Jurisdictional approaches to crypto regulation fall into four broad categories. The first is that adopted by a small number of countries including Saudi Arabia and Afghanistan which have banned cryptocurrencies outright. The second approach is to severely restrict the use of cryptocurrency, for example China which prohibits the trading of cryptocurrencies and their use for payment as well as initial coin offerings (ICOs). The third category comprises countries that have created specific regulatory frameworks for cryptocurrencies – for example Japan, Malta and Thailand. However, the regulation that has been introduced relates mainly to imposing licensing requirements on crypto intermediaries – that is the entities that trade or provide other services in relation to cryptocurrencies. Lastly, the final category of jurisdictions – which is the majority – are those like Hong Kong, the US and the UK which regulate cryptocurrencies to the extent they fall within existing categories of regulated financial instruments, such as securities, commodities or e-money. Some of these regulatory authorities have issued guidance classifying cryptocurrencies according to their characteristics and economic purpose (such as the UK Financial Conduct Authority (FCA)). This approach has advantages – adopting a “wait and see” approach to cryptocurrency regulation allows this emerging asset class to develop while knee-jerk imposition of regulation risks stifling innovation, as has been seen to some extent in the US. The downside of trying to regulate cryptocurrencies under existing regulatory frameworks is that shoe-horning these very diverse assets into categories of investments created many years ago for traditional investments has led to a lot of uncertainty as to how the regulations apply. There are arguments for a more nuanced approach to regulating cryptocurrencies.

Regulatory Status Of Cryptocurrencies

The International Monetary Fund published a report on crypto regulation in December 2019 [1] recommending that while cryptocurrencies continue to evolve, regulatory authorities should consider pursuing a “proactive and holistic approach to regulation” based on a comprehensive assessment of the risks. The report outlines the IMF’s view that there is a need for international cooperation in the crypto space and the need for risk-based and proportional regulation.

Part of the difficulty facing regulators is the speed of evolution in cryptocurrencies and their uses which is being driven by factors as diverse as customer preference, regulation, competition, developments in technology, speculation and privacy and security concerns. Bitcoin, the first ever cryptocurrency, was launched in January 2009 as an alternative means of payment and has evolved into a store of value, hedging and speculative investment tool. As those of you who follow Bitcoin prices will know, 2020 was quite a year. The turmoil that hit financial markets in March 2020 delivered one of Bitcoin’s worst months on record, with prices falling to around US$3,600, which was Bitcoin’s worst month since the crash at the end of 2018.[2] Prices then recovered and on 16 December 2020, Bitcoin’s price passed US$20,000 for the first time ever – a surge of more than 400% from the March low point.[3] On 3 January 2021, Bitcoin reached an all-time high above US$34,000. Its soaring valuation is being attributed to increasing institutional interest as investors hedge against inflation.[4] This also comes against a backdrop of US dollar weakness, US China tensions and, of course, COVID-19 leading cryptocurrency advocates to dub Bitcoin the new gold after periods when both rallied in tandem.[5]

There are now approximately 8,164 cryptocurrencies with a total market cap. of over US$893 billion as at 4 January 2021. These include payment tokens, ICO tokens, stablecoins, security tokens and more. The largest by far is Bitcoin, which with a market cap of over US$614 billion on 4 January 2021, is now more valuable than many publicly traded companies. 18.59 million Bitcoin were in circulation and 24-hour trading volume was over US$81.6 billion on 4 January 2021.[6] Ethereum and Tether ranked second and third with a market capitalisation of US$116.5 billion and US$21.3 billion, respectively, on 4 January 2021.[7]

The number of consumers holding cryptocurrencies has also risen significantly with the highest rates of cryptocurrency ownership and use found in Africa, particularly Nigeria and South Africa, Latin America – where Brazil, Colombia and Mexico have crypto adoption rates of between 18 and 20% – and Asia, particularly Vietnam, according to a recent survey by Statista.[8] The high cost of transferring money cross border has led many offshore workers to turn to cryptocurrency exchanges to send funds back to their families. Currency instability is also driving cryptocurrency adoption in Africa and Latin America. The lowest rates of crypto use are in English-speaking and European countries. The Bitcoin ATM industry has grown since April 2019. 1,200 new Bitcoin ATMs were installed worldwide between January and April 2020, bringing the total number to 7,500,[9] and as of 1 November 2020, this number had reached 11,497.[10]

In a further sign that cryptocurrencies are entering the mainstream, institutional interest in cryptocurrency sky-rocketed in 2020. In July 2020, Fidelity reported that some 36% of institutional investors worldwide own crypto, while 60% were actively looking at crypto investment,[11] with Evertas, the world’s first cryptoasset insurance company, attributing the increase in institutional interest to an improved regulatory environment, more mainstream fund managers/financial services companies entering the crypto market and increased choice in terms of cryptoasset focused investment vehicles (to name but a few factors).[12] JPMorgan’s Global Markets Strategy report released in October 2020 further suggests that corporate endorsement of cryptocurrency (in particular PayPal) is propagating demand,[13] and this is supported by the finding that 0.5% of all Bitcoin in circulation is held in the treasuries of publicly traded companies,[14] notably NYSE-listed Square Inc. and NASDAQ-listed Microstrategy. Square Inc. recently allocated 1% of its total assets into Bitcoin and Microstrategy invested US$425 million in Bitcoin and made it the company’s primary treasury reserve asset.[15]

As regards the levels of institutional holdings being seen, Coinbase, a US-based cryptoexchange, found that their institutional assets under custody had grown three-fold since April 2020 from US$6 billion to US$20 billion as of November 2020,[16] and JP Morgan’s calculations indicate that Bitcoin currently accounts for around 0.18% of family office assets (this compares to 3.3% for gold ETFs).[17] JPMorgan has even gone so far as to suggest that gold may suffer for years because of the rise of cryptocurrencies, a trend that is already unfolding. For example, the Grayscale Bitcoin Trust has seen significant inflows (around US$2 billion) since October 2020, compared to outflows of US$7 billion for ETFs backed by gold.[18]

Meanwhile, according to a 9 December 2020 press release, Standard Chartered (in collaboration with Northern Trust) is launching a cryptocurrency custody solution tailored to institutional investors (dubbed “Zodia Custody”), a platform which aims to enable institutions to invest in crypto assets. The platform is expected to launch in London in 2021.[19]

We have also seen a number of traditional finance players launching cryptocurrencies. JP Morgan, long a staunch critic of crypto, became the first US bank to launch a cryptocurrency in February 2020 with the launch of its JPM Coin which is pegged to the US dollar. Unlike Bitcoin, the JPM coin operates privately and enables instantaneous international payment transfers between its institutional clients, replacing wire transfers.[20] Goldman Sachs is reportedly looking to follow JP Morgan’s lead with the issue of a Goldman coin following the firm’s recent appointment of a new global head of digital assets[21] who envisages that crypto will cause a radical shakeup of traditional finance within 5 to 10 years, will all financial assets and liabilities on blockchain and everything that today is done physically being done digitally, creating huge efficiencies in debt issues, loan origination, IPOs and securitisation.

Interest in decentralised Finance or DeFi also surged in 2020. The opposite of traditional centralised finance or CEFI, DeFi is disrupting traditional market activities such as lending and securities trading by removing the intermediaries (brokers, banks etc.). Instead, transactions are conducted on decentralised open-source networks using smart contracts, cutting costs and improving security.

An example of a DeFi project is MakerDao – a decentralised finance platform that allows borrowers to provide cryptocurrencies as collateral for loans of stable coins called dai that are pegged to the US dollar. According to statistics from DeFi Pulse, over US$7.7 billion is tied up in the DeFi market, with about US$4 billion of that having been added in the past few months. Many of the DeFi products facilitate lending and borrowing. Others, such as Uniswap, are automated market makers (AMMs) – smart contracts that create a liquidity pool of tokens that are automatically traded by an algorithm rather than an order book.


Interest in stablecoins has surged during the pandemic making them a key driver of mainstream crypto adoption. A stablecoin is a cryptocurrency designed to be resistant to the price volatility associated with cryptocurrencies such as Bitcoin and Ether. Typically, stablecoins are backed by a reserve of real assets, typically fiat money (e.g. US dollars) or a basket of currencies, bonds, assets like gold or oil, or a mixture of assets. Examples include Tether’s USDT which claims to be fully backed by US dollars and CNH – Tether’s offshore Chinese yuan backed stablecoin. The value of these stablecoins is locked relative to the reserve currency.

Between March and July 2020, the number of stablecoins doubled to 12 billion, having taken 5 years to reach 6 billion in March 2020.[22] US dollar-backed stablecoins in particular saw a boom in this period: the market cap of Binance USD (BUSD), for example, rocketed 176% to US$188 million in the first 27 days of March 2020.[23] The success of stablecoins in 2020 was boosted by the volatility of traditional asset prices, but how they fare once volatility subsides obviously remains to be seen. 2020 saw a number of developments in stablecoins, with many tapping into the e-commerce space. The end of August 2020 saw the first e-commerce payment using a bank-issued stablecoin – Sygnum Bank’s Digital Swiss Franc (DCHF) – which was used to make a payment on Galaxus, a leading Swiss online retailer.[24]

JP Morgan’s JPM Coin is another example of a stablecoin. On September 9th 2020, Fnality – a stablecoin project across 13 global banks spearheaded by UBS Group – under development for over 5 years, predicted that it would receive regulatory approval for its “UtilitySettlementCoin” by the second quarter of 2021. The project aims to establish a network featuring tokenised US dollars, Japanese yen, Euros, Canadian dollars and the British pound sterling.

Facebook’s Libra

Facebook’s planned launch of Libra – a global digital currency backed by different currencies and government debt was supported originally by over 20 companies including Visa, Mastercard, ebay and uber. However, it ran into problems with regulators which resulted in some of its biggest backers dropping out. The original proposal was subjected to intense regulatory scrutiny given the possibility of Facebook’s 2.5 billion users adopting the cryptocurrency, threatening regulators’ control over money.[25] In an effort to woo regulators, the original plans were scrapped and the planned Libra 2.0 is reportedly planning to launch as early as January 2021. Reportedly a single coin backed one-for-one by the US dollar will launch in early 2021, with other currencies and the composite launching at a later date.[26] Launch is however subject to regulatory approval (by the Swiss Financial Market Supervisory Authority (FINMA)).

Central Bank Digital Currencies

Central bank digital currencies or CBDCs are another major development which, if they come to fruition, may eliminate the need for stablecoins. The International Monetary Fund’s survey of CBDC research[27] published in June 2020 noted that the two primary objectives of central banks exploring the potential issue of a CBDC are: (i) improving financial inclusion; and (ii) maintaining the central bank’s relevance in the monetary system. Other objectives include reducing costs and increasing the efficiency of payment systems

China looks set to be the first to launch a digital version of its national currency. The People’s Bank of China began trials of China’s digital yuan in four major cities in April 2020 and it was recently reported (on 17 December 2020) that Hong Kong’s HKMA is in talks to pilot-test China’s digital yuan.[28] This would be quite significant if it goes ahead as it would be the first time that the digital yuan would be used outside the Mainland and the first application of the digital yuan to cross-border payments.

However, China’s digital yuan differs from typical cryptocurrencies in that it is not a separate currency on a decentralised market. Rather the digital yuan will represent the digitalisation of a portion of China’s monetary base. The Chinese Government is also reported to be planning a stablecoin backed by a basket of four Asian digital currencies (the Yen, Wong, Yuan and Hong Kong Dollar), to stimulate trade between China, Japan, Korea and Hong Kong and improve cross-border payments.[29]

Risks Associated with Virtual Assets

Regulators have generally been slow to regulate this space. This is despite a number of concerns related to the risks associated with cryptocurrencies and the general perception of the potential for the distributed ledger technology (DLT) underlying cryptocurrencies and cryptocurrencies themselves to deliver significant benefits.

Risks and Benefits

As the IMF report on crypto regulation highlights, regulation needs to be considered in the light of the risks associated with cryptocurrencies which include the following:

  • Fraud – widespread fraud was a major factor in China imposing a ban on ICOs in September 2017. A statement on the website of the People’s Bank of China claimed that some 90% of ICOs conducted were fraudulent and in 2019, China saw a US$42 billion Bitcoin scandal play out. PlusToken scandal, a scandal that was estimated to be worth more than US42 billion. Meanwhile, in the UK, the High Court ordered the closure and winding-up of GPay, a cryptocurrency platform which scammed traders through fake celebrity endorsements. It was reported that GPay had lost US$1.96 million of investor funds.

  • Financial crime – the risk of cryptocurrencies being used for money-laundering and terrorist financing. However, the Financial Action Task Force notes in its June 2020 report that use of cryptocurrencies in detected money laundering and terrorist financing cases is relatively small compared to the use of traditional financial services and products.

  • Security and security breaches are a key concern – cyber-attacks resulting in crypto exchanges being hacked and cryptocurrencies being stolen are common. Japan, one of the world’s most active markets for cryptocurrency trading, has experienced a series of major hacks resulting in the theft of some US$580 million worth of cryptocurrencies from the Japan-based Coincheck and Zaif exchanges in 2018. In 2019, more than US$290 million worth of cryptocurrencies and over half a million customer user logins were stolen from cryptocurrency exchanges worldwide.[30]

  • Risk of misselling and other market-abuse activities such as ‘pump-and-dump’ schemes.

  • General risk of failure – many ICO issuers are start-ups which have a high failure rate. Consumer protection concerns have focused on the quality of information provided to investors and whether ICOs are suitable investments for retail investors.

  • Volatility. For example, Bitcoin’s price reached a then high of US$19,665 in December 2017 – up 1,824% from its price at the start of 2017 and then crashed to just US$4,000 by the end of 2018.

On the other hand, cryptocurrencies offer significant benefits. Virtual assets which act as a means of exchange (e.g. Bitcoin) can provide more efficient and cheaper transactions, e.g. in international transfers. As originally conceived by Satoshi, Bitcoin was intended as a “purely peer-to-peer version of electronic cash [that] would allow online payments to be sent directly from one party to another without going through a financial institution” (according to Bitcoin’s 2008 whitepaper). Published during the 2008 global financial crisis, Bitcoin’s whitepaper offered up an alternative to the traditional banking sector and financial access for the world’s unbanked populations. The World Bank’s latest (2017) Global Findex Database found that 1.7 billion adults do not have a bank or financial services account – although around 2/3 of them own a mobile phone. Bitcoin was thus envisaged as a means of providing a cheap and fast payment mechanism which could operate cross-border with far greater efficiency than was possible through traditional banks, while eliminating the possible risk of a failure of the financial system. Satoshi did not however foresee that Bitcoin would become a ‘store of value’ or ‘investment’ which people would buy for speculative purposes rather than its use value. The different uses of virtual assets, and the fact that their actual use can be very different from the use intended by their creator, are among the factors making the regulation of virtual assets so challenging. Moreover, when used as a capital-raising method in ICOs, virtual assets can support innovative business models which may have access to traditional fund-raising avenues.

FATF Standards

The most significant regulatory development to date comes from FATF – the setter of international standards on anti-money laundering (AML) and counter-terrorist financing (CTF). FATF has revised its Recommendations – the global standards on AML and CTF – to explicitly require member countries (which include Hong Kong) to:

  • Regulate virtual asset service providers or VASPs for AML and CTF purposes;

  • License or register VASPs; and

  • Subject VASPs to effective systems for monitoring and supervision (revised FATF Recommendation 15).

As of June 2020, 32 regulatory authorities had introduced regulation of VASPs, 3 had prohibited VASPs and 19 had not yet implemented a VASP regulatory regime. As for Hong Kong, the Financial Secretary’s 2020–2021 budget speech stated that the Government would consider extending Hong Kong’s AML/CFT regime to cover virtual asset service providers as required by FATF’s Recommendations.[31] The FSTB subsequently published a consultation on 3 November 2020 outlining proposals to introduce a new licensing regime for virtual asset exchanges under Hong Kong’s anti-money laundering legislation (the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (the AMLO). This new regime would require the licensing of virtual asset exchanges that are not currently required to be licensed under the Securities and Futures Ordinance (the SFO) (because they trade virtual assets which are not within the statutory definitions of “securities” or “futures contracts”). Presently, the AMLO only applies to financial institutions (including HKMA-authorised institutions, such as banks, and SFC-licensed corporations) and “designated non-financial businesses and professions” (e.g. lawyers, public accountants, and trust and company service agents). Unless they are licensed by the SFC, crypto currency exchanges and OTC trading desks are not currently subject to the AMLO.

FATF Definitions of Virtual Assets and VASPs

FATF defines a virtual asset as a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. This definition explicitly excludes digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

Virtual asset service providers or VASPS are defined as any person who is not covered elsewhere in the Recommendations and conducts any of the following activities as a business on behalf of another person:

  • exchanges virtual assets and fiat currencies;

  • exchanges different forms of virtual assets;

  • transfers virtual assets (i.e. conducts a transaction that moves a virtual asset from one virtual asset address or account to another);

  • provides safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

  • participates in and provides financial services related to an issuer’s offer and/or sale of a virtual asset.

VASPs thus include cryptocurrency exchanges, providers of certain types of crypto wallets and providers of financial services for ICOs.

June 2019 FATF Updated Guidance

In June 2019, the FATF updated its Guidance on Virtual Assets and related Service Providers [32] and issued an Interpretive Note to Recommendation 15 on New Technologies (INR. 15) clarifying how its AML and CFT standards apply to virtual assets.

Application to Countries and regulatory authorities

INR.15 imposes binding measures on member countries for the regulation, supervision and monitoring of virtual asset service providers. In particular, it requires countries to:

  • apply a risk-based approach to financial activities involving virtual assets and VASPs to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. Countries should require VASPs to identify, assess, and take effective action to mitigate their money laundering and terrorist financing risks;

  • require the licensing or registration of VASPs incorporated or established in their jurisdiction and natural persons who carry on VASP business in their jurisdiction. Jurisdictions may also require the licensing or registration of VASPs which offer products and/or services to customers in, or conduct operations from, their jurisdiction;

  • ensure that VASPs are subject to adequate regulation and supervision or monitoring from an AML/CFT point of view and that VASPs effectively implement the relevant FATF Recommendations. VASPs should also be subject to effective systems for monitoring and ensuring their compliance with national AML/CTF requirements and should be supervised by a competent authority;

  • apply all FATF preventative measures, including (without limitation) customer due diligence, record keeping, suspicious transaction monitoring to VASPs. Customer due diligence is required for transactions above US$ or EUR 1,000;

  • designate a competent authority – not a self-regulatory body – to be responsible for VASPs’ licensing or registration, monitoring and supervision;

  • require competent authorities to:

    • take necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function, in a VASP; and

    • take steps to identify persons carrying on activities in virtual assets without the necessary licence or registration, and impose appropriate sanctions;

  • empower competent authorities to ensure VASPs’ compliance with AML and CTF obligations, including the authority to conduct inspections, compel the production of information and impose sanctions; and

  • have a range of effective, proportionate and dissuasive sanctions to deal with VASPs that fail to comply with their AML/CTF obligations, including powers for supervisors to withdraw, restrict or suspend VASPs’ licence or registration. Sanctions should apply to VASPs, their directors and senior management.

FATF also allows countries to prohibit virtual asset activities or VASPs to support other policy goals, such as consumer protection and monetary policy.

Application of FATF Guidance

The FATF Recommendations do not apply to a person who is not engaging in the various activities as a business for or on behalf of another person. Accordingly, an individual who uses virtual assets to purchase goods or services on their own behalf is not a VASP.

Further, depending on a jurisdiction’s local laws, a virtual asset trading platform may not be a VASP if it simply provides a forum for buyers and sellers of virtual assets to post bids and offers and the parties trade at an outside venue (e.g. through individual wallets or wallets not hosted by the trading platform). However, if the platform facilitates the trade by buying the virtual assets from the seller and selling them to the buyer, it will be conducting exchange and/or transfer activity as a business on customers’ behalf and will thus be a VASP subject to the requirements. Closed-loop items that are non-transferable, non-exchangeable and non-fungible such as airline miles and credit card rewards are also outside the scope of the VASP regulatory controls.

The “Travel Rule”

One of the most controversial provisions is the “travel rule” which requires countries to ensure that originating VASPs:

  • obtain and hold the required originator and beneficiary information (including the name and account number of the originator and beneficiary and the originator’s identification number);

  • transmit the information to the beneficiary VASP or financial institution (if any); and

  • make the information available on request to the appropriate authorities.

To comply with the travel rule, VASPs need to be able to identify when they are transacting with another VASP, as opposed to a private wallet and whether the counterparty VASP is licensed or registered in a jurisdiction and adequately supervised for AML/CTF purposes. Conducting timely counterparty due diligence in a secure manner is proving to be a challenge and one suggestion is for the creation of a global list of VASPs which would be accessible through a central database or through an API which connects to each jurisdiction’s list. The creation of a global list raises a number of challenges such as who would be responsible for ensuring the accuracy and security of the information. Another difficulty is that peer-to-peer transfers not involving a VASP or financial institution are not explicitly subject to AML/CTF obligations leaving VASPs uncertain as to how they should transact with private or unhosted wallets.

FATF’s June 2020 Report[33] notes that there has been less implementation of the travel rule than other AML/CTF requirements and that several jurisdictions saw the travel rule as a significant challenge to implementing the revised Recommendations. FATF however did not consider the issues raised around technology solutions to be fundamental barriers to adopting the travel rule.

Implementation Requirement of the FATF Recommendations

When the FATF revised its Recommendations to cover virtual assets in June 2019, its expectation was that member countries should apply them promptly to virtual asset activities and service providers. In its 12 Month Review[34] of the implementation of the Recommendations published in June 2020, FATF noted that 24 FATF members and 8 members of FATF-Style Regional Bodies (FSRBs) had introduced a regulatory regime regulating VASPs and one FATF member and 2 FSRBs had prohibited VASPs. 19 jurisdictions (13 FATF members and 6 FSRB members) had not yet implemented a regime regulating VASPs. Most jurisdictions which have introduced new legislation to regulate VASPs did so by adding VASPs as an obliged entity under their existing law.

An example of regulation aimed at FATF compliance is the European Union’s (EU) fifth money laundering directive (5MLD) which requires virtual asset service providers to be registered, and meet the requirements of the EU’s anti-money laundering regime. EU member states were required to implement the requirements of the fifth money laundering directive into local law by 10 January 2020. Subsequently, the 6th Anti-money Laundering Directive (6MLD) entered into force. Member states were required to transpose the 6MLD into national law by 3 December 2020, while all relevant financial institutions have 6 months (that is until 3 June 2021) to implement it.

The main updates to the AML regime under the 6MLD include:

  • a harmonised definition of money laundering offences;

  • an enhanced definition of “criminal activity” which has been narrowed down to 22 predicate offences (offences which enable more serious crimes such as money laundering or terrorist financing);

  • an increase in the minimum prison sentence for natural persons for money laundering offences from one year to four years; and

  • the extension of criminal liability to legal persons. This means that organisations operating in EU member states may be held criminally liability for failure to prevent illegal activity conducted by a “directing mind” within the company. The sanctions and penalties include disqualifications from commercial activities, undergoing judicial supervision and temporary or permanent closure of establishments.

The 6MLD also encourages the member states to collaborate in prosecuting firms/individuals in an effort to enhance enforcement. For example, the 6MLD prescribes that where a money laundering offence has occurred within the jurisdiction of more than one member state, the members states involved should cooperate in deciding which member state should prosecute it. The 6LMD provides factors for member states to consider for making this determination. These include: where the offence was committed, the nationality/residency of the offender, country of origin of the victims and the territory where the offender was found.

It is interesting to note that the UK has decided to opt out of complying with the 6MLD on the basis that, in the UK Government’s view, the UK’s domestic legislation already goes much further. Any UK businesses operating in the EU will however be required to comply with the requirements of the 6MLD.

Singapore has also passed legislation, the Payment Services Act of January 2019, which requires entities providing virtual asset dealing or exchange services to be licensed by the Monetary Authority of Singapore (MAS). The detailed AML/CTF requirements applicable to licensees are being imposed by notices issued by the MAS under the Monetary Authority of Singapore Act. In Hong Kong, crypto exchanges which are licensed by the SFC are required to comply with anti-money laundering and counter-terrorist financing obligations under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance and are specifically required to comply with any updates to the FATF Recommendations relating to virtual assets including INR15. Hong Kong currently only requires crypto exchanges to be licensed if they trade at least one cryptocurrency that is a “security” or “futures contract”. However, it is currently consulting on introducing a new licensing regime which will require crypto exchanges to be licensed even if they only trade cryptocurrencies that are not securities. These exchanges will also be subject to AML and CTF obligations under the AMLO.

Trends in Use of Virtual Assets for ML/TF purposes

Money laundering and terrorist financing is a risk associated with cryptocurrencies and understanding the trends in the use of virtual assets for these purposes is important in better understanding and effectively tackling these challenges.

The FATF has observed that in most detected cases, generally, only one type of virtual asset was used. Where more than one type of virtual asset was used, this typically involved the layering of illicit proceeds. Other than being used in money-laundering activities and commission of predicate offences, virtual assets were also used in fund-raising activities for terrorism and to evade financial sanctions. The most prominent typology observed in the detected cases was the use of virtual assets as a way of layering, possibly due to the ease of rapid transfer. Among the offences involving virtual assets, the most prevalent offences were narcotics-related and fraud offences.

The FATF has observed that the dominant trends in the virtual asset money-laundering or terrorist-financing risk landscape since June 2019 include:

  • the use of VASPs registered or operating in jurisdictions that lack effective AML/CFT regulation and the use of multiple VASPs (local and/or overseas); and

  • the continued use of tools and methods to increase the anonymity of transactions. This includes the use of registering domain names and using domain name service providers which redact the identity of the true owners of the domain name.

Both trends make it more difficult to track and trace the transaction trail. In response to the ongoing COVID-19 pandemic, FATF jurisdictions have also observed the increased use of virtual assets to move and conceal illicit funds. For example, in one case, there was a report of virtual assets being used to launder proceeds earned from selling COVID-19 medicines.

Stablecoins – Increased ML/TF Risks

The risk landscape has also been impacted by the increased use of stablecoins and the recent proposals for the worldwide adoption and mass production of stable coins. The FATF’s main concerns are that mass-adoption could lead to a substantial increase in the number of anonymous peer-to-peer virtual asset transactions occurring via unhosted wallets, since peer-to-peer transactions that do not involve the use of a VASP or other AML/CFT-regulated entity are not explicitly covered by the revised FATF Recommendations. A rapid expansion in the number and value of transactions not subject to AML/CFT controls under the revised FATF Recommendations would then present a material ML/TF vulnerability. Therefore, the FATF urges jurisdictions to analyse and address risk in a forward-looking manner and ensure that they have all the necessary tools and authorities in place before they are needed. Otherwise, enforcement can be challenging, particularly given the cross-border nature of transactions.

FATF and Stablecoins

FATF’s concerns from an AML/CTF perspective in relation to stablecoins include those referred to below.


As with other virtual assets, anonymity is also a concern with stablecoins. In short, the concern stems from the fact that (as with other virtual assets) stablecoins have public, permissionless, and decentralised ledgers. Although the transaction ledger may be accessible and records transactions, the ledger may not record any customer identification information. As such, the FATF Recommendations are aimed at addressing these issues by placing certain AML/CTF obligations on VASPs which carry out these financial activities.

Global reach

The global reach of stablecoins heightens the AML/CFT risks. With the tendency of stablecoins to be mass-adopted, these risks are increased exponentially. While virtual assets are in certain circumstances used for cross-border transactions, the FATF Report notes that this is not a widely adopted practice due to the fact that virtual assets are not recognised or adopted in many jurisdictions, but also in part due to their volatility. However, stablecoins seek to make payments faster, cheaper and more efficient for cross-border payments and transfers. From an AML/CFT point of view, cross-border transfers are thought to pose a greater risk than domestic transfers. As such, cross-border transfers are subject to additional AML/CFT measures pursuant to FATF Recommendation 16. This is known as the ‘travel rule’ and it mandates that VASPs maintain and exchange information regarding the originators and beneficiaries of virtual asset transfers. However, this ‘travel rule’ only applies to transactions which involve a VASP or other AML/CFT entity and does not apply to unmediated peer-to-peer transactions via un-hosted wallets. This issue is compounded by the lack of implementation of the travel rule as discussed above.


The ability to swiftly exchange between virtual assets numerous times has the effect of disguising the origin of the funds which makes virtual assets susceptible to ‘chain-hopping.’ Simply put, chain-hopping is the practice whereby money is moved from one virtual asset to another and also moved across exchanges. This creates a complex ‘track-record’ or ‘money-trail’ that is almost impossible to track. This is equally a risk to stablecoins in circumstances where stablecoins can quickly be exchanged for virtual assets or fiat currency.

Potential for mass production

A criminal’s ability to use virtual assets as a means of exchange depends to a degree on how freely available the virtual asset is and also how freely exchangeable the virtual asset is. Virtual assets may have characteristics that do not make them appealing for use by criminals which include, their unstable value, the fact that they may not generally be accepted as a means of payment and their complexity of use. However, stablecoins are designed to overcome the value volatility issue associated with virtual assets. In addition, stablecoins are being integrated into pre-existing communication and messaging systems which will make them simpler and faster to use. These aspects of stablecoins make them attractive and more susceptible to criminal abuse.

FATF Recommendations and their Applicability to Stablecoins

The FATF studied five of the largest stablecoins to gain an understanding of whether or not the FATF Recommendations sufficiently cover stablecoins. From its assessment, the FATF concluded that its Recommendations do sufficiently apply to entities involved in the stablecoin ecosystem. Entities within the stablecoin ecosystem will have AML/CFT obligations under the FATF Recommendations if they meet the definition of a financial institution or a VASP as set out in Recommendation 15. Where central governance bodies exist within the stablecoin ecosystem, they will generally be obliged entities under the FATF Recommendations in the same way as other entities in the stablecoin ecosystem such as exchanges, transfer service providers and custodial service providers.

However, the FATF has identified some residual risks which include the following:

  • the risk associated with anonymous peer-to-peer transactions via un-hosted wallets (i.e. software hosted on a device that allows a person to store and conduct transactions in convertible virtual currencies without the intervention of third parties. This can be distinguished from a “hosted” wallet, where the wallet receives, transfers and stores convertible cryptocurrencies on behalf of account holders, typically done online or through a mobile app);

  • risks from weak or non-existent AML/CFT regulation by some jurisdictions; and

  • risks associated with stablecoins having a decentralised governance structure.

Jurisdictions’ Progress in Implementing the Revised FATF Recommendations

In order to assess the progress made by jurisdictions in implementing the revised FATF Recommendations on virtual assets and Virtual Asset Service Providers (VASPs), the FATF conducted a survey in March 2020 of its membership and its broader global network. 38 FATF members (37 jurisdictions and 1 regional organisation) and 16 FATF Style Regional Bodies (FSRBs) responded. The results of the survey indicate that, overall, jurisdictions have made progress in implementing the revised FATF Recommendations (that is Recommendation 15 and its Interpretative Note to Recommendation 15 (INR.15). Among the responding jurisdictions, 35 jurisdictions had implemented regimes for VASPs, while 19 jurisdictions did not have regimes for VASPs yet. For jurisdictions that established regimes for VASPs, 32 jurisdictions introduced regulatory regimes permitting VASPs while 3 jurisdictions prohibited VASPs. Among jurisdictions that had not yet implemented regimes for AML/CTF, the majority (13) intended to regulate VASPs, 2 intended to prohibit VASPs and 4 had yet to decide.

The travel rule

One of the challenges that the FATF Report highlighted was the global implementation of the travel rule. VASPs are required to implement the FATF’s AML/CTF preventive measures in Recommendations 10-21 set out in INR.15. This includes Recommendation 16 (R.16), which sets out wire transfer requirements and is a key measure to ensure that the originators and beneficiaries of financial transactions are identifiable and are not anonymous. VASPs and financial institutions must comply with these requirements for virtual asset transfers. This is the so-called ‘travel rule’.

Although the FATF is technology neutral and does not prescribe a particular technology software, the FATF Guidance on virtual assets and VASPs published in June 2019 lists a range of technologies which may enable VASPs to comply with aspects of the travel rule requirements. However, the FATF Report explained that there was no technological solution(s) that enabled VASPs to comply with all aspects of the travel rule in a holistic, instantaneous and secure manner.

Notwithstanding these concerns, the FATF Report explained that jurisdictions have made progress in the development of certain technologies to provide a solution to the travel rule.

There seems to have been progress in developing technological solutions for the travel rule which includes:

  • progress in the development of technological standards for use by different travel rule solutions. An international industry-wide initiative has been established to set global technical standards for travel rule solutions. A first messaging standard that sets a common universal language for the communication of the required originator and beneficiary information between VASPs was developed. This initiative may now be undertaking work on further messaging standards and the maintenance of this standard;

  • several different travel rule solutions are being developed. In line with the decentralisation ethos that underpins virtual assets, there appears to be a greater desire for multiple potential solutions, as compared to one centralised travel rule solution. However, the FATF Report explained that use of a common standard will assist in ensuring that different computer systems or software are able to exchange and make use of the information which is exchanged pursuant to the travel rule; and

  • from a jurisdictional point of view, the FATF Report highlighted that, of the FATF Recommendations, there has been lower implementation/adoption of the travel rule when compared to the other AML/CTF requirements. Of the 32 jurisdictions that had implemented the AML/CTF regulatory requirements for VASPs, 15 jurisdictions advised they introduced Recommendation 16 requirements for VASPs. This delayed enforcement of the requirement can be attributed to the lack of adequate holistic technology solutions, highlighting the importance of the need for the swift development of technological solutions.

Notwithstanding the aforementioned concerns in relation to the travel rule, the FATF Report explained that these concerns are not obstacles which will prevent the development of technological solutions to implement the travel rule. As such, the FATF Report urged VASPs to increase their efforts towards a swift development of holistic technological solutions to cover the entirety of the travel rule.

A key aspect of the implementation of the travel rule is the ability of a VASP to identify the counterparty VASP. Compliance with the travel rule requires that VASPs must be able to identify:

  • when they are transacting with another VASP as opposed to transacting with a private wallet; and

  • whether the counterparty VASP is registered/licensed by the jurisdiction and is adequately supervised for AML/CTF purposes.

The FATF Report notes that the best way to conduct this due diligence on the counterparty is to do so in a timely and secure manner. A possible solution to the obstacles faced by VASPs is to create a global VASP list. This approach would require that information be collected from each jurisdiction on the VASPs registered/licensed in that particular jurisdiction which would then be accessed via a central database. However, this ‘central data base’ approach has its own challenges which include, but are not limited to, ensuring the information on the data base is secure, assigning responsibility for maintenance and accuracy of the data, determining who would supervise the bodies responsible for collecting the information and deciding who would have access to the information.

Peer-to-peer transactions via private/ unhosted wallets

Peer-to-peer transfers of virtual assets, without the use or involvement of a VASP or financial institution, are not explicitly subject to AML/CTF obligations under the revised FATF Recommendations. This has resulted in many VASPs being unsure of the required approach in such circumstances and they have raised queries as to what approach is required when transacting with private or unhosted wallets.

Concerns have been raised regarding the extent to which a wallet can be identified as a custodial vs a non-custodial wallet, causing some VASPs to ask for guidance on the extent to which blockchain analytic tools can be used in complying with the travel rule requirement.

A further concern that has been raised is whether VASPs should be able to transact with private wallets, and if so, what kind of AML/CTF requirements need to be put in place to mitigate the risks. When considering this issue, some VASPs have raised the risk of unnecessarily burdensome AML/CTF compliance obligations (including the travel rule), which may incentivise greater use of peer-to-peer transactions via unhosted wallets and raise the risks and require further mitigation measures.

Batch and post facto submission and past transfers

Some VASPs have also requested guidance on the following:

  • the extent to which the batched data submission of transfers of originator and beneficiary data is permissible under the revised FATF Recommendations;

  • whether originator and beneficiary data could be submitted on a post facto basis (e.g. at the end of the day, or 5 to 6 business days later) instead of immediate data submission on an individual virtual asset transfers; and

  • the extent to which beneficiary and originator data should be collected on past virtual asset transfers.

Inter-operability of systems

For the smooth global implementation of the travel rule, different solutions need to be of such capability that different computer systems and software are able to exchange and make use of the information being shared. This also requires that the technology must have in place adequate controls to address data sharing, storage and security

The first step to ensuring interoperability of systems is the development of global messaging standards. However, fragmentation may be driven by the different rules and standards adopted in different jurisdictions for areas such as privacy and data protection, cyber-security or AML/CTF.

The inter-operability of different travel rule solutions may then be impacted, unless (i) sufficient flexibility is being built into the messaging standards, or (ii) solutions are being developed to accommodate the requirements of particular jurisdictions.

This highlights the importance of close co-operation with and within the private sector and amongst jurisdictions in developing their AML/CTF regimes and supervisory approaches.

Sunrise issue

As less than half of FATF members have introduced travel rule requirements, there is a lack of a global framework for travel rule compliance. This poses a challenge to VASPs, since it is unclear what approach they should take in dealing with VASPs located in jurisdictions without the travel rule.

Specific wording issues

Several specific wording issues in the FATF guidance regarding R.16 for VASPs were raised, including references to the Legal Entity Identifier, the term ‘account number’ and the address of an originator.

Implementation of the other AML/CTF obligations

The FATF Report noted that the adoption and implementation of the AML/CTF obligations globally is at an early stage. This is partly due to the fact that many VASPs may be unfamiliar with the fundamentals of AML/CTF as they may previously have had no regulatory oversight. This is said to be compounded by the speed at which the VASP sector develops and changes.

That being said, jurisdictions which already have a developed AML/CTF regime for VASPs and have imposed such on their VASPs have reported an improvement in overall compliance, with increasing awareness and attention to AML/CTF obligations. This is particularly apparent in larger well established VASPs.

CH-018280 (Webpage Portal)
2018-09-27 (Published)
2021-05-20 (Updated)