The commercial case for mitigating counterpart risk in crypto

Why counterpart due diligence is imperative for a healthy crypto business.

Recommendations 13 and 16[1] from the Financial Action Task Force (FATF) to perform due diligence on counterpart virtual asset service providers (VASPs) are a critical aspect of the global crypto regulatory landscape.

Although the industry often views it as solely a legislative requirement, it is a proactive measure that:

  • shields businesses and the broader VASP community from engaging with entities at a higher risk of facilitating money laundering (ML) and terrorist financing (TF),
  • mitigates risks associated with criminal involvement and
  • ensures compliance with evolving legal frameworks.

In this article, we explore the multifaceted nature of counterpart VASP due diligence and examine its significance in the context of regulatory developments.

Implement internal controls to avoid direct association with criminal entities

By choosing regulated, compliant counterparts, organisations can dramatically reduce the risk of inadvertently engaging with criminals or supporting illicit activities.

Even where it is not explicitly illegal, indirect involvement with unregulated entities that have poor AML/CFT controls, and are therefore at a higher risk of handling the proceeds of crime and terrorist financing, may expose businesses to irreversible reputational damage, legal consequences and financial losses. Reputational damage may also make it harder for a business to secure access to financial services, or to obtain licenses or registrations in additional jurisdictions in order to expand its activities. In certain cases, it may even increase the likelihood that a regulator revokes a firm’s existing license.

Robust internal due diligence processes are essential to ensure direct engagement with reputable and trustworthy counterpart VASPs.

Work with your VASP community to prevent good counterparts from enabling bad actors

Law enforcement agencies recognise that news of unregulated institutions with weak AML/CFT controls spreads quickly among criminals. Establishing business relationships with VASPs that indirectly support or facilitate transactions for bad actors undermines the integrity of the crypto industry and efforts to develop a compliant ecosystem.

Organisations should recognise their responsibility to conduct thorough due diligence and ensure that counterparts with good intentions are not inadvertently aiding illicit activities. This contributes to the overall security and credibility of the digital asset space and protects the wider community from potential harm.

Evidence to your regulators you are working to meet the legal requirements on the horizon

The regulatory landscape for counterpart VASP due diligence is slowly but surely evolving, and in many jurisdictions, requirements are on the horizon.

The United Kingdom, South Korea and a handful of other jurisdictions have implemented a Travel Rule that dictates a required level of data transmission based on the jurisdiction of the counterpart VASP and, in some cases, mandates comprehensive due diligence practices.

Regulatory authorities are increasingly counting on firms to evidence that efforts to adhere to the Travel Rule are underway. While they may currently exercise some forbearance, it is essential for businesses to demonstrate they are taking steps to prepare for the lifting of these leniencies.

By implementing robust controls and due diligence procedures today, organisations can ensure compliance with current and future regulatory requirements and avoid potential penalties and disruptions to their operations in the future.

Consider Travel Rule-related data protection laws

In addition, VASPs dealing with data of residents in the European Economic Area (EEA) or other jurisdictions with similar data protection requirements are required to adhere to GDPR data-sharing standards. This prevents them from sharing data with institutions outside of their risk appetite and is a Travel Rule-related legal requirement that many firms are not considering.

To account for compliance with GDPR, Europe’s Transfer of Funds Regulation (ToFR) permits crypto-asset service providers (CASPs) to withhold information transfer in exceptional circumstances. Enforcement actions for failure to comply with GDPR include fines of up to 4% of company revenues or €20 million.

Meet your obligations with compliance screening

FATF’s Travel Rule guidance recommends that VASPs transmit mandated data to counterparts and screen the data they receive back. If they receive incorrect, misleading or incomplete data from a counterpart, VASPs are obligated to consider whether or not the transfer falls within their risk appetite.

If VASPs opt to send funds to, or receive funds from, self-hosted wallet addresses or unregulated entities that capture questionable personally identifiable information (PII), the intended “paper trail” effect of the Travel Rule may be rendered ineffective. Although transfers between self-hosted wallets are transparent and immutable on a public blockchain, such VASPs obscure the parties to a transfer by way of internal, off-chain ledgers. This is well known to criminals, who use such service providers to ‘wipe the slate’ where assets have passed through blacklisted wallets.

When considering which wallet addresses are associated with criminality or carry a high risk of ML, TF or weapons proliferation, it is insufficient to consider only the addresses involved in direct transfers. How many degrees back do crypto businesses need to look to ensure assets have not passed through an address associated with the dark web, ransomware or other such nefarious activities? It is a challenge unique to crypto businesses, as traditional financial institutions can rely on due diligence measures instituted at upstream intermediaries.
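As an added illustration of the “degrees back” question, not part of the original article: a breadth-first trace backwards along funding edges over a constructed, fictional transfer graph, showing how the chosen hop limit decides whether a flagged upstream address is noticed at all. All addresses, amounts and the flagged list are placeholders invented for this example.

```python
from collections import deque

# Constructed sample transfer graph (not real chain data): each tuple is
# (sender, receiver, amount). Addresses are placeholder labels.
TRANSFERS = [
    ("ransomware_wallet", "mixer_hop_1", 12.0),
    ("mixer_hop_1", "mixer_hop_2", 11.9),
    ("mixer_hop_2", "unregulated_vasp", 11.8),
    ("unregulated_vasp", "customer_deposit", 5.0),
    ("clean_exchange", "customer_deposit", 3.0),
    ("clean_exchange", "other_customer", 1.0),
]

# Addresses the business has flagged, with a reason (constructed for the example).
FLAGGED = {"ransomware_wallet": "ransomware"}


def build_reverse_index(transfers):
    """Map each receiving address to the set of addresses that funded it."""
    funded_by = {}
    for sender, receiver, _amount in transfers:
        funded_by.setdefault(receiver, set()).add(sender)
    return funded_by


def trace_upstream(address, funded_by, flagged, max_hops):
    """Breadth-first search backwards along funding edges.

    Returns (hops, flagged_address, reason) for the nearest flagged address
    within max_hops, or None if no flagged address is reachable in that window.
    A direct counterpart is 1 hop away."""
    seen = {address}
    queue = deque([(address, 0)])
    while queue:
        current, hops = queue.popleft()
        if hops == max_hops:
            continue  # do not look beyond the configured depth
        for source in funded_by.get(current, ()):
            if source in flagged:
                return hops + 1, source, flagged[source]
            if source not in seen:
                seen.add(source)
                queue.append((source, hops + 1))
    return None


def within_risk_appetite(address, funded_by, flagged, max_hops):
    """Policy decision: accept only if no flagged address lies within max_hops."""
    return trace_upstream(address, funded_by, flagged, max_hops) is None
```

With a depth of three the ransomware-linked funds four hops back go unnoticed; raising the depth to four surfaces them, which is exactly the trade-off the paragraph above describes.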

Counterpart VASP due diligence is a multifaceted process that is much more than a legislative requirement. Organisations must do what they can internally to safeguard their business interests and reputation. At the same time, they should consider the broader community impact and work towards preventing good counterparts from indirectly enabling bad actors. As regulations evolve to demand more stringent due diligence measures, legal compliance becomes unavoidable and cannot be overlooked.

By embracing counterpart VASP due diligence, businesses contribute to the overall integrity and security of the digital asset ecosystem and protect their own interests in an ever-changing regulatory landscape.

[1] Recommendation 16 and in some jurisdictions, also Recommendation 13.