In the (Mankun Research | Overview of Cayman’s New Regulations: Virtual Asset Compliance Enters the 'Deepening Regulation' Phase) released by Mankun, we detailed the strict regulations of the 2024 VASP amendment in the Cayman Islands on Web3 project architecture, auditing, licensing, etc. Previously, we also analyzed the VASP laws released by Dubai and Hong Kong.
I wonder if everyone has noticed a common point: regardless of which country or region, the definitions, architectural designs, information disclosure obligations, and AML/KYC regulatory requirements for VASPs present a highly convergent trend.
So, why do global VASP laws show such an astonishing convergence? Is it merely coincidence, or is there another 'invisible referee' behind it?
Here, Mankun can give everyone a clear answer: Behind the global regulatory convergence, there is a real driving force—the FATF (Financial Action Task Force).
How does the FATF shape the fate of Web3 projects?
So, who exactly is the FATF? How does it influence the direction of VASP laws in various countries?
Let me briefly introduce: the FATF (Financial Action Task Force) was established in 1989, initiated by the G7 and supported by the OECD. It is the most influential organization for anti-money laundering (AML) and counter-terrorism financing (CFT) policy formulation globally. Its (40 Recommendations) have become the 'baseline standard' for global financial regulation.
Although the FATF itself does not have direct law enforcement power, it continually exerts financial cooperation pressure through legislative transmission by member countries and regular peer review mechanisms (grey list, black list), directly promoting legislative obligations for various countries and the private sector (trading platforms, custodians, DeFi projects), ultimately affecting every Web3 project team and investor.
As of now, the FATF has 39 member countries, including the United States, China, the United Kingdom, Singapore, Dubai, the Cayman Islands, and many other popular Web3 jurisdictions. In recent years, these countries and regions have launched highly convergent VASP laws in accordance with FATF requirements.
As the highest standard-setting body for global anti-money laundering and counter-terrorism financing policies, the FATF's (40 Recommendations) has become an important blueprint for financial regulatory legal systems in various countries, especially in the fields of banking, securities, funds, insurance, and the recently emerging virtual assets sector, where its established rules are almost equivalent to the 'baseline standards for global financial compliance'.
The impact of the FATF on the Web3 industry can be traced back to 2019. That year, the FATF first included virtual assets and virtual asset service providers (VASPs) into the regulatory framework and published (Guidelines for Virtual Assets and VASPs), clearly requiring member countries to incorporate VASPs into their anti-money laundering and counter-terrorism financing systems.
For Web3 entrepreneurs, starting from that year, the design of project governance structure, transparency of funding chains, and cross-border business layout have gradually started to be included in global compliance regulatory perspectives.
In the following years, the FATF will issue supplementary documents or assessment reports, such as the (Virtual Assets Update Guidelines) in October 2021, multiple rounds of (peer review reports) (compliance progress reviews) from 2022 to 2024, as well as 'grey lists' and 'black lists', continuously expanding the regulatory coverage over new business models like NFTs, DeFi, and stablecoins.
Although the FATF does not directly intervene with project teams, it influences every Web3 entrepreneur and investor's business decision-making space through legislative transmission by member countries and regulatory oversight by the private sector. So, how does the FATF gradually implement these standards into the VASP laws of various countries?
Mankun believes that the approach should start from the following clear paths:
1. Directly establish regulatory baseline standards
The FATF clearly defines VASP in a broad sense, including centralized exchanges, custody wallets, OTC service providers, and also encompasses DeFi protocols and NFT platforms that have governance or control rights. The VASP laws of various countries are almost designed based on this blueprint, with the definition boundaries continuously expanding, leaving less and less room for regulatory avoidance.
2. Promote the core rule 'Travel Rule' implementation
The FATF requires countries to write the 'Travel Rule' into local laws, and VASPs must transmit the identity information of the sender and receiver during virtual asset transfers, directly connecting the KYC chain and seamlessly integrating with traditional financial systems like banks, ensuring transparency throughout the funding flow.
3. Regular peer reviews and pressure exertion
The FATF conducts (compliance peer reviews) and (follow-up assessments) annually for its member countries, placing non-compliant countries on the 'grey list' or 'black list', restricting their international financial cooperation and foreign capital inflow. To avoid being listed, countries are accelerating the introduction of VASP laws and strictly controlling industry risks.
4. Continuously update guidelines to expand the regulatory scope
The FATF continuously includes emerging business models such as NFTs, stablecoins, and DeFi into the regulatory scope by issuing supplementary documents, and countries are also compelled to amend their laws in synchrony to ensure 'no dead ends'.
Here, there is an interesting fact. In 2023, the UAE was placed on the FATF's grey list, during which numerous local trading platforms and custodians faced upgraded compliance reviews, and foreign investment entry was hindered. This restriction lasted for more than half a year, until the rectification was completed and the UAE was officially removed in March 2024. Similar cases also occurred in South Korea and Singapore, fully demonstrating the profound impact of the FATF's 'invisible referee' on the global regulatory direction.
This also explains why we see VASP laws in jurisdictions like the Cayman Islands, Dubai, and Hong Kong, which appear to have their own characteristics, but the core provisions are highly consistent. The 'invisible referee' behind this is the global top-level standards set by the FATF.
Of course, this also means that with the acceleration of the global Web3 regulatory process, all member countries will soon arrange clearer regulatory laws for the Web3 industry based on those set by the FATF.
What are the impacts and challenges for Web3 entrepreneurship?
Mankun believes that under FATF's global standards, VASP projects and even investors face three major impacts and challenges:
With the strict alignment of KYC, Travel Rule, and black and grey lists requirements by member countries, the transparency requirements for the source and destination of funds have significantly increased, causing funding chains from some high-risk countries to nearly come to a halt.
Many project teams believe that DAO or NFT projects naturally evade regulation, but from the FATF's perspective, as long as there is concentration in governance or financial authority, they still fall under the scope of VASP regulation. Therefore, the shareholders, directors, and beneficial owners of these projects need to be transparent in advance, and the design space for project structures narrows while the pressure for structural adjustments increases.
Policies in jurisdictions like the Cayman Islands, which are regulatory lenient, will no longer be able to serve as a 'safe haven' for Web3. Cross-border license applications, technical system integrations, audit reports, etc., are gradually becoming rigid investments that Web3 project teams must face, raising compliance costs globally.
In this comprehensive trend, how should Web3 project teams and investors respond to these global challenges?
How to find compliance pathways under FATF regulation?
Under the unavoidable regulatory logic of FATF standards, how to reduce compliance costs and maintain long-term competitiveness is a question that every Web3 project team and investor must seriously consider.
Then, while fully complying with FATF regulatory programs, Mankun advises VASP project teams and investors to take the following steps in advance to avoid passive responses to compliance pressure:
1. Choice of jurisdiction
Taking as an example the currently clear and crypto-friendly jurisdictions, such as the Cayman Islands, which are suitable for custody, issuance, and fund-based VASP projects, but must optimize the shareholder structure in advance to avoid shareholder penetration review obstacles; Dubai, suitable for technology research and development, innovative businesses, can quickly enter through a regulatory sandbox, but the compliance supporting the Travel Rule must be planned in advance; Singapore and Hong Kong are more suitable for trading platforms and custody services, and must meet strict AML/KYC and capital requirements in advance.
2. Project structure design
Proactively sort out the governance structure of your project, especially focus on whether governance power is concentrated and whether the financial attributes of the project are too strong, to avoid being forcibly included in regulation due to issues with the determination of the actual controller. Additionally, it is advisable to equip a dedicated compliance officer or independent director in advance to improve the project governance structure and compliance system, facilitating smoother license applications and subsequent regulatory reviews. Moreover, when developing and operating infrastructure projects, pay attention to the substantial separation between projects to avoid causing a chain reaction due to unclear separations.
3. Regarding the Travel Rule
Proactively design cross-border transaction data transmission solutions that meet FATF requirements, especially suggesting that trading platforms and custodians consider introducing privacy-enhancing technologies like MPC (Multi-Party Computation) and ZKP (Zero-Knowledge Proof) to create compliance-friendly and user-trustworthy technical solutions, which may instead form their own competitive barriers.
4. Global VASP licensing layout
As mainstream trading platforms represented by Binance apply for and obtain VASP licenses in multiple countries and regions, the necessity and strategic significance of VASP licensing layout are increasingly prominent. At the same time, with compliance synchronizing under the push of FATF standards, the previous path of 'bypassing regulation through a single legal jurisdiction like Cayman or BVI' has gradually become ineffective. The future trend is that multi-jurisdiction VASP licenses, transparent funding sources, and governance penetration will become standard configurations. Therefore, Mankun also suggests project teams to plan for VASP licenses in advance based on their business models and market positioning in multiple jurisdictions such as Singapore, Dubai, and Europe (like Estonia and Lithuania), to build a robust global compliance network, reduce single jurisdiction compliance risks, and enjoy policy dividends in advance.
By the way, professional matters should certainly be handled by professionals.
If you also wish to proactively align with the core regulations of the FATF and prepare adequately for compliance, feel free to consult with Mankun Law Firm at any time. As an experienced Web3 lawyer, Mankun has been closely monitoring global regulatory trends and possesses rich experience in commercial law, licensing applications, and regulatory compliance on the practical level, providing comprehensive compliance services for Web3 projects to help businesses move forward steadily.
/ END.
