On July 5, 2021, the Financial Action Task Force (FATF) had completed its second 12-month review of the implementation of its updated Standards on virtual assets and virtual asset service providers or VASPs.
A review from CipherTrace examines how different jurisdictions and the private sector have implemented these updated Standards following the FATF’s initial 12-month review.
The FATF’s first 12-month review report reveals that, overall, the public and private sectors have made substantial progress in incorporating the updated FATF Standards, but considerable work still remains for the revised FATF Standards to be “effectively implemented globally,” the CipherTrace team noted in a blog post published on July 7, 20201. As such, this second 12-month review “focuses on the continued implementation of the FATF Standards.”
Although the second 12-month review shows that considerable progress was made in the implementation of the Revised FATF Standards, after 2 years many jurisdictions “still do not have the basic regulatory framework for VASPs,” the update from CipherTrace noted.
The blockchain security firm also mentioned that FATF covers over 200 countries and jurisdictions, but less than half (45%) of the 128 reporting jurisdictions “reported that they have passed the necessary laws/regulations to permit or prohibit VASPs.”
The CipherTrace team pointed out that the number of jurisdictions whose AML/CFT regime for VASPs is currently operational is “even lower.” The blockchain firm added that most jurisdictions and most VASPs are “not complying with the travel rule with only 10 jurisdictions reporting that they have implemented and are enforcing Travel Rule requirements for VASPs.”
The company further noted that it’s “assumed that the majority of jurisdictions that did not provide a response to the FATF in this report have made even less progress in the implementation of the Revised FATF Standards.”
As noted by CipherTrace, the Travel Rule is the “most focused” on issue in terms of VASPs’ compliance with the updated FATF Standards. But only 10 jurisdictions “reported that they are actively enforcing Travel Rule requirements for VASPs,” the update from CipherTrace noted while adding that an additional 14 jurisdictions “reported that they have introduced Travel Rule regulations but were not yet enforced the requirements.” No jurisdictions “reported being aware of any VASP that fully complied with all elements of the Travel Rule,” the company added.
It also mentioned that there are various technologies and tools “available that enable VASPs to comply with the Travel Rule, yet compliance with the Travel Rule continues to be reported as challenging due to ‘the lack of one unified technology to support it,’ the CipherTrace team noted while referencing the FATF report.
As explained by the CipherTrace team, since FATF’s initial 12-Month Review, there has been considerable progress in Travel Rule-related tech development. Several key standards and protocols—like the Travel Rule Information Sharing Architecture (TRISA)—may now help “enable interoperability between solutions and, when enhanced by blockchain analysis tools such as in CipherTrace Traveler, can also safely identify VASPs to exchange Travel Rule data.”
The report added:
“The lack of Travel Rule implementation globally is a major obstacle to effective global AML/CFT mitigation and undermines the effectiveness and impact of the revised FATF Standards. For this, the FATF has indicated that one of its major next steps will be to accelerate the implementation of the Travel Rule globally.”
The report also reveals that many different jurisdictions have been making signficant progress in implementing the updated FATF Standards.
As noted by CipherTrace:
“Out of the 128 reporting jurisdictions that responded to the FATF’s questionnaire—triple the number that responded to the first 12-month review—52 jurisdictions claimed to now regulate VASPs, 6 jurisdictions prohibit the operation of VASPs, and the other 70 jurisdictions have not yet implemented the revised Standards in their national law.”
These gaps in implementation mean that there is “not yet a global regime to prevent the misuse of virtual assets and VASPs for money laundering or terrorist financing,” the company added while noting that for context, in the last 12-month review, 32 jurisdictions “reported having existing regulations for Virtual Asset Service Providers, 13 jurisdictions reported having regulations in development, and 5 jurisdictions indicated the prohibition or potential near future prohibition of VASPs.”
The increase in jurisdictions that now regulate VASPs “suggests that significant progress has been made, however global implementation still has very large gaps that need to be addressed,” the report noted. It also mentioned that merely 35 of the 58 jurisdictions that “claimed to now regulate or prohibit VASPs reported that their regime was currently operational.”
As stated in the report:
“For jurisdictions that have yet to prohibit or regulate VASPs, 26 jurisdictions reported that they were in the process of passing the necessary legislation in order to regulate or prohibit VASPs; 12 jurisdictions reported that they had already decided which approach they intended to take on VASPs but had not yet commenced the necessary legislative/regulatory process; and 32 jurisdictions reported that they had not yet decided what approach to take for VASPs.”
Of the 52 jurisdictions that reported that they have introduced regulatory guidelines allowing VASPs, merely 6 of these jurisdictions advised that they have begun licensing and registering of VASPs.
Only 32 reported jurisdictions have “extended their regime to included VASPs incorporated overseas but which offer products/services to customers in their jurisdiction,” the report revealed while adding that in total, these jurisdictions have “reported that they have so far licensed or registered 2,374 VASPs—more than double the reported number of registered/licensed VASPs recorded in the first 12-month review.”
The CipherTrace team added:
“The FATF calculates implementation of FATF Standards through a self-assessment by participating jurisdictions and is not an official assessment of the level of actual compliance with the FATF Standards.”
By assessing or evaluating jurisdictions via the Mutual Evaluation and Follow-Up Report (MER/FUR) process, the FATF determined that no jurisdictions with published reports have “received a compliant (C) rating.” Most jurisdictions have “received a partially compliant (PC) rating or above” and two jurisdictions have been “assessed as having a non-compliant (NC) rating.”
The FATF says that the primary barrier to compliance seems to be “a lack of action by jurisdictions.” A third of jurisdictions with FURs/MERs assessing Recommendation 15 have “taken no or minimal action to implement the requirements,” the report added while noting that the other two thirds of jurisdictions “have taken action, but have not implemented the requirements fully—such as omitting Travel Rule regulations.”
In the FATF Report, 36 jurisdictions offered Suspicious Transaction Report (STR) data from VASPs. According to these 36 jurisdictions, VASPs had “filed 146,704 STRs between 2019 and 2020.” Some jurisdictions said that they had found an increasing number of STRs last year as more VASPs “entered the market, knowledge of AML/CFT grew in the sector, and VASPs developed their reporting systems.” Of the 146,704 STRs reported, “55,118 were from 2019 and 91,586 were from 2020,” the review from CipherTrace noted.
As stated in the update:
“Data collected by the FATF from several blockchain analysis companies, including CipherTrace, indicates the share of illicit transactions appears higher for peer-to-peer transactions than in transactions with VASPs.”
There were considerable differences in the data offered by the different blockchain analytic firms leading to the FATF being unable to evaluate or assess with certainty “the size of the peer-to-peer sector and its associated ML/TF risk.” The report “therefore does not find clear evidence of a shift towards peer-to-peer transactions,” the CipherTrace team noted.
It also mentioned that the inconsistency of results from blockchain analytics firms “is indicative of inconsistent definitions, double counting and data quality issues.”
As stated in CipherTrace’s blog post:
“All jurisdictions need to implement the revised FATF Standards, including Travel Rule requirements, as quickly as possible.”
According to the Second 12-Month Review, the FATF’s next steps will be to:
- accelerate the implementation of the Travel Rule;
- finalizing the revised FATF Guidance on virtual assets and VASPs by November 2021; and
- monitor the virtual asset and VASP sector, but not further revise the FATF Standards at this point in time (except to make a technical amendment regarding proliferation financing).
You may check out FATF’s complete report here.