New FATF Draft Guidance to Regulate P2P Transfers, DeFi, DEXs, NFT and Stablecoins

Table of Contents

  • Introduction
  • Main proposed FATF updates
  • Peer-to-Peer Transfers
  • Six Main Regulatory Areas to be Updated
  • FATF’s private sector consultation period
  • Industry feedback: FATF areas of focus 
  • How to provide feedback to FATF


The Financial Action Task Force (FATF) has published a new 99-page draft guidance proposal on 19 March 2021 to further clarify and define its June 2019 risk-based-approach (RBA) to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) Guidance

The FATF has not yet approved the Public Consultation on FATF Draft Guidance on a Risk-Based Approach to VAs and VASPs, which can be viewed here, and will make further amendments at its June 2021 meetings. The public consultation period will run until 20 April 2021.

While it’s still early days and many sections in the document are crossed out, some highly controversial changes are being proposed that will come as a shock to the surging crypto sector, which we’ll address in a follow-up article. 

The 2019 guidance placed clear anti-money laundering and financing of terrorism (AML/CFT) obligations on VAs and VASPs.  In July 2020, at its first 12-month Travel Review, the FATF committed to update the 2019 guidance and report to G20 on so-called stablecoins, which it has now delivered on.

Main proposed crypto regulation updates

The 2021 draft guidance on VAs and VASPs certainly doesn’t pull many punches, with these main proposed updates up for discussion: 

1) Stablecoins are virtual assets and will be subject to the FATF Standards, however central bank digital currencies (CBDCs) are not considered to be VAs.

2) The following entities are considered to be VASPs:

  • decentralized exchanges (DEXs), 
  • certain decentralized application (dApp) owners and operators
  • crypto escrow services (alluding to DeFi protocols), and 
  • certain non-fungible tokens (NFTs) that could facilitate money laundering and terrorism funding (ML/TF)activities. 

3) Introduction of:

  • best practice guidelines for counterparty VASP due diligence
  • obligations for VASPs to assess and mitigate proliferation financing (PF) risks
  • options for mitigating peer-to-peer (P2P) transfer risks such as unhosted wallet transfers
  • further FATF Travel Rule guidance and clarifications

Peer-to-peer (P2P) transfers

Following FinCEN’s controversial December 2020 Notice of Proposed Rulemaking (NPRM) to regulate crypto transfers between self-hosted wallets and exchanges, there has been much anticipation to see if the FATF would adopt the U.S. federal regulator’s latest proposal.

According to the FATF draft publication, P2P transactions are not explicitly subject to FATF’s AML/CFT obligations as its Recommendations usually only obligate intermediaries between individuals and the financial system, not the individuals themselves. 

However, the FATF recognizes the “heightened ML/TF risk” that P2P transactions can pose to avoid AML/CFT controls imposed on VASPs and obliged entities. If they gain widespread mainstream traction and usage without VASP intermediation, they could possibly lead to systemic ML/TF vulnerabilities in some jurisdictions and full maturity of their protocols could challenge the effectiveness of the FATF Recommendations. 

FATF puts P2P transaction onus on VASPs and Countries

  1. VASPs to consider whether any VAs or products they plan to launch, or transact with, will enable P2P transactions and, if so, how ML/TF risks should be mitigated. This should be done in the design or development phase. 
  2. VASPs to consider the extent to which their customers may engage in, or are involved, in P2P activity. 
  3. Countries to consider how the ML/TF risks of P2P transactions for some VAs may be mitigated through, for example, blockchain analytics. 

Six Main Regulatory Areas to be Updated

The FATF’s revised document has been updated to reflect the passage of time and the publication of other relevant FATF reports. 

The document provides updated guidance in six main areas to:

(1) clarify the definitions of VA and VASP to make clear that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a VA or as a traditional financial asset), 

(2) provide guidance on how the FATF Standards apply to so-called stablecoins, 

(3) provide additional guidance on the risks and potential risk mitigants for peer-to-peer transactions, (4) provide updated guidance on the licensing and registration of VASPs, 

(5) provide additional guidance for the public and private sectors on the implementation of the ‘travel rule’ and 

(6) include Principles of Information-Sharing and Co-operation Amongst VASP Supervisors. 

According to the publication, FATF aims to maintain a level playing field for VASPs, based on the financial services they provide, in accordance with current standards that apply to  financial institutions and other AML/CFT-obliged entities, and to also minimize the opportunity for “regulatory arbitrage” between sectors and countries.

FATF to consult with private sector stakeholders until 20 April

The FATF’s 2019 PSCF in Vienna

As it has done in 2019 with its Private Sector Consultative Forum (PSCF) in Vienna, in which CoolBitX participated, the FATF will once again engage with the private sector stakeholders before finalising the revisions to its 2021 guidance. The 2019 PSCF was marred by strong industry discontent, which did little to stop the FATF from amending regulations like the Recommendation 16 on Wire Transfers and officially adding it to its FATF Standards only a few months later. 

The FATF will give the private sector until 20 April 2021 to comment, and is in particular seeking feedback and views from:

  • representatives from the VA community, including academics and policy bodies
  • virtual asset service providers
  • technology developers and providers, particularly in relation to the travel rule (such as Sygna Bridge)
  • other regulated entities (such as banks)
  • authorities

CoolBitX will be working with Global Digital Finance (GDF) and participating in both US and Asia working group calls in order to help issue a strong industry response.

Second 12-Month Review

Independent from the commenting process, the FATF is also presently considering through a second 12-month review whether the implementation of the revised FATF Standards on VAs and VASPs and further updates are necessary

Relevant issues highlighted through the public consultation may be considered through that review which will be reported to and considered by FATF at its June 2021 plenary.

Industry feedback: FATF areas of focus 

The FATF has asked the private sector to provide feedback on the following areas before it finalizes its new guidance.

1. Does the revised Guidance on the VASP definition better clarify which businesses are undertaking VASP activities?

(see paragraphs 47-79) 

  • Is further guidance needed on how the FATF Standards apply to various business models, as stated in paragraphs 56-59? 
  • How should the Guidance further address the challenges in applying the definition of VASP to businesses which decentralize their operations across multiple parties?
  • Is more guidance necessary on the phrase ‘for or on behalf of another natural or legal person’ in the FATF definition of VASP? 
  • What are the challenges associated with applying the business-customer relationship concept in the VASP context?
  • Do the clarifications on the ‘expansive’ approach to the definition of VASP in identifying and policing the ‘regulatory perimeter’ for VASPs provide countries and the private sector with enough guidance? 
  • What additional clarity can be given to make the perimeter clearer?

2. What are the most effective ways to mitigate the ML/TF risks relating to P2P transactions? 

(see paragraphs 34-35 and 91-93)

  • How are peer-to-peer transactions being used for ML/TF purposes and what options are available to identify how peer-to-peer transactions are being used? 
  • What role and implications (e.g., benefits) do peer-to-peer transactions and unhosted wallets have in VA ecosystems?
  • What specific options are available to countries and VASPs to mitigate the ML/TF risks posed by peer-to-peer transactions?
  • Are the risk mitigation measures proposed in the Guidance in paragraphs 91-93 appropriate, sufficient and feasible?

Peer-to-peer transactions are considered by FATF to be virtual asset transfers conducted without the use or involvement of a VASP or other obliged entity, for example VA transfers between two unhosted or private wallets (referred to by FinCEN in its December NPRM as “self-hosted wallets”)

3. Does the revised Guidance in relation to the Travel Rule need further clarity?

(see paragraphs 152-180 and 256-267)

  • Are there issues relating to the travel rule where further guidance is needed? If so, where? 
  • Does the description of counterparty VASP due diligence clarify expectations, while remaining technology neutral and not prescribing how VASPs must undertake this process (see paragraphs 172-177 and 261-265)?

4. Does it provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities? 

(see Boxes 1 and 4 and paragraphs 72-73, 122 and 224)

  • Is the revised Guidance sufficient to mitigate the potential risks of so-called stablecoins, including the risks relating to peer-to-peer transactions?

5. Are there any further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards?

How to provide feedback to FATF

Respondents can reply to [email protected] with the subject-line “Comments of [author] on the draft revised VASP Guidance” by 20 April 2021 (18:00 UTC).

 Respondents must indicate the  following:

  • name of their organisation, 
  • nature of their business (VASP, technology provider, academic, policy body, other regulated entity), and contact details. 
  • The contact information respondents provide will be used for the purpose of this public consultation only and won’t be shared with third parties without the respondent’s consent.

CoolBitX and Elliptic Release Sygna Bridge Wallet Address Filter For Private Wallet Transaction Discovery

The 4 FATF Travel Rule Lenses to Assess AML Compliance Solutions (Part 1)