red 
On December 7, Elliptic hosted a webinar with Financial Action Task Force (FATF) Virtual Asset Contact Group (VACG) co-chair, Mr. Takahide Habuchi and Mr. Jonathan Fishman, for Fireside Chat.
The discussion unpacked the October 2021 update FATF Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (VASP) and outlined the practical and operational implications for crypto companies and financial institutions.
The session covered many topics, including stablecoins, peer-to-peer activities, non-fungible tokens (NFTs), derisking and due diligence. Here are six key things you can implement in your business right away:
1. Apply a risk-based approach (RBA) to identify and mitigate risks relevant to your business. Be sure to maintain an open and ongoing dialogue with regulators about what this means.
VASPs are expected to mitigate risks such as money laundering, fraud, scams and illicit trade by initiating a mandatory risk assessment of their business, products and services. According to the co-chairs, it is impossible to apply RBA without establishing a baseline of products, services and customers. Financial institutions and crypto companies should ask themselves what are the most serious abuse risks for our company?
Once a comprehensive risk assessment has been carried out, firms should consider what an appropriate mitigation strategy should look like. The starting point should therefore be a thorough and careful risk assessment associated with a well-designed overall anti-money laundering program that responds to and effectively mitigates those risks to which the firm is most exposed.
Fundamental items and considerations mirror those of banking and include:
-
the possibility of reporting suspicious activity;
-
transaction tracking;
-
having the appropriate license and registration as required; and
-
trained staff.
A firm that performs a risk assessment based on a robust and coherent methodology will certainly be well on its way to mitigating specific risks in this area.
2. Determine what VASP due diligence looks like for your firm.
The due diligence of a virtual asset service provider is effectively summarized in the image below, extracted from FATF Guidelines (p. 63) further discussed in detail by the FATF co-chairs in the webinar recording. The figure shows how the general VASP due diligence process can be designed and implemented in three phases:
-
Determine whether the transaction is with a third-party vasp or a non-hosted wallet;
-
Identify the other party’s VASP independently, for example by reference to nationally registered VASP lists or a compilation of private sector VASPs, such as Elliptic Discovery;
-
Assessment of whether the VASP counterparty is a qualified counterparty to send customer data to and a preferred partner to conduct a business relationship with.
Elliptical Discovery addresses challenges related to counterparty verification and VASP due diligence. Discovery maintains an updated risk profile for major VASPs globally, including relevant information such as registration, headquarters location and blockchain analytics reflected in the Elliptic Score. Crypto companies, financial institutions, banks and regulators use this dynamic database to make decisions based on due risk analysis.
3. FATF’s clear message to banks and financial institutions regarding wholesale de-risking of VASPs — don’t do it!
The FATF’s general guidance for all financial actors and stakeholders is to use a risk-based approach when making individual decisions regarding the abandonment of an account or the termination of a relationship with a client that appears to be high risk. This is also known as the practice of derisking. The de-risking practice has affected crypto firms struggling to open and maintain accounts with major financial institutions and banks.
According to the guidelines, financial institutions (FIs) should make individual decisions based on characteristics, but not general blanket decisions about entire industries, including the digital asset space. The VASP due diligence process, carried out by the FI, can and should work to the maximum extent possible to look at clients in the most targeted way, to make the most individual possible decision and determine if and how product-specific risks can be mitigated. and services offered by VASP.
Crypto firms should invest time in getting to know the banks and help the banks become familiar with VASP products and offerings. Investing time in getting to know the business, clearly answering questions about your business, and building mutual relationships with bankers will help VASPs demonstrate the breadth and depth of their compliance controls and risk mitigation strategies.
4. If you are involved in decentralized finance (DeFi), the FATF guidelines probably apply to you.
The FATF guidelines do not take a firm position on the application of the regulatory framework to DeFi projects, but provide criteria for what is considered a centralized or decentralized project. If centralization is demonstrated, then VASP is assumed to be involved, in which case the entire VASP guidance applies. So what considerations should innovators keep in mind when trying to assess whether or not their project is truly decentralized?
-
Does anyone continue to profit from the project?
-
Are there ongoing customer relationships?
-
Can someone change the underlying protocol or algorithm rules?
-
Is there someone who maintains ownership of the project, such as a company or other ownership arrangement?
If you can really say no to these kinds of questions, then your program might be decentralized. The co-chairs were very clear in noting that the use of automated controls does not mean decentralization, just as going to an ATM does not mean the bank is not involved. Exercising control via a smart contract is treated the same as direct and is not decentralized. The FATF guidelines also assume that very few, if any, projects will be truly decentralized, so VASP will almost always be involved.
For additional information and reading, please consult Elliptic’s DeFi: Risk, Regulation and the Rise of Decriminalization report.
5. Assess how your non-fungible token (NFT) project may be regulated.
When it comes to NFT projects, the first consideration must be to assess what the function of the NFT is. If you are developing a project that will primarily be a financial asset, i.e. “a way you pay for things, a form of money, or a security that meets the security test, then that item should be governed by the same rules that govern the type of financial asset you’re thinking of.” it looks like”. In these cases, these projects will be regulated as financial means.
If you are developing a project that is not intended to be a store of value, a medium of exchange, a unit of account or a security, then it should be regulated in the same way that art or consumer goods are regulated.
The co-chairs considered a few examples: “I’m a musician who sells NFTs of music, primarily intended for ownership, as an original copy. This is not a financial asset, but if I plan to mint hundreds of these things, they are not collectibles, but are exchanged for other goods and services or traded on the secondary market, then this is a financial asset.”
When it comes to NFT, the circumstances of the project and the intent should prompt its categorization as a charge or form of payment. The intended use will determine how it is regulated and in turn what types of regulatory obligations a crypto firm may have to comply with.
Elliptic’s software suite is designed to meet regulatory and compliance requirements and we invite you to contact us and book a demo today.
6. Liaison with regulators: FATF monitors new technologies and developments in financial crime and encourages a two-way flow of crypto industry communication. We all have a role to play.
Since 2019, the FATF has been proactively engaging with the industry and informing its standards and guidelines regarding virtual assets and virtual asset service providers. FATF’s Risk Trends and Methods Group (RTMG) monitors trends in illicit finance and works to share new typologies identified by country delegations and publishes advice. Industry members also have the opportunity to participate in this discourse and share feedback and observations.
VACG meets on a regular basis and invites presentations from the private sector. The Contact Group also distributes a number of updated reports on relevant cases, including those focusing on the evolution of criminal typologies of illicit financing.
Mutual evaluations they offer insight into what countries are witnessing. Virtual assets are more strongly included in national risk assessments at the global level, and actors from the private sector are an integral part of the national consultative risk assessment process. The US, for example, will publish an updated national risk assessment, including dedicated information on digital assets, including input from the private sector.
The Co-Chairs made it clear that the FATF is always interested in remaining engaged in the private sector, as the industry is the first to spot and identify new or different typologies of financial crime and the most serious threats to the market.
Contact us to learn more about how your business can effectively combat VASP due diligence and comply with anti-money laundering regulations.
