Professional Documents
Culture Documents
I N T E R N A T I O N A L M O N E T A R Y F U N D
Names: Schwarz, Nadine. | Chen, Ke (Financial Sector Expert). | Poh, Kristel. | Jackson,
Grace. | Kao, Kathleen. | Fernando, Francisca. | Markevych, Maksym. | International Mon-
etary Fund, publisher.
Title: Virtual assets and anti-money laundering and combating the financing of terrorism
(2): effective anti-money laundering and combating the financing of terrorism regulatory
and supervisory framework—some legal and practical considerations / prepared by Nadine
Schwarz, Ke Chen, Kristel Poh, Grace Jackson, Kathleen Kao, Francisca Fernando, and
Maksym Markevych.
Other titles: FinTech notes (International Monetary Fund).
Description: Washington, DC : International Monetary Fund, 2021. | October 2021. | Fin-
tech notes | Includes bibliographical references.
Identifiers: ISBN 9781513593821 (paper)
Subjects: LCSH: Money laundering—Prevention—Law and legislation. | Terrorism—Pre-
vention—Law and legislation. | Digital currency—Law and legislation.
Classification: LCC HV6768.S393 2021
DISCLAIMER: Fintech Notes offer practical advice from IMF staff members to pol-
icymakers on important issues. The views expressed in Fintech Notes are those of the
author(s) and do not necessarily represent the views of the IMF, its Executive Board, or
IMF management.
Abbreviations v
Introduction 1
Conclusion 10
Annex 1. FATF Standards Related to VAs and VASPs 11
AI Artificial Intelligence
FI Financial Institution
ML Money Laundering
TF Terrorist Financing
VA Virtual Asset
documents/12-month-review-virtual-assets-vasps.html. Some known Financing of Terrorism (AML/CFT)— Some Legal and Practical
cases of misuse can be found in “Virtual Assets - Red Flag Indica- Considerations”.
tors” published by the FATF. 5The IMF Fintech Note, “Regulation of Crypto Assets,” discusses
3The FATF is an intergovernmental body established in 1989 some issues pertaining the broader regulatory framework for
to set standards and promote effective implementation of legal, VAs and VASPs.
businesses and professions (DNFBPs) as defined by the AML/CFT requirements are appropriately sanctioned.
FATF, with some adjustments for the virtual context. This is likely to require amendments of jurisdictions’
The purpose of this note is to discuss the necessary legal frameworks to ensure that institutional measures
AML/CFT measures and provide examples of practical (for example, the designation of a supervisory author-
solutions to implement them. In June 2020, the FATF ity) and new requirements (for example, licensing and
noted that both the public and private sectors have preventive measures) are established on a sound legal
made progress in the implementation of VA standards, basis (see the discussion in “Virtual Assets and Anti–
particularly through updates to national laws and the Money Laundering and Combating the Financing of
development of solutions to assist with the travel rule. Terrorism (AML/CFT)— Some Legal and Practical
However, challenges remain. Many VASPs are only Considerations” in relation to legal foundations).
beginning to adopt the required AML/CFT mea-
sures, a number of jurisdictions are yet to implement
the standards for VAs, and those that have are at the Licensing/Registration of VASPs
early stages of developing a supervisory regime for Like other professionals subject to AML/CFT mea-
VASPs.6 At the time of drafting, no country had been sures (and unless VA activities are prohibited), VASPs
assessed against the new standards and many country require some form of official permission to operate.
authorities were in the process of establishing how Jurisdictions have the option of submitting VASPs to
best to incorporate the new standards in their AML/ either licensing or registration processes:8
CFT framework. For these reasons, this note does • Licensing generally relies on certain criteria being
not refer to specific country examples. References to met for the licensee to initiate and continue its
specific products and projects are made for illustrative activities.9 A regulatory assessment is conducted
purposes only and do not constitute an endorsement ex-ante (that is, before the applicant is granted a
of these initiatives. This note, like the one on “Virtual license) and generally includes an assessment of
Assets and Anti–Money Laundering and Combating whether the applicant meets the criteria for carrying
the Financing of Terrorism (AML/CFT)— Some Legal out the regulated activities. These criteria would typ-
and Practical Considerations,” is based on the FATF ically include a minimum level of resource require-
standards and guidance, particularly those aspects that ments (such as financial capital, human resources,
pertain to VAs and VASPs.7 and physical location), corporate governance, inter-
nal controls and financial integrity requirements,
and financial reporting and disclosure requirements.
Effective Regulatory and Supervisory AML/CFT In the context of AML/CFT, it is particularly
System—Legal and Practical Considerations important for the licensing/registration process to
As with any other financial business, a strong screen out criminals from holding, or being the ben-
regulatory and supervisory framework is key to the eficial owner of, a significant or controlling interest
soundness of the VASP industry. As a starting point, or holding a management function in a VASP.
jurisdictions should ensure that all VASPs are properly • Registration generally entails no or few prerequi-
licensed or registered and subject to adequate AML/ sites. In many instances, a regulatory assessment is
CFT obligations. They should then ensure that VASPs conducted ex-post (that is, after an entity has been
are adequately supervised for AML/CFT purposes and
that unauthorized VASPs and failure to comply with 8The terms “licensing” and “registration” are not spelled out by the
FATF, but in the traditional sense, they reflect different forms of offi-
cial authorization, with the licensing regime (traditionally reserved
6“12 Month Review of Revised FATF Standards - Virtual for financial institutions) being a more stringent and more intrusive
Assets and VASPs.” https://www.fatf-gafi.org/publications/ regulatory approach than a registration regime. More rarely, some
fatfrecommendations/documents/12-month-review-virtual-assets countries have combined the two (that is, adopted a hybrid system
-vasps.html (. in which entities, beyond being registered mandatorily, can obtain
7See: http://www.fatf-gafi.org/publications/fatfrecommendations/ optional licenses that come with more stringent conditions and obli-
documents/fatf-recommendations.html and http://www.fatf-gafi.org/ gations but also with greater credibility backed by the regulator).
publications/fatfrecommendations/documents/guidance-rba-virtual 9On the legal complexities of licensing, and in particular the
-assets.html. At the time of publication of this note, the current distinction between licensing criteria and procedure, see Bossu,
FATF guidance on the Risk-Based Approach to Virtual Asset Service W., and Chew, D., “But we are different! 12 Common Weak-
Providers was being updated and the revised version expected to be nesses in Banking Laws and What to Do about Them.” IMF,
published towards the end of 2021. WP/15/200, pp. 18–22.
registered), which will include the consideration of supervision of VASPs. Amendments to the existing
similar issues as noted previously. legal framework may be necessary in both instances
to ensure that there is an appropriate legal basis for
The choice between a licensing and a registration licensing or registration, monitoring implementa-
regime depends on a jurisdiction’s supervisory objec- tion of AML/CFT requirements, and sanctioning
tives and its approach to market entry. In addition to failure to comply with these requirements. Though
preserving financial integrity, such objectives include self-regulatory bodies could play an important role,
safeguarding the stability of the financial sector and they may not be sufficient as they are not established
providing consumer protection. Regardless of whether by governments and often have an advocacy role that
the jurisdiction adopts a licensing or a registration may conflict with supervisory duties. Unlike conven-
regime, it is imperative that it subjects VASPs to AML/ tional financial institutions (for example, banks), where
CFT obligations and that the purpose of regulation prudential or conduct supervisors often play the lead
and supervision (for example, AML/CFT only or role in the licensing process, VASPs are often not sub-
AML/CFT and prudential) be made clear. ject to other requirements so AML/CFT supervisors
Given the virtual and borderless nature of VA activi- will need to play a greater role in licensing or registra-
ties, licensing or registration in at least one jurisdiction tion. All the supervisors involved should be prepared
is key to ensuring that no VASP falls into a regulatory in terms of knowledge and resources before launching
gap. Traditional financial institutions are authorized the framework. Where there is a large exisiting VASP
where they operate, but the internet-based and bor- population, careful planning is required to roll out the
derless nature of VA activities often makes it difficult framework smoothly.
to determine where VASP operations take place. To Jurisdictions should also be proactive in the enforce-
avoid potential regulatory gaps, the FATF established ment of the regulatory framework. This notably
a minimum locus for licensing or registration, which requires outreach and engagement with VASPs to
varies depending on the type of VASP: (i) VASPs that ensure that they understand their AML/CFT obli-
are natural persons are, at a minimum, to be regulated gations. The approach should also include proactive
based on their place of business;10 (ii) VASPs that are identification of unauthorized VA-related activities by
legal persons should, at a minimum, be licensed or the relevant authorities. To this effect, all stakeholders,
registered in the jurisdiction where they are “created,” including the Financial Intelligence Unit (FIU) and
either through incorporation or any other mechanism law enforcement agencies, should work alongside the
used. Beyond the minimum standard, jurisdictions authority designated to supervise VASPs. A range of
may go further by regulating VASPs that are offering techniques and resources can assist in the identifica-
services in the jurisdiction to their citizens or residents, tion of unauthorized activities.11 Enforcement action
even if the VASPs are located overseas. They may also against unauthorized operators should be wide-ranging
extend their regime to include VASPs that are not to ensure credible deterrence. Enforcement actions typ-
created in their jurisdiction but conduct operations ically include issuing warnings and alerts to the public
from their jurisdiction. As a result, it is likely that, in about unauthorized firms and individuals; prohibiting
many instances, a single VASP operating in multiple and suspending individuals from carrying on unautho-
jurisdictions will be subject to multiple licensing or rized VA activities; deactivating the associated websites;
registration regimes. imposing regulatory fines; and bringing (criminal)
Jurisdictions need to designate one or more agen- charges. Oftentimes, however, it may be challenging
cies for the authorization and subsequent supervision to take enforcement action, particularly when oper-
of VASPs. They may decide to leverage on existing ators are based abroad, with no focal point (that is,
regulatory and supervisory structures and designate one purely online operations). In such cases, jurisdictions
or more existing agencies to authorize and super- should conduct joint operations with relevant overseas
vise VASPs, or create a new agency dedicated to the
Figure 1. Actions Envisaged Under Policy Decisions on Whether to Authorize or Ban VASPs
Licensing
Guidance
• Outreach to
preexisting VASPs Market Prescription Supervision
Authorize
entry of preventive & Enforcement
VASPs • Public controls measures monitoring
communication
Risk
assessment Registration • Identify
unauthorized
VASPs
• Sanction
Ban VASPs
unauthorized
VASPs
• Outreach to
preexisting VASPs
• Public
communication International cooperation
for Virtual Assets or VASPs,” “To the extent that relationships in the
money or value transfer services; identifying, assess- anonymity-enhancing features, or whether they plan
ing, and mitigating the ML/TF risks that may arise in to offer services such as mixers or tumblers. These
relation to new technologies; wire transfers; reliance features may present higher risks (as discussed in
on third parties; internal controls and foreign branches “Virtual Assets and Anti–Money Laundering and
and subsidiaries; higher-risk jurisdictions; report- Combating the Financing of Terrorism (AML/
ing of suspicious transactions; and tipping-off and CFT)— Some Legal and Practical Considerations”
confidentiality; and ensuring that no funds or other ) by potentially obfuscating transactions or under-
assets—including VAs—are made available to or for mining a VASP’s ability to undertake CDD and
the benefit of designated persons or entities in relation mitigate their ML/TF/PF risks. Once the risks are
to the targeted financial sanctions related to terrorism, identified and understood, VASPs need to design
TF, and PF.14 Jurisdictions must ensure that secrecy and implement commensurate preventive controls
laws do not inhibit VASPs from implementing AML/ to stop ML/TF/PF from occurring and detect it
CFT obligations and certain preventive measures that when it does. VASPs may use technological solu-
deal with DNFBPs that engage in VASP activities. tions to assist in performing enterprise-wide risk
The main substance of and principles behind these assessment as well as implementation of AML/CFT
obligations are the same for all three types of reporting control measures.
entities (financial institutions, DNFBPs, and VASPs). • Establishing Risk-Based CDD Measures: Customer
The following paragraphs focus on some aspects where risk assessments must be carried out in all cases. The
greater adaptation to the virtual space is needed. While starting point involves collecting information to
the discussion that follows focuses on VASPs, it also determine the purpose and intended nature of the
applies to financial institutions when they are carrying customer relationship that assists in understanding
out the activities of a VASP. the associated ML/TF/PF risks. Once the extent
of ML/TF/PF risk a specific new customer poses
Setting Up Risk-Based Controls has been established, VASPs need to determine the
Knowing and adapting to the risks is key. To be extent to which CDD measures should be carried
effective, the preventive framework should be com- out. This includes identifying and verifying the
mensurate to the risks. For VASPs, this means contin- beneficial owner(s) for customers who are legal per-
uously modulating their approach on a risk basis, more sons. Certain heightened risk factors (for example,
specifically when: customers who are PEPs or are from high-risk juris-
• Establishing internal controls: This requires VASPs dictions)15 will require enhanced measures, while
to identify and understand the ML/TF risks, as well proven low risks may justify simplified measures.
as the risks of potential breaches, non-implementa- To ensure that CDD measures remain appropri-
tion, or evasion of the targeted financial sanc- ate and to establish whether additional measures
tions related to PF (“PF risk” hereafter) prior to are required, VASPs will need to revisit customer
establishing how they intend to implement their risk assessments at regular intervals (the frequency
AML/CFT obligations. To do so, VASPs need to depending on the level of risk associated with a
carry out and document an enterprise-wide ML/ customer) or based on the detection of a trigger
TF/PF risk assessment that notably considers the event, such as a change in customer behavior/profile.
following factors: customer, products and services, The non-face-to-face environment in which VASPs
geographical regions, and delivery channels. In typically operate requires specific changes to the way
particular, the VASP should consider the specific customer identification is usually performed.
types of virtual assets that the VASP offers and any • Monitoring the business relationship will be neces-
unique features of VAs, such as whether they have sary in all cases to establish whether specific transac-
tions fall outside the customer’s normal pattern and
VASP sector currently have or may in the future have characteristics
are potentially suspicious. But the intensity of that
similar to cross-border correspondent banking relationships, coun-
tries should implement the preventive measures set out in Recom- 15See, in particular, “FATF High Risk and
mendation 13 to VASPs (and other obliged entities operating in the Non-Cooperative Jurisdictions” https://www.fatf-gafi.org/
VA space) that develop such relationships.” publications/high-riskandnon-cooperativejurisdictions/
14In some jurisdictions, lists of sanctioned Bitcoin addresses have more/more-on-high-risk-and-non-cooperative-jurisdictions.
been released. html?hf=10&b=0&s=desc(fatf_releasedate).
Box 1. Digital ID
The FATF published guidance on digital identi- mentary/physical or digital) that identity evidence can
fication (“digital ID”), which clarifies how and the take. The key element rests on ensuring that, in the
extent to which a digital ID is appropriate for use for digital context (as in the nondigital context), “reliable,
customer due diligence purposes. The guidance high- independent source documents, data or information”
lights that financial institutions (including VASPs) can are being used, which means potentially assessing these
use “documents” as well as “information or data” when “new” forms of identification on a case by case basis to
conducting customer identification and verification, ensure that they meet this standard.
and that there are no restrictions on the form (docu-
monitoring will vary depending on the customer’s VASP will need to be in a position to demonstrate how
risk ranking. it verifies that the transaction(s) are only conducted on
an occasional (one-off) rather than a more consistent
basis. VASPs must also conduct CDD where there is a
Customer Identification suspicion of ML/TF or where they doubt the veracity
In an increasingly non-face-to-face environment, or adequacy of previously obtained CDD information.
new methods of identification and verification of Certain information must be obtained for all cus-
potential customers are emerging. Traditional means tomers, even those who carry out occasional transac-
of carrying out CDD typically involve face-to-face tions below US$/EUR 1,000.17 The threshold for an
engagement with the customer and the submission occasional transaction may be a single operation or in
of physical identification documentation. These do several operations that appear to be linked. As such,
not work well in a virtual environment. Jurisdictions VASPs will need to collect certain customer informa-
should therefore consider the appropriateness of new tion for all transactions, even those below the threshold
methods (for example, electronic and biometric iden- for an occasional transaction to effectively link trans-
tification) as suitable alternatives. VASPs should seek actions.18 For example, in the scenario where there is
to utilize all available information to carry out CDD. a nonrecurring request from a customer to a VASP to
For example, as a starting point, unique user codes convert VAs to cash that falls below US$/EUR 1,000,
that may be linked to a customer can be used. Before certain customer information (for example, name) will
relying on this information, however, controls should need to be obtained to ensure that there is a mecha-
be in place to confirm the integrity of the informa- nism to track the customer’s transactions and detect if
tion, and once the code has been linked to a customer, the customer reaches (on a linked basis) the occasional
further steps should be taken to verify the identity of transaction threshold, at which point full CDD mea-
the customer. sures must be applied.19
VASPs must undertake CDD in a range of situ-
ations. A VASP may open and maintain customer Targeted Financial Sanctions
accounts, and, as a result, these customers will usually Like other reporting entities, VASPs play a key role
fall into the category of a business relationship. CDD in ensuring that terrorists and proliferation financiers
must be performed when a VASP enters into a business are barred from accessing the financial system. The
relationship with a customer and when it performs framework for targeted financial sanctions for terror-
an occasional (one-off) transaction for non-customers ism, TF, and PF applies in the context of VAs to the
above a certain threshold, which should be of US$/
EUR 1,000 or less.16 Recognizing the particular risks 17Interpretive Note to FATF Recommendation 15.
posed by virtual assets, this threshold is lower than 18While certain VASPs may determine that unique identifiers are
effective for the purpose of linking transactions, this is not the case
the applicable threshold for financial institutions. The
for implementing targeted financial sanctions, which require the
screening of person or entity names.
16Competent authorities are free to set a lower threshold if 19In the context of this activity, obtaining certain customer infor-
same extent as in the context of traditional assets. information along with a trail to trace all transactions.
VASPs, like financial institutions (FIs) and DNFBPs, However, reliance solely on the DLT is not sufficient.
are required to implement measures to prevent funds VASPs must “connect the dots” and link the transac-
or other assets being made available, directly or indi- tion information available on the DLT to the relevant
rectly, to or for the benefit of, any person or entity on customer/beneficiary. The information available and
designated lists.20 This means VASPs should ensure level of accessibility will depend on the specific DLT
that all transactions are screened against designated being utilized. Therefore, before the use of DLT, or any
lists to prevent such actors from gaining access to the technological solution, VASPs should ensure that they
financial system. This screening will involve controls to have a thorough understanding of the specific technol-
detect any positive matches, the capability to freeze the ogy along with any limitations to ensure that compen-
account and/or stop the transaction immediately, and satory controls are implemented, where necessary, so as
the mechanisms to report these matches to the relevant to enable them to “connect the dots.”
authorities and file a suspicious transaction report (per
the requirements of the national framework). Wire Transfer Rules and the So-Called “Travel Rule”
Total anonymity interferes with the effective Preventing and detecting ML/TF/PF requires VASPs
implementation of targeted financial sanctions. While to know who the originator and beneficiary of that
certain VAs and VASPs seek to provide greater privacy, transaction are. As a result, some information, such as
this should not interfere with the implementation of the identity of both parties, must “travel” with the VA,
targeted financial sanctions measures. Total anonymity similar to how it accompanies a wire transfer between
is therefore not an option for VASPs. While there is a banks—this is commonly called the “travel rule” but
threshold for conducting CDD on occasional transac- these rules apply in an amended manner to reflect the
tions, such a threshold is not applicable in the context specific nature of VA transactions.21 When transferring
of targeted financial sanctions screening. All transac- VAs, VASPs must therefore obtain, hold, and transmit
tions must be screened to ensure that funds or other required originator and beneficiary information. This
assets are not made available, directly or indirectly, to requirement poses several challenges for VASPs, includ-
or for the benefit of, any person or entity on desig- ing implementing secure mechanisms for the transfer
nated lists. Consequently, the names of the originator of information and ensuring that the required infor-
and beneficiary of transactions must be obtained in mation accompanies the transfer in “real time.” There
all instances to carry out this screening effectively. are various technologies and tools available that could
Although full CDD measures are not necessarily enable VASPs to comply with aspects of the travel rule
required, certain additional information (for exam- requirements. At the moment, however, there are not
ple, proof of identity documentation, information, or sufficient technological solutions that enable VASPs to
data) must also be obtained to verify the accuracy of comply with all aspects of the travel rule in a holistic,
the names that have been collected and subsequently instantaneous, and secure manner. Work is currently
checked against the various lists. underway, and a few initiatives are being developed
that could potentially assist VASPs in finding a
Record-Keeping solution.22 Absent a global solution to implement the
Information on customers and their transactions “travel rule” (akin to the SWIFT messaging system in
must remain available to competent authorities if and
when necessary. Like other reporting entities, VASPs 21Discussions are underway, including in the context of the public
should maintain that information. For information consultation held by the FATF on what these obligations entail in
the context of the transfer of VAs and the potential data protection
on transaction, the obligation may be easier with the and privacy complications. The revised “Guidance for a Risk-Based
use of digital ledger technology (DLT), since the latter Approach to Virtual Assets and Virtual Asset Service Providers”
acts as an immutable ledger and, if properly main- (forthcoming) will provide further clarification.
22For example, the interVASP’s IVMS-101 Messaging Standard
tained, holds the capabilities to record comprehensive (developed by a Joint Working Group established by industry
bodies), has the potential to assist with meeting the travel rule
20Any person or entity designated (i) by, or under the authority requirements through operating as a universal common language
of, the United Nations Security Council (UNSC) under Chapter VII between VASPs, who could then design their own technological
of the Charter of the United Nations, including in accordance with solution to implement the standard or engage a third party to assist
resolution 1267 (1999) and its successor resolutions; or (ii) pursuant in the development of the required technological solution. https://
to UNSC resolution 1373 (2001). intervasp.org/ (accessed 08/25/2020).
the banking sector), a key challenge will be to ensure required to facilitate VASPs and other reporting enti-
the interoperability of different systems. ties submitting information specific to VA activities.
New technologies may significantly enhance the
Monitoring and Reporting of Suspicious detection of suspicious activity. Artificial intelligence
Transactions (AI) and machine learning capabilities are increas-
Careful monitoring of the customer’s behavior and ingly used to facilitate and speed up the detection of
transactions is key as it will enable the identification potential suspicious activities. With AI’s continually
of potential suspicious activity. A robust system for the evolving algorithms and real-time decision-making
monitoring and detection of ML/TF activity should be abilities, such solutions may assist when dealing with
implemented with a level of sophistication commensu- large quantities of information and in identifying pat-
rate to the size and scale of the VASP’s activities along terns or trends of suspicious behavior. However, FIUs
with the level of exposure to ML/TF risk. The system and supervisors should stay on top of the evolution of
should include VA ML/TF red flag indicators that these technologies and there remains a need for VASPs
are based on ML/TF typologies associated with VA and supervisors to ensure that such solutions are
activities (see Annex 2). VASPs should not overly rely challenged/assessed on an ongoing basis to ensure that
on the identification of single indicators and remain they remain fit for purpose. For instance, AI solutions
cognizant that a typology will often involve multiple are only capable of recognizing known suspicious
red flags that, in aggregate, may lead to a suspicion of patterns and thus need to be enriched on an ongoing
potential ML/TF. basis to keep up with the new patterns or schemes
VASPs should then report suspicious transactions used by criminals. As such, caution should be exercised
to the FIU. To bring suspicious activity to the atten- when using new technologies to assist in the detection
tion of the FIU, VASPs and other reporting entities of suspicious activity to prevent an overreliance on
that engage in VA financial activities or operations or such technology. Further, VASPs must ensure that an
provide VA products or services need to ensure that adequate level of knowledge of any such tools is main-
there is a mechanism in place for the timely report- tained in-house at both the commencement of use and
ing of suspicions. In addition, jurisdictions will need on an ongoing basis thereafter. VASPs must identify
to determine, for VASPs operating across multiple and assess the ML/TF risks that may arise in the use of
physical jurisdictions, which FIU in which jurisdiction new or developing technologies.
should be the recipient(s) of these reports. The quality
of information provided is crucial, as it is based on this
information that an initial determination is made by Supervision/Monitoring of VASPs’ Compliance with AML/
the FIU as to whether further investigation is war- CFT Requirements
ranted. A suspicious transaction report (STR) should Effective implementation of AML/CFT require-
contain all relevant details relating to the suspicion ments can only be achieved when all stakeholders,
raised, including information relating to the custom- including supervisors and VASPs, work closely with
er(s); the date(s) of the transaction(s); a rationale to one another. Supervisors should work with other com-
support raising the suspicion; and all other relevant petent authorities and the private sector to understand
information. Unless this is already included in the the ML/TF/PF risks and help VASPs understand their
reporting template,23 FIUs should also determine own risks. Supervisors should clearly communicate
whether there are additional forms of information that their regulatory expectations and provide guidance
may be unique to VA activities that could assist in the and feedback to the VASP sector through different
assessment of suspicious activity, for instance, device means, including ongoing dialogue with the sector and
identifiers, VA wallet addresses, and transaction hashes. VASP-specific AML/CFT guidance. Where there are
Accordingly, jurisdictions should consider whether multiple supervisors for VASPs, it is also important
updates to existing reporting mechanisms or forms are that these bodies collaborate and share information
to ensure a coordinated and consistent approach to
supervising VASPs.
23See “Virtual Assets and Anti–Money Laundering and Com-
Like supervisors of other regulated entities, VASP
bating the Financing of Terrorism (AML/CFT)— Some Legal and supervisors should apply a risk-based approach to
Practical Considerations,” page. [16]. AML/CFT supervision. Before they can effectively do
so, they need to develop a thorough understanding of A good understanding of ML/TF/PF risks enables
the ML, TF, and PF risks posed by the VASP sector the determination of the most appropriate supervisory
compared to other sectors, as well as the risks within strategy. Guided by their understanding of ML/TF/
the VASP sector (if necessary, by ranking VASPs into PF risks, supervisors should target resources toward
sub-categories) at the VASP-entity level. Such assess- the higher-risk VASPs, which could involve enhanced
ments should be informed by the risks identified at offsite and onsite supervisory engagement strategies.
the national level (and a developed understanding of An enhanced strategy could involve more frequent
VASPs’ business models and operations).24 Under- and in-depth inspections and closer offsite monitoring
standing of risks is a dynamic exercise and should be through desk-based reviews of materials on a regular
kept up-to-date. Supervisors can draw from several and ad hoc basis. Supervisors should stay vigilant in
sources to inform their understanding of the risks. seeking out emerging risks or issues across the sector
They may distribute supervisory returns to VASPs and address them, including by conducting thematic
requesting information on their business model and inspections.
associated AML/CFT systems and controls. In addition The modalities of supervisory inspections for VASPs
to information shared by the FIU and law enforce- might be different from those applicable to traditional
ment agencies, AML/CFT supervisors can gain useful FIs. In the context of FIs, onsite inspections essentially
insights from data on interbank settlements related to allow supervisors to test how well an entity’s AML/
VASPs and crypto asset blockchain explorers as well as CFT internal controls work in practice. Supervisors
public information, among others. should expect to see an AML/CFT control framework
In assessing the risks at the entity level, supervisors that is adequately tailored to address the specific risks
should have regard to the inherent risks to which a that the VASP faces. It should, at a minimum, include
specific VASP is exposed as well as the robustness of AML/CFT policies, procedures, and processes that are
its AML/CFT controls. The assessment of inherent implemented to mitigate ML/TF/PF risk. Supervisors
risks should notably consider four main groups of risk must challenge the adequacy of such frameworks and
factors: customers, products and services, geographic ensure that VASPs implement controls that are fit for
regions, and delivery channels. These should include purpose, including by the “live testing” of systems or
but are not limited to higher-risk factors in each group technological solutions that are described in policies
(for example, foreign PEPs) that must be met with and procedures. Supervisors themselves should also
enhanced CDD. Supervisors should seek to capture all adapt the modalities of inspection to a VASP in light
major ML/TF/PF risks faced by VASPs, for example, of its specific characteristics, including, for instance,
risks associated with products with enhanced anony- the type of its business (for example, exchange, custo-
mous features, including internet protocol anonymizers dian services, and so on) and corporate structure (for
or features that undermine the operators’ ability to example, whether it is a new standalone entity or part
identify customers and beneficial owners (such as mix- of an existing financial group). For conventional finan-
ers and tumblers),25 or links to multiple jurisdictions cial institutions, inspections often involve onsite visits
in terms of clientele or operations that would tend to to the premises of the institution, while for VASPs
mean higher risks by virtue of a wider spread of expo- this might not be necessary or effective. The greater
sures and possibly fragmentation of the whole picture. involvement of technology in VASPs’ operations
When assessing the quality of a VASP’s AML/CFT and their internal controls means that most of these
controls, regards should be given to its business model tests would have to be conducted depending on the
and whether the controls are commensurate with the technological solutions employed, possibly remotely
level of risks in the VASP, for instance, whether robust rather than onsite. Where necessary, supervisors may
controls are applied to remote customer identification/ consider engaging third-party experts to ensure there
verification and authentication. is adequate knowledge and expertise to challenge and
assess business models, complex systems, and associ-
24See “Virtual Assets and Anti–Money Laundering and Com- ated IT solutions.
bating the Financing of Terrorism (AML/CFT)— Some Legal and Supervisors may be faced with new types of AML/
Practical Considerations,” p. [14].
25These are commonly understood as services that may further
CFT controls used by VASPs. While the AML/CFT
obfuscate transactions or undermine the VASP’s ability to implement requirements for VASPs are the same as those that
CDD measures. apply to more traditional sectors, the means by which
a VASP meets such requirements may look different the AML/CFT framework of multiple jurisdictions,
and include, for example, digital ID for customer especially in the context of so-called global stablecoins,
onboarding or using smart contracts for transaction given their potential mass adoption across the globe.
execution. VASPs may further rely on “off-the-shelf ” or At the licensing or registration stage, regulators may
“custom-built” regulatory technology (RegTech) solu- wish to consult foreign counterparts who have autho-
tions, including blockchain analytic software to assist rized or rejected an application of the particular VASP
in meeting AML/CFT requirements. Supervisors will to understand its regulatory history and activities
need to ensure that VASPs maintain adequate oversight overseas. Similarly, supervisors can benefit from their
and control of such solutions so that they are regularly foreign counterparts’ experiences with the particu-
tested, renewed, and updated. Supervisors should assess lar VASP and its compliance record. Establishing
the appropriateness and adequacy of such oversight on AML/CFT supervisory colleges has proved useful for
a case-by-case basis and challenge VASPs to demon- supervisors of traditional financial sectors and would
strate how they are meeting AML/CFT requirements be a powerful mechanism to facilitate information
and managing ML/TF/PF risks. Where a VASP sharing and exchange of views among supervisors of
outsources large portions of its framework, supervisors VASPs to tackle the supervisory challenges associated
should test that the VASP maintains adequate oversight with entities operating in multiple jurisdictions. More
of such arrangements and implements a robust pro- generally, sharing of knowledge and experiences on
gram of assurance testing and compliance monitoring. VASPs among jurisdictions would help enhance their
Supervisors should ensure that they have the necessary capacities to understand and mitigate the ML/TF/PF
resources, skills, and capabilities to fulfill these tasks. risks in the sector.
They may need to invest in training, personnel, or
other resources to gain the required experiences, tools,
and expertise. Conclusion
Noncompliance with AML/CFT requirements The new FATF standards for VAs constitute major
should be met with dissuasive, proportionate, and progress. The 2018 and 2019 changes to the stan-
effective sanctions. When warranted by the severity of dards provide much needed clarity on what regulation
violations, consideration should be given to suspen- and supervision of VASPs should look like. This is
sion or revocation of the license or removal from the key in ensuring greater consistency in jurisdictions’
registration and sanctioning of directors and senior approaches to mitigating the financial integrity risks of
managers.26 Supervisors would need a thorough under- VAs and limiting regulatory arbitrage. By subjecting
standing of the VASP’s business model and its AML/ VASPs to measures similar to those already applicable
CFT internal control systems to be able to identify to FIs and DNFBPs, FATF has ensured that the new
the individuals who should be held accountable for a actors in the virtual space are treated fairly and that
breach, which is more challenging in the VA context similar risks are addressed equally. It has also increased
with fewer human interventions, such as in the context the VASPs’ chances of interaction with the traditional
of smart contracts. As VASPs often operate across bor- financial sector, including the banking sector—several
ders, supervisors should consider publicizing the results VASPs have indeed indicated that the benefits of
of their enforcement actions and alerting their foreign implementation of sound AML/CFT systems outweigh
counterparts. the costs, notably because it has reassured banks that
the ML/TF/PF risks were sufficiently mitigated to
enable them to engage in banking activities.
Regulatory and Supervisory Cooperation But implementation is challenging. As noted previ-
The often cross-border and online nature of VA ously, while both the public and private sectors have
activities makes international cooperation key to made progress in the implementation of the standards
the success of effective regulation and supervision of for VAs, challenges remain, and, overall, implemen-
VASPs. In practice, specific VASPs may be subject to tation of the new standards is uneven.27 In addition,
27“12 Month Review of Revised FATF Standards—Virtual
26See
the FATF Guidance on “Effective Supervision and Enforce- Assets and VASPs.” https://www.fatf-gafi.org/publications/
ment By AML/CFT Supervisors of the Financial Sector and Law fatfrecommendations/documents/12-month-review-virtual-assets
Enforcement” for more detailed guidance on enforcement. -vasps.html.
with the emergence of so-called global stablecoins, monitor the financial integrity risks related to VAs with
AML/CFT supervisors are likely to face increased chal- a view to ensuring that the standards remain appropri-
lenges (for example, with a greater number of VASPs ate. Sustained efforts are needed to assist jurisdictions
to supervise, greater business volume among existing in their implementation of the standards and address
VASPs, or greater market scale, hence the greater rel- issues that may arise from the uneven implementation
ative importance of the VASP sector). While encour- of and multiplicity of regulatory frameworks. In this
aging innovation associated with VASPs, jurisdictions respect, the FATF has committed to issue more guid-
should make sure that they are ready to mitigate the ance (for example, on so-called stablecoin, anonymous
financial integrity risks by ensuring that VASPs are peer-to-peer transactions, the “travel rule,” and red
subject to appropriate AML/CFT measures and that flags for potential ML/TF); promote the understanding
supervisors have the know-how, powers, and resources of ML/TF/PF risks specific to VAs; engage with the
to monitor compliance effectively. private sector; work to enhance international coopera-
Protecting the financial system from the criminal tion among VASP supervisors; and to take stock peri-
misuse of VA requires continued focus and enhanced odically of the implementation of the standards on VA
efforts. Going forward, jurisdictions and VASPs will and VASP across the globe. Nonetheless, further guid-
need to step up their efforts and, for the most part, put ance would be useful, for instance on the inspection of
in place the necessary measures and ensure their effec- VASPs. IMF staff is committed to assist its members as
tive implementation to protect the financial system appropriate in all its relevant workstreams, including
from ML/TF/PF activities and prevent regulatory arbi- through capacity development activities, with a view to
trage. The international AML/CFT community will strengthen financial integrity in the VA space.
also need to remain engaged, notably by continuing to
Annex 1. FATF Standards Related to licensed or registered in the jurisdiction where their
VAs and VASPs place of business is located. Jurisdictions may also
Although the entire Financial Action Task Force require VASPs that offer products and/or services
(FATF) standards apply in the context of virtual to customers in, or conduct operations from, their
asset (VA) activities, some specific provisions were jurisdiction to be licensed or registered in this
introduced in 2018 and 2019 to address explic- jurisdiction. Competent authorities should take the
itly some VA- and virtual asset service provider necessary legal or regulatory measures to prevent
(VASP)-related aspects: criminals or their associates from holding, or being
the beneficial owner of, a significant or controlling
interest, or holding a management function in, a
Recommendation 15 “New Technologies,” VASP. Countries should take action to identify nat-
second paragraph: ural or legal persons that carry out VASP activities
“To manage and mitigate the risks emerging from without the requisite license or registration and
virtual assets, countries should ensure that virtual asset apply appropriate sanctions.
service providers are regulated for [anti–money laun- 4. A country need not impose a separate licensing or
dering/combating the financing of terrorism] AML/ registration system with respect to natural or legal
CFT purposes, and licensed or registered and subject persons already licensed or registered as financial
to effective systems for monitoring and ensuring institutions (as defined by the FATF Recommen-
compliance with the relevant measures called for in the dations) within that country, which, under such
FATF Recommendations.” license or registration, are permitted to perform
VASP activities and which are already subject to the
full range of applicable obligations under the FATF
Interpretive Note to Recommendation 15: Recommendations.
1. For the purposes of applying the FATF Recom- 5. Countries should ensure that VASPs are subject to
mendations, countries should consider virtual assets adequate regulation and supervision or monitoring
as “property,” “proceeds,” “funds,” “funds or other for AML/CFT and are effectively implementing
assets,” or other “corresponding value.” Countries the relevant FATF Recommendations, to miti-
should apply the relevant measures under the FATF gate money laundering and terrorist financing
Recommendations to virtual assets and virtual asset risks emerging from virtual assets. VASPs should
service providers (VASPs). be subject to effective systems for monitoring
2. In accordance with Recommendation 1, countries and ensuring compliance with national AML/
should identify, assess, and understand the money CFT requirements. VASPs should be supervised
laundering and terrorist financing risks emerging or monitored by a competent authority (not a
from virtual asset activities and the activities or [self-regulatory body] SRB), which should conduct
operations of VASPs. Based on that assessment, risk-based supervision or monitoring. Supervi-
countries should apply a risk-based approach to sors should have adequate powers to supervise or
ensure that measures to prevent or mitigate money monitor and ensure compliance by VASPs with
laundering and terrorist financing are commen- requirements to combat money laundering and ter-
surate with the risks identified. Countries should rorist financing including the authority to conduct
require VASPs to identify, assess, and take effective inspections, compel the production of information,
action to mitigate their money laundering and and impose sanctions. Supervisors should have pow-
terrorist financing risks. ers to impose a range of disciplinary and financial
3. VASPs should be required to be licensed or regis- sanctions, including the power to withdraw, restrict
tered. At a minimum, VASPs should be required or suspend the VASP’s license or registration,
to be licensed or registered in the jurisdiction(s) where applicable.
where they are created.1 In cases where the VASP 6. Countries should ensure that there is a range
is a natural person, they should be required to be of effective, proportionate, and dissuasive sanc-
tions, whether criminal, civil, or administrative,
1References to creating a legal person include incorporation of available to deal with VASPs that fail to comply
companies or any other mechanism that is used. with AML/CFT requirements, in line with Rec-
ommendation 35. Sanctions should be applicable tations of fiat currencies, securities and other financial
not only to VASPs, but also to their directors and assets that are already covered elsewhere in the FATF
senior management. Recommendations.
7. With respect to the preventive measures, the Virtual Asset Service Providers: Virtual asset
requirements set out in Recommendations 10 to 21 service provider means any natural or legal person
apply to VASPs, subject to the following qualifica- who is not covered elsewhere under the Recommenda-
tions: (a) R.10 – The occasional transactions des- tions, and as a business conducts one or more of the
ignated threshold above which VASPs are required following activities or operations for or on behalf of
to conduct CDD is USD/EUR 1 000. (b) R.16 another natural or legal person: (i) exchange between
– Countries should ensure that originating VASPs virtual assets and fiat currencies; (ii) exchange between
obtain and hold required and accurate originator one or more forms of virtual assets; (iii) transfer of
information and required beneficiary informa- virtual assets;4 (iv) safekeeping and/or administration
tion2 on virtual asset transfers, submit3 the above of virtual assets or instruments enabling control over
information to the beneficiary VASP or financial virtual assets; and (v) participation in and provision of
institution (if any) immediately and securely, and financial services related to an issuer’s offer and/or sale
make it available on request to appropriate author- of virtual assets.
ities. Countries should ensure that beneficiary
VASPs obtain and hold required originator informa-
tion and required and accurate beneficiary informa-
tion on virtual asset transfers and make it available
on request to appropriate authorities. Other
requirements of R.16 (including monitoring of
the availability of information and taking freezing
action and prohibiting transactions with designated
persons and entities) apply on the same basis as set
out in R.16. The same obligations apply to financial
institutions when sending or receiving virtual asset
transfers on behalf of a customer.
8. Countries should rapidly, constructively, and
effectively provide the widest possible range of
international cooperation in relation to money
laundering, predicate offences, and terrorist financ-
ing relating to virtual assets, on the basis set out in
Recommendations 37–40. In particular, supervisors
of VASPs should exchange information promptly
and constructively with their foreign counterparts,
regardless of the supervisors’ nature or status and
differences in the nomenclature or status of VASPs.
Glossary
Virtual Asset: A virtual asset is a digital represen-
tation of value that can be digitally traded, or trans-
ferred, and can be used for payment or investment
purposes. Virtual assets do not include digital represen-
It is not necessary for this information to be attached directly to transaction on behalf of another natural or legal person that moves a
VA transfers. virtual asset from one virtual asset address or account to another.