red 
Today the Financial Action Task Force (FATF), the global anti-money laundering and countering the financing of terrorism (AML/CFT) standard setter, published its second 12-month review of virtual assets (you can read our summary of the first report from July 2020 report here ).
The FATF report provides an overview of the progress governments around the world and private sector virtual asset service providers (VASPs) are making in implementing the FATF guidelines on virtual assets such as Bitcoin.
The report also contains a significant market metrics study of key trends in virtual asset transactions based on blockchain analytics. Elliptic was privileged to contribute our data and analysis to the FATF study, along with several of our colleagues.
Here’s our summary of the three key lessons from FATF’s review, which is a must-read for anyone in the AML/CFT compliance space.
1. Blockchain analytics show that changing FATF standards to cover peer-to-peer (P2P) transactions is not currently necessary. However, VASPs must still be alert to the risks associated with P2P transfers.
A key question facing the FATF is whether it should fundamentally change its approach Standards to address the specific characteristics of virtual assets.
In particular, the FATF questioned whether its Standards, which focus AML/CFT control measures on regulated intermediaries such as VASPs, need to be amended to take into account the P2P nature of virtual assets. Because virtual assets allow other parties to conduct P2P transactions without the presence of a regulated entity, the FATF has suggested that it may need to amend its Standards to allow for direct regulatory oversight of P2P activities in virtual assets.
In its new report, the FATF questions whether it should now undertake such a thorough review of its standards. To help answer that question, the FATF commissioned a market metrics study to assess the extent of P2P activity in virtual assets and to assess the associated risks.
Elliptic provided data for the study, as did six other blockchain analytics firms. The study examined five years of transactions in Bitcoin, Ethereum and Tether – the three largest virtual assets.
The FATF’s conclusion based on the study is clear and straightforward: there is currently insufficient evidence to suggest that the FATF needs to revise its standards to directly address P2P transactions.
First, there is no clear evidence that P2P transactions are becoming more important than before. VASPs remain an essential part of the virtual asset ecosystem, suggesting that placing regulation on intermediaries remains the optimal approach for now.
Second, there is no clear evidence that criminals are relying more on P2P transactions than in the past. While the blockchain analysis data used in the study suggests that fully P2P transactions involve a slightly higher proportion of illegal activity than transactions involving VASPs, there is no indication that this is becoming more difficult over time.
As the Elliptic in particular demonstratedeven when criminals use intermediary unhosted wallets, they cash their illicit Bitcoin proceeds through VASP more than 80% of the time. Policy measures targeting P2P transactions are therefore misguided, as VASPs may end up reporting suspicious activity on funds they handle that have passed through intermediary wallets.
FATF’s use of blockchain analytics to inform decision-making on key policy issues is also an important sign that policymakers are realizing the potential of blockchain data as a source of important information about virtual assets. Although the FATF makes clear in its report that it may still revise its Standards in the future to directly cover P2P activities, its decision not to do so at this time is welcome and conducive to innovation.
However, the FATF report raises concerns about the use of unhosted wallets for illegal purposes that VASPs and FIs should take into account. The report points out that ransomware revenue is often funneled through unhosted wallets, including privacy wallets, which Elliptic’s research it has shown that they are rapidly growing in popularity among criminals.
According to the FATF, these risks are significant and could become increasingly serious over time, so “jurisdictions and private sectors need to proactively consider ways to identify and mitigate the risks posed by P2P”.
Fortunately, blockchain analytics solutions allow VASPs and Fis to do this already. Elliptic’s business tier wallet overview and transaction tracking solutions enable VASPs and FIs to identify high-risk wallets associated with activities such as ransomware, sanctions, financing of terrorismand other activities.
The FATF report states that an approach to blockchain analysis solutions – and indeed a multi-solution approach to avoid “over-reliance on a single source of analysis” – can help identify and mitigate these risks.
2. Many countries fail to implement the FATF standards for virtual assets, which undermines the international AML/CFT regime. VASPs in these countries represent high risks that require monitoring and due diligence.
The FATF study notes a doubling of the number of countries that have implemented its virtual asset standards over the past year (58 currently, compared to 33 countries in July 2020) and an increase in the number of countries undertaking enforcement actions against companies that break the rules (18 today, compared to 8 countries in July 2020). But his review highlights an obvious problem: too many countries have yet to implement FATF standards.
According to FATF’s review, 70 of the 128 countries surveyed have yet to implement comprehensive AML/CFT requirements for the virtual assets sector. According to the report, this means that “there is not yet sufficient implementation of the revised FATF standards to enable a global AML/CFT regime for virtual assets and VASPs”. The chart below from the report breaks down these numbers.
This gap in the international framework presents opportunities for criminals. As the report states, “Certain VASPs take advantage of this advantage to operate in jurisdictions that lack effective implementation of anti-money laundering and terrorist financing regulations and oversight, or expand their operations across multiple jurisdictions while offering services with extremely weak or non-existent anti-money laundering controls.” money laundering and terrorist financing. . Illegal actors are exploiting poor CDD and screening processes within these VASPs for PN/TF purposes.”
Research from Elliptic confirms this finding. For example, ours recent analysis of major ransomware attacks shows that cybercriminal gangs behind ransomware attacks systematically launder ransomware proceeds through VASPs with no or poor AML/CFT controls located in jurisdictions without AML/CFT regulations.
As the FATF further notes, this has major implications for the international AML/CFT regime: “SCAs with weak or non-existent AML/CFT programs remain one of the key virtual asset risks. . . The global nature of the underlying virtual asset technology and the ease and speed with which VASPs can establish or relocate operations around the world means that a jurisdiction that does nothing could become a ‘safe haven’ for unregulated VASPs.”
Closing this gap will be a top priority for the FATF in the coming year, and it intends to announce updated instructions by November 2021 to allow countries to accelerate the implementation of their standards. In the meantime, regulated VASPs and financial institutions (FIs) must be aware of the significant risks they may face from working with unregulated VASPs in jurisdictions that do not have virtual asset regulations.
Elliptical Discoveryour database of more than 200 VASPs worldwide can help reduce risk. Discovery contains information such as where VASPs are registered or licensed, as well as the quality of their AML/CFT controls. Your business may use this information to determine whether you should do business with certain VASP partners.
3. The private sector continues to make progress on the Travel Rule – but implementation and adoption of the solution needs to be accelerated.
The FATF report highlights another important development: the private sector has made important strides in implementation Travel rule. In particular, the industry has been successful in developing technology solutions that enable compliance with travel regulations.
According to the report, “There appears to have been more progress in the development of travel rules technology since July 2020” – referring to the many travel rules compliance solutions that have come to market in the past year.
While this is positive, FATF’s review highlights a major problem: compliance with travel rules remains fragmented and uneven in the private sector, precisely because many governments around the world have yet to make it a requirement. This created the so-calledthe question of sunrise” – where the failure of all governments to simultaneously implement the Travel Rule means that not all VASP solutions that are available are implementing them.
According to FATF, “two years after FATF revised its standards, the vast majority of jurisdictions have not introduced travel rule requirements. This has acted as a disincentive for the private sector, particularly VASPs, to invest in the necessary technology solutions and compliance infrastructure to comply with the travel rule.” The FATF intends to help countries implement the Travel Rules as soon as possible with its planned guidelines for November 2021.
While wider implementation of the Travel Rules by governments around the world is certainly essential, VASPs should not wait to start implementing solutions. VASPs in some countries, such as Singapore and the US, already face Travel Rule requirements, so they must be able to comply now.
To assist VASPs in this endeavor, Elliptic has partnered with leading providers of travel policy solutions CoolBitX and Notabene to provide comprehensive capabilities for identifying counterparty wallets and ensuring compliance with the Travel Rule. Using these integrated solutions, your business can demonstrate compliance with travel regulations to regulators in those countries where this is already a requirement.
Contact us to learn more about how your business can take advantage of our leading Travel Rules integrations.
Ensuring your business is prepared for FATF’s next steps
The FATF report makes clear that virtual assets will remain a key international priority in the fight against money laundering and terrorist financing for some time to come – and that the implementation of its standards needs to continue and improve.
With their planned updated guidance due to be released in November, VASPs and FIs should begin taking steps to ensure they have the capabilities to address key compliance challenges such as VASP due diligence, Travel ruleand identifying high-risk wallets.
Contact us today to learn more about how we can help your business successfully address the key requirements set by the FATF.
