FATF Public Consultation:
CryptoUK comments on the draft revised VASP Guidance
CryptoUK (CUK) welcomes the opportunity to comment on the recently published revised guidance on virtual assets (VA’s) and virtual asset service providers (VASP’s). Our membership met as a group to discuss how the community views the guidance of which updates the following 6 areas:
- Clarify the definitions of VA and VASP to make clear that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a VA or as a traditional financial asset),
- Provide guidance on how the FATF Standards apply to so-called stablecoins,
- Provide additional guidance on the risks and potential risk mitigants for peer-to-peer
- Provide updated guidance on the licensing and registration of VASPs,
- Provide additional guidance for the public and private sectors on the implementation of the ‘travel rule’ and
- Include Principles of Information-Sharing and Co-operation Amongst VASP Supervisors.
CryptoUK is the United Kingdom’s (UK) trade body for the cryptoasset industry. We believe in the transformative potential of digital and cryptoassets and the underlying blockchain technology. We promote accountable self-governance whilst advocating for fit-for-purpose legislation and regulatory frameworks for crypto and digital assets in the UK. We achieve our vision by establishing and fostering productive partnerships between digital and cryptoasset industry participants with legislatures, policymakers, and regulatory agencies to educate and nurture an environment that fosters innovation, job creation and investment.
Below is a collective response to the questions posed by FATF from our 60 members.
Question 1. Does the revised Guidance on the definition of VASP (paragraphs 47-79) provide more clarity on which businesses are undertaking VASP activities and are subject to the FATF Standards?
With regard to the updated guidance for VASPS’s we note that FATF has moved from the position that a decentralised application (DApp) or software program is not a VASP, as the previous definitions do not apply to software. However, we understand that entities involved in a DApp may be a VASP under the new FATF definitions. Furthermore, under the new definitions, the owner or operator will likely fall into scope “conducting the exchange or transfer of VA’s as a business on behalf of a customer – even if others (the community) play a role”.
Our members felt that this broad definition seeking to capture new technologies and new product/service offerings was not in step with the FATF philosophy of “risk-based approach” towards money laundering and terrorist financing in Decentralized Finance (DeFi). We question whether the guidance is proportional in “regulating the risks” in a manner that is appropriate at this early stage in an area of innovation both product and technological.
We assume that it has not escaped the FATF’s or any of the “contact groups” notice that DeFi is inherently peer-to-peer, in that you are swapping one token for another, thereby not transacting in the traditional sense. This action removes the involvement of counterparties. So the logic of existing centralised finance doesn’t apply.
Beyond the difficulties of practical enforcement, we also see an existential threat. Our view is that the FATF concludes that the risks associated with DeFi are greater than its societal benefits,
which include the following:
1. Access by anyone, anywhere at any time
2. No financial barriers to entry
3. Currency and country agnostic
4. A user can participate in the governance and decision making, offering similar incentives to a traditional shareholder however, with far greater flexibility and efficient management of voting systems
5. Increase wealth for all
6. Increase tax revenues for governments
7. New financial innovations
8. Allows for many to understand and educate themselves as to how financial systems, markets and products function and operate
9. Improve on existing friction, such as price slippage in an order book model versus a liquidity pool
10. Value creators can release themselves from the shackles of existing corporate systems to
increase access to wealth generation
11. More stable and regular interest payments on token pairs and staking than most financial
12. Permanent liquidity for low market capitalisation projects
13. Transparency of trading activity, with algorithmic trading as opposed to depending on opaque centralised market makers
14. The code is public, verifiable and not prone to human error
15. Decentralisation can last forever
Therefore, we recommend that governments do everything possible to stop non-intermediated digital asset-related financial innovation. In many cases this is not practical for a decentralised
autonomous organisation (DAO) and could and will most likely result in some unintended
Our membership explored the following developments that could result in a worse overall outcome for society:
1. A two tier system
– A compliant VASPs will not be able to take comfort with the destination of an unknown, perhaps non-complaint FATF VASP and will therefore block any such transaction.
– This will result in many users not engaged in ML or TF (see below reference to Mr
Michael Morrells (ex CIA) report of Bitcoin in Illicit Finance) choosing to not use these
VASPs resulting in a reduction in oversight.
2. More difficulty for law enforcement and blockchain analytics firms to follow transactions and identify ultimate wallet addresses of suspicious transactions as more transactions will go off chain.
3. As a result of DAO’s not wishing to be caught within the VASP definition (for a multitude of reasons vastly unrelated to a desire to engage in criminal activity), enforceability will reduce as 100% pseudo anonymous services (whereby the developers are unknown and the project has no physical residence) such as Sushi Swap proliferate.
Historically, the guidelines the FATF issue are relevant for intermediaries that had the actual and
legally relevant control over certain assets owned by third persons. This control is important as the assetThankscan be transferred to other beneficial owners. This does not exist in a DAO.
In the introduction of the latest FATF update, acting “on behalf” of someone is a defining criterion for VASPs. FATF envisions very few VA arrangements will not fall into the definition of VASPS. Furthermore the definitions expand to when customers can access a financial service, it
stands to reason that a party has provided this service – even if this act is temporary or shared.
We note in the guidance that FATF offers the following questions to competent authorities as to
how they should define a VASP. After each question our members wished to address a handful of
1. Who profits from the service or asset
2. Who established it and can change the rules
3. Who can make decisions affecting operations
4. Who generated and drove the creation and launch of the service
5. Who possesses and controls the data of the operation
6. Who could shut it down
In many cases once a project has become decentralised enough, i.e control and governance is
handed over by the initial development team / promoters to the community, all of the answers to
the above will be many, thousands, and everybody. Therefore, it follows that competent authorities should (ignoring grandfathering of existing fully DAO’s) will look to force the initial development team to adhere to the Travel Rule. We refer FATF to the Securities and Exchange Commission (SEC) proposed “safe harbour rule 2.0”, which seeks to ensure the natural maturity and evolution of a decentralised platform allowing it to flourish thus supporting innovation.
We advocate strongly that all stakeholders work together in a thoughtful, practical, considered and un-rushed manner. Our members considered alternative approaches which would strike a more balanced approach than that within the proposed guidance, ensuring prevention of economic crime and associated societal harms and the benefits listed in the 14 points above:
i. A Honeymoon phase or best efforts approach to additional VASP definitions
– For example, this could look like a Phase 1 roll out where centralised VASPs would
only be required to collect data on transactions – in essence keeping their own
ii. Bring together experts in fields such as advanced cryptography and enhanced privacy
– For example, zero knowledge proofs have the potential to at some point in the not
too distant future, enable individual tokens to allow for providence without infringing
on privacy concerns.
– This area is very focussed, however is growing in size and advancement as
cryptographic academics find that their expertise is useful in commercial
applications as seen in the development of DAO’s.
iii. Benefits to governments
– Taxable income from new business models and additional wealth generation
– Private sector innovation in payments can support government improvements to
their citizens (CBDC’s).
The industry is working to address the Travel Rule in regards to the centralised VASP community. We assume that the FATF has become aware that this challenge is not easy to solve. There are many groups working with the industry to provide solutions and guidance such as the Travel Rule Information Sharing Alliance (TRISA), US Travel Rule Working Group (USTRWG), Intervasp Messaging Standard (IVSM101), to name a few. None of these groups are close to fully solving the Travel Rule requirements for VASPs, and these groups have been working on this diligently since the initial 2019 guidance.
Therefore, we should be mindful that these requirements fall onto a very niche and nascent subset of the blockchain and crypto ecosystem. This will require continued development of new financial innovations, which should be encouraged and nurtured by competent authorities. Finally, we encourage the FATF to take every reasonable step to ensure that decisions are made not from qualitative data, that is perhaps led by fear, but rather that of fact and empirical quantitative data, such as the conclusions drawn in the recently published report by Michael Morell, previous acting director for the CIA titled “An Analysis of Bitcoin’s Use in Illicit Finance”.
Question 2. What are the most effective ways to mitigate the money laundering and terrorist financing (ML/TF) risks relating to peer-to-peer transactions (i.e., VA transfers conducted without the use or involvement of a VASP or other obliged entity, such as VA transfers between two unhosted wallets) (see paragraphs 34-35 and 91-93)?
We note that the FATF has observed that peer to peer crypto transactions via unhosted wallets,
without involvement of a virtual asset service provider (VASP) or a financial institution, is a key
potential AML/CFT risk.
Therefore, peer to peer exchangers are individuals or entities offering to exchange VA’s with other VA’s. The unhosted or non-custodial wallet refer to wallets which are not provided by a financial institution or a VASP, residing instead on a user’s computer or offline, on a USB device. By contrast, “hosted” wallets refer to custodial wallets provided by a financial institution or a VASP on behalf of account holders typically online or through mobile applications.
However, we believe that peer to peer crypto transactions pose less illicit finance risk than
commonly believed by regulators. Blockchain data from Chainalysis shows three clear trends
related to unhosted wallets that suggest their primary uses by individuals and organizations are to
either store their virtual assets for investment purposes, or move them between regulated trading
venues. As an illustration, in Q2 2020, 79% of the bitcoin sent from one unhosted wallet to another originally came from an exchange in a regulated environment. Only 5% of bitcoin sent to unhosted wallets came from higher risk services or an illicit source.
The primary use of non-custodial wallets is one of security for the holder of cryptoassets – not as a means to obfuscate the owner or their transactions as suggested within the guidance. Non-custodial wallets offer cryptoasset storage offline, which has less risk of being hacked on compromised versus assets held online within an exchange, resulting in a significant loss of client funds.
Our members also discussed that hardware wallets are often given out as promotional merchandise at trade shows. As an example, in this case proving providence of ownership would be impossible as no receipt or any record of a purchase transaction exists. Does it then fall on the hardware manufacturer to conform to the VASP requirements? We note that hardware wallet provided have been listed as out of scope in this updated guidance. However, members were concerned with additional guidance updates increasing the in-scope actors to include hardware manufacturers much like software development was out of scope, however is now in scope.
Question 3. Does the revised Guidance in relation to the travel rule need further clarity (paragraphs 152-180 and 256-267)?
4. Does the revised Guidance provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities (see Boxes 1 and 4 and paragraphs 72-73, 122 and 224)?
5. Are there any further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards?
We again thank you for this opportunity to comment on the consultation and hope you find our response helpful. This is a new and technical area and we stand by ready to answer any further questions, and provide such further input as you may desire.