The Illusion of Simplicity: Which Virtual Currencies Businesses are Subject to Money Laundering Rules?

Since 1989, the intergovernmental Financial Action Task Force (FATF) has been the international standard-setter in combating money laundering and, since 2001, terrorist financing. As the world of finance changes, so too must the FATF Recommendations cover new terrain. Increasingly, that landscape is digital, and populated with previously unknown forms of business life.

Virtual currencies, such as Bitcoin, were conceived to enable users to transfer value among themselves (peer-to-peer) without involvement of banks or other financial intermediaries. The FATF Recommendations, however, rely precisely on requiring certain businesses to collect information about their customers and report suspicious activities to law enforcement. By bypassing banks and other financial institutions, virtual currencies could therefore slip through the net of FATF rules.

Fortunately for the regulators, this vision of complete decentralisation did not come to pass. In truth, unless you are a happy owner of a cryptocurrency ‘mining farm’ or an intelligence operative, you are likely to depend on specialised businesses to trade in virtual currencies. Due to their role, those businesses can be brought inside the regulatory perimeter and required to police their users’ behaviour.

It is thus unsurprising that, in October 2018, the FATF introduced two changes to its Recommendations, which bring these ‘virtual asset service providers’ – VASPs – within the regulated fold. The FATF’s Glossary lists five categories of activities that, when conducted as a business on behalf of another person, define a VASP. Last month, the FATF issued an interpretive note clarifying that, subject to two qualifications, VASPs should abide by the same set of regulations as financial institutions.

But, with the virtual currency universe being so unlike the familiar one of high-street banks or even the more challenging world of money service businesses, how does one know a VASP when one sees it? Deciding whether some of the newly evolved business models qualify as VASPs can be challenging for several reasons.

The first reason is uncertainty as to whether their activities are sufficiently similar to those covered by the FATF definition. Think, for instance, of cloud mining. One way to acquire bitcoin and certain other virtual currencies is to ‘mine’ them. In essence, mining involves contributing the computing power that is necessary to process virtual currency transactions. As a reward for this ever more resource-intensive activity, miners are compensated with some of the newly created units of currency (coins).

Due to the increasing difficulty of mining bitcoins, which are the most popular virtual currency, doing so on one’s own is no longer economical. Some users therefore pool their computing power and divide the proceeds. Other companies take this idea one step forward and engage in ‘cloud mining’. In this model, users do not contribute any computing power of their own but, in effect, invest in a company that mines bitcoins and distributes the proceeds.

Apart from investor protection concerns, risks of money laundering arise if such cloud mining companies accept money from investors without ascertaining its lawful origin. The VASP definition covers the activities of ‘exchange between virtual assets and fiat currencies’. Cloud mining companies arguably do precisely that, but in an indirect way. As a result, there is room for debate as to whether they are VASPs.

Other parts of the virtual currency world pose not definitional, but practical challenges. For instance, the development of decentralised exchanges (DEXs) has caused some concern among law enforcement agencies, including Europol. A centralised exchange holds a user’s private key and transacts on his or her behalf. In contrast, a DEX matches its users so they can transact peer-to-peer amongst themselves. Depending on its architecture, a DEX may be able to monitor their activities but not prevent transfers.

The bigger worry for regulators and law enforcement is the possible emergence of a DEX that is ‘decentralised’ in a very different way. Such a DEX would use technological infrastructure that is spread across many countries and, once set up, is not controlled by a single organisation or individual – much like the internet or Bitcoin.

With no one in charge, there is no one to regulate. And, with no single server where the exchange is hosted, no state alone can shut it down. In the 18th century, Edward Thurlow, Britain’s Lord Chancellor, worried about the rise of corporations because they, in his famous words, ‘have neither bodies to be punished, nor souls to be condemned’; one can only wonder what he would have said of truly decentralised DEXs, with not even a server to take down.

That said, the road to full decentralisation has yet to be built. For instance, in November 2018, IDEX, one of the largest DEXs, began implementing ‘know your customer’ rules and was cited as saying: ‘Decentralization exists on a spectrum, and unless your system or application lacks any centralized parts it can be subject to regulation. … IDEX will be implementing KYC/AML policies in order to comply with sanctions and money laundering laws’.

From an anti-money laundering perspective, fully decentralised VASPs are a threat on the horizon; for cypherpunks, they may be a tempting mirage. For now, a more immediate challenge is posed by ‘mixers’, which make transactions taking place on a transparent blockchain more difficult to track. To do so, they take a user’s virtual currency, mix it with a huge pool of other users’ coins and then send to a designated wallet coins whose origins cannot be ascertained. Mixers often require a 1–10% fee for their services. The coins they process have no traceable transaction path on the blockchain.

Since the stated aim of mixers is to enhance anonymity, their business model is incompatible with the anti-money laundering requirements to know their customers and report suspicious activity. Subjecting them to anti-money laundering obligations might therefore appear a fool’s errand. But doing so can equip governments with the legal wherewithal to tackle the activities of those mixers that facilitate money laundering. Hence the suggestion in August 2018 by Kenneth Blanco, the director of FinCEN, the US financial intelligence unit, that mixers are money transmitters and must follow US anti-money laundering rules.

In short, implementing the FATF Recommendations in relation to virtual currencies is unlikely to be a simple copy-paste exercise for domestic regulators. In deciding how far they should cast the regulatory net, they will need to weigh both definitional and practical challenges. As if that were not enough, other policy considerations will inevitably add complexity. These include the fostering of innovation and the vexed issue of how much financial privacy users should have.

These challenges are inevitable and do not mean that the FATF definition of VASPs is in any way wanting. But as the FATF continues its work on virtual currencies and prepares an update of its 2015 guidance on risk-based approach to virtual currencies, it would do well to ensure that it reflects the diversity of VASPs and the issues this poses. It is not only the how of complying with the FATF Recommendations that regulators and businesses will wonder about, but also who is covered in the first place.

The views expressed in this Commentary are the authors', and do not necessarily reflect those of RUSI or any other institution.