The Financial Action Task Force (FATF) is the inter-governmental body that sets global standards relating to anti-money laundering and combating the financing of terrorism (AML/CFT).
Earlier this month, FATF released its Second 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers, two years after the FATF finalized AML/CFT requirements on virtual assets (VAs) and Virtual Asset Service Providers (VASPs), including cryptocurrency exchanges. In this latest release, FATF evaluates progress that jurisdictions and the private sector have made in adopting the requirements since the first 12-month review, as well as monitoring for any changes in the typologies, risks and the market structure of the virtual assets sector.
There are several key takeaways from the report that we will discuss below, but one section is particularly notable: a comparison of data on peer-to-peer (P2P) transactions – transactions that do not involve a VASP – provided by seven different blockchain analysis providers.
Based on the charts FATF provided, the data provided by the blockchain analytics companies varied significantly. So significantly, in fact, that FATF noted it was “difficult to draw clear conclusions from the graphs.”
For context, FATF’s Standards do not currently apply to P2P transactions. The body reached out to Chainalysis and other blockchain analysis providers for data to better understand the extent to which virtual asset transfers occur with a VASP or without (i.e. P2P transactions), whether this has changed since the FATF revised its Standards in June 2019, and the ML/TF risk associated with P2P transactions. FATF ultimately concluded that they did not see a clear shift towards P2P transactions.
Below are the charts that include data from blockchain analysis providers. Please note that none of the data points here align with data Chainalysis has previously published relating to illicit activity. FATF used providers’ raw data and their own calculation methods to reach these conclusions.
Proportion of bitcoin transactions which occur without a VASP between 2016-2020 (left: number of transactions; right: USD value)
Proportion of identified illicit bitcoin transactions between 2016-2020 (left: number of transactions; right: USD value)
Proportion of identified illicit bitcoin transactions with a VASP / without a VASP between 2016-2020 (left: number of transactions, right: USD value)
As far as we know, this is the first public instance in which data from blockchain analytics companies have been compared directly. While FATF declined to attribute specific metrics to their providers, the key takeaway is that there is dramatic variation among the providers. As FATF notes, “each company has its own methodology, analytical tools, techniques, proprietary data and expertise.” Nonetheless, the charts imply a wide range of data quality among data providers.
While FATF may not be planning on applying their Standards to P2P transactions at this time, VASPs should be aware of the potential risks associated with them, and take steps to mitigate those risks, including through the use of blockchain analytics.
As this exercise brings to light, VASPs should take into consideration the quality of data when selecting a blockchain analytics provider for their AML/CFT purposes. It is important to have complete and accurate data in order to meet AML/CFT regulatory compliance requirements and file accurate reports. The quality of data is crucial in allowing VASPs to meet their obligations and avoiding fines or other regulatory actions.
Chainalysis has identified more entities operating on the blockchain than anyone else. With that information, we are able to provide the most effective AML/CFT transaction monitoring capability available for cryptocurrency. If you’re not using Chainalysis, we will help you benchmark your transactions and uncover what you’ve been missing. Reach out today to turn our data advantage into your unique edge.
Below are three more takeaways from the review.
Progress has been made
58 jurisdictions reported that they introduced the necessary legislation to implement the revised FATF Standards. 52 of these jurisdictions have a regulatory regime permitting VASPs, while 6 of these jurisdictions prohibited VASPs. 26 of the other 70 reporting jurisdictions that have not yet implemented the standards are in the process of implementing regulations for VASPs by legislation or rule-making.
Having supervision of cryptocurrency businesses promotes consumer confidence in the industry, enables VASPs to operate with the security knowing what they are and are not permitted to do and what their regulatory obligations are, and allows for the safe growth of the cryptocurrency ecosystem.
There are still large gaps in implementation of FATF Standards that need to be addressed
Of particular concern to FATF is the implementation of Recommendation 16, more commonly referred to as “the Travel Rule.” The Travel Rule dictates that VASPs must identify the originators and beneficiaries of cryptocurrency transactions initiated by their users above a certain size. In cases where the counterparty of those transactions is also a VASP, the original VASP must then transmit that user information to the second VASP. Many jurisdictions have struggled to implement this particular Recommendation.
Some progress on the Travel Rule has been made over the past year, with 10 jurisdictions now implementing and enforcing the Travel Rule, and another 14 jurisdictions having introduced requirements, but not yet enforcing them.
As FATF notes, one of the challenges in implementing the Travel Rule is technological solutions, which did not exist when it issued its Standards. Now, however, there are various technologies and tools available that could enable VASPs to comply with the travel rule, including Chainalysis’ integration with Notabene, which allows cryptocurrency businesses to automate transactions with trusted counterparties, while providing them with the data they need to detect suspicious activity and meet their regulatory requirements.
Mitigating the risk of ransomware-related cryptocurrency use is a priority
FATF is right to be concerned about the alarming increase in ransomware attacks. In a recent report, Chainalysis noted that no other category of cryptocurrency-based crime had a higher growth rate in 2020 and that this trend has continued in 2021.
While there have been some law enforcement successes in recovering ransomware payments, such as in the Colonial Pipeline attack, this is not always the case. In order to address the issue of ransomware, companies must improve their cybersecurity measures in order to prevent attacks from occuring in the first place, the public and private sectors must work together to detect attacks when they do occur and share information in a timely manner, and investigators must have the resources they need, such as blockchain analytics, which will allow them to trace ill-gotten cryptocurrency proceeds to their cash out points and garner other important information about the ransomware supply chain.
What comes next?
FATF has outlined three next steps in the process of setting standards for cryptocurrency regulation.
- In October 2021, FATF plans to publish their revised Guidance on Virtual Assets and VASPs for the Public and Private Sectors. This Guidance will include updates on “the definition of virtual asset and VASP, so-called stablecoins, P2P transactions, registration and licensing of VASPs, the travel rule and international co-operation amongst VASP supervisors, which will aid with implementation.”
- By November 2021, FATF plans to release Principles for Information-Sharing and Co-Operation amongst VASP Supervisors.
- FATF is developing online training for its membership and the broader Global Network on virtual assets and VASPs to “inform policy makers, competent authorities and assessors about...FATF Guidance and best practice documents and the results of mutual evaluation reports.” They plan to launch this training in the second half of 2021.
This review emphasizes that FATF is serious about mitigating the AML/CFT risks associated with cryptocurrencies. After October, when FATF finalizes the next guidance on cryptocurrencies, we will likely see an increase in FATF jurisdictions engaged in rulemaking or legislative processes in order to implement the new guidance.
It is important that cryptocurrency businesses and financial institutions are prepared for these changes and have strong AML/CFT programs in place that allow them to flourish in this environment. Contact us now to learn more about how Chainalysis KYT and Reactor can help your organization remain compliant and meet reporting requirements.