Key facts to remember:
- Virtual asset service providers (VASPs) are a fairly newly established sector in many jurisdictions. To put it simply, VASPs include exchanges, P2P platforms, crypto ATMs, custodians, and OTC desks, among others.
- A virtual asset (VA) is a digital form of value that can be traded or transferred online. Virtual assets are both suitable for payment and investment.
According to the Financial Action Task Force (FATF), VASPs are more prone to serious risks. For example, VASPs can be exploited by criminals and terrorists for money laundering and funding terrorist activities.
The FATF’s guidance on virtual assets and VASPs, employing a risk-based approach, provides a precise understanding of virtual asset service providers. They played a crucial role in comprehending how FATF Recommendations affect cryptocurrency businesses.
Today, anti-money laundering and counter-terrorism financing (AML/CTF) frameworks are applicable to specific crypto assets and services worldwide, and these definitions guide the determination of which types of digital assets and service providers should be addressed by AML compliance regulations on a global scale.
We talk more about this topic, covering all the basics that you need to know about VASPs and their legal obligations.
The Origin of Virtual Asset Service Providers (VASPs)
In 2019, the FATF expanded its efforts against money laundering and other financial crimes. The organization presented its report called “Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers.”
Since then, FATF has conducted multiple reviews to check how well countries follow their created standards. FATF has also covered new risks and emerging market changes, like in Decentralized Finance (DeFi), Non-Fungible Tokens (NFTs), Peer-to-Peer transactions (P2P), or stablecoins.
The Role of the FATF and VASPs
According to the FATF, the virtual asset ecosystem has made its way to build anonymity-enhanced cryptocurrencies, decentralized exchanges (DEXs), privacy wallets, and various other services throughout recent years. However, such services contribute to reduced transparency and increased obfuscation of financial flows.
According to the FATF, these new virtual asset business models pose risks related to money laundering, terrorist financing, market manipulation, and other fraud types. Moreover, emerging illicit tendencies include the growing use of virtual-to-virtual layering schemes. These scams aim to further hide illicit funds in a relatively easy and cost-effective way.
To combat fraud risks, the FATF provided universal AML compliance guidance for VASPs, financial institutions, other designated non-financial businesses, and other reporting entities. The FATF aims to help companies detect and report suspicious transactions.
The mentioned FATF report explains how to assess the risks of money laundering and terrorist financing associated with virtual assets. It also covers topics such as licensing and registration, actions needed to acquire customer information, as well as secure storage of this information.
What is a Virtual Asset Service Provider (VASP)?
A virtual asset service provider involves the process of issuing a virtual asset or conducting one or more specific activities on behalf of someone else. In general, a VASP has the option to transfer, manage, or supervise the sale of virtual assets through an issuer’s office.
As per the FATF’s definition, a virtual asset service provider can be an individual or a legal entity engaged in one or more of these activities. Virtual asset service providers offer services, such as:
- Converting virtual assets from one form to another.
- Transferring virtual assets.
- Exchanging virtual assets and fiat currencies.
- Safeguarding or managing virtual assets or instruments that provide comprehensive control over them.
- Participating in and facilitating financial services related to the sale of virtual assets or an issuer’s offer.
Who doesn’t Fall into the VASP Category?
The FATF’s VASP definition excludes software publishers whose services include creating new virtual assets. Additionally, investment funds, under specific conditions, do not fit into the VASP category. For example, when investment funds accept subscriptions through an external trading platform.
Additionally, consumers, P2P transactions, and individual miners (when mining for personal use), do not meet the FATF’s definition of a VASP.
How do Virtual Asset Service Providers Operate?
Virtual asset service providers operate by facilitating the transfer, exchange, safekeeping, and administration of virtual assets. VASPs achieve this by harnessing the capabilities of blockchain technology.
VASPs are defined by specific financial activities, not by a specific entity. Anyone engaging in activities outlined by the FATF as a legal business qualifies as a VASP, regardless of the technology they use for virtual assets.
A fundamental aspect of digital assets involves using decentralized digital ledgers to document ownership and transactions. This differs from traditional assets, which are recorded in a private ledger managed by a central authority. The FATF’s recommendations mean that not all digital asset entities, like individual miners, can be VASPs. A single miner lacks the traits needed for VASP classification.
What are Some Examples of Virtual Asset Service Providers?
VASPs must comply with FATF’s crypto Travel Rule, which consists of the following obliged entities:
- Mining pools
- Wallet providers
- Bitcoin ATMs and kiosks that engage in the exchange of virtual assets for fiat currency or other virtual assets.
- Brokerage services that facilitate the issuance and trading of VAs for individuals or entities.
The Travel Rule for crypto assets mandates that any crypto transaction surpassing a specific threshold should include the customer’s personal information. Furthermore, VASPs are required to conduct sanctions screening on the counterparty customer and conduct customer due diligence (CDD) on the counterparty VASP.
How does the Travel Rule Apply to VASPs?
According to the crypto Travel Rule, VASPs and cryptocurrency businesses are obligated to exchange customer information when transferring cryptocurrency or digital assets beyond a certain threshold. This personally identifiable information (PII) should encompass the name and wallet address of the sender.
A quick timeline of the Travel Rule’s evolution and VASPs compliance:
- The ‘Travel Rule’ was initially introduced by FinCEN under the US Bank Secrecy Act (BSA) and became effective in 1996. This rule mandated financial institutions to share specific information with the next financial institution during wire transfers.
- In 2012, the FATF added similar Travel Rule guidelines for wire transfers into the mentioned FATF 40 recommendations.
- In 2018, the FATF added virtual assets and issued guidance on applying a Risk-Based Approach (RBA) to virtual asset service providers.
- In October 2021, FATF revised and expanded the scope of AML/CTF obligations for cryptocurrencies. This includes incorporating CDD practices under the Travel Rule outlined in Recommendation 16.
- Currently, FATF’s Travel Rule mandates regulated entities to ensure that specific information about the parties involved in transactions exceeding USD/EUR 1,000 accompanies the transaction to the receiving entity.
The Travel Rule is applicable to transfers of VAs between two obligated entities, such as two VASPs or a virtual asset service provider and a traditional financial institution.
What are Some Examples of Virtual Assets (VAs)?
According to the FATF, VAs include:
- Gaming tokens.
- NFTs that can be exchanged back to fiat currency.
- Cryptocurrencies, such as Bitcoin, Ethereum, or Litecoin.
- Some stablecoins. However, it depends on their characteristics.
Who aren’t Considered VAs?
The definition of VAs excludes Central Bank Digital Currencies (CBDCs) because they are digital representations of fiat currencies. On top of that, there are some exceptions regarding NFTs.
The FATF provided a framework to determine if NFTs qualify as VAs. The criteria include assessing whether the digital asset is unique rather than interchangeable and if it is primarily used as a collectible rather than for payment or investment purposes. If both conditions are met, the assets do not fall under the definition of VAs according to FATF. Ultimately, the classification of NFTs as VAs depends on their practical function in use.
Can Criminals Use VASPs for Fraud?
The significant distinctions between traditional financial fraud and digital asset fraud that affect consumers include the ease of concealing digital asset transactions and the irrevocability of executed transactions. Criminals can use VASPs for their anonymizing services, such as crypto tumblers and mixers, to sever connections between transactions.
While blockchain transactions are publicly recorded, the use of pseudonyms is possible, as only the underlying wallet addresses are identifiable. This remains a key reason why bad actors may exploit digital assets for criminal activities, underscoring the need for crypto exchanges to enhance customer protection and secure their financial positions.
Common Digital Asset Fraud Examples
VASPs and other obliged entities should learn about digital asset fraud because fraudsters use familiar fraud methods in traditional finance as well. However, while digital asset fraud shares similarities within the financial crime space, consumers face significant differences.
Bad actors take advantage of the anonymity provided by digital assets, posing fraud risks for companies to address. Here are some common examples of digital asset fraud:
1. Account Takeover (ATO)
Account Takeover (ATO) fraud functions similarly in digital assets and traditional finance. In both scenarios, bad actors gather enough information about a victim to pinpoint the location of their assets. They use this data to navigate static or dynamic Knowledge-Based Authentication successfully.
Additionally, they conduct credential-stuffing attacks, deploying bots for brute force attempts to gain unauthorized access. Once unauthorized access is gained, the bad actors swiftly transfer funds to a wallet under their control. The victim remains unaware of the issue until attempting to access their account and discovering the missing assets.
2. “Rug Pull”
In crypto, a rug pull is a common exit scam. In this scheme, the developers of a Web3 startup introduce a project but have no intention of fulfilling their promise after attracting investments. These schemes are more common in the decentralized finance industry and often target individuals comfortable with digital assets.
Unlike confidence scams involving trust-building, a rug pull typically lacks this relationship. The process is similar to a pump-and-dump scheme in the traditional financial space, where scammers provide misleading information about a project, inflating the value of associated digital assets before vanishing without delivering a viable product or service.
3. Market Manipulation
Digital asset markets face similar susceptibility to market manipulation as traditional equities, commodities, and other markets. Another issue comes from the existence of many thinly traded digital assets. While manipulating the prices of major cryptocurrencies like Bitcoin is challenging, smaller altcoins are more vulnerable to manipulation by bad actors.
Fighting against crypto market manipulation is crucial for regulatory compliance and for broadening the use of digital asset technologies, such as crypto ETFs. However, defending against certain forms of manipulation, like wash trading, is notably challenging due to the anonymous nature of blockchain transactions, making it difficult to distinguish legitimate trades.
Some companies trading in digital asset markets already use trade monitoring and other automated RegTech tools for their orders, even without a legal requirement. Others choose not to, taking risks. This gap encourages some firms to introduce products, hoping to escape regulatory scrutiny.
That’s why regulators seek even more stringent rules that could ensure consistent user protection and make manipulative trading and other financial crimes harder.
How Can Virtual Asset Service Providers Combat Fraud?
To manage fraud risks and maintain compliance, virtual asset service providers must integrate Know Your Customer (KYC) processes along with robust fraud prevention measures that would complete their AML program:
- At iDenfy, we help onboard users in a simple, frictionless manner through our document verification, selfie verification, or in-house manual KYC checks.
- For your AML needs, we help screen sanctions, PEPs, and UBOs, as well as conduct KYB verification on your business partners — all in a single platform.
We have 5+ years of experience in the crypto and digital asset ecosystem with industry-knowledge insights and the support of our internal compliance team.