First Look: Updated FATF guidance proposals for VASPs

The FATF’s release of draft updated VASP guidance for public consultation provides some detailed insights into how the global regulator will be approaching the industry in the near future. 

Here’s our quick monthly industry update on what we learned from the proposed guidance: 

In March, the FATF released an updated draft guidance for Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). These key changes propose a number of new updates that we will be exploring in more detail over the next few months, including: 

• New clarifications and guidance on the Travel Rule
• Stablecoins are VAs and FATF Standards apply to them
• DEXs and crypto escrow services should be considered VASPs.
• NFTs that can be used for money laundering (ML) and terrorism financing (TF) are VAs
• VASPs should be responsible  for assessing and mitigating proliferation financing (PF) risks
• Best practices VASPs conducting counterparty due diligence
• Options for mitigating peer-to-peer transaction risks

The updated guidance makes some detailed clarifications on how the FATF’s Recommendation 16 - the so-called Travel Rule - should be applied with regards to VASPs. These include:

• Originator VASPs must require Travel Rule compliance from beneficiaries through their contractual agreements or individual business protocols.
• Any VASP that has not implemented Travel Rule guidelines should be considered high risk by its regulating authorities.
• Originator and beneficiary identifying information can be submitted in batches, as long as it happens immediately and securely. Transmitting Travel Rule information should not be permitted after a transaction has occurred. 
• VASPs that accept transactions with private or unhosted wallets still need to collect Travel Rule information from the owner of the wallet. As mentioned above, these types of transactions can be considered high risk by individual jurisdictions. 
• VASPs are responsible for carrying out counterparty due diligence before facilitating a transaction and transmitting the required transactional information. The FATF recommends VASPs employ a three-phase approach: 

1. Determining whether the transfer will be made to a counterparty such as another VASP, or if it will be to a private wallet or other entity.
2. Identify the counterparty
3. Assess whether the counterparty is eligible to receive transactional data and whether it is possible to enter a business relationship and with it. 

The key takeaway from this particular update is the requirement for an originator VASP to conduct KYC to know who the beneficiary VASP is before they transmit the relevant user information. This is not an easy task as:

(a) wallet addresses do not fundamentally contain the owner details, unlike SWIFT codes which do contain this information, and 

(b) it may require building a library of approved VASP wallet addresses in order to quickly and effectively comply.

It would be prudent for VASPs to start looking into solutions now rather than later as the FATF seems to be ramping up its language for stricter enforcement of Travel Rule compliance.