A quick analysis of FATF’s 2021 draft cryptocurrency guidance

An undemocratic process results in stronger calls for even more mass warrantless surveillance

The Financial Action Task Force (FATF) has released an updated draft of its “Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers (VASPs).” Several proposed changes are problematic from a privacy and innovation standpoint. Here’s what you need to know in brief.

What is FATF and what is this guidance?

FATF is a global intergovernmental organization. Its membership includes most major nation-states and the EU. The FATF is not a democratically elected body; it is made up of appointed representatives from member states. These members work to develop recommendations for how member states should form anti-money laundering and other financial surveillance policies. While these so-called recommendations are non-binding, if a member nation was to refuse to implement them, severe diplomatic and financial consequences could result.

The document released last week is a draft update to FATF’s guidance on virtual assets (cryptocurrencies, stablecoins, etc.). That guidance was first released in 2015, updated in 2019, and has generally mirrored existing policies from the U.S. AML regulator FinCEN. As we said at the time, the 2019 guidance, while still calling for mass warrantless surveillance, at least placed cryptocurrency businesses on a level playing field with traditional financial institutions and, generally speaking, imposed no stricter nor more privacy-invasive policies than existing regimes like the policies we have had in place here in the U.S. since 2013 under the Bank Secrecy Act and FinCEN’s guidance. The new updated guidance changes that dramatically.

What’s problematic in the new draft guidance?

There are at least three issues with the new guidance:

  1. Surveillance Obligations for non-custodial entities. The draft advocates for an expanded definition of VASPs (the persons and businesses obligated to register and conduct AML surveillance) that could include non-custodial participants in cryptocurrency networks, such as multi-sig minority keyholders and various participants in smart contract and “layer two” mechanisms (potentially including decentralized exchange software developers or contract participants, and Lightning Network node operators). If finalized as drafted, the recommendations would be a fundamental break with the existing FinCEN policy and global consensus that Coin Center has helped develop over the last five years, which holds that only persons with ‘independent control’ over customer funds are treated as regulated money transmitters. Classification as a VASP would obligate these non-custodial persons to register with the local regulator, collect and report to government masses of information about their activities and the activities of others, and to know the names and physical addresses of everyone with whom they transact. Those requirements may be reasonable for banks and other financial institutions where most money laundering takes place, but they are absolutely inappropriate for private persons participating in open computer networks. The penalties for non-compliance are extreme and the bulk data collection would destroy personal privacy and constitutional rights against warrantless surveillance.
  2. Scrutiny of peer-to-peer transactions and privacy-enhancing technologies. The draft subtly advocates against peer-to-peer transactions and transactions involving privacy-enhancing technologies (e.g. Taproot, Zcash, Monero). It argues that regulated VASPs should limit support for transactions with non-regulated parties (so-called “unhosted” wallets), and insists that developers of new protocols should limit the availability of private and peer-to-peer transactions by design.
  3. Customer Counterparty Identification. The draft recommends that VASPs should subject all transactions to “travel rule” (i.e. FATF Recommendation 16) recordkeeping requirements even though, under existing U.S. law, the travel rule only applies to transactions between regulated entities. This would obligate exchanges to collect specific information about who their customers are paying or being paid by. This is similar to the proposed counterparty identification requirements in FinCEN’s ongoing “midnight” rulemaking. It is problematic for all of the same reasons we’ve given in our three comments to FinCEN in that rulemaking.

What is to be done?

FATF is accepting public comments on the new draft language through April 20th. Unlike democratically accountable institutions like Congress andour executive agencies, FATF is under no statutory or constitutional obligation to consider public feedback or to balance the privacy interests of citizens against the fruits of mass surveillance. Nonetheless, we will still be commenting and encourage concerned members of the public to do so as well. This current document remains a non-authoritative draft and FATF’s members will continue to make further amendments throughout its private meetings this summer. There’s still an opportunity to improve the proposed policies, and, if that fails, there will be further opportunities to further advocate against the implementation of any problematic recommendations by member nations themselves.