The long-awaited FATF crypto guidance is not as bad as it could have been, but still flawed

Here’s the good, bad, and ugly

After a half-year delay, the Financial Action Task Force (FATF) is back with crypto guidance. The good news is that it’s not as bad as last spring and even includes some specific changes that Coin Center recommended. The bad news is it remains far too vague and verbose to actually create reasonably clear and narrow limits for surveillance obligations. We’ll discuss all that below, but first, let’s review the issue.

FATF is the international body that standardizes financial surveillance rules amongst member nations. It’s an informal organization, not created by treaty or law, and it does not have the power to create binding laws or policies. However, FATF can apply substantial pressure on non-compliant member states in the form of blacklists and failing grades in policy audits.

Last April, FATF issued new draft guidance for crypto-related surveillance rules that would expand both the scope of surveillance obligations (who is and is not a surveillance-obligated “virtual asset service provider,” or “VASP”) and the amount of data to be surveilled (under the “wire transfer rule” or “travel rule” here in the US). Our three-point response was unequivocal:

  1. The scope of the definition of “VASP” can have grave implications for human rights and FATF must avoid a so-called “expansive approach” to its interpretation.
  2. FATF should not call for prohibitions on VASPs making peer-to-peer and privacy enhanced transactions; such limitations would only drive criminals underground and harm persons using this technology for good.
  3. FATF should not apply travel rule obligations to transactions between VASPs and non-VASPs (so-called “unhosted” wallets).

Coin Center’s full comment letter from last April is available here. We had a small victory last June when FATF postponed issuing final guidance because of the outpouring of criticism from crypto advocates. Today that guidance is upon us.

The Good

In describing who may qualify as a VASP and therefore must surveil their customers, the new guidance removes all references to persons merely “facilitating” or “governing” transfers and instead focuses, as we asked, on persons with “control of VAs [Virtual Assets].” We’ve worked since 2014 to get regulators to focus on the easily understood and reasonably cabined category of “control” rather than vague terms (like “facilitate”) that have no clear meaning in the technology. We’re gratified that FATF, like FinCEN and the ULC before, has now also agreed to this subtle but important clarification of who is and is not included within the regulatory sphere.

The new guidance has a new paragraph that explicitly states that persons who “merely provide ancillary infrastructure” including “verifying the accuracy of signatures” will not be within the scope of surveillance obligations.

With respect to new assets created by crypto protocol developers, FATF provides better clarity that merely publishing software that creates new virtual assets or new virtual asset networks is not an activity that triggers surveillance obligations.

The new guidance removes some proposed language that would cover persons who launch a software-based decentralized exchange tool but “give up control after launching it.” As we’ve repeatedly argued (in our comments to FATF as well as our report on the subject) merely publishing code, even smart-contract code that will enable peer-to-peer exchange, cannot be an activity that triggers surveillance obligations and requires developers to seek permission before publication. The new guidance also removes the absurdly vague term “doing business development” from the list of potentially qualifying activities, as we recommended.

Next, here’s what’s good about the travel rule language. The new guidance concedes that the “full requirements of [the travel rule] apply to [a traditional wire transfer] and [a virtual asset transfer between two VASPs] but not [a virtual asset transfer between a VASP and an “unhosted wallet”].” It clarifies that fees paid to miners and validators are not subject to travel rule originator and beneficiary information collection.

The Bad

Now here’s the bad news. First, the travel rule changes don’t go far enough. We argued in our comment that existing law in the US and elsewhere rightly limits travel rule coverage entirely to transactions between VASPs, and never requires any travel rule compliance for transactions between a VASP and a non-VASP. When a cryptocurrency transaction is not bookended by two regulated parties it more closely resembles a cash transaction and should be treated accordingly. In cash transactions institutions can report information about their customer but have no ability or right to obtain and report information about persons who are not their customers. We’re gratified that the FATF now agrees that the “full requirements” of the travel rule don’t apply to these transfers but would stress that, in fact, no travel rule requirements apply because these transactions are not wire transfers and are, indeed, nothing like wire transfers.

Second, the guidance on the VASP definition remains extremely verbose. We are gratified that most of its many pages now focus primarily on persons who have some actual control over the virtual assets of their customers. However, there’s still too much ink spilled over purported edge cases.

The guidance still has vague and inconsistent statements about multi-sig arrangements. It does now appear to exclude multi-sig wallets where the customer retains the exclusive ability to control their funds: “if a person maintains unilateral control of their assets at all times, this may indicate that the service provider is not providing a qualifying service.” This would likely mean that wallet providers who retain mere back-up keys are not covered. However, the language waffles: “it could still fall under [the definition of VASP] where it actively facilitates the transfer.” We still don’t know what is intended by “actively facilitates.” This phrasing is perhaps better than the previous draft which was simply “facilitates” on its own, but the addition of “actively” merely gives us a slightly different flavor of uncertainty about who is meant to be included.

With respect to DeFi the new guidance remains overbroad. In particular “any party profits from the service or has the ability to set or change parameters” is still treated as potentially included in the definition of VASP.

Additionally, the guidance has a puzzling section about persons who launch automated tools and therefore have obligations before automation presumably takes over: “prior to the launch or use of the software or platform and take appropriate measures to manage and mitigate these risks in an ongoing and forward-looking manner.” We suspect this language remains because of residual discomfort over Facebook’s proposed Diem (née Libra) and the insistence that it not launch before AML risks are addressed in regulation. If this is merely about centralized platforms with corporate control, then so be it. But we would not want this misinterpreted to mean that a person writing smart contract code must seek permission before publishing that code. That would plainly be a prior restraint on speech and therefore a violation of constitutional rights here in the US.

Finally, there’s new language about “control of a VASP” that is “available for purchase to the public, for instance through governance tokens.” That’s an extremely vague and confusing sentence from a technological standpoint. The nature of the legal obligations and liabilities of governance token holders is, in most jurisdictions, as of yet utterly undefined in law. Indeed I’m not sure there is any consistency in the cryptocurrency ecosystem regarding what is and is not a governance token or what control it affords or doesn’t afford token holders. The new guidance does suggest that at least some “governance token” holders are not going to qualify as VASPs: “An individual token holder in such a scenario does not have such responsibility if the holder does not exercise control or sufficient influence over the VASP activities undertaken as a business on behalf of others.” However, “sufficient influence” is hardly a justiciable standard.

Given uncertainty in the realm of so-called “governance tokens,” no determinative policy should be made through the extra-legal and supra-national channels inherent in FATF recommendations and guidance. These are complicated and novel questions of law and consequence that are best left for democratically elected officials within FATF member states. These questions should be answered after, and only after, lawmakers engage in careful consultation with their constituencies and careful consideration of the constitutional and fundamental rights of their citizens. To immediately treat the holder of a token that bears some inconsistent relationship to control or profits from a blockchain-based smart contract as if that person was clearly no different from a typical financial institution (e.g. a money transmitter or a VASP) is to short circuit that important process of uncovering just laws in a new and complex field.

The Ugly

This is a very long document. It continues to advocate for an “expansive” approach and repeatedly uses vague weasel words like “actively facilitates” and “may qualify.” It would be inappropriate for anything like these non-specific and confusing standards to replace the current law and regulations we have on the books here in the US. The penalties for failure to obey financial surveillance obligations in the US are severe, including felony criminal liability, substantial fines, and jail time. It is, therefore, inappropriate for a law with such unforgiving penalties to be drafted with such circumspect and uncertain terms.

As a silver lining, remember that this guidance document is entirely non-binding. FATF is not a creature of law or treaty and nothing that they release is self-executing. Moreover, only the FATF “recommendations,” themselves, (rather than their “guidance” publications) are intended to set standards that member states should adopt into actual law. Those recommendations have not been changed by this recent release from FATF. In the US, at least, our existing rules from FinCEN are already sufficient to implement the FATF recommendations. Therefore, this guidance does not and should not necessitate any new policy from our AML regulators here in the US.

We, therefore, hope that policymakers here and abroad will ignore the uncertain aspects of this guidance and continue to utilize a justiciable and clear standard for MSB classification: e.g. FinCEN’s “independent control” interpretation of its existing MSB regulations. Clear standards such as FinCEN’s are the only way forward that maximizes anti-money laundering compliance while minimizing intrusions upon the autonomy, privacy, and dignity of persons who have done nothing wrong.