Growing Regulatory Convergence Offers Opportunities for Compliant VASPs

The growing rigor of virtual asset service provider (VASP) regulation and supervision globally has strengthened the compliance focus of leading VASPs, increasing their access to the traditional financial system and to sophisticated financial services. Ongoing implementation of the recently revised Financial Action Task Force (FATF) standards for VASPs¹suggests growing regulatory convergence on common compliance standards in the virtual assets sector.

• The European Union (EU) announced in May that it was taking the initial steps in legal proceedings against nine member jurisdictions that had missed the deadline to pass legislation meeting the requirements of the 5th Anti-Money Laundering Directive.² The Directive imposes anti-money laundering/combatting the financing of terrorism (AML/CFT) requirements on EU VASPs for the first time. The Netherlands passed its version of the required legislation in April.³
• South Korea in March passed comprehensive virtual assets legislation that both regularizes the status of VASPs and imposes strict compliance obligations, including requiring VASPs to ensure that all customers have a bank account with a South Korean bank.⁴ Additional jurisdictions such as Albania and Ukraine have passed or are considering similar legislation to both clarify the legal status of VASPs and impose compliance requirements meant to meet the FATF standard.^5,6,7
• U.S. states are also creating avenues for VASPs to access financial services. New York State’s Department of Financial Services issued its 25th virtual currency license (commonly known as a “bitlicense”) in May.⁸ Two companies have announced plans to apply for licenses as Wyoming Special Purpose Depository Institutions (SPDIs), a type of entity created in 2019 to act as custody banks for virtual assets.^9,10,11

Leading VASPs have responded to growing regulatory scrutiny by signaling their seriousness about compliance, leading to increasing acceptance for some among mainstream financial institutions. The Joint Working Group for InterVASP Messaging Standards, an unofficial standards development committee supported by a number of industry organizations, announced in May that it had developed a uniform format for messages accompanying virtual asset transactions, making it easier for VASPs to comply with the travel rule, a key element of the FATF standards.¹²

• In May, the Libra Association announced the appointments of Stuart Levey and Robert Werner, both former senior U.S. Treasury officials to top posts.^13,14 Their appointments and public statements, combined with the April release of a new Libra White Paper that strengthened financial crimes compliance measures, indicates the Libra Association is increasingly focused on compliance and regulatory acceptance following intense scrutiny.^15,16,17 
• The Libra Association will require participating VASPs to publicly certify that they comply with travel rule requirements, and the Libra Association plans to develop a messaging service to facilitate compliance, according to the revised White Paper.¹⁸
• In April J.P. Morgan approved accounts for Coinbase Inc. and Gemini Trust Co. as its first VASP banking customers, providing cash management services and processing transactions for U.S.-based customers of the two exchanges. The move—which is a marked departure from the bank’s previous approach to VASPs—signals growing mainstream acceptance of VASPs that can meet compliance standards.¹⁹

As U.S. regulators continue to lead enforcement globally, the industry appears to be moving toward a two-tier system in which “compliant” VASPs have a path toward mainstream acceptance and “noncompliant” VASPs are further excluded from the traditional financial system. Fear of enforcement actions is likely to limit traditional financial institutions’ willingness to extend services to VASPs domiciled in jurisdictions that they perceive as having more lax VASP supervision, to VASPs without effective, risk-based compliance programs and robust preventive measures, and to VASPs that deal in virtual assets whose decentralization or inherent privacy measures make compliance difficult.

• The Director of the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in two sets of public remarks made in May emphasized that FinCEN will pursue enforcement actions against VASPs that are based outside the U.S. but do business with U.S. customers, using its recently established a Global Investigations Division to target offshore VASPs that come under U.S. jurisdiction. He also cautioned VASPs regarding the risks of “anonymity-enhanced cryptocurrencies” (also known as “privacy coins”).²⁰
• Sources familiar with J.P. Morgan’s decision to onboard Coinbase and Gemini noted that the VASPs’ status as regulated institutions was a key factor, and the Wall Street Journal described Gemini as “in the vanguard of the industry’s movement to attract mainstream clients and embrace regulation.”²¹
• The Libra Association’s new White Paper establishes categories of VASPs that may be granted access to the Libra network, identifying those that are regulated or licensed in FATF member jurisdictions as among those that may be able to operate on the Libra network without per-transaction and per-address balance limits. VASPs licensed and regulated outside of FATF member jurisdictions, in contrast, will be subject to a risk-based compliance certification process.²²
• Similarly, the co-founder of blockchain analysis firm Elliptic in May noted an increasing bifurcation of the virtual assets space, dividing exchanges that are regulated and incorporate customer identification processes from those that are unregulated or fail to comply with regulations.

As supervisory approaches to the VASP sector continue to mature, traditional financial institutions and VASPs hoping to access their services need to carefully track changes to regulatory regimes in key jurisdictions and consider them a core element of their risk assessment process. Traditional financial institutions should also assess their indirect exposure to VASPs even if they have not onboarded VASP customers directly.

• VASPs that want to take advantage of growing acceptance of virtual assets within the traditional financial sector will need to fully integrate international regulatory standards, such as compliance with the travel rule and sanctions screening expectations, into their operations.
• VASPs offering exchange services from one virtual asset to another or between virtual and fiat currency should look to developments in correspondent banking risk management when building their compliance functions. Highly regulated exchanges will need to develop robust compliance programs to assess and mitigate risks associated with their relationships with other VASPs, and determine their risk tolerance for those that are not regulated in accordance with FATF standards, those that deal in privacy coins, and those that have structural or design features that foster anonymity.
• Highly regulated VASPs are likely to face increasing compliance costs and may decide to refuse transactions with non-compliant VASPs or to charge additional fees to support higher associated compliance costs. These highly-regulated VASPs should also consider forming networks that can share compliance costs through the application of managed services models.

Further Reading: K2/FIN closely tracks regulatory developments in the virtual assets policy space. See our 2018 and 2019 policy alerts for more insights on developments in this sector, including the FATF standards for VASPs.