The CVA position was drafted and submitted to the Financial Action Task Force on 26 April 2019 by the CVA Regulatory and Policy Working Group Task Force with the guidance and support from Christine Gschwend (WG Task Force Leader), Thomas Stoltz, Tobias Kallenbach (Co-Chairs), and Dr Mattia Rattaggi (CVA Board Member).
On February 22, 2019, the FATF published guidance to Members and Observers on the application of Recommendations 10, 15 and 16 to Virtual Assets and Virtual Asset Service Providers (VASPs). The FATF also requested that comments be provided on the proposed amendments to Recommendation 16 captured under item 7(b) of the Draft Interpretive Note.
The CVA recognizes that regulated VASPs provide a reliable source of information for law enforcement in the detection, investigation and prosecution of money laundering and other forms of criminal activity. In order to allow VASPs to provide services that compete with those alternatively offered by decentralized technologies, the CVA has crafted comments and recommendations that support the prevention of money laundering and the financing of terrorism, while allowing VASPs to remain competitive in the quickly evolving market of Distributed Ledger Technologies (DLTs).
The comments and recommendations presented below in principle reflect Switzerland’s legal framework for DLTs.
- Executive Summary
The CVA recommends the following:
- The definition of Virtual Assets should not be broadened. The term VASPs and custodial services should be clearly defined.
- Recommendation 16 on wire transfers should restrict the activity of VASPs to recording and screening beneficiary information, but should not include the transfer of such information to the beneficiary.
- Recommendation 17 should allow alternative means of identity validation.
- Support for the strengthening of global private – public partnerships in the area of information sharing should consider relevant data privacy laws.
- Position of the CVA
1. Definition of Virtual Assets
The FATF uses the term “virtual asset” to refer to “digital representations of value that can be digitally traded or transferred and can be used for payment or investment purposes, including digital representations of value that function as a medium of exchange, a unit of account, and/or a store of value.”
The FATF emphasises that virtual assets are distinct from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the money of a country that is designated as its legal tender.
In its Draft Interpretive Note, the FATF further clarifies that “countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).”
The CVA is of the opinion that the term Virtual Assets should not be expanded to include these additional references and that the scope should be limited to a digital representation that can be used by third parties as a means of payment for goods and services.
The definition of Virtual Assets could, however, be further clarified by identifying the categories of tokens that do not fall under the definition of Virtual Assets due to their legal or technological characteristics. We note in particular that utility tokens, which solely provide access to a digital function or non-financial service, cannot be used as a means of payment. The same can be said of asset tokens that represent the equivalent of a share, bond, derivative or other financial instrument, which equally do not have the properties of a payment token. The issuance of such tokens should not be subject to money laundering regulations.
We further recommend that VASPs and “Custodial Wallet Service Providers” be defined as follows:
Virtual Asset Service Provider (VASP)
Persons or legal entities that, on a professional basis; (i) accept cash of more than EUR/USD 100,000 as part of a commercial transaction, (ii) accept or hold deposited Virtual Assets belonging to others as a CWSP, (iii) assist in the investment of Virtual Assets, or (iv) assist in the transfer Virtual Asset from one party to another. Examples may include: centralized trading platforms or exchanges, issuers of Virtual Assets, Virtual Asset fund managers or CWSPs.
Custodial Wallet Service Providers (CWSP)
A VASP that has access to its client’s private keys and therefore can trigger a transaction on behalf of its clients (power of disposal over 3rd party assets).
- Customer Due Diligence (Rec. 10)
VASPs should be required to undertake customer due diligence (CDD) measures when carrying out occasional transactions above USD / EUR 3,000, rather than USD / EUR 1,000 as recommended under 7(a) of the Draft Interpretive Note. Implementation of CDD below this threshold will add administrative costs to VASPs, further disadvantaging them over decentralized DLT services, with little gain in terms money laundering prevention. Maintaining a low enough threshold of USD / EUR 3000 will, however, allow CDD efforts to capture transactions which may be financing terrorism.
- Wire Transfers (Rec. 16)
“Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities.”
(INR 15, 7(b) R.16)
3.1 Transferring Transactional Data
As the infrastructure for sharing originator and beneficiary information via blockchain technology in a cost-effective manner is limited, VASPs would need to rely on existing technology to transmit beneficiary and originator information on DLT transactions (email, sms, internal databases, etc.).
Such additional steps for each individual transaction would not only generate significant administration and operational expenses, but would also be impractical when applied to the transfer of assets between custodial accounts hosted by VASPs and private wallet addresses. Implementing such a requirement would therefore require a multi-process solution depending on the nature of the recipient.
Of greater importance is the risk to an individual’s data privacy that would come with the transmission of data between an originating VASP and a beneficiary, which contains both blockchain address information and a person’s name and residential address. Given the ease of tracing transaction histories via block explorers, mandating the exchange of such data between parties with no or inadequate security framework can potentially expose personal data to privacy breaches, leading to exploitation based on a person’s discoverable transaction history, account balance, or worse.
With the understanding that the transmission of such basic information aims at providing financial intelligence units with originator and beneficiary information, in order to support the investigation of suspicious or unusual activity, we propose that the recording of such information continue to be completed by the originating VASP without the proactive transmission of the information to the beneficiary.
3.2 Obtaining Beneficiary Information
As VASPs have the right of disposal over 3rd party assets, they initiate asset transfers on behalf of their originator clients. To fulfill their due diligence obligation of AML transaction screening, the originating client could therefore be prompted by the VASP to provide beneficiary information prior to a transaction, much like in traditional banking where an originating account holder must identify the beneficiary’s IBAN, but also the name and address of the person to which funds shall be sent.
While it is true that IBANs contain more information on the beneficiary than a blockchain address, VASPs can nevertheless establish a technical solution that prompts the user to provide beneficiary name and address prior to a transfer. Whether the beneficiary’s address is private or hosted by another VASP is irrelevant, and therefore does not need to be known by the originator. AML due diligence must be conducted on the beneficiary itself, not the service provider of the beneficiary’s wallet address.
Information provided by a VASP’s client on the ultimate beneficial owner (UBO) of the destination address can easily be falsified or circumvented. However, VASPs can incentivize honesty in the disclosure of UBO in various ways, including by denying services in the event of a confirmed false declaration. The accuracy of the identity of the UBO can be confirmed by blockchain analysis service providers (e.g. Chainalysis, Elliptic, Coinfirm) or additionally, for very high risk / high value transactions, by requesting the UBO to prove their access and control of the beneficiary address by technical means, including digitally signing a message or sending a microtransaction, both which require access to the private key of the beneficiary address.
3.3 VASP Identification
The investigation of criminal activity can be supported by the identification of the originating VASP via blockchain analysis services, or alternatively in the free text field available under the various blockchain transaction types. Both UTXO and account-based transaction types provide for very limited textual data to be added to each transaction. Requiring VASPs to add an identifier (i.e. equivalent to a bank’s BIC) to each outgoing transaction could provide law enforcement with a source for additional investigative information, a less costly endeavor than transmitting external data between parties off-chain.
For the above reasons, we recommend that the following changes be made to the proposed Interpretive Note to Recommendation 16:
“Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16″
- Reliance on Third Parties (Rec. 17)
Increasingly, a number of blockchain-based services are providing platforms for individuals to manage their personal data, including information relating to each individual’s personal identity. Such services rely on a number of different identity validation methods, not all of which are regulated, supervised or stem from a national authority itself. Recommendation 17 relating to the Reliance on third parties should therefore be amended to allow room for innovative solution to develop in this space. In particular, to allow alternative means of identity validation to be recognized as legally valid. Such solutions will ensure that children born in locations where identification documentation cannot be issued or individuals whose central national identity register is no longer available due to regional instability can be included in the financial services provided by VASPs and other entities.
- Powers of Law Enforcement and Investigative Authorities (Rec. 31)
The CVA welcomes the ideas presented by Global Digital Finance in its input on the FATF Public Statement of April 7, 2019, in which it details under point 2.2 the process for exchanging information on Virtual Asset addresses of interest under a global private – public partnership. If implemented, such an initiative should be compatible with data privacy laws enforced within each jurisdiction.