Financial Action Task Force (FATF) public consultation on updated guidance for virtual assets and virtual asset service providers

In late March 2021, the FATF launched a public consultation on updating its “Guidance for a Risk-Based Approach – Virtual Assets and Virtual Asset Service Providers” (the Guidance) originally published in June 2019.

The public consultation closes on 20 April 2021. The changes in the draft updated Guidance centre on six key areas:

• Clarifying the definitions of “virtual assets” (VAs) and “virtual asset service providers” (VASPs) to make clear that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a virtual asset or as a traditional financial asset).

• Providing guidance on how the FATF Standards apply to “so-called stablecoins”.

• Providing additional guidance on the risks and potential risk mitigants for peer-to-peer transactions.

• Providing updated guidance on the licensing and registration of VASPs.

• Providing additional guidance for the public and private sectors on the implementation of the "travel rule".

• Including Principles of Information-Sharing and Co-operation Amongst VASP Supervisors.

This alert focuses on the expansive interpretation of the definition of VASPs and the FATF’s position that a financial asset is either a VA or a “traditional financial asset”.

Expansive interpretation of VASPs

The updated Guidance does not amend the definition of a VA or a VASP. However, it does clarify that the categories of VASP business activities (including those undertaken by natural persons) should be interpreted broadly. The categories of virtual asset services under the VASP Act are covered in our overview article on the VASP Act.

Under the updated Guidance, VASPs are explicitly not “financial institutions” or intermediaries covered by other FATF Standards. As we identified previously, Cayman entities licensed by CIMA under other regulatory acts (for example banks or insurance companies) that provide or propose to provide virtual asset services must notify CIMA through the REEFS portal. Entities that are registrants (for example an entity that is a Registered Person under the Securities Investment Business Act) must make an application to operate as a VASP.

The updated Guidance provides some non-exhaustive examples of how to interpret virtual asset services, including:

Exchange: a virtual asset service can involve providing even one element of the exchange activity, such as acting as a principal, as a central counterparty for clearing or settling transactions, as an executing facility or as another intermediary facilitating the transaction.

Transfer: a virtual asset service involves any service allowing users to transfer ownership or control of a VA to another user, which extends to a party having custody or ownership of a VA and the ability to pass control of it to others or having the ability to benefit from the VA’s use. This interpretation includes:

o Custodian services which require multi-signature processes to complete transfers.

o Services allowing VAs to be sent to others as a personal remittance payment, payment for non-financial goods or services, or payment of wages.

o Entities involved with decentralised applications (but not the application itself), such as the owner/operator (as they are conducting the exchange or transfer as a business on behalf of a customer, even if other parties play a role in the service or portions of the process are automated), and a person that conducts business development for a decentralized application (as they are facilitating or conducting the exchange or transfer activities). Here the FATF notes that “the decentralisation of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place”.

o VA escrow services which have custody over funds (regardless of the use of any intermediating smart contracts), brokerage services, order-book exchanges, margin/algorithimic trading services and Bitcoin ATMs.

Safekeeping and/or administration includes any entity that provides or facilitates control of assets or governs their use, which captures:

o Holding private keys on behalf of a customer.

o Custodial wallet service providers.

o Professional service providers such as lawyers who offer VA escrow services.

Financial services includes services provided by the issuer of a VA (although this is a separate VASP activity under the VASP Act) and services provided by a VASP affiliated or unaffiliated with the issuer in the context of issuance, offer, sale, distribution, ongoing market circulation and trading of a VA (eg, including book building, underwriting, market making, etc.):

o The licensor of relevant software may not be covered by this limb, but an entity that provides software to facilitate an issuance and actually performs such a service (such as procuring purchasers for a VA) will be a VASP.

o The natural and legal persons facilitating a VA issuance may provide services that involve exchange or transfer activity as well as issuance offer and/or sale activity.

The updated Guidance may also apply to software developers if they deploy programs on behalf of customers which offer virtual asset services, although writing and developing the software itself will not be a virtual asset service. Similarly, the FATF explicitly does not seek to regulate as VASPs those who provide ancillary services or products to a VA network, such as ancillary services to hardware wallet manufacturers or non-custodial wallets, operators of validator nodes, miners and network infrastructure providers, even if such activities are conducted as a business.

As can be seen, direct and indirect provision of virtual asset services by way of business will likely constitute a virtual asset service under the updated Guidance, requiring careful analysis on the precise nature of a business’ activities to determine whether it falls within the scope of the VASP Act.

Financial assets are either a VA or a “traditional financial asset”, and businesses are either a VASP or a “financial institution” The FATF emphasises that in the updated Guidance that “no asset should be interpreted as falling entirely outside the FATF Standards”. Accordingly, any asset is either a VA or a “traditional financial asset”, and businesses involved with such assets are either VASPs or “financial institutions”. In each case, relevant FATF Standards and FATF Recommendations apply.

The definition of VAs explicitly excludes digital representations of fiat currencies (ie central bank digital currencies), securities, and other financial assets already covered elsewhere in the FATF Recommendations, and which lack (a) an inherent ability to be electronically traded or transferred; and (b) the “possibility” to be used for payment or investment purposes. In practice, any transferrable digital token could possibly be used for payment or investment if there is a willing counterparty, so the only digital assets which won’t be VAs are likely to be non-transferrable “closed-loop” tokens with no secondary market, such as airline miles, credit card rewards or similar loyalty rewards or points.

For example, this expanded interpretation of VAs and VASPs can be applied to non-fungible tokens (NFTs). NFTs are not primarily intended to be used as a means of payment, nor to function as an investment (in the traditional sense when compared to securities). However, under the updated Guidance they must either be a VAs or a “traditional financial asset”. NFTs clearly meet the first limb of the VA definition (a digital representation of value that can be digitally traded or transferred) and broadly meet the second limb of the definition (they can be used for payment or investment purposes), therefore they are likely to be considered to be VAs and related businesses will be VASPs requiring licensing or registration under the VASP Act.

How will the draft updated Guidance be implemented under Cayman law?

We are cautiously assuming that the draft updated Guidance is likely to be adopted largely unchanged by the FATF during its plenary in late June 2021.

Once the updated Guidance is adopted, Cayman law (including the VASP Act) may not need amending, as the key concepts and definitions derived from the original Guidance remain unchanged. Instead, the Cayman Islands Monetary Authority (CIMA) may choose to issue updated local regulatory guidance, or directly apply the updated Guidance when assessing registration or licensing applications and considering or taking enforcement action against relevant businesses operating without VASP licensing or registration

We do not yet know if CIMA will allow a grace period to allow businesses to apply for VASP registration or licensing before taking enforcement action based on the updated Guidance.

What do Cayman Islands non-VASP virtual asset businesses need to do?

Some businesses involved in virtual assets that were not previously considered to be VASPs may well be captured by the expanded interpretation of a VASP in the updated Guidance. Such businesses should revisit their regulatory analysis as they may need to be registered, licensed as a VASP with CIMA (or approved to so operate if an existing licensee) on or before July 2021 to avoid the risk of potential enforcement action.

We are happy to be engaged to provide a legal and regulatory review or analysis of your token and business activities.