On 14 September 2022, K2 Integrity hosted a webinar on considerations in the digital assets space. K2 Integrity Board Member Christopher Brummer and AML/CFT experts Mariano Federici and Alex Levitov discussed the current digital assets landscape, illicit financing threats and vulnerabilities, international standards for virtual asset service providers, and navigating regulatory uncertainty while managing risks. This article summarizes the key points and analysis from the event. To watch a recording of the full webinar, click here.
Digital assets, ranging from cryptocurrencies and stablecoins to non-fungible tokens (NFTs) and central bank digital currencies, hold the power to transform the world of traditional finance. But with such tremendous opportunities come increased risk.
The promise of digital assets
Digital assets, and the technology that it leverages, provides a number of potential advantages.
- Payments at the speed of the Internet – With the traditional financial system, it can take days to clear payments, particularly when those payments are going cross border and require the involvement of a number of intermediaries. Digital assets can be transmitted at the speed of the Internet, vastly improving transaction processing time.
- Fractionalization and increased access to previously illiquid assets – Fractionalization of illiquid assets is something that has been done in traditional financial practice for some time, but digital assets technology promises to bring those fractionalized assets to a much broader set of retail investors and consumers, allowing individuals to purchase small fractions of real estate assets, with ownership rights registered on the blockchain.
- High security and privacy assurances – The public, decentralized nature of the blockchain means that the history of every digital asset transaction is recorded on a shared accounting ledger, stored in multiple copies on a network of computers around the world—ensuring a common record of transactions verified by an accepted consensus protocol. At the same time, the owners of individual wallet addresses are not required to reveal their true identity to other blockchain participants, allowing users to maintain privacy and protect their personal information.
- Increased transparency through a shared and immutable record on the distributed ledger – The same, public features of the blockchain mean that no longer does a single individual, or small group of individuals, have ownership over financial records and data.
- Reduced transaction costs – Digital assets can be transmitted at reduced transaction costs due to the shift away from multiple intermediaries throughout a cross-border transaction chain to near instantaneous peer-to-peer transactions.
- Financial inclusion – Digital assets promise to reduce barriers to entry, bring more people into financial system, and create greater inclusivity and access to different types of financial instruments that may have not been available on a truly global basis.
- Circumvention of capital controls and financial surveillance – There is political interest in the digital asset space as a way of circumventing capital controls or forms of financial surveillance that have been imposed by authoritarian regimes or other government actors to restrict inflows from abroad or the movement of funds to foreign jurisdictions.
One use case example is that digital assets have been used to provide greater access to stable dollar-like assets in particular countries that may be suffering from currency devaluation and/or high rates of inflation. We have seen a lot of interest in stablecoins in Argentina and Turkey where direct access to dollars can be difficult and there are black markets for that currency.
Key regulatory and risk management issues
There are a number of regulatory and risk management issues for consideration. One of the larger conversations in this space is the question of when a digital asset is a security and what that registration and licensing process should look like given the particularities of a digital asset. There are always new questions that arise throughout the financial ecosystem given the particularities of digital assets. Consumer protection advocates are really interested in whether or not there is an adverse relationship with consumers, which sometimes dovetails with larger investor protection questions around disclosures. Finally, there is the issue of countering illicit finance through anti-money laundering, combatting the financing of terrorism and the proliferation of WMD, and countering sanctions violations and sanctions evasion. Each of these items push on the boundaries of how surveillance has traditionally been conducted, the kinds of assumptions one makes about the identity of individuals, and the accessibility of information and transactions.
What makes digital assets vulnerable to abuse? It is estimated that cyber criminals may have laundered approximately $10 billion worth in digital assets in 2021. This is attributed to the complexity, anonymity, decentralization, irreversibility, high transaction values and throughput, weak regulatory structure, and immature risk and compliance programs of digital assets.
Criminal actors can exploit these vulnerabilities through frauds and scams, trade in banned goods (e.g., darknet marketplaces), hacks or theft, laundering of criminal proceeds generated in fiat currency, sanctions evasion, and financing of terrorism and WMD. Scams alone accounted for 55 percent of cryptocurrency-based crime in 2021.
International standards and the role of virtual asset service providers (VASPs)
The following international standard setters work to establish requirements, expectations, guidelines, and best practices in the digital asset space: the Basel Committee on Banking Supervision (BCBS), the International Organization of Security Commissions (IOSCO), the Financial Stability Board (FSB), and the Financial Action Task Force (FATF). The FATF has been forward leaning in addressing illicit finance risks presented by digital assets, focusing on the role of virtual asset service providers (VASPs) as critical intermediaries in the virtual asset ecosystem, serving as the on and offramps between fiat currencies and virtual assets. The FATF Standards set a global minimum with which all countries worldwide are expected to comply and against which they are routinely assessed by the FATF.
According to the FATF Standards, VASPs must be regulated for AML/CFT purposes, licensed or registered, and subject to effective monitoring and supervision. Specifically, VASPs are required to apply AML/CFT controls or “preventive measures” that are substantially similar to those expected of traditional financial institutions (FIs) with respect to risk assessment and the application of a risk-based approach, customer due diligence (CDD) and enhanced due diligence (EDD) measures, funds transfer recordkeeping and the “travel rule,” and suspicious transaction reporting.
Recognizing that virtual asset transfers are “functionally analogous” to wire transfers undertaken by traditional Fis, the FATF has extended its traditional wire transfer requirements to VASPs, subject to certain technical modifications. Often referred to as the “travel rule,” these requirements state that:
- Originating VASPs must obtain and hold required and accurate originator information on virtual asset transfers, submit this information to the beneficiary VASP or financial institution (if any) immediately and securely, and make it available on request to appropriate authorities.
- Beneficiary VASPs must obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers and make it available on request to appropriate authorities.
The travel rule is a key FATF requirement that enables the private sector to comply with sanctions requirements and detect suspicious transactions. Yet according to the FATF’s June 2022 Targeted Update on the Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers, jurisdictions have made only limited progress in implementing the travel rule. While 29 out of 98 responding jurisdictions reported having passed travel rule legislation, only 11 jurisdictions have started enforcement and supervisory measures. 36 of 98 have not even begun the process of introducing the relevant legislation. Private sector implementation has, in some cases, progressed ahead of public sector requirements, including through solutions such as the Travel Rule Universal Solution Technology (TRUST), which assists VASPs in identifying VASP counterparties and securely transmits travel rule data between TRUST members.
In the U.S, VASPs are required to register as money services businesses (MSBs) with the Financial Crimes Enforcement Network (FinCEN) and comply with applicable state-level licensing requirements. MSBs are subject to the Bank Secrecy Act (BSA) and are required to maintain an effective written AML program and comply with recordkeeping, reporting, and transaction monitoring obligations under the BSA.
Regulators and lawmakers continue to discuss the appropriate regulatory classification of various digital assets, the outcome of which could bring certain assets under the jurisdiction of the Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC).
Regulation beyond VASPs
There are a number of challenges with respect to the regulation of decentralized exchanges, protocols, self-hosted wallets, and other participants in the digital asset system that do not necessarily classify and VASPs under global standards and are not currently regulated as MSBs in the United States. These include:
- DeFi exchanges that never take custody of virtual assets.
- If a virtual asset is a security, who (or what) is the broker-dealer in the DeFi context?
- If a virtual asset a commodity, who (or what) is the futures commission merchant or introducing broker in the DeFi context?
- Can a protocol have compliance obligations (see also: Tornado Cash)?
- NFT marketplaces, which may serve functions more closely resembling an art dealer or online marketplace than a financial institution.
- Yet how can crypto-based marketplaces such as NFT platforms comply with sanctions obligations and other counter-illicit finance compliance responsibilities without knowing the true identities of their customers and users?
- Self-hosted wallets, which allow for peer-to-peer transactions without the intermediation of a VASP or other regulated entity.
- Do stablecoins further minimize the need for a fiat offramp?
- Mixers, including sanctioned protocols such as Tornado Cash.
- How can VASPs and other ecosystem participants manage the risks of transactions downstream from interaction a designated address?
- Should all mixers be subject to heightened scrutiny or blocked altogether in the face of the Tornado Cash designation
- The digital asset space holds a lot of promise in creating an accessible and equitable space for a variety of users to securely engage with this financial system at a lower cost.
- As the digital asset space matures, we see promising developments in the fight against digital asset related crime, ensuring users can transact safely and criminal cannot access these new assets.
- Digital assets are vulnerable to abuse due to the complexity of the system, anonymity of users, decentralization, and immature risk and compliance programs. Criminal actors can conduct scams, using Ponzi schemes and “rug pulls,” where developers create new tokens and promote them to investors before unexpectedly abandoning the project and draining funds from the liquidity pools.
- Digital assets are used in sanctions evasion. Recently Russia’s Finance Ministry and Central Bank announced plans to legalize the use of virtual currencies in international trade in an effort to counteract the effect of multilateral sanctions against Russia.
- International standards has been put in place, led by FATF, with the United States and other leading jurisdictions issuing regulations under this global framework, which focuses on the role of VASPs as a critical intermediary of the virtual asset ecosystem.
- There are a number of open regulatory considerations beyond VASPs that the international and US communities are working through as this continues to be a rapidly changing landscape.