On June 30, the Financial Action Task Force (FATF), the global standard-setter on anti-money laundering and combating the financing of terrorism (AML/CFT) measures, released a report on the application of its cryptoassets guidelines. The release of the report marks three years after the FATF first released its Guide to Cryptoassets and Cryptoasset Service Providers (VASPs) in 2019.
The FATF report is essential reading for compliance teams in crypto-asset businesses and financial institutions. It provides FATF’s view on regulatory matters facing the global crypto industry and regulators. By reading the report, compliance teams can prepare for the challenges of upcoming regulatory developments that could impact the crypto industry in the coming months.
DeFi: Cross-chain flows are increasingly risky
A major issue highlighted by the FATF in its report is the growth of decentralized finance (DeFi). In its updated guidance, published in October 2021, the FATF called on countries to implement AML/CFT requirements for those who can control DeFi services such as decentralized exchanges (DEXs). This is a priority that the FATF has identified, in part in response to the rise in DeFi-related crime.
In its latest report, the FATF noted that the DeFi industry has grown even in just eight months since it issued its guidance last year. According to the FATF, the rapid growth and evolution of the DeFi industry is concerning as it could lead to a further acceleration and proliferation of risks.
The FATF’s first concern is that, despite its call for states to regulate DeFi, most DeFi protocols and decentralized applications operate outside the purview of regulation. While some regulators have begun taking enforcement action against non-compliant DeFi protocols, most have yet to regulate the space. This is seen as a loophole by the FATF as it allows criminals to freely use DeFi services.
The FATF’s second concern with DeFi is the increasing use of mixers for money laundering in the DeFi space, with cybercriminals including North Korean hackers increasingly using mixing services to try to cover their Illegal activities, such as Tornado Cash, the most beloved mixer among hackers.
Third, the FATF highlighted the increasing risks associated with cross-chain activities in the DeFi space. According to the FATF: “DeFi protocols can be used to perform ‘hop-chaining,’ which can make transactions harder to trace.” Hop-chaining is when criminals exchange funds between different cryptoassets in order to confuse law enforcement with tracking funds. practice. In the DeFi ecosystem, this is achieved using cross-chain bridges, where users are able to move funds seamlessly between blockchains.
Cross-chain bridges are becoming an increasingly important part of the “criminal ecosystem”. Illegal actors — such as ransomware attackers and hackers — can use these services to launder money between different blockchains. Additionally, funds that are cross-chain via cross-chain bridges are vulnerable to hackers. In the first six months of 2022 alone, hackers have stolen over $1 billion in crypto assets from several cross-chain bridges.
The FATF’s focus on these issues sends a clear message: illicit activity involving DeFi mixers and cross-chain bridges will be an area of growing regulatory concern in the second half of 2022.
So to address the increasing risks of DeFi, VASPs and financial institutions should ensure that they use blockchain analytics to detect risks associated with DeFi mixers and cross-chain bridges.
Another issue that the FATF mentioned in its report is the ever-controversial issue of non-custodial wallets.
The FATF has highlighted what it sees as the risk of non-custodial wallets: they allow users to transact without the presence of a regulated entity that can KYC check users. Recently, the U.S. Deputy Secretary of the Treasury called non-custodial wallets a specific illicit financial risk of concern because they allow users to transact outside the regulatory perimeter. The EU and UK have also recently made proposals to address the risks of non-custodial wallets.
The FATF’s latest report highlights that many other countries are still determining what steps to take to reduce the risk of non-custodial wallets. However, the FATF noted that some countries see blockchain analysis as a core part of the work.
In anticipation of increased regulatory scrutiny of non-custodial wallets, VASPs should ensure they have implemented a blockchain analytics solution that can help them identify non-custodial wallets that are at high risk of illicit finance.
NFTs: Painting a Picture of Growing Risks
Like DeFi, non-fungible tokens (NFTs) are another crypto innovation that has developed in recent years, and the FATF believes that risks are constantly changing due to rapid market growth.
In particular, the FATF believes that the expansion of NFTs into non-financial markets and the increasing number of active wallets buying and selling NFTs may affect risk dynamics. Additionally, the FATF noted that NFTs present certain regulatory challenges as they are difficult to classify within the legal framework. Depending on their purpose and characteristics, they may be securities, artworks, or cryptoassets, which can determine the nature of the regulation that should apply. Most countries have yet to clarify their regulatory arrangements for regulating the NFT market, which could exacerbate AML/CFT risks.
NFTs can pose many financial crime risks. In particular, the NFT market is at risk of fraud, wash trading and manipulation, vulnerable to hacking and theft, and possibly even sanctions risks.
As the FATF and regulators begin to examine risks in the NFT space, compliance teams should ensure they can mitigate financial crime risks.
For example, VASPs can leverage transaction screening solutions to identify if they are processing payments related to NFT fraud and theft, and can also use multi-currency forensics tools to conduct in-depth analysis of payments in crypto assets such as Ethereum, whether they are related to illegal payments Use NFTs to support criminal associations.
Transfer Rules: Necessary to Fight Sanction Evasion and Ransomware
In October 2018, FATF began calling on countries to apply the Travel Rule (a long-term compliance requirement for traditional financial institutions) to VASPs. At its core, the transfer rules require VASPs to identify the originator and beneficiary of transactions exceeding a certain amount, and to securely transmit information and data to their VASP counterparties. The purpose of the rule is to help law enforcement detect and investigate money laundering and other financial crimes in the crypto asset space.
The FATF’s Latest Report provides a stark warning to member states and VASPs that have not implemented the Transfer Rules – countries should impose information and data sharing requirements on VASPs in accordance with FATF standards. The FATF believes that the current pace of implementation of travel rules by countries and the private sector is too slow, and further delays would pose significant risks to the international financial system.
According to the report, since the FATF issued the Guidelines three years ago, only 29 of the 98 countries surveyed by the FATF have made the transfer rule a local requirement for VASPs, and only 11 are actively enforcing and monitoring it.
Despite the existence of transfer rule compliance solutions on the market, the lack of urgency in countries can inhibit VASP compliance.
The report identified two areas of risk that pose particular risks if transfer rules are not implemented:
The first has to do with sanctions compliance. The FATF noted that “the rapid implementation of the FATF’s transfer rules is an important part of supporting effective counterparty identification and effective sanctions screening.”
The second is ransomware. Since ransomware attackers often cash out their criminal proceeds on unregulated exchange platform services in countries that fail to implement FATF standards, the enforcement of stronger transfer rules will – in theory – ensure that VASPs collect information about counterparties. Additional information that will assist law enforcement.
The report also noted that blockchain analysis is an important method for disrupting ransomware. According to the FATF: “Blockchain tools support and inform successful law enforcement cases, targeted financial sanctions, and other actions to disrupt ransomware financing.”
Further scrutiny by the FATF will prompt countries to speed up the implementation of transfer rules, and compliance teams should take steps to ensure they are prepared to comply.
A new FATF report identifies key issues that will be at the top of the regulatory agenda in the second half of 2022 and beyond. Cross-chain DeFi, non-custodial wallets, NFTs and transfer rule compliance will be the top priority for the VASP compliance team.
Make sure you have blockchain analytics capabilities that allow you to detect and manage cross-chain DeFi activity and risk from DeFi mixers like Tornado Cash. Leverage blockchain analytics to identify non-custodial wallets associated with sanctioned actors, ransomware gangs, and other illegal actors. Detect transactions related to the illegal use of NFTs. Learn about transfer rules solutions and prepare for compliance.