In June 2019, the Financial Action Task Force (the “FATF”) published the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (“VASPs”) to clarify how FATF’s existing standards on anti-money laundering and countering the financing of terrorism (“AML/CTF”) (the “Recommendations”) apply to virtual assets and VASPs. As per its ongoing monitoring of the rapid development, increasing functionality, and growing adoption of the virtual assets and VASPs, on 28 October 2021, the FATF published an updated version of the guidance (as updated, the “Guidance”).
The Guidance mainly aims to aid private sector entities engaging with virtual asset activities or operations and help them to understand and comply with their AML/CTF obligations. Within this scope, in the Guidance, the FATF clarifies the definitions of virtual assets and VASPs and addresses new areas concerning virtual asset space, such as non-fungible tokens, stablecoins, peer-to-peer transactions, and decentralized finance. The Guidance further sets out the requirements for VASPs and suggestions for countries to adopt to oversee compliance with such requirements in their jurisdictions.
In this bulletin, we touch on only some of the notable matters elaborated under the Guidance.
Virtual Assets and VASPs
The Recommendations define a virtual asset as “a digital representation of a value that can be digitally traded or transferred and can be used for payment or investment purposes”, and a VASP as “any individual or legal entity (a) who is not otherwise specified under the Recommendations (e.g., a financial institution), and (b) who conducts one or more of the following activities or operations for, or on behalf of, other individuals or legal entities:
(i) Exchange between virtual assets and fiat currencies;
(ii) Exchange between one or more forms of virtual assets;
(iii) Transfer of virtual assets;
(iv) Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
(v) Participation in, and provision of financial services related to, an issuer’s offer and/or sale of a virtual asset.”
In addition to reiterating these definitions, the Guidance addresses several concepts and arrangements, and elaborate on the terms of assessment to determine whether they qualify as virtual assets or VASPs as defined by the FATF.
Non-Fungible Tokens (“NFTs”)
The Guidance explains that NFTs, depending on their characteristics, generally do not fall within the FATF’s virtual asset definition. However, as per the Guidance, when assessing whether an NFT is a virtual asset or not, the nature of the specific NFT in question needs to be considered. Regardless of its name, where an NFT is used for payment or investment purposes, it may be deemed as a virtual asset. Accordingly, the FATF encourages understanding an NFT’s utilization and function when assessing its classification and, therefore, suggest that countries consider the application of the Recommendations to NFTs on a case-by-case basis.
Stablecoins and Peer-To-Peer (“P2P”) Transactions
As per the Guidance, stablecoins, having a central developer or governance body can, in general, be covered by the Recommendations, either as a financial institution or a VASP. In each case, such entities will need to undertake AML/CFT risk assessments before the launch or use of the stablecoin and take necessary measures to mitigate the risks before launch. However, depending on whether the entity is classified as a VASP or a financial institution, the explicit rules that will apply may vary. Even if it is not likely, sometimes, a stablecoin may not have an identifiable central body that qualifies as a VASP or financial institution. If this is the case, the Guidance suggests that countries carefully consider the risks that the subject stablecoin poses and adopt the necessary measures for mitigating such risks.
The Guidance emphasizes that as stablecoins have the potential for mass adoption, the transfer/exchange of stablecoins without the use of VASPs, by way of P2P transactions, may elevate the risk of money-laundering and terrorism financing. That said, P2P transactions are trackable through the public ledgers of the used blockchains and, unless the referred P2P transactions are not carried out through anonymity-enhancing technologies, such ledgers can be used for financial analyses and law enforcement investigations.
The Guidance suggests that based on the assessed risk pertaining to P2P transactions, countries may consider (i) implementing controls facilitating visibility of P2P activities, (ii) conducting risk-based supervision of VASPs and other entities with a focus on unhosted wallet transactions, (iii) obliging VASPs to facilitate transactions only to/from VASPs and other obliged entities, (iv) placing additional AML/CFT requirements on VASPs that allow transactions to/from non-obliged entities, (v) issuing guidance for VASPs regarding customers that engage in, or facilitate, P2P transactions, supported by risk assessment, indicators or typologies publications where appropriate and (vi) issuing public guidance and advisories and conducting information campaigns to raise awareness of risks posed by P2P transactions.
Decentralized Finance (“DeFi”)
The Guidance specifies that DeFi applications, meaning the underlying software or technology, are not VASPs under the Recommendations. Creators, owners, operators, or other persons maintaining control or sufficient influence in the DeFi arrangements may fall under the definition of VASPs. To distinguish owners/operators of DeFi arrangements, the FATF suggests assessing, among other factors, the relationship of a party to the activities being undertaken and whether a party benefits from the service or can set or change its parameters.
The Guidance further explains that DeFi arrangements calling themselves decentralized does not necessarily mean they are not controlled or sufficiently influenced by a centralized entity or individual. If a DeFi arrangement is not truly decentralized and its owners/operators meet the definition of a VASP, such owners/operators need to perform AML/CFT risk assessments before the launch or use of the software and take necessary measures continually to mitigate the risks.
The Guidance further establishes that there may be DeFi arrangements without the involvement of any legal entities or individuals that meet the VASP definition. The FATF recommends that countries monitor risks posed by such arrangements, for instance, by requiring that a regulated VASP be involved in its activities.
Requirements for VASPs
As per the Guidance, individuals and entities engaging in virtual assets activities and VASPs are required to take necessary measures to comply with the same set of AML/CTF standards that apply to financial institutions, in general. These measures include customer due diligence, record-keeping and suspicious transaction reporting. Also, in parallel with financial institutions, VASPs need to be licensed or registered, at a minimum where they were created and, if they are individuals, then in the jurisdiction where their business is located.
VASPs divert from the financial institutions in terms of the designated threshold above which they are required to conduct customer due diligence; the referred threshold is designated as USD/EUR 1,000 for VASPs, as opposed to USD/EUR 15,000 for financial institutions.
Another difference is that the FATF amends the wire transfer rule applicable to the financial institutions recognizing the unique technological properties of virtual assets and introduces its modified form to be applied to virtual asset transfers, under the name ‘travel rule.’ As per the travel rule, VASPs are required to collect and store information regarding originator and beneficiaries of virtual transactions, including their full names, account numbers/wallet addresses, physical addresses, and national ID numbers.
Requirements for Countries
The Guidance sets forth that countries, at their discretion, may prohibit or limit virtual asset activities or VASPs based on their risk assessments and national regulatory context to support their policy goals (e.g., customer and investor protection, safety, or monetary policies). Such prohibitions and limitations can include general/specific bans on products or services that may pose unacceptable levels of money-laundering and terrorism financing risks.
As per the Guidance, each country needs to designate at least one authority to be responsible for the licensing and registration of VASPs and have a mechanism identifying individuals and legal entities that carry out virtual asset activities.
Guidance’s Excepted Effects Over Turkey
In April 2021, the first piece of legislation under Turkish law concerning virtual assets, the Regulation Prohibiting the Use of Crypto Assets in Payments, was adopted. The regulation refers to crypto-assets and roughly defines them but, with its limited scope, does not address virtual assets and VASPs in general. In May 2021, the Regulation on Prevention of Laundering of Crime Revenues and Financing of Terrorism was amended to include crypto asset service providers among the obliged parties within the scope of the Law on Prevention of Laundering of Crime Revenues. Despite these legislative developments within the last year, referring to crypto-assets and crypto asset service providers, Turkish law does not provide any legal framework concerning virtual assets, VASPs, and the specific requirements that they must meet. The Ministry of Treasury and Finance of the Republic of Turkey stated that they have been conducting preliminary work together with numerous governmental bodies, including the Capital Markets Board, Central Bank of the Republic of Turkey, and Banking Regulation and Supervision Agency on a comprehensive law that addresses crypto-related matters and relevant AML/CTF obligations. The referred law is expected to clearly define the relevant notions, introduce regulations on VASPs such as minimum capital and licensing requirements, and tax-related aspects of the matter.
In the Guidance, the FATF urges countries to take immediate action to mitigate the money-laundering and terrorism financing risks presented by virtual asset activities and VASPs, given the global and cross-border nature of virtual assets. As the name implies, the Guidance is not a legally binding document, and it merely intends to guide countries to adopt its suggested structure into their national legislations. Even though it is not binding, considering that over 200 jurisdictions contributed to the preparation of the Guidance by leading individuals from various countries’ governmental bodies, it is bound to have a significant effect in the global arena. Accordingly, we expect that the upcoming legislation to be introduced in Turkey will be in line with the Recommendations and the Guidance.