1. What is FATF?

The Financial Action Task Force (“FATF”), created in 1989 by the Group of Seven G-7, is the leading intergovernmental body for establishing guidelines to combat money laundering, terrorist financing, the proliferation of weapons of mass destruction, and other threats related to the integrity of the financial system.

2. What are the FATF Recommendations?

The FATF Recommendations (“Recommendations”) outline measures that countries must implement to combat money laundering, terrorist financing, the proliferation of weapons of mass destruction, and other related crimes.

The legislations of FATF member countries must observe such Recommendations from their own legal, governmental, socioeconomic, and risk nature. Mexico has been a member country since 2000.

3. Which Recommendations should be considered in crypto-asset transactions?

First of all, FATF and Mexican regulations use “Virtual Asset” to refer to crypto-assets. Therefore, this term will be used in this document.

The Recommendations establish guidelines to the countries and applicable to the authorities that regulate or supervise the regime for the prevention of money laundering and combating the financing of terrorism (“AML”) and the regulated entities.

Regulated entities are classified as i) entities that are part of the financial system; and ii) designated non-financial businesses and professionals (“DNFBPs”).

DNFBPs are certain types of legitimate businesses and professions that, due to their characteristics, can be used by organized crime to access illicit resources to the formal economy, to hide their criminal origin, and which are known in Mexico as “Vulnerable Activities”.

Although Recommendation 22 establishes some examples of DNFBPs (casinos, real estate agents, dealers in precious metals and precious stones, lawyers, notaries, accountants, etc.), these are selected by each country according to their risk levels and the degree of exposure to which they are subject and depending on their tendency to operate with resources of illicit origin.

4. What does Recommendation 15 establish?

Under Recommendation 15, countries should identify and assess the money laundering or terrorist financing risks that may arise concerning: i) the development of new products and new business practices, including new delivery mechanisms; and ii) the use of new or developing technologies for both new and existing products.

Specifically, it indicates that in order to manage and mitigate risks arising from Virtual Assets, countries should ensure that Virtual Asset Service Providers (“VASPs”) are regulated for AML purposes and are licensed or registered and subject to monitoring systems, as well as ensure compliance with the relevant measures required in the FATF Recommendations, which are described below.

Also, by the Interpretative Note to Recommendation 15:

a. Countries should consider Virtual Assets as “goods”, “products”, “funds”, or other assets of “equivalent value”.

b. Countries should identify, assess, and understand the money laundering and terrorist financing risks arising from Virtual Assets and VASP transactions.

c. Countries should require that VASPs identify, assess and take adequate measures to mitigate their money laundering and terrorist financing risks.

d. VASPs should be licensed or registered. At a minimum, VASPs should be required to be licensed or registered in the country where they are established.

e. Countries may also require that VASPs offering products and services to customers in their jurisdiction or conducting operations from their jurisdiction be licensed or registered in their jurisdiction as well.

f. Competent authorities should take the necessary measures to prevent criminals from owning, being beneficial owners of, having a controlling or significant interest in, or occupying a management role in a VASP.

g. Countries should take measures to identify natural or legal persons carrying out VASP activities without the necessary license or registration and apply the corresponding sanctions.

h. Countries do not need impose a separate licensing or registration system concerning financial entities operating with Virtual Assets.

i. Countries should ensure that VASPs are subject to adequate AML regulation and supervision and effectively implement the relevant FATF Recommendations and national AML requirements.

j. VASPs should be supervised or monitored by a competent authority, not by a self-regulatory body.

k. Supervisors should have adequate powers to monitor and ensure compliance by VASPs, including the authority to conduct inspections, compel the production of information, and impose disciplinary and financial sanctions, including the power to withdraw, restrict or suspend the license or registration of the VASP.

l. Countries should ensure a range of practical, proportionate, and dissuasive sanctions, whether criminal, civil or administrative, In addition, sanctions should apply not only to VASPs, also to their directors.

m. Concerning preventive measures:

  • The designated threshold for occasional transactions above which CSDPs must conduct customer due diligence (“CDD”) is USD/EUR 1,000.
  • Countries should ensure that VASPs: i) obtain and maintain originator information and beneficiary information on transfers of Virtual Assets; and ii) send the above information to the beneficiary VASP or financial institution (if any) promptly and securely, as well as make it available to competent authorities upon request.
  • Countries should ensure that beneficiary VASPs obtain and maintain originator information and beneficiary information on transfers of Virtual Assets and make it available to the competent authorities upon request.
  • The information mentioned in the above points may be submitted directly or indirectly. This information do not need be attached directly to the transfer of Virtual Assets.

n. Countries should provide the broadest possible range of international AML cooperation about Virtual Assets.

5. What obligations do the rest of the applicable Recommendations establish?

In general terms, we can determine that operations with Virtual Assets must comply with the following obligations within the context of the Recommendations:

Recommendation 10.
Customer due diligence.

Establish CDD measures, such as:

a. Identify the customer and verify his identity.

b. Identify the beneficial owner and take reasonable steps to verify their identity.

c. Understand the intended purpose of the business relationship.

d. Conduct ongoing due diligence of the business relationship and review transactions conducted throughout that relationship to ensure that the transactions are consistent with the VASP’s knowledge of the customer.

Recommendation 11.

Maintain for at least five years all necessary records on operations, both local and international, to enable them to promptly comply with requests for the information requested by the competent authorities.

Recommendation 12.
Politically Exposed Persons.

Take steps to determine whether a customer or beneficial owner is a Politically Exposed Person. In cases of a higher risk relationship with such persons:

a. Obtain senior management approval to establish (or continue, in the case of existing customers) such relationships.

b. Take reasonable steps to establish the source of resources.

c. Conduct intensified ongoing monitoring of the business relationship.

Recommendation 17.
Dependence on third parties.

Third parties may be allowed to be delegated to perform CDD measures; however, the final responsibility will always remain with VASP.

Recommendation 18.
Internal Controls and Foreign Branches and Subsidiaries.

Where appropriate, implement group-wide AML programs, including policies and procedures for sharing information within the group. Moreover, ensure that foreign branches and subsidiaries apply AML measures by home country requirements to implement the FATF Recommendations.

Recommendation 19.
Highest risk countries.

Apply enhanced CDD measures to business relations and transactions with natural and legal persons and financial entities from countries for which the FATF makes a call in this regard (“Black List” or “Grey List”).

Recommendation 20.
Suspicious transaction reporting.

Suppose it is suspected that the resources used in the transactions are the proceeds of criminal activity or are related to the financing of terrorism. In that case, a report must be promptly issued to the Financial Intelligence Unit (“FIU”).

Recommendation 21.
Disclosure and confidentiality.

VASPs, their directors, officers, and employees shall:

a. Be protected by law against criminal and civil liability for violation of any restriction on disclosing information imposed by contract or by any legislative, regulatory or administrative provision if they report their suspicions in good faith to the FIU.

b. Being prohibited by law from disclosing that a suspicious transaction report or related information is being submitted to the FIU.

6. What additional criteria has FATF issued?

In addition to the Recommendations, the FATF, with the support of the G-20, has issued some specific documents to guide countries in the application of these Recommendations to the Virtual Assets sector. FATF guidelines apply when Virtual Assets are exchanged for fiat currency and when they are transferred from one Virtual Asset to another. The FATF has issued the following documents that complement its Recommendations on this matter:

a. Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

b. Review of the FATF Recommendations: Virtual Assets and Virtual Asset Service Providers.

c. FATF Report to the G20 on the so-called Stable Currencies.

Scope of CBDC.

The FATF clarifies that Central Bank Stable Currencies, known as “CBDCs”, are not considered Virtual Assets, as they are digital representations of fiat currencies. However, the Recommendations would similarly apply to any other form of fiat currency issued by a central bank.

Virtual Assets Definition.

FATF defines Virtual Assets as a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes. Virtual Assets do not include digital representations of fiat currencies, securities, and other financial assets already covered elsewhere in the FATF Recommendations.

VASP definition.

FATF defines a VASP as any natural or legal person that is not covered elsewhere by the Recommendations and carries out one or more of the following activities or transactions for or on behalf of another natural or legal person:

a. Exchange between Virtual Assets and fiat currency.

b. Exchange between one or more forms of Virtual Assets.

c. Transfers of Virtual Assets.

d. Custody and management of assets or instruments that allow control over Virtual Assets.

e. Provision of financial services related to an issuer’s offer and sale of a Virtual Asset.

NFT as a Virtual Asset.

A Non Fungible Token (“NFT”) is generally not considered a Virtual Asset. However, some NFTs may be considered Virtual Assets if used for payment or investment purposes. NFTs that are digital representations of other financial assets covered by the Recommendations are not considered Virtual Assets. The FATF recommends a “functional approach” to regulate these types of assets; therefore, countries should consider applying the Recommendations to CFTs on a case-by-case basis.

DeFi software as a VASP.

When a decentralized or distributed application (“DApp”) can facilitate or carry out the Exchange or transfer of a Virtual Asset and offers services such as those offered by VASPs, the term Decentralized Finance (“DeFi”) will be used. However, DeFi software or application is not a PSAV, but the creators, owners, operators, or persons having sufficient control or influence over the DeFi arrangement could be considered a PSAV when they are actively providing or facilitating the services.

ICO as a VASP.

When considered in a broad sense, the interpretation of the definition of VASP covers activities related to an Initial Coin Offering (“ICO”).

ICOs are generally used to raise resources for new projects from the first sponsors, covering particular persons who participate in the offer and sale of Virtual Assets from issuers or provide related financial services through ICOs.

The FATF determines that the definition of VASP does apply to entities in an ICO; however, it will be the facts and circumstances underlying an asset, activity, or service that will determine the categorization.

RBA Methodology.

Recommendation 1 states that countries should apply a Risk-Based Approach (“RBA”) to ensure that measures to prevent and mitigate money laundering and terrorist financing risks are proportionate to the risks identified in their respective jurisdictions.

When developing new products, VASPs should assess money laundering and terrorist financing risks prior to commercialization and put mitigation measures prior to launch.

Controls on P2P operations.

The FATF calls on countries and VASPs to understand the risks associated with peer-to-peer (“P2P”) transactions, which do not involve any obliged parties and are therefore not explicitly subject to money laundering and terrorist financing prevention controls under the FATF Recommendations.

The suggested measures are as follows:

a. Conduct outreach to the private sector, including VASPs and representatives of the P2P sector.

b. Training of FIU supervisory staff.

c. Encourage the development of methodologies and tools such as blockchain analytics to collect and evaluate P2P2 market metrics and risk mitigation solutions and methodologies to identify suspicious transactions.

d. Oblige VASPs to facilitate transactions only to and from VASPs themselves and other obliged parties that comply AML requirements.

Travel Rule.

The FATF provides additional clarity as to the correct implementation of Recommendation 16 and its Interpretative Note (“Travel Rule”), indicating that countries should ensure that VASPs and, where relevant, financial institutions, include the required and accurate originator information, and the required beneficiary information, in transfers of Virtual Assets, and that it is obtained, maintained and transmitted securely and promptly.

The Travel Rule applies to VASPs whenever transactions in fiat currency or Virtual Assets involve:

a. A traditional wire transfer.

b. A transfer of Virtual Assets between a VASP and another obligor.

c. A transfer of Virtual Assets between a VASP and a non-obligated entity (unhosted wallet).

The Travel Rule must be complied with by anyone sending USD 1,000 or more in Virtual Assets either through a VASP or a financial institution.

7. What are examples of warning signs in crypto-asset trading?

ccording to the FATF, when assessing a potentially suspicious transaction, competent authorities, financial institutions, DNFBPs, and VASPs should remember that some red flags may be more readily observable during general transactional monitoring. In contrast, others may be more readily observable during transaction-specific reviews.

Observation of one or more indicators depends on the lines of business, products, or services a financial institution or PSAV offers and how it interacts with its customers. When one or more red flags are present, with little or no indication of a legitimate economic or commercial purpose, the regulated entity is more likely to suspect that money laundering or terrorist financing occurs.

Examples of red flags, which are illustrative but not limiting, may include, but are not limited to, the following:

a. Regarding the size and frequency of operations.

  • Structure Virtual Asset transactions (e.g., exchange or transfer) in small amounts or amounts below recordkeeping or reporting thresholds.
  • Perform multiple high-value transactions.
  • Transferring Virtual Assets immediately to multiple VASPs, especially to VASPs registered or operated in another jurisdiction where: i) there is no relationship to where the customer lives or does business; or ii) AML regulation is non-existent or weak.

b. Regarding operations related to new customers.

  • Making a large initial deposit to open a new relationship with a VASP while the amount funded is inconsistent with the client’s profile.
  • Making a large initial deposit to open a new relationship with a VASP and funding the full deposit on the first day it is opened, and the client begins trading the total amount or a large portion of the amount that same day or one day later, or if the client withdraws the total amount the next day.
  • A new client attempts to trade the entire balance of the Virtual Assets or withdraws the Virtual Assets and attempts to send the entire balance off the platform.

c. In respect of transactions relating to all customers.

  • Transactions involving multiple Virtual Assets, or multiple accounts, without a logical business explanation.
  • Making frequent transfers in a given period (e.g., a day, a week, a month, etc.) to the same Virtual Assets account: i) by more than one person; ii) from the same IP address by one or more persons; or iii) about large amounts.
  • Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of resources) with subsequent transfer to another wallet or full exchange for fiat currency.

We hope you find this helpful guide; for additional information, you can contact our Fintech and Cryptoassets practice team members.

Diego A. Ramos Castillo
Ramos, Ripoll & Schuster

Antonio Casas Vessi
Ramos, Ripoll & Schuster

Paulina Martínez Chávez
Ramos, Ripoll & Schuster

Frida Sofía Rojas Cuéllar
Ramos, Ripoll & Schuster

Daniela Morales González
Ramos, Ripoll & Schuster

Rodrigo Ramos Hopkins
Ramos, Ripoll & Schuster



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ramos, Ripoll & Schuster

Ramos, Ripoll & Schuster


RRS is a full-service law firm that preserves the adaptability, personal involvement and high specialization of a boutique.