By Dow Jones Risk & Compliance

Since the fall of Mt. Gox, regulators around the world have been examining the risks and challenges associated with cryptocurrencies. A now-defunct Tokyo-based cryptocurrency exchange, Mt. Gox was hacked in 2014 for 850,000 bitcoins (at the time worth almost USD500 million), which raised important regulatory questions. While the Tokyo District Court approved a case-related rehabilitation plan last year, the questions of jurisdiction, the financial definition of cryptocurrency and virtual asset service providers (VASPs), security protocols and anti-money laundering/countering financing of terrorism (AML/CFT) measures continue to be discussed among regulators and crypto players.

Amidst escalating needs to counter ransomware attacks and to prevent virtual currencies from being used for sanctions evasion, regulators, led by the Financial Action Task Force (FATF), are scrambling to regulate the crypto industry. It is therefore imperative for businesses to keep abreast of relevant regulations in order to mitigate financial and legal risks in the ever-evolving crypto world.

Regulatory Landscape

FATF

Although the FATF’s recommendations and guidance are not legally binding, they are recognised international standards and many countries are working to comply with them. In October last year, FATF updated the guidance for virtual assets (VAs) and VASPs. Some key recommendations for crypto businesses are:

VASPs are to be subject to the same relevant FATF measures that apply to financial institutions. This means that customer due diligence, including identification of beneficial owners and politically exposed persons (PEPs), enhanced due diligence for high-risk jurisdictions, record keeping, sanctions screening and reporting of suspicious transactions, are required for crypto businesses.

VASPs need to be licenced or registered where they are created, through an existing or new purpose-built mechanism. VASPs whose services can be accessed from a different jurisdiction may also be requested to register in the hosting jurisdictions.

While the idea is not new, the FATF takes the view that the so-called travel rule (Recommendation 16) — the obligation to obtain, hold and transmit required originator and beneficiary information immediately and securely throughout the payment chain — applies to VA transfers. VASPs such as exchanges and custodial wallet service providers should be required to capture certain information, such as the names of the originator and the beneficiary, addresses and identification numbers in line with customer due diligence (CDD) requirements for any transaction over USD/EUR1,000.

Singapore

Singapore is attempting to continue its success in branding itself as Asia’s crypto financial hub by introducing strict regulations while maintaining a tax-friendly environment and driving blockchain innovation. This initiative was recently reiterated by Ravi Menon, Managing Director of the Monetary Authority of Singapore (MAS): “The licencing process is stringent because we want to be a responsible global crypto hub, with innovative players but also with strong risk management capabilities.”

Pursuant to this, the city-state has implemented these key measures:

After the Financial Services and Markets Bill was passed earlier this year, intermediary companies that want to process digital payment tokens are required to obtain a licence if they are established in Singapore but provide services outside of the country. This brings the country’s licence requirement in line with the latest FATF guidance.

Under the Payment Services Act, the crypto licensee will need to satisfy certain requirements such as having a permanent place of business, record keeping and having a “fit and proper” person, as well as being in good financial standing. In addition, they will also be subject to AML/CFT requirements. These include due diligence exercises, transaction monitoring, record keeping and reporting of suspicious transactions related to AML/CFT risks.

The travel rule implemented through MAS Notice PSN02 on Notice to Holders of Payment Service Licence (Digital Payment Token Service), which came into effect in January 2020, imposes more stringent requirements for information gathering (e.g. the identification number and residential address for transactions exceeding SGD1,500 in value).

Hong Kong

Hong Kong is also establishing a robust regulatory regime for crypto players. The Legislative Council has accepted that Hong Kong’s regulatory regime for VASPs should be “more rigorous and comprehensive (than those in Singapore, the UK and Japan)”. This has been achieved through amendment of the existing Anti-money Laundering and Counter-terrorist Financing Ordinance (AMLO). These changes come into effect on 1 March 2023.

Currently, the Securities and Futures Commission (SFC) can only regulate VA trading platforms through a voluntary licencing mechanism; trading services in non-security tokens fall outside of the SFC’s jurisdiction. Although voluntary licensees are required to have AML/CFT procedures, a reputable external market surveillance system, full insurance coverage, due diligence on VAs and good financial standards, the opt-in scheme has limited reach and carries no enforcement. For example, many major cryptocurrencies, such as bitcoin and ethereum, are not considered ‘securities’ and fall outside of the SFC’s jurisdiction. There are certain requirements for fund managers of VA discretionary investment accounts investing in cryptocurrencies that are not considered securities.

The Hong Kong Monetary Authority (HKMA) traditionally oversees AML/CFT matters related to financial institutions but does not regulate cryptocurrencies, as they are a ‘virtual commodity’ rather than legal tender. However, the HKMA has publicly warned of the highly speculative nature of virtual commodities and urges extra caution when considering transactions or investments.

From March of next year, VA will be defined as ‘digital representation of value’ under the amended AMLO and the SFC will have wider licencing and enforcement powers.

Firstly, anyone seeking to operate a VA exchange will need a licence, whilst those who participate in the opt-in scheme will be exempt. Similar to financial institutions, licence applicants will need to pass a ‘fit and proper’ test assessing experience and qualifications as well as previous convictions.

Secondly, the applicant will need to appoint at least two SFC-approved responsible officers to ensure AML/CFT compliance requirements are met under Schedule 2 to the AMLO. This includes CDD, the travel rule and record keeping.

Lastly, the SFC will be given robust supervisory powers such as inspection, investigation and imposition of administrative sanctions in the case of non-compliance. For example, operating a VA exchange that is open to the public of Hong Kong without a licence could incur a fine of HKD5 million and seven years’ imprisonment. In case of AML/CFT non-compliance, responsible officers may be liable to a fine of HKD1 million and two years’ imprisonment.

Currently, the VASP regulatory regime is limited to those providing services to professional investors, but is likely to expand to retail investors. Peer-to-peer platforms where transactions are taking place privately, as well as stablecoins, are excluded.

Japan

Japan suffered yet another crypto heist in 2018 when Coincheck, a Tokyo-based cryptocurrency exchange, was hacked for over USD500 million in digital assets. The attack highlighted not only security concerns but also wider sanctions implications. According to cybersecurity firm Group-IB, the North Korean state-sponsored Lazarus Group was behind the attack. Lazarus Group has since been sanctioned by the United States for participating in North Korea’s cyber operations to support illicit weapon and missile programmes. Japan has traditionally been a crypto-friendly country; cryptocurrencies have been recognised as property since 2017 under the Payment Services Act (PSA) and crypto investments are taxed as ‘miscellaneous income’. Given the recent scandal, the country is developing a new set of regulations:

In terms of registration, Crypto-asset Exchange Service Providers (CAESPs), including traditional exchanges, brokering service providers and custodial wallet providers, must register with the Financial Services Agency (FSA). To do so, applicants need to have a physical presence in Japan, JPY10 million in capital, a sound corporate structure and an appropriate compliance programme. For a foreign company to register, it must have a licence equivalent to the requirements under the PSA and a resident representative in Japan.

The registration process includes a questionnaire, which covers a broad range of topics such as system security, privacy protection, AML/CFT measures (PEP and sanctions screening and auditing processes), and measures to counter anti-social forces.

The FSA issued a second warning last year against Binance, the largest global crypto exchange, for operating in Japan without a licence.

As a Specially Permitted Business under the Act on Prevention of Transfer of Criminal Proceeds, CAESPs are required to perform a Know Your Customer (KYC) procedure for any transactions over JPY100,000. Transactions over JPY2 million are considered high risk and require additional checks, such as additional KYC documentation and confirming the source of income.

Following the Russian invasion of Ukraine, Japan revised the Foreign Exchange and Foreign Trade Act to prevent cryptocurrencies from being used to evade sanctions. Accordingly, CAESPs are now prohibited from executing crypto transfers unless they confirm that the recipient is not on a sanctions list.

The travel rule was introduced on 1 April 2022, with full implementation from 1 October 2022, by the Japan Virtual and Crypto assets Exchange Association (JVCEA), the self-regulated body established under the PSA. During the transition period, CAESPs initiating a transaction with receiving VASPs must obtain, keep and share the originator’s name and address and the name of the beneficiary. The beneficiary’s address and transaction purpose must be shared beginning in October. Even when there is no requirement to pass the information to the receiving VASP (e.g. the receiving VASP is located in a jurisdiction with no travel rule), an individual risk assessment will also be required before approving the transaction.

South Korea

In South Korea, after the amendment of the Act on Reporting and Using Specified Financial Transaction Information came into effect in September 2021, domestic and offshore VASPs are required to register with the Financial Intelligence Unit and comply with various AML/CFT obligations. A couple of key points should be considered for crypto compliance:

Security tokens representing ownership of a business or financial interest are currently treated like other VAs, but the Financial Services Commission has recently proposed to amend the Capital Markets Act to incorporate Security Token Offerings (STOs). This may result in more oversight and regulation of tokens, similar to securities.

When VASPs provide exchange services involving fiat currency, customers must establish a real-name bank account at the same bank as the VASP. VASPs are also required to verify the identity of their customers through their banks, which will bring more traceability in the market.

Regulatory Pitfalls

While crypto regulations diverge across Asia and the world, it is important to determine what type of business entity you are defined as in your home jurisdiction because this serves as the basis for various regulatory requirements. Similarly, it is important to understand where your customers are, as their consumer protections may restrict your activities in their jurisdiction.

Keep up with technology. Blockchain technology is still in its early stages. Non-fungible tokens (NFTs) are growing in popularity. While the FATF does not recognise NFTs as VAs, it cautions that a case-by-case approach is necessary when they are used for payment or investment purposes. There are many gray areas regulators have not clarified, such as the treatment of stablecoins.

Keep up with regulatory changes. Crypto regulations are still fragmented; countries are trying to regulate virtual activities by redefining existing regulations or through new regimes. Last month, the EU agreed to expand the travel rule and synchronise regulations across member states. Crypto firms will be required to declare information on their environmental and climate footprint. More regulatory oversight is expected globally in the coming years.

As highlighted in a recent Group of Seven statement, crypto assets are already covered by existing sanctions regimes. The US has already penalised a mining firm for facilitating sanctions evasion by Russia and a crypto exchange for facilitating ransomware actors’ transactions. Due to their global reach, crypto businesses should be aware of US sanctions as well as domestic sanctions.

Outlook

For crypto firms, it is important to detect regulatory risks early, establish a corporate governance framework and have a playbook ready. They can also learn from traditional financial institutions with decades of experience in risk management training, establishing auditable workflows, screening, reporting and managing reputational risks. Consumer sentiment is also important, as calls for stronger oversight came from consumers who witnessed the recent market crash. As more rogue nations and criminals exploit the crypto world, regulatory activities will increase along with compliance needs.


Dow Jones Risk & Compliance is a global provider of risk data, integrated technology solutions and due diligence services covering anti-money laundering, anti-bribery and corruption, sanctions and international trade compliance.