Crypto-service providers can expect to face significant scrutiny from local and regional regulators until June 2020.
Innovative technologies offer compelling ways to revolutionize the financial sector. The development of cryptocurrencies seems to have provided users with a unique array of potentials, together with corresponding risks and costs. Due to the distinctively unregulated nature of the cryptocurrency market, it has been frequently used by a wide variety of “bad actors.” Consequently, in June 2019, the Financial Action Task Force (FATF) issued a Guidance for a risk-based approach to virtual assets and virtual asset service providers (Guidance) as guidelines on how to prevent misuse of cryptocurrencies, blockchain, and similar technologies that will give countries 12 months to adopt the guidelines, with a review set for June 2020.
What is the scope of the Guidance?
Guidance focus on Virtual Asset (VA), a “digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes,” and Virtual Asset Service Provider (VASP). Digital representations of fiat currencies, securities, and other financial assets are excluded in this regard. VAs are characterized by their global reach, capacity for rapid settlement, ability to enable P2P-transactions, and potential for increased anonymity and obfuscation of transaction flows. Further on, VASP is a business that acts as exchanger, wallet provider, broker, or provider of financial services for initial coin offerings.
How will the cryptocurrency industry change in the future?
Guidance introduces a set of new measures for both the public and private sectors in order to mitigate the money laundering (ML) and terrorist financing (TF) risks in the scope of VA products or services and to make VASPs comply with the same full set of obligations as financial institutions or as a Designated Non-Financial Business and Profession. Furthermore, FATF specifies that VASPs shall be supervised or monitored by a competent authority, not a self-regulatory body.
FATF set-ups a one-year period during which it will monitor how both the public and private sectors are implementing its standards. These standards concern specific risk indicators, licensing considerations, the types of activities and operations related to VAs, and examples of approaches in several jurisdictions. During this phase, both parties should implement risk-based approach (RBA) to identify potential leaks for criminal activities. RBA implies that measures should commensurate with the risks identified, meaning the analysis of VASPs should be conducted on several levels.
For example, a higher risk associated with virtual-to-virtual transactions, is that VAs may be traded so they move value into or out of a fiat currency. Additionally, if a VASP operates entirely online or in person (e.g., platform-based vs. kiosk-based exchanges), it internalizes different risks for covered VA activities. Moreover, VASP business models are associated with different risk potential, (e.g., centralized vs. decentralized) and consequently introduce or exacerbate specific risk. Likewise, it is necessary to scrutinize VA accounts, products, and services, their payment channel, and connections to several jurisdictions.
Summarized, every element that is linked to VA, be it an operational activity, business model, or customer-related, requires a thorough RBA and national coordinated risk assessment.
What preventive and monitoring measures are expected from VASPs?
Firstly, VASPs are required to register or get licensed at a competent authority designated from the country. At a minimum, VASPs should be required to be licensed or registered in the jurisdiction where they are created or rather their business is located. However, additional license or registration could be required if the VASP conducts operations from or offers products and services to customers in further jurisdictions.
Secondly, VASPs are required to implement an adequate customer due diligence procedure. Consequently, it is necessary to obtain and understand customer related information among others consisting of customer identity, their beneficial owner, and purpose and nature of the business relationship. The information conducted should be encountered in a customer risk profile in a way that it allows VASPs and authorities to determine the level and type of ongoing monitoring and, if necessary, take freezing actions or prohibit transactions with designated persons or entities.
Finally, VASPs are required to obtain, hold and transmit originator and beneficiary information of any VA transfer above USD/EUR 1 000 in the cross-border wire-transfer framework. Moreover, they are obliged to get and to pass their customer’s information to each other when transferring funds and to take freezing actions and prohibiting suspicious transactions just as credit institutions or other financial institutions are required to do, which is often referred to as the “Travel Rule.”
The cryptocurrency industry will significantly change both the private and public sector. Naturally, this will be accompanied with challenges that will take time to overcome. VASPs must build a sustainable compliance and audit trail system. Potential lies in the offering of suitable software solutions that enable the ordering and beneficiary institutions to comply with its AML/CFT obligations. For example, a solution for obtaining, holding, and transmitting the required information. Smart contracts, multiple-signature, or any other technology could enable VASPs to follow the new requirements in an effective and efficient way.
Povilas Randis is a senior consultant and regulatory expert in Capgemini Invent. You can contact him at firstname.lastname@example.org or 0031615650411.