ROAD TOWN, British Virgin Islands, October 22 2021 - Bitfinex, a state-of-the-art digital token trading platform will begin testing Notabene's end-to-end protocol-agnostic solution for crypto regulatory compliance.

Notabene will enable Bitfinex to test complex Travel Rule transactions in a low-risk, collaborative environment as the exchange prepares for the new rules and takes an industry leading role in meeting global regulatory requirements. Notabene’s open solution supports integration to multiple protocols, enabling Virtual Asset Service Providers (VASPs) to send and receive counterparty information alongside blockchain transactions to any counterparty that uses the same infrastructure.

Global money-laundering watchdog the Financial Action Task Force (FATF) introduced new guidelines that treat crypto companies as regulated financial entities. Going forward, companies that custody and exchange virtual assets on behalf of customers will have to comply with existing regulatory requirements similar to banks, including the “Travel Rule,” which mandates collaboration to exchange identifying information of customers in transactions over a certain threshold. This is a daunting task as blockchains are ill-equipped to transfer personal identifying information in a secure and private manner, in tandem with the exchange of value. 

After successful integration of Notabene’s Travel Rule solution, Bitfinex aims to deliver the highest levels of data privacy while enabling participants to send the required Travel Rule data to the correct counterparty in a safeguarded manner.

Paolo Ardoino, CTO of Bitfinex, comments:

“As the preeminent, leading exchange in the trading of bitcoin, Bitfinex has always taken a leading role in meeting new global regulatory requirements. We chose to trial Notabene’s best-in-class solution as it delivers a seamless compliance process without any compromise to the user experience.”

Pelle Braendgaard, CEO of Notabene, says:

‍“Bitfinex has been an integral part of the crypto currency community for many years now. They share our vision for a continued open crypto currency ecosystem. We are excited to help work with them implementing the Travel Rule, a key part of the latest guidelines for Virtual Asset Service Providers from FATF.  Travel Rule testnets are the best way for companies to collaborate on the approach to roll out Travel Rule compliance.”

‍
Notabene regularly holds strategic Travel Rule compliance testnets that substantially benefit all stakeholders in the community, including a recent cross-jurisdictional testnet, under the observance of the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM). 

‍

##
‍

About Bitfinex

Founded in 2012, Bitfinex is a digital token trading platform offering state-of-the-art services for traders and global liquidity providers. In addition to a suite of advanced trading features and charting tools, Bitfinex provides access to peer-to-peer financing, an OTC market and margin trading for a wide selection of digital tokens. Bitfinex's strategy focuses on providing unparalleled support, tools, and innovation for experienced traders and liquidity providers around the world. Visit www.bitfinex.com to learn more.

‍

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and X.

‍

Media contacts

Joe Morgan, Senior PR Manager, Bitfinex

[email protected]

Alice Nawfal, COO, Notabene

[email protected]

British Virgin Islands, October 20, 2021, 12:00 PM BST - Tether Operations Limited (“Tether”), the company operating the blockchain-enabled platform Tether.To that powers the largest stablecoin by market capitalization, announced today that it will be utilizing Notabene, an end-to-end solution for crypto regulatory compliance. It will begin testing its protocol-agnostic solution for Travel Rule compliance in order to bring transparency to cross-border transactions. 

Notabene will enable Tether to test complex Travel Rule transactions in a collaborative, low-risk environment as the stablecoin issuer prepares for new regulations. In order to ensure customer protection, specifically as it pertains to transactions made by Virtual Asset Service Providers (VASPs), Tether will use Notabene’s solution to share, send and receive counterparty information alongside blockchain transactions to counterparties that use the same infrastructure.

Global money-laundering watchdog the Financial Action Task Force (FATF) has issued guidelines holding crypto companies to similar standards as regulated financial entities. The “Travel Rule” recommends  that VASPs dealing with virtual assets should transmit specific customer data  between counterparties for transactions over a certain threshold. The updated guidelines describe the FATF’s recommendations in key areas, including how the FATF standards should be applied to stablecoins. These practices are intended to assist countries and service providers to combat money laundering, terrorist financing, and abide by Sanctions measures. 

‍

Paolo Ardoino, CTO of Tether.

“It's important that we work with regulators to build this industry from the ground up as pioneers of blockchain technology and leaders in transparency, we are dedicated to not only keeping up with new rules but helping shape them. Because the Travel Rule also applies to traditional financial institutions we see this as an opportune moment to foster cooperation across traditional and digital channels in order to create better services for customers globally. We are proud to lead the charge on behalf of all stablecoins in order to make a positive change towards protecting our clients.” 

Pelle Braendgaard, CEO of Notabene, comments:

“Tether’s stablecoin has rightfully cemented its role as a core part of the global crypto industry. Notabene is excited to help Tether bring out FATF Travel Rule compliance across its global network, leading to a safer and more regulatory compliant crypto world.”
‍

By bringing a trusted data layer to blockchain transactions, Notabene’s design will assist Tether in managing counterparty risk and deliver a best-in-class payment experience to its customers while maintaining GDPR compliance and user data protection.

With the successful integration of Notabene’s solution, Tether aims to maintain its reign as a leader in transparency and in getting information to the community as well as its stakeholders, while demonstrating full compliance with regulatory requirements. To learn more about Tether, please visit, https://tether.to/. 

##

About Tether

Tether is the preeminent stablecoin with the biggest market capitalization, surpassing that of all rival offerings combined. Created in October 2014, Tether has grown to become the most traded cryptocurrency. Tether is disrupting the legacy financial system by offering a more modern approach to money. By introducing fiat currency denominated-digital cash to the Bitcoin, Ethereum, EOS, Liquid Network, Omni, Tron, Algorand, and Solana blockchains, Tether makes a significant contribution to a more connected ecosystem. Tether combines digital currency benefits, such as instant global transactions, with traditional currency benefits, such as price stability. With a commitment to transparency and compliance, Tether is a fast and low-cost way to transact with money.

‍

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

‍

Media contact

Alice Nawfal, COO, Notabene

[email protected]

We recently released a survey inviting the responses of VASPs of various sizes worldwide to compile the findings into the State of Crypto Travel Rule Compliance Report. The upcoming report will demonstrate a transparent understanding of Travel Rule compliance readiness levels and pain points. Today we present a preliminary analysis of this data. Thank you to all of you who completed the survey.

What we’ve noticed: Regulators will have a significant role to play in the smooth, global implementation of Travel Rule compliance. Most of the issues that VASPs are facing are due to a lack of regulatory clarity. Regulators could help with coordination and further guidance.

Learn more below.

1. 95% of respondents have an internal compliance/legal department. 

78% of those say these teams are a key pillar of the company with enough power to ensure that the business adheres to external rules and internal controls.

2. 72% of the respondents are already Travel Rule compliant or are on track to becoming fully compliant soon. [Q3/Q4 2021 - Q1/Q2 2022]

3. 100% of respondents that report full Travel Rule compliance are in Singapore.

4. 56% of respondents name the sunrise period and legal uncertainty as the two most relevant hindrances to adoption.

• Managing data privacy risks, UX impact, and interactions with non-custodial wallets are at the bottom of the list of adoption hindrances.
  ‍

5. Potentially due to the sunrise period, VASPs are in very different stages of compliance.

VASPs that are looking to comply with Travel Rule requirements are all in very different stages of the process. The distribution of VASPs across the research, planning, implementation and finalized phase is fairly equal. This is possibly connected to the "sunrise issue," resulting in VASPs having very different levels of regulatory pressure to go live with the Travel Rule. 

6. 18% of VASPs report to have suspended all transactions until they are ready to comply with the Travel Rule.

We will provide more information, including a deeper analysis, VASP interviews, and Regulator insights in the upcoming State of Crypto Travel Rule Compliance Report in December. Stay tuned to this and other regulatory news by signing up for our newsletters.

As the report aims to demonstrate a transparent understanding of compliance readiness levels and pain points, gathering responses and insights from a diverse group of VASPs is crucial. If your firm qualifies as a VASP, please feel free to submit your answers.

If you have any questions about the survey, please feel free to reach out to [email protected] or [email protected].

‍

Enter your information below to download the State of Crypto Travel Rule Compliance Report 2022.

AMSTERDAM & NEW YORK -- Notabene, a Financial Action Task Force (FATF) Travel Rule solution provider has announced a partnership with Crystal Blockchain, a Netherlands-based blockchain investigative tool. The collaboration is meant to enable Virtual Asset Service Providers (VASPs) to comply with the FATF’s Travel Rule identification, data exchange, and reporting process from beginning to end.

Crystal Blockchain powers regional and global AML compliance and operational continuity by enabling best-in-class blockchain transaction risk assessment. Notabene is a regtech SaaS solution that allows companies to leverage their end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard.
‍
- Alice Nawfal, COO of Notabene says

“Industry partnerships are the key to FATF Crypto Travel Rule compliance. Working with Crystal Blockchain allows us to embed blockchain compliance security into our product offering, providing the best end-to-end Travel Rule compliance solution in the space.”

‍

Marina Khaustova, CEO at Crystal Blockchain, comments

“Crystal’s latest partnership with travel rule solutions aggregator Notabene allows us to bring the best of blockchain compliance security to our customers as we and Notabene work towards a safer and more risk-averse blockchain future.” --- Marina Khaustova, CEO at Crystal Blockchain

‍

Read more in PAYPERS about the latest partnership between Crystal and Notabene

About Notabene

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. Notabene is headquartered in New York with offices in Zug and Santiago de Chile. Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

About Crystal Blockchain

Crystal is the world-leading all-in-one blockchain analytics tool for crypto AML compliance, providing blockchain analytics and crypto transaction monitoring for thousands of cryptocurrencies in real-time. Crystal works globally with customers in the digital asset industry, the banking, and FI sectors. We help streamline their Know Your Transaction (KYT) and Anti-Money Laundering (AML) procedures for meeting international compliance standards. Available as a free demo version, SaaS, API, and on-premise installation. Engineered by Bitfury.

Media contacts

Ana Diundina, Crystal Blockchain

[email protected]

+380977371660

Alice Nawfal, COO, Notabene

[email protected]

NEW YORK -- Notabene, the leading FATF Travel Rule solution provider, has announced the successful completion of a Travel Rule testnet in cooperation with the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM). 

Notabene set up a collaborative environment for seven companies to test cross-jurisdictional Travel Rule transactions in a low-risk environment as they gear up to comply with impending regulations. Four ADGM-licensed firms, Matrix, Aarna Capital, DEX, and MidChains, tested sending transactions with companies applying for their Singaporean digital payment token (DPT) license–Amber Group, Liquid, and Zipmex.

New anti-money laundering (AML) rules, commonly known as the “Travel Rule,” require crypto companies to share personal customer information alongside a transaction. As enforcement deadlines approach, financial institutions rush to implement new compliance tools, train compliance teams to implement new processes and understand what actions to take across various scenarios. 

ADGM’s FSRA cooperated with Notabene to establish the testnet so that companies could perform simulated travel rule transactions between each other, collaborate on compliance approaches, while permitting the regulator to clarify their interpretation of the rules. 

The participating firms tested six real-life scenarios, including interactions with firms operating cross-jurisdictionally where thresholds and requirements vary. 

Other scenarios tested included:

• Rejecting transfers when data didn’t match internal records.
• Interacting with companies who are not Notabene customers and may not be live with Travel Rule.
• Requesting missing travel rule transfers from counterparties. 

Alice Nawfal, COO of Notabene, says:

‍“The industry is signaling to regulators that they can adapt to the intricacies of new regulations, including varying cross-jurisdictional rules. Notabene’s software ensures that firms complying with the various regulations do not have to limit transaction flow.”

Wai Lum Kwok, Senior Executive Director – Authorisation of the FSRA, comments:

“We are pleased to see that the industry is actively collaborating to use technology to facilitate compliance. Such collaborations let participants better understand regulatory requirements and improve their processes. Further, appropriate use of technology can lead to more efficient and effective compliance outcomes. The cross-border nature of this collaboration is a good signal that the industry is increasingly able to deal with the global nature of compliance for virtual assets.”  

Participating exchanges expressed excitement to trial Travel Rule transactions through Notabene with regulator participation.

Pav Gill, Chief Legal Officer at Zipmex, adds:

“It has been a pleasure to be granted the opportunity to work with ADGM. Throughout this experience, we have seen the positives of how these solutions will help in the fight against financial crimes within the digital assets industry. While there is an appreciation of the intentions behind the regulation, significant practical challenges remain in terms of implementation in order to ensure a seamless customer experience that matches the power of the underlying technology. We look forward to continuing to work with regulators during these exciting times.”‍

Vasja Zupan, President of Matrix, comments:

“We are thrilled to take part in a global effort to test Travel Rule transactions. As a regulated trading platform that prioritizes security, we see Notabene’s testnet as a responsible and resourceful step for testing customer transactions.”

Seth Melamed, COO, Liquid, comments:

"At Liquid, putting clients at the center of all that we do is core to how we operate. Adherence to AML regulations is an important part of our client-centric approach. In our collaboration with Notabene, Liquid is proactively working with other crypto entities, regulators, and solution providers to adapt the principles of Funds Travel Rule to a blockchain context."

This testnet presents an excellent opportunity for the participating firms to learn collaboratively. Going forward, Notabene will continue to facilitate further testing, provide integration support, and moderate compliance team discussions, as well as publishing ‘blueprint’ compliance flows to the industry. Sign up for the next testnet here.

About Notabene

Notabene is a reg-tech compliance SaaS solution that connects the traditional financial industry and crypto industry. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Using privacy-preserving technology, strategic partnerships, and commitment, our first-to-market FATF Travel Rule solution helps financial institutions, crypto exchanges, and businesses turn compliance into a competitive advantage. Key investors include Castle Island, Green Visor Capital, Illuminate Financial, CMT Digital, and a cadre of top-tier angel investors. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

Today, Germany published the Crypto Asset Transfer Regulation - KryptoWTransferV, implementing FATF's travel rule in the country. We will review this in the next few days and update our Germany jurisdiction page.

Until then, we share the highlights:

1. The Crypto Travel Rule regulation comes into force in Germany on October 1st, 2021.

KryptoWTransferV § 7 (1) Entry into force, expiry: ‍

"This Ordinance shall come into force on October 1, 2021."

2. The regulation subsumes to the preexisting Money Transfer Ordinance framework.

KryptoWTransferV § 3 (1): Duty to survey, Storage and transmission of data during transfers between crypto value service providers 

“For obliged entities making a transfer on behalf of the payer, the rules on obligations of the payment service provider of the payer under Articles 4 and 6 of the Funds Transfer Regulation shall apply mutatis mutandis if only crypto value service providers are involved in the transfer on behalf of the payer and the payee.

3. German VASPs must collect, store, and verify the name and addresses of non-custodial beneficiary and originators.

KryptoWTransferV § 4 (3): Duty to Collection and storage of data during transfers, in which not exclusively Crypto value service providers are involved

“For the purposes of paragraphs 1 and 2, risk-adequate measures are measures which correspond to the identified money laundering and terrorist financing risk of the transfer and which ensure the traceability of the transfer. In particular, a risk-appropriate measure is the collection, storage and verification of the name and address of the beneficiary or the principal for whom no crypto service provider is acting in the transfer and who is not a contractual partner of the obliged party.”

4. Companies that are unable to comply immediately must notify competent supervisory authorities by November 30, 2021.

Companies that cannot comply immediately with travel rule obligations must notify competent supervisory authorities by November 30th, 2021. They must further include the reasons for the impediment, the measures taken to remove it, and the timeline for the removal by December 31st, 2021. The stated reasons will be subject to the assessment of the supervisory authority, who may decide whether or not an exemption period should be granted to the VASP.

KryptoWTransferV § 5 (1) Transitional provisions: 

“Obligated persons who, at the time of entry into force of this Ordinance, conduct banking transactions within the meaning of section 1(1) sentence 2 of the German Banking Act, provide financial services within the meaning of section 1(1a) sentence 2 of the German Banking Act or securities services within the meaning of section 2(2) to (4) of the German Securities Institutions Act in relation to crypto securities, and who are unable to comply with the obligations under sections 3 and 4 on a permanent basis or at all for reasons for which they are not responsible, shall notify the competent supervisory authority in accordance with section 50 number 1 of the German Money Laundering Act by 30 November 2021 and provide reasons for this by 31 December 2021. If obliged entities commence such banking transactions, financial services or investment services for the first time after the entry into force of this Ordinance, sentence 1 shall apply subject to the proviso that the notification, including the justification, must be made upon commencement. “

5. VASPs must ensure Travel Rule compliance within 12 months. 

Under certain circumstances, a single extension of this period for additional 12 months may be granted.

KryptoWTransferV § 5 (2) Transitional provisions: 

“The justification referred to in paragraph 1 shall include information on the reason for the impediment and on the measures taken to remove the impediment. In addition, the period of time in which the removal of the reason for the impediment is expected to take place shall be indicated, and it shall be specified which other risk-appropriate measures will be taken during the implementation of transfers. The period specified in accordance with the first sentence may not exceed twelve months. A single extension of this period by a further twelve months shall be permissible if a reasoned notice of extension is submitted before the expiry of the first twelve-month period and if the reason for the impediment continues to exist.”

Relevant links:

• BaFIN | Banking Act (Kreditwesengesetz - KWG)
• Bundesminister der Finanzen | Kryptowertetransferverordnung – KryptoWTransferV
• The Federal Minister of Finance | Regulation on enhanced due diligence requirements for the transfer of crypto assets (Crypto Asset Transfer Regulation - KryptoWTransferV) translated to English.
  

Charles V. Senatore, former Director of the Southeast Region of the US SEC, shares his essential insights for crypto compliance officers. Senatore has over 36 years of industry experience; as a trial lawyer, a federal prosecutor, a law firm partner, and a senior regulator at the SEC. He then went on to lead global compliance functions at Merrill Lynch and Fidelity.

We’ve created a post with the top 10 takeaways from his conversation with our co-founder and CEO, Pelle Brændgaard.

1. Regulators have developed timeless principles they care about, and compliance officers should implement policies to address them.

The compliance team must keep in mind the timeless principles the regulators care about. If they look back to the essence of what regulators tend to think about, then they can provide input on how these principles may need to apply to new crypto products.

2. Crypto firms should do three things to encourage regulators to continue taking a risk-based approach with crypto to achieve desired regulatory outcomes:

1. Remember that it is your responsibility to become compliant. You are accountable for outcomes and must prepare adequate controls.
2. Work as a community to achieve herd compliance.
3. Engage with regulators responsibly.
   

3. Mandating technology doesn’t end well.

The danger of mandating a technology is that the technology changes, yet the regulation stays set to a specific point in time. It’s hard to unwind firm regulations, which creates all sorts of inefficiencies.

4. A healthy regulatory relationship can benefit the industry.

Regulators, as public servants, have an interest in the integrity of their markets. Accordingly, many regulators are eager to engage and learn–keeping up to speed is crucial for carrying out their mission.

5. Companies that view compliance as an opportunity for differentiation will have a competitive advantage over their competitors.

Businesses that do not take the proper steps to handle consumer assets well will lose ground to firms with strong and effective compliance programs.

6. Want a compliant product? Involve compliance officers during the ideation process.

‍New product ideas will have better outcomes if compliance officers successfully integrate themselves from the start. Nothing is more frustrating than having an excellent idea for a use case shot down by a compliance officer. Involving a compliance officer during step one mitigates future disappointment.

7. Compliance officers should consider aligning themselves with business goals and growth.‍

To forge a one-on-one connection with business leaders, compliance officers should search for compliant ways to realize business goals instead of reflexively saying “no.” With that mindset in place the compliance team will  eventually advance from being seen as the “anti-business department” to being appreciated as part of the solution to help the business grow.

8. Compliance officers are in a great position to have a seat at the leadership table. ‍

Once business leaders realize that the compliance team is a part of the solution to help the business grow, an opportunity for compliance officers to be a respected part of leadership soon follows.

9. Most compliance principles fall into two major categories: binary “yes” or “no” decisions or risk-based considerations. ‍

Use cases without specific binary regulatory requirements are where compliance officers can work their magic and show their value by applying time-tested risk-based principles to get a high level of comfort. Appropriately assess risk, and propose mitigation steps, and create that new product. 

10. Talent that understands both tech and regulatory principles will be key to success in this industry. ‍

As we head into uncharted waters, having people who understand the tech and how these regulatory principles apply to it will be crucial ingredients. The teams with these capabilities will be best suited to nimbly and quickly adapt as new use cases emerge. It will take collaboration among different teams and working seamlessly together to reduce friction and allow innovation to flourish.

On July 22, 2021, HM Treasury released Amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 Statutory Instrument 2022, a consultation that included an entire chapter on the transfers of crypto assets. Chapter 6 laid forth provisions poised to implement the FATF’s Crypto Travel Rule into UK law.

Below are our important takeaways:

1. HM Treasury proposes to update the Money Laundering Regulations (MLRs) rather than pass primary legislation needed to amend the Funds Transfers Regulations (FTRs)

6.7: The use of the Money Laundering Regulations

As it is retained EU law, the government does not have the ability to easily amend the FTR, except to remove deficiencies caused by EU exit. More substantial amendments of the kind necessary to apply R.16 to cryptoassets would require primary legislation. The government therefore proposes to use its powers to amend the MLRs, which will also ensure that AML legislation for the cryptoasset sector is consolidated in one place, and is therefore easier to navigate. 

Notabene Takeaway: Acknowledging the urgency with which HM Treasury wants to roll out the Travel Rule, they propose to update existing MLRs rather than attempt to amend the EU FTR laws. This will make it easier and faster to implement, and also has the benefit of ensuring all AML regulation for cryptoassets is kept within the MLRs. 

2. HM Treasury offers an unspecified grace period for compliance solution integration

6.8: Timing

The government acknowledges that the process of integrating these requirements into a firm’s business practices may take time. It is important that new regulations are introduced in a proportionate way, striking the right balance between reducing the harms of illicit finance and supporting innovation that benefits consumers and the economy. It is therefore proposed that firms will be allowed a grace period after the amendments to the MLRs are made, to allow the integration of compliance solutions. 

Notabene Takeaway: The HM Treasury acknowledges that introducing new compliance measures is a cost and needs to be balanced with their support for innovation. It will offer a grace period and calls on critical industry players’ responses to create evidence-based policy decisions. You can submit your feedback to this email [email protected] by October 14, 2021. Notabene will also provide a response.

3. Full Travel Rule data transfer requirements will apply to all VASP-to-VASP transfers over £1,000

Meanwhile, transfers below £1,000 will still require the collection of less PII. 

6.12:

In line with INR.16 and the approach taken in the FTR, the government proposes that the following information should be required to be sent with a transfer of cryptoassets. 

These requirements are the minimum information which should accompany a transfer of cryptoassets; there is nothing to prevent a cryptoasset service provider providing additional information with the transfer (such as, for example, providing full beneficiary and originator information, if the sending cryptoasset sevice provider does not know the jurisdiction in which the receiving cryptoasset service provider is based). 

Notabene Takeaway: Notably, HM Treasury will require travel rule transfers below the threshold, similar to the EU requirements. Also, it is worth noting that while some jurisdictions have deemed all crypto transfers to be treated as ‘cross-border transfers, the UK makes an exception here by allowing transfers between UK-based VASPs not to include PII.

4. PII received, transmitted, or retained is within the scope of the UK GDPR

6.22:

Personal data received, transmitted or retained pursuant to these provisions is within scope of the UK General Data Protection Regulation (GDPR), and crypto asset service providers will therefore need to process it in line with the requirements in that legislation. 

Notabene Takeaway: UK VASPs must uphold GDPR when performing Travel Rule transfers. This is not unexpected, but some questions arise on whether they will oblige their counterparties who are not in the EU or UK to also abide by GDPR.

5. HM Treasury invites comments/feedback on unhosted wallet transfers

6.27: Treatment of unhosted wallets

Obligations under R.16 only fall on cryptoasset service providers, not on private individuals using unhosted wallets. Although FATF are reviewing the treatment of unhosted wallets within scope of the recommendations, current FATF Guidance states that, where a beneficiary’s cryptoassets service provider receives a transfer from an unhosted wallet, it should obtain the required originator information from its own customer that receives the cryptoassets transfer. This requirement does not extend to the verification of said originator information. Where a transfer is being made from a cryptoassets service provider to an unhosted wallet, the originating provider is not expected to send information to an unhosted wallet, though it should still collect information on the intended beneficiary.

Notabene Takeaway: HM Treasury is hinting that it would only require obtaining the counterparty information and not its verification if it were to roll out requirements around unhosted wallets. This is in line with what FATF recommends now, but it is encouraging that they invite commentary from the industry. Regardless, companies must be prepared to implement a risk-based approach concerning unhosted wallets.

On June 20, 2021, the European Commission published a proposal for regulating the transfers of funds and certain crypto-assets. This current proposal recasts Regulation EU 2015/847 as part of an AML/CFT package of four legislative proposals that are considered one coherent whole in implementing the Commission Action Plan of May 7, 2020. This proposal creates a new and more coherent AML/CFT regulatory and institutional framework within the EU. The package encompasses:

• a proposal for a regulation on the prevention of the use of the financial system for the purposes of money laundering (ML) and terrorist financing (TF)
• a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/TF purposes, and repealing Directive (EU) 2015/849;
• a proposal for a Regulation creating an EU Anti-Money Laundering Authority (AMLA)8, and
• This proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets.
  

In essence, this regulation takes May 2015’s Directive (EU) 2015/847 on ‘the information accompanying transfers of funds and updates it to adequately cover virtual assets while repealing the over-reaching requirements of Directive (EU) 2015/849.

This regulation will enter into force on the 20th day after publication in the official journal. 

Read Notabene's key takeaways:

1. The EU sees the need for harmonized international rules

This proposal package addressed the need for harmonized rules across the internal market.

On May 7, 2020, the Commission presented an Action Plan for a comprehensive Union policy on preventing money laundering and terrorism financing. In that Action Plan, the Commission committed to taking measures to strengthen the EU’s rules on combating money laundering and terrorism financing and their implementation, with six priorities or pillars:
1. Ensuring effective implementation of the existing EU AML/CFT framework,

2. Establishing an EU single rulebook on AML/CFT,

3. Bringing about EU-level AML/CFT supervision,

4. Establishing a support and cooperation mechanism for FIUs,

5. Enforcing EU-level criminal law provisions and information exchange,

6. Strengthening the international dimension of the EU AML/CFT framework.

Pillars 1, 5, and 6 of the Action Plan are currently being implemented partly due to the support of both The European Parliament and the Council. The other pillars demand legislative action. Yet, evidence provided by reports and internal assessments identified that. In contrast, the requirements of Directive (EU) 2015/84912 were far-reaching; their lack of direct applicability and granularity led to a fragmentation in their application along national lines and divergent interpretations.

In response, this proposal updates Regulation EU 2015/847 while repealing Directive (EU) 2015/849.  

Notabene’s assessment: The EU believes a more harmonized front to combat money-laundering and terrorism financing is required. A country-by-country implementation has not proven very effective. They hope this would alleviate jurisdictional arbitrage or the milder term they call “jurisdictional shopping.” 

2. GDPR applies to CASPs

The EU clarifies that GDPR applies to CASPs (crypto asset service providers - the EU’s terminology equivalent to FATF’s virtual asset service providers.)

Article 15:

The EU is committed to ensuring high standards of protection of fundamental rights. Under article 15 of the current regulation, the processing of personal data under this Regulation is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council31.Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council32. The General Data Protection Regulation33 will apply to CASPs as regards the personal data handled and attached to cross-border transfers of value using virtual assets.

Article 20:

Payment and crypto-asset service providers shall ensure that the confidentiality of the data processed is respected.

Additionally, CASPs must keep records of information on the originator and the beneficiary for five years; they must delete them.

2015/847 recital 29:

As it may not be possible in criminal investigations to identify the data required or the individuals involved in a transaction until many months, or even years, after the original transfer of funds or transfer of crypto-assets  , and in order to be able to have access to essential evidence in the context of investigations, it is appropriate to require payment service providers or crypto-asset service providers to keep records of information on the payer and the payee or the originator and the beneficiary for a period of time for the purposes of preventing, detecting and investigating money laundering and terrorist financing. That period should be limited to five years, after which all personal data should be deleted unless national law provides otherwise.

Notabene’s assessment: Many in the crypto industry have been long awaiting what the verdict on GDPR would be regarding the Travel Rule in the EU. The EU states that going forward, CASPs will need to implement a GDPR-compliant secure data storage solution, making it clear that AML/CFT measures supersede this.  

3. Personally Identifiable Information obligations accompanying transfers of crypto-assets are in line with FATF

Article 14:

OBLIGATIONS ON THE CRYPTO-ASSET SERVICE PROVIDER OF THE ORIGINATOR
Information accompanying transfers of crypto-assets
1. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the originator:
(a) the name of the originator;
(b) the account number of the originator, where an account is used to process the transaction;
(c) the originator’s address, official personal document number, customer identification
number or date and place of birth.
2. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the beneficiary:
(a) the name of the beneficiary;
(b) the beneficiary’s account number, where such an account exists and is used to process the transaction.

‍

Notabene’s assessment: By adhering to FATF suggested guidelines, it is easier for CASPs (or VASPs) to have unified rules as they comply cross-jurisdictionally.

4. Stakeholders consulted by the EU express concern about the walled garden of compliance.

pg 7:

Stakeholder input on the Action Plan was broadly positive. However, some European UnionVASP representatives claimed that the absence of a standardised global, open source and free, technical solution for the travel rule could lead to the exclusion of small actors from the crypto-assets market, with only important players being able to afford compliance with the rules.

Notabene’s assessment: Several working groups noted the possible exclusion of small players in the crypto-assets market if compliance is too complex and too expensive to roll out. If only a few exchanges can afford compliance or if messaging protocols are not free and open, a walled-garden scenario would cause a few “important” players to operate. At the same time, the rest may be hit with fines and must close.

5. The threshold is set at EUR 1000, but Travel Rule requirements still apply for lower thresholds (albeit with less PII shared)

The EU has set a threshold of EUR 1000, in line with FATF recommended guidelines. Above that, originator CASPs need to share originator identifying information beyond just name (i.e., physical address, official personal document number, customer identification number, or date and place of birth). The EU does call out transactions that may be part of structuring -  whereby the asset appears to be linked to other transfers that amount to EUR 1000. The travel rule also applies to them.

2015/847 recital 16:

In order not to impair the efficiency of payment systems and crypto-asset transfer services, and in order to balance the risk of driving transactions underground as a result of overly strict identification requirements against the potential terrorist threat posed by small transfers of funds or crypto-assets, the obligation to check whether information on the payer or the payee, or, for transfers of crypto-assets, the originator and the beneficiary, is accurate should, in the case of transfers of funds where verification has not yet taken place, be imposed only in respect of individual transfers of funds or crypto-assets that exceed EUR 1000, unless the transfer appears to be linked to other transfers of funds  or transfers of cryptoassets which together would exceed EUR 1000, the funds or crypto-assets have been received or paid out in cash or in anonymous electronic money, or where there are reasonable grounds for suspecting money laundering or terrorist financing.

The EU also calls out in Article 15 that the travel rule applies below the EUR 1000, but with only originator and beneficiary names shared.

Article 15:

By way of derogation from Article 14(1), transfers of crypto-assets not exceeding EUR1 000 that do not appear to be linked to other transfers of crypto-assets which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least the following information:(a) the names of the originator and of the beneficiary;(b) the account number of the originator and of the beneficiary or, where Article 14(3)applies, the insurance that the crypto-asset transaction can be individually identified;

Notabene’s assessment: The European Commission has no desire to create overly strict requirements that impede the flow of transactions. But by requiring Travel Rule below the threshold, they are boldly signaling the importance of the Travel Rule to CASPs and asking them to take a more comprehensive or holistic approach to travel rule implementation.

6. Transfers of crypto assets from the EU to outside the EU should include a Legal Entity Identifier (LEI)

2015/847 recital 19 (adapted):

In order to allow the authorities responsible for combating money laundering or terrorist financing in third countries to trace the source of funds or crypto-assets used for those purposes, transfers of funds or transfer of crypto-assets from theUnion to outside the Union should carry complete information on the payer and the payee. Complete information on the payer and the payee should include the LegalEntity Identifier (LEI) when this information is provided by the payer to the payer’s service provider, since that would allow for better identification of the parties involved in a transfer of funds and could easily be included in existing payment message formats such as the one developed by the International Organisation for Standardisation for electronic data interchange between financial institutions.

Notabene’s assessment: Many in the crypto industry had pushed for the adoption of LEIs in the FATF guidance. While suggested as an identifier, the FATF did not introduce them as a requirement. We see the EU requirement as an excellent first step in accepting a more unified, global identification system for legal entities that will reduce diligence costs for CASPs for cross-border transfers.

7. Beneficiary CASPs should have effective risk-based procedures that apply where a transfer lacks the required information

2015/847 recital 22 (adapted):

As regards transfers of crypto-assets, the crypto-asset service provider of the beneficiary should implement effective procedures to detect whether the information on the originator is missing or incomplete. These procedures should include, where appropriate, monitoring after or during the transfers, in order to detect whether the required information on the originator or the beneficiary is missing. It should not be required that the information is attached directly to the transfer of crypto-assets itself, as long as it is submitted immediately and securely, and available upon request to appropriate authorities.

Article 12 calls for the beneficiary CASP to reject a transfer if it is missing data.
‍
Article 12:

Transfers of funds with missing information on the payer or the payee
1. The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.

Additionally, the proposal goes on to say, “If a CASP continues to submit transfers with incomplete data, the counterparty CASP could take steps to reject any future transfers of funds or terminate the business relationship.” Beneficiary CASPs must implement adequate procedures to detect whether the originator information is missing or complete. 

2015/847 recital 23 (new):

Given the potential threat of money laundering and terrorist financing presented by anonymous transfers, it is appropriate to require payment service providers to request information on the payer and the payee. In line with the risk-based approach developed by FATF, it is appropriate to identify areas of higher and lower risk, with a view to better targeting the risk of money laundering and terrorist financing. Accordingly, the crypto-asset service provider of the beneficiary, the payment service provider of the payee and the intermediary payment service provider should have effective risk-based procedures that apply where a transfer of funds lacks the required information on the payer or the payee, or where a transfer of crypto-assets lacks the required information on the originator or the beneficiary, in order to allow them to decide whether to execute, reject or suspend that transfer and to determine the appropriate follow-up action to take.

Notabene’s assessment: A risk-based approach to compliance is urged and recommended for CASPs. This is good news for companies who can take a more nuanced approach to travel rule, especially during the sunrise period when many counterparty institutions may not respond quickly.

8. Member states should lay down sanctions to encourage compliance 

2015/847 recital 30:

In order to improve compliance with this Regulation, and in accordance with theCommission Communication of 9 December 2010 entitled ‘Reinforcing sanctioning regimes in the financial services sector’, the power to adopt supervisory measures and the sanctioning powers of competent authorities should be enhanced. Administrative sanctions and measures should be provided for and, given the importance of the fight against money laundering and terrorist financing, Member States should lay down sanctions and measures that are effective, proportionate and dissuasive. Member States should notify the Commission and the Joint Committee of EBA, EIOPA and ESMA(the ‘ESAs’) thereof.

The proposal goes on to state that legal persons can be held liable for breaches:

Chapter 5: Sanctions and monitoring:

5. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 2318 committed for their benefit by any person acting individually or aspart of an organ of that legal person, and having a leading position within the legal person based on any of the following:(a) power to represent the legal person;(b) authority to take decisions on behalf of the legal person; or(c) authority to exercise control within the legal person.

Competent authorities may impose administrative sanctions and measures in collaboration with other authorities.

Chapter 5: Sanctions and monitoring:

7. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways:EN 41 EN(a) directly;(b) in collaboration with other authorities;(c) under their responsibility by delegation to such other authorities;(d) by application to the competent judicial authorities.In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases

Article 23:

Member States shall ensure that their administrative sanctions and measures include at least those laid down by Articles 40(2), 40(3) and 41(1)59(2) and (3) [...] in the event of the following breaches of this Regulation:
(a) repeated or systematic failure by a payment service provider to include the required information on the payer or the payee, in breach of Article 4, 5 or 6 or by a crypto-asset service provider to include the required information on the originator and beneficiary, in breach of Articles 14 and 15;
(b) repeated, systematic or serious failure by a payment service provider or crypto-asset service provider  to retain records, in breach of Article 2116;
(c) failure by a payment service provider to implement effective risk-based procedures, in breach of Articles 8 or 12  or by a crypto-asset service provider to implement effective risk-based procedures, in breach of Article 17;
(d) serious failure by an intermediary payment service provider to comply with Article 11 or 12.

Notabene’s assessment: While there will be a centralized body for AML/CFT revision at the EU level, enforcement (e.g., sanctions) still gets performed at the member state level. We’re interested to see how effective this approach will be for EU member states.

9. This regulation does not apply to p2p transfers

Article 2:

Electronic money tokens, as defined in Article 3(1), point 4 of Regulation shall be treated as crypto-assets under this Regulation. This Regulation shall not apply to person-to-person transfer of crypto-assets.

Notabene’s assessment: While P2P is not affected, the EU does not comment on transactions between CASPs and noncustodial or unhosted wallets. This is good news for now, though certain member states have rolled out their own requirements (e.g., Netherlands). 

10. The originator CASP should provide appropriate customer PII within three working days of receiving a request from the beneficiary CASP

Article 5: Transfers within the European Union:‍

2. Notwithstanding paragraph 1, the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the
following:
(a) for transfers of funds exceeding EUR 1000, whether those transfers are carried
out in a single transaction or in several transactions which appear to be linked, the
information on the payer or the payee in accordance with Article 4;
(b) for transfers of funds not exceeding EUR 1000 that do not appear to be linked
to other transfers of funds which, together with the transfer in question, exceed EUR
1000, at least:
(i) the names of the payer and of the payee; and
(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier

On May 11th, 2021, The German Federal Ministry of Finance published a working ordinance draft bill, the Crypto Securities Transfer Regulation, Krypto Wertetransfer Verordnung (KryptoTransferV), which included increased “duties of care” in the transfer of virtual assets.

Later, on June 14th, the German Federal Ministry of Finance released the updated hearing on the draft bill that requires crypto asset companies to enforce the Travel Rule. The regulation prohibits the transmission of information about clients and recipients arranged for transferring crypto values, as is the case with money transfers. This regulation is based on Regulation (EU) 2015/847 of the European Parliament and of the Council. The German Federal Ministry of Finance will approve the ordinance by the end of 2023. 

Read our key takeaways:
‍

1. Germany required the Travel Rule before the European Commission

Crypto Securities Transfer Regulation (KryptoTransferV) § 3:

“Possible alternatives do not represent justifiable alternatives to the proposed regulation with regard to proportionality on the one hand and the limitation of the threat posed by anonymous transactions on the other. A prohibition of transactions on electronic wallets that are not administered by a crypto custodian has only a very limited effect due to the mostly cross-border nature of crypto transfer business and presents itself as a less proportionate alternative compared to the proposed transmission of information. Due to the high risks posed by anonymous crypto power transfers, the adaptation of European regulation cannot be waited for.” 

Notabene takeaway: This is a strong example of a national regulator taking things into their own hands and moving forward with crypto rules before being enforced on a European Union level. In this case, the German regulator implies that imposing Travel Rule is a more effective alternative to banning non-custodial wallets due to their cross-border nature.

2. Germany views transfers to self-managed electronic wallets as the starting point of a suspicious transaction.

Crypto Securities Transfer Regulation (KryptoTransferV) § A:

In addition, the transfer of cryptovalues ​​to an electronic wallet that is not managed by a crypto custodian (self-managed electronic money exchange), or vice versa, is viewed as a case constellation with increased risk. So can the Forwarding of crypto values ​​to a self-managed electronic wallet represent a starting point for a suspicious transaction.

Notabene takeaway: While many regulators have signaled that they view transactions to non-custodial wallets as higher risk, it is surprising to see that the German regulator deems them as a starting point for suspicious transactions. This is a stricter stance than what FATF details in their latest guide. We expect that this will impact whether German VASPs will continue to allow transactions to non-custodial wallets, especially ones to third parties.  

3. The German proposal includes estimations of compliance costs

Crypto Securities Transfer Regulation (KryptoTransferV) § V:

"This ordinance does not impose any costs on citizens.
‍
The estimate of the compliance burden is subject to considerable uncertainty. If the requirements of the Ordinance are largely met, the compliance burden on business will be higher. If greater use is made of the notification requirement under Section 4 of the Ordinance, the costs for the economy will be lower.
‍
For the business community, there will be recurring compliance costs of approximately €420,800. In the event of an increase in the number of cases, no further costs for the implementation of Section 3 of the Ordinance can be assumed due to the expected automation of data transmission and the associated synergy effects, especially since it is expected that providers will offer flat rates for the implementation of data transmission for crypto value transfers.
‍
The administration will incur recurring compliance costs of approximately €157,000.”

Notabene takeaway: It is a reasonable effort for the regulator to quantify potential compliance costs for regulated institutions that must comply quickly. However, it is unclear how these estimates were reached without a more detailed breakdown of the charges, the large upfront investments companies need to make, and the daily maintenance costs to ensure proper detection of suspicious activity (e.g., additional compliance and technical team resources, software costs.) It would also help if the regulator can clarify the sources of the estimates involved or perform further consultations with the private sector and technology vendors like Notabene to arrive at more precise estimates.

4. German PII requirements are in line with the FATF Recommendations.

Crypto Securities Transfer Regulation (KryptoTransferV) § 3 paragraph 1:

“The obligor performing the transfer on behalf of the principal shall ensure that the following information is determined and stored: Name of the client
address of the client or the number of an official personal document of the client or the client number or the date and place of birth of the client
Number of the originator’s account (for example, the public key)
Name of the beneficiary and number of the beneficiary’s account (for example, the public key.)”

Notabene’s takeaway: This is in line with FATF and the most recent EU regulations. For VASPs, more streamlined Travel Rule requirements make it easier to roll out Travel Rule effectively.

5. This draft accounts for a possible lack of technical capability. 

Crypto Securities Transfer Regulation (KryptoTransferV) § 4:

“Section 4 (1) opens up the possibility of notifying the competent supervisory authority pursuant to Section 50 no. 1 AMLA that the transmission of information cannot yet be implemented or cannot be implemented in full due to a lack of technical capability for standardized transmission. The notification shall result in a suspension of the obligations under Section 3, provided that the competent supervisory authority under Section 50 no. 1 AMLA does not raise any objections under paragraph 2. Insofar as the technical implementation of the data transmission has already been taken into account in the structuring and issuance of crypto securities, a suspension of the obligations pursuant to Section 3 (2) shall not be considered.

Notabene takeaway: In the absence of viable and standardized technical messaging protocols, the German regulator can grant VASPs grace periods of up to one year. VASPs need to take steps for risk mitigation during this period, such as restricting certain types of transfers. 

‍

*Please note that we used DeepL to translate the original draft regulation from German to English. 

The FATF recently released their second 12-month review of the implementation of its virtual asset and VASP guidelines. The goal of the 12-month review is for the FATF to identify gaps in implementation and denote subsequent actions to be taken and plan forward. Below are Notabene’s key takeaways that we believe cryptoasset businesses and compliance teams should keep at the top of mind. 

1. Less than half of surveyed jurisdictions have introduced the necessary legislation

While the FATF recognizes the ‘significant progress’ by jurisdictions in implementing a licensing or registration regime for virtual asset service providers, less than half of jurisdictions surveyed (58 of 128) have introduced the necessary legislation. Even fewer have enforced the regulations or introduced the Travel Rule.

Notabene Takeaway: The low number of reported compliance leads the FATF to believe that we are still far from a global AML/CFT regime for virtual assets, which, in turn, encourages jurisdictional arbitrage. Also, with national jurisdictions behind on implementing the Travel Rule, this disincentivizes the private sector to invest in technological solutions and build compliance infrastructure. 

Below are two charts; the first compares FATF and the FSRB (FATF-Style Regional Bodies, which are autonomous regional organizations that help FATF implement its global AML/CFT policy) and their approach and readiness to crypto regulation. The second chart details which activities jurisdictions allow after passing crypto regulation.

2. Most jurisdictions are not Travel Rule compliant, leading to a significant obstacle to effective global AML/CFT mitigation

Two years after the FATF revised its Standards, most jurisdictions and VASPs are not currently Travel Rule compliant. The FATF sees this as a significant obstacle to effective global AML/CFT mitigation and undermines the effectiveness and impact of the revised FATF Standards.

Ten jurisdictions reported that they had implemented Travel Rule requirements for VASPs and that these requirements were being enforced. In comparison, a further 14 jurisdictions said they had introduced Travel Rule requirements, but they were not yet enforced. 

Notabene Takeaway: There is a vicious circle happening; the lack of national implementation reduces the incentive for technical progress. The lack of technological progress is used to justify the lack of national implementation. In the near future, greater jurisdictional implementation will be a necessary prerequisite to kick off technical progress.  

“Rapid implementation by all jurisdictions will act as the catalyst to promote the development of technical solutions and compliance by VASPs.” - FATF Second 12-month review of the Revised FATF standards on VAs and VASPs (July 2021)

3. Jurisdictional arbitrage is a growing problem

There has been a significant increase in the value of virtual assets collected as ransomware payments and in the use of virtual assets to commit and launder the proceeds of fraud in the last year. The proceeds of such ransomware attacks are often moved via unhosted or privacy wallets and/or other anonymity-enhancing tools and methods to VASPs. Most identified ML/TF activity relates to activity that is native to virtual assets. It is much less clear the extent to which virtual assets are being used to launder proceeds of crime that originate in fiat currency.

Notabene Takeaway: Non-compliant VASPs and privacy-enhancing tools facilitate an atmosphere of jurisdictional arbitrage. This creates a great environment for ransomware transacted through virtual assets. VAs are increasingly used for collecting ransomware - uneven implementation of regulatory regimes leading to jurisdictional arbitrage, non-compliant VASPs, and privacy-enhancing tools facilitate it.

4. FATF found no need to amend standards to include P2P transactions

FATF noted:

"If P2P transactions were to increase to the point that were to occur almost entirely on a P2P basis and criminals were able to exist entirely in the virtual asset ecosystem, without ever interacting with VASPs and on- and off-ramps to the traditional fiat economy, the current FATF Standards might need revision to sufficiently mitigate the ML/TF risks."

FATF continues with:

"VASPs currently play an important role in the virtual asset ecosystem. While P2P transfers occur in the ecosystem, VASPs are needed for the exchange or withdrawal of virtual assets for fiat currency. In addition, investigators, blockchain analytic companies, and other parties can generally capture information on P2P transactions generated on public blockchains, which can be transparent and traceable. This information can provide greater visibility of virtual asset transfers than off-chain transfers or transfers on private blockchains, including those carried out by VASPs, and assist in AML/CFT risk mitigation."

Notabene Takeaway: Suppose P2P transactions were to increase to the point that criminals could exist entirely in the virtual asset ecosystem without ever interacting with VASPs and on-and-off-ramps to the traditional fiat economy. In that case, the current FATF Standards might need revision to mitigate the ML/TF risks sufficiently. Currently, the FAFT found no need to amend the revised FATF standards, due in part to reliance on other players such as blockchain analytic companies, investigators, and the inherent traceable nature of public blockchains.

For example, if the addresses that are used for P2P and peer-VASP transactions could be correctly linked, it will inform the development of risk profiles and identity attribution for unhosted wallets. This may grow over time as more transfers are recorded on public blockchains.

‍

5. All jurisdictions need to implement the revised FATF Standards, including Travel Rule requirements, as quickly as possible.

The report states:

"The FATF should focus on the effective implementation of the currentFATF Standards on virtual assets and VASPs across the GlobalNetwork. Members of the FATF and its broader Global Network should implement the revised FATF Standards (R.15/INR.15) as a matter of priority."

Notabene Takeaway: To accelerate the implementation of the Travel Rule by the private sector, FATF members, particularly those who are leaders in AML/CFT regulation of VASPs, are advised to work collaboratively with each other and the private sector to facilitate the implementation of the Travel Rule.

With over 36 years of experience, spanning from heading global compliance teams at Fidelity to Director of the Southeast Region of the SEC, Advisor to Notabene, Charles V. Senatore has amassed diverse insight for compliance officers operating in the crypto industry.

During this fireside chat with Co-founder and CEO of Notabene Pelle Brændgaard, Chuck covers:

• A promise he committed to a higher-up that earned him a seat at the business partner table.
• Steps compliance officers can take to move from being perceived as the “anti-business” department to becoming an integral part of product teams by contributing early to product development. 
• Three tips that crypto firms can do to encourage regulatory regimes to take a risk-based approach to achieving desired regulatory outcomes instead of mandating the entire technology.

----

‍Pelle Brændgaard (PB): Thank you for joining me. Please tell us about your path into compliance.

Charles V. Senatore (CS): It was an unlikely route. But, looking in retrospect, I had a collection of experiences that ended up uniquely suiting me to becoming a compliance officer without ever having planned to become one. I am a lawyer with a multifaceted background.

First, I was a trial lawyer, so I understand dealing with issues like dispute resolution. Next, I became a federal prosecutor and became familiar with criminal laws, how they affect defendants, and how they are enforced. I then became a law firm partner, where I gained an understanding of the client’s perspective. Later, I became a senior regulator at the SEC, where, with a slightly different lens, I got deeper into public policy and understanding the drivers behind financial regulation. 

Then I unexpectedly became a compliance officer after experiencing what I would call a “bear hug.”  For those of you that are unfamiliar with mergers and acquisitions, a bear hug is a takeover offer that a target must respond to, with enormous pressure to say “yes.” In my case, I received a request from the general counsel for whom I was working, who asked me if I would consider taking on the compliance director role for a significant business unit. I was quite happy with my current role as an in-house lawyer at that time, so I gently pushed back. But it soon became apparent that this was less of a request and more of a demand. So, I began my unplanned compliance journey, which led to me leading global compliance functions, first at Merrill Lynch and later at Fidelity. 

Grabbing a seat at the leadership table as a compliance officer

PB: I know that you’re passionate about the value that compliance brings to a business. But, unfortunately, we sometimes hear from compliance teams that they are often not seen as a strategic function but as a necessary evil or a checkbox you just have to deal with. Have you experienced something like this in your career, and what did you do to change this perception?

CS: Great question. Compliance Officers are often in danger of being perceived as “the anti-business department.” If compliance officers behave in a way where they’re perceived as always saying “No,” it’s understandable why business partners may see them as an obstacle versus being part of the solution to help the business grow.

I’ll share a quick story. When I first assumed my compliance role, I was surprised to learn that the business heads never dealt with the compliance leader directly, instead of communicating indirectly and only on an as-needed basis through staff. I thought this was a little odd. So I initiated a direct connection with one of the business heads. In that first meeting, he asked me why we were meeting. I sensed that he questioned the value of him meeting with me when their practice had been simply to deal with compliance issues through staff when they arose.

I explained that I thought it would make sense for both of us to be better connected and working together. I also wanted a better one-on-one connection with other business leaders. I offered him a promise: whenever an issue arose, I would do whatever I could to find a way to realize the business vision and get to a “yes.” We would think as creatively and responsibly as possible and consider every alternative to reach a “yes,” unless it became abundantly clear that, after all that thought and effort, the answer had to be “no.” In exchange, I requested that he introduce me to the management ranks and invite me to their business meetings.

The change in how the compliance department was perceived didn’t happen overnight. When I first attended a national sales managers meeting and introduced myself as the compliance officer, the people I met were polite but uneasy. But over time, the strategy worked. Within a few years, I was invited to join the business unit’s operating committee. 

‍
The message here is understanding that reflexively saying “no” really isn’t a great option. Instead, a real value-add is helping the business get to a “yes” responsibly and consistently, not just with regulation but also with what’s suitable for the company and customers. And that ends up introducing the opportunity for compliance officers to be at the table and be a respected part of leadership.

Crypto compliance is based on classical banking principles

PB: Coming from the banking world, what do you see as some of the biggest challenges from a compliance perspective regarding supporting new crypto-based products?

CS: Today, we rely on principles based on classical banking and payment transactions and apply them to various new constructs. The big challenge is having those same principles work in a new setting. 

The industry is experiencing what I would call a square peg in a round hole regulatory phenomenon. Currently, the challenge is to figure out how to take those timeless principles, those underlying the foundations of, for example, the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) customer identification and reporting, and translate them into a new and different world.

We’re facing a rapidly maturing market with lots of new products. Even digital fiat is being discussed in countries where it could become a legal tender. But regulators need to assess what kind of issues they may produce and what bad things could happen as a result. The crypto industry is like a gangly teenager with growing pains, finding their way as they grow. Right now, we’re trying to help the industry mature and grow in a way that doesn’t create counterproductive issues. 

PB: It’s a challenge we’re seeing our customers grapple with all the time. And that leads me to the next question. US regulators have a history of a technology-agnostic view on managing ML/TF risks, which has been a boon to the US crypto industry in the past because they essentially let the industry figure out how to solve compliance. 

But the recent notice of proposed rule-making (NPRM) from the Department of Treasury seems to be setting a new precedent of more specific technical guidance instead of a more technology-agnostic approach. Do you see this as a general trend that’s coming, or is this something we can take on as an industry to encourage FinCEN to continue with a technology-agnostic approach?

Mandating a technology doesn’t end well 

CS: Unfortunately, there is a history where regulators have dictated a particular technology. And frankly, it often doesn’t end well in the long run. 

Here’s a well-known example in the securities space. “Write Once, Read Many” (WORM) is a mandated requirement by a books and records retention regulation created over 20 years ago. WORM required records to be kept on optical disks to ensure that records could not be altered. Today, this standard still exists, despite technological innovations that could enable less costly ways to ensure records can’t be changed. To comply, some firms have to duplicate their records by copying them onto those disks. You end up with these two redundant systems. It’s incredibly inefficient, and regulators have been, unfortunately, slow. 

The WORM example demonstrates why I believe mandating a technology doesn’t end well. The danger of mandating a technology is that the technology changes, yet the regulation stays set to a specific point in time. It’s hard to unwind it, and it creates all sorts of inefficiencies.

Regarding the recent NPRM, I believe there might be hope that regulators will not mandate a specific technology. Many regulatory regimes, FinCEN included, contemplate a risk-based approach when it comes to regulatory compliance. A risk-based approach allows you to deal with different cases and situations based on specific conditions in a firm, while a mandated or recommended approach may not fit and does not lead to good outcomes. In crafting the NPRM as it applies to unhosted wallets, FINCEN was essentially borrowing from existing BSA principles. 

PB: Is there anything you think the crypto industry should do to encourage regulators to take this approach?

CS: There are three things the industry can do. 

1. Firms should remember that at the end of the day, the onus is on them to create the proper internal controls and be accountable for outcomes.
2. The industry must gather as a community. I understand that, in general, individual businesses compete with each other. But when it comes to regulatory compliance issues, in my experience, collaboration and sharing ideas happen more freely. There appears to be an appreciation that “a rising tide lifts all boats.” In my experience, the firms I worked for certainly had competitors. But when it came to compliance, people from different firms were willing to share best practices.
3. Engage with regulators responsibly. Having a healthy relationship with the regulators enables all parties to understand the challenges facing an industry while fostering awareness regarding emerging technologies, improving controls, and mitigating risks.  
   

There is certainly a potential for adverse interactions with regulators, particularly when problems arise at our firms. And it’s understandable why some in the industry would want to avoid contact with them unless absolutely necessary. However, even in those circumstances, having a constructive relationship of trust with regulators often goes a long way towards a thoughtful and fair resolution. 

Additionally, there are other scenarios in which regulator interest can actually be positive. Often, regulators value their relationship with responsible industry participants because they want to understand where the markets are going and better understand the technology. Regulators, as public servants, have a laudable interest in the integrity of our markets, and keeping up to speed is crucial for executing their mission. Because if they don’t, regulations begin to become out of date and less effective. And if there are new and emerging technologies that regulators don’t understand, they risk finding themselves behind the curve. As such, many regulators are eager to engage and to learn.

Ultimately, our ideal scenario here in the United States, which I assume is also the case elsewhere, is to develop a paradigm where regulators and industry promote responsible innovation by learning together. Some jurisdictions, for example, in the UK’s FCA, appear to be further along, with their embracing of sandboxes and proactive collaboration with industry. These are examples of how a healthy regulatory relationship can benefit an industry.

Viewing compliance as a business strategy

PB: When FinCEN started instituting rules for applying the BSA to crypto companies, they tended to react in a few different ways. Some saw it as an opportunity to get regulatory compliance, while others moved offshore. Now, many are starting to see that compliance could be a competitive advantage, particularly in this crowded market that we see today in the crypto space. Do you think compliance can be an opportunity for differentiation?

CS: No question about that. Compliance offers an opportunity for differentiation whether regarding crypto, a banking transaction, or an investment transaction. Whenever anybody handles other people’s money, they really need to care that there are first-class controls and first-class attention to the welfare of clients. 

I’ll give you an example from the history of mutual funds. Many years ago, in the early 2000s, there was a scandal where certain mutual fund firms allowed special privileges to a particular client. Basically, the client said, “Look, I will give you lots of money as assets, from which you can earn hefty management fees. In exchange, I want you to allow me to trade more frequently than you allow other shareholders, to enable me to arbitrage various markets, and allow me special privileges to place mutual fund orders after the close of the markets–so I can get the previous day’s price.” This client essentially asked for a unique advantage, as one regulator said, to bet on yesterday’s horse race.

Over 20 mutual fund firms agreed to give the client that unfair advantage. But, once the scandal broke, the fallout for these firms was dramatic. For example, one firm, pre-scandal, had assets under management in the range of $360B. But, clients pulled significant assets out post-scandal, resulting in a dramatic loss of assets under management (AUM) down to approximately $60B. Considering that a mutual fund firm’s revenue is based on a percentage of AUM, I think you can imagine the magnitude of investment management fees lost. And it’s still as yet to fully come back to its former glory.

My point here is that clients and investors care about these issues, so having great compliance is a competitive advantage. When you’re in a position of trust, whether it’s doing a transaction, whether it’s providing custody, whether it’s managing investments, or otherwise, people are trusting you with their money. So if you don’t do that well, if you don’t have the commitment and controls, you’re going to lose ground to firms with strong and effective compliance programs.

A great compliance program can bring a large competitive advantage. Going back to the earlier question, when compliance officers work shoulder to shoulder alongside the firm’s leadership and jointly think about these things, this leads to extraordinary outcomes.

PB: We’re seeing more and more institutional players enter the space. For companies that want to service that market, will regulatory compliance become even more important than when servicing the average retail investor?

CS: In terms of the amount of money at stake, yes. However, we should remember that retail investors hold a special place in the hearts of regulators and in the regulatory scheme generally across the board. 

For example, when it comes to securities laws, there are stringent disclosure requirements and registration requirements that apply to the offering of securities meant to ensure that investors understand all the details and risks of an investment. This is intended to protect the “mom and pop” investor. However, the securities laws implicitly recognize that institutional investors, or those that are accredited, are in a better position to fend for themselves, resulting in more relaxed disclosure requirements. So institutional investors are presumed to need less protection.

With respect to cryptocurrencies, the risks and opportunities for bad outcomes for investors are actually higher at the retail level. When one considers the plenary risks of loss of assets and volatility versus other investments, mom and pop investors choosing to engage in the crypto markets could lose a larger percentage of their nest egg than an institutional investor. 

This goes back to the earlier point of the importance of best practices and controls. Even though institutional investors may have more risk tolerance, they still don’t want to risk the loss of potentially large sums. So, institutional clients want institutional level comfort. You’ll see custodians that hold crypto looking to compete on enhanced security with respect to key management, anti-hacking protocols, and critical ceremonies. Firms will demand best practices. Over time, reviews by independent parties such as SOC reviews and similar risk assessments will become very important. Because crypto presents a new set of challenges, people will really care that there are robust controls before entrusting their assets to crypto companies.

Involving the compliance team early in the ideation process‍

PB: If you’re a compliance officer working at a crypto business, what can you do to help the business see potential new growth areas through regulatory compliance, like expanding into new markets or creating new products?

CS: New product ideas will have better outcomes if compliance officers successfully integrate themselves from the start. Nothing frustrates a business more than having a great idea for a use case if they bring in a compliance officer who says it’s not going to work down the road. It creates a lot of frustration and gives rise to the risk of being perceived as the “anti-business” department. 

Going back to our earlier conversation, we talked about how compliance officers might tend to be conservative and gravitate to saying “no” in terms of dealing with the business. So the onus is also on them to behave in a way that makes them a business partner. 

If the business is thinking about new products, everyone needs to be aligned right from the start and think about it in real-time. I think of this as analogous to an agile program where real-time creation is happening and where product requirements are curated and tested during the development process. 

The role of the compliance team here should be to gain an understanding of the new products and keep in mind the timeless principles the regulators care about. If they look back to the essence of what regulators tend to think about, then they can provide input from the onset as to how these principles may need to apply to an emerging setting.

Most compliance principles fall into two major buckets. They are either binary “yes” or “no” decisions or risk-based considerations. An example of a binary decision where there is no debate is the Anti-Money Laundering Currency Transaction Report (AML CTR) requirement to report transactions in excess of $10,000. There is no space for flexibility there and no room for judgment. It just must be done.
‍
But suppose you’re working through a new use case without a specific binary regulatory requirement. In that case, you now have to think about what regulatory principles could apply and what best practice principles you can borrow from to build a program. While you can’t do anything about binary “yes” or “no” requirements except to make sure you identify them, your value as a compliance officer in the absence of such requirements is applying time tested risk-based principles to get a high level of comfort that you’ve assessed your risk appropriately and proposed mitigation steps accordingly.

PB: With this fast-moving crypto regulatory environment, we’ve seen so much happen in the last year, and we expect a lot more is going to happen over the next 1-2 years. What tips do you have for compliance teams as they put together their compliance strategies?

CS: We talked earlier about how compliance can be embedded more meaningfully as a partner and be part of the business and the importance of regulatory engagement. We just covered how compliance teams need to identify the binary requirements and the timeless principles that enable the adaptation or creation of something new. These are all essential elements for compliance teams to consider as they map out their approaches.

I would like to end with one more point. Today, across the industry, we don’t yet have many people with both the technical know-how and the understanding of how to apply regulation. 

The key thing is that compliance officers should consider, particularly when entering uncharted waters, is that regulators have these timeless principles that you can use to plan compliance going forward. But at the end of the day, having people who both understand tech and how these regulatory principles will apply to it will be necessary ingredients. The teams with these capabilities will be best suited to nimbly and quickly adapt as new use cases emerge. It will take collaboration among different teams and working seamlessly together to reduce friction and allow innovation to flourish.

PB: Perfect. Thank you very much, Chuck. 
‍

Want to learn more about how to empower your business with compliance? Reach out to the Notabene Team.
‍

‍