Abler Group

The Travel Rule: Ground realities for your crypto compliance obligation

As the Financial Action Task Force (FATF) updates its AML/CFT guidance to include information exchange and knowledge transfer between Virtual Asset Service Providers (VASPs) under a comprehensive ‘Travel Rule’, Abler Consulting explains the implications for crypto firms as challenges to data privacy and data security arise in the wake of its implementation in FATF member states

The FATF Recommendations represent the international standard to combat Money Laundering (ML) and Terrorist Financing (TF). Over the years, the FATF has been fairly successful in its approach, with 39 member countries now adhering to its policies. However, new technologies and a digitally transformed financial system mean fresh challenges have arisen and need to be addressed. For example, the less-regulated Virtual Asset (VA) industry contains loopholes that can be exploited for ML and TF.

Acknowledging the growing threat, the FATF extended Recommendation 16 (“Wire Transfers”), initially targeting banks and financial institutions, to include Virtual Asset Service Providers (VASPs). While the recommendation serves to strengthen crypto compliance standards and to help cryptocurrency exchanges as well as other virtual asset businesses to counter ML/TF risks with surer success, VASPs are struggling with the meaning and impact of this new guidance. Let us look into the challenges and opportunities that the new rule brings in its wake for virtual asset firms based in FATF member states.

What obligations does the Travel Rule impose on VASPs?

In a nutshell, once this guidance is adopted by FATF member countries, it will require them to pass customer information to each other when transferring crypto assets, similar to the standard that US banks are required to abide by for wire transfers under the Bank Secrecy Act (BSA), which is often referred to as the “Travel Rule.”

The Travel Rule requires VASPs to obtain, hold and transmit required information on the originator and beneficiary, referred to as Personally Identifiable Information (PII), of a VA transaction above a de minimis threshold of USD/EUR 1000. This exchange of information under the Travel Rule will allow VASPs to flag transactions they suspect might be linked to ML and/or TF and externalise such information to financial regulators for immediate actions.

According to the FATF Interpretive Note to Recommendation 16, PII on the originator and beneficiary should include the following:

The name of the originator The originator’s account number involved in the VA transaction The originator’s address, or national identity number, or date and place of birth The name of the beneficiary The beneficiary’s account number involved in the VA transaction Does the Travel Rule clip the wings of crypto firms?

Whilst the Travel Rule is favourably welcomed to provide regulatory enforcement and clarity to the VA industry, it can potentially infringe on data privacy and data security. There are risks of hacking, PII data leaks and counterfeit VASPs masquerading as legitimate VASPs to steal information, among others and these represent major barriers for the implementation of the Travel Rule. Indeed, through its Targeted Update report¹, the FATF concluded that limited progress has been made in introducing the Travel Rule.

Another cause for the delay in the Travel Rule’s effective implementation observed is the Sunrise Issue, which the FATF defines as the uneven speed at which different jurisdictions have adopted the Travel Rule, resulting in VASPs interacting with foreign counterparties adhering to different compliance standards.

Slow and Steady: The Travel Rule will need time to take effect

Ultimately, while the Travel Rule is expected to play an important role in the fight against ML and TF, it is undeniably coming at an early phase of a regulatory revolution for the VA industry and VASPs.

Countries are encouraged to transpose and promulgate the requirements of the Travel Rule into domestic laws and regulations, and thereby strengthen their respective legislative framework governing VA and VASPs. Implementing a global standard will require a global effort.