It’s that time of year again when the Financial Action Task Force (FATF) issues its annual targeted update on the implementation of its Virtual Asset (VA) and Virtual Asset Service Provider (VASP) standards since they were introduced in 2019.
On 27 June 2023, the FATF published its fourth report on country compliance with Recommendation 15 (R.15) – including the Travel Rule – and updated information on emerging risks and market developments. Not surprisingly, global implementation and compliance remain relatively poor and lag behind most other financial sectors.
Poor compliance with FATF standards
Key findings in the FATF report include:
- In total, 75% of the 98 jurisdictions remain partially or non-compliant with FATF requirements.
- Furthermore, 34% of the 151 respondents to the R.15 implementation survey did not perform a risk assessment.
- Almost the same number have not yet decided whether and how to regulate the VASP sector.
- The results of the peer review and follow-up reports show that 73% – 71 out of 98 jurisdictions – do not conduct adequate risk assessments.
- More than 50% of respondents – excluding those who ban VASP – have taken no steps towards implementing the Travel Rules.
- Among those that have, oversight and enforcement is low with only 21% having issued findings, directives, or taken enforcement or oversight actions.
Implementation of travel rules remains problematic
Specifically for the Travel Rule, although the private sector now offers a number of technological tools, they generally do not fully meet all the requirements of the FATF Travel Rule.
The FATF has identified two key challenges faced by such tools – compliance with the requirements of the FATF Travel Rules and friction due to the lack of interoperability between different solutions. However, it must be noted that the uneven pace of adoption in the various jurisdictions in which VASPs can operate – a problem identified by the FATF itself – compounds the challenges facing the private sector.
Examples of deficiencies highlighted by the FATF include:
- The tools only allow transmission of the transaction ID instead of the sender’s wallet address.
- The tools do not require the VASP to send information immediately or before the transaction is executed.
- The Tools cannot transmit transaction information for all types of VAs and/or transactions of any amount.
- The Tools do not allow downloading or retention of transmitted information for record keeping or transaction tracking.
- The tools do not allow the VASP to locate the other VASP party for all VA transfers and provide a communication channel for due diligence.
The FATF report also included useful guidance questions for VASPs and jurisdictions to engage with travel rule solution providers.
New and recurring risks
In terms of emerging risks, the threat posed by the Democratic People’s Republic of Korea’s (DPRK) illicit blockchain activities for proliferation and terrorist financing (PF/TF) received top billing.
The FATF highlighted a March 2023 report by the UN Panel of Experts on North Korea on funding flows to the DPRK involving cyber-enabled heists from VASPs to generate revenue for its illicit WMD and ballistic missile programs. Significantly, “greater value than [virtual] he stole the property [DPRK] actors in 2022 than in any previous year” – findings supported by Elliptic’s analysis.
Other sanctioned groups such as ISIS, Al-Qaeda and affiliates are also turning to using VAs, including anonymity-enhanced coins, to finance terrorism. In addition, VAs are increasingly used as a typology through crowdfunding platforms to finance far-right terrorism.
Risks that reappear in this year’s report from last year include:
- Decentralized Finance (DeFi) – jurisdictions face difficulties in identifying regulated entities in DeFi arrangements and determining whether they qualify as VASPs.
- Unhosted wallets (including peer-to-peer transactions) – most respondents have not yet assessed the specific risks posed by unhosted wallets or P2P transactions.
- Non-Fungible Tokens (NFTs) and Stablecoins.
The focus on PF/TF risks in VA is not surprising, given that it was mentioned during the April private sector engagement session organized by the FATF. Nevertheless, this highlights the urgency for jurisdictions and the private sector to address the issue through appropriate identification and mitigation measures.
If you would like to understand how Elliptic’s solutions can help you properly assess and mitigate the risks identified by the FATF in its latest targeted update, please contact us to speak with one of Elliptic’s experts.
Regulation Financial Services Global