Interpretation of the latest FATF report: Which areas will become the focus of regulatory attention in the second half of the year?

On June 30, the Financial Action Task Force (FATF), the global standard setter for anti-money laundering and countering the financing of terrorism (AML/CFT) measures, published a report on the application of its crypto-asset guidance. The publication of the report marks the third anniversary of the FATF’s Guidance on Crypto-Assets and Crypto-Asset Service Providers (VASPs), which was first published in 2019.

The FATF report is essential reading for compliance teams at crypto asset businesses and financial institutions. It provides FATF's perspective on regulatory matters facing the global crypto industry and regulators. By reading the report, compliance teams can prepare to meet the challenges of upcoming regulatory developments that may affect the crypto industry in the coming months.

DeFi: The risks of cross-chain flows are growing

One of the main issues highlighted by the FATF in its report is the growth of decentralized finance (DeFi). In its Updated Guidance published in October 2021, the FATF called on countries to implement AML/CFT requirements for those who can control DeFi services such as decentralized exchanges (DEX). This is a priority that the FATF has identified, in part, in response to the growth of DeFi-related crimes.

In its Latest Report, FATF noted that even in just eight months after issuing its guidance last year, the DeFi industry has grown and proliferated. According to FATF, the rapid growth and evolution of the DeFi industry is worrisome as it could lead to further acceleration and proliferation of risks.

The first concern of FATF is that despite its call for countries to regulate DeFi, most DeFi protocols and decentralized applications operate outside the regulatory scope. Although some regulators have begun to take enforcement actions against non-compliant DeFi protocols, most regulators have not yet regulated the field. This is a loophole in the eyes of FATF because it allows criminals to use DeFi services freely.

FATF's second concern about DeFi is the increasing use of mixers in the DeFi field to achieve money laundering. Cybercriminals, including North Korean hackers, are increasingly using mixing services to try to cover up their illegal activities, such as Tornado Cash, the mixer most favored by hackers.

Third, FATF highlighted the growing risks associated with cross-chain activities in the DeFi space. According to FATF: “DeFi protocols can be used to perform ‘chain hopping’, which can make transactions more difficult to trace.” Chain hopping refers to the practice of criminals swapping funds between different crypto assets to confuse law enforcement. In the DeFi ecosystem, this is achieved using cross-chain bridges, which enable users to seamlessly transfer funds between blockchains.

Cross-chain bridges are becoming an increasingly important part of the "criminal ecosystem." Illegal actors — such as ransomware attackers and hackers — can use these services to launder money between different blockchains. In addition, funds that cross chains through cross-chain bridges are vulnerable to hacker attacks. In the first six months of 2022 alone, hackers stole more than $1 billion in crypto assets from several cross-chain bridges.

The FATF’s attention to these issues sends a clear message: illicit activity involving DeFi mixers and cross-chain bridges will become an area of ​​increasing regulatory attention in the second half of 2022.

So to combat the growing risks of DeFi, VASPs and financial institutions should ensure that they use blockchain analytics capabilities to detect risks associated with DeFi mixers and cross-chain bridges.

Non-custodial wallets

Another issue that FATF mentioned in its report is the ever-controversial issue of non-custodial wallets.

The FATF has highlighted what it sees as the risks of non-custodial wallets: they allow users to conduct transactions without the presence of a regulated entity that can perform KYC checks on users. Recently, the US Treasury Undersecretary called non-custodial wallets a particular illicit financial risk of concern because they allow users to conduct transactions outside of regulatory oversight. The EU and UK have also recently put forward recommendations to address the risks of non-custodial wallets.

The FATF’s latest report highlights that many other countries are still determining what steps to take to mitigate the risks of non-custodial wallets. However, the FATF notes that some countries see blockchain analysis as a core part of this effort.

As regulatory scrutiny of non-custodial wallets is expected to increase, VASPs should ensure that they have implemented blockchain analytics solutions that can help them identify non-custodial wallets that present a high risk of illicit finance.

NFTs: Painting a picture of growing risk

Like DeFi, non-fungible tokens (NFTs) are another crypto innovation that has developed in recent years, and FATF believes that the risks are constantly changing due to the rapid growth of the market.

In particular, FATF believes that the expansion of NFTs into non-financial markets and the increasing number of active wallets buying and selling NFTs may affect risk dynamics. In addition, FATF points out that NFTs present certain regulatory challenges because they are difficult to classify within the legal framework. Depending on their use and characteristics, they may be securities, works of art, or crypto assets, which can determine the nature of the regulation that should apply. Most countries have not yet clarified their regulatory arrangements for regulating the NFT market, which may exacerbate AML/CFT risks.

NFTs may pose many financial crime risks. In particular, the NFT market is at risk of fraud, wash trading, and manipulation, is vulnerable to hacker attacks and theft, and may even be subject to sanctions risks.

As the FATF and regulators begin to examine risks in the NFT space, compliance teams should ensure they are able to mitigate financial crime risks.

For example, VASPs can leverage transaction screening solutions to identify whether they are processing payments associated with NFT fraud and theft, and can use multi-currency forensics tools to conduct in-depth analysis of payments in crypto assets such as Ethereum to see if these payments are related to the illicit use of NFTs to support criminals.

The Travel Rule: A Must-Have to Fight Sanctions Evasion and Ransomware

In October 2018, FATF began calling on countries to apply the Travel Rule, a long-standing compliance requirement for traditional financial institutions, to VASPs. At its core, the Travel Rule requires VASPs to identify the initiators and beneficiaries of transactions exceeding a certain amount and to securely transmit information and data to their VASP counterparties. The purpose of the rule is to help law enforcement agencies detect and investigate money laundering and other financial crimes in the field of crypto assets.

FATF's latest report issued a stern warning to member countries and VASPs that have not implemented the "travel rule" - countries should impose information and data sharing requirements on VASPs in accordance with FATF standards. FATF believes that the current implementation of the travel rule by countries and the private sector is too slow, and further delays will bring significant risks to the international financial system.

According to the report, since the FATF issued its Guidance three years ago, only 29 of the 98 countries surveyed by the FATF have adopted the Travel Rule as a local requirement for VASPs, and only 11 are actively enforcing and monitoring it.

While travel rule compliance solutions exist in the market, a lack of urgency among countries will inhibit VASP compliance.

The report identifies two risk areas where failure to implement the travel rule poses particular risks:

The first is related to sanctions compliance. The FATF noted that “rapid implementation of the FATF Travel Rule is an important component to support effective counterparty identification and effective sanctions screening.”

The second is ransomware. Since ransomware attackers often cash out their criminal proceeds on unregulated exchange services in countries that fail to implement FATF standards, strengthening the implementation of the Travel Rule would – in theory – ensure that VASPs collect additional information about counterparties, which would help law enforcement.

The report also points to blockchain analysis as an important method for disrupting ransomware. According to the FATF: “Blockchain tools have supported and informed successful law enforcement cases, targeted financial sanctions, and other actions to disrupt ransomware financing.”

Further scrutiny by the FATF will prompt countries to accelerate implementation of the travel rule, and compliance teams should take steps to ensure they are ready to comply.

Summary of key points

The new FATF report identifies key issues that will be at the top of the regulatory agenda in the second half of 2022 and beyond. Cross-chain DeFi, non-custodial wallets, NFTs, and travel rule compliance will be top of mind for VASP compliance teams.

• Make sure you have blockchain analytics capabilities that enable you to detect and manage cross-chain DeFi activity and the risks of DeFi mixers like Tornado Cash.

• Leverage blockchain analytics capabilities to identify non-custodial wallets associated with sanctioned actors, ransomware gangs, and other illicit actors.

• Detect transactions related to illegal use of NFTs.

• Learn about travel rule solutions and prepare for compliance.