Can the Implementation of FATF Standards on Cryptoassets be Strengthened?

At its February plenary, which marked four years since the Financial Action Task Force (FATF) embraced cryptoassets in its standards, FATF President T Raja Kumar spoke of the implementation challenges faced by countries and announced a new ‘roadmap’ to speed up and strengthen the implementation of controls.

The details of this roadmap have not been made public but based on the authors’ analysis of 30 mutual evaluation reports (MERs) and follow-up reports published between December 2021 and December 2022, it is clear that jurisdictions face five standout challenges that need to be urgently overcome.

Five Bumps in the Road

First, countries are still challenged by effectively identifying the financial crime risks emerging from cryptoasset-related activities. Given the relative youth of the cryptoasset industry, countries have limited reports of crime related to cryptoassets to inform their understanding of risks and develop mitigation strategies. As products within the cryptoasset ecosystem are also constantly changing, so too are the ways in which criminals are exploiting them, making it even more challenging to understand where the priority risks lie.

Second, to comply with the FATF standards, countries must have an accurate understanding of the cryptoasset businesses operating in their jurisdictions governed by appropriate licensing. Identifying which businesses are operating in a given jurisdiction, however, is not a simple task. Firms should come forward and apply for a licence with the appropriate authority, but some do not. Identifying these unlicensed operators requires regulators to manually search for firms, usually by trawling the internet or, in higher-capacity jurisdictions, using tools such as blockchain intelligence to identify transaction flows within jurisdictions associated with an unlicensed entity. Along with this, some countries face the challenge of identifying the individual behind the illicit cryptoasset business operating within their jurisdiction to halt the activity.

This leads to the third problem: the need to clarify registration obligations for cryptoasset businesses. The FATF standards encourage jurisdictions to clarify the procedure for licensing cryptoasset businesses, specifically requiring the business to register where it is created or where its place of business is located. However, implementation is proving easier said than done, as countries work to identify the best practice for this licensing regime. For instance, in one country’s evaluation, assessors noted that it was unclear if a cryptoasset business created in the jurisdiction but physically present in another is required to be licensed. Furthermore, where a cryptoasset business is created and physically present in one jurisdiction but operating elsewhere, the licencing requirements are also unclear.

Fourth, the FATF requires jurisdictions to ensure that criminals and their associates should not hold or own a significant interest in a cryptoasset business or hold a management function of such a business. In reviewing recent MERs it appears that this criterion is often overlooked by jurisdictions or is not being universally implemented due to differences in national beneficial ownership rules and related access to identification information.

The fifth and most glaring weakness in the implementation of the FATF Standards on cryptoassets to date, however, has been the implementation of the ‘Travel Rule’. The Travel Rule was adopted by the FATF from the traditional finance wire transfer rule and requires firms to collect information on the sender and recipient of payments to enhance the integrity of financial flows. Although relatively simple to do in the traditional financial world, in the instant and pseudonymic world of cryptoassets, this has been much more challenging.

This challenge has been compounded by a lack of interoperability between technology solutions and the lack of a data standard for what type of information can be collected. As of June 2022, only 30% of jurisdictions assessed on the FATF’s crypto-focused requirements have passed laws pertaining to the Travel Rule, leading to what is referred to as the ‘sunrise issue’ where countries which have not implemented the rule create an opportunity for non-compliance. A related issue is the inconsistency of Travel Rule thresholds applied between countries. For example, while the EU will apply the Travel Rule to all transactions, the UK will only do so on transactions over $1,000. Such a patchwork of thresholds will make operating in a global industry challenging.

Overcoming the Growing Pains

As the FATF brings in its roadmap to improve implementation of Recommendation 15, what can be done to assist countries with the implementation of controls?

Countries and the private sector must start by improving the risk assessment process and share learnings to raise standards around the world. To determine jurisdictional, product and delivery channel vulnerabilities, countries should conduct risk assessments that take into account a wide range of financial crime risks, built on information from reports from international organisations, criminal investigations and engagement with the private sector.

In addition, jurisdictions should develop working groups and cryptoasset-focused questionnaires to send to reporting entities. These working groups should be cross-sector and include cryptoasset businesses to identify risks not only within the industry but also at the points at which it interacts with other parts of the economy. Crucially, this must include traditional financial institutions. By taking a pragmatic and collaborative approach, countries can aid in the development of a risk-based approach to mitigate abuse of the system without regulating the industry out of existence.

Next, international cooperation is key. Countries must acknowledge the cross-border nature of this sector and work with one another to understand the risks they are exposed to. Here, the FATF and the FATF-style regional bodies could provide a useful forum to share such information. Additionally, supervisors of cryptoasset businesses should also have a legal basis for sharing information with foreign counterparts. According to the FATF, even countries where cryptoasset businesses are prohibited need to fulfil the requirement for exchanging information on related issues, as needed.

It is also important to note that there are inexpensive measures that countries can implement to better identify unlicensed crypto businesses. For instance, countries that have successfully addressed this challenge have done so by implementing simple procedures such as regular internet searches and checking social media and messengers. Often, crypto businesses market their business on social media or provide customer support through channels on encrypted messenger applications. Along with web scraping, jurisdictions can set up a website or email address for citizens to identify and report fraudulent activity related to cryptoassets. Another key part of identifying unapproved crypto businesses is information sharing between law enforcement agencies. Finally, an output of the February plenary was new guidance on Recommendation 24 on Beneficial Ownership which will aid in identification of individuals behind businesses. By implementing these techniques, countries can more easily identify and locate the individuals behind illicit operations and administer dissuasive measures.

The next few years will be pivotal for the success of the Travel Rule as countries with significant cryptoasset sectors begin to implement and enforce the standard. Here, the private sector has a crucial role to play in building the right attitude towards this requirement, testing and refining the use of tools to implement it and feeding back to supervisors its experience of doing so. Policymakers and regulators also have a responsibility to show the impact of this rule, putting the data they collect from it to work and using it to inform supervisory activity and ultimately increasing the impact on illicit finance in the sector.

The Way Ahead

At the heart of all of these efforts must be lesson sharing in open and collaborative forums. In an industry that is evolving as quickly as cryptoassets, it is essential that jurisdictions and the private sector share their experiences of implementing these standards so that best practices can be identified, established and shared. In doing so, higher-capacity countries must prioritise building initiatives that bring less-capable countries up to the required standard. The road to achieving effective controls in the cryptoasset industry may be long, but as long as those involved (the FATF, jurisdictions and the industry) are all driving in the same direction, the bumps should be overcome.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.