Here’s the good, bad, and ugly

After a half-year delay, the Financial Action Task Force (FATF) is back with crypto guidance. The good news is that it’s not as bad as last spring and even includes some specific changes that Coin Center recommended. The bad news is it remains far too vague and verbose to actually create reasonably clear and narrow limits for surveillance obligations. We’ll discuss all that below, but first, let’s review the issue.

FATF is the international body that standardizes financial surveillance rules amongst member nations. It’s an informal organization, not created by treaty or law, and it does not have the power to create binding laws or policies. However, FATF can apply substantial pressure on non-compliant member states in the form of blacklists and failing grades in policy audits.

Last April, FATF issued new draft guidance for crypto-related surveillance rules that would expand both the scope of surveillance obligations (who is and is not a surveillance-obligated “virtual asset service provider,” or “VASP”) and the amount of data to be surveilled (under the “wire transfer rule” or “travel rule” here in the US). Our three-point response was unequivocal:

  1. The scope of the definition of “VASP” can have grave implications for human rights and FATF must avoid a so-called “expansive approach” to its interpretation.
  2. FATF should not call for prohibitions on VASPs making peer-to-peer and privacy enhanced transactions; such limitations would only drive criminals underground and harm persons using this technology for good.
  3. FATF should not apply travel rule obligations to transactions between VASPs and non-VASPs (so-called “unhosted” wallets).

Coin Center’s full comment letter from last April is available here. We had a small victory last June when FATF postponed issuing final guidance because of the outpouring of criticism from crypto advocates. Today that guidance is upon us.

The Good

In describing who may qualify as a VASP and therefore must surveil their customers, the new guidance removes all references to persons merely “facilitating” or “governing” transfers and instead focuses, as we asked, on persons with “control of assets.” We’ve worked since 2014 to get regulators to focus on the easily understood and reasonably cabined category of “control” rather than vague terms (like “facilitate”) that have no clear meaning in the technology. We’re gratified that FATF, like FinCEN and the ULC before, have now also agreed to this subtle but important clarification of who is and is not included within the regulatory sphere.

The new guidance has a new paragraph that explicitly states that persons who “merely provide ancillary infrastructure” including “verifying the accuracy of signatures” will not be within the scope of surveillance obligations.

With respect to new assets created by crypto protocol developers, FATF provides better clarity that merely publishing software that creates new virtual assets or new virtual asset networks is not an activity that triggers surveillance obligations.

The new guidance removes some proposed language that would cover persons who launch a software-based decentralized exchange tool but “give up control after launching it.” As we’ve repeatedly argued (in our comments to FATF as well as our report on the subject) merely publishing code, even smart-contract code that will enable peer-to-peer exchange, cannot be an activity that triggers surveillance obligations and requires developers to seek permission before publication. The new guidance also removes the absurdly vague term “doing business development” from the list of potentially qualifying activities, as we recommended.

Next, here’s what’s good about the travel rule language. The new guidance concedes that the “full requirements of [the travel rule] apply to [a traditional wire transfer] and [a virtual asset transfer between two VASPs] but not [a virtual asset transfer between a VASP and an “unhosted wallet”].” It clarifies that fees paid to miners and validators are not subject to travel rule originator and beneficiary information collection.

The Bad

Now here’s the bad news. First, the travel rule changes don’t go far enough. We argued in our comment that existing law in the US and elsewhere rightly limits travel rule coverage entirely to transactions between VASPs, and never requires any travel rule compliance for transactions between a VASP and a non-VASP. When a cryptocurrency transaction is not bookended by two regulated parties it more closely resembles a cash transaction and should be treated accordingly. In cash transactions institutions can report information about their customer but have no ability or right to obtain and report information about persons who are not their customers. We’re gratified that the FATF now agrees that the “full requirements” of the travel rule don’t apply to these transfers but would stress that, in fact, no travel rule requirements apply because these transactions are not wire transfers and are, indeed, nothing like wire transfers.

Second, the guidance on the VASP definition remains extremely verbose. We are gratified that most of its many pages now focus primarily on persons who have some actual control over the virtual assets of their customers. However, there’s still too much ink spilled over purported edge cases.