Skip Navigation

New Financial Action Task Force Guidance Released on Virtual Assets and Virtual Asset Service Providers


On October 28, 2021, the Financial Action Task Force (the “FATF”) released updated guidance on its risk-based approach to Virtual Assets (“VA”) and Virtual Asset Service Providers (“VASPs”).  The updated guidance (the “Guidance”) revises and supplements the original guidance released in June 2019 and provides recommendations on the Anti-Money Laundering (“AML”)/Combating the Financing of Terrorism (“CFT”) regulations and monitoring systems of the member countries.  The Guidance includes the following significant updates: (i) clarification of the definitions of VA and VASP; (ii) guidance for the application of the “Travel Rule” on VASP; and (iii) the potential regulations on Peer-to-Peer (“P2P”) transactions.

1.   Clarification of the Definitions of VA and VASP

The FATF defines a VA as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.”  Considering the VA’s unique nature, the Guidance expects VA to be traded and transferred electronically and be used for payment or investment purposes.1  In this regard, the FATF provided a more context-specific approach regarding the much-discussed non-fungible token (“NFT”) – while NFTs are generally not considered as VAs under the FATF definition, some NFTs may fall under the scope of VA if they are used for payment processing or investment purposes.  In addition, the Guidance made it clear that stable coins are included as VA.

The Guidance defines a VASP as “any person or natural legal person” that “conducts one or more of the following activities or operations for or on behalf of another natural or legal person” for business purposes: (a) exchange between VA and fiat currencies; (b) exchange between one or more forms of VA; (c) transfer of VA; (d) safekeeping and/or administration of VA or instruments enabling control over VA; and (e) participation in and provision of financial services related to an issuer’s offer and/or sale of a VA2.

The Guidance also discusses decentralized finance (“DeFi”).  With respect to DeFi, the Guidance explains that a DeFi application is not a VASP, and the centralization and automation of the system are not criteria for classification of VASP.  However, similar to the above, a DeFi system operator can also be classified as a VASP if it meets the requirements of VASPs stipulated above, regardless of whether portions of the service or process are decentralized or automated.  In addition, the Guidance further clarifies the ability to exercise “control” over VA in regards to “safekeeping and/or administration of VA.”  Here, the term “control” is understood as the ability to hold, trade, transfer or spend the VA, and it does not mean that such control must be unilateral.  “Control” can include circumstances where “key credentials held by others required to change the disposition of the assets, such as multi-signature process,” and in such cases, the VASP definition should be interpreted expansively to include any entity that has the ability to exercise control, such as safekeeping or administration, over VAs.

2.   Application of the “Travel Rule”

The Guidance also discusses the implementation of the “Travel Rule” and obligations for VASPs that make transfers in cryptocurrency over USD 1,000 share to conduct certain identification processes of the client and recipient as follows: 

  Obligations of Ordering VASP Obligations of Beneficiary VASP
Originator Information3
  • Mandatory to submit the necessary data to a beneficiary VASP (need to verify the accuracy of the originator information)
  • Required to obtain the necessary data from the ordering VASP
Beneficiary Information4
  • Mandatory to submit the necessary data to a beneficiary VASP  (data accuracy is not required, but the ordering VASP must monitor to confirm no suspicions arise) 
  • Required to obtain the necessary data from the ordering VASP (data accuracy is required and the consistency of the received data should be confirmed)
  • Obtain the necessary information from the originator and retain a record.
  • Screen to confirm that the beneficiary is not a sanctioned name.
  • Monitor transactions and report when they raise a suspicion (regarding STR).
  • Obtain the necessary information from the ordering VASP and retain a record.
  • Screen to confirm that the originator is not a sanctioned name.
  • Monitor transaction and report when it raises suspicion (regarding STR).

In addition, the Guidance specifies the required due diligence process of the originator VASP prior to the transfer to the counterparty VASP in relation to the “Travel Rule” implementation.  In this case, such due diligence obligations are not required for each remittance transaction unless there are any particularly suspicious circumstances.  However, such due diligence process is periodically required since the initial transfer or VA exchange, rather than each transaction.

Phase Required Activities 
Phase 1 Determine whether the VA transfer is with a counterparty VASP 
Phase 2 Identify the counterparty VASP 
Phase 3 Assess whether the counterparty VASP is an eligible counterparty to send customer data and to have a business relationship with5 


3.   Potential Regulations on P2P Transactions

The Guidance includes discussions regarding P2P transactions (transfers to and from “unhosted wallets”) and notes the potentially heightened AML/CFT risks such transactions pose.  It emphasizes that each country should understand these risks and consider implementation measures to mitigate such risks.  With respect to the above, the Guidance provides the following examples to implement as mitigation measures: (i) controls that facilitate visibility of P2P activity and/or VA activity crossing between obliged entities and non-obliged entities (including VA equivalents to currency transaction reports or a recordkeeping rule relating to such transfers); (ii) ongoing risk-based enhanced supervision of VASPs that transact with unhosted wallet and placing additional AML/CFT requirements on VASPs that allow transactions to/from non-obliged entities (e.g., enhanced recordkeeping requirements, EDD requirements); and (iii) obligating VASPs to facilitate transactions only to/from VASPs and other obliged entities.

There is no immediate legal effect of the Guidance as the Guidance merely provides the recommendation and direction of regulation on VAs to each member country.  However, upon the legislation of the relevant recommendation by the member country, the Guidance may serve as a standard for the regulatory authorities’ interpretation of laws.  The applicable laws and regulations may be newly legislated and amended in line with the Guidance as well.

In particular, the Guidance interprets the scope of the VA and VASPs more broadly than the definitions of such established in the Korean market.  Therefore, we recommend continuing to monitor the regulatory authorities whether the FATF’s interpretation will be reflected and implemented.  In addition, with respect to the “Travel Rule” that will be enforced in March 2022, we need to pay attention to whether the due diligence obligations on the VASPs, including the VA exchanges, proposed in this Guidance will be introduced by amending the existing laws and regulations, and the structure of the regulation is introduced.


1  Therefore, digitalized fiat currencies, securities, or other financial assets do not fall under the definition of VA as they are covered elsewhere in the FATF Recommendations, without an inherent ability themselves to be digitally traded or transferred. Other closed-loop items that are non-transferable, non-exchangeable, and cannot be used for payment or investment purposes, but may be used only for limited purposes and areas such as airline miles, credit card awards, or similar loyalty program rewards/points. Similarly, items that cannot be traded in the secondary market do not fall under the definition of VAs.
2  Here, the issuance of VA by the VASP is not included.
3  Originator’s name, account number (or in the VA context, wallet address), physical address, national identify number, customer identification number, or date of birth.
4  Beneficiary’s name, account number(or in the VA context, wallet address).
5  Assessment regarding customer data security such as data storage is possible on top of AML/CFT related regulations. The concerned VASP should determine whether to have business relationship with the counterpart VASP based on the above assessment.