The FATF and DeFi

Update of the FATF Guidance for a risk-based approach to virtual assets and VASP

13 April 2021

On March 19, 2021, the Financial Action Task Force (FATF) announced that it is updating its guidance for a risk-based approach to virtual assets and virtual asset service providers. The update is open for comments until April 20, 2021, and, if implemented as is, will have far-reaching implications for the DeFi space.

The Updates

The updates include the following areas and are meant to provide the public and private sector with more clarity:

  1. definition of virtual assets (VA) and virtual asset service providers (VASP)
  2. guidance on the implementation of the ‘travel rule’
  3. guidance on the risks and potential risk mitigants to P2P transactions
  4. guidance on the licensing and registration of VASP
  5. guidance on the application of the standards to stablecoins
  6. principles of information-sharing and cooperation amongst VASP supervisors

The focus of this post will be on item 1. The other areas will be covered in a separate post in the future.

The definition of VA and VASP

Virtual Assets

“A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.”

Source: Glossary of the FATF Recommendations

In the updated guidance, the FATF highlights that no asset should entirely fall outside the FATF standards. At the same time, no asset should be considered both a VA and a traditional financial asset. In cases where it is difficult to characterize an asset as a VA or a traditional financial asset, jurisdictions are required to decide which designation suits best to mitigate and manage the risk of the product. 

So what is a VA according to the FATF?

A VA is not a traditional financial asset. The digital representation of fiat currencies, securities or other financial assets are therefore not covered by the definition. For an asset to be considered a VA, the asset must further be digitally traded or transferred and used for payment or investment purposes. The otherwise denied inherent value of cryptocurrencies is seen as a defining feature of VA.

While it is easy to see that cryptocurrencies, utility tokens and governance tokens are covered by the definition it is not clear whether non-fungible tokens (NFTs) are included as well. Given the fact that they have a similar risk profile with respect to cross-border transfers, their increasing popularity, and pseudonymity, it is however likely that the FATF wants to see these assets covered by the definition as well.

“Assets should not be deemed uncovered by the FATF Recommendations because of the format in which they are offered and no asset should be interpreted as falling entirely outside the FATF Standards.“

Source: Draft updated Guidance for a risk-based approach to virtual assets and VASPs, para 40

To include NFTs representing digital art, collectibles or in-game items would however constitute a departure from the principle of financial markets regulation. After all other unique assets such as traditional arts, real estate, etc. are not covered by the definition of traditional financial assets as well which are fungible by definition – or in other words interchangeable with each other.

Virtual Asset Service Providers

“Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i. exchange between virtual assets and fiat currencies;
ii. exchange between one or more forms of virtual assets;
iii. transfer of virtual assets;
iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
v. participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.”

Source: Glossary of the FATF Recommendations

As with the definition of VA, the FATF highlights that the definition of VASP must be interpreted broadly. Without going into the details of what services are covered by item (i) to (iv), the focus of this post is on the question to which extent DeFi protocols are covered. The updated guidance provides more clarity on this which does, however, not necessarily mean that you will like it.

In short, it can be summarized as follows:

Software developers do not fall under the definition of VASP. But – according to the FATF there are hardly any cases where someone only provides a software solution.

So, let’s look at this in some more detail.

In the guidance, the FATF reiterates that it does not intend to regulate technology. The target of regulation are always natural or legal persons – in other words, individuals and legal entities. This point is important as it allows projects to assess whether they fall within the scope of VASP and, where necessary, make changes to their setup. As can be seen from the following statement, this will become increasingly difficult – yet not impossible – in the future.

“The FATF takes an expansive view of the definitions of VA and VASP and considers most arrangements currently in operation, even if they self-categorize as P2P platforms, may have at least some party involved at some stage of the product’s development and launch that constitutes a VASP. Automating a process that has been designed to provide covered services does not relieve the controlling party of obligations.”

Source: Draft updated Guidance for a risk-based approach to virtual assets and VASPs, para 75

According to the FATF, the expansive view is a conscious choice. Despite its commitment to innovation and not regulating software developers, this could still be the ultimate result. Similar to blockchain companies that were not meant to be excluded from traditional finance on a wholesale basis but still have a hard time opening bank accounts, the regulation of software developers might just be another collateral damage, and as such a conscious choice by the FATF.

So, if the regulatory environment was as strict as we claim here, how is it possible that projects like Uniswap allow users to exchange millions worth of dollars daily without being regulated?

First, the new guidance has not been finalized yet.

Second, the guidance has not been implemented into national law yet.

Third, even if it was implemented as is, law enforcement is still a different issue altogether.

The fact that the FATF intends to update its guidance on VAs and VASPs shows that the success of DeFi has not gone unnoticed. From the request for public comments, it is also clear that the overall direction is set – more regulation rather than less. The request only aims at removing potential ambiguities that could give countries room for interpretation and offer loopholes for DeFi projects and other innovations.

Getting back to Uniswap which was initially funded by venture capital, there is indeed the risk that it falls under the definition of VASP. The fact that the governance of Uniswap was largely distributed to the community by an airdrop last year, does not necessarily lead to a different result if other elements of the VASP definition remain in place.

Where the initiators of a protocol, for example, control the admin keys of the exchange’s smart contracts, the initiators may be considered a VASP. If transaction fees, on the other hand, are not distributed to the initiators of the protocol but the liquidity providers, this may lead to different results as the VASP – if existent – is not provided as a business.

Since there is no bright line test, there is always the possibility that DeFi protocols or the teams behind them are considered VASP. As the FATF wants its recommendations to be as broad as possible, it is highly likely that the teams behind DeFi protocols will initially be considered VASP unless active measures are taken, and proper structures implemented are implemented to further mitigate this risk.


The updated guidance shows that the FATF has been monitoring the DeFi space closely. If implemented as is, most projects will be covered as VASP under the new guidance. The growing regulatory burden has the potential to slow down innovation in the DeFi space. More likely than not, the industry will however find an appropriate answer which either includes increasing decentralization or the implementation of new solutions such as DeFi Compli from CipherTrace.

Besides all the criticism, the new regulations should also be considered as an opportunity for CeFi as it will most likely allow registered exchanges to implement DeFi solutions much more easily.