Virtual currencies are often associated with criminal activity, due to the anonymity and flexibility they afford. With organised crime groups generating sufficient proceeds from their crime, virtual currencies such as Bitcoin can also provide an opportunity launder the proceeds of crime and effectively ‘cash out’ while evading authorities. In addition to money laundering, virtual currencies can also provide a means to fund terrorist activities around the world.
In order to effectively mitigate the money laundering and terrorism financing (ML/TF) risks associated with virtual currencies, a key consideration is the regulation of virtual asset service providers, such as digital currency exchanges (DCEs). A DCE is a business that allows customers to trade digital currencies for other assets, such as conventional fiat money or other digital currencies.
The FATF provides a number of important recommendations in its paper ‘International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation’.
The key recommendation relating to virtual asset service providers is Recommendation 15, which reads as follows:
15. New technologies
Countries and financial institutions should identify and assess the money laundering or terrorist financing risks that may arise in relation to (a) the development of new products and new business practices, including new delivery mechanisms, and (b) the use of new or developing technologies for both new and pre-existing products. In the case of financial institutions, such a risk assessment should take place prior to the launch of the new products, business practices or the use of new or developing technologies. They should take appropriate measures to manage and mitigate those risks.
To manage and mitigate the risks emerging from virtual assets, countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations.
Interpretive Note to FATF Recommendation 15
The FATF has been working on an Interpretive Note to Recommendation 15, setting out more detailed implementation requirements for effective regulation and supervision/monitoring of virtual asset services providers.
The new Interpretive Note will be formally adopted as part of the FATF Standards in June 2019. Paragraph 7(b) of the Interpretive Note has not yet been finalised because it will benefit from private sector consultations to be conducted in May.
The Draft Interpretive Note as of 22 February 2019 reads as follows:
Draft Interpretive Note to FATF Recommendation 15
- For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).
- In accordance with Recommendation 1, countries should identify, assess, and understand the money laundering and terrorist financing risks emerging from virtual asset activities and the activities or operations of VASPs. Based on that assessment, countries should apply a risk-based approach to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. Countries should require VASPs to identify, assess, and take effective action to mitigate their money laundering and terrorist financing risks.
- VASPs should be required to be licensed or registered. At a minimum, VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created.1In cases where the VASP is a natural person, they should be required to be licensed or registered in the jurisdiction where their place of business is located. Jurisdictions may also require VASPs that offer products and/or services to customers in, or conduct operations from, their jurisdiction to be licensed or registered in this jurisdiction. Competent authorities should take the necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in, a VASP. Countries should take action to identify natural or legal persons that carry out VASP activities without the requisite license or registration, and apply appropriate sanctions.
- A country need not impose a separate licensing or registration system with respect to natural or legal persons already licensed or registered as financial institutions (as defined by the FATF Recommendations) within that country, which, under such license or registration, are permitted to perform VASP activities and which are already subject to the full range of applicable obligations under the FATF Recommendations.
- Countries should ensure that VASPs are subject to adequate regulation and supervision or monitoring for AML/CFT and are effectively implementing the relevant FATF Recommendations, to mitigate money laundering and terrorist financing risks emerging from virtual assets. VASPs should be subject to effective systems for monitoring and ensuring compliance with national AML/CFT requirements. VASPs should be supervised or monitored by a competent authority (not a SRB), which should conduct risk-based supervision or monitoring. Supervisors should have adequate powers to supervise or monitor and ensure compliance by VASPs with requirements to combat money laundering and terrorist financing including the authority to conduct inspections, compel the production of information, and impose sanctions. Supervisors should have powers to impose a range of disciplinary and financial sanctions, including the power to withdraw, restrict or suspend the VASP’s license or registration, where applicable.
- Countries should ensure that there is a range of effective, proportionate and dissuasive sanctions, whether criminal, civil or administrative, available to deal with VASPs that fail to comply with AML/CFT requirements, in line with Recommendation 35. Sanctions should be applicable not only to VASPs, but also to their directors and senior management.
- With respect to preventive measures, the requirements set out in Recommendations 10 to 21 apply to VASPs, subject to the following qualifications:
(a) R.10 – The occasional transactions designated threshold above which VASPs are required to conduct CDD is USD/EUR 1 000.
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information2 on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16
8. Countries should rapidly, constructively, and effectively provide the widest possible range of international cooperation in relation to money laundering, predicate offences, and terrorist financing relating to virtual assets, on the basis set out in Recommendations 37 to 40. In particular, supervisors of VASPs should exchange information promptly and constructively with their foreign counterparts, regardless of the supervisors’ nature or status and differences in the nomenclature or status of VASPs.
 References to creating a legal person, include incorporation of companies or any other mechanism that is used.
 As defined in INR.16, paragraph 6, or the equivalent information in a virtual asset context