The Financial Stability Institute of the Bank for International Settlements has published a policy paper on supervising crypto-assets for money laundering. The paper highlights that the supervision of crypto-asset service providers (CSPs) remains nascent and while anti-money laundering requirements and standards have been in place for some time, most jurisdictions have only just begun to implement and enforce them.
Substantive work and international coordination is required to keep pace with and manage the risks associated with the growth of crypto-assets.
The Financial Stability Institute paper1 seeks to contribute to the debate by assessing emerging regulatory approaches and supervisory practices and identifying policy priorities to address common challenges faced by financial authorities with regards to crypto-assets.
The challenges start with the lack of a universally agreed definition of crypto-assets which can be defined, broadly, as a type of digital asset that depends primarily on cryptography and distributed ledger or similar technology. This definition, which is used by the Financial Stability Board, includes digital means of exchange and other digital tokens, such as security tokens, asset-linked tokens and utility tokens.
The Financial Action Task Force (FATF) uses a slightly different definition for the term “virtual assets” which is “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes” and is not limited to digital assets that rely on cryptography and distributed ledger technology. Both definitions encompass, among others, Bitcoin and so-called stablecoins.
The regulation (or otherwise) of crypto-assets is dependent on whether or not the asset is deemed to be within the regulatory perimeter in a particular jurisdiction and an assessment of the risks associated with the crypto-asset itself. Supervisory authorities consider a number of factors to understand the nature of and assess the risks posed by crypto-assets. These include, but are not limited, to:
- nature of the issuer (e.g., identifiable, non-identifiable; public, private; regulated, unregulated);
- intended use of the crypto-asset (e.g., used as a means of raising funds, of investment, of payment, granting rights to services/products in a company’s network or ecosystem);
- holders’ rights (e.g., claim to the delivery of an underlying asset, to a granted interest, to access or use a service in a network or platform);
- claim redemption (e.g., contractual claim, fixed redemption claim, dependent on price development);
- control over the ledger (e.g., open to the public, open to specific parties, closed to a limited number of authorised parties);
- validation of the ledger (e.g., permissioned, permissionless); and
- mechanism to transfer the crypto-asset’s ownership (e.g., centralised, peer-to-peer, decentralised)
The challenges then move onto the varying classification and definition of what constitutes a CSP, the crux of the issue then being the application of rulebooks (anti-money laundering requirements expressly included) to the CSP. A number of activities can be performed with crypto-assets. These include activities which by nature may be mapped to the ones performed in traditional financial markets (such as providing money transfer) and others which are completely new to the financial system (such as mining).
Aiming for a comprehensive view of all services and actors involved, crypto-asset-related activities may be mapped to the life cycle of the crypto-asset itself, resulting in three categories by which crypto-asset-related activities may be classified:
- Primary market activities: relate to the issuance and distribution of assets (e.g., issuer and investor onboarding, deal structuring, risk assessment, asset registration, distribution of the asset to market participants).
- Secondary market activities: comprise trading (e.g., admission of the asset to trading, price discovery, order matching, asset transmission), clearing and settlement and servicing (e.g., asset management, custody).
- Tangential activities: aimed at supporting and ensuring that primary and secondary market activities are conducted in an efficient manner (e.g., infrastructure services, ancillary services).
One practical upshot is CSPs have to comply with different regulatory requirements within and across jurisdictions. These may include requirements related to authorisation, capital requirements, risk management, governance, security, operational resilience, reporting, market conduct and financial integrity. These requirements may vary depending on the nature of the service provided or the perceived risks posed by the features of the crypto-asset for which the service is provided.
There are substantive divergences in the international approach to crypto-assets. That together with the lack of implementation of, in particular, FATF’s standards related to wire transfers (the travel rule) despite it being a binding obligation, is seen as a key risk on the prevention of money laundering.
Compliance tips and next steps
Crypto-assets have great potential to make payments and transfers more efficient but the speed of transactions, reach, potential for anonymous activity and the potential for transactions to take place without financial intermediaries also make crypto-assets vulnerable to misuse and heighten the risk of money laundering.
It is already estimated that the scale of illicit use of crypto-assets is “significant” further increasing the urgency of the challenges with regards to the consistent international approach to anti-money laundering and counter terrorist financing regulation, supervision and enforcement.
A consistent approach is only possible when crypto-assets are defined and regulated on a consistent basis. Equally, the effectiveness of standards depends on effective implementation by national authorities, and the paper concludes that the “supervision of crypto-asset service providers remains nascent globally”.
The Financial Stability Institute paper is a call to action. Specifically, a call to action on three policy priorities:
- Defining the regulatory perimeter and detecting unlicensed activities – there appears to be some confusion on the part of jurisdictions about which firms, activities and services should be captured by the regulatory perimeter under their existing regulations and minimum standards, particularly when novel instruments and operating models that do not conform to existing definitions are concerned. The cross-border nature of crypto-asset services further exacerbates this problem, as firms offering services in one jurisdiction may be located and legally domiciled elsewhere. Work under way at the FATF to address these questions may be helpful to mitigate uncertainties and close potential gaps in risk coverage. Consistent implementation of the FATF standards would also contribute to deterring unlicensed activity.
- Implementing the travel rule – despite it being a binding obligation under FATF, most jurisdictions have not implemented the travel rule. This is in part because many authorities consider there are no technological solutions that would allow a convenient and sustainable implementation. A few jurisdictions have implemented and enforced compliance with the travel rule for CSPs, demonstrating that it is possible. Those that have implemented this requirement “could serve as an example to those that have yet to do so”.
- Understanding and mitigating risks posed by P2P transactions – P2P transfers are a primary concern for numerous jurisdictions. This is because these transactions would typically not involve any entity subject to AML/CFT requirements. Therefore, understanding the risks posed and adopting mitigation measures for P2P transactions based on thoughtful risk assessment, or innovative applications of technology, may be needed.
The point is also made that there is a “critical need” for swift implementation of international standards. The nature of crypto-assets lends itself to regulatory and supervisory arbitrage. Jurisdictions cannot fully mitigate their risks, as long as they are exposed to weaknesses and inconsistencies across borders. Consistent implementation of the standards, especially those defined by the FATF, is “essential”.
Firms that have any exposure to, or dealings with crypto-assets, need to remain up-to-date with the evolving approach to policy and, in particular, the developing regulatory perception of the risks and challenges. One area where firms may wish to (re)consider their immediate approach is with regards to FATF’s travel rule – the potential difficulties are significant with the infrastructure available to support compliance for banks being generally lacking for CSPs, making compliance for them technically feasible but much less efficient than for banks.
Another challenge is the interoperability of possible travel rule solutions. Even if a feasible solution is developed, it is likely the integration of two or more different solutions will be far from straightforward. Private industry efforts are continuing to develop a solution or protocol that would enable travel rule compliance although international cooperation in this area seems key to achieving a solution.
This article was originally published on Thomson Reuters Regulatory Intelligence.