On October 28, 2021, the Financial Action Task Force (FATF) released its first fully updated guidance for a risk-based approach for Virtual Assets and Virtual Asset Service Providers since 2019. This document updates its draft guidance released in March. Read our comments on that release here. This guidance offers recommendations on how member jurisdictions should regulate cryptocurrency businesses. 

The key theme is FATF’s focus on regulating cryptocurrency businesses as VASPs based on their function and business model, rather than their underlying technology, self-described business category, or custodial status. Below, we’ve summarized the top 12 key takeaways from the updated guidance and tell you how Notabene can help you meet your compliance obligations.

‍Click here to watch the webinar summary. Access the slides.

1. FATF states that Stablecoins could be considered higher risk due to their potential for mass adoption 

§104 

As with VAs, it is important that ML/TF risks of stablecoins, particularly those with potential for mass-adoption and that can be used for P2P transactions, are analysed in an ongoing and forward-looking manner. In developing new products, VASPs and other obliged entities should assess the ML/TF risks before bringing them to market and put in place mitigation measures before launch. 

What this means: The FATF recognizes that all VAs have a potential for widespread adoption yet denotes that stablecoin projects have a greater potential for mass adoption, which can heighten ML/TF risks. FATF recommends that stablecoin providers employ potential mitigation measures to ensure AML/CFT obligations are fulfilled. Expect more VASPs to start building compliance into new stablecoin products. 

2. FATF calls on Public-Private collaboration to create new risk-mitigation tools for P2P transactions

§105 P2P transactions

As set out in Section 2, countries should also seek to understand the ML/TF risks related to P2P transactions and how they are being used in their jurisdiction. (...) 

§106

Depending on the assessed risks associated with P2P transactions, or certain types of P2P transactions, countries may consider and implement as appropriate options to mitigate these risks at a national level. 

What this means: FATF is firming its stance on P2P transactions or transactions from VASPs to unhosted wallets.

Currently, the FATF places the AML/CTF burden on intermediaries and, for the time being, this will continue to be the case.In the second annual review of the Guidance, which took place in June 2021, the FATF decided it was not yet time for a paradigm shift because, first, the available data on the P2P market was deemed not yet not reliable enough to make an informed decision, and second, intermediaries continue to have a predominant presence in the crypto market. However, the FATF admits that the standards might need to be adapted in the future in case the industry shifts to disintermediated transactions. Furthermore, the FATF recognizes that P2P transactions could pose specific ML/TF risks, as they can potentially be used to avoid AML/CFT controls in the FATF Standards. For that reason, in the latest Guidance the FATF lists a number of measures that members can adopt to mitigate the risks associated with P2P transactions. In particular, the FATF already recognizes the possibility of restricting VASPs to only transact with other VASPs as a means to mitigate risks. 

3. Every virtual asset for payment or investment should be subject to obligations applicable either as a VA or another type of financial asset

§51

The FATF does not intend for an asset to be both a VA and a financial asset at the same time. (...)  When determining if a new digital asset should qualify as a financial asset or a VA, authorities should consider whether their existing regime governing financial assets or their regime for VAs can be appropriately applied to the new digital assets in question. 

§52

In instances where characterization proves difficult, jurisdictions should assess their regulatory systems and decide which designation will best mitigate and manage the risk of the product or service. Consistent with the technology-neutral approach, a blockchain-based asset that is defined as a financial asset would likely not fall under this VA-focused Guidance. (...) RBA. Nonetheless, every asset for payment or investment should be subject to obligations applicable either as a VA or another type of financial asset. 

What this means: FATF places the onus on jurisdictions to determine if a VA is a financial asset or a virtual asset. Jurisdictions could consider the commonly accepted asset usage (payment or investment) and what type of regulatory regime offers the best fit. What is key is that, regardless of the framework that jurisdictions decide to apply, all assets used for payment or investment purposes are subject to obligations consistent with the FATF recommendations, either as a VA or as other type of financial asset. It is also worth mentioning that the underlying technology of the asset is not a deciding factor in determining the applicable framework to the asset at issue. For example, a blockchain-based asset defined as a financial asset would likely not fall under the FATF VA-focused Guidance.
‍

4. The guidance now includes clarifications around #DeFi developers, stablecoin developers, and multi-sig custodial APIs

§64

The definition of VASP covers any service allowing users to transfer ownership, or control of a VA to another user or to transfer VAs between VA addresses or accounts held by the same user. (...) If a new party has custody or ownership of the VA, has the ability to pass control of the VA to others, or has the ability to benefit from its use, then transfer has likely occurred. This control does not necessarily have to be unilateral and multi-signature  processes are not inherently exempt (see limb (iv) below), where a VASP undertakes the activity as a business on behalf of another natural or legal person. 

§73

The term “control” should be understood as the ability to hold, trade, transfer or spend the VA. (...) The existence of a multi-signature model or models in which multiple parties must use keys for a transaction to happen does not mean a particular entity does not maintain control, depending on the extent of the influence it may have over the VAs.

§67

A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology (see paragraph 82 below). However, creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. For example, there may be control or sufficient influence(...) even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement. 

§68

While this Guidance aims to provide direction, countries will need to evaluate the facts and circumstances of each individual situation to determine whether there is an identifiable person(s), whether legal or natural, providing a covered service. Marketing terms or self-identification as a DeFi is not determinative, nor is the specific technology involved in determining if its owner or operator is a VASP. (...)Countries should be guided by the principle that the FATF intends to cover natural or legal persons who conduct the financial services covered in the definition as a business. (...) In cases where a person can purchase governance tokens of a VASP, the VASP should retain the responsibility for satisfying AML/CFT obligations. An individual token holder in such a scenario does not have such responsibility if the holder does not exercise control or sufficient influence over the VASP activities undertaken as a business on behalf of others. 

What this means: Multi-Sig Custodial APIs are not outside of the VASP scope, as they control keys/credentials held by others. Central developers of governance bodies of stablecoins are, in general, considered VASPs. For stablecoins without a readily identifiable central body, the party that develops and launches its arrangement likely carries out VASP functions and would be covered under the VASP definition. DeFi developers, owners, and operators may fall under the FATF definition of a VASP provided that they maintain control or sufficient influence in the DeFi arrangements, even if the operations seem automated and decentralized. However, DeFi governance token holders do not have VASP responsibilities, so long as they do not have control or sufficient influence over VASP activities. As DeFi projects rapidly expand in number, countries will need to evaluate the facts of each particular situation to determine how to proceed. We strongly recommend that the industry pushes a unified interpretation of the rules to national regulators. 

5. This updated guidance changes the scope of application of the Travel Rule to include unhosted wallets

§179

The requirements of Recommendation 16 apply to VASPs whenever their transactions, whether in fiat currency or VA, involve: (a) a traditional wire transfer, (b) a VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other FI), or (c) a VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet). The full requirements of Recommendation 16 apply to (a) and (b) but not (c), as set out below. 

What this means: In the June 2019 Guidance (§113), VA transfers between VASP and non-obliged entities were not within the scope of TR requirements. From now on, Travel Rule requirements apply to transactions with non-obliged entities (such as unhosted wallets), but with adaptations. This means that for VASPs to apply the right process, they need to determine whether the transaction is with a VASP or with an unhosted wallet in the first place. Notabene’s fully-customizable Wallet Identification tool can help VASP determine their counterparties. 

Now, when a transaction originating from a VASP to a non-obliged entity, FATF expects VASPs to:

• Obtain the originator and beneficiary information from VASP’s customer when originating or receiving a VA transfer
• Enforce AML/CTF obligations (e.g., transaction monitoring, sanctions compliance)

FATF does not expect VASP to:

• Send required information to non-obliged entities
  ‍

6. This guidance updates the de-minimis threshold and information required for a Travel Rule transaction.

§191

Countries may choose to adopt a de minimis threshold for VA transfers of USD/EUR 1 000 in line with the FATF Standards, having regard to the risks associated with various VAs and covered VA activities. (...) For VA transfers under the threshold, countries should require that VASPs collect: 
a. the name of the originator and the beneficiary; and 
b. the VA wallet address for each or a unique transaction reference number.

§192

Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.

What this means: Many jurisdictions adopted Travel Rule requirements only for VA transfers above certain thresholds. VA transfers below the threshold VASPs should still be required to collect (but not verify, unless there is an ML/TF suspicion) the beneficiary and originator: (i) name (ii) wallet address / TX identifier. 

7. FATF provides options for risk-mitigation when interacting with unhosted wallets

§297
‍

A VASP may choose to impose additional limitations, controls, or prohibitions on transactions with unhosted wallets in line with their risk analysis. Potential measures include: 
a. enhancing existing risk-based control framework to account for specific risks posed by transactions with unhosted wallets (e.g., accounting for specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement); and b. studying the feasibility of accepting transactions only from/to VASPs and other obliged entities, and/or unhosted wallets that the VASP has assessed to be reliable. 

What this means: The FATF now provides options for risk mitigation, including VASPS limiting transactions to only other VASPs or whitelisted accounts only.  FATF clarifies the scope and obligations intermediaries when it comes to Travel Rule requirements

Footnote 50

To clarify, when a VASP, FI or other intermediary obliged entity facilitates a VA transfers as an intermediate element in a chain of VA transfers, and the certain activity/business has been classified as a VASP in this Guidance, then they would be classified as an “intermediary VASP”.  

§202

(...)Just as a traditional intermediary FI processing a traditional fiat cross-border wire transfer must ensure that all required originator and beneficiary information that accompanies a wire transfer is retained with it, so too must an intermediary VASP or other comparable intermediary institution that facilitates VA transfers ensure that the required information is transmitted along the chain of VA transfers, as well as maintaining necessary records and making the information available to appropriate authorities upon request. (...)Intermediary institutions involved in VA transfers also have general obligations to identify suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities—just like ordering and beneficiary VASPs (or other ordering or beneficiary obliged entities that facilitate VA transfers). 

What this means: Intermediary VASPs are entities that sit somewhere in the chain of a virtual asset transfer and facilitate the transfer from the originating VASP to the beneficiary VASP by providing a service that qualifies as a virtual asset service under the Guidance. 

According to the FATF's guidance, Intermediaries only pass information along, so they aren’t required to verify originating or beneficiary information, but they are nevertheless subject to record keeping obligations and are required to carry out sanctions screening. Since intermediaries are not required to verify originator and beneficiary information, requiring intermediaries to also screen the parties to the transaction against sanction lists is potentially not the most effective approach. Relying on the VASP that knows more about each party to perform this function is preferable.

VASP <> VASP reliance for sanction screening is a more effective solution. Industry cooperation will be essential to implementing a standard compliance flow for intermediaries. 

Criteria to qualify as an intermediary VASP:

• Facilitates a VA transfer as an intermediate element in a chain of VA transfers
• That activity qualifies as a virtual asset service under the Guidance
  

Obligations of intermediary VASPs:

• Transmit required information along the chain of VA transfers
• Record keeping
• Identify suspicious transactions
• Take freezing actions
• Prohibit transactions with designated persons or entities
  

8. A phased risk-based approach applied to business models should help VASPs get around the Sunrise issue. 

§200

The FATF expects countries to implement paragraph 7(b) of INR.15 as soon as possible. Countries may wish to take a staged approach to enforcement of travel rule requirements to ensure that their VASPs have sufficient time to implement the necessary systems, but should continue to ensure that VASPs have alternative measures in place to suitably mitigate the ML/TF risks arising from VA transfers in the interim. (...) This means that some jurisdictions will require their VASPs to comply with the travel rule prior to other jurisdictions (i.e., the ‘sunrise issue’). This can be a challenge for VASPs regarding what approach they should take in dealing with VASPs located in jurisdictions where the travel rule is not yet in force. Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.

§201

(...)Regardless of the regulation in a certain country, a VASP may implement robust control measures to comply with the travel rule requirements. Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions.

What this means: In this Guidance the FATF makes it very clear that the time for compliance is now. The FATF acknowledges the need for this staged approach to compliance with the Travel Rule. But, at the same time, the FATF requires countries to enforce interim risk mitigation measures that enable tackling the ML/TF risks associated with VA transfers now. 

The sunrise period - period during which Travel Rule requirements are not in force in all jurisdictions - causes a lot of practical problems due to crypto being inherently international. VASPs in countries where Travel Rule requirements are already being enforced will have a hard time complying if they want to keep interacting with VASPs based in countries where the Travel Rule is not yet being enforced. 

But what the FATF says in the new Guidance is that this issue should not preclude VASPs from already complying with the Travel Rule. And in this context, the FATF suggests a number of measures that VASPs could implement to circumvent the sunrise issue. Most of them entail substantial limitations to the VASPs' transaction volume.

In some instances, VASPs could avoid the business impact of Travel Rule compliance through policy coordination. Although the sunrise period is the #1 hindrance to compliance with the Travel Rule, FATF claims that it should not preclude VASPs from complying and offers the following risk-mitigating measures to circumvent the effect of the sunrise issue. 

• Require counterparty to comply
• Restricting TXs to within customer base
• Allowing only first-party transactions
• Enhanced monitoring

9. FATF recognizes that conducting counterparty due diligence is a challenge. Provides guidance on how counterparty due diligence could be undertaken.

§197.

The best way to conduct counterparty due diligence in a timely and secure manner is a challenge. There are broadly three phases in this process. These are not intended as prescriptive actions that VASPs must take, but guidance on how counterparty due diligence could be undertaken: 

a. Phase 1: Determine whether the VA transfer is with a counterparty VASP. A person may wish to transfer VAs to another VASP (e.g., a beneficiary with a hosted wallet) or they may wish to transfer VAs to an unhosted wallet. The originator VASP must therefore determine whether they will be transacting with another VASP. This determination process is not purely an AML/CFT requirement, but rather arises from the technology underpinning VAs. To date, the FATF is not aware of any technically proven means of identifying the VASP that manages the beneficiary wallet exhaustively, precisely, and accurately in all circumstances and from the VA address alone; 

b. Phase 2: Identify the counterparty VASP, as a VASP only knows the “name” of the counterparty VASP following the previous phase. A VASP may identify a counterparty VASP themselves using a reliable database in line with any guidelines from a country on when to rely on such data; and 

c. Phase 3: Assess whether the counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with (see Recommendation 16 in Section IV for further information on counterparty VASP due diligence and Recommendation 11 on record-keeping to appropriately store and manage that customer data). 

§193

Countries should require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities (i.e., screening and required information relating to VA transfers in order to comply with their targeted financial sanctions obligations). The ordering institution should have the required information about its customer, the originator, and the beneficiary institution should have the required information about its customer, the beneficiary, in line with the CDD requirements set forth in Recommendation 10. The ordering and beneficiary institutions should have screened their customer’s name for compliance with targeted financial sanctions obligations at the time of onboarding their respective (and upon name changes). They must then screen the names of the other party (the originator or the beneficiary) when they conduct the VA transfer (see Table 1 above). 

§198

To clarify the scope of this Guidance, competent authorities should require VASPs to implement preventive measures in ‘Phase 3’ to assess the counterparty VASP, where VASPs first have a business relationship, and then review the results of the due diligence periodically. Countries should also maintain reliable, independent sources of information for ‘Phase 2’ to assist VASPs in their efforts to identify the counterparty VASP. This could include regulated institutions lists, such as VASP lists where available, registries of beneficial ownership where available and other examples mentioned in the BCBS Guideline.49 For the benefit of effective and efficient counterparty due diligence, a regulated institutions list may include but should not be limited to contains the VASP name and registered VASP address. Considering the increased usage of digitalized processes in the financial industry, countries should be encouraged to use a format that is machine-readable. A country need not impose a separate licensing or registration system for VASPs with respect to natural or legal persons already licensed or registered as FIs (as defined by the FATF Recommendations) within that country. Countries that have such frameworks may clarify to their private sector that such FIs might not be on the designated VASPs lists, or even not under the supervision of the same regulator, to avoid unnecessary de-risking. 

§194

Countries should require VASPs or other obliged entities to implement an effective control framework to ensure that they can comply with their targeted financial sanction obligations. This framework should take into account the nature of VA transfers. Because the required information identifying the originator and beneficiary can be held separately to the VA transfer system (e.g., the blockchain), the VA transfer can be completed even with such information missing or without screening the transfer to identify suspicious and prohibited transactions. Therefore, VASPs or other obliged entities should screen required VA transfer information separately to such direct settlement. Thus, VASPs may need to consider mitigation measures that fit their business process and the technical nature of VAs. Although blockchain technology is ever-changing, examples of controls that a VASP or other obliged entity could implement include: 

a. putting a wallet on hold until screening is completed and confirmed that no concern is raised; and 

b. arranging to receive a VA transfer with a provider’s wallet that links to a customer’s wallet and moving the transferred VA to their customer’s wallet only after the screening is completed and has confirmed no concern is raised. 

What this means: The first thing VASPs should ask themselves when complying with the Travel Rule in the context of a VA transfer is whether they are transacting with a counterparty VASP, as this will influence the rules that apply to the transfer. This continues to be a relevant pain point and, in the Guidance, the FATF acknowledges that today it is not always possible to determine, securely, whether a VASP is managing the wallet on the other side.

In cases where the VA transfer is with a VASP, the goal is to make sure that such counterparty VASP can be trusted before transacting. For that purpose, VASPs need to undertake appropriate due diligence and look at several aspects such as the

• robustness of the counterparty's data security framework
• whether the counterparty is complying with the travel rule
• and whether the counterparty is under supervision of relevant authorities

All of this needs to happen before transacting. 

Identifying and conducting due diligence on counterparty VASPs is the first pain point and the first stage in implementing the Travel Rule. FATF recommends the Wolfsberg questionnaire as a starting point for a potential framework in the VASP counterparty due-diligence context. 

10. FATF outlines data requirements for ordering and beneficiary VASPs in the Travel Rule

Table 1: Data requirements for ordering and beneficiary VASPs in the travel rule (pg 59)

Notabene’s Takeaway: An important component of complying with the Travel Rule is the exchange of originator and beneficiary information between VASPs. The table above, included in the Guidance, provides an excellent summary of all the data exchange requirements and their purpose.

• The ordering VASP, which in most cases has a business relationship with the VA transfer originator, is required to transmit accurate information about the originator to the Beneficiary VASP.
• In turn, the Beneficiary VASP does not need to confirm the accuracy of the originator information, but needs to run the received information against sanction lists.
• Then, in contrast, the ordering VASP needs to send the beneficiary information collected from their customer to the Beneficiary VASP but does not need to confirm the accuracy of such data. The ordering VASP should use this data to screen the beneficiary user against sanction lists.
• The Beneficiary VASP (who verifies the identity of the beneficiary of the VA transfer upon establishing a business relationship with them), is required to confirm if the received beneficiary information is consistent with their records.

It is worth noting that in the updated Guidance the FATF recognizes that, when VASPs reasonably conclude that their counterparty does not handle PII securely, they can proceed with the blockchain transfer without sending PII to their counterparty VASP, provided that:

• AML / CTF risks are acceptable and
• That the VASP adopts alternative procedures.
  
  

11. FATF recommends VASPs to take freezing actions and prohibit transactions with designated persons/entities

§193

‍Countries should require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities (...)  The ordering and beneficiary institutions should have screened their customer’s name for compliance with targeted financial sanctions obligations at the time of onboarding their respective (and upon name changes). They must then screen the names of the other party (the originator or the beneficiary) when they conduct the VA transfer. 

§194

(...)  Because the required information identifying the originator and beneficiary can be held separately to the VA transfer system (e.g., the blockchain), the VA transfer can be completed even with such information missing or without screening the transfer to identify suspicious and prohibited transactions. (...) Thus, VASPs may need to consider mitigation measures that fit their business process and the technical nature of VAs. 

What this means: The goal of the sanction screening obligations imposed on VASPs is to prevent transactions with designated entities and allow VASPs to take freezing actions when such transactions occurs. For these purposes, VASPs are required to screen the names of their own customers and also of the counterparty to any transactions against sanction lists. Additionally, VASPs must take measures to mitigate the risk of settling the blockchain TX before the screening is completed, such as putting a wallet on hold until screening is completed and confirming that no concern is raised.

How Notabene helps VASPs meet FATF obligations

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. We currently process transactions between more than 50 crypto native companies. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. If you’d like to learn more about how we can help, please contact us here.

ROAD TOWN, British Virgin Islands, October 22 2021 - Bitfinex, a state-of-the-art digital token trading platform will begin testing Notabene's end-to-end protocol-agnostic solution for crypto regulatory compliance.

Notabene will enable Bitfinex to test complex Travel Rule transactions in a low-risk, collaborative environment as the exchange prepares for the new rules and takes an industry leading role in meeting global regulatory requirements. Notabene’s open solution supports integration to multiple protocols, enabling Virtual Asset Service Providers (VASPs) to send and receive counterparty information alongside blockchain transactions to any counterparty that uses the same infrastructure.

Global money-laundering watchdog the Financial Action Task Force (FATF) introduced new guidelines that treat crypto companies as regulated financial entities. Going forward, companies that custody and exchange virtual assets on behalf of customers will have to comply with existing regulatory requirements similar to banks, including the “Travel Rule,” which mandates collaboration to exchange identifying information of customers in transactions over a certain threshold. This is a daunting task as blockchains are ill-equipped to transfer personal identifying information in a secure and private manner, in tandem with the exchange of value. 

After successful integration of Notabene’s Travel Rule solution, Bitfinex aims to deliver the highest levels of data privacy while enabling participants to send the required Travel Rule data to the correct counterparty in a safeguarded manner.

Paolo Ardoino, CTO of Bitfinex, comments:

“As the preeminent, leading exchange in the trading of bitcoin, Bitfinex has always taken a leading role in meeting new global regulatory requirements. We chose to trial Notabene’s best-in-class solution as it delivers a seamless compliance process without any compromise to the user experience.”

Pelle Braendgaard, CEO of Notabene, says:

‍“Bitfinex has been an integral part of the crypto currency community for many years now. They share our vision for a continued open crypto currency ecosystem. We are excited to help work with them implementing the Travel Rule, a key part of the latest guidelines for Virtual Asset Service Providers from FATF.  Travel Rule testnets are the best way for companies to collaborate on the approach to roll out Travel Rule compliance.”

‍
Notabene regularly holds strategic Travel Rule compliance testnets that substantially benefit all stakeholders in the community, including a recent cross-jurisdictional testnet, under the observance of the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM). 

‍

##
‍

About Bitfinex

Founded in 2012, Bitfinex is a digital token trading platform offering state-of-the-art services for traders and global liquidity providers. In addition to a suite of advanced trading features and charting tools, Bitfinex provides access to peer-to-peer financing, an OTC market and margin trading for a wide selection of digital tokens. Bitfinex's strategy focuses on providing unparalleled support, tools, and innovation for experienced traders and liquidity providers around the world. Visit www.bitfinex.com to learn more.

‍

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and X.

‍

Media contacts

Joe Morgan, Senior PR Manager, Bitfinex

[email protected]

Alice Nawfal, COO, Notabene

[email protected]

British Virgin Islands, October 20, 2021, 12:00 PM BST - Tether Operations Limited (“Tether”), the company operating the blockchain-enabled platform Tether.To that powers the largest stablecoin by market capitalization, announced today that it will be utilizing Notabene, an end-to-end solution for crypto regulatory compliance. It will begin testing its protocol-agnostic solution for Travel Rule compliance in order to bring transparency to cross-border transactions. 

Notabene will enable Tether to test complex Travel Rule transactions in a collaborative, low-risk environment as the stablecoin issuer prepares for new regulations. In order to ensure customer protection, specifically as it pertains to transactions made by Virtual Asset Service Providers (VASPs), Tether will use Notabene’s solution to share, send and receive counterparty information alongside blockchain transactions to counterparties that use the same infrastructure.

Global money-laundering watchdog the Financial Action Task Force (FATF) has issued guidelines holding crypto companies to similar standards as regulated financial entities. The “Travel Rule” recommends  that VASPs dealing with virtual assets should transmit specific customer data  between counterparties for transactions over a certain threshold. The updated guidelines describe the FATF’s recommendations in key areas, including how the FATF standards should be applied to stablecoins. These practices are intended to assist countries and service providers to combat money laundering, terrorist financing, and abide by Sanctions measures. 

‍

Paolo Ardoino, CTO of Tether.

“It's important that we work with regulators to build this industry from the ground up as pioneers of blockchain technology and leaders in transparency, we are dedicated to not only keeping up with new rules but helping shape them. Because the Travel Rule also applies to traditional financial institutions we see this as an opportune moment to foster cooperation across traditional and digital channels in order to create better services for customers globally. We are proud to lead the charge on behalf of all stablecoins in order to make a positive change towards protecting our clients.” 

Pelle Braendgaard, CEO of Notabene, comments:

“Tether’s stablecoin has rightfully cemented its role as a core part of the global crypto industry. Notabene is excited to help Tether bring out FATF Travel Rule compliance across its global network, leading to a safer and more regulatory compliant crypto world.”
‍

By bringing a trusted data layer to blockchain transactions, Notabene’s design will assist Tether in managing counterparty risk and deliver a best-in-class payment experience to its customers while maintaining GDPR compliance and user data protection.

With the successful integration of Notabene’s solution, Tether aims to maintain its reign as a leader in transparency and in getting information to the community as well as its stakeholders, while demonstrating full compliance with regulatory requirements. To learn more about Tether, please visit, https://tether.to/. 

##

About Tether

Tether is the preeminent stablecoin with the biggest market capitalization, surpassing that of all rival offerings combined. Created in October 2014, Tether has grown to become the most traded cryptocurrency. Tether is disrupting the legacy financial system by offering a more modern approach to money. By introducing fiat currency denominated-digital cash to the Bitcoin, Ethereum, EOS, Liquid Network, Omni, Tron, Algorand, and Solana blockchains, Tether makes a significant contribution to a more connected ecosystem. Tether combines digital currency benefits, such as instant global transactions, with traditional currency benefits, such as price stability. With a commitment to transparency and compliance, Tether is a fast and low-cost way to transact with money.

‍

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

‍

Media contact

Alice Nawfal, COO, Notabene

[email protected]

We recently released a survey inviting the responses of VASPs of various sizes worldwide to compile the findings into the State of Crypto Travel Rule Compliance Report. The upcoming report will demonstrate a transparent understanding of Travel Rule compliance readiness levels and pain points. Today we present a preliminary analysis of this data. Thank you to all of you who completed the survey.

What we’ve noticed: Regulators will have a significant role to play in the smooth, global implementation of Travel Rule compliance. Most of the issues that VASPs are facing are due to a lack of regulatory clarity. Regulators could help with coordination and further guidance.

Learn more below.

1. 95% of respondents have an internal compliance/legal department. 

78% of those say these teams are a key pillar of the company with enough power to ensure that the business adheres to external rules and internal controls.

2. 72% of the respondents are already Travel Rule compliant or are on track to becoming fully compliant soon. [Q3/Q4 2021 - Q1/Q2 2022]

3. 100% of respondents that report full Travel Rule compliance are in Singapore.

4. 56% of respondents name the sunrise period and legal uncertainty as the two most relevant hindrances to adoption.

• Managing data privacy risks, UX impact, and interactions with non-custodial wallets are at the bottom of the list of adoption hindrances.
  ‍

5. Potentially due to the sunrise period, VASPs are in very different stages of compliance.

VASPs that are looking to comply with Travel Rule requirements are all in very different stages of the process. The distribution of VASPs across the research, planning, implementation and finalized phase is fairly equal. This is possibly connected to the "sunrise issue," resulting in VASPs having very different levels of regulatory pressure to go live with the Travel Rule. 

6. 18% of VASPs report to have suspended all transactions until they are ready to comply with the Travel Rule.

We will provide more information, including a deeper analysis, VASP interviews, and Regulator insights in the upcoming State of Crypto Travel Rule Compliance Report in December. Stay tuned to this and other regulatory news by signing up for our newsletters.

As the report aims to demonstrate a transparent understanding of compliance readiness levels and pain points, gathering responses and insights from a diverse group of VASPs is crucial. If your firm qualifies as a VASP, please feel free to submit your answers.

If you have any questions about the survey, please feel free to reach out to [email protected] or [email protected].

‍

Enter your information below to download the State of Crypto Travel Rule Compliance Report 2022.

AMSTERDAM & NEW YORK -- Notabene, a Financial Action Task Force (FATF) Travel Rule solution provider has announced a partnership with Crystal Blockchain, a Netherlands-based blockchain investigative tool. The collaboration is meant to enable Virtual Asset Service Providers (VASPs) to comply with the FATF’s Travel Rule identification, data exchange, and reporting process from beginning to end.

Crystal Blockchain powers regional and global AML compliance and operational continuity by enabling best-in-class blockchain transaction risk assessment. Notabene is a regtech SaaS solution that allows companies to leverage their end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard.
‍
- Alice Nawfal, COO of Notabene says

“Industry partnerships are the key to FATF Crypto Travel Rule compliance. Working with Crystal Blockchain allows us to embed blockchain compliance security into our product offering, providing the best end-to-end Travel Rule compliance solution in the space.”

‍

Marina Khaustova, CEO at Crystal Blockchain, comments

“Crystal’s latest partnership with travel rule solutions aggregator Notabene allows us to bring the best of blockchain compliance security to our customers as we and Notabene work towards a safer and more risk-averse blockchain future.” --- Marina Khaustova, CEO at Crystal Blockchain

‍

Read more in PAYPERS about the latest partnership between Crystal and Notabene

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. Notabene is headquartered in New York with offices in Zug and Santiago de Chile. Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

About Crystal Blockchain

Crystal is the world-leading all-in-one blockchain analytics tool for crypto AML compliance, providing blockchain analytics and crypto transaction monitoring for thousands of cryptocurrencies in real-time. Crystal works globally with customers in the digital asset industry, the banking, and FI sectors. We help streamline their Know Your Transaction (KYT) and Anti-Money Laundering (AML) procedures for meeting international compliance standards. Available as a free demo version, SaaS, API, and on-premise installation. Engineered by Bitfury.

Media contacts

Ana Diundina, Crystal Blockchain

[email protected]

+380977371660

Alice Nawfal, COO, Notabene

[email protected]

NEW YORK -- Notabene, the leading FATF Travel Rule solution provider, has announced the successful completion of a Travel Rule testnet in cooperation with the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM). 

Notabene set up a collaborative environment for seven companies to test cross-jurisdictional Travel Rule transactions in a low-risk environment as they gear up to comply with impending regulations. Four ADGM-licensed firms, Matrix, Aarna Capital, DEX, and MidChains, tested sending transactions with companies applying for their Singaporean digital payment token (DPT) license–Amber Group, Liquid, and Zipmex.

New anti-money laundering (AML) rules, commonly known as the “Travel Rule,” require crypto companies to share personal customer information alongside a transaction. As enforcement deadlines approach, financial institutions rush to implement new compliance tools, train compliance teams to implement new processes and understand what actions to take across various scenarios. 

ADGM’s FSRA cooperated with Notabene to establish the testnet so that companies could perform simulated travel rule transactions between each other, collaborate on compliance approaches, while permitting the regulator to clarify their interpretation of the rules. 

The participating firms tested six real-life scenarios, including interactions with firms operating cross-jurisdictionally where thresholds and requirements vary. 

Other scenarios tested included:

• Rejecting transfers when data didn’t match internal records.
• Interacting with companies who are not Notabene customers and may not be live with Travel Rule.
• Requesting missing travel rule transfers from counterparties. 

Alice Nawfal, COO of Notabene, says:

‍“The industry is signaling to regulators that they can adapt to the intricacies of new regulations, including varying cross-jurisdictional rules. Notabene’s software ensures that firms complying with the various regulations do not have to limit transaction flow.”

Wai Lum Kwok, Senior Executive Director – Authorisation of the FSRA, comments:

“We are pleased to see that the industry is actively collaborating to use technology to facilitate compliance. Such collaborations let participants better understand regulatory requirements and improve their processes. Further, appropriate use of technology can lead to more efficient and effective compliance outcomes. The cross-border nature of this collaboration is a good signal that the industry is increasingly able to deal with the global nature of compliance for virtual assets.”  

Participating exchanges expressed excitement to trial Travel Rule transactions through Notabene with regulator participation.

Pav Gill, Chief Legal Officer at Zipmex, adds:

“It has been a pleasure to be granted the opportunity to work with ADGM. Throughout this experience, we have seen the positives of how these solutions will help in the fight against financial crimes within the digital assets industry. While there is an appreciation of the intentions behind the regulation, significant practical challenges remain in terms of implementation in order to ensure a seamless customer experience that matches the power of the underlying technology. We look forward to continuing to work with regulators during these exciting times.”‍

Vasja Zupan, President of Matrix, comments:

“We are thrilled to take part in a global effort to test Travel Rule transactions. As a regulated trading platform that prioritizes security, we see Notabene’s testnet as a responsible and resourceful step for testing customer transactions.”

Seth Melamed, COO, Liquid, comments:

"At Liquid, putting clients at the center of all that we do is core to how we operate. Adherence to AML regulations is an important part of our client-centric approach. In our collaboration with Notabene, Liquid is proactively working with other crypto entities, regulators, and solution providers to adapt the principles of Funds Travel Rule to a blockchain context."

This testnet presents an excellent opportunity for the participating firms to learn collaboratively. Going forward, Notabene will continue to facilitate further testing, provide integration support, and moderate compliance team discussions, as well as publishing ‘blueprint’ compliance flows to the industry. Sign up for the next testnet here.

About Notabene

Notabene is a reg-tech compliance SaaS solution that connects the traditional financial industry and crypto industry. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Using privacy-preserving technology, strategic partnerships, and commitment, our first-to-market FATF Travel Rule solution helps financial institutions, crypto exchanges, and businesses turn compliance into a competitive advantage. Key investors include Castle Island, Green Visor Capital, Illuminate Financial, CMT Digital, and a cadre of top-tier angel investors. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

Today, Germany published the Crypto Asset Transfer Regulation - KryptoWTransferV, implementing FATF's travel rule in the country. We will review this in the next few days and update our Germany jurisdiction page.

Until then, we share the highlights:

1. The Crypto Travel Rule regulation comes into force in Germany on October 1st, 2021.

KryptoWTransferV § 7 (1) Entry into force, expiry: ‍

"This Ordinance shall come into force on October 1, 2021."

2. The regulation subsumes to the preexisting Money Transfer Ordinance framework.

KryptoWTransferV § 3 (1): Duty to survey, Storage and transmission of data during transfers between crypto value service providers 

“For obliged entities making a transfer on behalf of the payer, the rules on obligations of the payment service provider of the payer under Articles 4 and 6 of the Funds Transfer Regulation shall apply mutatis mutandis if only crypto value service providers are involved in the transfer on behalf of the payer and the payee.

3. German VASPs must collect, store, and verify the name and addresses of non-custodial beneficiary and originators.

KryptoWTransferV § 4 (3): Duty to Collection and storage of data during transfers, in which not exclusively Crypto value service providers are involved

“For the purposes of paragraphs 1 and 2, risk-adequate measures are measures which correspond to the identified money laundering and terrorist financing risk of the transfer and which ensure the traceability of the transfer. In particular, a risk-appropriate measure is the collection, storage and verification of the name and address of the beneficiary or the principal for whom no crypto service provider is acting in the transfer and who is not a contractual partner of the obliged party.”

4. Companies that are unable to comply immediately must notify competent supervisory authorities by November 30, 2021.

Companies that cannot comply immediately with travel rule obligations must notify competent supervisory authorities by November 30th, 2021. They must further include the reasons for the impediment, the measures taken to remove it, and the timeline for the removal by December 31st, 2021. The stated reasons will be subject to the assessment of the supervisory authority, who may decide whether or not an exemption period should be granted to the VASP.

KryptoWTransferV § 5 (1) Transitional provisions: 

“Obligated persons who, at the time of entry into force of this Ordinance, conduct banking transactions within the meaning of section 1(1) sentence 2 of the German Banking Act, provide financial services within the meaning of section 1(1a) sentence 2 of the German Banking Act or securities services within the meaning of section 2(2) to (4) of the German Securities Institutions Act in relation to crypto securities, and who are unable to comply with the obligations under sections 3 and 4 on a permanent basis or at all for reasons for which they are not responsible, shall notify the competent supervisory authority in accordance with section 50 number 1 of the German Money Laundering Act by 30 November 2021 and provide reasons for this by 31 December 2021. If obliged entities commence such banking transactions, financial services or investment services for the first time after the entry into force of this Ordinance, sentence 1 shall apply subject to the proviso that the notification, including the justification, must be made upon commencement. “

5. VASPs must ensure Travel Rule compliance within 12 months. 

Under certain circumstances, a single extension of this period for additional 12 months may be granted.

KryptoWTransferV § 5 (2) Transitional provisions: 

“The justification referred to in paragraph 1 shall include information on the reason for the impediment and on the measures taken to remove the impediment. In addition, the period of time in which the removal of the reason for the impediment is expected to take place shall be indicated, and it shall be specified which other risk-appropriate measures will be taken during the implementation of transfers. The period specified in accordance with the first sentence may not exceed twelve months. A single extension of this period by a further twelve months shall be permissible if a reasoned notice of extension is submitted before the expiry of the first twelve-month period and if the reason for the impediment continues to exist.”

Relevant links:

• BaFIN | Banking Act (Kreditwesengesetz - KWG)
• Bundesminister der Finanzen | Kryptowertetransferverordnung – KryptoWTransferV
• The Federal Minister of Finance | Regulation on enhanced due diligence requirements for the transfer of crypto assets (Crypto Asset Transfer Regulation - KryptoWTransferV) translated to English.
  

Charles V. Senatore, former Director of the Southeast Region of the US SEC, shares his essential insights for crypto compliance officers. Senatore has over 36 years of industry experience; as a trial lawyer, a federal prosecutor, a law firm partner, and a senior regulator at the SEC. He then went on to lead global compliance functions at Merrill Lynch and Fidelity.

We’ve created a post with the top 10 takeaways from his conversation with our co-founder and CEO, Pelle Brændgaard.

1. Regulators have developed timeless principles they care about, and compliance officers should implement policies to address them.

The compliance team must keep in mind the timeless principles the regulators care about. If they look back to the essence of what regulators tend to think about, then they can provide input on how these principles may need to apply to new crypto products.

2. Crypto firms should do three things to encourage regulators to continue taking a risk-based approach with crypto to achieve desired regulatory outcomes:

1. Remember that it is your responsibility to become compliant. You are accountable for outcomes and must prepare adequate controls.
2. Work as a community to achieve herd compliance.
3. Engage with regulators responsibly.
   

3. Mandating technology doesn’t end well.

The danger of mandating a technology is that the technology changes, yet the regulation stays set to a specific point in time. It’s hard to unwind firm regulations, which creates all sorts of inefficiencies.

4. A healthy regulatory relationship can benefit the industry.

Regulators, as public servants, have an interest in the integrity of their markets. Accordingly, many regulators are eager to engage and learn–keeping up to speed is crucial for carrying out their mission.

5. Companies that view compliance as an opportunity for differentiation will have a competitive advantage over their competitors.

Businesses that do not take the proper steps to handle consumer assets well will lose ground to firms with strong and effective compliance programs.

6. Want a compliant product? Involve compliance officers during the ideation process.

‍New product ideas will have better outcomes if compliance officers successfully integrate themselves from the start. Nothing is more frustrating than having an excellent idea for a use case shot down by a compliance officer. Involving a compliance officer during step one mitigates future disappointment.

7. Compliance officers should consider aligning themselves with business goals and growth.‍

To forge a one-on-one connection with business leaders, compliance officers should search for compliant ways to realize business goals instead of reflexively saying “no.” With that mindset in place the compliance team will  eventually advance from being seen as the “anti-business department” to being appreciated as part of the solution to help the business grow.

8. Compliance officers are in a great position to have a seat at the leadership table. ‍

Once business leaders realize that the compliance team is a part of the solution to help the business grow, an opportunity for compliance officers to be a respected part of leadership soon follows.

9. Most compliance principles fall into two major categories: binary “yes” or “no” decisions or risk-based considerations. ‍

Use cases without specific binary regulatory requirements are where compliance officers can work their magic and show their value by applying time-tested risk-based principles to get a high level of comfort. Appropriately assess risk, and propose mitigation steps, and create that new product. 

10. Talent that understands both tech and regulatory principles will be key to success in this industry. ‍

As we head into uncharted waters, having people who understand the tech and how these regulatory principles apply to it will be crucial ingredients. The teams with these capabilities will be best suited to nimbly and quickly adapt as new use cases emerge. It will take collaboration among different teams and working seamlessly together to reduce friction and allow innovation to flourish.

On July 22, 2021, HM Treasury released Amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 Statutory Instrument 2022, a consultation that included an entire chapter on the transfers of crypto assets. Chapter 6 laid forth provisions poised to implement the FATF’s Crypto Travel Rule into UK law.

Below are our important takeaways:

1. HM Treasury proposes to update the Money Laundering Regulations (MLRs) rather than pass primary legislation needed to amend the Funds Transfers Regulations (FTRs)

6.7: The use of the Money Laundering Regulations

As it is retained EU law, the government does not have the ability to easily amend the FTR, except to remove deficiencies caused by EU exit. More substantial amendments of the kind necessary to apply R.16 to cryptoassets would require primary legislation. The government therefore proposes to use its powers to amend the MLRs, which will also ensure that AML legislation for the cryptoasset sector is consolidated in one place, and is therefore easier to navigate. 

Notabene Takeaway: Acknowledging the urgency with which HM Treasury wants to roll out the Travel Rule, they propose to update existing MLRs rather than attempt to amend the EU FTR laws. This will make it easier and faster to implement, and also has the benefit of ensuring all AML regulation for cryptoassets is kept within the MLRs. 

2. HM Treasury offers an unspecified grace period for compliance solution integration

6.8: Timing

The government acknowledges that the process of integrating these requirements into a firm’s business practices may take time. It is important that new regulations are introduced in a proportionate way, striking the right balance between reducing the harms of illicit finance and supporting innovation that benefits consumers and the economy. It is therefore proposed that firms will be allowed a grace period after the amendments to the MLRs are made, to allow the integration of compliance solutions. 

Notabene Takeaway: The HM Treasury acknowledges that introducing new compliance measures is a cost and needs to be balanced with their support for innovation. It will offer a grace period and calls on critical industry players’ responses to create evidence-based policy decisions. You can submit your feedback to this email [email protected] by October 14, 2021. Notabene will also provide a response.

3. Full Travel Rule data transfer requirements will apply to all VASP-to-VASP transfers over £1,000

Meanwhile, transfers below £1,000 will still require the collection of less PII. 

6.12:

In line with INR.16 and the approach taken in the FTR, the government proposes that the following information should be required to be sent with a transfer of cryptoassets. 

These requirements are the minimum information which should accompany a transfer of cryptoassets; there is nothing to prevent a cryptoasset service provider providing additional information with the transfer (such as, for example, providing full beneficiary and originator information, if the sending cryptoasset sevice provider does not know the jurisdiction in which the receiving cryptoasset service provider is based). 

Notabene Takeaway: Notably, HM Treasury will require travel rule transfers below the threshold, similar to the EU requirements. Also, it is worth noting that while some jurisdictions have deemed all crypto transfers to be treated as ‘cross-border transfers, the UK makes an exception here by allowing transfers between UK-based VASPs not to include PII.

4. PII received, transmitted, or retained is within the scope of the UK GDPR

6.22:

Personal data received, transmitted or retained pursuant to these provisions is within scope of the UK General Data Protection Regulation (GDPR), and crypto asset service providers will therefore need to process it in line with the requirements in that legislation. 

Notabene Takeaway: UK VASPs must uphold GDPR when performing Travel Rule transfers. This is not unexpected, but some questions arise on whether they will oblige their counterparties who are not in the EU or UK to also abide by GDPR.

5. HM Treasury invites comments/feedback on unhosted wallet transfers

6.27: Treatment of unhosted wallets

Obligations under R.16 only fall on cryptoasset service providers, not on private individuals using unhosted wallets. Although FATF are reviewing the treatment of unhosted wallets within scope of the recommendations, current FATF Guidance states that, where a beneficiary’s cryptoassets service provider receives a transfer from an unhosted wallet, it should obtain the required originator information from its own customer that receives the cryptoassets transfer. This requirement does not extend to the verification of said originator information. Where a transfer is being made from a cryptoassets service provider to an unhosted wallet, the originating provider is not expected to send information to an unhosted wallet, though it should still collect information on the intended beneficiary.

Notabene Takeaway: HM Treasury is hinting that it would only require obtaining the counterparty information and not its verification if it were to roll out requirements around unhosted wallets. This is in line with what FATF recommends now, but it is encouraging that they invite commentary from the industry. Regardless, companies must be prepared to implement a risk-based approach concerning unhosted wallets.

On June 20, 2021, the European Commission published a proposal for regulating the transfers of funds and certain crypto-assets. This current proposal recasts Regulation EU 2015/847 as part of an AML/CFT package of four legislative proposals that are considered one coherent whole in implementing the Commission Action Plan of May 7, 2020. This proposal creates a new and more coherent AML/CFT regulatory and institutional framework within the EU. The package encompasses:

• a proposal for a regulation on the prevention of the use of the financial system for the purposes of money laundering (ML) and terrorist financing (TF)
• a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/TF purposes, and repealing Directive (EU) 2015/849;
• a proposal for a Regulation creating an EU Anti-Money Laundering Authority (AMLA)8, and
• This proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets.
  

In essence, this regulation takes May 2015’s Directive (EU) 2015/847 on ‘the information accompanying transfers of funds and updates it to adequately cover virtual assets while repealing the over-reaching requirements of Directive (EU) 2015/849.

This regulation will enter into force on the 20th day after publication in the official journal. 

Read Notabene's key takeaways:

1. The EU sees the need for harmonized international rules

This proposal package addressed the need for harmonized rules across the internal market.

On May 7, 2020, the Commission presented an Action Plan for a comprehensive Union policy on preventing money laundering and terrorism financing. In that Action Plan, the Commission committed to taking measures to strengthen the EU’s rules on combating money laundering and terrorism financing and their implementation, with six priorities or pillars:
1. Ensuring effective implementation of the existing EU AML/CFT framework,

2. Establishing an EU single rulebook on AML/CFT,

3. Bringing about EU-level AML/CFT supervision,

4. Establishing a support and cooperation mechanism for FIUs,

5. Enforcing EU-level criminal law provisions and information exchange,

6. Strengthening the international dimension of the EU AML/CFT framework.

Pillars 1, 5, and 6 of the Action Plan are currently being implemented partly due to the support of both The European Parliament and the Council. The other pillars demand legislative action. Yet, evidence provided by reports and internal assessments identified that. In contrast, the requirements of Directive (EU) 2015/84912 were far-reaching; their lack of direct applicability and granularity led to a fragmentation in their application along national lines and divergent interpretations.

In response, this proposal updates Regulation EU 2015/847 while repealing Directive (EU) 2015/849.  

Notabene’s assessment: The EU believes a more harmonized front to combat money-laundering and terrorism financing is required. A country-by-country implementation has not proven very effective. They hope this would alleviate jurisdictional arbitrage or the milder term they call “jurisdictional shopping.” 

2. GDPR applies to CASPs

The EU clarifies that GDPR applies to CASPs (crypto asset service providers - the EU’s terminology equivalent to FATF’s virtual asset service providers.)

Article 15:

The EU is committed to ensuring high standards of protection of fundamental rights. Under article 15 of the current regulation, the processing of personal data under this Regulation is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council31.Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council32. The General Data Protection Regulation33 will apply to CASPs as regards the personal data handled and attached to cross-border transfers of value using virtual assets.

Article 20:

Payment and crypto-asset service providers shall ensure that the confidentiality of the data processed is respected.

Additionally, CASPs must keep records of information on the originator and the beneficiary for five years; they must delete them.

2015/847 recital 29:

As it may not be possible in criminal investigations to identify the data required or the individuals involved in a transaction until many months, or even years, after the original transfer of funds or transfer of crypto-assets  , and in order to be able to have access to essential evidence in the context of investigations, it is appropriate to require payment service providers or crypto-asset service providers to keep records of information on the payer and the payee or the originator and the beneficiary for a period of time for the purposes of preventing, detecting and investigating money laundering and terrorist financing. That period should be limited to five years, after which all personal data should be deleted unless national law provides otherwise.

Notabene’s assessment: Many in the crypto industry have been long awaiting what the verdict on GDPR would be regarding the Travel Rule in the EU. The EU states that going forward, CASPs will need to implement a GDPR-compliant secure data storage solution, making it clear that AML/CFT measures supersede this.  

3. Personally Identifiable Information obligations accompanying transfers of crypto-assets are in line with FATF

Article 14:

OBLIGATIONS ON THE CRYPTO-ASSET SERVICE PROVIDER OF THE ORIGINATOR
Information accompanying transfers of crypto-assets
1. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the originator:
(a) the name of the originator;
(b) the account number of the originator, where an account is used to process the transaction;
(c) the originator’s address, official personal document number, customer identification
number or date and place of birth.
2. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the beneficiary:
(a) the name of the beneficiary;
(b) the beneficiary’s account number, where such an account exists and is used to process the transaction.

‍

Notabene’s assessment: By adhering to FATF suggested guidelines, it is easier for CASPs (or VASPs) to have unified rules as they comply cross-jurisdictionally.

4. Stakeholders consulted by the EU express concern about the walled garden of compliance.

pg 7:

Stakeholder input on the Action Plan was broadly positive. However, some European UnionVASP representatives claimed that the absence of a standardised global, open source and free, technical solution for the travel rule could lead to the exclusion of small actors from the crypto-assets market, with only important players being able to afford compliance with the rules.

Notabene’s assessment: Several working groups noted the possible exclusion of small players in the crypto-assets market if compliance is too complex and too expensive to roll out. If only a few exchanges can afford compliance or if messaging protocols are not free and open, a walled-garden scenario would cause a few “important” players to operate. At the same time, the rest may be hit with fines and must close.

5. The threshold is set at EUR 1000, but Travel Rule requirements still apply for lower thresholds (albeit with less PII shared)

The EU has set a threshold of EUR 1000, in line with FATF recommended guidelines. Above that, originator CASPs need to share originator identifying information beyond just name (i.e., physical address, official personal document number, customer identification number, or date and place of birth). The EU does call out transactions that may be part of structuring -  whereby the asset appears to be linked to other transfers that amount to EUR 1000. The travel rule also applies to them.

2015/847 recital 16:

In order not to impair the efficiency of payment systems and crypto-asset transfer services, and in order to balance the risk of driving transactions underground as a result of overly strict identification requirements against the potential terrorist threat posed by small transfers of funds or crypto-assets, the obligation to check whether information on the payer or the payee, or, for transfers of crypto-assets, the originator and the beneficiary, is accurate should, in the case of transfers of funds where verification has not yet taken place, be imposed only in respect of individual transfers of funds or crypto-assets that exceed EUR 1000, unless the transfer appears to be linked to other transfers of funds  or transfers of cryptoassets which together would exceed EUR 1000, the funds or crypto-assets have been received or paid out in cash or in anonymous electronic money, or where there are reasonable grounds for suspecting money laundering or terrorist financing.

The EU also calls out in Article 15 that the travel rule applies below the EUR 1000, but with only originator and beneficiary names shared.

Article 15:

By way of derogation from Article 14(1), transfers of crypto-assets not exceeding EUR1 000 that do not appear to be linked to other transfers of crypto-assets which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least the following information:(a) the names of the originator and of the beneficiary;(b) the account number of the originator and of the beneficiary or, where Article 14(3)applies, the insurance that the crypto-asset transaction can be individually identified;

Notabene’s assessment: The European Commission has no desire to create overly strict requirements that impede the flow of transactions. But by requiring Travel Rule below the threshold, they are boldly signaling the importance of the Travel Rule to CASPs and asking them to take a more comprehensive or holistic approach to travel rule implementation.

6. Transfers of crypto assets from the EU to outside the EU should include a Legal Entity Identifier (LEI)

2015/847 recital 19 (adapted):

In order to allow the authorities responsible for combating money laundering or terrorist financing in third countries to trace the source of funds or crypto-assets used for those purposes, transfers of funds or transfer of crypto-assets from theUnion to outside the Union should carry complete information on the payer and the payee. Complete information on the payer and the payee should include the LegalEntity Identifier (LEI) when this information is provided by the payer to the payer’s service provider, since that would allow for better identification of the parties involved in a transfer of funds and could easily be included in existing payment message formats such as the one developed by the International Organisation for Standardisation for electronic data interchange between financial institutions.

Notabene’s assessment: Many in the crypto industry had pushed for the adoption of LEIs in the FATF guidance. While suggested as an identifier, the FATF did not introduce them as a requirement. We see the EU requirement as an excellent first step in accepting a more unified, global identification system for legal entities that will reduce diligence costs for CASPs for cross-border transfers.

7. Beneficiary CASPs should have effective risk-based procedures that apply where a transfer lacks the required information

2015/847 recital 22 (adapted):

As regards transfers of crypto-assets, the crypto-asset service provider of the beneficiary should implement effective procedures to detect whether the information on the originator is missing or incomplete. These procedures should include, where appropriate, monitoring after or during the transfers, in order to detect whether the required information on the originator or the beneficiary is missing. It should not be required that the information is attached directly to the transfer of crypto-assets itself, as long as it is submitted immediately and securely, and available upon request to appropriate authorities.

Article 12 calls for the beneficiary CASP to reject a transfer if it is missing data.
‍
Article 12:

Transfers of funds with missing information on the payer or the payee
1. The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.

Additionally, the proposal goes on to say, “If a CASP continues to submit transfers with incomplete data, the counterparty CASP could take steps to reject any future transfers of funds or terminate the business relationship.” Beneficiary CASPs must implement adequate procedures to detect whether the originator information is missing or complete. 

2015/847 recital 23 (new):

Given the potential threat of money laundering and terrorist financing presented by anonymous transfers, it is appropriate to require payment service providers to request information on the payer and the payee. In line with the risk-based approach developed by FATF, it is appropriate to identify areas of higher and lower risk, with a view to better targeting the risk of money laundering and terrorist financing. Accordingly, the crypto-asset service provider of the beneficiary, the payment service provider of the payee and the intermediary payment service provider should have effective risk-based procedures that apply where a transfer of funds lacks the required information on the payer or the payee, or where a transfer of crypto-assets lacks the required information on the originator or the beneficiary, in order to allow them to decide whether to execute, reject or suspend that transfer and to determine the appropriate follow-up action to take.

Notabene’s assessment: A risk-based approach to compliance is urged and recommended for CASPs. This is good news for companies who can take a more nuanced approach to travel rule, especially during the sunrise period when many counterparty institutions may not respond quickly.

8. Member states should lay down sanctions to encourage compliance 

2015/847 recital 30:

In order to improve compliance with this Regulation, and in accordance with theCommission Communication of 9 December 2010 entitled ‘Reinforcing sanctioning regimes in the financial services sector’, the power to adopt supervisory measures and the sanctioning powers of competent authorities should be enhanced. Administrative sanctions and measures should be provided for and, given the importance of the fight against money laundering and terrorist financing, Member States should lay down sanctions and measures that are effective, proportionate and dissuasive. Member States should notify the Commission and the Joint Committee of EBA, EIOPA and ESMA(the ‘ESAs’) thereof.

The proposal goes on to state that legal persons can be held liable for breaches:

Chapter 5: Sanctions and monitoring:

5. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 2318 committed for their benefit by any person acting individually or aspart of an organ of that legal person, and having a leading position within the legal person based on any of the following:(a) power to represent the legal person;(b) authority to take decisions on behalf of the legal person; or(c) authority to exercise control within the legal person.

Competent authorities may impose administrative sanctions and measures in collaboration with other authorities.

Chapter 5: Sanctions and monitoring:

7. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways:EN 41 EN(a) directly;(b) in collaboration with other authorities;(c) under their responsibility by delegation to such other authorities;(d) by application to the competent judicial authorities.In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases

Article 23:

Member States shall ensure that their administrative sanctions and measures include at least those laid down by Articles 40(2), 40(3) and 41(1)59(2) and (3) [...] in the event of the following breaches of this Regulation:
(a) repeated or systematic failure by a payment service provider to include the required information on the payer or the payee, in breach of Article 4, 5 or 6 or by a crypto-asset service provider to include the required information on the originator and beneficiary, in breach of Articles 14 and 15;
(b) repeated, systematic or serious failure by a payment service provider or crypto-asset service provider  to retain records, in breach of Article 2116;
(c) failure by a payment service provider to implement effective risk-based procedures, in breach of Articles 8 or 12  or by a crypto-asset service provider to implement effective risk-based procedures, in breach of Article 17;
(d) serious failure by an intermediary payment service provider to comply with Article 11 or 12.

Notabene’s assessment: While there will be a centralized body for AML/CFT revision at the EU level, enforcement (e.g., sanctions) still gets performed at the member state level. We’re interested to see how effective this approach will be for EU member states.

9. This regulation does not apply to p2p transfers

Article 2:

Electronic money tokens, as defined in Article 3(1), point 4 of Regulation shall be treated as crypto-assets under this Regulation. This Regulation shall not apply to person-to-person transfer of crypto-assets.

Notabene’s assessment: While P2P is not affected, the EU does not comment on transactions between CASPs and noncustodial or unhosted wallets. This is good news for now, though certain member states have rolled out their own requirements (e.g., Netherlands). 

10. The originator CASP should provide appropriate customer PII within three working days of receiving a request from the beneficiary CASP

Article 5: Transfers within the European Union:‍

2. Notwithstanding paragraph 1, the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the
following:
(a) for transfers of funds exceeding EUR 1000, whether those transfers are carried
out in a single transaction or in several transactions which appear to be linked, the
information on the payer or the payee in accordance with Article 4;
(b) for transfers of funds not exceeding EUR 1000 that do not appear to be linked
to other transfers of funds which, together with the transfer in question, exceed EUR
1000, at least:
(i) the names of the payer and of the payee; and
(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier

On May 11th, 2021, The German Federal Ministry of Finance published a working ordinance draft bill, the Crypto Securities Transfer Regulation, Krypto Wertetransfer Verordnung (KryptoTransferV), which included increased “duties of care” in the transfer of virtual assets.

Later, on June 14th, the German Federal Ministry of Finance released the updated hearing on the draft bill that requires crypto asset companies to enforce the Travel Rule. The regulation prohibits the transmission of information about clients and recipients arranged for transferring crypto values, as is the case with money transfers. This regulation is based on Regulation (EU) 2015/847 of the European Parliament and of the Council. The German Federal Ministry of Finance will approve the ordinance by the end of 2023. 

Read our key takeaways:
‍

1. Germany required the Travel Rule before the European Commission

Crypto Securities Transfer Regulation (KryptoTransferV) § 3:

“Possible alternatives do not represent justifiable alternatives to the proposed regulation with regard to proportionality on the one hand and the limitation of the threat posed by anonymous transactions on the other. A prohibition of transactions on electronic wallets that are not administered by a crypto custodian has only a very limited effect due to the mostly cross-border nature of crypto transfer business and presents itself as a less proportionate alternative compared to the proposed transmission of information. Due to the high risks posed by anonymous crypto power transfers, the adaptation of European regulation cannot be waited for.” 

Notabene takeaway: This is a strong example of a national regulator taking things into their own hands and moving forward with crypto rules before being enforced on a European Union level. In this case, the German regulator implies that imposing Travel Rule is a more effective alternative to banning non-custodial wallets due to their cross-border nature.

2. Germany views transfers to self-managed electronic wallets as the starting point of a suspicious transaction.

Crypto Securities Transfer Regulation (KryptoTransferV) § A:

In addition, the transfer of cryptovalues ​​to an electronic wallet that is not managed by a crypto custodian (self-managed electronic money exchange), or vice versa, is viewed as a case constellation with increased risk. So can the Forwarding of crypto values ​​to a self-managed electronic wallet represent a starting point for a suspicious transaction.

Notabene takeaway: While many regulators have signaled that they view transactions to non-custodial wallets as higher risk, it is surprising to see that the German regulator deems them as a starting point for suspicious transactions. This is a stricter stance than what FATF details in their latest guide. We expect that this will impact whether German VASPs will continue to allow transactions to non-custodial wallets, especially ones to third parties.  

3. The German proposal includes estimations of compliance costs

Crypto Securities Transfer Regulation (KryptoTransferV) § V:

"This ordinance does not impose any costs on citizens.
‍
The estimate of the compliance burden is subject to considerable uncertainty. If the requirements of the Ordinance are largely met, the compliance burden on business will be higher. If greater use is made of the notification requirement under Section 4 of the Ordinance, the costs for the economy will be lower.
‍
For the business community, there will be recurring compliance costs of approximately €420,800. In the event of an increase in the number of cases, no further costs for the implementation of Section 3 of the Ordinance can be assumed due to the expected automation of data transmission and the associated synergy effects, especially since it is expected that providers will offer flat rates for the implementation of data transmission for crypto value transfers.
‍
The administration will incur recurring compliance costs of approximately €157,000.”

Notabene takeaway: It is a reasonable effort for the regulator to quantify potential compliance costs for regulated institutions that must comply quickly. However, it is unclear how these estimates were reached without a more detailed breakdown of the charges, the large upfront investments companies need to make, and the daily maintenance costs to ensure proper detection of suspicious activity (e.g., additional compliance and technical team resources, software costs.) It would also help if the regulator can clarify the sources of the estimates involved or perform further consultations with the private sector and technology vendors like Notabene to arrive at more precise estimates.

4. German PII requirements are in line with the FATF Recommendations.

Crypto Securities Transfer Regulation (KryptoTransferV) § 3 paragraph 1:

“The obligor performing the transfer on behalf of the principal shall ensure that the following information is determined and stored: Name of the client
address of the client or the number of an official personal document of the client or the client number or the date and place of birth of the client
Number of the originator’s account (for example, the public key)
Name of the beneficiary and number of the beneficiary’s account (for example, the public key.)”

Notabene’s takeaway: This is in line with FATF and the most recent EU regulations. For VASPs, more streamlined Travel Rule requirements make it easier to roll out Travel Rule effectively.

5. This draft accounts for a possible lack of technical capability. 

Crypto Securities Transfer Regulation (KryptoTransferV) § 4:

“Section 4 (1) opens up the possibility of notifying the competent supervisory authority pursuant to Section 50 no. 1 AMLA that the transmission of information cannot yet be implemented or cannot be implemented in full due to a lack of technical capability for standardized transmission. The notification shall result in a suspension of the obligations under Section 3, provided that the competent supervisory authority under Section 50 no. 1 AMLA does not raise any objections under paragraph 2. Insofar as the technical implementation of the data transmission has already been taken into account in the structuring and issuance of crypto securities, a suspension of the obligations pursuant to Section 3 (2) shall not be considered.

Notabene takeaway: In the absence of viable and standardized technical messaging protocols, the German regulator can grant VASPs grace periods of up to one year. VASPs need to take steps for risk mitigation during this period, such as restricting certain types of transfers. 

‍

*Please note that we used DeepL to translate the original draft regulation from German to English. 

The FATF recently released their second 12-month review of the implementation of its virtual asset and VASP guidelines. The goal of the 12-month review is for the FATF to identify gaps in implementation and denote subsequent actions to be taken and plan forward. Below are Notabene’s key takeaways that we believe cryptoasset businesses and compliance teams should keep at the top of mind. 

1. Less than half of surveyed jurisdictions have introduced the necessary legislation

While the FATF recognizes the ‘significant progress’ by jurisdictions in implementing a licensing or registration regime for virtual asset service providers, less than half of jurisdictions surveyed (58 of 128) have introduced the necessary legislation. Even fewer have enforced the regulations or introduced the Travel Rule.

Notabene Takeaway: The low number of reported compliance leads the FATF to believe that we are still far from a global AML/CFT regime for virtual assets, which, in turn, encourages jurisdictional arbitrage. Also, with national jurisdictions behind on implementing the Travel Rule, this disincentivizes the private sector to invest in technological solutions and build compliance infrastructure. 

Below are two charts; the first compares FATF and the FSRB (FATF-Style Regional Bodies, which are autonomous regional organizations that help FATF implement its global AML/CFT policy) and their approach and readiness to crypto regulation. The second chart details which activities jurisdictions allow after passing crypto regulation.

2. Most jurisdictions are not Travel Rule compliant, leading to a significant obstacle to effective global AML/CFT mitigation

Two years after the FATF revised its Standards, most jurisdictions and VASPs are not currently Travel Rule compliant. The FATF sees this as a significant obstacle to effective global AML/CFT mitigation and undermines the effectiveness and impact of the revised FATF Standards.

Ten jurisdictions reported that they had implemented Travel Rule requirements for VASPs and that these requirements were being enforced. In comparison, a further 14 jurisdictions said they had introduced Travel Rule requirements, but they were not yet enforced. 

Notabene Takeaway: There is a vicious circle happening; the lack of national implementation reduces the incentive for technical progress. The lack of technological progress is used to justify the lack of national implementation. In the near future, greater jurisdictional implementation will be a necessary prerequisite to kick off technical progress.  

“Rapid implementation by all jurisdictions will act as the catalyst to promote the development of technical solutions and compliance by VASPs.” - FATF Second 12-month review of the Revised FATF standards on VAs and VASPs (July 2021)

3. Jurisdictional arbitrage is a growing problem

There has been a significant increase in the value of virtual assets collected as ransomware payments and in the use of virtual assets to commit and launder the proceeds of fraud in the last year. The proceeds of such ransomware attacks are often moved via unhosted or privacy wallets and/or other anonymity-enhancing tools and methods to VASPs. Most identified ML/TF activity relates to activity that is native to virtual assets. It is much less clear the extent to which virtual assets are being used to launder proceeds of crime that originate in fiat currency.

Notabene Takeaway: Non-compliant VASPs and privacy-enhancing tools facilitate an atmosphere of jurisdictional arbitrage. This creates a great environment for ransomware transacted through virtual assets. VAs are increasingly used for collecting ransomware - uneven implementation of regulatory regimes leading to jurisdictional arbitrage, non-compliant VASPs, and privacy-enhancing tools facilitate it.

4. FATF found no need to amend standards to include P2P transactions

FATF noted:

"If P2P transactions were to increase to the point that were to occur almost entirely on a P2P basis and criminals were able to exist entirely in the virtual asset ecosystem, without ever interacting with VASPs and on- and off-ramps to the traditional fiat economy, the current FATF Standards might need revision to sufficiently mitigate the ML/TF risks."

FATF continues with:

"VASPs currently play an important role in the virtual asset ecosystem. While P2P transfers occur in the ecosystem, VASPs are needed for the exchange or withdrawal of virtual assets for fiat currency. In addition, investigators, blockchain analytic companies, and other parties can generally capture information on P2P transactions generated on public blockchains, which can be transparent and traceable. This information can provide greater visibility of virtual asset transfers than off-chain transfers or transfers on private blockchains, including those carried out by VASPs, and assist in AML/CFT risk mitigation."

Notabene Takeaway: Suppose P2P transactions were to increase to the point that criminals could exist entirely in the virtual asset ecosystem without ever interacting with VASPs and on-and-off-ramps to the traditional fiat economy. In that case, the current FATF Standards might need revision to mitigate the ML/TF risks sufficiently. Currently, the FAFT found no need to amend the revised FATF standards, due in part to reliance on other players such as blockchain analytic companies, investigators, and the inherent traceable nature of public blockchains.

For example, if the addresses that are used for P2P and peer-VASP transactions could be correctly linked, it will inform the development of risk profiles and identity attribution for unhosted wallets. This may grow over time as more transfers are recorded on public blockchains.

‍

5. All jurisdictions need to implement the revised FATF Standards, including Travel Rule requirements, as quickly as possible.

The report states:

"The FATF should focus on the effective implementation of the currentFATF Standards on virtual assets and VASPs across the GlobalNetwork. Members of the FATF and its broader Global Network should implement the revised FATF Standards (R.15/INR.15) as a matter of priority."

Notabene Takeaway: To accelerate the implementation of the Travel Rule by the private sector, FATF members, particularly those who are leaders in AML/CFT regulation of VASPs, are advised to work collaboratively with each other and the private sector to facilitate the implementation of the Travel Rule.