Regulatory frameworks for crypto asset activity have slowly been emerging around the world. Some countries have chosen to enact bespoke legislation (including Malta’s 2018 Virtual Financial Assets Act to the more recent European Parliament’s Markets in Crypto Assets Regulation), while others have adjusted current legislation/regulations (such as India, Australia, and South Korea). Several jurisdictions have chosen to focus primarily on AML, in regulating crypto asset activities, while others have set a wider scope.

There is a clear need for such frameworks, but there is no distinct golden thread of emerging uniformity in the approach. There appears to be various levels of sophistication, scope and focus.

Through these variety of approaches, authorities have sought to offer regulatory clarity given the continuous growth of this sector.

International organisations, regulatory and standard setting bodies (SSBs) have been working arduously to provide global standards for the regulation of the crypto asset ecosystem but there is still a lot of work to be done. In 2021, the International Monetary Fund (IMF) called for comprehensive, consistent and coordinated global standards[i].  This is critical to fully address risks to the financial system from crypto asset activities and to avoid regulatory arbitrage.

While such global standards remain a work in progress, in the interim, standard setting bodies, such as Financial Action Task Force and the International Organisation of Securities Commissions, have been issuing various pieces of guidance and recommendations on the regulation of crypto asset activities. Moreover, international bodies like the Financial Stability Board[ii] (FSB) and IMF have sought to provide high level guidance and recommendations towards achieving a global comprehensive framework.

Understanding these recommendations for the regulation of crypto asset activities, including stablecoin arrangements, will provide insight as to the general approach that will likely be adopted by many jurisdictions.

For ease of reading, I will bifurcate my discussion on this topic into two articles. This article (Part 1) will discuss the recommendations of standard setting bodies and a second article (Part 2) will discuss the recommendations of other key agencies (who are collaborating with the SSBs in developing a framework for regulation of crypto asset activities).

Financial Asset Task Force (FATF)

The FATF was one of the first international standard setting bodies to provide guidance on the regulation of virtual assets by updating its standards in 2018 to extend AML/CFT requirements to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs)[iii], including providing definitions of VAs and VASPs[iv]. In June 2019, FATF adopted an Interpretive Note to Recommendation 15 (of its 40 recommendations) to clarify the applicability of its recommendations in relation to VAs and VASPs[v]. The Interpretive Note addressed, inter alia, matters relevant to an applicable risk-based approach to VA activities and VASPs, the licensing or registration of VASPs, supervision of VASPs for AML and related purposes, due diligence and suspicious reporting; as well as the application of enforcement measures (including sanctions).

In September 2020, the FATF issued a report on VA red flag indicators[vi] to assist with the identification of suspicious activities. The report highlighted red flag indicators relevant to transaction size and frequency, transaction patterns, anonymity, source of funds, and geographic locations. The report noted that the presence of several red flag indicators, in a given transaction, in the absence of a logical business explanation is likely to lead to suspicion of potential criminal activity.

In 2021, FATF issued updated guidance on the applicable risk-based approach for virtual asset activities[vii]. The updated guidance, in the main, provided clarification on the definition of VA and VASPs, highlighted tools available for assessing risks relevant to P2P transactions that do not involve licensed or registered entities, further elucidated on the licensing and registration of VASPs as well as on the implementation of the travel rule; and addressed cooperation and information sharing among VASP supervisors.

One of the key matters clarified by FATF in providing a definition for VAs (for the purposes of implementing AML/CTF measures) is that they are viewed as ‘property’, ‘proceeds’, ‘funds’, ‘funds or other assets’ or a ‘corresponding value’[viii]. 

The FATF has also focused its attention on stablecoins and entities involved in stablecoin arrangements. In June 2020, FATF issued a report to the G20 that addressed stablecoins[ix] and, inter alia, highlighted ML/TF risks associated with same. In its 2021 updated guidance (noted above) FATF included guidance on the applicability of its standards to stablecoins and entities involved in these arrangements.

As other trends continue to emerge in the sector, such as Decentralised Finance (DeFi) and non- fungible tokens (NFTs), it is expected that FATF will provide further guidance for ML/TF purposes.

What does this mean for persons operating in this space?

Regulators, guided by FATF’s recommendations, are likely to focus on inter alia, requiring licensing/registration of VASPs[x], and the imposition of specific requirements on those offering virtual asset activities. Such requirements may include the need for adequate systems, policies and procedures that will facilitate effective monitoring of transactions (as regard to matters such as size and frequency, patterns, anonymity of participants, source of funds and geographic locations) and in that regard be able to identify suspicious transactions.

They are also likely to examine a VASP’s CDD and KYC processes and procedures and its internal controls regarding the implementation of same. Appropriate systems and training to prevent and/or mitigate the occurrence of ML/TF/PF, implementation of appropriate record keeping procedures and any other procedures and controls appropriate for the purposes of mitigating or preventing ML/TF/PF will be of key focus. Regulators will also expect entities to have in place, mechanisms for ensuring its own risk management having regard to matters such as the nature and size of its business as well as risks in relation to customers, geographic regions, services, products, transactions, delivery channels etc.

Much attention has also been placed on compliance with the travel rule. This rule in essence requires persons offering VA services to obtain, hold and transmit required originator and beneficiary information regarding crypto transactions, over a specified threshold, for the purpose of identifying and reporting suspicious transactions, among other things. There has notably been challenges in implementing this rule including the lack of interoperability of various travel rule solutions and, where VASPs engage with counterparties that operate in a jurisdiction that does not impose this requirement[xi]. The FATF in its 2022 report ‘Targeted Update on Implementation of FATF’s Standards on VAs and VASPs’[xii] noted that only 11 jurisdictions have implemented supervisory and enforcement measures. However, there is likely to be an increase in implementation by various jurisdictions soon. For example, Japan[xiii] and the UK[xiv] expect to implement the Travel Rule by May and September 2023 respectively.  

In summary, VASPs will be expected to have in place appropriate systems, mechanisms, policies, and procedures that would facilitate the identification, assessment, management and mitigation of their money laundering and terrorist financing risks.

While different jurisdictions will have tailored and varying requirements for entities conducting VA activities, the above are some key matters that persons operating in the space should be cognizant of, to ensure appropriate compliance.

International Organization of Securities Commissions (IOSCO)

Crypto asset trading platforms

IOSCO, an international body that develops, implements and promotes adherence to internationally recognized standards for securities regulation, has also issued some helpful reports providing guidance on various areas. One such area is in relation to the regulation of crypto asset trading platforms. In its February 2020 report titled ‘Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms[xv]’, it noted that crypto asset trading platforms shared some similarities with traditional trading platforms in terms of issues and risks faced[xvi]. In that regard, focus should be placed on key objectives such as investor protection and confidence, fair and efficient markets, and reduction of systemic risks in regulating such entities. Despite there being similarities, it is recognized that there are likely to be unique matters that ought to be considered given the various models of some crypto asset trading platforms (who tend to offer multiple services such as asset listings, trading, clearing and settlement, custody and wallet provision services). Therefore, consideration may have to be given to an appropriate ‘new, alternative or tailored approach’. 

The IOSCO report highlights key considerations for the regulation of crypto assets trading platforms such as: access to and onboarding of crypto trading platforms (whether intermediated or non-intermediated), the safeguarding of investor assets (including custody arrangements), conflicts of interests, transparency in relation to a crypto asset trading platform’s operations (lack of information could raise market integrity and/or fairness issues), the ability of the trading platform to prevent and/or detect market abuse, effective support of price discovery, resiliency, reliability and integrity of the relevant trading systems (including cyber security resilience), as well as efficient and reliable clearing and settlement of transactions. In addition to these matters, IOSCO emphasizes the importance of cross border sharing of information among regulators to mitigate risks such as regulatory arbitrage.

Of course, there is still more work to be done to truly be able to appropriately regulate crypto asset trading platforms and their activities, including staying up to date with continuous developments in this evolving space. IOSCO recognizes this, given their Crypto-Asset Roadmap for 2022-2023 which identifies work that will be done in relation to issues relevant to market integrity and investor protection.

Stablecoins

IOSCO together with the Committee on Payments and Market Infrastructures (CPMI) issued guidance in July 2022 on the applicability of the Principles for Financial Market Infrastructures to stablecoin arrangements[xvii].

A stablecoin is a type of crypto-asset designed to maintain a “stable” value through either being pegged to a basket of reserved assets (such as commodities and fiat currency) or having its supply regulated by an algorithm.

It is widely acknowledged that stablecoins play a significant role in bridging the traditional fiat currency and crypto asset ecosystems and the use of same has largely stimulated the growth of the decentralized finance world and the activities conducted therein (such as trading, lending and borrowing). 

The IOSCO and CPMI report focuses on clarifying how the principles for financial market infrastructures (PFMI) can appropriately apply to stablecoin arrangements (SAs) that are considered systemically important financial market infrastructures (FMIs). This also includes the entities integral to these arrangements.

Key points noted are that:

(i) Stablecoin arrangements should ensure timely convertibility into traditional currency and in this regard the report speaks to the need for appropriate settlement arrangements that must be clear, certain and final with low liquidity and credit risks; and

(ii) Arrangements should contain appropriate governance with clear and direct accountabilities as to ownership structure and operations, and have in place a comprehensive risk management framework. They also point out that timely human intervention should always be available to supervise the stablecoin arrangement.

Decentralized Finance (DeFi)

IOSCO also published an insightful report on DeFi in March 2022[xviii]. The DeFi ecosystem largely involves the ‘provision of financial products, services, arrangements and activities’ that use distributed ledger technology with the intention of decentralizing traditional financial activities including the use of intermediaries.

The report provides a useful illustration of the DeFi technology stack in four main layers; namely, the settlement, asset, smart contract and application layers. It discusses various aspects of the DeFi ecosystem including the participants within the ecosystem, as well as products and services being offered.

It highlights the main risks associated with DeFi activities, acknowledges the interactions of DeFi with other financial markets; and considers regulatory implications as it pertains to certain actors and activities within the system. In doing, IOSCO notes the involvement of certain central actors including those holding governance tokens that maintain control of the enterprise, as well as the role of certain centralized platforms as the “on-ramp to participation”. These actors are likely to be of focus in any regulatory framework developed for DeFi activities.

In its Crypto-Asset Roadmap for 2022-2023, IOSCO indicates that it will inter alia, focus on emerging trends and risks as well as the applicability of IOSCO principles and standards to activities conducted within the DeFi ecosystem and is expected to issue a second report on DeFi in Quarter 4 of 2023.

What does this mean for persons operating in the crypto space?

Adoption of the IOSCO recommendations/guidance highlighted above, by various jurisdictions, will likely result in impacts:

a.    For crypto asset trading platforms: regulatory requirements such as ensuring the safekeeping of investor assets, the implementation of systems and procedures to monitor and detect market abuse, as well as procedures for the efficient clearing and settlement of crypto asset and fiat currency transactions. Disclosure, cybersecurity, conflict of interests, price discovery mechanisms, governance and risk management requirements are also likely to be included in any regulatory framework for crypto asset trading platforms.

b.    For stablecoin arrangements: convertibility/redemption and an effective stabilisation mechanism will be of key focus for regulators; as well as ensuring appropriate governance and transparent disclosures to investors.

c.     For DeFi: while the IOSCO report did not delve into specific regulatory recommendations, it is likely that regulators will consider crucial matters outlined therein. As such, regulators will be looking at ‘central identifiable actors’ who can be held responsible for activities conducted within the DeFi ecosystem[xix]. For example, concentrated governance token holders who maintain control of the operation and management of a DeFi protocol or those who hold administrative keys to the protocol. Entities that bridge the gap between the traditional market and DeFi ecosystem, such as exchanges, wallet providers, market makers, etc are also likely to be the focus of regulation. As will be discussed in Part 2, the FSB has urged authorities to require compliance with effective rules and regulations regardless of the structure used to conduct crypto asset activities. This is a debatable proposition as some private sector bodies argue that this approach, without further clarification, is neither appropriate nor practical given the nature of DeFi. Regulators may explore innovative ways to apply regulatory requirements for DeFi. For example, by requiring KYC and other due diligence systems to be embedded within the protocol. I look forward to IOSCO’s report on the applicability of its regulatory principles and standards to DeFi. 

Basel Committee on Banking Supervision (BCBS)

The BCBS, the primary global standard setter for the prudential regulation of banks, issued standards for the ‘Prudential Treatment of Crypto Asset Exposures[xx]’ for banks in December 2022, following two consultations in 2021[xxi] and 2022[xxii]. The effect of these newly issued standards (which focuses on managing the risks that crypto assets pose to banks), is to amend the BCBS’ framework for the prudential regulation of banks. It is expected that the standards will be fully implemented by January 2025.

The standards categorize crypto assets into two groups for the purposes of the regulation and supervision of bank activities.

Group 1 includes tokenized traditional assets (i.e. dematerialized securities issued through DLT or similar technologies) and crypto assets with effective stabilization mechanisms (i.e. stablecoins), that meet the four classification conditions. Namely, (a) that it has adequate reference assets at all times (in this regard, group 1 stablecoins must pass a redemption risk test which essentially ensures that reserve assets are redeemable at all times for its peg value, including during stress periods); (b) interests/obligations/rights assigned are clear and legally enforceable; (c) the assets’ underlying network adequately manages and mitigates material risks; and (d) the redemption, transfer storage, settlement etc. must be executed by entities that are subject to appropriate risk management standards and have in place a sound governance framework, among other things.

Group 2 includes crypto assets that do not meet the classification conditions (noted above) such as, tokenised traditional assets and stablecoins with ineffective stabilisation mechanisms as well as unbacked crypto assets. Group 2 is subdivided into two groups, those assets where a limited degree of hedging is permitted and those where hedging is not recognized. Since assets in Group 2 pose higher risks compared to Group 1 assets, they are subject to a prescribed conservative capital treatment.

Banks must also adhere to the exposure[xxiii] limit for group 2 crypto assets, which must not exceed 2% of their Tier 1 capital, and ideally should be lower than 1%. An exposure exceeding 1% will result in a more conservative Group 2b capital treatment being applied to the amount above the 1%.

Other key elements of the BCBS’ standards include an infrastructure risk add-on[xxiv]; a supervision/regulation requirement, descriptions of how the operational risk, liquidity, leverage ratio and large exposures requirements should be applied to banks’ crypto asset exposures; a supervisory review process; and disclosure requirements.

Furthermore, the standards require that banks have in place adequate risk management[xxv] and governance policies and procedures; as well as human and IT capacities to continually assess the risks of engaging with crypto assets.

The BCBS recommends powers for supervisors including the ability to override a bank’s classification decisions if not appropriately assessed by the bank (in the opinion of the supervisor), implementing additional capital charges (where appropriate), provisioning and/or imposing supervisory limits or other mitigation measures.

What is the impact of the above standards?

While not enforceable until adopted/transposed into domestic regulations, industry should be prepared for the gradual implementation of these standards by regulators. Banks should prepare to comply with the above noted requirements and take same into account when determining their business and capital strategies going forward.

Conclusion

The above noted recommendations by these key SSBs, provide insight as to the likely components of the regulatory framework that will be adopted by most jurisdictions. They address some crucial elements of the crypto asset ecosystem where risks emanate; and if unregulated, could cause negative consequences not only in the crypto asset sector but possibly beyond. Although useful for the regulation of various aspects of the crypto asset sector, they paint a fragmented picture as they focus on specific activities and risks, and may not address broader implications of this growing sector.

International bodies like the IMF have sought to provide guidance for the creation of a comprehensive framework, in addition to the various areas addressed by the SSB’s. Both aspects play a crucial role in determining an effective and appropriate regulatory regime. 

In Part 2 of this topic, I continue this discussion in looking at the recommendations of the FSB and IMF and consider the utility of same for the development of an effective regulatory regime for the crypto asset sector.

References and Notes

[i] See IMF Blog: Global Crypto Regulation Should be Comprehensive, Consistent, and Coordinated- https://www.imf.org/en/Blogs/Articles/2021/12/09/blog120921-global-crypto-regulation-should-be-comprehensive-consistent-coordinated

[ii] The FSB Proposals remain in draft (for the purpose of consultation) but it expected to be finalized in July 2023.

[iii] Of course, the conversation on the risks of virtual assets started a few years before this: see for example FATF (2014): ‘Virtual Currencies Key Definitions and Potential AML/CFT Risks’, FATF, Paris and FATF (2015): ‘Guidance for a Risk-Based Approach to Virtual Currencies’, FATF, Paris.

[iv] There are many great articles already written on the FATF’s definition of VASPs so I will not expound here. See for example Notabene’s article ‘Virtual assets (VAs) and virtual asset service providers (VASPs): what are they?’: https://notabene.id/crypto-travel-rule-101/vasps-virtual-asset-service-providers.

[v] See FATF Note: ‘Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers’, June 2022.

[vi] FATF (2020), Money Laundering and Terrorist Financing Red Flag Indicators Associated with Virtual Assets, FATF, Paris, France,

https://www.fatf-gafi.org/en/publications/Methodsandtrends/Virtual-assets-red-flag-indicators.html

[vii] FATF (2021), Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers,

FATF, Paris,

https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Guidance-rba-virtual-assets-2021.html

[viii] Pavlidis, G. (2020), "International regulation of virtual assets under FATF’s new standards", Journal of Investment Compliance, Vol. 21 No. 1, pp. 1-8. https://doi.org/10.1108/JOIC-08-2019-0051

[ix] FATF (2020), FATF Report to the G20, FATF, France,

www.fatf-gafi.org/publications/virtualassets/documents/report-g20-so-called-stablecoins-june-2020.html

[x] Indeed, many have already begun to implement same, in some cases amending relevant laws and regulation or introducing bespoke legislation.

[xi] https://www.thebanker.com/Banking-Regulation-Risk/FATF-s-Travel-Rule-faces-implementation-issues .

[xii] FATF (2022), Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs, FATF, Paris, France, www.fatf-gafi.org/publications/fatfrecommendations/documents/targeted-update-virtual-assets-vasps.html

[xiii] https://asia.nikkei.com/Spotlight/Cryptocurrencies/Japan-cryptocurrency-transfer-rules-take-aim-at-money-laundering

[xiv] https://www.legislation.gov.uk/uksi/2022/860/made?view=plain

[xv] February 2020: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD649.pdf

[xvi] IOSCO starts with the position that where trading platforms trade crypto assets which may be deemed as securities and they fall under the relevant regulatory jurisdiction then, it is sensible to apply securities regulation principles.

[xvii] Application of the Principles for Financial Market Infrastructures to stablecoin arrangements (bis.org)

[xviii] IOSCO Decentralized Finance Report: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD699.pdf

[xix] It is often the case that DeFi protocols are not as distributed as they may first appear. Indeed, in most cases governance is often concentrated in a small group of development team members, investors or large governance token holders.

[xx] BCBS, Prudential treatment of cryptoasset exposures (Dec. 16, 2022), https://www.bis.org/bcbs/publ/d545.htm.

[xxi] BCBS, Prudential treatment of cryptoasset exposures (June 10, 2021), https://www.bis.org/bcbs/publ/d519.htm.

[xxii] BCBS, Prudential treatment of cryptoasset exposures - second consultation (June 30, 2022), https://www.bis.org/bcbs/publ/d533.htm.

[xxiii] The term “exposure” referenced in the standards includes on- or off-balance sheet amounts that give rise to credit, market, operational and/or liquidity risks: BCBS, Prudential treatment of cryptoasset exposures (Dec. 16, 2022).

[xxiv] This is meant to cover infrastructure risk for all Group 1 cryptoassets to be implemented by authorities based on observed weaknesses in the cryptoassets’ infrastructure: BCBS, Prudential treatment of cryptoasset exposures (Dec. 16, 2022).

[xxv] Banks should consider cryptoasset technology, communication, ICT, cyber risks, legal, money laundering and financing of terrorism, and valuation risks in designing an appropriate risk management framework.