FATF’s latest Targeted Update Report on Implementation of the FATF Standards on VAs and VASPs[1] stresses that many jurisdictions continue to struggle with the fundamentals of virtual asset regulation, including undertaking risk assessments. We cover here the importance of national risk assessments and how K2 Integrity can help jurisdictions with risk assessment execution and shaping an effective regulatory posture in response to risk assessment findings.
Summary of FATF’s Latest Targeted Update Report
On 9 July 2024, the Financial Action Task Force (FATF) published its fifth update on jurisdictions’ compliance with FATF’s Recommendation 15, which applies anti-money laundering (AML) and counter-terrorist financing (CFT) measures[2] to new technologies, including virtual assets (VAs) and virtual asset service providers (VASPs). The latest update specifically articulates a requirement for countries to undertake a national risk assessment to identify, understand, and assess the risks inherent in VAs and VASPs and ensure that VA activity and VASPs are subject to adequate regulation and supervision, including appropriate, risk-based supervisory inspections of the VASP sector.
The report acknowledges that while some jurisdictions have made progress in terms of developing and establishing AML/CFT regulation that is responsive to the risks of VAs and VASPs, global implementation is still lagging. A substantial number of governments have yet to take any significant steps to regulate their VA/VASP sector, with 75% of jurisdictions either not compliant or only partially compliant with FATF requirements—the same figure reported in 2023, evidencing negligible progress in VA regulation.
Notably, the FATF raised concerns that 75% of jurisdictions have not conducted an adequate VA/VASP risk assessment in line with FATF standards, including 29% of jurisdictions that have performed no VA/VASP risk assessment at all. Furthermore, FATF noted insufficient progress in Travel Rule implementation, with one third of survey respondents stating that they have not yet passed legislation implementing the Travel Rule. Among those jurisdictions that have passed such legislation, supervision and enforcement remain low.
What Is a National Risk Assessment?
The purpose of a national risk assessment (NRA) is to identify and assess the money laundering (ML) and terrorist financing (TF) risks in a jurisdiction, including those emerging from a given activity or sector; in this case, the activities associated with VAs and VASPs. NRAs help identify ML/TF threat actors and vulnerabilities in a given jurisdiction and, in the case of VA activity, help identify VASPs operating in the jurisdiction and assess their risks, virtual asset flows, and connections with high-risk and sanctioned jurisdictions, among other risk elements critical for a comprehensive analysis. Even where jurisdictions seek to curtail VA and VASP activity, it is important to undertake an NRA that covers VA risks given the borderless nature of VAs, the ease with which illicit actors may enter the market without appropriate licensing and registration, and the potential for indirect risk exposure through correspondent banking and customer activity in the traditional finance sector. An NRA typically includes the following components:
- Surveys: Working with the nation’s relevant competent authorities to design and disseminate surveys to key stakeholders, including law enforcement authorities (LEAs), financial institution supervisors, Financial Intelligence Units (FIUs), and private sector entities such as financial institutions (FIs) and VASPs. The objective of the surveys is to gather stakeholders’ unique observations related to VAs, including specific risks and concerns observed during the scope period.
- Stakeholder Discussions and Data Gathering: Holding workshops with public and private sector stakeholders to gather further information about their experiences with VAs and VASPs to inform the risk assessment, including gathering relevant quantitative metrics on VA exposure (e.g., volume and value of VA transactions, number of VASPs, efforts to measure exposure to unlicensed VASP activity, etc.) and qualitative information on risks and risk mitigants through a detailed walkthrough of survey results.
- On-Chain Data Analysis and Use of Blockchain Analytics: Utilizing on-chain information and specialized blockchain analytics tools to help identify, analyze, and understand on-chain risk exposures, particularly with respect to the on-chain activities of VASPs operating in the jurisdiction, including on-chain transaction volumes and flows, exposure to high-risk activity and entities, sanctioned actors, and higher risk jurisdictions.
- Risk Assessment Findings: Developing a written report that outlines the methodology used to measure VA and VASP risk exposure, the identification and assessment of inherent ML/TF risks associated with VA and VASP activity, the assessment of a given jurisdiction’s regulatory environment and its effectiveness in mitigating inherent risk, and a discussion of residual risks that remain after considering the regulatory control environment, as well as providing recommendations for further reducing residual risk based on the findings and observations emanating from the NRA process.
- Workshops to Disseminate Risk Assessment Findings: Upon finalizing the NRA, a country may choose to convene a series of workshops for key public and private sector stakeholder groups to disseminate risk assessment findings and ensure that stakeholders understand the relevant risks to their sector or agency. Such workshops may include training and capacity building, as necessary, to build a greater understanding of the risks and risk mitigation measures associated with VAs and VASPs. Each agency can leverage the results of the NRA to develop tailored action plans that can be used to further mitigate the risks associated with the abuse of VAs and VASPs for illicit activity.
Why Are NRAs Important?
NRAs are not only an FATF expectation but are a prerequisite to the development of an effective, risk-based policy and strategy for VAs and VASPs in a jurisdiction, including an appropriately tailored regulatory and supervisory regime. In the case of VAs and VASPs, a country’s risk profile may vary depending on such factors as the level of VA adoption, the number of VASPs operating in the jurisdiction and nearby regions, and the country’s broader risk of ML/TF, each factor necessitating a set of responsive regulations. NRAs can serve as a diagnostic tool to more efficiently organize a jurisdiction’s rulemaking and supervisory efforts and enable it to allocate resources and strategic priorities to achieve greater impact. NRAs can also be helpful in resetting FIU analytical priorities and law enforcement investigative priorities, leading to the incorporation of new structures and tools to more effectively manage identified risks. Moreover, NRAs can serve as helpful guidance to the private sector by signaling areas of heightened risk and regulatory priority.
How K2 Integrity Can Help
Despite the widely recognized importance of NRAs, countries commonly struggle to perform sound and effective NRAs given the time-intensive and data-intensive nature of these exercises. This is where we can help. K2 Integrity has deep expertise with FATF standards and guidance, has performed VA/VASP NRAs on behalf of a wide range of central banks, FIUs, and national governments, and maintains partnerships with leading blockchain analytics providers, enabling us to tap into deeper intelligence for assessing on-chain risk exposures.
As a case example, K2 Integrity worked with a leading financial center in the Persian Gulf to develop a VA/VASP NRA in accordance with FATF standards. The VA/VASP NRA considered the national ML and TF risk posed to the country by the misuse of VAs and VASPs, considering both threat levels and the effectiveness of preventive and mitigating measures in place throughout the country. The country has since significantly enhanced its VA/VASP regulatory and supervisory regime and continues to lead VA regulatory efforts in the region. Since completing the VA/VASP NRA, K2 Integrity has supported this jurisdiction with its overall VA/VASP AML/CFT strategy, including the issuance of regulatory guidance, training and capacity building, and support with international cooperation efforts.
VA adoption continues to accelerate globally at a rapid pace, including by threat actors that continue to exploit gaps in VA regulation. Isn’t it time to expedite adoption of FATF’s recommendations for the VA sector? The first step is to conduct a VA/VASP NRA.
Speak to K2 Integrity representatives from the Financial Crimes Compliance practice and the Crypto and Digital Asset Solutions practice to learn more about how K2 Integrity can support you in conducting NRAs for the VA/VASP sector.
[1] FATF, Virtual Assets: Targeted Update on Implementation of the FATF Standards on VAs and VASPs, 9 July 2024, https://www.fatf-gafi.org/en/publications/Fatfrecommendations/targeted-update-virtual-assets-vasps-2024.html.
[2] FATF (2012–2023), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, FATF, Paris, France, www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html.