On June 21, 2019, the Financial Action Task Force (“FATF”) released Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers as well as a Draft Interpretive Note to FATF Recommendation 15 addressing virtual assets (together, the “FATF Guidance”). The FATF Guidance clarifies a risk-based approach to virtual assets (“VAs”) and virtual asset service providers (“VASPs”) for anti-money laundering (“AML”) and counter terrorism financing (“CTF”) purposes. The FATF have provided member countries (which include Canada) with 12 months to adopt these guidelines, with a review set for June 2020.
The most recent FATF Guidance builds upon previous statements by the organization that its requirements apply to VAs and VASPs. This coincides with a global current of regulatory interest in such assets. For example, in the US, the Financial Crimes Enforcement Network (FinCEN) recently issued guidance on how its regulations apply to money transmission involving convertible virtual currencies and an Advisory on Illicit Activity Involving Convertible Virtual Currency (see our blog post here). Likewise, in Canada (which is a member of the FATF), recent amendments to the regulations (“PCMLFTR”) to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLFTA”) were recently finalized (see our legal update here), expanding the scope of the PCMLTFA to dealers in virtual currency.
Virtual assets and virtual asset service providers
The FATF Guidance continues the expansion of regulatory interest from virtual currencies specifically to virtual assets more broadly. The FATF defines VAs as digital representations of value that “can be digitally traded, or transferred, and can be used for payment or investment purposes.” The related definition of VASP includes any entity which, on its own account or on behalf of another, engages in:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
The VASP definition is broad enough to include VA exchanges and transfer services, wallet providers, providers of financial services relating to the issuance, offer, or sale of VAs such as via an ICO, and virtual to virtual transactions.
Likewise, in Canada, the definition of “virtual currency” was expanded in the recent PCMLTFR amendments to include “a digital representation of value that can be used for payment or investment purpose”, expanding the scope beyond simply payment use cases.
Purpose and scope of FATF guidance
The FATF Guidance has two purposes. First, it is intended to assist national regulators in the development of supervisory frameworks for VA activities and VASPs. Second, it is intended to help private sector entities seeking to engage in VA activities, in understanding their AML/CTF obligations and steps necessary to comply with regulatory requirements. This includes:
- Understanding and implementing a risk-based approach to VA activities or operations;
- Supervision or monitoring of VASP activity for AML/CTF purposes;
- Licensing or registration based on each applicable jurisdiction’s requirements;
- Preventive measures, such as customer due diligence, recordkeeping, and suspicious transaction reporting, among others;
- Understanding risk indicators that should specifically be considered in a VA context because they could obfuscate transactions or inhibit VASPs’ ability to identify customers; and
- International cooperation for enforcement measures.
Obligations applicable to virtual asset service providers
The basic principle underlying the FATF Guidelines is that VASPs are expected to “identify, assess, and take effective action to mitigate their ML/TF risks” with respect to VAs.
This begins with a requirement that a VASP be licensed or registered where its place of business is located. If a VASP wishes to offer services in more jurisdictions, it should be required to register or apply to a license with the relevant authority. Countries are encourage to actively investigate unlicensed VASPs by using web-scraping and open-source information monitoring to target online advertising. Furthermore, the FATF Guideline provides that criminals and their associates may not hold or own a significant or controlling interest in a VASP.
VASPs are also expected to have “effective systems for monitoring and ensuring compliance with national AML/CTF requirements” such as having qualified Compliance Officers, written policies and procedures, documented risk assessments, ongoing training, and measures of the effectiveness of the compliance program. These programs should be subject to regular auditing. In Canada, for example, dealers in virtual currency will be subject to such requirements pursuant to the recent PCMLTFR amendments.
Travel rule and other information requirements
The FATF Guidance includes a number of recommendations relating to the collection of information, such as those relating to the collection of Know-Your-Client information. In particular, the FATF Guidance reiterates the applicability of the so-called “travel rule” to virtual asset transactions, noting that:
“[A]ll of the requirements set forth in Recommendation 16 apply to VASPs or other obliged entities that engage in VA transfers, including the obligations to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities. Countries should therefore ensure that ordering institutions (whether a VASP or other obliged entity such as a FI) involved in a VA transfer obtain and hold required and accurate originator information and required beneficiary information and submit the information to beneficiary institutions (whether a VASP or other obliged entity such as a FI), if any. Further, countries should ensure that beneficiary institutions (whether a VASP or other obliged entity) obtain and hold required (not necessarily accurate) originator information and required and accurate beneficiary information (…).”
The FATF Guidance further prescribes that the information required to be collected should include the following:
- originator’s name (i.e., the sending customer);
- originator’s account number where such an account is used to process the transaction (e.g., the VA wallet);
- originator’s physical (geographical) address, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth;
- beneficiary’s name; and
- beneficiary account number where such an account is used to process the transaction (e.g., the VA wallet).
Given the nature of the transactions and underlying decentralized and pseudo-anonymous blockchain technology used for most virtual asset transactions, the collection of such information could present some challenges. The FATF does not prescribe how such information is to be collected but provides the following as examples of technologies that could be used to collect such information (i) public and private keys, (ii) transport layer security/ secure sockets layer (TLS/ SSL) connections, (iii) X.509 certificates by certificate authorities that use the X.509 PKI standard, (iv) X.509 attribute certificates attached to X.509 certificates, (v) API technology and (vi) other commercially available technology or potential software or data sharing solution.
In the US, FinCEN recently confirmed the applicability of the travel rule to transmissions of funds involving virtual currency.
In Canada, the travel rule applies to prescribed electronic funds transfers which applies to, among others, money services businesses. Furthermore, the recent amendments to the PCMLFTR regulations will require the collection of “virtual currency exchange transaction tickets” where virtual currency is exchanged for funds, funds are exchanged for virtual currency or one virtual currency is exchanged for another. These transaction tickets are required to include:
- the date of the transaction;
- in the case of a transaction of $1,000 or more, the name and address of the person or entity that requests the exchange, the nature of their principal business or their occupation and, in the case of a person, their date of birth;
- the type and amount of each type of funds and each of the virtual currencies involved in the payment made and received by the person or entity that requests the exchange;
- the method by which the payment is made and received;
- the exchange rates used and their source;
- the number of every account that is affected by the transaction, the type of account and the name of each account holder;
- every reference number that is connected to the transaction and has a function equivalent to that of an account number; and
- every transaction identifier, including the sending and receiving addresses.
AML regulators at both the domestic and global level continue to grapple with the evolving virtual currency and virtual asset industry and underlying technologies. In Canada, the FATF Guidance coincides with the issuance of the recent PCMLTFR amendments relating to virtual currency. Further guidance from Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) will follow providing further colour on these amendments. Entities operating in the virtual asset space should pay close attention to both the recent amendments and the forthcoming guidance.
By Ana Badour and Arie van Wijngaarden
 The FATF is an intergovernmental policy-making body that was established in 1989. The FATF sets standards and promotes the implementation of legal, regulatory, and operational measures to combat threats to the integrity of the international financial system, including money laundering and financing terrorism.
Latest posts by McCarthy Tétrault LLP (see all)
- IIROC Publishes Notice Regarding Ransomware Attacks - March 29, 2021
- CPPA: De-identifying provisions - March 22, 2021
- Clarification on cross-border transfers of personal information - February 24, 2021