The aftermath of FATF’s fourth implementation update on VAs and VASPs

A lack of progress highlights the importance of regulatory data, interoperability and industry-driven due diligence standards.



On 28 June 2023, the inter-governmental body responsible for setting global standards against money laundering and terrorist financing, the Financial Action Task Force (FATF), released its fourth Targeted Implementation Update on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs).

Since VAs and VASPs were brought into the scope of FATF Recommendations in October 2018, the report is issued annually to highlight the progress the 210 countries and territories in the FATF network have made in implementing requirements plus any challenges, risks or areas of concern. Here are our key takeaways from this year’s update.

Since last year’s report, virtual asset regime implementation has shown little progress.

FATF indicated that 75% of jurisdictions assessed against the revised VA and VASP standards in the mutual evaluation and follow-up reports are only partially or non-compliant with requirements.

According to research from VASPnet, nearly half (44%) of the 210 FATF jurisdictions have not yet started to implement a regime for virtual assets. Although 87 jurisdictions have a regulatory regime for VAs in place, the majority remain only partially compliant, and at least 11% have not yet issued a licence or authorisation in practice.

The FATF report also indicates that of 151 surveyed respondents, more than half self-reported that no steps have been taken to implement the Travel Rule, the FATF requirement for VASPs to share originator and beneficiary information with each transaction. Only 13 jurisdictions indicated they actively supervise the Travel Rule. Since last year’s update, only five more jurisdictions reported implementing the Travel Rule, and two more reported implementation is in progress. FATF made clear that this is insufficient progress.

Without counterpart VASP due diligence, VASPs are non-compliant.

The FATF report acknowledges the Travel Rule compliance challenges experienced by both public and private sectors with a specific emphasis on counterpart due diligence. The Travel Rule requirement to implement and enforce counterpart VASP due diligence has been left on the back burner by most jurisdictions, and due to the lack of domestic regulation, VASPs have yet to attempt to comply. But FATF has made its stance clear, VASPs need to conduct due diligence on their counterparts before conducting both domestic and cross-border transactions to achieve full compliance with the Travel Rule.

As gatekeepers of the crypto ecosystem, VASPs have a legal responsibility to meet AML/CFT obligations, protect consumers, prevent the use of products and services for illicit purposes and ensure the community and relevant authorities are made aware of other VASPs responsible for facilitating money laundering, terrorist financing and proliferation financing. In the absence of an effective counterpart due diligence programme, VASPs may be subject to the following consequences:

  • Legal repercussions and reputational damage for being associated with or facilitating illicit activities.
  • Regulatory scrutiny due to non-compliance with AML/CFT obligations.
  • Significant financial loss due to regulatory penalties, law enforcement fines, and poor client retention.

The VA industry will struggle to comply without access to regulatory data on VASPs.

The FATF report highlighted the difficulties faced by the industry due to a lack of publicly accessible data on the regulatory status of virtual asset service providers (VASPs). Of the 87 jurisdictions with VA regimes in place, more than 26% have public authorities that still do not make complete regulatory data accessible or public to the industry.

Public authorities will need to maintain and publicise information on VASPs licenced or registered in their jurisdiction to facilitate compliance with the Travel Rule requirement for financial institutions to verify whether or not they are dealing with a licenced or registered VASP and effectively mitigate risk.

Often overlooked but of equal importance are the lists of entities no longer authorised or explicitly not authorised to conduct VA activities.

As the market consolidates and VASPs lose licences or authorisations, understanding which VASPs have gone out of business or have demonstrated an unwillingness or inability to comply with regulations becomes increasingly important for counterpart VASP due diligence purposes.

Firms conducting VA activities illegally that are explicitly not authorised represent an even higher risk for counterpart entities. The report notes that of the 13 jurisdictions that have banned crypto-asset activity, only one has adequately addressed ML/TF risks and that a greater level of supervision is required. FATF calls on public authorities to take action to sanction illicit VASPs and the industry to develop better tools to identify the VASP population and monitor unregulated activity.

Travel Rule Solution Providers need to achieve greater compliance and interoperability for VASPs.

FATF urged the private sector to demonstrate tangible progress in achieving a seamless data exchange between VASPs and other obliged entities (facilitated by a technical integration between VASPs and/or Travel Rule Solution Providers), noting limited progress since the last targeted update in June 2022.

The FATF report acknowledged that having a Travel Rule Solution Provider (TRSP) does not ensure full compliance with the Travel Rule and “does not remove the need for VASPs to independently verify the information and ensure all relevant domestic obligations are met.”

In addition, most TRSPs only allow VASPs to identify and communicate with counterparties that use the same tool (i.e., those in the same network). There does not yet exist a solution that enables transactions and communication between a variety of different tools and networks. Intermediary solutions are needed to provide more robust due diligence and data interchange services.

Industry-driven data and due diligence standards are required.

The interVASP messaging standard IVMS 101 remains a fundamental enabler in facilitating the seamless interchange of Travel Rule data. It establishes a common language among market participants that ensures a degree of semantic interoperability. Entities can accurately interpret received data according to the intentions of the originating VASP.

However, FATF acknowledges that, due to the complex multitude of intra-governmental, local and institutional Travel Rule requirements, standards will inevitably diverge among institutions based on their risk appetite and legislative obligations. Adopting industry-driven due diligence standards is a potential avenue for greater alignment. The publication of the Wolfsberg-style questionnaire by GBBC Digital Finance (GDF) is one example of a promising framework that may foster consistency and harmonisation.

In addition, the lack of high-quality reference data, which uniquely and universally identifies counterpart and intermediary VASPs (both at a brand or trading name and legal entity level), remains a significant hurdle for true organisational interoperability. Recognising the importance of addressing this challenge, domain-specific data solutions such as VASPdata aim to contribute to resolving this issue.