Why this matters

Compliance officers at crypto companies and financial institutions have a new task on their plates- complying with the Financial Action Task Force’s (FATF) Recommendation 16–the Crypto Travel Rule. 

Crypto businesses must now securely collect, exchange, screen, and store customer and beneficiary information to a crypto transaction. Businesses that must perform this include all enterprises that exchange between virtual assets (VAs) and fiat currencies, exchange between one or more forms of VAs, transfer VAs; safe keep and/or administer VAs or instruments enabling control over VAs; and participate in and provision of financial services related to an issuer's offer and/or sale of a VA.

Travel Rule enforcement dates rise at different times around the world, with considerable variations. As crypto transactions are inherently cross-border, VASPs must not only comply with their local jurisdictions’ stipulations, they must also account for the mandates in their Counterparty VASP’s jurisdiction as well. ​​

In October 2021, Notabene conducted a survey to assess industry-wide Travel Rule compliance readiness. Noteworthy results show that financial institutions and cryptocurrency companies are taking compliance seriously but are at varying states of compliance–largely dependent upon their primary operating jurisdiction.

CLICK HERE TO ACCESS THE FULL REPORT

Report highlights

1. Most respondents plan to become fully compliant by the end of Q2 2022.

2. Half of the respondents point to the sunrise period and legal uncertainty regarding the most relevant hindrances to Travel Rule adoption.

3. Close to one-third of companies (31%) are either complying with the Travel Rule or are currently sending or responding to Travel Rule data transfers. 

4. Although most respondents desire to be fully compliant within the next six months, more than 60% have not started implementation.

Download the State of Travel Rule Report for more trends

What this means:

The takeaways listed above and the remaining six listed in the State of Travel Rule Report demonstrate that VASPs are taking Travel Rule compliance seriously–yet they seemingly underestimate the resources and time investment required to comply with the Travel Rule fully. 

To comply with theFATF's Crypto Travel Rule, crypto companies and financial institutions need to: 

• Identify Travel Rule transactions 

• Determine wallet type and counterparty

• Identify and verify Beneficiary VASP 

• Analyze beneficiary risk level through a blockchain analytics provider

• Detect and verify wallet ownership

• Leverage sanctions screening integrations to identify illicit actors

• Verify Counterparty VASP’s ML/TF information 

• Apply appropriate jurisdictional requirements

• Send and receive customer data in a GDPR-compliant manner

• Interact with a wide variety of blockchain messaging protocols

All while accounting for the differences in Travel Rule messaging protocols, the required originator and beneficiary information, transactions with unhosted wallets, and enforcement of de minimis thresholds in their counterparty’s jurisdiction. 

5. Top 6 Pitfalls to Crypto Travel Rule Adoption.

Chapter 4 of Notabene’s first semi-annual State of Crypto Travel Rule Compliance Report also outlines the commonly reported six pitfalls to Travel Rule adoption. 

These include:

• The sunrise period
• Counterparty VASP due-diligence
• Data protection considerations
• Effective sanction screening vs. data accuracy requirements
• Requirements applicable to cross-border transactions
• Protocols and interoperability.
  

5.1. The sunrise period

The Travel Rule, like the sun, rises at different times around the world. The industry has aptly named the period when the Travel Rule is not fully implemented across jurisdictions, as the "sunrise period."  

Compliance with the Travel Rule during the sunrise period is problematic for VASPs because crypto transactions are inherently global. Unless their counterparties take a proactive approach to compliance, VASPs situated in countries where the Travel Rule is already in effect may struggle to continue business connections with their counterparties. Of the surveyed VASPs, 25% point to the sunrise period as the #1 obstacle to complying with the Travel Rule. 

The FATF acknowledges the dawn period's compliance challenges. The FATF offers numerous measures that VASPs can implement to comply with Travel Rule requirements regardless of their counterparties' compliance stages.

Chapter 3 of the State of Travel Rule report details the sunrise period. 

5.2. Counterparty VASP due-diligence

Another reported pitfall that VASPs face is difficulty identifying who controls the wallet they are transacting with. Travel Rule requirements change in many jurisdictions depending on whether the funds are being transmitted to a hosted or non-custodial wallet. Moreover, regulations vary depending on whether the Counterparty VASP is located in the same jurisdiction or not. Therefore, correctly identifying the counterparty is a critical part of compliance. 

The due diligence process must take place before conducting any Travel Rule data transfer (FATF's Updated Guidance [OCT 2021], paragraph 196) while considering the following factors:

• the robustness of the counterparty's data storage and security framework
• the licensing and registration requirements of the jurisdiction where the VASP is based, and
• whether the counterparty is complying with the Travel Rule
  (FATF's Updated Guidance [OCT 2021], paragraph 199)

Learn more about Counterparty VASP due diligence in Chapter 4 of the State of Travel Rule Report.

5.3. Data protection considerations

The Travel Rule obliges VASPs to transfer customer PII, which increases personal data exposure and thus prompts novel data protection risks during a previously-anonymous crypto transaction. Before, the originator simply entered a blockchain wallet address and sent the transaction.

Now:

• VASPs’ customer personal data now must be transmitted and shared with the counterparty VASP.
• The personal data of the counterparty Originator or Beneficiary Customer must be used to assess transaction risks (e.g., screening against sanction lists); 
• Both VASPs must keep records of their customers’ and counterparty Originator or Beneficiary Customer’s personal data.
  

The new requirements prompt various areas of potential data leakage. 

For this reason, assessing the robustness of the counterparty VASP's data storage and security framework is an essential part of the due diligence process before transacting with any new counterparty VASP.

See Chapter 4, Section 2 of The State of Travel Rule Report to learn more. 

5.4. Effective sanction screening vs. data accuracy requirements

A primary goal of enforcing Travel Rule requirements on VASPs is to prevent designated persons and entities from circumventing sanctions by using virtual assets. VASPs are required to take freezing actions and prohibit transactions with designated persons and entities. The exchange of Travel Rule information allows VASPs to take these actions concerning their counterparty originator or Beneficiary Customer.

VASPs are required to rely on data that they do not need to verify to screen their counterparties against sanction lists. The data used to screen their counterparties against sanction lists is often insufficient and non-verifiable. Identifying false-positive sanction screening findings may prove to be complex when the Beneficiary Customer's name is all the Originator VASP needs to obtain. 

Under FATF's Recommendation 17, countries can permit obliged entities to rely on third parties to perform parts of the customer due diligence process. The FATF explicitly recognizes that VASPs can act as third parties, allowing companies to rely on the sanction screening performed by the VASP that has more comprehensive access to the underlying data and the obligation to verify it. 
‍
Learn more about effective sanction screening in Chapter 4 of The State of Travel Rule Report.

5.5. Requirements applicable to cross-border transactions

As highlighted in Chapter 3 of the State of Travel Rule Report, the implementation of the Travel Rule varies substantially across jurisdictions, which, due to the international nature of crypto transactions, causes difficulties in the collaboration between VASPs to achieve Travel Rule compliance.

Compliance becomes particularly challenging when the VASPs' jurisdictions enforce different de minimis thresholds and set forth different scopes of required Originator and Beneficiary Customer information. VASPs will tend to set their processes to fulfill the requirements of their prospective jurisdiction. However, that may not always be enough to successfully complete transactions with VASPs in jurisdictions that enforce stricter, or simply different, rules. This will cause delays in the transaction flow and ultimately force all VASPs to adhere to the most stringent requirements among the involved jurisdictions, regardless of the policy decisions made by their local authority.

Download the State of Travel Rule Report to read more. 

5.6. Protocols and interoperability

Upon the release of FATF's Initial Guidance [JUN 2019], various companies and industry working groups began developing Travel Rule messaging protocols to address a significant component of Travel Rule compliance: a method to safely and securely transfer customer PII alongside blockchain transactions. Today, there are nine Travel Rule messaging protocols on the market, with various underlying tech and data transmission methods. This presents issues around interoperability and adds copious amounts of time to find a best-fit solution.

The following factors need to be considered when VASPs are selecting Travel Rule messaging protocols:

• Integration effort
• Interoperability with various protocols 
• Governance model
• Non-custodial wallet support
• Launch date
• Industry support
• Membership/usage fee
• Building an in-house solution on top of a messaging protocol or choosing a fully-integrated software provider

Learn more about Protocols and Interoperability in Chapter 4 of the State of Travel Rule Report.

6. Survey Methodology

The State of Travel Rule Report survey was conducted in October 2021. Before release, the Notabene team prepared the questions, and advisors and fellow industry members reviewed them. The survey questions were shared in a digital format directly with VASPs and financial institutions eligible to provide crypto services. The survey provided the option for companies to remain anonymous in their responses.

Fifty-six companies completed the survey, representing broad global coverage. Overall, 45% of respondents (or 25 respondents) have primary operating jurisdiction in APAC, 30% in EMEA (or 17 respondents), and 25% in the Americas (or 14 respondents). A table is included below with a breakdown by operating jurisdiction.

Of the 56 participants, 13% (or 7 respondents) have a banking license or are a banking institution, and 86% (or 48 respondents) are crypto-native businesses. One participant requested to remain anonymous.‍

‍

Enter your information below to download the State of Crypto Travel Rule Compliance Report 2022.

‍

‍

On a mission to help companies adjust to the new crypto regulatory landscape, Notabene, creator of market-leading end-to-end Crypto Travel Rule solution has completed the first ever comprehensive global Travel Rule compliance survey, releasing results in The State of Crypto Travel Rule Compliance Report. 

“Our experience with the regulators and Travel Rule implementation have taught us that there are many unique challenges with roll out. The pace is different across companies, countries and many businesses are still unaware of which protocol they intend to use. Now with looming regulatory deadlines, it is essential for the industry to come together to solve some of the implementation and roll-out challenges,”  said Pelle Braendgaard, CEO of Notabene. “We started this report aiming to provide first-hand insights from a broad range of crypto businesses on the challenges they’re facing, how they plan to overcome them, and their projected timelines.” 

The State of Travel Rule study contains information on how prepared financial institutions and crypto firms are for impending laws from around the world. The poll was completed by 56 businesses from all over the world. In total, 45 percent of respondents had primary operational jurisdiction in Asia-Pacific (APAC), 30% in Europe, Middle East and Africa (EMEA) and 25% in the Americas. 13% of respondents have a banking license or are a banking institution, and 86% of respondents are crypto-native businesses. 

By delving into the important components of Travel Rule compliance, the research offers a transparent grasp of compliance preparedness levels and pain spots. It examines the disparities in Travel Rule adoption among countries, as well as ways to implementation and adoption difficulties.

“The report highlighted legal uncertainty and the sunrise period as hindrances to most companies’ roll-out of the travel rule. This is consistent with what we have heard from the industry, where many exchanges have committed the resources to fully prepare for the travel rule but are looking for regulatory clarity around enforcement dates. They would like travel rule roll-out to be fair across the industry. This calls for closer collaboration between regulators and the industry to ensure expectations are clear around roll-out.”

- Alice Nawfal, Co-Founder and COO of Notabene
‍

Enter your information below to download the State of Crypto Travel Rule Compliance Report 2022.

‍

Notabene’s mission is to make crypto transactions a part of the everyday economy. Our end-to-end Travel Rule solution, SafeTransact, includes counterparty wallet identification tools, a VASP due-diligence directory, and a secure dashboard to manage regulated crypto transactions. Our software, tools, and comprehensive data help businesses manage counterparty risks without hindering user experience. 

Our ability to carry out this comprehensive vision is contingent upon the assurance that Notabene interacts securely with our client’s existing systems and that we’ve built with security best practices in mind from day one. 

Now, we can make that commitment official. 

Today, we are proud to announce that our SOC 2 Type II report is clean, confirming that our information security policies, practices, procedures, and personnel exceed the high SOC 2 security standards.

What is the SOC 2 certification?

The Association of International Certified Professional Accountants (AICPA) developed the System and Organization Controls (SOC) certification. SOC 2 to allow businesses to certify their adherence to industry security requirements thoroughly. To receive certification, an organization must codify specific security policies and procedures, continuously monitor the execution and conformance of these procedures, and annually submit documentation to a third party to ensure compliance.  

Why is SOC 2 important?

A SOC 2 report is intended to provide assurances regarding the effectiveness of controls in place at a service organization that pertains to the security, availability, or processing integrity of the system used to process clients’ information, as well as the confidentiality or privacy of that information.

SOC 2 reports are used by businesses to identify and mitigate the risks associated with third-party technological services. Independent third-party auditors give these reports.

What is the process of receiving a SOC 2 certification?

AICPA examined Notabene over the course of three months and concluded with reasonable assurance that we achieved our service commitments and system requirements based on the trust services criteria relevant to security and privacy outlined in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

We would like to extend a special thanks to Vanta’s security and compliance automation platform and the fantastic team behind it. Our customers extend their trust in our team, and we’re committed to providing them with an iron-clad product. Customers can access a copy of our SOC 2 audit report upon request.

Rebecca Macieira-Kaufmann is an accomplished CEO who has an unblemished track record of achievement. Her extensive experience as a Financial Services leader in sales & marketing, risk management, and international business operations, combined with her outstanding track record of leading highly successful business turnarounds, has resulted in the effective scaling of new businesses and expanding existing operations globally for Fortune-50 financial services organizations.

Throughout her distinguished 30+ year career, which includes 11 years at Citigroup, Banamex, Wells Fargo, and Revolut, Rebecca Macieira-Kaufmann has served as a business leader for financial institutions, assisting them in growing while adhering to requirements around complex regulatory obligations and large cross-border trade.

She sits down with Notabene to share how crypto business leaders should approach compliance, including setting up their defense lines, balancing business opportunities with compliance, and performing a reverse root cause analysis to prepare for hypothetical worst-case scenarios. Rebecca currently serves as an advisor to Notabene.

1. Please tell us about yourself and your journey into banking and the financial services space.

Like all journeys, they’re often meandering. I never imagined myself in banking. I went to business school to become an entrepreneur. I studied international business and worked in Hong Kong and London. After failing to get a job in manufacturing, I ended up in consulting, which is like a Ph.D. in business strategy.

Interestingly, the firm I ended up with had a lot of financial services clients. I was able to see the inside of building societies and the British financial services space. I was intrigued. Later in France, in the insurance space, I learned that financial services are not only fascinating but incredibly complicated. This kept me interested.

Upon my return to the United States, I wanted to be a product manager because I think that’s one of the best ways to learn how to run a business and manage a P&L (Profit & Loss line of business.) The areas hopping at the time were technology in Silicon Valley and banking in San Francisco. I ended up in a banking role in San Francisco.

2. When was the first time you had to deal with AML compliance as an executive leader?

Being in the finance space, I encountered AML compliance pretty early in my career. The institution I was with at that time had a matter requiring attention (MRA), which was the first time I had to solve an MRA. An MRA is when a regulator examines your company and tells you that a matter requires your attention immediately. If the issue is not addressed and resolved, it will potentially become a consent order.

I learned to step back and dig deep to understand complex issues and solve them with a team. We set out to solve this issue as a team for the long term. We gathered people from operations, legal, compliance, and customer service, designed a framework, and subsequently implemented it. We got out of that MRA probably faster than any other MRA.

3. How do you design a balance between business opportunities and compliance?

You design a balance between business opportunities and compliance by creating your products within a legal and regulatory environment from day one. In the 30+ years of working in financial services, we often thought in lines of defense; first, second, third, fourth, and so on. 

Financial service lines of defense:

1. ‍The Business team
   When designing a new product, I want the Chief Compliance Officer and/or General Counsel members at the table with Product Design. Aim to solve for 99% of risk here. 
   ‍
2. The Compliance team 
   The compliance team should test the products and processes’ edges. Where could the fraud happen? Where could things fall apart? 
   ‍
3. Internal/External auditors
   Internal auditors should run risk-based internal audits on a 12-24 month plan. Particularly high-risk events should be audited in 12-month increments, whereas the lowest risk areas could stand to get audited every 24 months. Your compliance team should have the same plan. Note that smaller firms typically rely on external auditors.
   ‍
4. Regulators
   Regulators are four levels away for a reason. Risk areas should be accounted for before they reach this level. You don’t want someone four levels away telling you about your risk areas during an examination. 
   

‍

Another first line area I often learned about risk was via client complaints. Clients tell you what isn’t working. Reading client complaints should be a C-suite activity. 

4. How did you approach budget and resource allocation for the compliance function? 

My approach would be one of stepping away from the view of “business opportunity versus compliance” and into the mindset of “compliance by design.”

First, you’ll need enough capacity to set up and invest in training your front line of defense; the product developers, the technology development team, and the customer service team. They should understand their role in the lines of defense. 

When designing a new product, I want the Chief Compliance Officer and/or General Counsel members at the table with product design. A good Chief Compliance Officer knows the regulations and the rules in your industry and could inform you of those trade-offs of how many people they need in-house and what you would bring from the outside. If your company has a reputation of giving compliance a seat at the table, you’ll attract great Chief Compliance Officers. This framework attracts better talent and costs companies less in the long run. 

5. Were you surprised how much of your role covered compliance? 

Yes, and no. Pre-2008, the financial services industry always thought we were doing things the right way. We had an embedded culture of excellent execution. Post-2008, increased scrutiny seeped into every department. After the financial crash, I noticed a shift in the industry that spilled over from the compliance/audit department and affected each department. 

The fascinating thing about shifts is that we aren't usually witnessing the exact issue we should be concerned about; that knowledge is usually hindsight. What initially had roots in the mortgage space ended up affecting the entire finance industry. 

There’s a similar shift happening in the crypto industry right now–for different reasons, of course. Currently, there’s a global regulatory shift, where people have to figure out how to deal with compliance for new asset classes and payment methods. 

It’s difficult to remain ahead of the related risks concerning the current shift that we’re in right now in the crypto industry: AML rules, KYC, the Travel Rule, understanding the originator and the beneficiary are critical frameworks currently requiring focus. What are the unidentified elements? What will pose the next tectonic shift? Embedding a culture of compliance will help prepare your firm for unexpected issues.

6. When should a CEO of a new and up-and-coming crypto company prioritize compliance, and how should they attack it?

Most business leaders of crypto institutions today are faced with significant regulatory burdens when it comes to AML/CFT processes, with requirements like the Travel Rule, or they face shut-down. They are currently building up their compliance teams and introducing new methods to manage risk.

Business leads must weigh income probabilities to make compliance spending and business opportunity trade-off decisions daily under looming uncertainty. To keep the team and investors motivated and engaged with the company’s long-term health at all times, balance a certain number of short-term wins as part of the equation with the end goal, which is often a public exit or a merger. 

It’s a balancing act of saying, “We need enough short-term wins that are happening at some level of frequency to motivate the team, with a strong focus on achieving the long-term goal.” Constantly building up that compliance muscle strength along the way gives a competitive advantage. 

7. Let’s imagine a worst-case scenario where a local regulator fines up-and-coming crypto company two years from now. How can they work back from that?

I’d recommend performing a reverse root cause analysis as early as possible. A premortem tabletop exercise is one of the many tools to combat a worst-case scenario preemptively. 

Comparable to a business continuity plan, you envision that the hurricane has happened and strategize around what to do going forward. You can do the same thing for regulatory actions; you can say, the event has happened, and now we’re being fined for XYZ violation. Launch yourself into the future and ask:

• What did we learn?
• What went wrong?
• What do we do when an event occurs? 
• What is our media strategy and external communication plan? 
• What is our internal communications plan?
  Etc. 
  

8. Any parting thoughts or general advice to business leaders in the crypto space?

Know your regulator.

A good exercise is to go through each crypto regulator and determine what risk they are trying to mitigate. For instance, the FDIC is one of the critical regulators trying to protect customer deposits in banking. Understand the motivation behind the SEC, CFTC, or the OCC’s regulations. If regulators are trying to stop human trafficking funding, terrorist financing, wouldn’t it be best to side with them? No CEO wants their platform to be tied to facilitating human trafficking. Reputation is priceless.  

NEW YORK, January 6, 2021 10:00 AM ET -- Notabene, the leading end-to-end Travel Rule solution provider, has announced the successful completion of phase one of a Travel Rule testnet between Bitfinex, a state-of-the-art digital token trading platform, Okcoin, one of the largest cryptocurrency exchanges in the world, and Tether Operations Limited (Tether), the blockchain-enabled platform that powers the largest stablecoin by market capitalization.

Notabene runs regular testnets for market-leading digital token and traditional financial companies to simulate cross-jurisdictional Travel Rule transactions in a low-risk environment as they gear up to comply with impending regulations. New anti-money laundering (AML) rules, commonly known as the “Travel Rule,” require companies in the digital token space to share personally identifiable customer information alongside a transaction of a particular threshold. 

As enforcement deadlines approach, financial firms rush to implement new compliance tools, train compliance teams to implement new processes and understand the appropriate actions to take across various scenarios. 

The successful completion of this testnet allowed companies to perform simulated Travel Rule transactions between each other and collaborate on setting up compliance processes, which will be crucial going forward. 

Bitfinex, Tether, and Okcoin tested real-life scenarios, including interactions with firms operating in other jurisdictions where thresholds and requirements vary. Other scenarios tested included:

1. Automatically sending Travel Rule transfers to trusted counterparties.
2. Sending and receiving Travel Rule data transfers to/from companies that are not Notabene customers 
3. Sending and receiving Travel Rule data transfers to/from companies that may not be live with Travel Rule compliance procedures
4. Requesting missing Travel Rule transfers from counterparties 
   

Alice Nawfal, COO of Notabene, says:

‍“We’re thrilled to assist Bitfinex, Tether, and Okcoin in adopting the Travel Rule, which is a critical component of the FATF’s current recommendations for Virtual Asset Service Providers. Each company shares our belief in the long-term viability of the open cryptocurrency ecosystem. Testnets are an effective mechanism for businesses to collaborate on how to implement Travel Rule compliance.”

Peter Warrack, Chief Compliance Officer at Bitfinex, said:

“We are delighted to have successfully completed Notabene’s phase one of the Travel Rule testnet in collaboration with Tether and Okcoin. This has enabled us to simulate a myriad of transactions as part of our efforts to put in place robust compliance processes in order that we meet all requirements of the Travel Rule.” 

Joanna Lane, Head of Regulatory at Okcoin USA, adds:

‍“As a company with entities in many jurisdictions offering services around the world, working out how we can meet the different iterations of the Travel Rule required by different regulators is pivotal. Participating in the testnet with several of our entities has helped us walk through different permutations of transactions we will encounter going forward, where we will be in a much better position to comply and manage our regulatory risk.”

‍

Notabene is committed to facilitating further testing, providing integration support, moderating compliance team discussions, and publishing ‘blueprint’ compliance flows to the industry. Please find out about our next testnet here.

‍

About Notabene

Notabene is a reg-tech compliance SaaS solution connecting the traditional financial and crypto industries. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Using privacy-preserving technology, strategic partnerships, and commitment, our first-to-market FATF Travel Rule solution helps financial institutions, crypto exchanges, and businesses turn compliance into a competitive advantage. Key investors include Castle Island, Green Visor Capital, Illuminate Financial, CMT Digital, and a cadre of top-tier angel investors. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

About Bitfinex

Founded in 2012, Bitfinex is a digital token trading platform offering state-of-the-art services for traders and global liquidity providers. In addition to a suite of advanced trading features and charting tools, Bitfinex provides access to peer-to-peer financing, an OTC market and margin trading for a wide selection of digital tokens. Bitfinex’s strategy focuses on providing unparalleled support, tools, and innovation for experienced traders and liquidity providers around the world. Visit www.bitfinex.com to learn more.

About Okcoin

Established in 2013, Okcoin is one of the world’s fastest-growing cryptocurrency platforms. Seeking to build a more inclusive finance future that builds wealth for everyone, Okcoin is building the next generation of tools to help anyone invest in and trade crypto easily and with industry-low fees. Okcoin supports millions of customers across more than 190 countries, assisting them in taking advantage of staking and DeFi offers and trading Bitcoin, Ethereum, and more than 50 other crypto assets. Headquartered in San Francisco, Okcoin has a remote, globally-distributed team and offices in Miami, Hong Kong, Singapore, Malta, and Japan.

2021 has been a transformational year for the world and the cryptocurrency industry.

As the world grew accustomed to starts and stops to the economy, WFH policies, Zoom rooms, meme coins, and NFTs ensured that crypto was here to stay. The greater public found their first foray into the crypto space through meme coins, word of mouth, and monkey NFTs.

2021 is the year that digital assets went mainstream. Crypto attracted more money in 2021 than the previous years combined–the total market cap of cryptocurrency reached $3 trillion in 2021. Venture capital funds invested around $30 billion into cryptocurrency this year. At the same time, 2021 was a monumental year for crypto losses. Overall losses caused by DeFi exploits have totaled $12 billion so far in 2021, according to Notabene partner Elliptic. Fraud and theft accounted for $10.5 billion of that sum — a sevenfold increase from last year.

This is where Notabene comes in. 

Notabene makes crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. We are actively working on bringing both businesses and their end-users better, safer, and more privacy-preserving approaches to managing risk around crypto interactions. 

In early 2020, we founded Notabene to solve the compliance headache that exchanges now face. To solve Travel Rule compliance for the entire financial services industry, we began building a trusted data layer to blockchain transactions for protocol-agnostic communication. 

Notabene is on a path to remove global regulatory compliance complexity to cement crypto’s role in mainstream transactions. Ultimately our mission is to allow more people to transact on public blockchains safely. The proof is in the pudding–Notabene customer Bitbuy became the first Canadian crypto firm to be both a registered marketplace and restricted dealer. Additionally, we’ve made it even easier for companies to get started by introducing a free Sunrise plan, which helps VASPs kickstart their compliance journey at their own pace. In particular, counterparty VASPs to our customers can now respond to travel rule requests securely and at ease.

This post highlights product launches, team metrics, and accomplishments that defined Notabene in 2021.

1. We raised $10.2M

In November, we announced our A round, co-led by Jump Capital and F-Prime, two very relevant funds. Jump Capital is a thesis-led venture investor specializing in scalable software opportunities in fintech, crypto, IT, and data infrastructure. F-Prime invests in healthcare and technology companies that impact lives worldwide. The two funds joined the fundraise by Illuminate Financial, Fenbushi Capital, CMT Digital, and institutions like Gemini Frontier Fund, BlockFI, Luno, and BitSo. Existing investors who believed in our mission from day one, Castle Island Ventures, Green Visor, and Signature Ventures, continued to grow their investment. This round lets us expand on this to help us reach even more exchanges and financial institutions. 

2. We grew the team from 6 to 19

Notabene started the year off with four founders and two fearless devs, Lluis and Bruno. We ended the year with 19 employees, growing across marketing, sales, product, and engineering. Notabeenies now span three continents and eight countries. 

It was vital to hold a company offsite as a fully distributed team. In late November, we officially took our relationships from URL to IRL–connecting over Jamon Iberico, tapas, and informative deep-dive sessions in Girona, Cataluña.

3. We broadened our ecosystem reach to 75+ exchanges

From our first customers coming live with the Travel Rule in 2021, we grew the ecosystem of VASPs interacting with each other to 75+. VASPs include Bitbuy, Bitfinex, Luno, Paxful, and more. Solutions Engineer Michele Marrali and Legal Engineer Catarina Veloso joined to help smooth the onboarding process. 

4. We launched 3 testnets with 15+ exchanges

Travel Rule testnets present an excellent opportunity for collaborative learning as cryptocurrency businesses and financial institutions gear up to comply with impending regulations. 

In 2021, Notabene set up three collaborative environments where they tested the following real-life Travel Rule testnet scenarios:

• Interactions with firms operating cross-jurisdictionally where thresholds and requirements vary. 
• Rejecting transfers when data didn’t match internal records.
• Interacting with companies who are not Notabene customers and may not be live with Travel Rule.
• Requesting missing Travel Rule transfers from counterparties. 
• Automatically sending Travel Rule transfers to trusted counterparties.

Completed testnets:

1. ‍Singapore Testnet, between Crypto.com, Luno, Xfers, Onchain Custodian, and Sparrow Tech Pte Ltd.‍
2. Abu Dhabi Testnet, between Matrix, Aarna Capital, DEX, and MidChains, Amber Group, Liquid, and Zipmex, under the observation of the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM.)
3. Tether, Bitfinex, and OkCoin testnet.
   

In 2022, we will continue to facilitate further testing, provide integration support, moderate compliance team discussions, and publish ‘blueprint’ compliance flows to the industry. Sign up for the next testnet here.

5. We partnered with best-in-class compliance and data products to bring a more seamless and rigorous Travel Rule compliance 

Industry partnerships are crucial to building an end-to-end Travel Rule compliance solution. In 2021, Notabene entered into partnerships with the following solutions:

Blockchain analytics: 

• Elliptic
• Chainalysis
• Crystal
• Coinfirm
• TRM Labs
  

Regulatory VASP reference data:

• VASPnet
  

6. We've consistently shipped new features to make Travel Rule compliance scalable and frictionless

Our product and dev team have tirelessly shipped updates to build components for a best-in-class end-to-end Travel Rule solution. In 2021, we’ve added the following integrations and features to our offering:

‍

7. We share our favorite content pieces from the year

7.1. Cryptocurrency regulatory recaps

The team spent many hours reading and summarizing regulatory docs, so you don’t have to. 

• 5 Key Takeaways: Germany’s Implementation of the FATF Travel Rule
• Germany Enforces Crypto Travel Rule from October 1, 2021
• Top 10 Takeaways from the European Commission’s Crypto Travel Rule Proposal
• 5 Key Takeaways from HM Treasury’s Crypto Travel Rule Amendments 
• 12 Outcomes from FATF’s Oct 2021 Updated Guidance for Virtual Assets and VASPs

7.2. Jurisdiction pages

We curate knowledge about Travel Rule regulations across the globe on our Jurisdiction Pages. 

• The United Kingdom 🇬🇧
• South Korea 🇰🇷
• Liechtenstein 🇱🇮
• Canada 🇨🇦
• Singapore 🇸🇬
• Japan 🇯🇵
• Australia 🇦🇺
• Gibraltar 🇬🇮

7.3. Webinars and Podcasts

Throughout the year, Notabene thought leaders shared knowledge through the following webinars and podcasts.

• Navigating crypto regulations in Singapore in 2021‍
• Navigating crypto regulations in the UK and EU in 2021‍
• Cracking Down on Evolving Crypto Regulations (Podcast)‍
• New FATF Guidelines for Crypto Industry‍
• FATF’s Final Guidance for Virtual Assets and VASPs. What now?
• ‍Crypto Compliance Deep Dive: A talk with former regulator Charles V. Senatore‍
• ACAMS: The FATF Travel Rule: Challenges and Solutions‍
  

8. We released the first VASP survey on Travel Rule to bring actionable insights to the industry

We began an initiative to collect relevant data on the industry's implementation of Travel Rule requirements and across jurisdictions. We will share our results and pertinent insights of a quarterly report in Q1 2022. Until then, feel free to take a look at the preliminary data. 

‍
Our goal is to o help crypto companies reduce compliance complexity on their path to cement crypto’s role in mainstream transactions. If you’d like to join us on this quest, check out our Careers page. We have open roles across various departments.

Thank you for joining us on this journey. We can’t wait to see what’s in store for 2022!

Yours,

The Notabene team. 

In October 2018, the Financial Action Task Force (FATF) announced that it would be recommending member countries apply the Travel Rule — a longstanding compliance requirement for traditional financial institutions — to virtual assets (VAs) and virtual asset service providers (VASPs). While the rule may be implemented differently depending on the jurisdiction, as its core, the Travel Rule requires VASPs to identify the originators and beneficiaries of transfers above a certain threshold and transmit that information to their VASP counterparty, where one exists.

The Travel Rule has presented a novel challenge for the cryptocurrency industry, as blockchains are not inherently conducive to sending personally identifiable information alongside a transaction. To comply with FATF’s Travel Rule Recommendation, VASPs must implement messaging protocols to exchange originator and beneficiary information with other VASPs securely.

Various providers have kicked off several initiatives to build such protocols and end-to-end Travel Rule compliance solutions, including a joint offering from Chainalysis and Notabene to help VASPs meet all compliance requirements. But there are several elements of a successful Travel Rule solution, which VASPs should keep in mind as they search for the right one. With over 30,000 registered VASPs operating in over 190 jurisdictions and all the differences in Travel Rule regulatory frameworks and tech stacks, those numbers imply that interoperability has emerged as a critical factor for compliance officers evaluating Travel Rule solutions in the cryptocurrency industry. 

Below, we’ll define what interoperability means in the context of the Travel Rule and explain how to pick a Travel Rule solution that works across all jurisdictions and VASPs. 

1. What is Travel Rule interoperability?

Interoperability is generally defined as the capacity for computer systems or software applications to exchange information and fulfill specific tasks based on that information in conjunction with one another. In the context of Travel Rule solutions, interoperability refers to VASPs’ ability to communicate and exchange data with counterparty VASPs using multiple messaging protocols. Interoperability is essential because if VASPs are limited to exchanging information only with VASPs using the same messaging protocol, they’ll be cut off from exchanging information in a compliant manner with other VASPs using different protocols. 
‍

2. Why is interoperability important?

With the emergence of multiple Travel Rule messaging protocols domestically and globally, VASPs are faced with the challenge of integrating numerous protocols to achieve full coverage of possible counterparty VASPs. If this excessive fragmentation persists, the cost and complexity of Travel Rule compliance will increase significantly, especially if different jurisdictions begin to adopt varying versions of FATF’s Travel Rule Recommendation. 

While existing protocols are adapting and are likely to become more interoperable in the future, they cannot currently “speak” directly to other protocols. Until then, solutions like Notabene can integrate multiple protocols to form an “interoperability bridge” on behalf of VASPs, helping teams circumvent interoperability issues manually and transact compliantly with partners using other protocols.

3. What is a Travel Rule messaging protocol? 

A messaging protocol is a set of rules for formatting, processing, and transmitting data. A Travel Rule messaging protocol is a particular set of rules for formatting, processing, and exchanging originator and beneficiary information alongside blockchain transactions, as recommended by FATF.

For comparison, the two most widely used internet standard communication protocols for email transmission are SMTP (Simple Mail Transfer Protocol) and Internet Message Access Protocol (IMAP). Mail servers and other message transfer agents use SMTP and IMAP to send and receive mail messages. 

To comply with FATF’s Travel Rule Recommendation, VASPs need similar messaging protocols to exchange originator and beneficiary information.

4. Why are there so many protocols?

Various industry leaders, commercial companies, and working groups took up the task of creating a messaging protocol that VASPs could use to send required PII alongside blockchain transactions. While the industry agreed upon one data messaging format–IVMS 101–there are currently nine Travel Rule Messaging Protocols on the market, leaving VASPs unsure of which solution to choose. Over time, existing protocols may merge or deprecate. 

‍

‍

5. Messaging protocols do not provide full Travel Rule compliance.

VASPs must meet five requirements on all transactions they process in order to comply with the Travel Rule Recommendation.

Identify transactions that fall under the Travel Rule. 

To pinpoint transactions that fall under the Travel Rule, VASPs need to verify if another VASP hosts their customer’s counterparty address on a given transaction. This is where Chainalysis Know Your Transaction (KYT) comes in. When a transaction meets the monetary value threshold for the Travel Rule, an API call is sent to KYT from the Notabene platform to determine if the wallet is hosted (by a VASP) or unhosted (non-custodial). If the address is hosted by a VASP, VASPs can then identify the counterparty VASP, collect and record missing counterparty data and apply necessary regulatory requirements. Some jurisdictions require additional due diligence requirements for transactions with non-custodial wallets, such as proof of wallet ownership.

Identify and verify the Beneficiary VASP. 

VASPs must identify the counterparty VASP in a transaction and confirm wallet ownership with them.

Assess the risk involved with the transaction.

VASPs must analyze the beneficiary risk level through blockchain analysis providers like Chainalysis and leverage sanctions screening integration to identify illicit actors before deciding to allow a Travel Rule transfer to be initiated. This step is essential, as some VASPs appear on sanctions lists, and exchanges must be sure not to send transactions to those entities.

Verify counterparty VASP’s AML/CTF information.

Paragraph 197 of FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers requires VASPs to conduct counterparty due diligence before sending Travel Rule information to a counterparty: “Assess a counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with.” 

By leveraging VASP and Crypto Company directories that integrate open-source research, blockchain analysis, and real-time data from regulators and third parties, compliance officers can assess the risk level of their counterparties and determine whether they feel comfortable sending Travel Rule data transfers to their counterparty VASP. Directory information includes regulation status, the level of robustness of their AML/CFT program, a signal of whether they will be able to protect PII with robust cyber security standards, and so forth.

Securely send and receive customer data.

In certain jurisdictions, customer PII falls within the General Data Protection Regulation (GDPR) scope. UK VASPs must uphold the data protection principles outlined in the GDPR when performing Travel Rule transfers. 

Messaging protocols only assist with two of the five components needed for an end-to-end Travel Rule solution: sending and receiving customer data and identifying and verifying the Beneficiary VASP. Compliance Officers must look for end-to-end Travel Rule solutions that address all components.

6. Consider the fee schedule for Travel Rule Messaging Protocols.

Travel Rule messaging protocols have varying fee structures; some charge by transaction volume, some by membership fees, and some are free to use.  As messaging protocols constitute a small part of compliance, VASPs should consider the usage and membership fees (where applicable), costs involved with direct integration into a protocol, and/or the costs to service providers when choosing the best-fit solution.

7. IVMS 101 is the industry-standard data model for Travel Rule messaging protocols.

In October of 2019, a cross-industry working group of experts from the Chamber of Digital Commerce, Global Digital Finance, and the International Digital Asset Exchange Association developed a technical standard for Travel Rule message formatting known as the interVASP Messaging Standard IVMS 101. IVMS 101 is a universal language for communicating the required originator and beneficiary information between VASPs. FATF and critical regulators such as FinCEN, MAS, the FCA, and the JFSA were kept informed during the development of IVMS 101. On May 6, 2020, IVMS 101 was recommended for adoption at an InterVASP closing plenary. Today, all Travel Rule messaging protocols use IVMS 101, which is an excellent first step toward interoperability.

8. Open network protocols will ensure comprehensive transaction coverage.

Regarding Travel Rule messaging protocols, an open Travel Rule messaging protocol enables any two VASPs to use the protocol without consent or even knowledge of any third party. Users are granted access to closed (proprietary) Travel Rule messaging protocols through a membership process.

Open-network Travel Rule messaging protocols are vital to ensuring comprehensive coverage when facilitating transactions with VASPs across the cryptocurrency community. TRP and OpenVASP are decentralized, secure, scalable, reliable, and globally available protocols with open-source architecture. 

9. Travel Rule solution providers (not protocols) should account for jurisdictional differences in threshold applications. 

Various jurisdictions have implemented the Travel Rule for cryptocurrency differently, leading to different minimum thresholds, varying PII requirements, further obligations for the originator and beneficiary VASPs, and divergent treatment of transactions with non-custodial wallets. These gaps in implementation and thresholds are critical to note as companies ramp up their Travel Rule compliance plans and test cross-jurisdictional Travel Rule transactions. 

Many global regulators chose to adopt FATF’s recommendation that VASPs apply the Travel Rule to any cryptocurrency transaction over 1000 USD/EUR involving another VASP, while in the US, the Travel Rule for cryptocurrency applies at a higher threshold of USD 3000, in keeping with the US’s Travel Rule for fiat wire transfers. Meanwhile, some jurisdictions do not specify any threshold at all. Jurisdictional requirements add an added layer of complexity to complying with regional-specific virtual asset transfers.

Compliance Officers should look to their Travel Rule solution provider to help them account for these differences, as protocols will not solve this complexity. An end-to-end compliance solution that automatically updates its underlying tech to include changes in regional regulatory information while allowing VASPs to send Travel Rule data alongside each transmission over $0 is best. 
‍

10. Interoperability between protocols today is very early.

While there have been a few press releases and announcements on interoperability, there hasn’t been much interoperability implementation. Recent FATF guidance calls for cooperation between regulatory authorities and private sector organizations to ensure interoperability of Travel Rule solutions. In their second 12-month review, FATF urged countries to prioritize the Travel Rule implementation and enforcement.

While interoperability is not yet the standard across Travel Rule messaging protocols, FATF does not recognize a lack of interoperability as an excuse for noncompliance. As long as there are working solutions in production, FATF urges countries to implement the Travel Rule and additional robust control measures to interact with VASPs in jurisdictions where the Travel Rule is not yet implemented or has no solution in place. Additionally, early implementation of Travel Rule solutions can ensure operational continuity when regulatory deadlines arise in local jurisdictions. VASPs will benefit from implementing these solutions sooner rather than later.

FATF’s guidance also highlights the importance of cooperation and coordination among supervisory authorities and private sector organizations to ensure the interoperability of Travel Rule solutions adopted by VASPs. Collaboration and coordination are also crucial for the effective adoption of the Travel Rule worldwide.

How the Chainalysis + Notabene integration solves the challenges of the Travel Rule

‍Notabene provides an end-to-end Travel Rule platform that allows VASPs to manage regulatory and counterparty risks at scale. With its rule-setting tools, compliance officers can automate the exchange of Travel Rule data across the cryptocurrency business’ preferred communication protocols. From data collection and counterparty identification to secure data transmission, Notabene helps companies fully comply with the Travel Rule.

Chainalysis is the blockchain analysis platform trusted by investigators and compliance teams worldwide. Chainalysis KYT (Know Your Transaction) is an AML compliance solution for monitoring cryptocurrency transactions to detect and triage suspicious activity. The software conducts automated funds tracing and generates alerts for suspected high-risk activity, from OFAC sanctioned addresses and darknet markets to scams. KYT allows cryptocurrency businesses to identify Travel Rule transactions in real-time, analyze counterparty wallets, and perform instant due diligence on counterparty VASPs so that they can get the information they need to stay compliant.

Frictionless Compliance at Scale

Chainalysis and Notabene have partnered to provide a solution that allows VASPs to identify transactions that meet the rule’s requirements without compromising user experience. When a Travel Rule scenario is detected, an API call is sent to KYT from the Notabene platform to determine if the wallet is hosted or unhosted and identify the counterparty VASP. Users can leverage this information with real-time verified data about the VASP to conduct due diligence and take the appropriate next steps to stay compliant. Notabene has the widest protocol support, enabling users to transact with any VASP, all in one dashboard.

With our integrated solution, cryptocurrency businesses can automate transactions with trusted counterparties while providing them with the data they need to detect suspicious activity and meet their regulatory requirements, including: 

Wallet Identification

• Collect required Travel Rule data using a user-facing widget and API.
• Identify and verify wallet ownership for non-custodial.
• Automatically detect transactions that meet Travel Rule requirements and get alerts on potentially high-risk activity, all at once. 
  

Counterparty VASP Due Diligence

• Access to verified and up-to-date VASP information to perform informed decisions quickly.
• VASP data includes licensing, incorporation, AML/CFT processes.
  

Multi-protocol Support

• Transact with any VASP with TR:Now’s multi-protocol support.
• Transfers across all protocols are easily managed in the one API dashboard.
• Encrypted and segregated customer data.
  

Automated Transfers

• Customize, preset, and automate transfer requests using tools for rule-setting.
  

By adopting both Chainalysis and Notabene, cryptocurrency businesses can immediately signal Travel Rule compliance, putting themselves in a better position with regulators while gaining a market advantage. 

As other VASPs become compliant, they may be forced to stop doing business with counterparties if their compliance program isn’t up to par. By meeting Travel Rule requirements now, you can give your customers and partners the confidence to keep working with you, open up new opportunities, and gain an advantage in the market.

If you are interested to know more about how our solutions can help you build a complete Travel Rule solution to meet developing regulatory requirements, contact the Chainalysis or the Notabene team. 

You can also schedule a Notabene demo here.

NEW YORK / TORONTO, Ontario , December 3, 2021 - Bitbuy, Canada’s most secure and trusted platform for Bitcoin, Ethereum, and other Cryptocurrencies has implemented Notabene's end-to-end protocol-agnostic solution for crypto regulatory compliance to meet Canada's December 1, 2021 Travel Rule deadline for dealers in virtual currencies.

Notabene will enable Bitbuy to work through the various Travel Rule scenarios taking an industry-leading role in meeting its Canadian and global regulatory requirements. Notabene’s open solution supports integration of multiple protocols, enabling Virtual Asset Service Providers (VASPs) to send and receive counterparty information alongside blockchain transactions to any counterparty that uses the same infrastructure.

Global money-laundering body the Financial Action Task Force (FATF) introduced new guidelines that treat VASPs as regulated financial entities. Going forward, companies that custody and exchange virtual assets on behalf of customers will have to comply with existing regulatory requirements like banks, including the “Travel Rule,” which mandates collaboration to exchange identifying information of customers in transactions over a certain threshold. This is an incredibly difficult task given that blockchains are ill-equipped to transfer personal identifying information in a secure and private manner, in tandem with the exchange of value. 

Bitbuy aims to deliver the highest levels of data privacy all while enabling participants to send the required Travel Rule data to the correct counterparty in a safeguarded manner for those VASPs that are participating in one of the networks that Notabene supports.

Joseph Iuso, Chief Anti-Money Laundering Officer, comments:

“With the Notabene implementation, Bitbuy will be able to meet its obligations related to the Travel Rule in a compliant, safe and secure manner”

Pelle Braendgaard, CEO of Notabene, says:

“As one of the leading cryptocurrency exchanges in Canada, Bitbuy is setting best-in-class standards for compliance with the new Travel Rule guidelines, rolling out a robust, yet open compliance system. We look forward to working with the Bitbuy team as they continuously ensure safe and secure access to cryptocurrencies for their customers.

Notabene regularly holds strategic Travel Rule compliance testnets that benefit all stakeholders in the community, including a recent cross-jurisdictional testnet under the observance of the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM).

About Bitbuy

Bitbuy Technologies Inc is a Canadian-owned and operated cryptocurrency company. The company’s mission is to provide convenient, dependable, and secure access to Bitcoin and other digital currencies. Bitbuy currently operates out of downtown Toronto, and Halifax, and is registered with FINTRAC as a Money Services Business as a Dealer in Virtual Currencies. Bitbuy was founded in 2016 and is currently one of Canada’s largest cryptocurrency platforms by trading volume. Bitbuy offers crypto trading services to beginners, advanced traders, and corporations.

To learn more, visit www.bitbuy.ca. Follow us on LinkedIn and Twitter. 

‍

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. Notabene is working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. Notabene is headquartered in New York with offices in Zug and Santiago de Chile.  

To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

‍

Media contacts

Binu Koshy 

Bitbuy Technologies Inc.

[email protected]

Alice Nawfal, COO, Notabene

[email protected]

SAN FRANCISCO / AUSTIN, Texas / NEW YORK, Nov. 15, 2021 - Three market leaders in the global digital asset regulatory and compliance space have formed a partnership to create a one-stop solution for firms across the digital asset ecosystem, solving for cryptocurrency anti-money laundering (AML), trade surveillance, as well as Travel Rule compliance for Virtual Asset Service Providers (VASPs).

TRM Labs, a blockchain analytics provider, Eventus Systems, global provider of digital asset trade surveillance solutions, and end-to-end Travel Rule solution provider Notabene today announced the formation of “Project TEN,” which will provide the marketplace with a comprehensive offering to address a host of risk management and compliance challenges facing firms in the digital asset space.

With the launch of Project TEN, crypto-native firms as well as traditional financial institutions moving into virtual assets will benefit from a joint service designed to help maximize the efficiency of regulatory compliance operations. The offering will feature Eventus’ trade surveillance and market risk applications; TRM Labs’ transaction monitoring, wallet screening and forensics tools; and Notabene’s counterparty risk management and Travel Rule compliance software.

Esteban Castaño, Co-founder and CEO of TRM Labs, comments:

“Organizations operating in the crypto space are tasked with managing a complex regulatory landscape in a rapidly evolving market. Project TEN helps organizations address this complexity by bringing distinct areas of risk management expertise into one comprehensive offering.”

Eventus CEO Travis Schwab said:

“We’re delighted to join forces with two other market leaders in the global digital asset space to introduce efficiencies and make lives easier for crypto firms striving to hold themselves to the highest standards, both to attract investment flows and meet regulatory obligations. Powered in part by our Validus trade surveillance platform, the Project TEN partnership offers a compelling solution to a wide cross-section of participants, including traditional financial institutions looking to enter the digital asset space while ensuring they have the same robust processes in place that they apply to other asset classes.”

Pelle Brændgaard, CEO of Notabene, adds:

“There are many distinct tasks that must be addressed by any institution offering digital asset services. Project TEN creates a comprehensive compliance solution for firms across the rapidly growing global digital asset space. Partnerships are critical as many complex components must work together to manage overall compliance risk. We’re thrilled to embed our privacy-preserving Travel Rule solution into Project TEN, the first comprehensive offering allowing institutional clients to enter the crypto space in a regulatory-compliant manner.”

For more information on Project TEN, visit https://info.eventussystems.com/project-ten.

About TRM Labs

TRM Labs provides blockchain intelligence to organizations that need to monitor, detect and investigate crypto-related fraud and financial crime. Trusted by financial institutions, crypto businesses and government agencies across the globe, TRM’s platform includes tools for crypto wallet screening, transaction monitoring, VASP due diligence and investigative tracing.  www.trmlabs.com.

About Eventus Systems

Eventus Systems is a leading global provider of multi-asset class trade surveillance and market risk solutions. Its powerful, award-winning Validus platform is easy to deploy, customize and operate across equities, options, futures, foreign exchange (FX), fixed income and digital asset markets. Validus is proven in the most complex, high-volume and real-time environments of tier-1 banks, broker-dealers, futures commission merchants (FCMs), proprietary trading groups, market centers, buy-side institutions, energy and commodity trading firms, and regulators. The company’s rapidly growing client base relies on Validus and Eventus’ responsive support and product development teams to overcome its most pressing regulatory challenges. For more, visit www.eventussystems.com.

About Notabene

Notabene is a reg-tech Software-as-a-Service solution that turns regulatory compliance into a competitive advantage. Notabene is working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id.

Media Contacts:

TRM Labs:

Sutherland Gold for TRM Labs

[email protected]

Eventus:

Ellen G. Resnick

Crystal Clear Communications

+773-929-9292; +312-399-9295 (mobile)

[email protected]

Notabene:

Alice Nawfal, COO, Notabene

[email protected]

Many crypto users around the world go through similar trepidation when sending funds, “Is this the correct address?” “Have my funds arrived?” Seasoned crypto users eventually overcome this trepidation, but the general obscurity around counterparties creates an even greater risk of money laundering and terrorist financing.

For instance, crypto exchanges verify their user’s identities and check them against various lists of known terrorists the same way banks do, yet, a terrorist can create a brand new bitcoin address. The exchange currently does not have any way of blocking transactions to it. 

To close the loophole, the global Anti-Money Laundering regulatory watchdog FATF and national regulators like US’s FinCEN and Germany’s BaFin now require crypto exchanges to know with whom they are interacting on behalf of their customers. This recommendation is named the “Travel Rule,” as the customer’s private information “travels” along with the payment. Implementing Travel Rule requirements is very difficult for exchanges, as public blockchains–unlike bank payment networks–do not have a built-in method of transmitting identity information along with the transaction by design. 

My co-founders Alice, Ania, Andrés, and I, came from uPort, where we built the first decentralized identity protocol built on and for public blockchains. We designed uPort to allow parties to transactions or smart contracts to understand with whom they are transacting in the most privacy-preserving way possible.

In early 2020, we co-found Notabene to solve the compliance headache that exchanges now face. 

To solve Travel Rule compliance for the entire financial services industry, we began building a trusted data layer to blockchain transactions for protocol-agnostic communication. Now, more than 20+ businesses use our holistic software to manage counterparty risk with 50+ counterparties without impeding their customer’s transaction flow. 

Since we began, we’ve run testnets in cooperation with the Financial Services Regulatory Authority of Abu Dhabi Global Market (FSRA ADGM). We have global stablecoins like USDT and leading digital token trading platforms testing our solution. We set up monthly collaborative environments for firms to test cross-jurisdictional Travel Rule transactions in a low-risk environment as they gear up to comply with impending regulations.

But that’s just the beginning.

Notabene is on a path to remove global regulatory compliance complexity to cement crypto’s role in mainstream transactions. Ultimately our mission is to allow more people to transact on public blockchains. We are actively working on bringing both businesses and their end-users better, safer, and more privacy-preserving approaches to managing risk around crypto interactions. 

Our now 17-person strong team has built considerable traction around our Travel Rule solution that allows VASPs to identify virtual asset accounts, perform mandated VASP due diligence, and manage regulatory and counterparty risks from one holistic dashboard. We believe implementing the Travel Rule is foundational for blockchain technology; compliance will benefit the ultimate end users of crypto and will push crypto into much broader use cases than we’ve seen today.

We are very excited to announce our A round, which Jump Capital and F-Prime co-led. They were joined by Illuminate Financial, Fenbushi Capital, CMT Digital, and institutions like Gemini Frontier Fund, BlockFI, Luno, and BitSo. Our existing investors who believed in our mission from day one, Castle Island Ventures, Green Visor, and Signature Ventures, continued to grow their investment.

This round lets us expand on this to help us reach even more exchanges and financial institutions. If you’d like to join us on this quest, check out our Careers page. We have open roles across various departments.

We look forward to hearing from you!

- Pelle Brændgaard.

November 8, 2021-- Notabene, an end-to-end solution for crypto regulatory compliance and collaboration, announced a $10.2 million Series A funding round co-led by F-Prime Capital and Jump Capital. Peter Johnson from Jump Capital will serve on Notabene’s board of directors.

Existing customers Luno & Bitso extended a vote of confidence to Notabene by investing. Gemini Frontier Fund and the VC arm of global operator BlockFi also participated. Additional support came from Illuminate Financial, CMT Digital, Fenbushi Capital, and ComplyAdvantage’s CEO Charlie Delingpole alongside existing investors, Castle Island Ventures, Green Visor Capital and Signature Ventures. 

The new injection of funding will be used for product development, meeting the demand of crypto companies applying for operating licenses, and developing crypto counterparty risk management solutions more broadly.

CEO Pelle Braendgaard comments:

“We are on a mission to allow crypto native companies to comply with the travel rule today and keep their doors open. The majority of crypto companies find themselves at a pivotal moment as regulators around the globe set forth long-awaited regulatory requirements. Conversely, the nature of permissionless blockchains makes it challenging to fulfill the technical requirements. Complying with new regulatory requirements will enable crypto companies to unlock trillions of institutional dollars, establish banking relationships, launch new products and bring trust to the industry.” 

In 2019, global money-laundering watchdog the Financial Action Task Force (FATF) introduced new guidelines that treat crypto companies as regulated financial entities. Going forward, companies that custody and exchange virtual assets on behalf of customers must register with their local regulator and be licensed to operate in most jurisdictions. Additionally, crypto companies will have to comply with existing regulatory requirements similar to banks, including the “Travel Rule,”––which mandates collaboration to verify each other’s customers for transactions over a certain threshold. Regulators, including the US’s FinCEN, the UK’s Financial Conduct Authority, and Singapore’s Monetary Authority, now expect all companies providing crypto products to be fully compliant within the year. Germany’s BaFin expects compliance within the month.  

Adding counterparty information to a blockchain transaction doesn’t just benefit exchanges and their regulators; it also allows consumers to trust to whom they are sending funds. The FTC reports that Americans lost over $80 million in cryptocurrency scams between October 2020 and April 2021.

Currently, it is impossible to transfer personally identifiable information through the blockchain and equally improbable to tell with a high level of certainty if an institution is on the other side of the transaction. Additionally, the speed with which regulations are being enforced is not on par with industry readiness. 

Notabene leverages decentralized identity protocols to create a Trust Framework that allows companies to become Travel Rule compliant today. Notabene’s offering comprises a suite of protocol-agnostic tools, software, and comprehensive data that enables crypto companies to manage counterparty risk securely and exchange customer data with any counterparty in a privacy-preserving way.  

Peter Johnson, Partner at Jump Capital.

“At Jump, we believe crypto will be the defining technological innovation of our age and look to invest in companies that move the industry forward. Notabene is well-positioned to be a leader in enabling mainstream crypto adoption by ensuring regulatory compliance for crypto-native companies and financial institutions worldwide. We are proud to support Notabene and look forward to working closely with its team.”

Notabene is the first-to-market end-to-end Travel Rule compliance solution with 20+ customers on their platform, including global exchanges like Luno, Bitso, Paxful, Crypto.com. Notabene’s Travel Rule compliance solution has enabled 50+ exchanges to process Travel Rule transactions between counterparties. 

About Notabene

Notabene is a reg-tech compliance SaaS solution that connects the traditional financial industry and crypto industry. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Using privacy-preserving technology, strategic partnerships, and commitment, our first-to-market FATF Travel Rule solution helps financial institutions, crypto exchanges, and businesses turn compliance into a competitive advantage. Key investors include Jump Capital, F-Prime Capital, Castle Island, Green Visor Capital, Illuminate Financial, CMT Digital, and a cadre of top-tier angel investors. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

**** 

Media Contact

Alice Nawfal, Notabene COO

[email protected]

On October 28, 2021, the Financial Action Task Force (FATF) released its first fully updated guidance for a risk-based approach for Virtual Assets and Virtual Asset Service Providers since 2019. This document updates its draft guidance released in March. Read our comments on that release here. This guidance offers recommendations on how member jurisdictions should regulate cryptocurrency businesses. 

The key theme is FATF’s focus on regulating cryptocurrency businesses as VASPs based on their function and business model, rather than their underlying technology, self-described business category, or custodial status. Below, we’ve summarized the top 12 key takeaways from the updated guidance and tell you how Notabene can help you meet your compliance obligations.

‍Click here to watch the webinar summary. Access the slides.

1. FATF states that Stablecoins could be considered higher risk due to their potential for mass adoption 

§104 

As with VAs, it is important that ML/TF risks of stablecoins, particularly those with potential for mass-adoption and that can be used for P2P transactions, are analysed in an ongoing and forward-looking manner. In developing new products, VASPs and other obliged entities should assess the ML/TF risks before bringing them to market and put in place mitigation measures before launch. 

What this means: The FATF recognizes that all VAs have a potential for widespread adoption yet denotes that stablecoin projects have a greater potential for mass adoption, which can heighten ML/TF risks. FATF recommends that stablecoin providers employ potential mitigation measures to ensure AML/CFT obligations are fulfilled. Expect more VASPs to start building compliance into new stablecoin products. 

2. FATF calls on Public-Private collaboration to create new risk-mitigation tools for P2P transactions

§105 P2P transactions

As set out in Section 2, countries should also seek to understand the ML/TF risks related to P2P transactions and how they are being used in their jurisdiction. (...) 

§106

Depending on the assessed risks associated with P2P transactions, or certain types of P2P transactions, countries may consider and implement as appropriate options to mitigate these risks at a national level. 

What this means: FATF is firming its stance on P2P transactions or transactions from VASPs to unhosted wallets.

Currently, the FATF places the AML/CTF burden on intermediaries and, for the time being, this will continue to be the case.In the second annual review of the Guidance, which took place in June 2021, the FATF decided it was not yet time for a paradigm shift because, first, the available data on the P2P market was deemed not yet not reliable enough to make an informed decision, and second, intermediaries continue to have a predominant presence in the crypto market. However, the FATF admits that the standards might need to be adapted in the future in case the industry shifts to disintermediated transactions. Furthermore, the FATF recognizes that P2P transactions could pose specific ML/TF risks, as they can potentially be used to avoid AML/CFT controls in the FATF Standards. For that reason, in the latest Guidance the FATF lists a number of measures that members can adopt to mitigate the risks associated with P2P transactions. In particular, the FATF already recognizes the possibility of restricting VASPs to only transact with other VASPs as a means to mitigate risks. 

3. Every virtual asset for payment or investment should be subject to obligations applicable either as a VA or another type of financial asset

§51

The FATF does not intend for an asset to be both a VA and a financial asset at the same time. (...)  When determining if a new digital asset should qualify as a financial asset or a VA, authorities should consider whether their existing regime governing financial assets or their regime for VAs can be appropriately applied to the new digital assets in question. 

§52

In instances where characterization proves difficult, jurisdictions should assess their regulatory systems and decide which designation will best mitigate and manage the risk of the product or service. Consistent with the technology-neutral approach, a blockchain-based asset that is defined as a financial asset would likely not fall under this VA-focused Guidance. (...) RBA. Nonetheless, every asset for payment or investment should be subject to obligations applicable either as a VA or another type of financial asset. 

What this means: FATF places the onus on jurisdictions to determine if a VA is a financial asset or a virtual asset. Jurisdictions could consider the commonly accepted asset usage (payment or investment) and what type of regulatory regime offers the best fit. What is key is that, regardless of the framework that jurisdictions decide to apply, all assets used for payment or investment purposes are subject to obligations consistent with the FATF recommendations, either as a VA or as other type of financial asset. It is also worth mentioning that the underlying technology of the asset is not a deciding factor in determining the applicable framework to the asset at issue. For example, a blockchain-based asset defined as a financial asset would likely not fall under the FATF VA-focused Guidance.
‍

4. The guidance now includes clarifications around #DeFi developers, stablecoin developers, and multi-sig custodial APIs

§64

The definition of VASP covers any service allowing users to transfer ownership, or control of a VA to another user or to transfer VAs between VA addresses or accounts held by the same user. (...) If a new party has custody or ownership of the VA, has the ability to pass control of the VA to others, or has the ability to benefit from its use, then transfer has likely occurred. This control does not necessarily have to be unilateral and multi-signature  processes are not inherently exempt (see limb (iv) below), where a VASP undertakes the activity as a business on behalf of another natural or legal person. 

§73

The term “control” should be understood as the ability to hold, trade, transfer or spend the VA. (...) The existence of a multi-signature model or models in which multiple parties must use keys for a transaction to happen does not mean a particular entity does not maintain control, depending on the extent of the influence it may have over the VAs.

§67

A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology (see paragraph 82 below). However, creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. For example, there may be control or sufficient influence(...) even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement. 

§68

While this Guidance aims to provide direction, countries will need to evaluate the facts and circumstances of each individual situation to determine whether there is an identifiable person(s), whether legal or natural, providing a covered service. Marketing terms or self-identification as a DeFi is not determinative, nor is the specific technology involved in determining if its owner or operator is a VASP. (...)Countries should be guided by the principle that the FATF intends to cover natural or legal persons who conduct the financial services covered in the definition as a business. (...) In cases where a person can purchase governance tokens of a VASP, the VASP should retain the responsibility for satisfying AML/CFT obligations. An individual token holder in such a scenario does not have such responsibility if the holder does not exercise control or sufficient influence over the VASP activities undertaken as a business on behalf of others. 

What this means: Multi-Sig Custodial APIs are not outside of the VASP scope, as they control keys/credentials held by others. Central developers of governance bodies of stablecoins are, in general, considered VASPs. For stablecoins without a readily identifiable central body, the party that develops and launches its arrangement likely carries out VASP functions and would be covered under the VASP definition. DeFi developers, owners, and operators may fall under the FATF definition of a VASP provided that they maintain control or sufficient influence in the DeFi arrangements, even if the operations seem automated and decentralized. However, DeFi governance token holders do not have VASP responsibilities, so long as they do not have control or sufficient influence over VASP activities. As DeFi projects rapidly expand in number, countries will need to evaluate the facts of each particular situation to determine how to proceed. We strongly recommend that the industry pushes a unified interpretation of the rules to national regulators. 

5. This updated guidance changes the scope of application of the Travel Rule to include unhosted wallets

§179

The requirements of Recommendation 16 apply to VASPs whenever their transactions, whether in fiat currency or VA, involve: (a) a traditional wire transfer, (b) a VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other FI), or (c) a VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet). The full requirements of Recommendation 16 apply to (a) and (b) but not (c), as set out below. 

What this means: In the June 2019 Guidance (§113), VA transfers between VASP and non-obliged entities were not within the scope of TR requirements. From now on, Travel Rule requirements apply to transactions with non-obliged entities (such as unhosted wallets), but with adaptations. This means that for VASPs to apply the right process, they need to determine whether the transaction is with a VASP or with an unhosted wallet in the first place. Notabene’s fully-customizable Wallet Identification tool can help VASP determine their counterparties. 

Now, when a transaction originating from a VASP to a non-obliged entity, FATF expects VASPs to:

• Obtain the originator and beneficiary information from VASP’s customer when originating or receiving a VA transfer
• Enforce AML/CTF obligations (e.g., transaction monitoring, sanctions compliance)

FATF does not expect VASP to:

• Send required information to non-obliged entities
  ‍

6. This guidance updates the de-minimis threshold and information required for a Travel Rule transaction.

§191

Countries may choose to adopt a de minimis threshold for VA transfers of USD/EUR 1 000 in line with the FATF Standards, having regard to the risks associated with various VAs and covered VA activities. (...) For VA transfers under the threshold, countries should require that VASPs collect: 
a. the name of the originator and the beneficiary; and 
b. the VA wallet address for each or a unique transaction reference number.

§192

Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.

What this means: Many jurisdictions adopted Travel Rule requirements only for VA transfers above certain thresholds. VA transfers below the threshold VASPs should still be required to collect (but not verify, unless there is an ML/TF suspicion) the beneficiary and originator: (i) name (ii) wallet address / TX identifier. 

7. FATF provides options for risk-mitigation when interacting with unhosted wallets

§297
‍

A VASP may choose to impose additional limitations, controls, or prohibitions on transactions with unhosted wallets in line with their risk analysis. Potential measures include: 
a. enhancing existing risk-based control framework to account for specific risks posed by transactions with unhosted wallets (e.g., accounting for specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement); and b. studying the feasibility of accepting transactions only from/to VASPs and other obliged entities, and/or unhosted wallets that the VASP has assessed to be reliable. 

What this means: The FATF now provides options for risk mitigation, including VASPS limiting transactions to only other VASPs or whitelisted accounts only.  FATF clarifies the scope and obligations intermediaries when it comes to Travel Rule requirements

Footnote 50

To clarify, when a VASP, FI or other intermediary obliged entity facilitates a VA transfers as an intermediate element in a chain of VA transfers, and the certain activity/business has been classified as a VASP in this Guidance, then they would be classified as an “intermediary VASP”.  

§202

(...)Just as a traditional intermediary FI processing a traditional fiat cross-border wire transfer must ensure that all required originator and beneficiary information that accompanies a wire transfer is retained with it, so too must an intermediary VASP or other comparable intermediary institution that facilitates VA transfers ensure that the required information is transmitted along the chain of VA transfers, as well as maintaining necessary records and making the information available to appropriate authorities upon request. (...)Intermediary institutions involved in VA transfers also have general obligations to identify suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities—just like ordering and beneficiary VASPs (or other ordering or beneficiary obliged entities that facilitate VA transfers). 

What this means: Intermediary VASPs are entities that sit somewhere in the chain of a virtual asset transfer and facilitate the transfer from the originating VASP to the beneficiary VASP by providing a service that qualifies as a virtual asset service under the Guidance. 

According to the FATF's guidance, Intermediaries only pass information along, so they aren’t required to verify originating or beneficiary information, but they are nevertheless subject to record keeping obligations and are required to carry out sanctions screening. Since intermediaries are not required to verify originator and beneficiary information, requiring intermediaries to also screen the parties to the transaction against sanction lists is potentially not the most effective approach. Relying on the VASP that knows more about each party to perform this function is preferable.

VASP <> VASP reliance for sanction screening is a more effective solution. Industry cooperation will be essential to implementing a standard compliance flow for intermediaries. 

Criteria to qualify as an intermediary VASP:

• Facilitates a VA transfer as an intermediate element in a chain of VA transfers
• That activity qualifies as a virtual asset service under the Guidance
  

Obligations of intermediary VASPs:

• Transmit required information along the chain of VA transfers
• Record keeping
• Identify suspicious transactions
• Take freezing actions
• Prohibit transactions with designated persons or entities
  

8. A phased risk-based approach applied to business models should help VASPs get around the Sunrise issue. 

§200

The FATF expects countries to implement paragraph 7(b) of INR.15 as soon as possible. Countries may wish to take a staged approach to enforcement of travel rule requirements to ensure that their VASPs have sufficient time to implement the necessary systems, but should continue to ensure that VASPs have alternative measures in place to suitably mitigate the ML/TF risks arising from VA transfers in the interim. (...) This means that some jurisdictions will require their VASPs to comply with the travel rule prior to other jurisdictions (i.e., the ‘sunrise issue’). This can be a challenge for VASPs regarding what approach they should take in dealing with VASPs located in jurisdictions where the travel rule is not yet in force. Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.

§201

(...)Regardless of the regulation in a certain country, a VASP may implement robust control measures to comply with the travel rule requirements. Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions.

What this means: In this Guidance the FATF makes it very clear that the time for compliance is now. The FATF acknowledges the need for this staged approach to compliance with the Travel Rule. But, at the same time, the FATF requires countries to enforce interim risk mitigation measures that enable tackling the ML/TF risks associated with VA transfers now. 

The sunrise period - period during which Travel Rule requirements are not in force in all jurisdictions - causes a lot of practical problems due to crypto being inherently international. VASPs in countries where Travel Rule requirements are already being enforced will have a hard time complying if they want to keep interacting with VASPs based in countries where the Travel Rule is not yet being enforced. 

But what the FATF says in the new Guidance is that this issue should not preclude VASPs from already complying with the Travel Rule. And in this context, the FATF suggests a number of measures that VASPs could implement to circumvent the sunrise issue. Most of them entail substantial limitations to the VASPs' transaction volume.

In some instances, VASPs could avoid the business impact of Travel Rule compliance through policy coordination. Although the sunrise period is the #1 hindrance to compliance with the Travel Rule, FATF claims that it should not preclude VASPs from complying and offers the following risk-mitigating measures to circumvent the effect of the sunrise issue. 

• Require counterparty to comply
• Restricting TXs to within customer base
• Allowing only first-party transactions
• Enhanced monitoring

9. FATF recognizes that conducting counterparty due diligence is a challenge. Provides guidance on how counterparty due diligence could be undertaken.

§197.

The best way to conduct counterparty due diligence in a timely and secure manner is a challenge. There are broadly three phases in this process. These are not intended as prescriptive actions that VASPs must take, but guidance on how counterparty due diligence could be undertaken: 

a. Phase 1: Determine whether the VA transfer is with a counterparty VASP. A person may wish to transfer VAs to another VASP (e.g., a beneficiary with a hosted wallet) or they may wish to transfer VAs to an unhosted wallet. The originator VASP must therefore determine whether they will be transacting with another VASP. This determination process is not purely an AML/CFT requirement, but rather arises from the technology underpinning VAs. To date, the FATF is not aware of any technically proven means of identifying the VASP that manages the beneficiary wallet exhaustively, precisely, and accurately in all circumstances and from the VA address alone; 

b. Phase 2: Identify the counterparty VASP, as a VASP only knows the “name” of the counterparty VASP following the previous phase. A VASP may identify a counterparty VASP themselves using a reliable database in line with any guidelines from a country on when to rely on such data; and 

c. Phase 3: Assess whether the counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with (see Recommendation 16 in Section IV for further information on counterparty VASP due diligence and Recommendation 11 on record-keeping to appropriately store and manage that customer data). 

§193

Countries should require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities (i.e., screening and required information relating to VA transfers in order to comply with their targeted financial sanctions obligations). The ordering institution should have the required information about its customer, the originator, and the beneficiary institution should have the required information about its customer, the beneficiary, in line with the CDD requirements set forth in Recommendation 10. The ordering and beneficiary institutions should have screened their customer’s name for compliance with targeted financial sanctions obligations at the time of onboarding their respective (and upon name changes). They must then screen the names of the other party (the originator or the beneficiary) when they conduct the VA transfer (see Table 1 above). 

§198

To clarify the scope of this Guidance, competent authorities should require VASPs to implement preventive measures in ‘Phase 3’ to assess the counterparty VASP, where VASPs first have a business relationship, and then review the results of the due diligence periodically. Countries should also maintain reliable, independent sources of information for ‘Phase 2’ to assist VASPs in their efforts to identify the counterparty VASP. This could include regulated institutions lists, such as VASP lists where available, registries of beneficial ownership where available and other examples mentioned in the BCBS Guideline.49 For the benefit of effective and efficient counterparty due diligence, a regulated institutions list may include but should not be limited to contains the VASP name and registered VASP address. Considering the increased usage of digitalized processes in the financial industry, countries should be encouraged to use a format that is machine-readable. A country need not impose a separate licensing or registration system for VASPs with respect to natural or legal persons already licensed or registered as FIs (as defined by the FATF Recommendations) within that country. Countries that have such frameworks may clarify to their private sector that such FIs might not be on the designated VASPs lists, or even not under the supervision of the same regulator, to avoid unnecessary de-risking. 

§194

Countries should require VASPs or other obliged entities to implement an effective control framework to ensure that they can comply with their targeted financial sanction obligations. This framework should take into account the nature of VA transfers. Because the required information identifying the originator and beneficiary can be held separately to the VA transfer system (e.g., the blockchain), the VA transfer can be completed even with such information missing or without screening the transfer to identify suspicious and prohibited transactions. Therefore, VASPs or other obliged entities should screen required VA transfer information separately to such direct settlement. Thus, VASPs may need to consider mitigation measures that fit their business process and the technical nature of VAs. Although blockchain technology is ever-changing, examples of controls that a VASP or other obliged entity could implement include: 

a. putting a wallet on hold until screening is completed and confirmed that no concern is raised; and 

b. arranging to receive a VA transfer with a provider’s wallet that links to a customer’s wallet and moving the transferred VA to their customer’s wallet only after the screening is completed and has confirmed no concern is raised. 

What this means: The first thing VASPs should ask themselves when complying with the Travel Rule in the context of a VA transfer is whether they are transacting with a counterparty VASP, as this will influence the rules that apply to the transfer. This continues to be a relevant pain point and, in the Guidance, the FATF acknowledges that today it is not always possible to determine, securely, whether a VASP is managing the wallet on the other side.

In cases where the VA transfer is with a VASP, the goal is to make sure that such counterparty VASP can be trusted before transacting. For that purpose, VASPs need to undertake appropriate due diligence and look at several aspects such as the

• robustness of the counterparty's data security framework
• whether the counterparty is complying with the travel rule
• and whether the counterparty is under supervision of relevant authorities

All of this needs to happen before transacting. 

Identifying and conducting due diligence on counterparty VASPs is the first pain point and the first stage in implementing the Travel Rule. FATF recommends the Wolfsberg questionnaire as a starting point for a potential framework in the VASP counterparty due-diligence context. 

10. FATF outlines data requirements for ordering and beneficiary VASPs in the Travel Rule

Table 1: Data requirements for ordering and beneficiary VASPs in the travel rule (pg 59)

Notabene’s Takeaway: An important component of complying with the Travel Rule is the exchange of originator and beneficiary information between VASPs. The table above, included in the Guidance, provides an excellent summary of all the data exchange requirements and their purpose.

• The ordering VASP, which in most cases has a business relationship with the VA transfer originator, is required to transmit accurate information about the originator to the Beneficiary VASP.
• In turn, the Beneficiary VASP does not need to confirm the accuracy of the originator information, but needs to run the received information against sanction lists.
• Then, in contrast, the ordering VASP needs to send the beneficiary information collected from their customer to the Beneficiary VASP but does not need to confirm the accuracy of such data. The ordering VASP should use this data to screen the beneficiary user against sanction lists.
• The Beneficiary VASP (who verifies the identity of the beneficiary of the VA transfer upon establishing a business relationship with them), is required to confirm if the received beneficiary information is consistent with their records.

It is worth noting that in the updated Guidance the FATF recognizes that, when VASPs reasonably conclude that their counterparty does not handle PII securely, they can proceed with the blockchain transfer without sending PII to their counterparty VASP, provided that:

• AML / CTF risks are acceptable and
• That the VASP adopts alternative procedures.
  
  

11. FATF recommends VASPs to take freezing actions and prohibit transactions with designated persons/entities

§193

‍Countries should require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities (...)  The ordering and beneficiary institutions should have screened their customer’s name for compliance with targeted financial sanctions obligations at the time of onboarding their respective (and upon name changes). They must then screen the names of the other party (the originator or the beneficiary) when they conduct the VA transfer. 

§194

(...)  Because the required information identifying the originator and beneficiary can be held separately to the VA transfer system (e.g., the blockchain), the VA transfer can be completed even with such information missing or without screening the transfer to identify suspicious and prohibited transactions. (...) Thus, VASPs may need to consider mitigation measures that fit their business process and the technical nature of VAs. 

What this means: The goal of the sanction screening obligations imposed on VASPs is to prevent transactions with designated entities and allow VASPs to take freezing actions when such transactions occurs. For these purposes, VASPs are required to screen the names of their own customers and also of the counterparty to any transactions against sanction lists. Additionally, VASPs must take measures to mitigate the risk of settling the blockchain TX before the screening is completed, such as putting a wallet on hold until screening is completed and confirming that no concern is raised.

How Notabene helps VASPs meet FATF obligations

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. We currently process transactions between more than 50 crypto native companies. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. If you’d like to learn more about how we can help, please contact us here.