FATF Crypto Guidance Is Out: Here's What Has Changed

The Financial Action Task Force, the international body that coordinates financial transaction standards among 39 country and regional members, today issued updated guidelines for countries to assess and reduce risk associated with cryptocurrencies.

The "Updated Guidance for a Risk-Based Approach for Virtual Assets and Virtual Asset Service Providers" replaces previous guidance issued in April 2020. The service providers, or VASPs, in the title refer to cryptocurrency exchanges and money transmitters that handle digital assets. 

The new guidance makes at least two major changes.

First, it revises the definition of who qualifies as a VASP. It states that the current definition "is meant to exclude ancillary participants that do not provide or actively facilitate any of these covered activities, such as entities which provide Internet or cloud services." In short, VASPs must control cryptocurrency, not just facilitate its use by, for example, creating computer code for a decentralized finance application.

Second, it updates the "travel rule," which requires financial institutions to record and report information about senders and receivers of electronic fund transfers worth at least $3,000, as it applies to crypto transactions. That's been clarified to apply to transfers between VASPs, but not transfers to a private wallet.

Coin Center, a cryptocurrency think tank applauded the changes but urged the FATF to go further. Crypto transactions, wrote Research Director Peter Van Valkenburgh, are more like cash transactions than wire transfers when "not bookended by two regulated parties." In such cases, he says, the travel rule shouldn't apply at all.

Van Valkenburgh also targeted the guidance's "verbose" language and said the guidance toward decentralized finance (DeFi)—applications that allow people to save, borrow or swap crypto without a financial intermediary—"remains overbroad."

While the guidance clarifies that a decentralized application itself is not a VASP, it states that "creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP." In other words, it makes the case that merely calling a project decentralized does not necessarily make it so—and gives member jurisdictions leeway to make its own determination.

The publication's title hints at its intention—these aren't rules or regulations but rather standards members are expected to follow in order to combat money laundering and terror financing. Those who don't comply can find themselves blacklisted and outside the global financial system.

A July 2021 report on jurisdictions' efforts to implement the standards found that "significant progress has been made, but global implementation still has very large gaps that need to be addressed."