Financial Action Task Force (FATF)

The FATF's core framework, first issued in 1990 and revised in 2012, provides a comprehensive set of measures for countries to implement. Key pillars include:

• Risk-Based Approach: Countries and entities must assess and mitigate risks.
• Customer Due Diligence (CDD): Identifying and verifying customers, including beneficial owners.
• Record Keeping: Maintaining transaction records for at least five years.
• Reporting Suspicious Transactions: Mandatory reporting to Financial Intelligence Units (FIUs).

A critical standard for Virtual Asset Service Providers (VASPs), mandating the sharing of originator and beneficiary information for cryptocurrency transfers. For transfers over USD/EUR 1,000, VASPs must obtain and transmit:

• The originator's name, account number, and physical address.
• The beneficiary's name and account number. This rule aims to bring crypto transactions in line with traditional wire transfer transparency.

The FATF monitors compliance through a rigorous peer-review process. Countries undergo mutual evaluations to assess their anti-money laundering (AML) frameworks. Non-compliant jurisdictions can be placed on lists:

• Grey List (Increased Monitoring): Jurisdictions with strategic deficiencies.
• Black List (High-Risk Jurisdictions): Countries with severe, unaddressed flaws, calling for enhanced due diligence and potential counter-measures.

In 2019, the FATF extended its standards to the crypto sector, defining virtual assets and Virtual Asset Service Providers (VASPs). A VASP is any business conducting exchange, transfer, safekeeping, or issuance of virtual assets. This classification brings exchanges, custodians, and some DeFi protocols under the same regulatory obligations as banks, including licensing, CDD, and the Travel Rule.

The FATF's influence is amplified through nine associate members, known as FSRBs, which promote implementation at a regional level. Key bodies include:

• Asia/Pacific Group on Money Laundering (APG)
• Financial Action Task Force of Latin America (GAFILAT)
• Middle East and North Africa Financial Action Task Force (MENAFATF) These bodies conduct their own mutual evaluations and help tailor FATF standards to regional contexts.

FATF Recommendations directly shape domestic laws. Non-compliance risks a country's access to the global financial system. Key legislative outcomes include:

• The USA PATRIOT Act (Bank Secrecy Act amendments)
• EU's Anti-Money Laundering Directives (AMLDs)
• National laws establishing Financial Intelligence Units (FIUs) and mandating Suspicious Activity Reports (SARs). The FATF is often described as setting the 'de facto global standard' for AML/CFT.

The FATF Recommendations are the international benchmark for AML/CFT frameworks. This process involves:

• Periodic review and revision to address new threats like virtual assets.
• Developing Interpretive Notes and Guidance for specific sectors.
• Establishing risk-based approach principles for implementation. The 40 Recommendations cover legal systems, preventive measures for financial institutions, transparency, and international cooperation.

A rigorous peer-review process where FATF and FATF-Style Regional Bodies (FSRBs) assess a country's compliance with the Recommendations.

• On-site visits by a team of legal, financial, and law enforcement experts.
• Production of a detailed Mutual Evaluation Report (MER) rating technical compliance and effectiveness.
• Results can lead to placement on the FATF's 'grey list' (Increased Monitoring) for jurisdictions with strategic deficiencies.

The FATF identifies jurisdictions with severe strategic deficiencies through two public lists:

• Call for Action ("Black List"): Jurisdictions with critical, unaddressed flaws. Countries are called upon to apply enhanced due diligence and counter-measures.
• Increased Monitoring ("Grey List"): Jurisdictions actively working with the FATF to address identified deficiencies. Listing is a powerful tool for applying diplomatic and financial pressure to drive reform.

The FATF conducts ongoing research to identify money laundering (ML) and terrorist financing (TF) methods and vulnerabilities.

• Publishes typologies reports on specific threats (e.g., illicit art trade, ransomware, proliferation financing).
• Risk-Based Approach Guidance helps countries and private sectors prioritize resources.
• This intelligence-driven process ensures the standards evolve to counter emerging risks like decentralized finance (DeFi) and non-fungible tokens (NFTs).

A cross-cutting process essential for the FATF's mission. It includes:

• Membership and FSRB Network: Coordinating with over 200 countries through its 39 members and 9 associate FSRBs.
• Outreach to the Private Sector: Engaging with financial institutions, virtual asset service providers (VASPs), and other businesses for feedback and implementation support.
• Collaboration with other International Bodies: Working with the IMF, World Bank, UN, and Egmont Group of Financial Intelligence Units.

The FATF's core framework consists of 40 Recommendations for AML and 9 Special Recommendations for CFT. For crypto, the most critical is Recommendation 15, which mandates that Virtual Asset Service Providers (VASPs) must comply with the same AML/CFT obligations as traditional financial institutions, including:

• Customer Due Diligence (CDD) and Know Your Customer (KYC)
• Suspicious Activity Reporting (SAR)
• Record-keeping of transactions This is the legal foundation for global crypto compliance.

The FATF Travel Rule is a specific requirement under Recommendation 16 that obligates VASPs to share originator and beneficiary information for cryptocurrency transactions above a certain threshold (typically $/€1,000). This means:

• Originating VASPs must obtain and transmit required sender data.
• Beneficiary VASPs must receive and verify required beneficiary data.
• The rule aims to make crypto transactions as traceable as wire transfers, creating significant technical and operational challenges for decentralized or non-custodial services.

The FATF defines a Virtual Asset Service Provider (VASP) as any natural or legal person conducting one or more of the following activities as a business:

• Exchange between virtual assets and fiat currencies.
• Exchange between one or more forms of virtual assets.
• Transfer of virtual assets (custodial wallets).
• Safekeeping and/or administration of virtual assets or instruments enabling control over them.
• Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset. This broad definition encompasses centralized exchanges, many wallet providers, and some DeFi protocols.

The FATF monitors global compliance through a peer-review process and publicly identifies jurisdictions with strategic deficiencies:

• High-Risk Jurisdictions ("Black List"): Countries with serious, ongoing strategic deficiencies (e.g., North Korea, Iran). Financial institutions are urged to apply enhanced due diligence.
• Jurisdictions Under Increased Monitoring ("Grey List"): Countries actively working with the FATF to address identified strategic deficiencies (e.g., the UAE, Philippines, Nigeria). Being listed can affect a country's credit rating and increase scrutiny on transactions involving its VASPs.

The FATF's 2021 Updated Guidance clarified its stance on Decentralized Finance (DeFi) and unhosted (non-custodial) wallets:

• DeFi Protocols: If a project has any "owners or operators" who can control or influence the protocol, they may be considered a VASP and subject to regulation. Truly decentralized protocols remain a compliance challenge.
• Unhosted Wallets: Transactions between a VASP and an unhosted wallet are subject to standard CDD/KYC. Transactions between unhosted wallets are not directly regulated, but VASPs may be required to identify their customers' unhosted wallet addresses and monitor those transactions.

The FATF's standards are implemented globally through a network of associate members and regional bodies:

• FATF-Style Regional Bodies (FSRBs): Groups like the Asia/Pacific Group (APG), Council of Europe's MONEYVAL, and the Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG).
• These bodies promote effective implementation of FATF standards in their member countries through mutual evaluations and technical assistance.
• For a blockchain company, understanding the specific FATF assessment of the jurisdictions in which it operates (conducted by these bodies) is crucial for compliance planning.

The Risk-Based Approach (RBA) is a core FATF principle requiring countries and regulated entities to identify, assess, and understand their money laundering and terrorist financing risks. They must then deploy resources to mitigate the highest risks. For crypto, this means:

• Enhanced Due Diligence (EDD): For higher-risk customers or transactions (e.g., from high-risk jurisdictions, large amounts, privacy coins).
• Simplified Due Diligence: For lower-risk scenarios, where permitted.
• Ongoing Monitoring: Continuous transaction monitoring for suspicious activity.

The FATF has clarified that entities involved in Decentralized Finance (DeFi) may still be considered VASPs if any persons maintain control or sufficient influence over the service. This targets:

• Protocol Developers & Governance: Those who create, maintain, or govern a DeFi protocol with control over assets or operations.
• DApp Front-ends: Interfaces that facilitate user access to DeFi services. The guidance challenges the 'fully decentralized' narrative, asserting that if a natural or legal person can be identified as an owner/operator, AML/CFT obligations apply.

AML/CFT refers to the legal and regulatory framework designed to prevent criminals from disguising illegally obtained funds as legitimate income (money laundering) and to stop the financing of terrorist acts. Key components include:

• Customer Due Diligence (CDD): Verifying customer identity (KYC).
• Transaction Monitoring: Identifying unusual or suspicious patterns.
• Suspicious Activity Reports (SARs): Mandatory reporting to Financial Intelligence Units (FIUs).
• Record Keeping: Maintaining transaction records for a minimum period (typically 5+ years). The FATF sets the international standards that national AML/CFT laws are built upon.