News & Insights

Client Alert

November 23, 2021

A One-Way Rachet: FATF Regulation of Cryptocurrency and Decentralized Finance

As cryptocurrency, decentralized finance (DeFi)[i], and other uses of blockchain technology continue to proliferate, global regulators are grappling with how best to regulate their use. We have previously written about the developing international regulatory landscape and the efforts of key jurisdictions to extend existing anti-money laundering frameworks to crypto-currency.[ii] Now, the Financial Action Task Force on Money Laundering (“FATF”) has updated its “Guidance for a Risk-based Approach for Virtual Assets and Virtual Asset Service Providers.”[iii] FATF first issued this guidance in 2019, and this long-awaited update advances clarity in the anti-money-laundering and combatting the financing of terrorism (AML/CFT) space. While FATF guidance is not binding until individual countries adopt the rules, its recommendations are recognized as the global standard for AML/CFT compliance.[iv]

Key Updates to the FATF Guidance

The updated Guidance expands on prior FATF Recommendations and Guidance around the regulation of cryptocurrency. Key updates include:

  • A clarification of the definitions of virtual asset (“VA”) and virtual asset service provider (“VASP”);
  • The categorization of non-fungible tokens (NFTs) with respect to VA regulation;
  • Standards for classifying entities engaged in stablecoin activities;
  • Recognition of the money laundering risks of peer-to-peer transactions;
  • Guidance on VASP licensing and registration; and
  • Further guidance on the travel rule.[v]

Broad Definitions of Virtual Assets and Virtual Asset Service Providers

FATF significantly updates its 2019 guidance by expanding the definitions of VA and VASP and clarifying that the definitions should be interpreted expansively.[vi] The goal is to prevent a scenario in which a relevant financial asset is not covered by FATF standards, whether as a VA or another financial asset.[vii] Additionally, any entity that has the ability to exercise control over VAs may qualify as a VASP under the new definition.[viii] The use of an automated process, such as a smart contract, to carry out VASP functions may not excuse a party from their anti-money laundering obligations. [ix]

The updated Guidance defines a VA as a digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purposes. The updated Guidance further clarifies that a VASP is,

any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i. Exchange between virtual assets and fiat currencies; ii. Exchange between one or more forms of virtual assets; iii. Transfer of virtual assets; iv. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and v. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.[x]

Notably, the definition of VASP does not, on its face, include DeFi applications, which by definition imply the absence of a “natural or legal person.”[xi] However, the updated Guidance is clear that an entity’s categorization as decentralized should follow an investigation, and not merely self-identification, because arrangements labelling themselves as DeFi often include a person with a sufficient level of control to be considered a VASP.[xii] The FATF appears intent on identifying a responsible “natural or legal person” wherever possible.

Categorization of Non-Fungible Tokens (NTFs) as Virtual Assets

NFTs are described in the updated Guidance as “digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments.”[xiii] The FATF’s latest update clarified that NFTs do not necessarily constitute VAs, and their categorization as such should be assessed on a case-by-case basis by looking at factors such as whether they are, like VAs, to be used for payment or investment purposes in practice.[xiv] This functional approach to NFT categorization means that while NFTs are not VAs per se, they still may implicate anti-money laundering concerns depending on their use, and regulators have flexibility in designing their approach.

Standards for Classifying Entities Engaged in Stablecoin Activity

Stablecoins are cryptoassets that “aim to maintain a stable value relative to a specified asset, or a pool or basket of assets to other assets.”[xv] Like VAs, stablecoins (deemed a “global risk” by FATF in 2019) create money laundering risks, which may be heightened with mass adoption. The updated Guidance explains that central governance bodies of stablecoins will generally be considered either a VASP, or a financial institution, both of which are covered by the FATF standards.[xvi] Countries are advised to the extent possible to identify entities in stablecoin arrangements that are obliged to comply with FATF standards and conduct a risk-based assessment to mitigate money laundering risks.[xvii]

Money Laundering Risks of Peer-to-Peer Transactions

According to FATF, peer-to-peer transactions—VA transfers conducted without the use or involvement of a VASP or other entity obliged to comply with FATF standards—create a heightened risk of money laundering or terrorist funding.[xviii] The updated Guidance advises countries to conduct private sector outreach, train regulators and law enforcement personnel, and encourage the development of blockchain analytics tools to assist in understanding AML risks in peer-to-peer transactions.[xix] To mitigate these risks, the updated Guidance further advises countries to implement controls that facilitate visibility into peer-to-peer activity, engage in ongoing risk-based enhanced supervision of VASPs with a focus on unhosted wallet transactions, and encourage VASPs to implement additional recordkeeping requirements.[xx]

Additionally, consistent with the recommendation for an expansive interpretation of the definitions of VASPs, the updated Guidance encourages regulators to evaluate the underlying activity of peer-to-peer platforms, and not their label or business model.[xxi] The FATF notes that at some point in the development or launch of a peer-to-peer platform, an entity may have been involved that constitutes a VASP, therefore subjecting the platform to regulation.[xxii]  

Guidance on Virtual Asset Service Provider Licensing and Registration

The updated Guidance recommends that countries designate at least one authority with the responsibility to license and register VASPs.[xxiii] Countries can be flexible in how they implement this recommendation, creating a completely new authority, or simply merging the responsibility with an existing agency.[xxiv] At a minimum, VASPs should be registered in the country in which they are created, or in the case of a natural person, in the jurisdiction where the place of business is located.[xxv] Countries are encouraged, although not mandated under the standards, to also require registration of VASPs that can be accessed in or are made available to people in their jurisdiction.[xxvi] In order to qualify for a license, VASPs must be able to demonstrate an ability to carry out their anti-money laundering obligations. [xxvii]

Further Guidance on the Travel Rule

The updated Guidance clarifies the procedures that VASPs need to undertake to comply with the “travel rule.” This rule was imposed on VASPs in the 2019 Guidance, and requires that they exchange identifying information for transfers above $1,000 between obliged entities.[xxviii] The updated Guidance advises countries to maintain records of originator and beneficiary information for VA transfers, and to be prepared to produce that data upon request by the appropriate authorities.[xxix] VASPs are also responsible for conducting customer due diligence, as well as assessing the anti-money laundering capabilities of a counterparty VASP.[xxx] This year, the United States Travel Rule Working Group (“USTRWG”) introduced a potential solution for facilitating compliance with the travel rule by VASPs.[xxxi] The USTRWG has over 30 US based VASPs, and they are collaborating on finalizing an interoperable solution for compliance.[xxxii] The protocol is currently being tested, and is expected to be ready for use with real customer information by the end of the year.[xxxiii]  

Regulatory Landscape

The exact impact of the FATF guidance is unclear, but it carries the potential effect of prompting more countries to work towards clear regulation on cryptocurrency activity.  In the absence of such regulatory clarity, potential market entrants may be more reticent to participate for fear of unforeseen legal and compliance obstacles.

But swift and uneven global regulation could disrupt innovation and limit the industry’s growth potential. Developers may hesitate to push the boundaries of blockchain technology for fear of liability. More broadly, some consider privacy, confidentiality, and coding efficiency as core values of the industry, and may resist regulations perceived to compromise those values.[xxxiv]

 Additionally, implementing and enforcing regulations will create logistical issues. For instance, in the case of peer-to-peer transactions, there are no VASPs or other regulated financial institutions on which to impose requirements. Regulators have yet to grapple with the enforceability of theoretical regulations.[xxxv]

Despite the challenges in regulating cryptocurrency and DeFi, regulators are nonetheless quickly implementing rules. For example, in January 2021, the U.S. enacted the National Defense Authorization Act for Fiscal Year 2021, which contained the most significant AML overhaul since the Patriot Act, and explicitly extended certain AML obligations to digital assets.[xxxvi] More recently, a panel led by the U.S. Treasury tasked the Financial Stability Oversight Council with considering whether to designate certain stablecoin activity as systemically important.[xxxvii] Similarly, the United Kingdom’s Cryptoasset Task Force has issued guidance requiring that all digital asset businesses must comply with all existing AML regulations.[xxxviii] The UK is also requiring that all entities engaged in “digital asset activity” register with the Financial Conduct Authority by March 31, 2022.[xxxix] 


As regulators continue to adopt new rules, the opportunities to run afoul of them grow and, simultaneously, the likelihood of investigations and enforcement rises. Market participants should review and understand relevant laws and procedures along with industry-wide compliance trends—not just in their home jurisdiction but globally. Market participants should also update their policies and procedures regularly to ensure that they remain compliant with the latest evolving international standards. 

In addition to consistently considering their AML compliance infrastructure, crypto and defi market participants should take steps—if they have not already done so—to consider how their compliance and diligence processes can combat cyber threats and any applicable consumer protection laws in their jurisdiction.  


[i] As we have previously written, DeFi describes blockchain-based alternative finance systems that enable users to engage in transactions without a bank or other traditional financial intermediary.


[iii] Financial Action Task Force, Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (October 28, 2021), available at [hereinafter FATF Updated Guidance].

[iv] See Alexander Osipovich, Global Regulators Back Tougher Rules to Prevent Criminals From Using Crypto, Wall Street Journal (October 28, 2021, 10:33 AM), available at

[v] The “travel rule” requires “obligations to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities.” We have previously written about the application of the travel rule to virtual assets.  

[vi] FATF Updated Guidance, supra note 3 at 5, 22.

[vii] Other financial assets include digital representations of fiat currencies, securities, and anything else already covered by other FATF guidelines. Id at 21.

[viii] Id. at 29.

[ix] Id. at 36.

[x] Id.

[xi] Supra, note 1.

[xii] FATF Updated Guidance, supra note 10 at 27.

[xiii] Id. at 24.

[xiv] Id.

[xv] Id. at 17.

[xvi] Id.

[xvii] Id.

[xviii] Id. at 18.

[xix] Id., at 39.

[xx] Id. at 39-40.

[xxi] Id. at 35.

[xxii] Id.

[xxiii] Id. at 42.

[xxiv] Id. at 43.

[xxv] Id. at 43-44.

[xxvi] Id. at 44.

[xxvii] Id.

[xxviii] Id. at 48.

[xxix] Id. at 60.

[xxx] Id. at 63.

[xxxi] Ian Allison, US Crypto Giants Build First Version of FATF-Compliant ‘Travel Rule’ Tool, CoinDesk (June 25, 2021, 9:17 AM), available at

[xxxii] Id.

[xxxiii] Id.

[xxxiv] Id.

[xxxv] David Z. Morris, DeFi Is Nothing Like Regulators Have Seen Before. How Should They Tackle It?, CoinDesk (October 19, 2021), available at

[xxxvi]WILLIAM M. (MAC) THORNBERRY NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2021, PL 116-283, January 1, 2021, 134 Stat 3388, available at

[xxxvii] Press Release, U.S. Treasury Dep’t, FACT SHEET: President’s Working Group on Financial Markets (PWG), the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (November 1, 2021), available at

[xxxviii] Her Majesty’s Treasury, UK Regulatory Approach To Cryptoassets And Stablecoins, (January 2021), available at

[xxxix] Ryan Browne, Many Cryptocurrency Firms Are Not Meeting Money Laundering Rules, UK Watchdog Warns, CNBC (June 3, 2021, 6:06 AM), available at .; for further information on global regulatory trends with respect to cryptocurrency, see