FATF’s mandate is to create a global legal and surveillance infrastructure to combat money laundering (“ML”) and terrorist financing (“TF”). Technological innovation introduced by virtual asset, have the potential to spur financial innovation, efficiency and improve financial inclusion, but they also create new opportunities for criminals and terrorists to launder their proceeds or finance their illicit activities.
FATF has seen new illicit financing methods emerging and increased attempts to obfuscate transactions via use of virtual-to-virtual layering schemes such as mixers and tumblers, anonymity-enhanced cryptocurrencies (AECs) and services that enable or allow for reduced transparency and increased ML/TF risks, including fraud and market manipulation risks.
FATF Guidance introduced in June 2019, requires the same detailed “know your customer” or “KYC” rules that apply to banks, will similarly apply to any entity who is intermediating in the virtual asset ecosystem. FATF “recommends” the adoption of Travel Rule, which is part of the Bank Secrecy Act (BSA) that requires all financial institutions to pass on certain information to the next financial institution, in certain funds or wire transfers. Accordingly, Virtual Asset Service Providers (“VASPs”), e.g. exchanges, custodians and facilitators of virtual or digital assets (“VA”), will be required to determine the beneficial owner of both, sender and recipient in any such VA transfer and pass this information along to each other when transferring the funds.
Recommendation 15 Paragraph 7(b) R16 introduced, states that:
“…VASPs or other obliged entities that engage in VA transfers, … obligations to obtain, hold and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor availability of information, take freezing actions and prohibit transactions with designated persons and entities… required and accurate originator (sender) information and required beneficiary (recipient) information and submit this information to beneficiary institutions…”
Travel Rule is just one part of 1 of 40 recommendations. So it’s by no means the only thing that is affecting VASPs, the other KYC rules and Travel Rule was established to help law enforcement agencies to detect, investigate and prosecute money laundering and other financial crimes by preserving an information trail about persons sending and receiving funds through funds transfer systems, including the value transfer of VA.
Effect of non-compliance
According to FATF, countries and VASPs need to:
- Understand ML and TF risks that the sector faces and implement measures to mitigate risks and protect investors;
- License or register the Virtual Asset Service Providers (“VASP”) requiring them to obtain, hold and securely transmit originator and beneficiary information when making VA transfers;
- Supervise the sector as it does with other financial institutions — Implementing the same preventive measures, including customer due diligence, record keeping and reporting of suspicious transactions.
Whilst FATF’s Recommendations are non-binding and does not prosecute non-compliance, FATF puts the onus on its 200+ member countries to ensure that their local VASPs are compliant with its latest recommendations. Otherwise, FATF reserve the option, by adding non-compliant countries to high-risk monitoring list (grey list) or non-compliance list (blacklist).
Countries can decide to ban virtual assets altogether, an approach taken by countries such as Saudi Arabia, Vietnam, Pakistan, Bangladesh and countries such as China, India, and Egypt forbid virtual assets from being traded or used for payments.
Singapore’s Position
Singapore being one of the leading lights in the virtual asset regulatory world, has adopted FATF’s Recommendations and implemented a regulatory framework around its Payment Services Act (“PSA”), which together with supplementing notices (PSN02) and guidelines, puts in place a robust AML/CFT controls to detect and stop the illegal flow of funds through Singapore and implement its Travel Rule Singapore has further plans to introduce a new Omnibus Act for Financial Sector, which will align Singapore’s regulations even closer with the FATF in their supervision of VASPs.
Accordingly for VASPs who are conducting regulated activities, which involve the transfer of VA, such entities will need to establish an AML/CFT control framework and compliance with the Travel Rule.
If any VASP, who are conducting regulated activities on digital assets and are operating or present in Singapore, does not comply with AML/CFT controls and the Travel Rule, such VASP can expect a swift and strong response from MAS or other applicable regulators and expect punitive measures that prohibit them from operating its business.
What information must VASPs share?
According to FATF Guidelines, the VASP initiating the VA transfer needs to send to the receiving VASP the following information, immediately and securely:
Originator’s Information
- name, address or ID or date/place of birth and account info. / VA wallet address.
Beneficiary’s Information
- name and account info. / VA wallet address.
If there’s an intermediary in the transaction, the Intermediary Institution is required to pass on everything it receives from the Ordering Institution to the Beneficiary Institution, but has no general duty to collect more than it receives.
Do you have to send this KYC information to the Regulators?
How long must a financial institution keep these records?
When does the Travel Rule become effective?
When FATF first introduced Travel Rule for VA transfer in June 2019, it was pushing adoption by countries to implement its Recommendation 16, by June 2020 and suggested it will then conduct a review. FATF has since, completed a 12-month review period on July 2020.
Overall, the Report finds that, both the public and private sectors have made progress and substantial number of countries (32 out of 54 reporting jurisdictions) have implemented FATF Standards in regulating VASPs, whilst three countries prohibit the operation of VASPs. Singapore is one of the 32 countries which has taken steps to implement the requirement and requires all financial institutions dealing with VA transfers to comply with the Travel Rule. The other 19 jurisdictions have not yet implemented the revised FATF Standards in their national law.
FATF has found evidence of progress in the development of technological solutions to enable the implementation of Travel Rule for VASPs, even though there remain issues to be addressed. Accordingly, FATF has agreed to continue its focus on VA and undertake the following actions:
- continue enhanced monitoring of VA, VASPs and undertake a second 12-month review of the implementation of the revised FATF Standards on VA and VASPs by June 2021;
- release updated Guidance on VA and VASPs, addressing issues including so-called stable coins, anonymous peer-to-peer transactions and Travel Rule implementation;
- continue to promote the understanding of ML and TF risks involved in transactions using VA and the potential misuse of VA for money laundering and terrorist financing purposes by publishing Red Flag indicators on October 2020;
- continue engagement with the private sector, including VASPs, technology providers, technical experts and academics, through its Virtual Assets Contact Group; and
- continue its program of work to enhance international cooperation amongst VASP supervisors.
Given that banks took several years in implementing SWIFT, it would hardly be a surprise if the implementation of Travel Rule will take several more years and the industry as a whole, including all stakeholders will have to collaborate and navigate through a myriad of obstacles and challenges. Some of these challenges and sunrise issues posed will be covered in subsequent articles.
