are critical allies to law enforcement, could reduce their prevalence, drive activity to decentralized and peer-to-peer exchanges, and lead to further de-risking by financial institutions. Such measures would decrease the transparency that is currently available to law enforcement.

There are also significant privacy implications which might put the FATF Recommendation in direct conflict with GDPR; GDPR aims to give individuals more control over their personal data, which does not jibe well with the FATF requirement for VASPs to retain and transmit personal data tied directly to financial transactions.

Self-Regulation

There are varying degrees of industry self-regulation, but in this context I use the term to mean members of an industry leveraging their expertise to lead the development of regulations, while continuing to leave the enforcement of those regulations up to the appropriate authorities. While industry members are often afforded a “comment period” to provide feedback on proposed regulation — as is the case with the FATF Recommendation — these comment periods are often too short for the tidal wave of responses to be fully absorbed or given full consideration.

Distributed Ledger Technology is highly intricate and rapidly evolving. Few have greater insight into the actual issues and challenges than those with their boots on the ground — the VASPs themselves. VASPs can leverage transaction monitoring to identify emerging risks in terms of AML/CFT compliance, and are motivated to do so by independent audits and exams.

Global Digital Finance is a promising nonprofit Self-Regulatory Organization (“SRO”) that develops and promotes best practices for VASPs and Distributed Ledger Technologies in a shared forum with industry members, policymakers, and Regulators. It has an AML/CFT Working Group which was initially established in May 2018 to provide feedback ahead of FATF’s September 2018 Plenary. The Working Group now has over seventy members — including top exchanges, law firms, and technology developers — who meet weekly to fulfill the following remit:

  1. Respond to consultations, including request for input from FATF.
  2. Develop an AML/CFT Code of Conduct in line with the existing codes developed by the Global Digital Finance community.
  3. Develop best practice guides to support VASPs in creating baseline industry standards with regard to the detection and prevention of money laundering and terrorist financing.

Global Digital Finance’s response to FATF’s request for input on Paragraph 7(b) is a work of art and a prime example of good-faith efforts at self-regulation; it is over twenty pages and discusses in great detail the challenges of complying with the FATF Recommendation while offering alternative solutions which satisfy its spirit and intent.

Conclusion

Technology almost always develops more rapidly than Regulators can keep up with — and this is especially true with Distributed Ledger Technology. The tension between new financial technologies and AML/CFT compliance lies in the difficult balance of fostering innovation while controlling for money laundering and terrorist financing risks. Compliance-minded VASPs — such as the members of Global Digital Finance — are allies in the fight against money laundering and terrorist financing. These VASPs have unique insights into the actual AML/CFT challenges and are in the best position to lead the development of sensible regulations, while leaving the enforcement of those regulations up to the Regulators.

VASPs — Assemble!
