The rise of cryptocurrencies globally has led to the rise of regulations and fines for companies that get involved in this new technology. A big part of navigating regulations is knowing how your business is classified and what laws are applicable. Crypto companies have likely now come across the term Virtual Asset Service Provider, commonly referred to as a VASP, which is a special case of the generalized Money Service Businesses that are now subject to AML/CFT measures. The recent case of Ripple being sued by the SEC shows that governments are eager to enforce these laws on the crypto industry.
We will outline what a VASP is, what kind of businesses may fall under this definition, and why it is important for crypto services to implement AML compliance procedures and KYC checks to future-proof against regulatory consequences.
Why should I bother?
Cryptocurrencies from Bitcoin to the latest altcoins and virtual assets such as non-fungible tokens (NFTs) previously existed outside financial regulations. This made them an ideal tool for money laundering and the financing of terrorism because there was no explicit requirement to trace the sources of funds. While many crypto companies may have been founded on the principles of anonymity and privacy, blockchain-based technologies increasingly need to demonstrate how they are also securing their platforms and preventing fraud to attract users and grow.
Both blockchain and crypto companies are relatively new, and not all regions have set up regulations. However, companies should face head-on the challenge of AML/CFT regulations from the most mature markets, such as the US and EU. Thoughtfully incorporating AML and KYC measures now will differentiate crypto services that can deliver on privacy for end-users, regulatory compliance for lawmakers, and a security level that produces win-win-win conditions for all parties.
What is a Virtual Asset?
In order to grasp what must be done to secure a business, it’s important to review some basic definitions to get a better understanding of crypto and the wider landscape of virtual assets.
VASPs typically handle digital assets that come with some value as they can be traded, exchanged between parties, used for payment, or help investors diversify their portfolios. In October 2020, the Financial Action Task Force (FATF) released official recommendations on what counted as a VASP and how to handle them as part of AML/CFT programs. The FATF defines virtual assets as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. They do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF AML/CFT recommendations.
Many countries are taking steps to follow FATF recommendations and applying relevant laws to companies in the crypto industries as well as to utility and NFTs that can be considered virtual assets.
What is a Virtual Asset Service Provider?
FATF defines Virtual Asset Service Providers as companies or individuals that facilitate any financial activities related to virtual assets such as money transfers, exchange of virtual currencies into fiat and vice versa, sale and storage of these assets, and their creation via mining. Thus, the following common entities fall under this definition:
- Centralized and decentralized exchanges: Exchange platforms that are controlled from a single server and those that rely on a distributed network of nodes are both counted. If the service allows users to exchange cryptocurrencies, it falls under the definition of VASP. Although decentralized exchanges have no central party to govern them after launch, the regulations still apply to the entity that initially launched them.
- Cryptocurrency wallet providers: Cryptocurrency wallets can include services giving their owners the capability to access funds “on-the-go” or offering solutions for long-term investing. Regardless of the use, they all deal with virtual assets.
- Mining pools: Since these online services facilitate the creation of new coins and help their users make profits via mining, they fall under the definition of a VASP.
- Services powered by smart contracts: Since smart contracts can operate with digital currencies, such as automating the transfer of funds once conditions of a deal are met, any service involving them in its operations has to follow the relevant guidelines. Decentralized applications (dApps) that fully rely on smart contracts or companies that implement them in their operations may also have regulatory considerations.
- Brokerage and trading services: Any facility providing its users with the possibility to buy and sell cryptocurrencies directly or through a broker can be considered as a VASP. This applies to services such as cryptocurrency ATMs, P2P exchange services, OTC desks, and custody providers.
- Investment vehicles: Services providing investors with the option to add cryptocurrencies into their portfolios must also follow local investment regulations.
This list is not exhaustive, but it highlights some of the most common crypto-related services currently available. If the service you work on is not included, the best way to define it is to run through the checklist of VASP characteristics to see if they apply.
Could you still be considered a VASP?
As we’ve already mentioned above, FATF defines a VASP as an individual or legal entity that is involved in at least one of the following types of activities:
- Transfer of virtual assets in an automated form via smart contracts with open code or private exchange vehicles
- The exchange between virtual assets and fiat currencies such as USD or EUR
- The exchange solely between virtual assets on the blockchain
- Any form of control over virtual assets such as administration or safekeeping
- Any financial services that involve the usage of virtual assets
If any of these activities is applicable to your business, incorporating some form of KYC or AML program can mitigate future regulatory complications.
Mind the regional specifics
Note that the rules we have mentioned above have been most prominent in more mature markets for crypto, such as the US and EU, but regions such as the Asia Pacific are quickly catching up with crypto regulations. If you operate from a different region, following the FATF recommendations can help your business serve global markets from day one.
Also note that countries may approach regulations in different ways and have their own regulatory bodies. For example, the EU has Anti-Money Laundering Directives (AMLDs) set by the European Commission, for which member states are expected to enact corresponding laws. In the US, different government departments and agencies may refer to the same concept using different terminology. Look out for the following terms when doing your research:
- Financial Crimes Enforcement Network (FinCEN): Money Transmitter/Money Service Business (MSB); convertible virtual currency (CVC)
- US Commodity Futures Trading Commission (CFTC): Designated contract markets (DCMs); virtual currency
- Securities and Exchange Commission (SEC): Digital Asset Trading Platform and digital asset
- EU 6th Anti-Money Laundering Directive (6AMLD): crypto-asset service providers, virtual currencies, cryptocurrencies
How can a VASP implement KYC to future-proof a business?
Now, you may wonder how to implement all these recommendations in practice. Below, we have listed some practical pieces of advice that you may follow should you decide to launch a cryptocurrency-related business that falls under a definition of a VASP.
Follow basic AML/CFT requirements
Implementing basic procedures would provide businesses in crypto with some protection from future legal consequences as the industry regulations settle across regions.
For example, if you operate from the US, you can cover AML and KYC requirements by implementing a Customer Identification Program (CIP) that requires collecting details from your customers such as name, date of birth, address, and identification number. You can take the following steps to future-proof your business.
Add identity verification
Typically, it includes:
- Official government-issued photo ID (e.g. ID card, passport)
- Biometric verification (facial matching to photo ID)
- Proof of address (additional document, such as a utility bill)
- Watchlist screening, run behind the scenes after the customer has submitted their documents, to make sure the person is not on a sanctions list
You can either conduct it yourself or, in case you don’t have sufficient resources internally, outsource the process to third-party services such as Passbase.
Decide on who will handle a customer’s digital identity
Ensuring that a customer’s identity is verified while also securing that digital identity requires significant investment, and the inability to meet the standards may result in sanctions and loss of reputation. Companies with the resources should consider creating a dedicated compliance department. In the meantime, sourcing an identity verification service provider and focusing on improving your customer experience can help you become compliance-ready.
Build a branded identity verification into your product
Leverage your digital native status by incorporating branded identity verification to ensure seamless onboarding.
Educate end-users transparently
Create a dedicated FAQ section and explanatory text on the screen before the identity check on why it is needed and how it is handled so that end-users know what to expect.
Give customers incentives to opt-in
You may not want to force end users to perform an identity verification unless you need it for regulatory purposes. However, you can provide them with additional perks if identity verification is introduced as a security and fraud reduction feature.
Although cryptocurrencies still lack regulation in many regions, their impact on global finance and online transactions will sooner or later require regulation. Even if your company is not a VASP now, it may be considered to be one in the future when the corresponding laws are released. Therefore, if you are somehow engaged with virtual assets, taking precautions now can create a smoother transition for future compliance.
A thoroughly designed approach can enable you to preserve user privacy and increase the security of your platform by collecting the right type of information to identify an end-user or a specific transaction. As fraud continues to rise and regulations get stricter, incorporating KYC best practices from the financial sector combined with great UX design from a dedicated platform will help you to build trust with your customers and ensure business growth.