A Guide to Anti-Money Laundering for Crypto Firms

Oh FUD! FATF gets tough on virtual assets and their service providers

Regulation Crypto Knowledge & Training

Back in October 2018, the Financial Action Task Force (FATF) provided a definition of “virtual assets” a.k.a. cryptocurrencies and said they would produce guidance in June 2019 on how to treat these.

Last week, at their February Plenary the group issued a draft “Interpretive Note” to FATF Recommendation 15 which gives a strong indication of what this guidance will look like. If crypto fans and operators were expecting to be able to continue in their unregulated utopia, they will be sorely disappointed.

The Interpretive Note brings in 8 new provisions which impact both competent authorities and obliged entities. The provisions are summarized below:

For countries & competent authorities:

Identifying risk:

  • Countries must identify the risks associated with virtual assets and their service providers (VASPs), applying a risk based approach to combating identified AML/CFT risks.

Monitoring & supervision:

  • Countries must ensure that VASPs are adequately regulated and supervised in line with the current 40 FATF recommendations, meaning that they must be supervised by a competent authority.
  • Supervisors and monitors should have the power to impose sanctions if they find a VASP breaching compliance standards – sanctions must also be available to punish directors and the senior management of said VASP.

Information sharing

  • FATF urges all competent authorities to have provisions in place for the rapid exchange of information between authorities on VASPs. They make the interesting point that this should be done regardless of the “status and nomenclature” of VASPs in different jurisdictions.

For obliged entities:

  • VASPs must register or be licensed by competent authorities in the country in which they were created, or if a person, in the country in which they operate. Countries may also require service providers who operate within them, but were not created there, to also register in their jurisdiction.
    • Competent authorities will have to somehow ensure that “criminals and their associates” do not have a vested interest in a VASP.
  • Once licensed, VASPs will be subject to monitoring by competent authorities, so they must see to it that they are “ensuring compliance with national AML/CFT requirements”.
  • What this means in practice is that they must comply with FATF Recommendations 10-22 when occasional transactions are above EUR/USD 1000.  
    • This broadly translates as having a process in place for Customer Due Diligence (CDD), PEP screening, identifying high risk third countries and other high risk sectors, reporting suspicious activity and preventing tipping off.
  • In the case of transactions over EUR/USD 1000, VASPs must also obtain and hold accurate information on the sender and beneficiary of a transaction. VASPs will need to be able to send this information to the receiving VASP – effectively removing anonymity from virtual assets. This requirement is based on the current conditions of FATF Recommendation 16 for wire transfers.   

What does this mean for virtual assets and their service providers?

FATF has gone pretty much as far as it can to manage AML/CFT risk in the cryptosphere. In doing so they will remove the factors that make virtual assets notable: anonymity and lack of supervision. The Note may borrow from established crypto regimes, such as those in Japan and Australia, but the treatment of transactions as if they were wire transfers is a new perspective which is likely to be highly controversial. Deriving sender and beneficiary information in a traditionally anonymous world will prove challenging and could be a serious barrier to the success of this guidance. Fortunately, FATF is consulting on this point (submissions will be accepted until April 8th) so VASPs will have the opportunity to challenge this stipulation. If this Interpretive Note is adopted and transposed into domestic legislation VASPs will likely find themselves as regulated as a traditional bank.

If you are a virtual asset service provider and would like to learn more about how ComplyAdvantage can help you comply with the FATF 40 recommendations click here to get in touch.

 What else happened at the FATF Plenary:

  • Cambodia was added to the FATF grey list of countries with a “strategic deficiency” in AML/CFT controls. The country has developed an action plan with the group to help it overcome these weaknesses. In the meantime, Enhanced Due Diligence (EDD) measures should be applied to all interactions with Cambodian entities.
  • Despite efforts to remove itself, Pakistan remained on the FATF grey list. The country was placed on the list this time last year and has been trying to get off it ever since. India is rumoured to have taken a hard line on Pakistan’s position on the list in light of the deadly terrorist attacks in Kashmir earlier this month which killed over 40 Indian soldiers.
  • Iran was given a six month extension on its action plan which still has 6 points outstanding. If it fails to fulfill these it could risk the reimposition of countermeasures. FATF acknowledged the progress the country has made but advised obliged entities to continue to apply EDD measures to all dealings with the country.
  • Full Mutual Evaluation Reports for China and Finland will be released in April.


Originally published February 27, 2019, updated November 17, 2021

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).