
FATF published Guidance on Virtual Assets

On 21 June 2019, the Financial Action Task Force (FATF) adopted the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers at its June 2019 Plenary. This Guidance provides some global regulatory clarity (recommendations) on AML/CTF issues in the cryptocurrency industry. FATF detailed which types of “Virtual Asset” (VA) activities must be regulated and the minimum requirements for their regulation.

The following are the key notes from the Guidance:

  • The definition of “Virtual Asset Service Provider” (VASP) is broad and technology neutral – any natural or legal person who as a business conducts one or more of the following activities or operations for or on behalf of another person:

    • Exchange between virtual assets and fiat currencies;

    • Exchange between one or more forms of virtual assets;

    • Transfer of virtual assets;

    • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

    • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset;

  • VASP should be subject to a licensing/registration requirement;

  • VASP should identify, assess, and take effective action (risk-based approach) to mitigate its ML/TF risks;

  • VASP should prepare an initial risk assessment taking into account all of the risk factors that the VASP as well as its competent authorities consider relevant, including the types of services, products, or transactions involved; customer risk; geographical factors; and type(s) of Virtual Asset exchanged, among other factors. Such initial risk assessment should be updated on a regular basis to reflect changes in the business environment;

  • VASP should have customer due diligence and enhanced due diligence procedures in place. At a minimum, such procedures should be able to identify the customer and, where applicable, the customer’s beneficiary, to determine whether the customer is a PEP, to verify the customer’s identity, to establish the purpose and intended nature of the business relationship, where relevant, and to obtain further information in higher risk situations;

  • If relations with the client are limited to occasional transactions, the threshold above which VASP should conduct customer due diligence is USD/EUR 1 000, except where the national legal framework provides a lower threshold;

  • VASP should keep documents, data and information collected under the customer due diligence process up to date and relevant by way of regular reviews and ongoing monitoring, and should maintain all records of transactions and customer due diligence measures;

  • The Guidance provides that automated transaction monitoring and customer risk scoring are essential components of an effective AML/CTF program;

  • VASP should maintain and submit suspicious transaction reports to the local Financial Intelligence Units;

  • VASP should immediately and securely send originator and beneficiary information to other VASPs or FIs party to transactions over EUR/USD 1 000, except where the national legal framework provides a lower threshold. Correspondingly, where the VASP is the receiving party, it should obtain the required originator information from the transferring party;

  • VASP should have internal controls in place with a view to establishing the effectiveness of the AML/CTF policies and processes and the quality of the risk management across its operations, departments, branches and subsidiaries. Those internal controls should include appropriate governance arrangements where responsibility for AML/CTF is clearly allocated and a compliance officer is appointed at management level; controls to monitor the integrity of staff, which are implemented in accordance with the applicable local legislation; ongoing training of staff; and an independent audit function to test the system.


The compliance of VASPs’ activities with AML/CTF requirements should be subject to effective supervision or monitoring by the competent authority.


Are you curious how this may impact your business? Please feel free to contact us.
