The European Union's Transfer of Funds Regulation (TFR) enforces the Crypto Travel Rule to combat money laundering and terrorist financing. This rule, initially mandated by the U.S. Financial Crimes Enforcement Network (FinCEN), was extended in June 2019 by the Financial Action Task Force (FATF) to include virtual assets (VAs) and Virtual Asset Service Providers (VASPs). The Travel Rule requires VASPs to securely obtain, hold, and transmit originator and beneficiary information during VA transfers.
This article provides an overview of the crypto Travel Rule in the European Union, pulling from the Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s draft Travel Rule Guidelines.
Regulatory Milestones in the EU
The EU has been proactive in aligning its regulations with FATF’s recommendations:
- FATF Guidance (2019): The FATF issued its first guidance on a risk-based approach to virtual assets and VASPs, marking a significant expansion of AML/CTF measures.
- EU Regulation (2015/847): This regulation was adopted to apply FATF’s requirements uniformly across member states, ensuring fund transfers include payer and payee information.
- TFR Recast (2023): The TFR was extended to include crypto transfers, setting uniform Travel Rule requirements across all 27 EU member states.
- Travel Rule Comes into Force (2024): The European Banking Authority (EBA) will publish final Travel Rule guidelines in June 2024, and crypto Travel Rule obligations will become enforceable on December 30, 2024.
Information Transmission Requirements
The TFR mandates uniform obligations for crypto transfers, regardless of the transaction amount or whether they are cross-border. CASPs must include specific details about the originator and beneficiary in all transfers.
Required Information for Crypto Transfers
Natural Persons

Legal Persons

* Note: Regarding the date and place of birth, the EBA does not clarify what would be required instead if the originator is a legal person. In some jurisdictions, VASPs are required to provide a date and place of incorporation, but the EU requirement is unclear.
General Obligations for Information Transmission
CASPs must ensure their information transmission infrastructure is fully capable of compliance without technical limitations. The information should be transmitted immediately and securely before or at the same time as the crypto-asset transfer is completed. For joint accounts, transfers must include information about all account holders. Selected messaging protocols must enable seamless and interoperable transmission of information.
Travel Rule Obligations in Deposits
Beneficiary CASPs also have responsibilities upon receiving a transaction. They must implement robust policies and procedures to detect incoming transactions lacking necessary information and handle such transactions appropriately. If a transaction lacks the required information, beneficiary CASPs can choose to execute, reject, return, or suspend the transfer based on a risk-based approach.

Managing Non-Compliant Counterparties
When deposits lack Travel Rule data, CASPs must reassess their relationships with non-compliant counterparties. If a counterparty repeatedly fails to meet obligations, CASPs should consider enhanced due diligence measures, potentially terminating the business relationship, and reporting the non-compliance to competent authorities.
Self-Hosted Wallet Transactions
Transactions between CASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16. The regulatory requirements vary depending on the transaction amount and whether the wallet owner is a CASP customer or a third party.

Transactions of 1,000 Euros or Less
For transactions involving self-hosted wallets of 1,000 euros or less, CASPs must obtain and hold information about the parties to the transaction. This information should be cross-matched using suitable methods, such as blockchain analytics and third-party data providers, to verify the originator's or beneficiary's identity.
Transactions Over 1,000 Euros Where the Wallet Owner is a CASP Customer
For transactions exceeding 1,000 Euros, CASPs must verify whether the customer owns or controls the wallet. The EBA’s Travel Rule guidelines specify that CASPs must use at least two methods for this verification. Methods include advanced analytical tools, sending a predefined amount from the wallet to the CASP’s account, and signing a specific message in the account and wallet software.
Transactions Over 1,000 Euros Where the Wallet Owner is Not a CASP Customer
While the TFR is silent on the obligations for transactions involving third-party wallets, the Travel Rule Guidelines provide a framework. CASPs must verify wallet ownership/control and apply risk mitigation measures proportional to the identified risks, such as verifying the originator's or beneficiary's identity and requesting additional information about the transfer.
The EU’s implementation of the Travel Rule through the TFR sets a comprehensive regulatory framework for CASPs, ensuring that crypto asset transfers are transparent and secure. By adhering to these requirements, CASPs can help mitigate the risks of money laundering and terrorist financing, fostering a safer and more trustworthy environment for digital asset transactions. As the regulatory landscape evolves, staying informed and compliant with these obligations will be crucial for CASPs operating within the EU.
The European Union’s Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines, updated with the EBA’s final Travel Rule guidelines published on July 4, set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges to regulatory compliance. This article summarizes the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures.
Highlights of What Changed in the EBA’s Final Travel Rule Guidelines
1. More Flexibility in the Scope of Required Originator Information:
The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers.
2. Eased Requirements for SHW Transfers Below €1,000:
The final version of the Travel Rule guidelines removes verification requirements. Only information collection obligations apply, eliminating the need for technical means like blockchain analytics to cross-match collected data in order to identify and verify the originator or beneficiary.
3. Simplified Verification for 1st-Party SHW Transfers ≥ €1,000:
The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control.
4. Clarification for 3rd-Party SHW Transfers Above €1,000:
The Travel Rule Guidelines now clarify the requirements, specifying that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements from Article 19a of Directive (EU) 2015/849 apply. Additionally, the originator/beneficiary identity verification required therein is deemed to be fulfilled by collecting additional information from other sources (e.g., blockchain analytics, third-party data, or recognized authorities’ data) or using other suitable means to ensure the originator/beneficiary’s identity is known.
Overview of Applicable Obligations
The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:
- Transactions of 1,000 euros or less.
- Transactions over 1,000 euros where the wallet owner is a CASP customer.
- Transactions over 1,000 euros where the wallet owner is not a CASP customer.
Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.

A. Transactions of 1,000 Euros or Less
For transactions of 1,000 euros or less involving self-hosted wallets, Articles 14/5 and 16/2 of the TFR require CASPs to obtain and hold information about the parties to the transaction. The scope of information that CASPs are required to collect mirrors that which is mandated for CASP-to-CASP transactions.
The Travel Rule Guidelines clarify in paragraph 80 that this information must be sourced from the CASP’s customer. This includes:
- Full name of the originator and beneficiary
- Distributed ledger address
- Account number
The final EBA Travel Rule Guidelines removed the requirement for CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. Now, CASPs are mandated to collect and retain specific pieces of information from their customers. [1]
B. Transactions Exceeding 1,000 Euros Where the Wallet Owner is a Customer of the CASP

For self-hosted wallet transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether their customer owns or controls the self-hosted wallet. [2] The originator CASP is tasked with evaluating whether the wallet is owned or controlled by the originator, while the beneficiary CASP must determine whether the wallet is owned or controlled by the beneficiary. [3]
The Travel Rule Guidelines set a non-exhaustive list of verification methods available to CASPs and mandate the use of at least one method for wallet ownership/control verification, such as:
- Advanced analytical tools
- Unattended verifications (e.g., displaying the address)
- Attended verifications (e.g., live customer interaction)
- Sending a predefined amount from the wallet to the CASP
- Signing a specific message in the account and wallet software
- Other suitable technical means, as long as they allow for reliable and secure assessment. [4]
Where one method on its own is not sufficiently reliable to reasonably ascertain the ownership or control of a self-hosted address, the CASP should use a combination of methods. [5]
C. Transactions Exceeding 1,000 Euros Where the Wallet Owner is Not a CASP Customer

The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines include a framework governing these transactions. According to the guidelines, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849—verification of the originator or beneficiary’s identity—are considered fulfilled if the CASP:
- Collects additional information from other sources to verify the submitted information (e.g., from blockchain analytics, third-party data, or recognized authorities’ data)
- Uses other suitable means as long as it is fully satisfied that it knows the originator’s or beneficiary’s identity. [6]
Verification and Risk Assessment
CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information.
General Obligations for Self-Hosted Wallet Transactions
In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:
1. Self-Hosted Wallet Identification
Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer. [7]
2. Threshold Calculation
Compute the transaction amount based on the exchange rate prevailing at the time of the transfer. [8]
3. Risk Assessment
Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures. [9]
Additional Context and Considerations
FATF’s Recommendation 16
Transactions between VASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions.
Regulatory Expectations and Trends
Although regulatory expectations vary significantly across regions, the requirement for VASPs to verify their customer’s or a third party’s control over the wallet address involved in transactions is gaining traction. The TFR’s requirements reinforce this trend, as further detailed in the sections above.
Future Assessments
By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions.
The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.
Interested in learning more? Check out our blog on what the TFR says beneficiary VASPs should do when it comes to incoming transactions and the top 10 insights European CASPs need to know about their upcoming Travel Rule compliance framework.
With the European Union’s Transfer of Funds Regulation (TFR) taking effect on December 30, 2024, virtually all Crypto/Virtual Asset Service Providers (CASPs/VASPs) transacting with European customers must ensure compliance or face operational halts. Reachability and responsiveness are crucial for regulated VASPs, as non-responsiveness will prevent future transactions. We’re now at a critical juncture, as this regulation marks the end of the sunrise period and shifts the focus from protocol interoperability to compliant counterparty responsiveness.
At Notabene, we’re thrilled to announce a major milestone in our mission to integrate crypto transactions into the everyday economy. Our latest innovation, SafeTransact for Networks, aims to enhance counterparty responsiveness and bring Travel Rule compliance to existing ecosystems where transactions are already occurring today.
Notabene is uniquely positioned to deliver on this vision, as our extensive network already spans 27 countries, enabling us to process $71 billion worth of transactions in May 2024 alone. With 143 companies actively transacting daily, our clients have successfully integrated with us, setting up robust compliance processes and collaborating effectively with regulators.
Shifting Focus: From Interoperability to Reachability
It is widely understood that the fragmented nature of Travel Rule protocols has impeded widespread adoption. Initially, the industry thought solving protocol interoperability would boost Travel Rule adoption rates. This hypothesis seemed reasonable enough at the time, but it became evident that building a new network from scratch was very difficult. With many protocols having restricted access, low activity, or too few users, VASPs constantly struggle to reach all of their counterparties and achieve full compliance. We have since learned from real-world experience with customers and regulators that the value of protocol interoperability is only as strong as the user adoption that protocols are able to achieve.

Despite the impressive logos associated with various initiatives, we recognized that many of the biggest names in Travel Rule protocols had little to no activity occurring. To solve this, we shifted our focus from interoperability to reachability. This meant rethinking our approach entirely and not falling into the same trap of inventing yet another competing protocol, but instead solving our customers' core business needs – reaching and receiving responses from transaction counterparties.
Introducing SafeTransact for Networks

Instead of creating a new Travel Rule messaging network from scratch, SafeTransact for Networks integrates a compliance layer into existing networks, where millions of transactions already occur daily. This allows institutional custodians, settlement networks, multi-party computation (MPC) wallets, service providers, and stablecoin issuer ecosystems to seamlessly offer Travel Rule compliance. Networks can now integrate SafeTransact and offer Travel Compliance on top of their transactions. Members can perform checks and screen transactions to make automated authorization decisions without pure technical integration. SafeTransact for Networks helps businesses become compliant faster and seamlessly transact within the ecosystem.
Addressing Activation with SafeTransact for Networks
SafeTransact for Networks directly tackles the reachability challenge by bringing Travel Rule compliance where crypto businesses already transact with their counterparties today. To make SafeTransact for Networks work and reflect real-world transactions, we expanded the rigid Alice-to-Bob Travel Rule flow to include transaction intermediaries, like custodians. We introduced flexibility and modularity into SafeTransact's transaction flow, which allows you to add as many transaction participants as real-world use cases require.
Our solution uniquely operates at scale, managing Personally Identifiable Information (PII) in a compliant, risk-based manner, where only authorized businesses receive PII. SafeTransact remains the only Travel Rule solution that offers this capability.
How it Works
Here’s a clear example of one multi-party transaction:
1. Initiating the Transaction
- Alice, a customer of BerlinEx, initiates a Bitcoin transfer to Bob.
- BerlinEx initiates the transaction by calling their wallet provider, SIGTrust, registered in the Seychelles.
- SIGTrust, being a network partner at SafeTransact, acts as the initiator for the Transaction authorization flow between the participants.

2. Chain of Intermediaries
- SIGTrust initiates the transfer in SafeTransact for Networks.
- Through our discovery methods, SIGTrust identifies that the recipient’s address belongs to TexEx. A first transfer initiation message is exchanged.
- TexEx responds and adds CryptoTrust, their custodian, to the transaction chain.

Once TexEx responds by adding their custodian, CryptoTrust:

3. Transparency and Policy Implementation
- All parties involved recognize that this is a four-party transfer.
- TexEx establishes policies that require a Travel Rule exchange and flags the Seychelles jurisdiction from SIGTrust.
- The transfer appears in TexEx’s platform, listing all participants and their respective roles.

4. Compliance and Authorization
- The compliance team reviews and authorizes the transfer.
- Responses are sent to all participants to ensure everyone is informed.
- A request for a Travel Rule transfer is sent to the Originators about the Originator.

5. Completion and Notification
- All participants send and receive notifications detailing their roles and authorization policies in the transaction.
- Personally Identifiable Information (PII) is shared only with parties that require it.
- Once policies are fulfilled and the transfer is authorized, the transfer is completed and settled on-chain.

6. Policy Setup and Management
- BerlinEx has the option to apply for a profile with Notabene.
- This profile allows them to set up specific policies, including the ability to authorize or reject future transfers.
- The moment they onboard, they see all the historic transfers that they initiated via SIGTrust.

SafeTransact for Networks ensures that even complex multi-party transactions are handled smoothly and securely, with careful management of PII and compliance with all necessary regulations.
Why Choose SafeTransact for Networks?
- Network Providers (e.g. institutional custodians, settlement networks, MPC wallet providers) deliver incremental value to their customers by offering network members a layer of compliance on top of their existing service.
- Network members (e.g. exchanges, banks, lending desks) quickly and easily achieve Travel Rule compliance without the need for additional development resources by joining the SafeTransact ecosystem.
- The Entire Ecosystem benefits from the network effects of expanding compliance reachability from individual networks across all integrated networks. This interconnected approach ensures that businesses can transact safely and compliantly within their existing ecosystems without needing to adjust to new frameworks.
Bringing the Power of SafeTransact to Established Networks
- Comprehensive Travel Rule Compliance: SafeTransact is designed to meet the stringent requirements of the Travel Rule and other regulatory frameworks. By facilitating the exchange of travel rule information and automating compliance processes, SafeTransact helps businesses stay ahead of regulatory demands. This is particularly important as more jurisdictions globally implement these compliance requirements.
- Pre-Transaction Authorization: SafeTransact enables businesses to make informed authorization decisions before a transaction is completed. This feature allows for instantaneous approvals, flags transactions for review, or rejects them based on predefined criteria. By identifying and screening all counterparties, SafeTransact performs thorough due diligence and risk assessments, ensuring that only legitimate transactions are processed.
- Real-Time Decision Making: One of SafeTransact’s standout features is its ability to make authorization decisions in real-time. This capability is crucial for businesses that need to operate at the speed of digital transactions without compromising security. With SafeTransact, businesses can automate their transaction flows and analyze insights, making the entire process seamless and efficient.
We’re excited to present SafeTransact for Networks as an innovative way of increasing Travel Rule adoption globally by meeting crypto businesses where they transact with their counterparties today. We allow existing networks, like institutional custodians and MPC wallet providers, to offer their customers a layer of compliance on top of their ecosystems. All of this is possible with Notabene’s new transaction flow expanding to intermediary and more complex, real-world use cases.
We believe that reachability, activation, and responsiveness are the most pressing issues facing our industry, which is why we are doubling down on expanding the Notabene Network to give our customers truly global reach. We understand that our industry cannot thrive with a one-size-fits-all approach to regulatory compliance, so we have invested in tools like our new PolicyEngine to enable customers to easily manage their unique workflows.
We are approaching a global tipping point for Travel Rule compliance, driven largely by the December 30 implementation deadline for the EU. We are here to help you prepare for that deadline in any way possible. Whether you are a customer participating in our Travel Rule certification programs or seeking a trusted resource for industry updates and education, please consider us a valuable resource. Our team members are experts on these issues and are here to assist you with any questions you might have.
To learn more about how SafeTransact can benefit your business and ensure compliance, contact our team for a custom demo.
The European Union's Transfer of Funds Regulation (TFR) and the European Banking Authority’s final Travel Rule Guidelines impose stringent requirements on Crypto Asset Service Providers (CASPs) to ensure transparency and security in crypto-asset transactions. Beneficiary CASPs, in particular, have critical responsibilities in managing incoming transactions despite their limited control over deposit flows compared to originating CASPs.
Beneficiary CASPs cannot proactively block incoming deposits and rely on the compliance of the originator CASP to meet obligations. Therefore, it is crucial to evaluate strategies for handling non-compliant deposits. This article focuses on the specific requirements for beneficiary CASPs and strategies for managing transactions that fail to meet compliance standards.
Required Information for Transactions
Under Article 16/1 of the TFR, beneficiary CASPs are obligated to receive specific information about both the originator and the beneficiary of each transaction. Articles 14(1) and 16(1) of the TFR specify the required information, including:
- Full name of the originator and beneficiary
- Distributed ledger address and account number
- Address and official personal document number of the originator
- Additional optional information, such as customer identification number or date and place of birth, to ensure unambiguous identification.
Monitoring Systems for Detecting Non-Compliance
The TFR mandates that beneficiary CASPs implement robust monitoring systems to detect non-compliant transactions. According to the Travel Rule Guidelines, these systems should include:
- Methods for detecting missing, incomplete, or meaningless information.
- Pre- and post-monitoring practices aligned with money laundering and terrorist financing (ML/TF) risk levels.
- Criteria for recognizing risk-increasing factors. [1]
Managing Non-Compliant Transactions
Beneficiary CASPs must follow specific procedures to detect a transaction lacking the required information. Article 17 of the TFR outlines four possible actions:
- Execute: The CASP can proceed with the transaction if the risk assessment allows it.
- Reject: The transaction can be rejected if it does not meet compliance standards.
- Return: The funds can be returned to the originator if the necessary information is not provided.
- Suspend: The transaction can be temporarily suspended while additional information is requested.

The Travel Rule Guidelines provide more granularity on how CASPs should define the appropriate follow-up action:
- Beneficiary CASPs can request missing information from the originator CASP rather than immediately rejecting or returning the transfer. [2]
- If the information is not provided within a specified timeframe (three working days for EU transfers and up to seven days for others), the CASP must decide whether to proceed based on a risk assessment. [3]
- If the rejection is technically impossible (e.g., the crypto-assets have already been received), the transfer should be returned to the originator. [4]
- If returning the transfer to the original address is not possible, CASPs should hold the returned assets in a secure, segregated account while communicating with the originator CASP to arrange the proper return of the crypto-assets. [4]
Managing Non-Compliant Counterparties

When beneficiary CASPs identify deposits missing Travel Rule data, it not only disrupts the transaction but also strains relationships with non-compliant counterparties. Here’s how CASPs should manage these situations according to Article 17/2 of the TFR:
- Reassess the Relationship: Evaluate if the counterparty repeatedly fails to provide the required information.
- Report Non-Compliance: Notify competent authorities about the non-compliance.
Assessment Criteria
To determine the appropriate course of action, CASPs must assess whether the counterparty has repeatedly failed to meet their obligations. The assessment involves both quantitative and qualitative criteria:
- Quantitative: Frequency of incomplete transfers and unanswered follow-up requests. [5]
- Qualitative: Counterparty cooperation, agreements for extended time, and reasons for missing data. [6]
Steps for Repeated Non-Compliance
- Issue Warnings: Inform the counterparty of potential consequences and set deadlines for compliance.
- Enhanced Due Diligence: Apply stricter measures to manage risk.
- Terminate Relationship: If necessary, end the business relationship or reject future transfers.
- Report Repeatedly Non-compliant CASPs: CASPs must report non-compliant counterparties within three months of identifying non-compliance and include details of the non-compliant counterparty CASP, nature and frequency of breaches, justifications provided, and actions taken. [7]
General Obligations
Finally, the Travel Rule Guidelines offer a concise overview of supplementary requirements that CASPs should consider when dealing with deposits.
Pre vs. Post Transaction Monitoring
CASPs are responsible for establishing policies and procedures to determine which transfers require monitoring before or during the transfer process. This decision should consider any factors that may increase risk, as specified in the “EBA’s Guidelines on Money Laundering/Terrorist Financing (ML/TF) Risk Factors.” [8]
Meaningless and Inconsistent Information
CASPs should treat information as missing if essential fields are left empty or if the provided information is deemed meaningless or inconsistent. For example, random strings of letters should be considered meaningless information. [9]
Communication Systems
When contacting the counterparty for clarification, CASPs should use the same messaging system utilized to transmit the initial information. [10]
Self-Hosted Wallet Deposits
For deposits from self-hosted wallets, any requests for clarification should be directed straight to the customer. [11]
Interested in learning more? Check out our articles on Self-Hosted Wallet Transaction Requirements Under the EU TFR and Top 10 Insights European CASPs Need to Know About the Upcoming Travel Rule Compliance Regulation.
On July 9, 2024, the Financial Action Task Force (FATF) released its fifth targeted review of the implementation of FATF Standards on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). This review provides an overview of the progress made by countries and the industry, as well as ongoing implementation gaps and concerns.
While the report covers a range of topics, we will focus here on the implementation of the Travel Rule. As a reminder, the Travel Rule requires VASPs and financial institutions to obtain, hold, and transmit specific originator and beneficiary information immediately and securely when transferring virtual assets.
Let's dive into the main takeaways from the report.
More jurisdictions are passing Travel Rule legislation
85% of jurisdictions have passed or are in the process of passing Travel Rule legislation, compared to 69% last year

Jurisdictions have made progress on implementing the Travel Rule. In fact, 70% of respondents (65 of 94 jurisdictions, excluding those that prohibit or plan to prohibit VASPs explicitly) have passed legislation implementing the Travel Rule.
The methodology used by FATF and the Global Network consists of 205 jurisdictions in total. However, 147 jurisdictions responded to the 2024 survey (35 FATF members and 112 FSRB members). It is worth noting that 58 jurisdictions did not respond to the survey. The report infers that these 58 have not made progress on R.15, including the Travel Rule implementation. Responses were self-reported and not verified.
FATF is urging jurisdictions to make immediate progress to enact and enforce legislation implementing the Travel Rule
Despite the legislation, enforcement remains weak. Of the 65 jurisdictions that have passed legislation implementing the Travel Rule, only 17 have issued findings, directives, or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance. [2]
The targeted update clarifies that neither a lack of interoperability nor a Travel Rule tool's gaps in coverage excuses non-compliance. FATF urges jurisdictions to make immediate progress in enacting and enforcing legislation implementing the Travel Rule. Specifically, the report shares the following examples:
One jurisdiction shared that although regulated VASPs suffer from the lack of interoperability among Travel Rule compliance tools, non-compliant VASPs would still be penalised for their compliance shortcomings. [Paragraph 65]
Another jurisdiction reported imposing regulatory orders on a VASP for non-compliance related to Travel Rule tool deficiencies such as incomprehensive coverage of VAs or delayed data submission. [Paragraph 24]
In short, the FATF is urging jurisdictions to make immediate progress to enact and enforce legislation implementing the Travel Rule.
FATF highlights specific public and private sector challenges in Travel Rule implementation
Both jurisdictions and VASPs continue to face a range of challenges in implementing the Travel Rule, as highlighted below:
Inconsistent implementation and lack of enforcement
VASPs use Travel Rule obligations to mitigate illicit finance risks. However, inconsistent implementation and lack of enforcement have not sufficiently motivated the private sector to enhance compliance.
Interoperability Issues
Although progress has been made, challenges persist due to architectural differences and data protection requirements. VASPs integrating multiple compliance tools face technical, operational, and financial burdens.
Discrete, rather than interconnected, Travel Rule tools with closed lists of participants (aka closed networks) may also complicate the identification of counterparty VASPs and could result in the misidentification of a counterparty VASP as an unhosted wallet simply because the counterparty did not use the same Travel Rule compliance tool as the beneficiary. The FATF urges the private sector to progress towards increasing compatibility amongst Travel Rule compliance tools, whether through technological advancements that allow interoperability between tools, or by developing relationships that permit transactions to be made through a chain of interoperable tools or other methods. [Paragraph 41]
Notabene’s SafeGateway facilitates VASP-to-VASP interactions across various protocols.
Complex transactions
The industry reported widespread use of the interVASP Messaging Standards (IVMS) for Travel Rule information, akin to ISO20022 for the VA sector. They see potential in further developing standards to enhance message transitions, such as handling transaction rejections and follow-up queries. The increasing sophistication of VA transfers involving professional traders and over-the-counter brokers indicates that some Travel Rule compliance tools may not suit broader transaction types.
To address this, Notabene launched SafeTransact for Networks, which ensures the smooth handling of complex multi-party transactions, careful management of PII, and regulatory compliance.
Sunrise Issue
The report highlights ongoing challenges with the Sunrise issue, where jurisdictions implement the Travel Rule at different times.
- Phased Implementation and Grace Periods: Among the 80 jurisdictions implementing or planning to implement the Travel Rule, many are adopting a phased approach or granting grace periods with exemptions or flexible compliance expectations for VASPs.
- Interaction Restrictions: Most jurisdictions restrict domestic VASPs from interacting with foreign counterparts that lack Travel Rule legislation to mitigate associated risks.
- Risk Mitigation Measures: Specifically, of the 65 jurisdictions that have passed legislation enacting the Travel Rule, about half have measures in place to ensure domestic VASPs are only transacting with regulated and/or Travel Rule-compliant counterparts or are otherwise mitigating the risks.
Despite the challenges mentioned above, FATF calls on all jurisdictions to rapidly enact and enforce the Travel Rule.
VASPs should perform counterparty due diligence, even when Travel Rule obligations differ
In order to transmit the required Travel Rule information, VASPs identify and conduct due diligence on their counterparty VASP. This remains a challenge due to difficulties in identifying the counterparty VASP based on VA wallet addresses and varying counterparty VASP due diligence requirements across jurisdictions.
The FATF report suggests that in cases where only one of the originator and beneficiary VASPs has Travel Rule obligations due to differences in national requirements, VASPs should still take steps to comply with targeted financial sanctions obligations. It further suggests transacting with unlicensed/unregistered foreign counterparts only if the originator VASP has risk-mitigating measures in place.
Counterparty due diligence ensures VASPs avoid dealing with illicit or sanctioned actors and helps ensure that a counterparty can comply with the Travel Rule, including protecting the confidentiality of shared information. Note that counterparty due diligence for the purpose of complying with R.16 is distinct from the obligations applicable to cross-border correspondent relationships (R. 13). [Page 22]
FATF highlights issues with some Travel Rule compliance tools
The 2022 and 2023 Targeted Update reports highlighted that while the industry has developed various Travel Rule compliance tools in response to FATF standards, many tools still do not fully meet these standards and face interoperability challenges. Common shortcomings include a failure to transmit information immediately, which affects sanctions screening and due diligence.
Regulators and supervisors are encouraged to engage with VASPs to ensure compliance tools meet all FATF requirements and take enforcement actions for non-compliance. VASPs should be deliberative, make informed decisions, and “select a compliance tool(s) that will allow them to meet all FATF Travel Rule requirements”. The lack of interoperability between tools can hinder transaction monitoring and counterparty identification. The FATF urges the private sector to enhance tool compatibility through technological advancements or relationships among tool providers.
An increasing number of jurisdictions report VASPs using in-house developed compliance tools. There is interest in understanding how these tools interact with others and concerns about their effectiveness. Collaborative efforts between supervisory authorities, regulated VASPs, and tool providers are recommended to ensure tools meet regulatory requirements before use.
FATF shares guiding questions and considerations for Travel Rule compliance tool providers
VASPs should take a deliberative and informed decision and select a compliance tool(s) that will allow them to meet all FATF Travel Rule requirements. Box 2.1 below sets out guiding questions that VASPs should ask to determine whether potential Travel Rule solution tools will comply with all FATF requirements. [Paragraph 40]
The following chart compares SafeTransact’s capabilities vs the VAGC’s guiding questions.

FATF proposes revisions to Recommendation 16 and implications for Travel Rule
In February 2024, the FATF initiated a public consultation on proposed changes to Recommendation 16 (R.16) and its Interpretive Note on payment transparency. The revisions aim to align the Standard with evolving payment systems and messaging standards (ISO 20022) while maintaining technological neutrality and the principle of "same activity, same risk, same rules." These updates could impact the VA sector by specifying the required originator and beneficiary information and defining the roles of VASPs in complex payment chains. The final revisions to R.16 will determine any changes to the Travel Rule requirements for VASPs. Read Notabene’s response to the public consultation here.
Summary of Recommendations from FATF to public sector
- Jurisdictions without Travel Rule legislation/regulation should urgently introduce it.
- Jurisdictions with the Travel Rule should quickly operationalize it through effective supervision and enforcement.
- Jurisdictions should publicize information on registered or licensed VASPs to facilitate counterparty due diligence.
- Jurisdictions should engage with the VASP sector to identify and ensure Travel Rule compliance tools meet FATF requirements.
- VASPs and compliance tool providers should review and improve tools to fully comply with FATF requirements and enhance compatibility for effective implementation.
- FATF will update and publish assessments of R.15 compliance by 2025.
The European Banking Authority (EBA) has issued new Travel Rule Guidelines to enhance the traceability of fund and crypto asset transfers, aiming to combat money laundering and terrorist financing. Stemming from Regulation (EU) 2023/1113, which aligns EU regulations with FATF standards, the Guidelines aim for consistent implementation across the EU, taking effect on December 30, 2024. After releasing a consultation paper in November 2023, to which Notabene responded, the EBA released the final Travel Rule Guidelines on July 4, 2024.
Relevance of the Travel Rule Guidelines: Aligning Travel Rule Supervisory Practices across the EU
The Guidelines reflect the EBA’s view on appropriate supervisory practices within the European System of Financial Supervision or how EU law should be applied in this area. Authorities should integrate these Guidelines into their practices, including adjusting their legal frameworks or supervisory processes as needed.
Key Takeaways from the EBA’s Final Travel Rule Guidelines - July 2024
1. Flexibility in Originator Information
The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers. [1]
2. Eased Requirements for Self-Hosted Wallet Transfers Below €1,000

- Consultation Paper: The EBA’s consultation paper required that CASPs “use suitable technical means to cross-match data, including blockchain analytics and third-party data providers, for the purpose of identifying or verifying the identity of the originator or the beneficiary.” [2]
- Final Guidelines: Now, only information collection obligations apply for self-hosted wallet transfers below €1,000, eliminating the need for technical means like blockchain analytics to cross-match collected data to identify and verify the originator or beneficiary. [3]
In response to the public consultation, Notabene argued that this requirement was disproportionate and technically unfeasible to implement. The framework initially proposed was stricter than the one set out in the Transfer of Funds Regulation (TFR), creating disproportionate obligations on small transactions. Additionally, Notabene argued that verifying identities through blockchain analytics is impractical, as these providers lack the capability to link personal identities with wallet addresses. We are pleased that the EBA adopted our suggestion, and this adjustment will make compliance more feasible for smaller transactions.
3. Simplified Verification for 1st-Party Self-Hosted Wallet Transfers ≥ €1,000
- Consultation Paper: The draft guidelines initially required CASPs to use two methods for wallet ownership verification. [4]
- Final Guidelines: The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. [5]
In our consultation response, we successfully argued that requiring two methods for verifying wallet ownership/control may not enhance the verification process and could force the adoption of potentially inefficient practices. In the final version of the guidelines, CASPs are required to use only one method by default.
Notabene’s product suite includes a pop-up user interface designed to identify and verify Travel Rule counterparties at the point of transaction without impeding the transaction flow. SafeConnect obtains proof of self-hosted wallet (SHW) ownership through cryptographic signatures, one of the methods explicitly permitted in the guidelines.
4. Clarification for 3rd-Party Self-Hosted Wallet Transfers Above €1,000
While the TFR does not specify the requirements for third-party self-hosted wallet transfers above €1,000, the Travel Rule Guidelines clarify that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849 (AMLD) apply. [6]
According to this provision, CASPs must evaluate the risks associated with transfers to or from self-hosted wallets. Additionally, CASPs are required to implement risk mitigation measures commensurate with the identified risks. These measures may include:
- Verifying the identity of the transfer's originator or beneficiary;
- Requesting additional information regarding the origin and destination of the transfer;
- Implementing enhanced ongoing monitoring of the transactions.
Therefore, CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks.
5. Full Compliance from December 30, 2024, is Mandatory
Travel Rule obligations apply to crypto asset service providers (CASPs) starting December 30, 2024. The EBA states: “From December 30 2024, CASPs as defined in MiCAR will be subject to the EU’s AML/CFT regime and, therefore, these Guidelines,” emphasizing that “non-compliance with Regulation (EU) 2023/1113 is not accepted.” [7]
CASPs may use infrastructures or services with technical limitations until July 31, 2025, provided they fully compensate with additional technical steps to comply with these Guidelines. Full compliance is still mandatory. [8]

6. The EBA Provides Criteria to Evaluate Travel Rule Solutions
When choosing the messaging or payment and settlement system(s), CASPs and ICASPs should take proportionate, risk-sensitive measures to assess: [9]
- Seamless Integration: The system’s ability to communicate with other internal core systems and with the messaging or payment and settlement systems of the counterparty of a transfer and its compatibility with other blockchain networks
Notabene’s open network approach and integrations with top blockchain analytics, custodians, and sanction screening providers guarantee this connectivity. Additionally, Notabene’s SafeGateway builds secure clients for each Travel Rule messaging protocol, significantly expanding our users' connectivity and enabling them to engage with VASPs on previously inaccessible protocols.

- The reachability of the protocol (i.e., the diversity and accuracy of counterparties that can be reached using the protocol – subject to the CASP's own due diligence assessment – and the rate of transfers that would successfully be sent to the intended beneficiary or received from the originator);
Notabene’s robust network ensures high transaction success rates.
- How the system enables the CASP or ICASP to detect a transfer with missing or incomplete information;
Notabene’s SafeTransact excels here, automatically identifying deposits lacking Travel Rule information and promptly requesting the necessary details from the originator VASP.
The EBA’s final Travel Rule Guidelines mark a significant step in enhancing the traceability of fund and crypto asset transfers across the EU. With full compliance required by December 30, 2024, CASPs must prepare to meet these new requirements. Notabene’s solutions are designed to help CASPs navigate these changes efficiently, ensuring compliance while maintaining smooth transaction flows.
The sixth and final Plenary of the Financial Action Task Force (FATF) under the Presidency of T. Raja Kumar of Singapore marked significant progress and established future priorities. Here are the main takeaways from the plenary.
Virtual Assets: Implementation Update
The FATF will release its fifth annual update on the implementation of FATF Standards for virtual assets (VA) and virtual asset service providers (VASPs) in July 2024. Since June 2023, the number of compliant jurisdictions has risen from 25 to 33. Despite this progress, 75% of jurisdictions (97 out of 130) remain only partially or non-compliant, indicating that VASP implementation still lags behind other financial sectors. The FATF urges jurisdictions to achieve rapid, full compliance and will continue providing support to this end.
Payment Transparency
Following a public consultation that ended in May 2024, to which Notabene publicly responded here, the FATF is revising its standards to align with evolving cross-border payment systems and industry standards like ISO20022. These revisions aim to enhance the speed, cost-effectiveness, transparency, and inclusivity of cross-border payments while maintaining AML/CFT compliance. Further dialogue with experts is needed before finalizing these amendments.
Jurisdictions Under Increased Monitoring
Monaco and Venezuela have been added to the list of jurisdictions subject to increased monitoring. Congratulations to Jamaica and Türkiye, which have been removed from this list, reflecting their improved compliance.
High Risk Jurisdictions - Call for Action
The FATF reiterated its concerns over certain high-risk jurisdictions in its Call for Action, specifically the Democratic People’s Republic of Korea (DPRK), Iran, and Myanmar.
Democratic People's Republic of Korea (DPRK) 🇰🇵
FATF remains deeply concerned about the DPRK's failure to address significant AML/CFT deficiencies and the proliferation financing risks posed by its illicit activities related to WMDs. The FATF urges all jurisdictions to:
- Terminate correspondent relationships with DPRK banks.
- Close any DPRK bank branches or subsidiaries.
- Limit financial transactions with DPRK persons.
Greater vigilance and enforcement are required, especially given DPRK's increased financial connectivity and use of front companies to evade sanctions.
Iran 🇮🇷
Since Iran has not completed its action plan, including enacting key conventions, the FATF calls for:
- Enhanced supervisory examination for Iranian financial institutions.
- Systematic reporting of financial transactions.
- Increased external audit requirements.
Until Iran fully implements the required measures, the FATF maintains concerns over terrorism financing risks from Iran.
Myanmar 🇲🇲
Due to slow progress in addressing AML/CFT deficiencies, the FATF calls for enhanced due diligence measures. Financial institutions should:
- Increase monitoring of business relationships.
- Ensure legitimate financial flows, such as humanitarian aid and remittances, are not disrupted.
If no further progress is made by October 2024, the FATF will consider applying countermeasures.
Mutual Evaluation Reports: India and Kuwait
India has achieved a high level of technical compliance with FATF requirements, particularly in understanding ML and TF risks, international cooperation, and access to beneficial ownership information. However, improvements are needed in supervising non-financial sectors. Kuwait is also nearing compliance but requires further progress.
Review of Gatekeepers
FATF will publish its findings on the regulation of gatekeepers in July 2024. These entities, if unregulated, remain exposed to significant criminal risks and may fail to detect money laundering red flags.
Women in FATF and the Global Network (WFGN) Initiative
Notabene commends Minister Indranee Rajah who launched the e-book “Breaking Barriers: Inspiring the Next Generation of Women Leaders,” showcasing the resilience and expertise of women in combating financial crime. This initiative, part of the Women in FATF and the Global Network (WFGN), aims to inspire and support aspiring women leaders and complements the multicultural mentoring program.
Compliance with FATF Standards
The Plenary approved revised criteria for prioritizing countries for the International Cooperation Review Group (ICRG) review process. This will ensure that the listing process remains risk-based, fair, and transparent. Members also agreed on assessment methods for compliance with the revised FATF Standards on asset recovery and related international cooperation, adopted in October 2023.
Incoming Mexican Presidency’s Priorities (2024-2026)
As many know, Elisa de Anda Madrazo is the incoming President. She outlined the Mexican Presidency’s priorities, which include:
- Advancing financial inclusion through risk-based implementation of the Standards.
- Ensuring a successful start to the new round of assessments.
- Strengthening the cohesion of the Global Network by fostering transparency and unity.
- Supporting effective implementation of revised FATF Standards, focusing on asset recovery, beneficial ownership, and virtual assets.
- Continuing efforts to combat terrorist and proliferation financing.
The outcomes of this Plenary set a robust agenda for the FATF, emphasizing the need for rapid compliance, enhanced transparency, and international cooperation to combat financial crime effectively. We at Notabene are excited to support this and eager to see how this will unfold in the coming year.
Authored by CryptoUK’s Travel Rule Working Group, the Travel Rule Good Practices Guide is a cornerstone document for virtual asset service providers (VASPs), cryptoasset businesses, and digital asset industry participants navigating the regulatory landscape in the UK.
This comprehensive guide is a culmination of the industry’s collective effort. It provides an in-depth overview of compliance strategies and valuable guidance on addressing associated challenges.
The UK’s Pivotal Role in the Travel Rule Compliance Landscape
According to Chainalysis (2023), the UK ranks third globally in transaction volume, with an estimated $252.1 billion received last year. The 44 VASPs currently registered with the FCA must comply with the Travel Rule, which came into force on September 1, 2023. This situation underscores the UK’s significant role in promoting Travel Rule compliance worldwide.
Insights from the 2024 State of Crypto Travel Rule Compliance Report
The UK, with its robust regulatory framework, leads in compliance rates. Our comprehensive State of Crypto Travel Rule Compliance Report 2024 revealed that the UK boasts a 100% compliance rate among surveyed respondents in the EMEA region, reflecting the country’s stringent standards since the rule’s enforcement.

Notabene’s Proactive Role in UK Travel Rule Compliance
Our team at Notabene is dedicated to assisting UK VASPs in understanding and complying with their Travel Rule obligations. In 2023, we spearheaded several initiatives:
- Regulatory Sandbox Testnets: As part of the Financial Conduct Authority's (FCA) regulatory sandbox, we conducted two testnets with firms such as Ramp, Bitstamp, Wirex, CoinPass, Altalix, Hidden Road, Bitpanda, Custody, Uphold, and Zodia Markets.
- Guidance Publication: We published a concise guide summarizing the Travel Rule obligations outlined in the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 (MLTFR 2022).
Additionally, Notabene has actively engaged in the JMLSG consultation process, submitting a response to contribute to the development of practical and effective compliance strategies for the industry. Our efforts ensure the guidance remains relevant and supports VASPs’ compliance journey.
Key Insights from the Travel Rule Good Practices Guide
The CryptoUK Travel Rule Good Practices Guide is an invaluable resource for navigating the complexities of regulatory compliance in the crypto industry. With contributions from industry experts, this guide provides a clear path for VASPs to achieve and maintain compliance.
Key areas covered include:
- Counterparty VASP Due Diligence: In the absence of regulatory guidelines in this respect, this chapter outlines key considerations and best practices, featuring key insights shared by Notabene’s Head of Regulatory and Compliance Team, Lana Schwartzman.
- Withdrawal and Deposit Flows: Provides an overview of applicable obligations and approaches for operationalizing Travel Rule compliance within withdrawal and deposit flows.
- Unhosted Wallets: Discusses the regulatory framework, associated risks, and potential mitigations.
About the Working Group
The CryptoUK Travel Rule Working Group was established in 2023 to foster knowledge sharing and best practices.

The group collaborates with policymakers, regulators, and key stakeholders, including HM Treasury, the FCA, the Electronic Money Association, and the JMLSG. The Working Group significantly contributed to the development of the JMLSG’s Guidance on Cryptoasset Transfers, published in August 2023.
For more insights and to stay informed about regulatory developments, download the guide and join the CryptoUK Travel Rule Working Group today.
This article provides an in-depth look at virtual asset service providers' (VASPs) current transaction restrictions and compliance measures as they navigate Travel Rule compliance.
Based on the results from Notabene's 2024 State of Crypto Travel Rule Compliance survey, we explore how crypto businesses and financial institutions are preparing to meet these regulatory requirements. Download the report here to gain deeper insights.
Key Findings
Global Survey Overview
The survey, conducted between October 2023 and January 2024, included 70 companies from Europe, the Middle East, and Africa (45.7%), Asia-Pacific (30%), and the Americas (21.4%).
66% of VASPs Enforce Restrictions on Withdrawals That Do Not Comply With Travel Rule Requirements

66% of VASPs enforce restrictions on withdrawals that do not comply with Travel Rule requirements. Notably, 23% do not allow withdrawals unless a Travel Rule message can be sent to the beneficiary VASP, up from 8% last year. This shift reflects a growing trend towards stricter compliance measures within the industry. The percentage of respondents permitting customers to withdraw funds without being able to send Travel Rule messages to the beneficiary VASP has dropped significantly from 37% in 2023 to 19% in 2024. This decrease of 49% underscores a heightened focus on ensuring compliance with regulatory requirements.
Moreover, 40% of respondents adopt a risk-based approach when determining whether to allow a withdrawal. This method reflects an industry-wide effort to balance business considerations with regulatory compliance. Given the persistent limitations that hinder full compliance, such as the Sunrise Issue, this approach is particularly significant. The increasing adoption of stringent compliance measures marks a notable shift in the industry’s approach to risk management, demonstrating a mature, proactive, and compliant stance in navigating the evolving landscape of crypto regulations.
66% of Companies Impose Restrictions on Transactions With Self-Hosted Wallets

66% of companies impose restrictions on transactions with self-hosted wallets. Approximately one-third of companies (33%) exclusively allow first-party transactions with self-hosted wallets and require customers to demonstrate control over the wallet address before authorizing the transaction. Additionally, 27% of companies allow third-party transactions with self-hosted wallets but collect beneficiary information from their customers, showcasing a commitment to due diligence. A minority of 6% of companies outright prohibit transactions with self-hosted wallets.
There is still a substantial portion of respondents (29%) that do not impose any restrictions on transactions with self-hosted wallets. The “Other” category, comprising 6% of responses, suggests a unique range of approaches that some companies have adopted to handle transactions with self-hosted wallets. The distribution of survey responses illustrates the diversity of approaches that regulators worldwide take when defining rules for transactions involving VASPs and self-hosted wallets.
Over 20% of VASPs Return Deposits Missing Required Travel Rule Information

Handling Deposits
Over 20% of VASPs return deposits missing required Travel Rule information. Specifically, 21% of companies, upon identifying the originator VASP, promptly send requests for missing Travel Rule information. If the information is not received, companies take the decisive step of returning the funds. This approach often creates additional operational challenges for VASPs, which is further discussed in Chapter 5, Section 7 of the report. Another 10% follow a similar protocol but opt to collect the required information directly from their end-customers in the absence of the necessary data, using this as an alternative means to assess transaction risk when counterparty collaboration is lacking.
Nearly half (49%) of the respondents take more lenient approaches. Notably, 30% adopt a risk-based approach, evaluating the associated risks before deciding whether to make the deposit available to end-customers. Meanwhile, 19% of respondents permit their customers to receive deposits without the mandated Travel Rule information. This variation in approach may stem from the need to balance compliance with business needs. A significant portion of deposits from VASPs still lack Travel Rule information due to hindrances like the Sunrise Issue and interoperability issues. For these firms, strict compliance would entail refusing all deposits except from self-hosted wallets, which would have a significant and potentially disproportionate impact on business.
Diverse Compliance Strategies
VASPs employ a range of strategies to manage non-compliant deposits, from providing grace periods to negotiating compliance practices with counterparties. Some respondents revealed ongoing efforts toward implementation, development, or the intention to implement in the future. Strategies included providing grace periods for clients, negotiating compliance practices with counterparties, and adopting selective compliance measures based on specific circumstances. These diverse responses underscore the complex and evolving nature of the regulatory landscape and the varied approaches taken by entities within the crypto ecosystem. This emphasizes the need for continued collaboration and standardization for comprehensive and effective risk mitigation practices.
As the regulatory landscape continues to evolve, VASPs must stay abreast of changes and adopt robust compliance strategies. The increasing adoption of stringent compliance measures marks a significant shift in the industry's approach to risk management, demonstrating a mature, proactive, and compliant stance in navigating the evolving landscape of crypto regulations. For VASPs, staying ahead of these changes will be crucial in maintaining competitive advantage and fostering trust in the digital asset space.
This article provides an in-depth look at virtual asset service providers' (VASPs) current implementation challenges as they navigate the Travel Rule.
Based on the results from Notabene's 2024 State of Crypto Travel Rule Compliance survey, we explore how crypto businesses and financial institutions are preparing to meet these regulatory requirements. Download the report here to gain deeper insights.
Protocol Interoperability Emerges as the Top Hurdle to Travel Rule Adoption

Each year, we explore the evolving challenges of implementing the Travel Rule. This year, the lack of interoperability between different protocols has become the foremost challenge, as 34% of respondents highlighted. This underscores the growing necessity for standardized communication to ensure effective compliance with the Travel Rule across various platforms.

Interestingly, despite identifying interoperability as a major hurdle, 67% of respondents reported not using more than one Travel Rule protocol. This suggests that the impracticality of integrating multiple protocols outweighs the compliance limitations that arise from the lack of protocol interoperability.

Additionally, respondents were asked about their companies’ responses to Travel Rule transfers from other VASPs. Notably, 37% of respondents indicated that they had not received such requests. The lack of incoming Travel Rule transfers points to a fragmented approach to compliance, where many VASPs continue to operate in isolation due to the lack of interoperability.
The survey results highlight a crucial industry dilemma: counterparties may not be using the same Travel Rule protocol and thus may be unaware of Travel Rule requests from others, contributing to significant compliance challenges in deposit flows. This is why it is imperative to address interoperability—to improve compliance and unlock the full transaction potential by ensuring seamless industry-wide communication. This topic is further explored in Chapter 5, Section 5 of the Report.
The Sunrise Issue’s Negative Impact Jumps 74%

The prominence of the Sunrise Issue as a barrier to adopting the Travel Rule has escalated, moving from the third to the second most significant challenge. This marks a 74% increase from the previous year’s findings. Despite expectations that last year’s surge in Travel Rule adoption would mitigate the Sunrise Issue, the opposite has occurred. The rise in adoption has been offset by increasing regulatory demands, leading to more stringent compliance measures.
Even though more VASPs are adhering to the Travel Rule, theoretically easing the Sunrise Issue, regulatory standards have tightened. Previously, VASPs had more leeway in handling non-compliant counterparties, with only 8% opting not to execute transactions when unable to transmit Travel Rule information. Currently, although more VASPs are compliant and able to exchange information, the flexibility in dealing with non-compliant counterparts has diminished. The number of VASPs halting transactions when unable to send a Travel Rule data transfer has nearly tripled this year.
Overcoming the Sunrise Issue requires a universal agreement on implementing the Travel Rule. Without swift and broad enforcement, the negative impacts of the Sunrise Issue are likely to grow due to increased regulatory scrutiny and enforcement in compliant regions. This issue is further examined in Chapter 5, Section 1. The “Regulatory/legal uncertainty” hurdle has shifted to the third position at 16%, marking a measurable decline from its second-place standing of 22% in 2023.
This shift suggests that increased regulatory clarity has eased some hindrances, as evidenced by developments like the U.K. Travel Rule implementation and the definition of the EU Travel Rule framework with the publication of the TFR. However, though this stride forward signals progress, this hurdle still places in the top three, underscoring the need for continued efforts to comprehensively address the clarity of the regulatory guidelines, with the goal of moving it out of the top three.
In the 2023 survey, VASPs highlighted "Lack of technical resources" as the primary hurdle to Travel Rule adoption (at 27%). However, in 2024, the percentage of those citing it as their top concern decreased dramatically to 3%, a staggering 89% decrease. Such a change in position indicates that the challenges relating to this obstacle have been alleviated, possibly due to the increased business commitment to Travel Rule implementation. It could be argued that the rising regulatory urgency fostered an alignment between compliance needs and business objectives. As reported by nearly half of the respondents (47%), Travel Rule adherence has evolved into a prerequisite for obtaining a license to operate in new markets. This is true in pivotal crypto hubs like Hong Kong and the United Arab Emirates, as explored in Chapter 2, Section 1 of the 2024 State of Crypto Travel Rule Compliance Report.
Moreover, Travel Rule adherence plays an increasingly vital role in the due diligence processes of banks and financial institutions—when assessing VASPs for core financial services, such as bank accounts—and regulators and auditors, as further explored on page 56 of the report.
Nearly Half of All Respondents Face Travel Rule Obligations in Multiple Jurisdictions

Last year’s survey results uncovered the global nature of Travel Rule compliance; this year’s findings further support this. A notable finding is that 47% of respondents are now subject to the Travel Rule in multiple jurisdictions, which represents a substantial increase of approximately 104% compared with last year’s 23%. This surge underscores the growing complexity of complying with the Travel Rule on a global scale, as it requires adherence to different regulatory standards across jurisdictions.
A closer examination of the respondents required to comply across multiple jurisdictions reveals a substantial concentration within specific jurisdictions:
- 33% have a presence in the United Kingdom,
- 27% in the United States, and
- 21% in Singapore.
This emphasizes the global significance of these key jurisdictions and underscores the urgency of adopting sensible regulatory policies that facilitate seamless cross-border transactions.
Cross-Border Compliance Emerges As a Key Concern

Additionally, as part of the survey, participants were given the option to rank the importance of factors contributing to the success of their Travel Rule solution. The findings indicate that 65% identified “multi-jurisdictional roll-out” among their top two priorities, with 23% ranking it as their primary concern. This trend underscores the significance of cross-border compliance with the Travel Rule.
This data highlights the industry’s potential for improved efficiency through a unified and cohesive strategy to navigate diverse regulatory requirements across regions.
Understanding who controls the recipient wallet is crucial for Virtual Asset Service Providers (VASPs) to comply with the Travel Rule. The first phase of the mandated pre-transaction due diligence process, as set forth by the Financial Action Task Force (FATF) [1], involves identifying the counterparty VASP. A comprehensive due diligence process is initiated once another VASP is identified as the counterparty.
Correctly carrying out this procedure enables VASPs to sidestep transactions with suspicious or sanctioned entities. Moreover, it safeguards sensitive customer data by ensuring it only goes to a verified or intended counterparty. [2]

Counterparty VASP Identification Challenges
Crypto transfers are recorded on public ledgers, leading VASPs to treat their wallet address books as confidential, which complicates identification efforts during Travel Rule-compliant transfers. VASPs face a wide range of counterparties, from other VASPs and financial institutions to self-hosted wallets and entities like e-commerce platforms, gaming sites, and mining pools. This diversity adds another layer of complexity to the already challenging counterparty identification process.
Currently, VASPs rely on (1) blockchain analytics, (2) input from their end customer, and (3) other specific discoverability methods available in their Travel Rule network to identify the counterparty to the transaction. These solutions have limitations: blockchain analytics can cluster wallet addresses with VASP groups but cannot reconcile them with specific legal entities; end customers may know the VASP brand but often do not know the specific legal entity with which they or their transaction counterparty is contracted; Travel Rule networks are limited to the information made available by the network members.
This issue remains critical, as compliance with the Travel Rule hinges on the accurate identification of the counterparty.
Learn more about this topic in Chapter 1, Section 2.2.1 of the 2024 State of Crypto Travel Rule Compliance Report.
FATF's Stance on VASP Identification
In its 2021 update, FATF highlighted the lack of "technically proven means" for accurately identifying the VASP overseeing the beneficiary wallet based solely on the Virtual Asset (VA) address:
To date, the FATF is not aware of any technically proven means of identifying the VASP that manages the beneficiary wallet exhaustively, precisely, and accurately in all circumstances and from the VA address alone. - FATF [3]
In the same report, the FATF explicitly urged the industry to accelerate efforts to strengthen global solutions that can accommodate nuances in requirements across jurisdictions in accordance with FATF Standards. [4]
Approaches to the Sunrise Issue Challenges
Below, we discuss what can be done about the VASP identification issue and initiatives that are already in place at the various stakeholder levels, and which stakeholders are best positioned to drive solutions to this issue:
Joint Industry Initiatives
Notabene had the honor of attending the V20 Summit in October 2022. Held alongside the G20, the summit convened 20 VASPs to discuss global financial policies and industry proposals in the wake of the FTX collapse, TerraUSD crash, and other industry events. At the V20 Summit, the stakeholders present set a goal to develop and agree on a common approach to public infrastructure for VASP discovery and the general principles that should be observed, namely:
- The infrastructure should be common, global, decentralized, and open (available to all VASPs and Travel Rule protocols).
- The infrastructure should provide base layers of information (entity name, jurisdiction, regulatory status, contact info, and supported Travel Rule protocols).
The Joint Working Group under IVMS, in which Notabene is an active participant, is leading the initiative to create this infrastructure.
Travel Rule Solutions
Many Travel Rule solutions are already participating in the Joint Working Group under IVMS mentioned above. Others are encouraged to join to ensure that the chosen industry approach has stakeholders' buy-in at all levels.
Notabene enables VASPs to autonomously identify the counterparty to transactions through the following discoverability methods:
- Integration with blockchain analytics: SafeTransact features integrations with several blockchain analytics service providers that allow VASPs to plug in their blockchain analytics accounts to the Travel Rule flow. The counterparty wallet address is queried against the information available to the blockchain analytics service to determine whether or not that wallet is associated with a known VASP.
- Network Discoverability: In response to these identified challenges, Notabene has rolled out Network Discoverability. This feature offers scalable, secure, and reusable techniques for counterparty VASP identification within open networks. The Notabene Network features an internal, self-managed address book. Participating VASPs can upload their blockchain addresses in hashed format to Notabene and permit them to be safely leveraged across the network to streamline the discoverability process. When other VASPs in the network engage in transactions involving any of the uploaded hashed addresses, the VASP that controls the respective address will be automatically identified.
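The hashed address book described above, sketched as an added example that is not Notabene's code. The page does not state the hash function or normalization rule, so SHA-256 over a normalized address string, the HashedAddressBook class, and the VASP names and addresses are assumptions.

```python
from __future__ import annotations

import hashlib
import re

_HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize(address: str) -> str:
    """Canonical form hashed by every member (assumed rule, not from the page)."""
    addr = address.strip()
    # EVM-style hex addresses differ only by checksum casing, so fold them.
    # Base58 addresses are case-sensitive and must be left untouched.
    return addr.lower() if addr[:2].lower() == "0x" else addr


def address_digest(address: str) -> str:
    """SHA-256 digest a VASP uploads instead of the raw address (assumed scheme)."""
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()


class HashedAddressBook:
    """Hypothetical network-side directory: digest -> VASPs claiming it."""

    def __init__(self) -> None:
        self._claims: dict[str, set[str]] = {}

    def upload(self, vasp: str, digests: list[str]) -> None:
        for digest in digests:
            # Reject raw addresses or truncated values uploaded by mistake.
            if not _HEX64.fullmatch(digest):
                raise ValueError("expected a 64-character lowercase hex digest")
            self._claims.setdefault(digest, set()).add(vasp)

    def identify(self, address: str) -> tuple[str, str | None]:
        claimants = self._claims.get(address_digest(address), set())
        if not claimants:
            # Not in the book: self-hosted wallet or a VASP outside the network.
            return ("unknown", None)
        if len(claimants) > 1:
            # Two members claim one address: route to manual review
            # rather than sending customer data to either of them.
            return ("conflict", None)
        return ("match", next(iter(claimants)))


def demo() -> dict[str, tuple[str, str | None]]:
    # Constructed addresses and VASP names, for illustration only.
    evm = "0xAbCdEf0000000000000000000000000000000001"
    shared = "0x00000000000000000000000000000000000000aa"
    book = HashedAddressBook()
    book.upload("VASP-A", [address_digest(evm), address_digest(shared)])
    book.upload("VASP-B", [address_digest(shared)])
    return {
        "case_variant": book.identify(evm.lower()),
        "shared": book.identify(shared),
        "not_uploaded": book.identify("0x00000000000000000000000000000000000000bb"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Because on-chain addresses are public, a digest only keeps the address book from being read in bulk; any party allowed to query with a candidate address learns its owner, so query access still has to be limited to vetted network members.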
VASPs
VASPs ultimately own the information that allows the accurate association between their wallet addresses and the legal entities that operate them. The adoption of any standard for VASP discovery necessarily hinges on VASPs’ collaboration.
2024 Status Check

Partial solutions for VASP identification are available, but their limitations continue to negatively impact Travel Rule compliance. Recognizing how important a common industry approach will be in solving this, the Joint Working Group under IVMS is working toward a standard that it hopes the industry will adopt.
Learn more about Network Discoverability
Learn more about our VASP identification feature, which offers scalable, secure, and reusable techniques for counterparty VASP identification within open networks.
This article provides an in-depth look at virtual asset service providers' (VASPs) current compliance status and future planning as they navigate the Travel Rule. Based on the results from Notabene's 2024 State of Crypto Travel Rule Compliance survey, we explore how crypto businesses and financial institutions are preparing to meet these regulatory requirements.
96% of VASPs Are Travel Rule Compliant or Plan To Be in 2024

The Travel Rule has become a fundamental aspect of the crypto compliance landscape. According to the survey, 96% of respondents are either already compliant or plan to be by Q4 2024. This marks a significant milestone, with over half (52%) of respondents already adhering to the Travel Rule in 2023—a substantial increase from 23% the previous year, indicating a 123% growth in compliance.
A mere 4% of respondents indicated a stance of non-compliance until 2025. This highlights that compliance with the Travel Rule is not only an immediate necessity due to increased regulatory urgency but also a strategic imperative for entities aiming to operate and transact globally in a compliant manner. For a comprehensive analysis and detailed statistics, download the full report.
Team Sizes and Automation

A notable 80% of firms have dedicated Travel Rule compliance teams, reflecting the industry's commitment to meeting these stringent requirements and recognizing the importance of working with specialized personnel to successfully navigate the intricacies of Travel Rule compliance and stay abreast of increased scrutiny and regulatory demands.

The survey also investigated team sizes and the automation of pre-transaction checks, which revealed respondents’ efforts to ensure the efficient operation of their compliance teams.
A large portion of respondents (46%) have significantly automated their systems, with less than 25% of transactions flagged for manual review. Another 24% partially automate, flagging over 25% for manual review. However, 17% manually approve every transaction, and 13% automate without pre-transaction checks.

Nearly half of respondents (47%) had to demonstrate Travel Rule compliance during license applications, indicating its importance in gaining market access.

Additionally, more than half of the respondents (53%) have had their AML and sanctions programs evaluated by local regulators, examiners, or independent reviewers, explicitly focusing on Travel Rule compliance. This standardized assessment process highlights Travel Rule adherence's integral role in the AML framework and its strategic importance within the overarching compliance framework.
The industry's commitment to Travel Rule compliance is evident through dedicated teams, integration into licensing processes, and comprehensive AML assessments, making it a strategic imperative for operational excellence and market credibility.
VASPs Ensure Compliance Where the Travel Rule Is a Licensing Deal-Breaker

A commendable 52% of companies, spanning diverse primary jurisdictions, are already complying with Travel Rule requirements. However, a closer examination of survey responses on primary jurisdiction and implementation timelines reveals a clear pattern: VASPs prioritize compliance where Travel Rule compliance is a license “deal breaker.”
EMEA
The EMEA region as a whole demonstrates a high compliance rate, with 59% of respondents in the region claiming to be already complying.

In the EMEA region, the U.K. stood out as the primary jurisdiction with the highest percentage of compliant respondents, boasting an exceptional 100% compliance rate among those surveyed. Of these, 89% were already compliant, and the remaining 11% planned to be by the end of 2023 when the survey was issued. This remarkable compliance rate can be attributed to the U.K.’s robust standards since the country began enforcing the Travel Rule on September 1, 2023.

UAE
When looking deeper into the UAE respondents, where Travel Rule compliance is a licensing prerequisite, 60% of companies have already achieved compliance, and an additional 20% anticipate reaching compliance by the second quarter of 2024. These statistics demonstrate that having Travel Rule compliance as a license deal-breaker fosters a proactive commitment to adoption from the industry.

The trend of enforcing strict licensing regimes is positive. An analysis conducted by TRM Labs (2024) found that VASPs in countries with full licensing and supervision regimes have lower rates of illicit activity than those in less regulated jurisdictions.

APAC
It’s crucial to highlight that the rest of the world is keeping pace. Among respondents with primary jurisdictions in APAC, an impressive 86% are already in compliance with the Travel Rule. This includes vital APAC jurisdictions such as Singapore, Hong Kong, India, Japan, and Malaysia.

Of the 39% of APAC respondents that listed Singapore as their primary jurisdiction, 63% are already compliant, while an additional 25% aim for compliance by Q1 of 2024.

U.S.
The U.S. is trailing behind other key jurisdictions. Although Travel Rule requirements have been in place in the U.S. since 2013, only 50% of companies claim compliance, with an additional 30% expecting compliance by Q1 of 2024. These numbers are particularly striking compared to the 100% compliance rate observed in the U.K., where the measures were implemented only recently, just four months before the survey was issued. This trend may be attributed to regulatory ambiguity and limited enforcement action in the U.S., contrasting with the proactive commitment to adoption seen in other jurisdictions.

However, the increasing counterparty urgency is expected to drive global adoption, particularly in the United States. Our survey data indicated that fewer VASPs are willing to send withdrawals or receive deposits without the ability to transmit or receive relevant Travel Rule information, which means a potential increase in business loss. Such pressure to adapt will hopefully drive industry stakeholders and regulators to take action, especially those in the U.S.


The Number of VASPs Not Implementing Counterparty Due Diligence Processes Has Nearly Halved

Trend Shift
The survey indicates a significant decrease in the proportion of companies willing to send Travel Rule transfers to counterparties without specific criteria, dropping from 52% in 2023 to 29% in 2024. This reflects a growing emphasis on rigorous counterparty due diligence. Another notable trend is the growing emphasis on assessing the regulatory status of counterparties, a figure that has doubled, from 4% to 9%.

Due Diligence Practices
Sixty-four percent of companies perform due diligence pre-transaction. The survey question, “What checks do you perform, if any, on your counterparties prior to initiating Travel Rule transactions?” highlights the industry's maturing commitment to Travel Rule compliance. The majority of respondents conduct:
- Wallet sanction screening (87%)
- Counterparty name sanction screening (77%)
- Evaluation of wallet risk scores (74%)
- VASP due diligence (64%)
Only a minority (6%) reported conducting no checks, underscoring a holistic approach to risk management. However, despite the positive trend, VASP due diligence is still the least adopted measure.
The trends indicate a clear shift toward more rigorous counterparty due diligence, a preference for regulated counterparties, and a strategic move away from indiscriminate transfers to all VASPs. Despite this progress, challenges remain. As outlined in Chapter 5, Section 3, issues such as the low adoption of VASP due diligence, the least performed measure, continue to hinder the counterparty due diligence process.
The industry’s growing commitment to Travel Rule compliance is evident with the existence of dedicated teams, integration into regulatory licensing processes, and the core fabric of AML compliance assessments. This trend positions Travel Rule compliance not merely as a regulatory necessity but as a strategic imperative that drives operational excellence and market credibility.