The FATF and Global AML Standards

The Financial Action Task Force (FATF) is an intergovernmental organization established in 1989 to combat money laundering and terrorist financing.

FATF OVERVIEW

Established: 1989 (G7 initiative)
Headquarters: Paris, France
Members: 40 countries/jurisdictions
+ 2 regional organizations
Associate Members: 9 FATF-Style Regional Bodies (FSRBs)
covering 200+ jurisdictions

Mission: Set standards and promote effective
implementation of measures to combat
money laundering, terrorist financing,
and other related threats

Key Output: FATF Recommendations (40 recommendations)
+ Interpretive Notes
+ Guidance documents
```

FATF doesn't make law—but its influence is profound:

The Recommendation System:

FATF STANDARD-SETTING PROCESS

1. FATF Issues Recommendations

1. Mutual Evaluations

1. Grey/Black Lists

1. Peer Pressure and Market Effects

Why Countries Comply:

• Grey/black listing creates real economic consequences
• Correspondent banking access depends on FATF compliance
• International financial system access requires compliance
• Peer pressure among member nations

FATF's crypto-specific guidance evolved over time:

Key Documents:

FATF VIRTUAL ASSET GUIDANCE TIMELINE

2014: First acknowledgment of "virtual currencies"

2015: Guidance for risk-based approach

2018: Amendment to Recommendations
      - "Virtual Assets" (VAs) defined
      - "Virtual Asset Service Providers" (VASPs) defined

2019: Interpretive Note to Recommendation 15
      - Travel Rule extended to VASPs
      - June 2019 "Guidance for a Risk-Based Approach"

2021: Updated Guidance (October)
      - Clarifies peer-to-peer transactions
      - Addresses DeFi and NFTs
      - Stablecoin guidance

2023-2024: Implementation focus
      - Monitoring VASP compliance
      - Travel Rule implementation assessment

Key Definitions:

FATF DEFINITIONS

Virtual Asset (VA):
A digital representation of value that can be 
digitally traded or transferred, and can be used 
for payment or investment purposes.

Includes: Cryptocurrencies, tokens
Excludes: CBDCs, digital representations of fiat,
          securities (already regulated), closed-loop items

- Exchange between VAs and fiat currencies
- Exchange between one or more forms of VAs
- Transfer of VAs
- Safekeeping/administration of VAs
- Participation in financial services related to VA issuance

XRP Status: XRP is a virtual asset
Ripple/Exchanges: VASPs (to extent providing covered services)

---

The Travel Rule (Recommendation 16) requires that financial institutions include and transmit originator and beneficiary information with wire transfers. FATF extended this to VASPs in 2019.

Core Requirement:

TRAVEL RULE REQUIREMENTS

For VA transfers above threshold ($1,000/€1,000 in most jurisdictions):

• Originator name

• Originator account number (wallet address)

• Originator physical address OR national ID OR

• All originator information above

• Beneficiary name

• Beneficiary account number (wallet address)

• Receive and verify information

• Screen against sanctions

• Maintain records

• Report suspicious activity

The Threshold Question:

Different jurisdictions implement different thresholds:

TRAVEL RULE THRESHOLDS BY JURISDICTION

FATF Recommendation: $1,000/€1,000

United States: $3,000 (FinCEN)
EU (TFR): €0 (no threshold—all transfers)
Japan: ¥3,000,000 (~$20,000)
Singapore: SGD 1,500 (~$1,100)
Switzerland: CHF 1,000 (~$1,100)
UK: £1,000 (~$1,250)

Note: EU's zero threshold is strictest globally
Most jurisdictions align near FATF recommendation

The Travel Rule faces significant implementation challenges:

Technical Challenge: No Universal Protocol:

THE INTEROPERABILITY PROBLEM

Traditional Banking:
Bank A → SWIFT Network → Bank B
(Single, universal messaging system)

Crypto Before Travel Rule:
Exchange A → Blockchain → Exchange B
(No originator/beneficiary data transmitted)

Crypto After Travel Rule:
Exchange A → ??? → Exchange B
(Need separate system for compliance data)

- No single universal Travel Rule protocol
- Multiple competing solutions
- VASPs must support multiple protocols
- Cross-protocol communication incomplete

Competing Solutions:

TRAVEL RULE SOLUTIONS

- Coalition including Coinbase, Kraken, Gemini
- US-focused initially
- Expanding internationally

- Open protocol design
- Global focus
- Certificate-based security

- Asia-Pacific focus
- Used by Japanese exchanges

- Decentralized approach
- Blockchain-based verification

- Open-source protocol
- Swiss origins

Challenge: These don't all communicate with each other
Result: Fragmented compliance landscape

Operational Challenges:

1. Counterparty Identification:

2. Privacy Concerns:

3. Cost:

4. Unhosted Wallets:

The Travel Rule assumes VASP-to-VASP transfers. Self-custody creates complications:

UNHOSTED (SELF-CUSTODY) WALLET CHALLENGE

VASP → VASP Transfer:
Originating VASP → [Compliance Data] → Beneficiary VASP
Clear counterparty for data transmission ✓

VASP → Unhosted Wallet:
Originating VASP → [???] → Self-Custody Wallet
No counterparty to receive data ✗

Unhosted → VASP:
Self-Custody Wallet → [???] → Receiving VASP
No originating VASP to provide data ✗
```

Regulatory Approaches:

APPROACHES TO UNHOSTED WALLETS

- Travel Rule only applies to VASP-to-VASP
- Unhosted transfers: Standard AML on VASP side only
- No prohibition on unhosted wallet interaction

- VASP must collect information about unhosted wallet owner
- For transfers above €1,000: Verify wallet ownership
- Doesn't prohibit but adds friction

- Prohibit VASP-to-unhosted transfers
- Force all transactions through VASPs
- Effectively ban self-custody
- (Largely rejected by industry and many regulators)

---

Every XRP exchange must implement comprehensive AML programs:

EXCHANGE AML REQUIREMENTS

- Identity verification (KYC)
- Address verification
- Source of funds (for larger accounts)
- Ongoing monitoring

- Automated screening systems
- Pattern detection
- Threshold alerts
- Blockchain analytics integration

- OFAC (US)
- EU sanctions lists
- UN sanctions
- Country-specific lists
- Screen every transaction

- File SARs/STRs with authorities
- Timeliness requirements
- Record retention
- Staff training

- Data collection systems
- Protocol implementation
- Counterparty communication
- Record keeping

Cost of Compliance:

• Technology: Blockchain analytics, screening tools, Travel Rule systems
• Personnel: Compliance officers, analysts, legal
• Operations: Delays, manual review, customer friction
• Estimates: 2-5% of revenue for major exchanges

On-Demand Liquidity requires AML compliance at both corridor endpoints:

ODL AML REQUIREMENTS

Sender Side (Origin Corridor):
└─ Sending Institution (bank, payment provider)
   - Full KYC on sender
   - Source of funds verification
   - Sanctions screening
   - Transaction monitoring
   └─ Exchange (Market Maker)
      - VASP registration
      - Travel Rule compliance
      - Liquidity provider compliance

XRP Leg (XRPL):
└─ Transaction itself
   - No native AML (pseudonymous)
   - Compliance handled at on/off ramps
   - Blockchain analytics can trace

Receiver Side (Destination Corridor):
└─ Exchange (Market Maker)
   - VASP registration
   - Travel Rule compliance
   - Receive compliance data
   └─ Receiving Institution
      - Beneficiary verification
      - Final delivery compliance

Why This Matters:

1. Clear regulatory framework permitting VASPs
2. Licensed/registered exchanges with AML compliance
3. Travel Rule implementation (or equivalency)
4. Functioning fiat on/off ramps

Corridor Viability Assessment:

ODL CORRIDOR AML VIABILITY

- Japan → Philippines
- US → Mexico (with compliance)
- UAE → Various

- EU → Various (TFR implementing)
- Australia → Various

- Jurisdictions with weak AML infrastructure
- FATF grey-listed jurisdictions
- Jurisdictions without VASP framework

Institutions have additional AML considerations:

INSTITUTIONAL AML REQUIREMENTS

- Enhanced due diligence on crypto counterparties
- VASP customer risk assessment
- Ongoing monitoring requirements
- Regulatory reporting
- Board-level risk acceptance

- Custody through compliant custodians
- AML program covering fund operations
- Investor due diligence
- Investment committee approval of compliance framework

- Source of funds documentation
- Purpose of transactions
- Board authorization
- Ongoing monitoring

- Counterparty VASPs with strong AML programs
- Clear audit trail
- Regulatory acceptance in jurisdiction
- Legal opinion on compliance

---

Travel Rule implementation varies globally:

TRAVEL RULE IMPLEMENTATION STATUS (2025)

Fully Implemented:
┌──────────────┬────────────────────────────────────────┐
│ Jurisdiction │ Status                                 │
├──────────────┼────────────────────────────────────────┤
│ Japan        │ April 2023 effective; JVCEA protocols  │
│ Singapore    │ January 2020; MAS requirements         │
│ Switzerland  │ January 2020; FINMA guidance           │
│ South Korea  │ March 2022; VASP registration          │
│ USA          │ Technically in force; enforcement      │
│              │ ramping (FinCEN)                       │
└──────────────┴────────────────────────────────────────┘

Implementing (Transition):
┌──────────────┬────────────────────────────────────────┐
│ EU           │ TFR effective December 2024; full      │
│              │ implementation by 2025-2026            │
│ UK           │ Implementing through FCA framework     │
│ UAE          │ VARA/ADGM implementing                 │
│ Hong Kong    │ SFC framework includes Travel Rule     │
└──────────────┴────────────────────────────────────────┘

Limited/Unclear:
┌──────────────┬────────────────────────────────────────┐
│ Many         │ Varying levels of implementation       │
│ emerging     │ FATF monitoring progress               │
│ markets      │ Risk of grey-listing for non-compliance│
└──────────────┴────────────────────────────────────────┘

The EU's TFR is the strictest Travel Rule implementation:

EU TRANSFER OF FUNDS REGULATION

Effective: December 2024 (with MiCA)

- €0 threshold (ALL crypto transfers)
- Applies to all CASPs under MiCA
- Unhosted wallet requirements above €1,000
- Immediate interoperability expected

- Full originator/beneficiary information
- Verification obligations
- Record keeping (5 years)
- Sanctioned country restrictions

- Below €1,000: Standard CASP AML
- Above €1,000: Collect and verify unhosted wallet
- Creates friction for self-custody users

- Most comprehensive Travel Rule globally
- Higher compliance costs for EU CASPs
- Privacy concerns raised
- Industry adaptation ongoing

The US Travel Rule for crypto has complex history:

US TRAVEL RULE STATUS

- Bank Secrecy Act
- FinCEN existing Travel Rule (1996)
- 2019: FinCEN clarified applies to crypto

- Technically in force
- $3,000 threshold
- Enforcement has been limited
- Industry compliance varies

- Would have lowered threshold to $250
- Unhosted wallet documentation requirements
- Withdrawn/not finalized by successive administrations

- Enforcement increasing
- Industry compliance improving
- Protocol adoption (TRUST, TRISA)
- Practical implementation maturing

The biggest challenge—protocol interoperability—is improving:

TRAVEL RULE INTEROPERABILITY (2025)

- Major protocols developing bridges
- TRUST expanding internationally
- Cross-protocol messaging improving
- Industry standardization efforts

- Not all VASPs on same protocol
- Smaller exchanges lag adoption
- Cross-border complications
- Verification standards vary

- Travel Rule Universal Interoperability
- Standard message formats
- Certificate verification systems
- Testing environments

- 2025-2026: Major interoperability improvements
- 2026-2027: Near-universal coverage among major VASPs
- Smaller VASPs: Longer timeline

---

XRP and XRPL have compliance advantages and considerations:

Advantages:

XRP COMPLIANCE ADVANTAGES

- All XRPL transactions on public ledger
- Blockchain analytics can trace flows
- No native privacy features obscuring transactions

- Major exchanges all AML-compliant
- Ripple as known entity (not anonymous team)
- ODL built with compliance in mind

- Created for institutional use cases
- Compliance considered from inception
- Bank/FI target users already have AML infrastructure

Considerations:

XRP COMPLIANCE CONSIDERATIONS

- XRPL: 3-5 second settlement
- Travel Rule: May add delays for compliance checks
- Trade-off between speed and compliance overhead

- XRPL supports self-custody
- Travel Rule creates friction for VASP ↔ self-custody
- May push some users away from regulated exchanges

- XRP's key use case is cross-border
- Requires compliance in multiple jurisdictions
- ODL corridors need both-side compliance

Ripple has invested significantly in compliance:

RIPPLE COMPLIANCE INVESTMENT

- Active FATF and regulatory dialogue
- Compliance team growth
- Industry working group participation

- Built with AML compliance requirements
- Partner selection emphasizes compliance
- Corridor-by-corridor regulatory clearance

- NYDFS-regulated from launch
- Designed for compliant stablecoin market
- AML/KYC integrated

- Blockchain analytics integration
- Compliance monitoring tools
- Partner compliance verification

For XRP investors, AML requirements create both opportunities and considerations:

Opportunities:

1. Compliance as Moat:

2. Institutional Enabler:

3. Regulatory Acceptance:

Considerations:

1. Cost Passed Through:

2. Privacy Trade-offs:

3. Regulatory Dependency:

---

AML compliance is not optional for legitimate crypto adoption. The FATF framework, including the Travel Rule, creates universal requirements that VASPs must meet. This creates costs and friction—but also creates legitimacy and institutional pathway.

XRP and the broader Ripple ecosystem are well-positioned for AML compliance. The institutional focus, transparent blockchain, and compliance investment provide advantages. But compliance isn't free—it adds costs that affect economics.

For investors: AML compliance infrastructure is bullish for long-term adoption and institutional acceptance. The friction is real but manageable. The alternative—operating outside compliant systems—increasingly means operating outside the mainstream financial system.

---

Assignment: Create an AML compliance assessment for an XRP ODL corridor of your choice, evaluating whether the corridor meets FATF and jurisdictional AML requirements.

Requirements:

Part 1: Corridor Selection (100-150 words)

• Why you selected this corridor
• The general XRP/ODL use case it serves
• Key participants (sending/receiving institutions)

Part 2: AML Framework Analysis (250-300 words)

• FATF membership status
• Travel Rule implementation status
• VASP licensing requirements
• Key AML requirements
• Any grey/black list considerations

Part 3: Compliance Viability Assessment (150-200 words)

• Can compliant ODL operate in this corridor?
• What are the main compliance challenges?
• What would improve compliance viability?

Rate overall AML compliance viability: High / Medium / Low

• Professional assessment format

• Maximum 600 words

• Clear structure with sections

• Suitable for compliance review

• Research accuracy (25%): Are AML frameworks correctly described?

• Analysis depth (25%): Is the assessment thorough?

• Practical utility (25%): Would this help assess corridor viability?

• Presentation (25%): Is it professionally formatted?

Time investment: 2 hours (including research)
Value: Develops practical skill in assessing ODL corridor compliance.

---

1. FATF Role:

What is the FATF's role in crypto regulation, and why do countries follow its recommendations?

A) FATF is a global government that directly enforces crypto laws
B) FATF sets AML standards that countries implement; non-compliance risks grey/black listing with real economic consequences
C) FATF only advises banks, not crypto companies
D) FATF recommendations are purely voluntary with no practical effect

Correct Answer: B
Explanation: FATF is an intergovernmental body that sets standards (not laws). Countries implement these standards because grey/black listing creates real consequences—banking access difficulties, correspondent relationship problems, and reputational damage. Option A is wrong—FATF doesn't directly enforce. Option C is wrong—VASP guidance explicitly covers crypto. Option D is wrong—there are significant practical effects.

---

2. Travel Rule:

What information must the originating VASP collect and transmit under the Travel Rule?

A) Only the transaction amount
B) Originator name, account number, address/ID, and beneficiary name and account number
C) Complete tax records for both parties
D) Travel Rule only applies to fiat transfers, not crypto

Correct Answer: B
Explanation: The Travel Rule requires originator name, account (wallet) number, and physical address OR national ID OR customer ID OR date/place of birth, plus beneficiary name and account number. This information must be transmitted to the beneficiary VASP. Option A is incomplete. Option C overstates. Option D is wrong—FATF explicitly extended Travel Rule to VASPs.

---

3. Implementation Challenge:

What is the primary technical challenge in Travel Rule implementation for crypto?

A) Blockchain technology cannot support any compliance
B) No universal protocol exists for VASP-to-VASP information sharing, requiring multiple competing solutions
C) Travel Rule has been implemented seamlessly with no challenges
D) Only the US has implemented Travel Rule

Correct Answer: B
Explanation: Unlike traditional banking (SWIFT), crypto lacks a universal messaging system for compliance data. Multiple competing protocols (TRUST, TRISA, Sygna, etc.) don't all communicate with each other, creating fragmentation. Option A is wrong—blockchain supports compliance at on/off ramps. Option C is wrong—challenges are well-documented. Option D is wrong—many jurisdictions have implemented.

---

4. Unhosted Wallets:

How does the EU's Transfer of Funds Regulation handle VASP transfers to unhosted (self-custody) wallets?

A) Prohibits all transfers to unhosted wallets
B) Below €1,000: standard CASP AML; above €1,000: CASP must collect and verify unhosted wallet owner information
C) No requirements apply to unhosted wallet transfers
D) Only fiat-to-crypto transfers are regulated

Correct Answer: B
Explanation: EU TFR takes restrictive approach to unhosted wallets. Below €1,000, standard AML applies. Above €1,000, the CASP must collect and verify information about the unhosted wallet owner. This creates friction for self-custody but doesn't prohibit it (Option A wrong). Options C and D are incorrect—requirements explicitly apply.

---

5. XRP Positioning:

Why is XRP's ecosystem considered well-positioned for AML compliance?

A) XRP transactions are completely anonymous and untraceable
B) XRPL's transparent public ledger, Ripple's institutional focus and compliance investment, and ODL's design for compliant corridors create compliance advantages
C) XRP is exempt from AML requirements
D) AML compliance doesn't matter for XRP adoption

Correct Answer: B
Explanation: XRP's compliance positioning comes from: transparent public ledger (traceable, not anonymous—Option A wrong), Ripple's compliance investment, institutional design focus, and ODL built with compliance in mind. Option C is wrong—XRP as virtual asset is subject to AML. Option D is wrong—AML compliance is prerequisite for institutional adoption.

---

For Next Lesson:
Lesson 8 begins Phase 2 with a deep dive into Singapore—the "precision regulator" that built one of the world's most sophisticated crypto frameworks. We'll examine MAS's approach, the June 2025 DTSP framework, and why Singapore attracts crypto businesses despite strict requirements.

---

End of Lesson 7

Total words: ~5,300
Estimated completion time: 50 minutes reading + 2 hours for deliverable

---

---

End of Lesson 7 / End of Phase 1