Governments at the highest levels (G20) commissioned an organization called FATF to come up with international regulations for cryptos. They are using international law frameworks that supersede national legislation and will force every country in the world to comply.
Their main goal is to keep crypto activity restricted to licensed and regulated service providers.
A long list of ordinary crypto activities are now labeled a “risk.” Engaging in them will result in increased scrutiny and possible difficulties accessing the wider financial system.
It remains to be seen how this will affect the crypto world. Over time, it could likely split the crypto space in fully regulated (semi) centralized, and unregulated decentralized projects. The winners will be the projects that thrive in either of those. The losers are those fitting in neither.
The worlds’ wealthiest nations are aiming for cryptos, restricting, amongst others, the following:
Private wallets (cold storage, phone and desktop apps);
Privacy (privacy coins, mixers, Decentralized exchanges, use of TOR and I2P);
Former ICOs and Future Projects (DeFi, NFT, smart contacts, second layer solutions, and much more).
In addition, these new regulations intend to:
Force those active in crypto to be licensed and regulated as banks (responsible for KYC and transaction tracking);
Create full transparency for ALL transactions;
Exclude and freeze assets of persons, activities, and countries labeled a “risk;”
Force the inclusion of user information with all transactions;
Revoke the license of those who don’t comply.
short: they want to change the way the space can operate. As you’ll
discover, the regulation rolled out aim to create a system of complete
transparency and control.
At the same time, regulatory clarity could pave the way for the next stage of adoption.
What Can You Get from This Due Diligence
years, we wondered if governments would “ban Bitcoin.” As it turns out,
they will not. Instead, they intent to simply absorb cryptos into the
existing regulated financial system.
due diligence is based on new international regulations. This DD
reveals exactly what the coming regulations mean for cryptos, who is
behind them, and how they will be implemented. Next, this DD highlights
the most revealing and stunning clauses. And finally, it summarizes
which activities are likely to thrive and which are bound to suffer and
what you can do next to protect yourself.
2018, the news that Facebook was creating a crypto currency shocked
international regulators. Until then, they didn’t see cryptos as a risk
to the stability of the global financial system. However, Libra, the
coin Facebook proposed, was a so-called stablecoin; it maintains its
value relative to the USD. They quickly realized what would happen when a
company with a billion users creates an instant payment system that is
cheaper, faster and more user-friendly than the current financial
topic was discussed at the highest levels of government; the G20, an
international forum for the governments and central bank governors from
19 countries and the European Union. They engaged an organization called
the Financial Action Task Force (FATF).
organization has passed similar legislation for banking and financial
service providers around the world. They are responsible for the fact
that all crypto-currency exchanges where fiat is exchanged for cryptos
have the same KYC and anti-money laundering requirements as banks. Now,
they are going to use this framework to focus on the elements of the
industry currently outside their control, and declare what is, and isn’t
New Guidance on Bitcoin and Cryptos
The latest draft guidance of the FATF, to be implemented in July 2021, is called “Guidance for a risk-based approach to virtual assets and VASPs” (GVA) . This DD is based on this GVA.
you will learn, they have a deep understanding of what is happening in
the space. Moreover, they take the expansive view that “most arrangements currently in operation,”including “self-categorized P2P platforms” may have a “party involved at some stage of the product’s development and launch” who will be covered by this new legislation. (GVA, p29)
Why do the FATF regulations have global reach?
FATF isn’t an official government agency of any country, they cannot
create law. They issue what is known as “soft-laws”: recommendations and
guidance. Only when this guidance is implemented in the laws of the
countries, they become “hard-laws” with real power.
theory, they are thus subjected to the formal law-making process of
law-giving countries. However, countries that don’t participate are
placed on a list of “non-cooperative jurisdictions.” They then face
restricted access to the financial system and ostracism from the
international community. For this reason, almost all nations implement
also must be said that national governments, especially in the Western
world, highly value this kind of international cooperation and the power
it gives them. Many such treaties are passed into law with little
opposition or delay.
these treaties are accepted, they become part of a body of law called
international law, a type of law in many cases superseding national
laws. Unknown to the general public, international law is increasingly
being used as a backdoor for passing invasive regulations such as these.
must be noted that people working for this Paris-based organization are
faceless bureaucrats who have not been elected, their procedures and
budget are not subjected to democratic oversight, and they are almost
impossible to remove from power. Like most international organizations,
they fall under the Vienna Conference on Diplomatic Intercourse and
Immunities. As such, they enjoy immunity for their actions, are exempt
from administrative burdens in the countries they are active, such as
taxes, and free from most COVID travel restrictions.
When will this “Guidance” be Implemented?
GVA was published in March to be subjected to public consultation. This
gives it the appearance of the public having a say in the
implementation of it, but when you read it carefully they will consider
feedback only on “relevant issues” they themselves selected. Other
feedback might be considered in the next review in 12 months (by then,
most current recommendations will likely have been passed into law). In
other words, this will be it, with minor adjustments.
2021 FATF reviews all feedback and after the July 2021 meeting these
new “recommendations” will become official. There are no fixed days yet.
However, from July 2021 onwards, we can expect these recommendations to
start being implemented in the national legal systems, and as such,
start affecting our lives.
process has been successfully used in the banking system and tax
systems―it is now coming for crypto. It is worth noting that individual
countries might decide on even more specific or explicit prohibitions on
top of this. It is also worth noting that these regulations do not
apply to central bank-issued digital currencies.
How Will Cryptos Be Regulated?
we can understand how FATF proposes to regulate cryptos, we must learn
what they mean when they talk about a Virtual Asset:
virtual asset is a digital representation of value that can be
digitally traded, or transferred, and can be used for payment or
investment purposes. Virtual assets do not include digital
representations of fiat currencies, securities and other financial
assets that are already covered elsewhere in the FATF Recommendations.” (GVA, p98)
will not be outright banned. They will be regulated via an indirect
method; those who facilitate virtual asset transactions, are designated
as a Virtual Asset Service Provider, or VASP.
all VASPs will be subjected to similar regulation as banks. The
definition of VASP is so wide that most current projects in the crypto
space are covered by it.
Definition of a VASP:
*“*VASP: Virtual asset service provider means any natural or legal person who [...] as
a business conducts one or more of the following activities or
operations for or on behalf of another natural or legal person:
exchange between virtual assets and fiat currencies;
exchange between one or more forms of virtual assets;
of virtual assets (In this context of virtual assets, transfer means to
conduct a transaction on behalf of another natural or legal person that
moves a virtual asset from one virtual asset address or account to
safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.” (GVA, p18)
Many Organizations and Individuals Will Be Designated as VASPs:
A VASP is any natural or legal person, and “the
obligations in the FATF Standards stem from the underlying financial
services offered without regard to an entity’s operational model,
technological tools, ledger design, or any other operating feature.” (GVA, p21)
The expansiveness of these definitions represents a conscious choice by the FATF. “Despite
changing terminology and innovative business models developed in this
sector, the FATF envisions very few VA arrangements will form and
operate without a VASP involved at some stage.” (GVA, p29)
For those wondering if they are a VASP, the following general questions can help guide the answer:
“who profits from the use of the service or asset;
who established and can change the rules;
who can make decisions affecting operations;
who generated and drove the creation and launch of a product or service;
who possesses and controls the data on its operations; and
who could shut down the product or service.
Individual situations will vary and this list offers only some examples.” (GVA, p30)
What Are VASPs Obliged to Do?
VASPs will be forced to implement KYC legislation and monitor
transactions. They become fully regulated entities who need to obtain a
license. Individuals can also be labeled a VASP.
real kicker is that all activities not part of the regulated system are
labeled as “high-risk.” And as such, those performing such activities
become high-risk persons, which could have repercussions for accessing
the wider financial system.
is important to understand that most peer-to-peer activities themselves
will not be banned (although individual countries may do so on their
transactions with a “high-risk” background will be tainted and
scrutinized. Exchanges risk losing their license if they deal with them,
and many will simply choose not to allow them. It might get to a point
where proceeds from certain peer-to-peer transactions or private wallets
are no longer usable in the financial system, at least not without
extensive due diligence.
New Government Organizations for Overseeing the Crypto Market
country should assign a “competent authority” to monitor the crypto
space and communicate with competent authorities in other countries: “VASPs
should be supervised or monitored by a competent authority, not a
self-regulatory body (SRB), which should conduct risk-based supervision
or monitoring.” (GVA, p45)
This can be an existing regulatory body, such as a central bank or a tax authority, or a specialist VASP supervisor. (GVA, p91)
What Activities Will Be Regulated?
This chapter highlights crypto activities, currently considered completely normal, and details how they are to be regulated.
Peer-to-Peer transactions: transactions
without the involvement of a VASP. They are not subjected to
regulation, but are a “risk.” That’s why the FATF recommends increased
monitoring and restriction of this kind of activity, and possibly reject
licensing VASPs that engage in it.
considered a major risk because they think they are more likely to
reach mass adoption. They may be targeted at the level of the central
developer or governance body, which will be held accountable for the
implementation of these recommendations across their ecosystem.
Unhosted Wallets: Commonly used private wallets are called: “unhosted wallets.” As mentioned, the FATF suggests denying licensing VASPs “if they allow transactions to/from non-obliged entities (i.e., private / unhosted wallets).” (GVA, p37) VASPS should also “treat such VA transfers as higher risk transactions that require enhanced scrutiny and limitations.”(GVA, p60)
Client Information to Collect by VASPs: all
VASPs should collect information on their clients such as the
customer’s name and further identifiers such as physical address, date
of birth, and a unique national identifier number (e.g., national
identity number or passport number). VASPs should conduct ongoing due
diligence on the business relationship and the customer’s financial
Travel Rule: FATF
recommends applying traditional bank wire transfer requirements on
crypto currency transactions; this is called the travel rule.
includes the obligation to obtain, hold, and transmit required
originator and beneficiary information associated with VA transfers in
order to identify and report suspicious transactions, take freezing
actions, and prohibit transactions with designated persons and entities.
Information accompanying all qualifying transfers should always contain:
“the name of the originator;
the originator account number where such an account is used to process the transaction;
the originator’s address, or national identity number, or customer identification number, or date and place of birth;
the name of the beneficiary; and
the beneficiary account number where such an account is used to process the transaction.” (GVA, p53)
Instant transfer of ID information tied to transactions: Obliged
entities should submit the required information simultaneously with the
batch VA transfer, although the required information need not be
recorded on the blockchain or other Distributed Ledged Technology (DLT)
Categorize Clients and Activities According to their level of Risk: VA
and VASP activity will be subject to a “Risk-Based Approach.” In
practice, this means that each client and activity is categorized by
their risk level. Risk levels are determined based on a variety of
factors. Persons or activities considered a risk can see enhanced due
diligence and even their ability to use VASPs reduced.
Ongoing Transaction Monitoring: Every customer is assigned a risk profile. Based on this profile, customer transactions will be monitored to determine
whether those transactions are consistent with the VASP’s information
about the customer and the nature and purpose of the business
Transactions tight to Digital IDs: In the future, VA transactions might need to be subject to digital identity regulations, also being developed by the FATF.
Freezing of Assets: Cryptos
can be frozen when the holder is suspect of a crime, as part of other
investigations, when the VA is related to terrorist financing, and when
related to financial sanctions. The freezing of VAs will happen
regardless of the property laws of national legal frameworks, and it
will not be necessary that a person be convicted of a crime.
Anonymity-Enhanced Cryptocurrencies (AECs) and Privacy Tools: The
GVA specifically targets tools intended to improve privacy, such as:
anonymity-enhanced cryptocurrencies (AECs) such as Monero, mixers and
tumblers, decentralized platforms and exchanges, use of the Internet
Protocol (IP) anonymizers such as The Onion Router (TOR), the Invisible
Internet Project (I2P) and other darknets, which may further obfuscate
transactions or activities.
This includes “new illicit financing typologies” [Author: DeFI?], and the increasing
use of virtual-to-virtual layering schemes that attempt to further
obfuscate transactions in a comparatively easy, cheap, and secure
manner” [Author: Lighting, Schnorr, Taproot?]. (GVA, p6)
And if a VASP “cannot
manage and mitigate the risks posed by engaging in such activities,
then the VASP should not be permitted to engage in such activities.” (GVA, p51)
Obligations to get a License for all VASPs: The GVA intends to subject all VASPs to a licensing scheme: “at a minimum, VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created.” (GVA, p40)
Moreover, each jurisdiction might require licensing for those servicing clients in their jurisdiction.
bears repeating that a natural person can also be designated as being a
VASP and be required to obtain a license to work on a crypto project.
Moreover, the competent authorities get to determine who can and cannot
become a VASP, and monitor the Internet for unlicensed activities by
engaging in “chain
analysis, webscraping for advertising and solicitations, feedback from
the general public, information from reporting institutions (STRs), non
public information such as applications, law enforcement and
intelligence reports.” (GVA, p41)
Bitcoin ATMs: “Providers
of kiosks—often called “ATMs,” bitcoin teller machines,” “bitcoin
ATMs,” or “vending machines”—may also fall into the above definitions.
Decentralized Exchanges: According
to the GVA, the concept of a decentralized exchange doesn’t exist,
since these regulations are technology neutral. As such, those running
the exchange can be held liable for implementing these regulations.
Multisig Contracts: In
case of partial control of keys, like a multisig or any kind of shared
transaction, the providers of such services could be subjected to this
regulation as well.
Regulation of Future Developments: Countries
should identify and assess the money laundering and terrorist financing
risks relating to the development of new products and business
practices. The result might be that the development of new projects need
some sort of approval process.
International Cooperation of Competent Authorities: And
finally, the FATF Recommendations encourages competent authorities to
provide the fullest range of international co-operation with other
What Will Not Be Regulated?
good news is that what makes crypto, crypto, remains unregulated;
peer-to-peer transactions themselves, small transactions and ecommerce,
open source development, and cold storage (USB wallets) will remain
exempt are persons facilitating the technical process, such as miners
and nodes (called validators), and those that host, facilitate and
develop the network. In addition, small transactions under 1.000 USD/EUR
are exempt, although basic identity information will be recorded when
done through a VASP.
What Will Be the Outcome of These Regulations?
regulation, like many of its kind, will have (un)intended consequences.
The stated goal of increased transparency in the space might very well
be achieved, reveling the proceeds of certain crimes.
a secondary goal is clear for those understanding these kinds of
open-ended legislation; controlling what can and cannot be done with
crypto in the real world by labeling certain activities and undesired
persons as “high risk.”
will be increasingly difficult to deal with proceeds from the “wrong”
activities, especially for people from high-risk countries, engaged in
high-risk activities, or just being considered a high-risk person.
addition, it will become expensive and technologically challenging to
comply with this legislation. Small companies with unique business
models might find it impossible to survive. Only the large regulated
entities might remain in existence. This is a common result of
regulation that is welcomed by regulators; a few large companies are
easier to regulate than one thousand small ones. In some cases, the
large participants welcome regulations as well, as it reduces
competition. The same happened in the banking sector, for example.
downsides are that such regulations smother many otherwise beneficial
technological projects in the crib and criminalize perfectly legal
activities and the innocent citizen performing them. The loss of privacy
will also increase security risks, especially for those living in
The Crypto World at a Crossroads:
is hard to determine how specific projects and the crypto space in
general are going to be affected; especially since this is not the final
guidance. Each national government will have a slightly different
interpretation of these regulations, as well as existing laws and
precedent in their own country. In addition, individual VASPs will
interpret these regulations according to the viewpoint of their legal
departments, as well. Cryptos will become a regulatory minefield.
natural consequence of these regulations is that projects and
participants in the crypto space will be divided into two categories:
those who do/can meet these regulations, and those who do/cannot.
will be those that will fully comply with these regulations. In terms
of participants, these will be the big exchanges and onramps, banks, and
institutional investors. A lot of participants exclusively use
exchanges (VASPs) already for their coins anyway, and for them nothing
changes. In fact, additional regulations might help institutional
adoption, an idea supported by the fact that the Bank of International
Settlements issued new guidance for banks on the prudential treatment of
assets which might succeed in such an environment are projects that
have focused on transparency and KYC from the start, or those who are
already established too decentralized and operate without any historic
there are the activities that are specifically targeted by this
regulation; peer-to-peer transactions, privacy coins, decentralized
exchanges, decentralized finance, and other peer-to-peer systems. It
appears that such projects have only one option and that is to go fully
decentralized. Which could actually make them attractive for some.
is worth repeating that in principle, peer-to-peer systems are not
against the law. Those participating in them should however accept that
part of their assets and proceeds exist outside the regulated financial
system, and that by engaging in them they might be labeled a “risk.”
there will be projects that fall in between: they are either too
centralized to become fully decentralized and considered too “high-risk”
to be licensed. Such projects will experience significant headwind.
Think about the aforementioned stablecoins, certain decentralized
finance applications, certain self-hosted wallets (especially when
facilitating exchange functions), and future ICOs.
projects that are still too centralized are a big question mark.
Especially those who have leading individuals still in control of
“road-maps,” or those relying on “governing councils.” Those persons
might suddenly be designated a VASP and forced to monitor the
individuals and transactions on their network (a big downside as
compared to the projects already decentralized).