The all-pervading global Financial Action Task Force (FATF) will bare its teeth soon.

by Edmund Yong

The Financial Action Task Force (FATF) was created in 1989 by the Group of Seven (G7) and is based in Paris. It is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering and terrorist financing (ML/TF), and financing of proliferation of weapons of mass destruction. As it stands in 2018, there are 36 member jurisdictions and includes the main crypto hotspots in Asia like Japan, Korea, China, Hong Kong, Singapore and Malaysia.

While FATF Recommendations are not necessarily binding, they are recognized as the global standard for anti-money laundering (AML) and counter-terrorist financing (CFT) and intended for universal application – member countries will legislate and implement them as legally binding measures. Its new cryptocurrency guidelines, announced by president Marshall Billingslea, is expected to be out in June 2019 and will serve as advisory parameters for regulators and governments to follow and cascade to compliance operations in their respective locations.[1] The ambit of these Recommendations is on AML/CFT rather than the traditional areas of investor protection and financial stability.

Specifically, the Recommendations will clarify exactly which businesses and activities in “virtual assets” (the new standardized term by FATF) are subject to them. The “virtual asset service providers” or VASPs such as exchanges and wallet providers will be required to implement AML/CFT controls, and to be licensed or registered, and supervised or monitored by the respective national authorities. Even issuers of Initial Coin Offerings (ICOs) are added into the glossary and not exempt.[2] FATF member jurisdictions have the flexibility to decide which AML/CFT category of regulated activities that VASPs fall under e.g. financial institutions, designated non-financial business persons or professionals (DNFBP), or as another distinctive category.

The rapid rise of virtual assets has caught the gaze of regulators and galvanized FATF to provide guidance urgently. Virtual assets are vulnerable to ML/TF because:

  • Virtual asset platforms can be accessed anywhere online (including via mobile phones) to make cross-border payments and fund transfers; and they are generally characterized by non-face-to-face relationships and permit anonymous funding i.e. no proper identity of funding source.
  • Law enforcement cannot target one central location or entity (administrator) for investigative or asset seizure purposes. Customer and transaction records may be held by different entities, often in different jurisdictions, making it more difficult for law enforcement to access them.
  • Furthermore, virtual assets commonly rely on complex infrastructures that involve several entities, often spread across several countries, for transactions. This segmentation of services means that responsibility for compliance and enforcement may be unclear.
  • Components of a virtual asset platform may be located in jurisdictions that do not have adequate controls. A centralized platform that is complicit in money laundering could deliberately seek out jurisdictions with weak AML/CFT regimes or strategic deficiencies.

The ‘risk-based approach’ (RBA) is at the core of FATF Recommendations. It ensures that countries identify and understand the unique risks they are exposed to, allowing them to prioritize their resources and risk management structures on areas where ML/TF threats are at the highest. For service providers, RBA also recognizes that the risks will vary across their customers, geographic, products and services, transactions and distribution channels; and require their discretionary application of procedures, systems and controls to mitigate ML/TF based on the nature, scale, complexity and risk profile of the business operations.

The RBA entails two risk-based assessments at both the business level and relationship level. Very broadly speaking, a risk assessment needs to be performed for the enterprise to determine its level of exposure, impact and appetite. To this end, the VASP should formulate specific parameters and risk control measures that address and are proportionate to the ML/TF factors identified.  At the relationship level, the VASP has to perform risk profiling on their customers. The appropriate customer due diligence measures (standard or enhanced) have to be conducted in respect of each customer e.g. high, medium or low, on an ongoing basis as the case may be.

The entire RBA process needs to be properly documented and applied by the VASP as part of its standard operating procedures, reported to the authorities and justified for its rationale or approach, and updated continuously in light of new risk developments or regular monitoring.

Some FATF member jurisdictions have enforced their own rules and regulations for virtual currencies based on an earlier guidance issued in 2015.[3] Nevertheless, those that haven’t can expect to be given a directive from FATF this year. For instance, the Fifth Money Laundering Directive (MLD5) by the European Parliament and European Council extends AML/CFT obligations to exchanges and wallet providers by capturing them under the definition of “obliged entities” and subject them to the same compliance and reporting duties as regulated financial institutions. EU member states have 18 months from the date MLD5 is published (June 2018) to implement its provisions into national law.

The intent of FATF regulation is not curb crypto activity but to manage it effectively, since the new digital economy does bring many advantages over cash. As FATF Executive Secretary David Lewis puts it, “Pushing customers back to the cash economy exasperates financial exclusion and significantly raises the risk of ML/TF by making it much more difficult to detect, track and investigate money flows”.[4] Cash is still the first choice of launderers and terrorists, evidently.

Disclaimer: The opinions expressed in this article are the author’s own. Readers should do their own due diligence before taking any actions related to the content.