Skip to main content

FATF Finalizes Crypto Guidelines, Recommends Exchanges Share Client Data

The FATF’s guidelines for combating cryptocurrency money laundering and terrorism financing could strike a blow against user privacy.
FATF Finalizes Crypto Guidelines, Recommends Exchanges Share Client Data

The Financial Action Task Force (FATF), an intergovernmental regulatory organization, has finalized its recommendations for combating cryptocurrency money laundering and terrorism financing. In short, it wants to blow back the veil on user privacy.

What Are the FATF Crypto Guidelines?

The FATF released the final draft of its highly anticipated recommendations for cryptocurrency service providers today, June 21, 2019. The agency released snippets of its guidance in previous drafts, which were met with exasperation and discontent from crypto faithfuls. The G20, a consortium of some of the world’s most powerful governing bodies including the EU, prematurely agreed to adopt the guidance last December.

In its final form, the FATF’s guidance, which it stresses “is non-binding and does not overrule the purview of national authorities,” isn’t particularly surprising as it includes many of the provisions listed in previous drafts. The document primarily takes aim at cryptocurrency exchanges — both crypto-to-crypto and fiat-to-crypto (and vice versa) — though it also encompasses all cryptocurrency businesses.

More Stringent KYC Requirements

Overall, the FATF recommends that cryptocurrency service providers implement stringent know-your-customer (KYC) requirements since cryptocurrencies “have certain characteristics that may make them more susceptible to abuse by criminals, money launderers, terrorist financiers, and other illicit actors.”

This includes conducting “customer due diligence” (basically, identity verification and confirmation of where and to whom funds are being sent) for any amount over $1,000 or 1,000 euros (the FATF recommends this as the minimum threshold, though it encourages regulators to lower the bar if they’d like). Now, such KYC diligence is par for the course for most licensed exchanges for incoming transactions, but the new guidelines would require this for all outbound transactions, as well.

So, notably, the FATF wants cryptocurrency service providers to share this information among themselves — and, in extreme cases, with law enforcement. The provisions require crypto businesses to establish the identity of each customer in order “to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities.”

This information primarily includes the identity of the “sending customer,” the account from which the transaction originated (e.g., a wallet or exchange account), the sender’s address (or some other identifier like “national identity number” or customer ID), the name of the transaction’s recipient and the recipient’s account information (e.g., wallet or exchange account). These requirements would be crypto’s equivalent of the Bank Secrecy Act’s “Travel” rule, which mandates that banks must pass along certain customer information between each other when transferring funds.

Keeping Record

The FATF’s crypto guidelines also recommend that service providers keep transaction records for up to five years at least, alongside relevant ID information. If the case arises that authorities request this info, it would be more beneficial than network data, the FATF argues, as “reliance solely on the blockchain or other type of distributed ledger underlying the [cryptocurrency] for recordkeeping is not sufficient for compliance.”

In the same vein as business-to-business cooperation, the FATF calls for international “co-operation and co-ordination with respect to AML/CFT [anti-money laundering and countering the financing of terrorism] policies.”

The document reads, “Countries should consider putting in place mechanisms, such as interagency working groups or task forces, to enable policymakers, regulators, supervisors, the financial intelligence unit (FIU), and law enforcement authorities to co-operate with one another and any other relevant competent authorities in order to develop and implement effective policies, regulations, and other measures to address the ML/TF risks.”

Should a service provider or government official detect any wrongdoing, “[c]ountries should also freeze without delay the funds or other assets … of designated persons or entities and ensure that no funds or other assets … are made available to or for the benefit of designated persons or entities in relation to the targeted financial sanctions related to terrorism and terrorist financing.”

It also mandates that service providers should “be licensed or registered in the jurisdiction(s) where they are created” to make keeping tabs on operations by relevant authorities feasible.

No Service Is Safe

If the report’s nomenclature for crypto companies as “virtual asset service providers” sounds purposely nebulous, that’s because it is.

Under the FATF’s definition, basically any service, company or application that deals with cryptocurrencies is subject to its guidance. Centralized exchanges are the FATF’s primary concern, but nothing is free from its guidance’s purview — including decentralized exchanges and mixing services.

“In particular, the virtual asset ecosystem has seen the rise of anonymity-enhanced cryptocurrencies (AECs), mixers and tumblers, decentralized platforms and exchanges, and other types of products and services that enable or allow for reduced transparency and increased obfuscation of financial flows,” the report reads.

So if you thought that Wasabi, Samourai, Bisq and Hodl Hodl would be free from scrutiny, sorry, the FATF wants them to kowtow, too. LocalBitcoins has already demonstrated that so-called “decentralized” exchanges aren’t immune to the whims and pressures of regulators.

Reactions to the FATF Crypto Guidelines

While the FATF wants these services to take heed of their guidance, how governments will realistically enforce some of these rules — and how feasible and effective they will be — is up for debate.

Chainalysis COO Jonathan Levin and global head of policy Jesse Spiro, for example, wrote in a letter responding to the FATF’s original draft that its proposals have a number of limitations and could entail unintended consequences. Specifically, it wouldn’t be feasible to always obtain information on a transaction recipient because the cryptocurrency service provider wouldn’t always know whether a transaction is sent to a personal wallet or another service provider.

“There is no infrastructure to transmit information between VASPs [virtual asset service providers] today,” the letter explains, “and no one has the ability to change how virtual asset blockchains work. Forcing onerous investment and friction onto regulated VASPs, who are critical allies to law enforcement, could reduce their prevalence, drive activity to decentralized and peer-to-peer exchanges, and lead to further de-risking by financial institutions. Such measures would decrease the transparency that is currently available to law enforcement.”

Levin and Spiro also question whether “the same rules [should] apply to all VASPs, regardless of their business models.” They also think the $1,000/1,000 euro threshold is too low.

Dutch bitcoin broker Bitonic echoed Chainalysis’s sentiment, calling the FATF’s enforcements “practically undoable,” while also raising privacy concerns.

“Experts in the European investigation field also call this proposal by the FATF unnecessary and ‘overkill’ … We believe that it is undesirable from a privacy perspective that the U.S. are forcing the EU to endorse such an alarming obligation, which is not just relevant for companies that are active in the virtual currency space.”

The FATF plans to issue a report by this time next year to evaluate the implementation of its guidelines by countries and service providers.