KYC AML Guide: the Clock shows the average reeding time of the blog21 min Read


KYC AML Guide: the Clock shows the average reeding time of the blogSeptember 17, 2023

What are Virtual Asset Service Providers (VASPs)?

In the wake of the rapid digitization of the financial world, the currency has also shape-shifted and taken a digital form that is widely known as cryptocurrency. Cryptocurrency exists virtually and has revolutionized online payments. Virtual Asset Service Providers deal with cryptocurrencies and assets.  In this article, we shall dive into the world of Virtual Asset Service Providers (VASPs), and their regulatory framework, and explore the evolving landscape of virtual assets beyond cryptocurrencies. 

M Abd'al Bari

Research Associate

Virtual Asset Service Providers (VASPs) Beyond Cryptocurrencies

While cryptocurrencies have been leading the digital assets world, VASPs have expanded their services to encompass a broader spectrum of virtual assets. Beyond the realm of Bitcoin and Ethereum, VASPs have ventured into tokenized assets, non-fungible tokens (NFTs), digital securities, stablecoins, and even Virtual Real Estate.

Definition of Virtual Assets and VASPs

In 2020, the Financial Action Task Force (FATF) published the revised standards of Virtual Assets and VASPs. According to the document, the following are the definitions of virtual assets and VASPs.

What are Virtual Assets?

The FATF defines virtual assets as digital representations of value that can be digitally traded or transferred and can be used for payment or investment purposes. Virtual assets exist digitally and are intangible assets that have value to owners in different ways. They are mostly associated with digital platforms like crypto exchanges and Blockchain (DeFi). However, these assets are not limited to cryptocurrencies or NFTs.

Some examples of Virtual Assets include:

  • Cryptocurrencies
  • Non-Fungible Tokens (NFT)
  • Virtual Real Estate
  • Virtual Goods
  • Online Businesses (E-commerce stores)
  • Digital Art
  • Social Media Accounts
  • Data and information
  • Software Licenses

FATF Definition of VASPs

According to FATF, a virtual asset service provider is a natural and legal person who is not covered as a business in other FATF recommendations, and conducts the following activities:

  • Trade and exchange between Virtual Assets and Fiat currency.
  • Trade and exchange between one or multiple virtual assets.
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.
  • Participating in and providing financial services related to an issuer’s offer and/or sale of a virtual asset.

FATF’s definition of VASPs largely covers cryptocurrencies and NFTs. Here are some examples of VASPs considering it:

  • Custodians
  • Crypto Wallet providers
  • Crypto Mining Pools
  • Crypto Brokerage services
  • Bitcoin ATMs
  • NFTs
  • Decentralized exchanges

Regulatory Framework of Virtual Asset Service Providers (VASPs)

Regulatory Updates of VASPs (2023)

The following framework focuses on the regulatory bodies of 4 major jurisdictions in the context of virtual assets focused on the US, Australia, UAE (Dubai), and the UK.

  • FinCEN (Financial Crimes Enforcement Network) recently published FIN-2023-Alert005 on September 8th, 2023 covering the ‘Pig Butchering’ scams targeting virtual asset owners and VASPs. It explains the complete activity to alert the VASPs and VA owners against scams and how scammers carry out the whole activity. The publication also covers Red Flag indicators, Suspicious Activity Reporting, and SAR filing instructions in this regard.
  • SFC (Securities & Futures Commission) of Hong Kong published the consultation conclusions on the proposed regulatory requirements for Virtual Asset trading platforms on March 23, 2023, which came into force on June 1st, 2023. It provides guidelines to the VASPs which the document refers to as VATPs (Virtual Asset Trading Platforms). It covers the key aspects of retail trading, VA derivatives, prohibited activities, custody of client assets, compensation arrangements, and AML/CFT requirements.
  • VARA (Virtual Assets Regulatory Authority) of Dubai issued its virtual asset regulations in 2023. VARA has claimed to be the world’s first tailored-made digital asset regulatory body. It has recently updated the VA Activity and Rule Book on September 8th, 2023.
  • The FCA (Financial Conduct Authority) released an obligation to register the crypto assets service providers through an online registration portal in March 2023. The latest update in this regard was published on September 1st, 2023 in which the statistics of feedback of applications, their approval and rejection status was shared publicly.

FATF’s Latest Insights for VASPs

In June 2023, FATF published its targeted update on the implementation of FATF Standards that primarily focused on Virtual Asset Service Providers (VASPs). The following are the key takeaways from this publication:

  • After 4 years of adoption of FATF’s standards for VAs and VASPs, poor compliance and implementation is observed as compared to other financial sector. 78% of FATF mutual evaluations were partially compliant to non-compliant with FATF standards.
  • Jurisdictions are also facing problems in regulating VASPs. According to a survey in March 2023, 73% of jurisdictions are not conducting adequate risk assessments. Nearly one-third of respondents are unsure about allowing VAs and VASPs whereas 11% prohibit VASPs.
  • Jurisdictions made insufficient progress in implementing the Travel Rule which leaves VAs and VASPs for misuse. More than 50% of respondents took no steps to implement Travel Rule where the expected number is even larger as 54 respondents didn’t respond to the survey. However, after the survey, the EU passed legislation establishing a regulatory framework for VASPs.
  • The private sector offers tools for VASPs to implement the Travel Rule, but they don’t fully comply with FATF’s requirements. Progress on interoperability between these tools is limited, although not mandated by FATF. Some suggest enforcing Travel Rule violations to drive progress.
  • Recent reports highlight concerns about DPRK’s illicit virtual asset activities, including ransomware attacks and sanctions evasion, enabling weapons proliferation. This has resulted in significant funding (USD 1.2 billion in stolen VAs since 2017, including DeFi assets). Virtual Assets also pose rising terrorist financing risks, alongside fiat currency, involving groups like ISIL, Al Qaeda, and right-wing extremists.
  • DeFi and unhosted wallets, including P2P transactions, within the virtual asset ecosystem, pose money laundering, terrorist financing, and proliferation financing risks, including misuse by sanctioned entities. Some jurisdictions face challenges in identifying responsible parties for VASP obligations in DeFi, assessing illicit finance risks in unhosted wallet transactions (including P2P), and addressing data gaps.

How does FATFs Travel Rule Regulate VASPs?

Travel Rule is one of the key AML/CFT regulatory measures Financing enabling VASPs and other financial institutions to prevent money laundering and terrorism funding. Specifically, these requirements ensure that basic originator and beneficiary information is available to the following.

  • Authorities in charge of law enforcement work actively to identify, investigate, and bring terrorists and criminals to justice, while also tracking their assets.
  • Financial intelligence units play a critical role in examining activities that appear suspicious or out of the ordinary.
  • VASPs serving as intermediaries between ordering and beneficiary entities, along with financial institutions, have the responsibility of recognizing and reporting transactions that raise suspicions. They are also mandated to freeze assets and prohibit dealings with individuals or entities subject to sanctions.

Summarizing the FATF’s Targeted Updated of June 2023 it stresses the following points concerning the implementation of the Travel Rule:

  • FATF stresses the urgent implementation of the Travel Rule for jurisdictions that need to do so.
  • The jurisdictions should maintain effective supervision and enforcement against non-compliance.
  • FATF urges the public and private sectors to maintain counter-party due diligence through publicizing information on VASPs that are registered in a particular jurisdiction
  • Jurisdictions & VASPs need to engage in the adoption of Travel Rule compliance tools and address their shortcomings.

FATF’s Plans for 2024

According to the Targeted Update 2023, FATF plans the following for the first half of 2024:

  • FATF will publish a table indicating the progress made by member jurisdictions and other key jurisdictions involved in virtual asset activities in implementing Recommendation 15. This includes steps such as conducting risk assessments, enacting regulatory legislation for VASPs, and conducting supervisory inspections. A Targeted Update report will be produced in 2024 to assess progress and regulatory responses to emerging virtual asset risks like DeFi and P2P transactions.
  • FATF and VACG will continue to closely monitor the evolution of the virtual asset ecosystem as more jurisdictions enforce Recommendation 15 and the Travel Rule. They will actively engage with the private sector and share relevant information and insights.
  • To ensure that FATF Standards remain pertinent in the face of rapid changes and evolving risks, particularly in areas like DeFi and unhosted wallets with P2P transactions, FATF and VACG will stay vigilant by monitoring market developments, including activities involving sanctioned entities. They will foster collaboration among VACG members and with the wider FATF global network to exchange findings, and experiences, address challenges, and promote best practices in the evolving virtual asset landscape.

Privacy & Data Protection in Virtual Asset Service Providers

Apart from the Travel Rule, another notable progress has been made by VARA Dubai in regulating VASPS for data protection and privacy laws for the jurisdiction. In February 2023, it published a document entitled “Technology and Information Rule Book”. It’s Part 2 and Part 3 explain the data protection and confidentiality of information as follows:

Compliance With Data Protection Laws

  • VASPs must adhere to data protection and privacy regulations in all relevant jurisdictions, including within the UAE, where the Personal Data Protection Law (PDPL) and sector-specific or free zone laws and regulations may apply.
  • They are obligated to comply with data protection laws in any other jurisdiction where their activities take place, regardless of the data’s storage location or transfer methods.
  • Compliance involves various aspects related to data handling and processing.
  • VASPs are required to develop and implement a written compliance program to safeguard the privacy of Personal Data, ensuring alignment with applicable data protection laws.
  • They must adhere to specific VARA requirements, which include appointing a competent Data Protection Officer responsible for fulfilling statutory duties under data protection laws. This officer may also serve as the VASP’s Chief Information Security Officer (CISO).
  • VASPs must establish an organizational function responsible for managing and protecting Personal Data by the law, tailored to the level of associated risk, and encompassing the implementation and maintenance of suitable policies, procedures, systems, and controls.

Information Access and Confidentiality

  • VASPs must ensure that VARA has access to all information related to their compliance with Part II of the Technology and Information Rulebook, regardless of where this information is stored.
  • They should take necessary steps, including notifications, contractual arrangements, and obtaining consent, to facilitate VARA’s access to such data as per VARA’s communicated instructions.
  • They are obligated to promptly inform VARA, within 24 hours, upon notifying any data regulator in the UAE or a Data Subject of an incident that impacts or potentially impacts Personal Data.
  • VASPs must provide VARA with a summary of the incident report and, if the data regulator is in the UAE, a copy of the report, unless such provision is prohibited by applicable law, with evidence satisfactory to VARA.
  • They must safeguard client information and records by implementing protective measures, including policies and procedures.
  • They should ensure that client information is used only for its intended purpose and in compliance with confidentiality agreements and applicable laws.
  • VASPs must educate and certify their staff on internal policies and Part III of the Technology and Information Rulebook.
  • Staff should share confidential information only when necessary for VA activities and refrain from using or sharing such information for trading Virtual Assets on behalf of any entity.

DeFi & Decentralized Exchanges

The trend of DeFi has rapidly grown due to rapid digitization thus replacing the traditional banking systems. In this regard, VASPs are expected to grow in the future considering the following factors:

Liquidity Pools VASPs are enabling users to participate in DeFi liquidity pools, earning rewards on their crypto assets.
Decentralized Exchanges Integration The integration with decentralized exchanges (DEXs) allows users to trade cryptocurrencies directly from their wallets.
Non-custodial services The support of non-custodial DeFi services gives users control over their assets without relying on centralized intermediaries.
Smart Contract Audits Smart contract audits are conducted to enhance security and trust in DeFi platforms.
Risk Management DeFi investments pose risks, and VASPs educate users on risk management and potential losses.
Tokenized Assets DeFi platforms are tokenizing real-world assets, offering new investment opportunities facilitated by VASPs.
Decentralized Identity VASPs explore decentralized identity solutions to enhance security and privacy in DeFi.

In addition to DeFi, Stablecoins, NFTs (Non-Fungible Tokens), and Metaverse (Virtual Real Estate), the trending developments in Virtual Asset Service Providers (VASPs) encompass diverse opportunities and challenges.

Challenges in Regulating VASPs

Referring again to the Targeted Update 2023 by FATF, the main challenges faced in regulating VASPs and VAs are as follows:

  • The survey showed that many jurisdictions allow domestic VASPs to exchange cryptocurrencies and other virtual assets with non-licensed and foreign VASPs which increases the risk of money laundering and other financial crime. Domestic VASPs also faced difficulties in identifying the counterparty VASPs that were non-licensed.
  • The compliance tools fall short in ensuring the Travel Rule implementation of FATF standards.
  • A rising concern of (Democratic People’s Republic of Korea) DPRK’s direct involvement in illicit activities including money laundering and weaponry financing through cryptocurrency, cyber-enabled heists through VASPs to fund its illegal Ballistic Missile program. The Republic of Korea confirms these findings and adds that DPRK stole US$ 1.2 billion worth of virtual assets since 2017 including US$ 630 million in 2022 alone.
  • FATF also observed an increase in the use of AECs (Anonymity Enhanced Coins) and other VAs to fund terrorism worldwide. Globally banned terrorist organizations like Al-Qaeda & ISIL and their affiliates have shifted to the use of VAs through different illicit online activities.

From the above-mentioned points, it is clear that VASPs offer a high level of anonymity which gives criminals an edge in concealing their true identity and poses a risk to the financial integrity of the digital financial circle.

The most important thing to note in the case of VASPs and Virtual Assets is the high level of anonymity that they offer to users. Even after a stringent regulatory compliance framework that is actively working to regulate cryptocurrencies and other virtual assets globally, the challenge stays and cybercrime is rising virtually. Digital KYC sometimes known as eKYC is a concept that can help in identifying the actual owner and user of the VASP systems. A robust KYC solution can contribute to regulating VASPs through the following attributes:

  • Identity Verification and Authentication are the core parts of any KYC process. It helps in knowing the true identity of Virtual Asset owners and the people involved in transactions.
  • Through ongoing monitoring, KYC systems help enhance compliance with AML (Anti-Money Laundering) and CTF (Counter Terrorism Financing) regulations.
  • Risk Assessment allows VASPs to analyze the risk levels of customers and conduct due diligence accordingly.
  • KYC also helps the VASPs in the prevention of online fraud and its multiple types through the timely identification of actual users.

Furthermore, the KYC service providers offer different solutions, tools, and software suites specifically for the needs of VASPs. This not only enhances the customer onboarding experience through automated procedures like Biometrics but also ensures a crime-free digital world.

Also Read: KYC in Crypto Exchanges

Final Word

Virtual Asset Service Providers (VASPs) are at a high risk of financial crime like Money Laundering and ATO Fraud. To tackle this challenge, VASPs need to realize the importance of implementing regulations like the Travel Rule and enhancing their compliance practices as per their jurisdiction. Finally, KYC is a best practice in helping VASPs like crypto exchanges to identify and detect potential financial crime through prior identification means.
Also Read: Crypto Travel Rule and Money Laundering


KYC AML Guide: the Facebook share KYC AML Guide: the Linkedin share KYC AML Guide: the Twitter share
M Abd'al Bari
KYC AML Guide: the Linkedin share

Muhammed Abd'al Bari is a certified Research Professional of KYC AML Guide. Connect with Muhammed on LinkedIn.