Skip to content.

FATF Issues Updated Virtual Asset Guidance

On October 28, the Financial Action Task Force[1] (“FATF”) issued its Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, updating its 2019 guidance (the “Guidance”). This updated guidance outlines the FATF’s view on the application of the FATF Recommendations to virtual assets, including providing further clarification on the definitions of “virtual assets” and “virtual asset service providers” and addressing current developments such as stablecoins, non-fungible tokens (“NFTs”), initial coin offerings (“ICOs”), decentralized finance (“DeFi”) and decentralized applications (“DApps”).

Definition of Virtual Assets (VA)

The Guidance reiterates the definition of “virtual assets” as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purpose” and also notes that “[v]irtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations”. In addition, the Guidance states that “[f]inancial assets should not be deemed uncovered by the FATF Recommendations because of the format in which they are offered and no financial asset should be interpreted as falling entirely outside the FATF Standards. Finally, the Guidance reiterates that the definition should be interpreted broadly.

Definition of Virtual Asset Service Provider (VASP)

The Guidance reiterates that “any natural or legal person who is not covered elsewhere under the [FATF] Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person”: (each of the following referred to as a “limb” of the VASP definition in the Guidance):

  1. Exchange between virtual assets and fiat currencies;
  2. Exchange between one or more forms of virtual assets;
  3. Transfer of virtual assets;
  4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
  5. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The Guidance provides further insight into this definition, noting in particular that “conducts” “includes the provision and/or active facilitation of a service, which refers to active involvement in the provision of activities covered” and that “as a business” means “for commercial reasons” and “on at least a sufficiently regular basis, rather than infrequently.”

The Guidance also provides detailed description and examples of entities that may be captured as VASPs, including in the stablecoin and DeFi context (discussed below). The Guidance also notes that other common examples of entities that may be captured as VASPs include:

  1. “VA escrow services, including services involving smart contract technology, that VA buyers use to send, receive or transfer fiat currency in exchange for VAs, when the entity providing the service has custody over the funds;
  2. brokerage services that facilitate the issuance and trading of VAs on behalf of a natural or legal person’s users;
  3. order-book exchange services, which bring together orders for buyers and sellers, typically by enabling users to find counterparties, discover prices, and trade, potentially through the use of a matching engine that matches the buy and sell orders from users. However, a platform which only allows buyers and sellers of VAs to find each other and does not undertake any of the services in the definition of a VASP would not be a VASP; and
  4. advanced trading services, which may allow users to access more sophisticated trading techniques, such as trading on margin or algorithm- based trading.”

On the other hand, the Guidance notes that “[f]irms which merely provide ancillary infrastructure to allow another entity to offer this service, such as cloud data storage providers or integrity service providers responsible for verifying the accuracy of signatures, will not normally satisfy this definition” nor would providers of “ancillary services like hardware wallet manufacturers or providers of unhosted wallets”, although each analysis should be fact-based.

Central Bank Digital Currencies

The Guidance states that it does not apply to central bank digital currencies (“CBDCs”) and that these are not virtual assets “as they are digital representation of fiat currencies”. Rather, the FATF considers CBDCs to be fiat currencies and the FATF Recommendations to apply to them on such basis, similar to other forms of fiat currencies.


The Guidance notes that a stablecoin will likely be either a security or a virtual asset and therefore captured by the FATF Recommendations. In addition, the Guidance outlines that a number of entities involved in a stablecoin arrangement, ranging from the central developer/ governance body, to parties that “drive the development and launch of such an arrangement before its release”, to exchanges or custodial wallet services, may be captured as a VASP and that a careful review of the actual arrangement and the roles of each party would be required.


The Guidance states the following in respect of NFTs:

“Digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments, can be referred to as a non-fungible tokens (NFT) or crypto-collectibles. Such assets, depending on their characteristics, are generally not considered to be VAs (Virtual Assets) under the FATF definition. However, it is important to consider the nature of the NFT and its function in practice and not what terminology or marketing terms are used. This is because the FATF Standards may cover them, regardless of the terminology. Some NFTs that on their face do not appear to constitute VAs may fall under the VA definition if they are to be used for payment or investment purposes in practice. (…) Given that the VA space is rapidly evolving, the functional approach is particularly relevant in the context of NFTs and other similar digital assets. Countries should therefore consider the application of the FATF Standards to NFTs on a case-by-case basis.” (our emphasis)

Accordingly, the determination of whether a NFT is a virtual asset will be very fact-based and will depend on the intended use of the asset rather than the nature of the asset itself. This could lead to situations where the same asset may be a virtual asset in some contexts (where it is intended to be used for payment or investment purposes, for example in the case of a collectible that is expected to appreciate in value) and not a virtual asset in others (for example in the case of a collectible acquired for sentimental reasons).


The Guidance notes that various parties involved in an ICO may be a VASP . For example, a token issuer could be a VASP “if it conducts other activities that fall under any limb of the VASP definition (e.g. if they are exchanging the VA for fiat currency or other VAs (limbs (i) and (ii)) or if they are providing liquidity in the VA by acting as a market-maker following the ICO (limb (v)). Businesses providing related financial services to the person’s sale of the VA (e.g., by acting as a broker or dealer for the person), would then be a VASP under limb (v) of the VASP definition, regardless of whether they are formally affiliated with the person.” 

The Guidance also highlights that such activity could be subject to securities laws and that “whether the issuer of the digital asset will be considered a VASP or an issuer of securities will depend on the unique facts and circumstances of the ICO and the laws of the country”. In addition, and relevant in Canada where a virtual asset trading platform may for example be both a securities dealer and a VASP, “[a] person may be engaged in activity that may subject them to more than one type of regulatory framework, and the digital assets used by such a person may similarly be subject to more than one type of regulatory framework.”

DeFi and DApps

The Guidance notes that a “DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the [s]tandards do not apply to underlying software or technology” but “creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. This is the case, even if other parties play a role in the service or portions of the process are automated.” The Guidance therefore puts forward the concept of an “owner/operator” of a DeFi arrangement, noting for example that such owner/operator may exist where “there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or in some cases voting protocols.”

Therefore, the Guidance distinguishes between automation and decentralization and puts forward a broad interpretation of VASPs, which could capture software developers or others who maintain some control over DeFi arrangements.

The Guidance also notes that “[m]arketing terms or self-identification as a DeFi is not determinative, nor is the specific technology involved in determining if its owner or operator is a VASP”.

Multisig Wallet Transactions

The Guidance states that “multi-signature processes are not inherently exempt (see limb (iv) [above]), where a VASP undertakes the activity as a business on behalf of another natural or legal person.” In particular, it states that “[t]he existence of a multi-signature model or models in which multiple parties must use keys for a transaction to happen does not mean a particular entity does not maintain control, depending on the extent of the influence it may have over the VAs.”

Correspondent Relationships (White Label VASP Services and Nested VASPs)

The Guidance notes where a VASP provides VASP services to another VASP or financial institution, such relationship would be characterized as a correspondent relationship and “could also include, for example, one VASP white-labelling its platform functionality to another VASP and also providing nested services (providing accounts to smaller VASPs for access to liquidity and trading pairs)”. The Guidance notes the application of Recommendation 13 (Correspondent banking and other similar relationships) to such relationships.

Unhosted Wallets - Peer-to-Peer Transactions and Application of Travel Rule

The Guidance defines peer-to-peer’ (P2P) transactions as “VA transfers conducted without the use or involvement of a VASP or other obliged entity (e.g., VA transfers between two unhosted wallets whose users are acting on their own behalf” and notes the higher money laundering/ terrorist financing risk associated with such transactions, as they do not involve a regulated entity. The FATF recommends that countries take measures to understand the risks associated with P2P transactions through industry outreach, training of personnel and encouraging the development of methodologies and tools, and then implement appropriate options to mitigate the risks, such as instituting controls (such as reporting requirements) or other requirements, providing for supervision of VASPs and other entities with a focus on unhosted wallet transactions, issuing guidance and/or placing restrictions on such transactions.

The Guidance also notes that regulated entities must still comply with the requirements of the travel rule in the case of transactions involving unhosted wallets (where a VASP is either the originator or beneficiary as applicable), by obtaining “the required originator and beneficiary information from their customer”. 

Other Travel Rule Updates

Transaction Fees Exempt

The Guidance notes that transaction fees (i.e. “the amounts of VA that may be collected by the miner who includes the transaction in a block. It could be called by various names depending on the type of VA, such as gas or block rewards”) are not within scope of the travel rule. Therefore, VASPs do not need to identify the recipient of the transaction fee, because the recipient is not the originator or recipient of the VA transfer itself.” 

In addition, the Guidance notes that “[t]here may also be scenarios where technical reasons means a VASP must send a greater amount of a VA than the actual amount of VA to be transferred, with the difference automatically refunded to the ordering VASP. In such a scenario, the travel rule does not apply to the recipient VASP in respect of the refund, as the refund forms part of the transfer by the ordering VASP.”

Counterparty Due Diligence Requirement

The Guidance also states that a VASP should conduct counterparty due diligence before transmitting the required travel rule information to its counterparty but notes the challenges with complying with such requirements and proposes a multi-step counterparty VASP due diligence process. While this process does not need to be undertaken for every transfer, the due diligence information should be periodically refreshed and updated.

Sunrise Issue Approach

The “sunrise issue” refers to the fact that certain countries will require compliance with the travel rule before other countries. The Guidance recommends that countries adopt a risk-based approach in respect of compliance by a VASP with travel rule requirements and notes that “[r]egardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.”

Information Sharing Among VASP Supervisors

The Guidance notes the FATF Recommendations currently encourage co-operation among supervisors but that “[g]iven the pseudonymous, fast-paced, cross-border nature of VAs, international co-operation is all the more critical between VASP supervisors” . Accordingly, the Guidance proposes certain non-binding Principles of Information-Sharing and Co-operation between VASP Supervisors.

Canadian Implications

While the Guidance is not binding, as a FATF member country, we can expect Canadian policy makers and regulators to carefully review the Guidance and determine how, and to what extent, to best apply the recommendations in a Canadian context, through additional regulatory guidance and/or amendments to the legislation, as applicable.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

[1] The FATF is an intergovernmental policy-making body that was established in 1989. The FATF sets standards and promotes the implementation of legal, regulatory, and operational measures to combat threats to the integrity of the international financial system, including money laundering and financing terrorism.

Fintech cryptocurrency virtual currency FATF Regulatory



Stay Connected

Get the latest posts from this blog

Please enter a valid email address