In the 10 years since inception, virtual assets have often been associated with the risk of illegitimate transactions and the shadow economy. While a majority of virtual asset holders acquire and use the assets for legitimate reasons, this association has been hard to shake.
This perception is why many regulatory bodies, including the FATF, have been attempting to introduce greater AML and CTF scrutiny to the sector.
The FATF’s guidance and requirements for VASPs to address AML and CTF risks are on par with those by the Society for Worldwide Interbank Financial Telecommunication – which most people know as a ‘SWIFT code’ and enables seamless payment between international banks. This means VASP standards should equal other regulated FS institutions. However, AML/CTF is often looked at as just another third-party system to be integrated, rather than a foundation for organizational strategy on tackling money laundering and terrorism financing risks. To overcome this, a good practice we have observed is to conduct a combined ‘customer and product risk assessment’, defining the likelihood and impact of AML/CTF risks based on the target customer segment and products offered.
All regulatory policies and procedures must be supported by clear accountability within each organization. It is therefore positive to see that significant investment and recruitment is happening at VASPs related to compliance. We are now seeing many compliance and governance functions headed by senior officers with long-term experience in areas such as AML/CTF programs in traditional FS institutions.
Under this leadership, all staff members should be part of a regular training regime to ensure a clear understanding of AML/CTF requirements. Ongoing review and audits should be implemented to ensure key risks are identified and mitigated, and compliance remains intact.
We have implemented new and very strict processes for ongoing improvements in our AML and KYC capabilities. Not surprisingly, there are still gaps in the data we capture from third party vendor solutions and we are using a number of vendor integrations as well as new, in-house built solutions, to strengthen our procedures and reduce various AML/CTF related risk vectors.
At KPMG, we have observed the same challenge with third party AML/CTF services. While some virtual asset specific risks, such as high-risk wallets or high-risk transactions, can be analyzed and flagged through these services, some unusual customer behaviors are not picked up. Therefore, VASPs should implement an effective monitoring system that connects with necessary third-party monitoring systems for a more holistic approach.
The Travel Rule
Another area for a strong AML/CTF approach is to follow the FATF’s Recommendation 16, also known as the Travel Rule, requesting that the originators and beneficiaries of all transfers of virtual assets must exchange identifying information such as their name, account number, and address.1 This rule must be complied with by all licensed and regulated VASPs in any of the 38+ FATF member jurisdictions.
However, the rule also poses challenges. This is because VASPs have not yet had a widely accepted industry service like SWIFT that has mandatory data fields to ensure compliance with the rule, while protecting client and business relationship information.
Therefore, the industry has established several cooperative efforts, including the now broadly accepted IVMS101 (inter-VASP messaging) to streamline data collection across different jurisdictional requirements. In addition, VASP’s and traditional FS institutions are collaborating to build messaging solutions such as the Travel Rule Protocol.2 No single solution will suffice, and therefore, there is a need for interoperability and multi-party service integration.
From a customer perspective, we expect to see significant impacts to the onboarding and deposit and withdrawal experience, because additional information and documentation could be required with each transaction.
As regulations for digital assets evolve, users of virtual assets exchanges need to be able to obtain accurate reporting of their digital asset holdings and activities for their respective jurisdictions (e.g. for tax reporting, which can be done with the help of KPMG Crypto Tax Estimator). VASPs need to be able to provide their customers with data such as the original cost basis of an asset, sales proceeds, realized gains/losses, and deposits and withdrawals. In certain jurisdictions, exchanges may be required to provide this information directly to the relevant tax authority.
Overall, it is clear that there are some substantial regulatory compliance challenges for VASPs, however, investment in compliance, and particularly in AML/CTF programs, will be a significant competitive differentiator. Getting this right should be an attractive drawcard for institutional investors.
1 Virtual assets and virtual asset service providers (PDF 1.96 MB)
2 Travel Rule Protocol