On June 20, 2021, the European Commission published a proposal for regulating the transfers of funds and certain crypto-assets. This current proposal recasts Regulation EU 2015/847 as part of an AML/CFT package of four legislative proposals that are considered one coherent whole in implementing the Commission Action Plan of May 7, 2020. This proposal creates a new and more coherent AML/CFT regulatory and institutional framework within the EU. The package encompasses:

• a proposal for a regulation on the prevention of the use of the financial system for the purposes of money laundering (ML) and terrorist financing (TF)
• a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/TF purposes, and repealing Directive (EU) 2015/849;
• a proposal for a Regulation creating an EU Anti-Money Laundering Authority (AMLA)8, and
• This proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets.
  

In essence, this regulation takes May 2015’s Directive (EU) 2015/847 on ‘the information accompanying transfers of funds and updates it to adequately cover virtual assets while repealing the over-reaching requirements of Directive (EU) 2015/849.

This regulation will enter into force on the 20th day after publication in the official journal. 

Read Notabene's key takeaways:

1. The EU sees the need for harmonized international rules

This proposal package addressed the need for harmonized rules across the internal market.

On May 7, 2020, the Commission presented an Action Plan for a comprehensive Union policy on preventing money laundering and terrorism financing. In that Action Plan, the Commission committed to taking measures to strengthen the EU’s rules on combating money laundering and terrorism financing and their implementation, with six priorities or pillars:
1. Ensuring effective implementation of the existing EU AML/CFT framework,

2. Establishing an EU single rulebook on AML/CFT,

3. Bringing about EU-level AML/CFT supervision,

4. Establishing a support and cooperation mechanism for FIUs,

5. Enforcing EU-level criminal law provisions and information exchange,

6. Strengthening the international dimension of the EU AML/CFT framework.

Pillars 1, 5, and 6 of the Action Plan are currently being implemented partly due to the support of both The European Parliament and the Council. The other pillars demand legislative action. Yet, evidence provided by reports and internal assessments identified that. In contrast, the requirements of Directive (EU) 2015/84912 were far-reaching; their lack of direct applicability and granularity led to a fragmentation in their application along national lines and divergent interpretations.

In response, this proposal updates Regulation EU 2015/847 while repealing Directive (EU) 2015/849.  

Notabene’s assessment: The EU believes a more harmonized front to combat money-laundering and terrorism financing is required. A country-by-country implementation has not proven very effective. They hope this would alleviate jurisdictional arbitrage or the milder term they call “jurisdictional shopping.” 

2. GDPR applies to CASPs

The EU clarifies that GDPR applies to CASPs (crypto asset service providers - the EU’s terminology equivalent to FATF’s virtual asset service providers.)

Article 15:

The EU is committed to ensuring high standards of protection of fundamental rights. Under article 15 of the current regulation, the processing of personal data under this Regulation is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council31.Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council32. The General Data Protection Regulation33 will apply to CASPs as regards the personal data handled and attached to cross-border transfers of value using virtual assets.

Article 20:

Payment and crypto-asset service providers shall ensure that the confidentiality of the data processed is respected.

Additionally, CASPs must keep records of information on the originator and the beneficiary for five years; they must delete them.

2015/847 recital 29:

As it may not be possible in criminal investigations to identify the data required or the individuals involved in a transaction until many months, or even years, after the original transfer of funds or transfer of crypto-assets  , and in order to be able to have access to essential evidence in the context of investigations, it is appropriate to require payment service providers or crypto-asset service providers to keep records of information on the payer and the payee or the originator and the beneficiary for a period of time for the purposes of preventing, detecting and investigating money laundering and terrorist financing. That period should be limited to five years, after which all personal data should be deleted unless national law provides otherwise.

Notabene’s assessment: Many in the crypto industry have been long awaiting what the verdict on GDPR would be regarding the Travel Rule in the EU. The EU states that going forward, CASPs will need to implement a GDPR-compliant secure data storage solution, making it clear that AML/CFT measures supersede this.  

3. Personally Identifiable Information obligations accompanying transfers of crypto-assets are in line with FATF

Article 14:

OBLIGATIONS ON THE CRYPTO-ASSET SERVICE PROVIDER OF THE ORIGINATOR
Information accompanying transfers of crypto-assets
1. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the originator:
(a) the name of the originator;
(b) the account number of the originator, where an account is used to process the transaction;
(c) the originator’s address, official personal document number, customer identification
number or date and place of birth.
2. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the beneficiary:
(a) the name of the beneficiary;
(b) the beneficiary’s account number, where such an account exists and is used to process the transaction.

‍

Notabene’s assessment: By adhering to FATF suggested guidelines, it is easier for CASPs (or VASPs) to have unified rules as they comply cross-jurisdictionally.

4. Stakeholders consulted by the EU express concern about the walled garden of compliance.

pg 7:

Stakeholder input on the Action Plan was broadly positive. However, some European UnionVASP representatives claimed that the absence of a standardised global, open source and free, technical solution for the travel rule could lead to the exclusion of small actors from the crypto-assets market, with only important players being able to afford compliance with the rules.

Notabene’s assessment: Several working groups noted the possible exclusion of small players in the crypto-assets market if compliance is too complex and too expensive to roll out. If only a few exchanges can afford compliance or if messaging protocols are not free and open, a walled-garden scenario would cause a few “important” players to operate. At the same time, the rest may be hit with fines and must close.

5. The threshold is set at EUR 1000, but Travel Rule requirements still apply for lower thresholds (albeit with less PII shared)

The EU has set a threshold of EUR 1000, in line with FATF recommended guidelines. Above that, originator CASPs need to share originator identifying information beyond just name (i.e., physical address, official personal document number, customer identification number, or date and place of birth). The EU does call out transactions that may be part of structuring -  whereby the asset appears to be linked to other transfers that amount to EUR 1000. The travel rule also applies to them.

2015/847 recital 16:

In order not to impair the efficiency of payment systems and crypto-asset transfer services, and in order to balance the risk of driving transactions underground as a result of overly strict identification requirements against the potential terrorist threat posed by small transfers of funds or crypto-assets, the obligation to check whether information on the payer or the payee, or, for transfers of crypto-assets, the originator and the beneficiary, is accurate should, in the case of transfers of funds where verification has not yet taken place, be imposed only in respect of individual transfers of funds or crypto-assets that exceed EUR 1000, unless the transfer appears to be linked to other transfers of funds  or transfers of cryptoassets which together would exceed EUR 1000, the funds or crypto-assets have been received or paid out in cash or in anonymous electronic money, or where there are reasonable grounds for suspecting money laundering or terrorist financing.

The EU also calls out in Article 15 that the travel rule applies below the EUR 1000, but with only originator and beneficiary names shared.

Article 15:

By way of derogation from Article 14(1), transfers of crypto-assets not exceeding EUR1 000 that do not appear to be linked to other transfers of crypto-assets which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least the following information:(a) the names of the originator and of the beneficiary;(b) the account number of the originator and of the beneficiary or, where Article 14(3)applies, the insurance that the crypto-asset transaction can be individually identified;

Notabene’s assessment: The European Commission has no desire to create overly strict requirements that impede the flow of transactions. But by requiring Travel Rule below the threshold, they are boldly signaling the importance of the Travel Rule to CASPs and asking them to take a more comprehensive or holistic approach to travel rule implementation.

6. Transfers of crypto assets from the EU to outside the EU should include a Legal Entity Identifier (LEI)

2015/847 recital 19 (adapted):

In order to allow the authorities responsible for combating money laundering or terrorist financing in third countries to trace the source of funds or crypto-assets used for those purposes, transfers of funds or transfer of crypto-assets from theUnion to outside the Union should carry complete information on the payer and the payee. Complete information on the payer and the payee should include the LegalEntity Identifier (LEI) when this information is provided by the payer to the payer’s service provider, since that would allow for better identification of the parties involved in a transfer of funds and could easily be included in existing payment message formats such as the one developed by the International Organisation for Standardisation for electronic data interchange between financial institutions.

Notabene’s assessment: Many in the crypto industry had pushed for the adoption of LEIs in the FATF guidance. While suggested as an identifier, the FATF did not introduce them as a requirement. We see the EU requirement as an excellent first step in accepting a more unified, global identification system for legal entities that will reduce diligence costs for CASPs for cross-border transfers.

7. Beneficiary CASPs should have effective risk-based procedures that apply where a transfer lacks the required information

2015/847 recital 22 (adapted):

As regards transfers of crypto-assets, the crypto-asset service provider of the beneficiary should implement effective procedures to detect whether the information on the originator is missing or incomplete. These procedures should include, where appropriate, monitoring after or during the transfers, in order to detect whether the required information on the originator or the beneficiary is missing. It should not be required that the information is attached directly to the transfer of crypto-assets itself, as long as it is submitted immediately and securely, and available upon request to appropriate authorities.

Article 12 calls for the beneficiary CASP to reject a transfer if it is missing data.
‍
Article 12:

Transfers of funds with missing information on the payer or the payee
1. The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.

Additionally, the proposal goes on to say, “If a CASP continues to submit transfers with incomplete data, the counterparty CASP could take steps to reject any future transfers of funds or terminate the business relationship.” Beneficiary CASPs must implement adequate procedures to detect whether the originator information is missing or complete. 

2015/847 recital 23 (new):

Given the potential threat of money laundering and terrorist financing presented by anonymous transfers, it is appropriate to require payment service providers to request information on the payer and the payee. In line with the risk-based approach developed by FATF, it is appropriate to identify areas of higher and lower risk, with a view to better targeting the risk of money laundering and terrorist financing. Accordingly, the crypto-asset service provider of the beneficiary, the payment service provider of the payee and the intermediary payment service provider should have effective risk-based procedures that apply where a transfer of funds lacks the required information on the payer or the payee, or where a transfer of crypto-assets lacks the required information on the originator or the beneficiary, in order to allow them to decide whether to execute, reject or suspend that transfer and to determine the appropriate follow-up action to take.

Notabene’s assessment: A risk-based approach to compliance is urged and recommended for CASPs. This is good news for companies who can take a more nuanced approach to travel rule, especially during the sunrise period when many counterparty institutions may not respond quickly.

8. Member states should lay down sanctions to encourage compliance 

2015/847 recital 30:

In order to improve compliance with this Regulation, and in accordance with theCommission Communication of 9 December 2010 entitled ‘Reinforcing sanctioning regimes in the financial services sector’, the power to adopt supervisory measures and the sanctioning powers of competent authorities should be enhanced. Administrative sanctions and measures should be provided for and, given the importance of the fight against money laundering and terrorist financing, Member States should lay down sanctions and measures that are effective, proportionate and dissuasive. Member States should notify the Commission and the Joint Committee of EBA, EIOPA and ESMA(the ‘ESAs’) thereof.

The proposal goes on to state that legal persons can be held liable for breaches:

Chapter 5: Sanctions and monitoring:

5. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 2318 committed for their benefit by any person acting individually or aspart of an organ of that legal person, and having a leading position within the legal person based on any of the following:(a) power to represent the legal person;(b) authority to take decisions on behalf of the legal person; or(c) authority to exercise control within the legal person.

Competent authorities may impose administrative sanctions and measures in collaboration with other authorities.

Chapter 5: Sanctions and monitoring:

7. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways:EN 41 EN(a) directly;(b) in collaboration with other authorities;(c) under their responsibility by delegation to such other authorities;(d) by application to the competent judicial authorities.In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases

Article 23:

Member States shall ensure that their administrative sanctions and measures include at least those laid down by Articles 40(2), 40(3) and 41(1)59(2) and (3) [...] in the event of the following breaches of this Regulation:
(a) repeated or systematic failure by a payment service provider to include the required information on the payer or the payee, in breach of Article 4, 5 or 6 or by a crypto-asset service provider to include the required information on the originator and beneficiary, in breach of Articles 14 and 15;
(b) repeated, systematic or serious failure by a payment service provider or crypto-asset service provider  to retain records, in breach of Article 2116;
(c) failure by a payment service provider to implement effective risk-based procedures, in breach of Articles 8 or 12  or by a crypto-asset service provider to implement effective risk-based procedures, in breach of Article 17;
(d) serious failure by an intermediary payment service provider to comply with Article 11 or 12.

Notabene’s assessment: While there will be a centralized body for AML/CFT revision at the EU level, enforcement (e.g., sanctions) still gets performed at the member state level. We’re interested to see how effective this approach will be for EU member states.

9. This regulation does not apply to p2p transfers

Article 2:

Electronic money tokens, as defined in Article 3(1), point 4 of Regulation shall be treated as crypto-assets under this Regulation. This Regulation shall not apply to person-to-person transfer of crypto-assets.

Notabene’s assessment: While P2P is not affected, the EU does not comment on transactions between CASPs and noncustodial or unhosted wallets. This is good news for now, though certain member states have rolled out their own requirements (e.g., Netherlands). 

10. The originator CASP should provide appropriate customer PII within three working days of receiving a request from the beneficiary CASP

Article 5: Transfers within the European Union:‍

2. Notwithstanding paragraph 1, the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the
following:
(a) for transfers of funds exceeding EUR 1000, whether those transfers are carried
out in a single transaction or in several transactions which appear to be linked, the
information on the payer or the payee in accordance with Article 4;
(b) for transfers of funds not exceeding EUR 1000 that do not appear to be linked
to other transfers of funds which, together with the transfer in question, exceed EUR
1000, at least:
(i) the names of the payer and of the payee; and
(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier

On May 11th, 2021, The German Federal Ministry of Finance published a working ordinance draft bill, the Crypto Securities Transfer Regulation, Krypto Wertetransfer Verordnung (KryptoTransferV), which included increased “duties of care” in the transfer of virtual assets.

Later, on June 14th, the German Federal Ministry of Finance released the updated hearing on the draft bill that requires crypto asset companies to enforce the Travel Rule. The regulation prohibits the transmission of information about clients and recipients arranged for transferring crypto values, as is the case with money transfers. This regulation is based on Regulation (EU) 2015/847 of the European Parliament and of the Council. The German Federal Ministry of Finance will approve the ordinance by the end of 2023. 

Read our key takeaways:
‍

1. Germany required the Travel Rule before the European Commission

Crypto Securities Transfer Regulation (KryptoTransferV) § 3:

“Possible alternatives do not represent justifiable alternatives to the proposed regulation with regard to proportionality on the one hand and the limitation of the threat posed by anonymous transactions on the other. A prohibition of transactions on electronic wallets that are not administered by a crypto custodian has only a very limited effect due to the mostly cross-border nature of crypto transfer business and presents itself as a less proportionate alternative compared to the proposed transmission of information. Due to the high risks posed by anonymous crypto power transfers, the adaptation of European regulation cannot be waited for.” 

Notabene takeaway: This is a strong example of a national regulator taking things into their own hands and moving forward with crypto rules before being enforced on a European Union level. In this case, the German regulator implies that imposing Travel Rule is a more effective alternative to banning non-custodial wallets due to their cross-border nature.

2. Germany views transfers to self-managed electronic wallets as the starting point of a suspicious transaction.

Crypto Securities Transfer Regulation (KryptoTransferV) § A:

In addition, the transfer of cryptovalues ​​to an electronic wallet that is not managed by a crypto custodian (self-managed electronic money exchange), or vice versa, is viewed as a case constellation with increased risk. So can the Forwarding of crypto values ​​to a self-managed electronic wallet represent a starting point for a suspicious transaction.

Notabene takeaway: While many regulators have signaled that they view transactions to non-custodial wallets as higher risk, it is surprising to see that the German regulator deems them as a starting point for suspicious transactions. This is a stricter stance than what FATF details in their latest guide. We expect that this will impact whether German VASPs will continue to allow transactions to non-custodial wallets, especially ones to third parties.  

3. The German proposal includes estimations of compliance costs

Crypto Securities Transfer Regulation (KryptoTransferV) § V:

"This ordinance does not impose any costs on citizens.
‍
The estimate of the compliance burden is subject to considerable uncertainty. If the requirements of the Ordinance are largely met, the compliance burden on business will be higher. If greater use is made of the notification requirement under Section 4 of the Ordinance, the costs for the economy will be lower.
‍
For the business community, there will be recurring compliance costs of approximately €420,800. In the event of an increase in the number of cases, no further costs for the implementation of Section 3 of the Ordinance can be assumed due to the expected automation of data transmission and the associated synergy effects, especially since it is expected that providers will offer flat rates for the implementation of data transmission for crypto value transfers.
‍
The administration will incur recurring compliance costs of approximately €157,000.”

Notabene takeaway: It is a reasonable effort for the regulator to quantify potential compliance costs for regulated institutions that must comply quickly. However, it is unclear how these estimates were reached without a more detailed breakdown of the charges, the large upfront investments companies need to make, and the daily maintenance costs to ensure proper detection of suspicious activity (e.g., additional compliance and technical team resources, software costs.) It would also help if the regulator can clarify the sources of the estimates involved or perform further consultations with the private sector and technology vendors like Notabene to arrive at more precise estimates.

4. German PII requirements are in line with the FATF Recommendations.

Crypto Securities Transfer Regulation (KryptoTransferV) § 3 paragraph 1:

“The obligor performing the transfer on behalf of the principal shall ensure that the following information is determined and stored: Name of the client
address of the client or the number of an official personal document of the client or the client number or the date and place of birth of the client
Number of the originator’s account (for example, the public key)
Name of the beneficiary and number of the beneficiary’s account (for example, the public key.)”

Notabene’s takeaway: This is in line with FATF and the most recent EU regulations. For VASPs, more streamlined Travel Rule requirements make it easier to roll out Travel Rule effectively.

5. This draft accounts for a possible lack of technical capability. 

Crypto Securities Transfer Regulation (KryptoTransferV) § 4:

“Section 4 (1) opens up the possibility of notifying the competent supervisory authority pursuant to Section 50 no. 1 AMLA that the transmission of information cannot yet be implemented or cannot be implemented in full due to a lack of technical capability for standardized transmission. The notification shall result in a suspension of the obligations under Section 3, provided that the competent supervisory authority under Section 50 no. 1 AMLA does not raise any objections under paragraph 2. Insofar as the technical implementation of the data transmission has already been taken into account in the structuring and issuance of crypto securities, a suspension of the obligations pursuant to Section 3 (2) shall not be considered.

Notabene takeaway: In the absence of viable and standardized technical messaging protocols, the German regulator can grant VASPs grace periods of up to one year. VASPs need to take steps for risk mitigation during this period, such as restricting certain types of transfers. 

‍

*Please note that we used DeepL to translate the original draft regulation from German to English. 

The FATF recently released their second 12-month review of the implementation of its virtual asset and VASP guidelines. The goal of the 12-month review is for the FATF to identify gaps in implementation and denote subsequent actions to be taken and plan forward. Below are Notabene’s key takeaways that we believe cryptoasset businesses and compliance teams should keep at the top of mind. 

1. Less than half of surveyed jurisdictions have introduced the necessary legislation

While the FATF recognizes the ‘significant progress’ by jurisdictions in implementing a licensing or registration regime for virtual asset service providers, less than half of jurisdictions surveyed (58 of 128) have introduced the necessary legislation. Even fewer have enforced the regulations or introduced the Travel Rule.

Notabene Takeaway: The low number of reported compliance leads the FATF to believe that we are still far from a global AML/CFT regime for virtual assets, which, in turn, encourages jurisdictional arbitrage. Also, with national jurisdictions behind on implementing the Travel Rule, this disincentivizes the private sector to invest in technological solutions and build compliance infrastructure. 

Below are two charts; the first compares FATF and the FSRB (FATF-Style Regional Bodies, which are autonomous regional organizations that help FATF implement its global AML/CFT policy) and their approach and readiness to crypto regulation. The second chart details which activities jurisdictions allow after passing crypto regulation.

2. Most jurisdictions are not Travel Rule compliant, leading to a significant obstacle to effective global AML/CFT mitigation

Two years after the FATF revised its Standards, most jurisdictions and VASPs are not currently Travel Rule compliant. The FATF sees this as a significant obstacle to effective global AML/CFT mitigation and undermines the effectiveness and impact of the revised FATF Standards.

Ten jurisdictions reported that they had implemented Travel Rule requirements for VASPs and that these requirements were being enforced. In comparison, a further 14 jurisdictions said they had introduced Travel Rule requirements, but they were not yet enforced. 

Notabene Takeaway: There is a vicious circle happening; the lack of national implementation reduces the incentive for technical progress. The lack of technological progress is used to justify the lack of national implementation. In the near future, greater jurisdictional implementation will be a necessary prerequisite to kick off technical progress.  

“Rapid implementation by all jurisdictions will act as the catalyst to promote the development of technical solutions and compliance by VASPs.” - FATF Second 12-month review of the Revised FATF standards on VAs and VASPs (July 2021)

3. Jurisdictional arbitrage is a growing problem

There has been a significant increase in the value of virtual assets collected as ransomware payments and in the use of virtual assets to commit and launder the proceeds of fraud in the last year. The proceeds of such ransomware attacks are often moved via unhosted or privacy wallets and/or other anonymity-enhancing tools and methods to VASPs. Most identified ML/TF activity relates to activity that is native to virtual assets. It is much less clear the extent to which virtual assets are being used to launder proceeds of crime that originate in fiat currency.

Notabene Takeaway: Non-compliant VASPs and privacy-enhancing tools facilitate an atmosphere of jurisdictional arbitrage. This creates a great environment for ransomware transacted through virtual assets. VAs are increasingly used for collecting ransomware - uneven implementation of regulatory regimes leading to jurisdictional arbitrage, non-compliant VASPs, and privacy-enhancing tools facilitate it.

4. FATF found no need to amend standards to include P2P transactions

FATF noted:

"If P2P transactions were to increase to the point that were to occur almost entirely on a P2P basis and criminals were able to exist entirely in the virtual asset ecosystem, without ever interacting with VASPs and on- and off-ramps to the traditional fiat economy, the current FATF Standards might need revision to sufficiently mitigate the ML/TF risks."

FATF continues with:

"VASPs currently play an important role in the virtual asset ecosystem. While P2P transfers occur in the ecosystem, VASPs are needed for the exchange or withdrawal of virtual assets for fiat currency. In addition, investigators, blockchain analytic companies, and other parties can generally capture information on P2P transactions generated on public blockchains, which can be transparent and traceable. This information can provide greater visibility of virtual asset transfers than off-chain transfers or transfers on private blockchains, including those carried out by VASPs, and assist in AML/CFT risk mitigation."

Notabene Takeaway: Suppose P2P transactions were to increase to the point that criminals could exist entirely in the virtual asset ecosystem without ever interacting with VASPs and on-and-off-ramps to the traditional fiat economy. In that case, the current FATF Standards might need revision to mitigate the ML/TF risks sufficiently. Currently, the FAFT found no need to amend the revised FATF standards, due in part to reliance on other players such as blockchain analytic companies, investigators, and the inherent traceable nature of public blockchains.

For example, if the addresses that are used for P2P and peer-VASP transactions could be correctly linked, it will inform the development of risk profiles and identity attribution for unhosted wallets. This may grow over time as more transfers are recorded on public blockchains.

‍

5. All jurisdictions need to implement the revised FATF Standards, including Travel Rule requirements, as quickly as possible.

The report states:

"The FATF should focus on the effective implementation of the currentFATF Standards on virtual assets and VASPs across the GlobalNetwork. Members of the FATF and its broader Global Network should implement the revised FATF Standards (R.15/INR.15) as a matter of priority."

Notabene Takeaway: To accelerate the implementation of the Travel Rule by the private sector, FATF members, particularly those who are leaders in AML/CFT regulation of VASPs, are advised to work collaboratively with each other and the private sector to facilitate the implementation of the Travel Rule.

With over 36 years of experience, spanning from heading global compliance teams at Fidelity to Director of the Southeast Region of the SEC, Advisor to Notabene, Charles V. Senatore has amassed diverse insight for compliance officers operating in the crypto industry.

During this fireside chat with Co-founder and CEO of Notabene Pelle Brændgaard, Chuck covers:

• A promise he committed to a higher-up that earned him a seat at the business partner table.
• Steps compliance officers can take to move from being perceived as the “anti-business” department to becoming an integral part of product teams by contributing early to product development. 
• Three tips that crypto firms can do to encourage regulatory regimes to take a risk-based approach to achieving desired regulatory outcomes instead of mandating the entire technology.

----

‍Pelle Brændgaard (PB): Thank you for joining me. Please tell us about your path into compliance.

Charles V. Senatore (CS): It was an unlikely route. But, looking in retrospect, I had a collection of experiences that ended up uniquely suiting me to becoming a compliance officer without ever having planned to become one. I am a lawyer with a multifaceted background.

First, I was a trial lawyer, so I understand dealing with issues like dispute resolution. Next, I became a federal prosecutor and became familiar with criminal laws, how they affect defendants, and how they are enforced. I then became a law firm partner, where I gained an understanding of the client’s perspective. Later, I became a senior regulator at the SEC, where, with a slightly different lens, I got deeper into public policy and understanding the drivers behind financial regulation. 

Then I unexpectedly became a compliance officer after experiencing what I would call a “bear hug.”  For those of you that are unfamiliar with mergers and acquisitions, a bear hug is a takeover offer that a target must respond to, with enormous pressure to say “yes.” In my case, I received a request from the general counsel for whom I was working, who asked me if I would consider taking on the compliance director role for a significant business unit. I was quite happy with my current role as an in-house lawyer at that time, so I gently pushed back. But it soon became apparent that this was less of a request and more of a demand. So, I began my unplanned compliance journey, which led to me leading global compliance functions, first at Merrill Lynch and later at Fidelity. 

Grabbing a seat at the leadership table as a compliance officer

PB: I know that you’re passionate about the value that compliance brings to a business. But, unfortunately, we sometimes hear from compliance teams that they are often not seen as a strategic function but as a necessary evil or a checkbox you just have to deal with. Have you experienced something like this in your career, and what did you do to change this perception?

CS: Great question. Compliance Officers are often in danger of being perceived as “the anti-business department.” If compliance officers behave in a way where they’re perceived as always saying “No,” it’s understandable why business partners may see them as an obstacle versus being part of the solution to help the business grow.

I’ll share a quick story. When I first assumed my compliance role, I was surprised to learn that the business heads never dealt with the compliance leader directly, instead of communicating indirectly and only on an as-needed basis through staff. I thought this was a little odd. So I initiated a direct connection with one of the business heads. In that first meeting, he asked me why we were meeting. I sensed that he questioned the value of him meeting with me when their practice had been simply to deal with compliance issues through staff when they arose.

I explained that I thought it would make sense for both of us to be better connected and working together. I also wanted a better one-on-one connection with other business leaders. I offered him a promise: whenever an issue arose, I would do whatever I could to find a way to realize the business vision and get to a “yes.” We would think as creatively and responsibly as possible and consider every alternative to reach a “yes,” unless it became abundantly clear that, after all that thought and effort, the answer had to be “no.” In exchange, I requested that he introduce me to the management ranks and invite me to their business meetings.

The change in how the compliance department was perceived didn’t happen overnight. When I first attended a national sales managers meeting and introduced myself as the compliance officer, the people I met were polite but uneasy. But over time, the strategy worked. Within a few years, I was invited to join the business unit’s operating committee. 

‍
The message here is understanding that reflexively saying “no” really isn’t a great option. Instead, a real value-add is helping the business get to a “yes” responsibly and consistently, not just with regulation but also with what’s suitable for the company and customers. And that ends up introducing the opportunity for compliance officers to be at the table and be a respected part of leadership.

Crypto compliance is based on classical banking principles

PB: Coming from the banking world, what do you see as some of the biggest challenges from a compliance perspective regarding supporting new crypto-based products?

CS: Today, we rely on principles based on classical banking and payment transactions and apply them to various new constructs. The big challenge is having those same principles work in a new setting. 

The industry is experiencing what I would call a square peg in a round hole regulatory phenomenon. Currently, the challenge is to figure out how to take those timeless principles, those underlying the foundations of, for example, the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) customer identification and reporting, and translate them into a new and different world.

We’re facing a rapidly maturing market with lots of new products. Even digital fiat is being discussed in countries where it could become a legal tender. But regulators need to assess what kind of issues they may produce and what bad things could happen as a result. The crypto industry is like a gangly teenager with growing pains, finding their way as they grow. Right now, we’re trying to help the industry mature and grow in a way that doesn’t create counterproductive issues. 

PB: It’s a challenge we’re seeing our customers grapple with all the time. And that leads me to the next question. US regulators have a history of a technology-agnostic view on managing ML/TF risks, which has been a boon to the US crypto industry in the past because they essentially let the industry figure out how to solve compliance. 

But the recent notice of proposed rule-making (NPRM) from the Department of Treasury seems to be setting a new precedent of more specific technical guidance instead of a more technology-agnostic approach. Do you see this as a general trend that’s coming, or is this something we can take on as an industry to encourage FinCEN to continue with a technology-agnostic approach?

Mandating a technology doesn’t end well 

CS: Unfortunately, there is a history where regulators have dictated a particular technology. And frankly, it often doesn’t end well in the long run. 

Here’s a well-known example in the securities space. “Write Once, Read Many” (WORM) is a mandated requirement by a books and records retention regulation created over 20 years ago. WORM required records to be kept on optical disks to ensure that records could not be altered. Today, this standard still exists, despite technological innovations that could enable less costly ways to ensure records can’t be changed. To comply, some firms have to duplicate their records by copying them onto those disks. You end up with these two redundant systems. It’s incredibly inefficient, and regulators have been, unfortunately, slow. 

The WORM example demonstrates why I believe mandating a technology doesn’t end well. The danger of mandating a technology is that the technology changes, yet the regulation stays set to a specific point in time. It’s hard to unwind it, and it creates all sorts of inefficiencies.

Regarding the recent NPRM, I believe there might be hope that regulators will not mandate a specific technology. Many regulatory regimes, FinCEN included, contemplate a risk-based approach when it comes to regulatory compliance. A risk-based approach allows you to deal with different cases and situations based on specific conditions in a firm, while a mandated or recommended approach may not fit and does not lead to good outcomes. In crafting the NPRM as it applies to unhosted wallets, FINCEN was essentially borrowing from existing BSA principles. 

PB: Is there anything you think the crypto industry should do to encourage regulators to take this approach?

CS: There are three things the industry can do. 

1. Firms should remember that at the end of the day, the onus is on them to create the proper internal controls and be accountable for outcomes.
2. The industry must gather as a community. I understand that, in general, individual businesses compete with each other. But when it comes to regulatory compliance issues, in my experience, collaboration and sharing ideas happen more freely. There appears to be an appreciation that “a rising tide lifts all boats.” In my experience, the firms I worked for certainly had competitors. But when it came to compliance, people from different firms were willing to share best practices.
3. Engage with regulators responsibly. Having a healthy relationship with the regulators enables all parties to understand the challenges facing an industry while fostering awareness regarding emerging technologies, improving controls, and mitigating risks.  
   

There is certainly a potential for adverse interactions with regulators, particularly when problems arise at our firms. And it’s understandable why some in the industry would want to avoid contact with them unless absolutely necessary. However, even in those circumstances, having a constructive relationship of trust with regulators often goes a long way towards a thoughtful and fair resolution. 

Additionally, there are other scenarios in which regulator interest can actually be positive. Often, regulators value their relationship with responsible industry participants because they want to understand where the markets are going and better understand the technology. Regulators, as public servants, have a laudable interest in the integrity of our markets, and keeping up to speed is crucial for executing their mission. Because if they don’t, regulations begin to become out of date and less effective. And if there are new and emerging technologies that regulators don’t understand, they risk finding themselves behind the curve. As such, many regulators are eager to engage and to learn.

Ultimately, our ideal scenario here in the United States, which I assume is also the case elsewhere, is to develop a paradigm where regulators and industry promote responsible innovation by learning together. Some jurisdictions, for example, in the UK’s FCA, appear to be further along, with their embracing of sandboxes and proactive collaboration with industry. These are examples of how a healthy regulatory relationship can benefit an industry.

Viewing compliance as a business strategy

PB: When FinCEN started instituting rules for applying the BSA to crypto companies, they tended to react in a few different ways. Some saw it as an opportunity to get regulatory compliance, while others moved offshore. Now, many are starting to see that compliance could be a competitive advantage, particularly in this crowded market that we see today in the crypto space. Do you think compliance can be an opportunity for differentiation?

CS: No question about that. Compliance offers an opportunity for differentiation whether regarding crypto, a banking transaction, or an investment transaction. Whenever anybody handles other people’s money, they really need to care that there are first-class controls and first-class attention to the welfare of clients. 

I’ll give you an example from the history of mutual funds. Many years ago, in the early 2000s, there was a scandal where certain mutual fund firms allowed special privileges to a particular client. Basically, the client said, “Look, I will give you lots of money as assets, from which you can earn hefty management fees. In exchange, I want you to allow me to trade more frequently than you allow other shareholders, to enable me to arbitrage various markets, and allow me special privileges to place mutual fund orders after the close of the markets–so I can get the previous day’s price.” This client essentially asked for a unique advantage, as one regulator said, to bet on yesterday’s horse race.

Over 20 mutual fund firms agreed to give the client that unfair advantage. But, once the scandal broke, the fallout for these firms was dramatic. For example, one firm, pre-scandal, had assets under management in the range of $360B. But, clients pulled significant assets out post-scandal, resulting in a dramatic loss of assets under management (AUM) down to approximately $60B. Considering that a mutual fund firm’s revenue is based on a percentage of AUM, I think you can imagine the magnitude of investment management fees lost. And it’s still as yet to fully come back to its former glory.

My point here is that clients and investors care about these issues, so having great compliance is a competitive advantage. When you’re in a position of trust, whether it’s doing a transaction, whether it’s providing custody, whether it’s managing investments, or otherwise, people are trusting you with their money. So if you don’t do that well, if you don’t have the commitment and controls, you’re going to lose ground to firms with strong and effective compliance programs.

A great compliance program can bring a large competitive advantage. Going back to the earlier question, when compliance officers work shoulder to shoulder alongside the firm’s leadership and jointly think about these things, this leads to extraordinary outcomes.

PB: We’re seeing more and more institutional players enter the space. For companies that want to service that market, will regulatory compliance become even more important than when servicing the average retail investor?

CS: In terms of the amount of money at stake, yes. However, we should remember that retail investors hold a special place in the hearts of regulators and in the regulatory scheme generally across the board. 

For example, when it comes to securities laws, there are stringent disclosure requirements and registration requirements that apply to the offering of securities meant to ensure that investors understand all the details and risks of an investment. This is intended to protect the “mom and pop” investor. However, the securities laws implicitly recognize that institutional investors, or those that are accredited, are in a better position to fend for themselves, resulting in more relaxed disclosure requirements. So institutional investors are presumed to need less protection.

With respect to cryptocurrencies, the risks and opportunities for bad outcomes for investors are actually higher at the retail level. When one considers the plenary risks of loss of assets and volatility versus other investments, mom and pop investors choosing to engage in the crypto markets could lose a larger percentage of their nest egg than an institutional investor. 

This goes back to the earlier point of the importance of best practices and controls. Even though institutional investors may have more risk tolerance, they still don’t want to risk the loss of potentially large sums. So, institutional clients want institutional level comfort. You’ll see custodians that hold crypto looking to compete on enhanced security with respect to key management, anti-hacking protocols, and critical ceremonies. Firms will demand best practices. Over time, reviews by independent parties such as SOC reviews and similar risk assessments will become very important. Because crypto presents a new set of challenges, people will really care that there are robust controls before entrusting their assets to crypto companies.

Involving the compliance team early in the ideation process‍

PB: If you’re a compliance officer working at a crypto business, what can you do to help the business see potential new growth areas through regulatory compliance, like expanding into new markets or creating new products?

CS: New product ideas will have better outcomes if compliance officers successfully integrate themselves from the start. Nothing frustrates a business more than having a great idea for a use case if they bring in a compliance officer who says it’s not going to work down the road. It creates a lot of frustration and gives rise to the risk of being perceived as the “anti-business” department. 

Going back to our earlier conversation, we talked about how compliance officers might tend to be conservative and gravitate to saying “no” in terms of dealing with the business. So the onus is also on them to behave in a way that makes them a business partner. 

If the business is thinking about new products, everyone needs to be aligned right from the start and think about it in real-time. I think of this as analogous to an agile program where real-time creation is happening and where product requirements are curated and tested during the development process. 

The role of the compliance team here should be to gain an understanding of the new products and keep in mind the timeless principles the regulators care about. If they look back to the essence of what regulators tend to think about, then they can provide input from the onset as to how these principles may need to apply to an emerging setting.

Most compliance principles fall into two major buckets. They are either binary “yes” or “no” decisions or risk-based considerations. An example of a binary decision where there is no debate is the Anti-Money Laundering Currency Transaction Report (AML CTR) requirement to report transactions in excess of $10,000. There is no space for flexibility there and no room for judgment. It just must be done.
‍
But suppose you’re working through a new use case without a specific binary regulatory requirement. In that case, you now have to think about what regulatory principles could apply and what best practice principles you can borrow from to build a program. While you can’t do anything about binary “yes” or “no” requirements except to make sure you identify them, your value as a compliance officer in the absence of such requirements is applying time tested risk-based principles to get a high level of comfort that you’ve assessed your risk appropriately and proposed mitigation steps accordingly.

PB: With this fast-moving crypto regulatory environment, we’ve seen so much happen in the last year, and we expect a lot more is going to happen over the next 1-2 years. What tips do you have for compliance teams as they put together their compliance strategies?

CS: We talked earlier about how compliance can be embedded more meaningfully as a partner and be part of the business and the importance of regulatory engagement. We just covered how compliance teams need to identify the binary requirements and the timeless principles that enable the adaptation or creation of something new. These are all essential elements for compliance teams to consider as they map out their approaches.

I would like to end with one more point. Today, across the industry, we don’t yet have many people with both the technical know-how and the understanding of how to apply regulation. 

The key thing is that compliance officers should consider, particularly when entering uncharted waters, is that regulators have these timeless principles that you can use to plan compliance going forward. But at the end of the day, having people who both understand tech and how these regulatory principles will apply to it will be necessary ingredients. The teams with these capabilities will be best suited to nimbly and quickly adapt as new use cases emerge. It will take collaboration among different teams and working seamlessly together to reduce friction and allow innovation to flourish.

PB: Perfect. Thank you very much, Chuck. 
‍

Want to learn more about how to empower your business with compliance? Reach out to the Notabene Team.
‍

‍

GIBRALTAR & NEW YORK, October 13, 2021-- Notabene, the leading FATF Travel Rule solution provider, has partnered with VASPnet, the assured source of VASP regulatory data.

This collaboration solves a crucial yet overlooked challenge presented by FATF’s anti-money laundering standards on virtual assets which mandate that Virtual Asset Service Providers carry out due diligence on their counterpart VASPs before engaging in a business relationship with them. Additionally, if a counterpart VASP’s regulatory status cannot be determined as regulated, the originating VASP may deem it high risk and restrict all transaction flow.

With Notabene’s integration of VASPnet’s reference data, firms can confidently make comprehensive and well-informed risk-based decisions to help manage their AML/CTF risk using real-time, high-quality data directly sourced from regulators.

VASPdata is the world’s largest dataset of up-to-date authoritative regulatory data on 28,000 service providers authorised to conduct virtual asset activities. VASPdata will support Notabene’s mission to remove regulatory complexity by adding transparency to firms’ transaction flows. Armed with VASPdata, Notabene will enhance how firms comply with FATF’s Recommendation 16. 

Notabene benefits from data that is assured by the VASPnet Verified freshness seal, ensuring Notabene’s customers receive only up-to-date and accurate regulatory information. With VASPdata and Notabene’s proprietary Rules Engine, Notabene’s customers can set robust regulatory rules into place, and scale ‘safe’ flows to regulated VASPs.

Quote from Notabene’s CEO Pelle Braendgaard: 

“Implementing the Travel Rule requires you to trust that your counterparty exchange has properly verified their customers. Performing manual due diligence on the often 100s of counterparty exchanges that an average exchange interacts with will lead to loss of business or increased risk of fines. Notabene’s partnership with VASPnet is the first service allowing exchanges to continue to transact with thousands of counterparties, while at the same time managing their own risk appetite.”

Quote from VASPnet Executive Chair Siân Jones: 

“Counterpart due diligence is a cornerstone requirement in FATF’s VASP-to-VASP value transfer standards. With real-time access to VASPdata’s authoritative regulatory information on licensed VASPs around the world, Notabene’s customers will be one step closer meeting their AML compliance obligations.” 
‍

About VASPnet:

VASPnet is the assured source of VASP regulatory data. VASPnet provides the authoritative data to confidently make well-informed, risk-based decisions and help meet AML/CTF obligations. VASPnet Ltd, an XReg company, is headquartered in Gibraltar, a leading cryptoasset jurisdiction. Visit www.vaspnet.com to find out more. Follow us on LinkedIn. 

About Notabene

Notabene is a reg-tech compliance SaaS solution that connects the traditional financial industry and crypto industry. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Using privacy-preserving technology, strategic partnerships and commitment, our first-to-market FATF Travel Rule solution helps financial institutions, crypto exchanges, and businesses turn compliance into a competitive advantage. Trusted by leading exchanges, Luno, Bitso, Crypto.com and more.

Notabene is headquartered in New York with offices in Zug and Santiago de Chile. To learn more, visit www.notabene.id. Follow us on LinkedIn and Twitter.

• Notabene and Elliptic launch a ready-to-use solution that complies with FATF Recommendations to virtual asset service providers (VASPs) and financial institutions (FIs)
• VASPs and FIs can automate the exchange of counterparty information during cryptoasset transactions securely and privately

LONDON, NEW YORK – June 16, 2021: Notabene, a fast-growing FATF Travel Rule solution provider, has integrated with Elliptic, the global leader in cryptoasset risk management and blockchain analytics. 

The intergovernmental FATF Travel Rule requires virtual asset service providers (VASPs) to exchange counterparty information when cryptoasset transactions exceed certain limits for all their customers. 

Countries that have implemented the Travel Rule include the United States, Switzerland, and Singapore. Other jurisdictions are not far behind in enforcing these rules over the next 12 months.

With Notabene and Elliptic’s integrated solution, VASPs can automate transactions with trusted counterparties while providing them with the data they need to detect suspicious activity and meet their regulatory requirements. 

In April, three crypto companies in Singapore completed the testing of automated Travel Rule transfers using Notabene. This made them some of the first VASPs ready to roll out full Travel Rule compliance at scale on their platforms.

Alice Nawfal, Chief Operating Officer of Notabene, comments:

“When it comes to compliance with the Travel Rule, VASPs are now in a rush to implement scalable solutions and come live. We expect the next six to twelve months will be a pivotal time for the crypto industry as VASPs overcome outstanding challenges and determine how to collaborate with each other effectively. We are excited to partner with Elliptic so that VASPs can have access to rich transaction data when performing Travel Rule transfers. This helps them make smarter compliance decisions.”

‍

Elsa Said-Armanet, Director of Partnerships at Elliptic, said:

“Crypto companies are increasingly expecting counterparties to be Travel Rule compliant, or they will not do business with them. Now we can offer Notabene alongside Elliptic’s crypto risk monitoring solutions to help VASPs comply to the Travel Rule today, wherever they are, and transact with any counterparty, even if they didn’t implement a solution on their side yet.”

Notabene provides top crypto businesses and financial institutions with software and tools to manage risk in crypto transactions. Notabene’s customers are able to assess whether counterparties are safe to transact with and perform any regulatory actions required.  Notabene offers the most secure Travel Rule fulfillment solution while simultaneously providing the broadest network coverage of compliant VASPs.  

Elliptic is the go-to provider of enterprise-grade crypto compliance solutions for fintechs, crypto exchanges, and traditional financial institutions. Elliptic’s customers can assess risk on transactions across more than 100 different assets - including cryptocurrencies, stablecoins, and tokens. This represents the broadest coverage of any crypto transaction screening solution, with support for over 97% of all cryptoassets by trading volume.

#

Media Contact

Alice Nawfal 

alice@notabene.id

Sacha Lowenthal

press@elliptic.co

About Notabene

Notabene helps crypto businesses and financial institutions manage regulatory and counterparty risks around crypto transactions. Notabene provides software, tools, and comprehensive data that helps businesses implement the new requirements of the FATF guidelines including the Travel Rule and identification of virtual asset accounts. They use Notabene to manage risk and deliver a best-in-class payment experience to their customers. Notabene is headquartered in New York with offices in Zug and Santiago de Chile.  To learn more, visit www.notabene.id and follow us on LinkedIn and Twitter.

About Elliptic

Elliptic is the global leader in cryptoasset risk management for crypto businesses and financial institutions worldwide. A WEF Technology Pioneer, Elliptic is backed by investors including Wells Fargo Strategic Capital, SBI Group, and Santander Innoventures, and has assessed risk on transactions worth several trillion dollars, uncovering activities related to money laundering, terrorist fundraising, fraud, and other financial crimes. Elliptic is headquartered in London with offices in New York, Singapore, and Tokyo. To learn more, visit www.elliptic.co and follow us on LinkedIn, Medium, and Twitter.

• With many protocols on the market, Notabene simplifies travel rule compliance by integrating multiple messaging layers into one platform.
• In response to the sunrise period, Notabene offers a ready-to-use solution today - TRNow. You can exchange data transfers with any VASP, even if they didn’t implement a solution on their side yet. No need for them to sign up for or integrate with Notabene either!
  

Notabene lets you securely exchange Travel Rule data with any counterparty VASP. Yes, really.

Notabene’s multi-protocol approach helps you comply with the Travel Rule without hindering your transaction flow. Our goal is to instantly and securely connect you with all of your transaction counterparty VASPs despite regulatory complexity. The Travel Rule shouldn’t stop you from sending or receiving funds from certain businesses just because you two use different messaging protocols. Avoid spending time and efforts trying to convince all of your counterparties to sign up for the same network, or worse, joining multiple ones yourself!

‍

1. How do I send a travel rule transfer to a counterparty VASP if... 

1.1. I don’t know which protocol they use?

You don’t need to! We integrate the most widely adopted and ready-for-deployment protocols into our platform, so you don’t have to.  There is no need to involve your dev team to support multiple protocols, run necessary blockchain nodes, and stay abreast of technical changes. We handle it all! You can think of Notabene’s solution as a switch on top of protocols. This means no more worrying about which protocol to choose for the broadest possible coverage. 

Once your Travel Rule transfer is ready to send, our system automatically checks against all integrated protocols, the messaging channel you have in common with the Beneficiary VASP.

1.2. They don’t have any Travel Rule solution in place yet?

This is where our in-house solution, TR:Now, comes into play. It lets you send a Travel Rule transfer to any counterparty, even if they don’t have any solution in place yet! After a counterparty VASP is identified, a Travel Rule transfer is created and sent, the Beneficiary VASP receives an email notification. Once they verify that the address belongs to them, they can access the transfer in their browser securely. For security reasons, their access to the transfer information expires 72h after they open it. 

Don’t know your Beneficiary VASP’s designated travel rule email address? Leave it to us! Notabene will help you determine the correct contact information for the Beneficiary VASP.

1.3. Notabene doesn’t support the protocol they use?

You can still meet your compliance requirements and send a Travel Rule transfer. Just like the previous example, Notabene enables transfers to any counterparty VASP, regardless of their protocol usage. See the steps described in 1b above for more.  

2. How to receive a travel rule transfer from a counterparty VASP if... 

2.1. They don’t know which protocol I use?

• If your counterparty VASP wants to send you a data transfer related to an incoming transaction, all they need to do is visit your company’s public profile at Notabene. At the bottom of your profile page, they’ll see all of your supported travel rule protocols with their respective identifiers. The list of available protocols is automatically updated as we integrate new protocols into our platform.

2.2. They don’t have any solution in place yet?

• If your counterparty doesn’t have any solution in place but you need them to send you a Travel Rule transfer, simply share with them a link to your company’s public profile on Notabene. From there, after authenticating themselves, they will be able to access a simple form and fill in all of the data required by the Travel Rule and send it straight to your Notabene dashboard.
• 
  

2.3. Notabene doesn’t support the protocol they use?

• You can still meet your compliance requirements and receive a Travel Rule transfer. Following the same process as 2b above, Notabene enables transfers to and from any counterparty VASP, protocol or not! 
  

3. How do I verify my counterparty VASPs?

Each company, regardless of the solution they use, can join Notabene’s public VASP directory for free. They create a profile by providing their license and incorporation information along with any respective supporting documents. This allows us to verify their business listing and issue a “Verified by Notabene” badge. After they have created a verified profile, they will be able to share additional information (e.g., AML/CFT processes) securely with you during the due diligence process.

If you’d like us to verify your counterparty, ask them to create their profile here.

4. How do I manage my transfers?

With Notabene, you have access to a secure, all-in-one dashboard where you can manage and monitor all of your transfers, regardless of the protocol over which they were sent. We make it easy and efficient for your compliance team to manage travel rule transfers from one place, and not have to worry about any underlying protocol complexity.

5. What if my company spans multiple jurisdictions?

If you closely monitor the travel rule implementation trends (because we do!), you might have noticed that some protocols get broader adoption in particular jurisdictions. But, have no fear! This doesn’t mean that you’ll have to sign up for different solutions just because your business is global. Notabene ensures coverage with all VASPs and regions, and offers multi-entity support so you can use one platform for seamless compliance and transaction flows, even if the rules differ from country to country.

Have more questions?

Great, we’ve got answers! To learn more about Notabene’s Travel Rule solution and how it can help you comply with the travel rule, book a demo today!

We’re excited to share that a select group of our Singaporean customers, Luno, Crypto.com, and Xfers, have successfully completed the second phase of Notabene’s Travel Rule testnet.

‍This makes them one of the first VASPs ready to roll out full Travel Rule compliance at scale on their platforms.

In various real-world scenarios, participants exchanged automated Travel Rule transfers that allowed instant counterparty VASP verification and Beneficiary’s VASP blockchain address confirmation. This phase also demonstrated the Notabene’s protocol-agnostic approach by using both TRNow, Notabene’s in-house solution, and TRP, an open-source, industry-led protocol, as messaging channels.

Phase 1 - Counterparty verification and secure data exchange

In the first phase, companies exchanged Travel Rule transfers using Notabene’s manual solution. This was an excellent opportunity for participants to tackle practical challenges in verifying a counterparty and securely performing data transfers. 

As a result, participants developed the know-how and exchanged best-practices to improve their internal transaction flows to address Travel Rule requirements. 

Phase 1 of the testnet also led to the creation of a testnet working group. Members of compliance, product, and dev teams from the participating VASPs now meet bi-weekly to collaborate on various challenges and agree on best practices for solutions.    

Phase 2 - Automating the Travel Rule flow full-scale compliance   

The goal of the second phase was to test: 

• The automation and scalability of Travel Rule compliance processes using Notabene’s API  
• The instant counterparty VASP verification using client-defined whitelists
• Increased customer data protection through blockchain address confirmation for beneficiary VASPs
• The ability to connect, regardless of protocol, with any VASP by using TRNow and TRP 
  

Automatically generated Travel Rule transfers

For this exercise, participants exchanged automatically generated and verified Travel Rule transfers. With simple API integration, data transfers are created seamlessly by collecting Beneficiary’s and Originator’s information from VASPs’ internal systems, the moment a user initiates a transaction. 

Did you know? Notabene’s pre-built user interface components instantly identify the wallet type and counterparties involved in a transaction and help collect any missing data from users. This feature was not part of the testnet but is a core part of Notabene’s Travel Rule offering. Learn more here.

‍Instant counterparty VASP verification

Notabene’s “Trust this company” functionality enabled testnet participants to easily verify and whitelist counterparties. This way, every transfer sent to a trusted VASP is automatically approved, allowing compliance officers to focus only on high-risk transactions.

Did you know? Notabene built a VASP directory that allows any company to create a public profile for free. Create your profile today and reduce the burden of business-to-business verification, a necessary but time intensive step to ensure the secure exchange of Travel Rule information.

Beneficiary VASP’s blockchain address confirmation

To prevent customers’ personal data from being sent to the wrong VASP, Notabene adds an extra layer of trust ensuring that a customers’ data always reaches the intended counterparty. Before a data exchange occurred, participants receiving a transfer were able to automatically confirm that the Beneficiary’s blockchain address belongs to them. 

Sending Travel Rule transfers to VASPs outside of the Notabene Network

Notabene enables its customers to work with any VASP, regardless of protocol. The testnet allowed companies to send and receive transfers from a set of mock/simulated counterparties that lacked any Travel Rule solution. With much of the industry still early in its Travel Rule implementation, this capability is critical while different jurisdictions are developing at various speeds. 

Participating VASPs also seamlessly exchanged customer data over an external protocol, TRP. As the proliferation and adoption of various Travel Rule protocols grows, Notabene will be adding them to its platform, allowing its customers to reach the most extensive number of counterparties possible.    

Meeting FATF requirements without hindering business growth

These three scenarios were critical to test the implementation of the FATF and MAS requirements in a real-world business environment. 

This evaluation allowed our customers to better understand what adjustments they need to make within their compliance and transaction flows to roll out a fully scalable Travel Rule solution without hindering business growth.

This is just the beginning

The implementation of the Travel Rule doesn’t happen overnight and will impact user experience, product, and compliance across the entire transaction flow. This is why it’s important to start testing and assessing its impact on existing systems as soon as possible. We’re committed to constantly supporting our customers along this journey from start  through post full-deployment. Our bi-weekly meetings and deep-dive sessions will continue, and we hope the group of participants will only grow as we launch the next editions of the testnet.

Call for submission!

If you constantly hear about the Travel Rule but aren’t sure where to start, we’re here to help! We’re currently inviting VASPs interested in participating in the next edition of a global, cross-jurisdiction Travel Rule testnet. Apply here!

It’s been one year since we started Notabene, and what a crazy ride it has been!

Last April, as the world was going into lockdown, pushing the economy further into the unknown, we got together to work on a big challenge. We believed that crypto transactions should be a larger part of the everyday economy. To make this happen, transacting with crypto first had to become safer and easier to use.

And so, we started Notabene. What lay ahead of us was uncertain, but we bet on three things.

First, increasing global uncertainty will push people and businesses to more quickly adopt digital assets and cryptocurrencies. 

Second, regulators will not budge on the deadlines set for crypto businesses to comply with new requirements. If anything, they may even put on more pressure to limit access to illicit finance as the financial world becomes more globally connected. 

Finally, our confidence that we have the best team possible to tackle these challenges.

Fast forward to today, and what a year it has been! Our three bets have already started to pay off and there’s even more to look forward to than before.

Crypto is here to stay, paving a path for every financial institution to get into the space

We were bullish on crypto, but the speed of global adoption has shocked even us. From Visa launching a settlement layer with USDC, Paypal rolling out crypto for its 370M users, to Defi’s exploding innovation, crypto has roared onto the scene in a big way. Regulators like the OCC have made it possible for any financial institution to start offering crypto products. Momentum is high now, but this is still just the beginning. Tens of thousands of traditional financial companies will be entering the space over the next 5 years. Not to mention the thousands of new companies that have yet to even be created.

Regulators are keeping close watch on crypto

Cryptocurrency’s market impact makes it impossible for regulators to ignore any longer. The compliance landscape has been fast-moving. Local regulators have been enforcing the travel rule and other requirements to prevent the flow of illicit finance. The industry has also increasingly been working alongside, providing feedback and commentary to ensure that innovation can continue to prosper.

Our team built a strong foundation, and we’re ready for what’s next

This past year, we have created a rock solid team. We learned how to adjust to the new realities of a pandemic lockdown and work together remotely. We are proud of the culture we built and the principles we stand by: we are idealistic and ethically driven in how we build, but we are also pragmatic and keep one foot on the ground.

With this mindset, we launched our product just 4 months after starting Notabene. We’ve been releasing features continuously since, making sure our customers have access to the latest compliance requirements as well as best-in-class features.

Today, we serve crypto companies across 4 continents, including some of the largest exchanges like Luno and Crypto.com. We have partnered with companies like Chainalysis to tackle the evolving regulatory landscape together. It has been a pleasure to work closely with and learn from our clients and partners.

Finally, the support we have received this past year has been incredible. From the Y-Combinator partner and founder community, to our investors, advisors and mentors, you have all been an incredible source of support. To our first employees, we are excited to have you. Thank you all for joining our vision!

But this is just the beginning. We are beyond excited for the road ahead, and here's to many more years to come!

- Alice, Ania, Andres and Pelle

At a time where crypto companies and financial institutions are pressing the pedal to grow and meet large-scale retail and institutional demand, they also need to fulfill immediate regulatory obligations and manage risk around transactions. We started Notabene last year to make transacting with cryptocurrencies safer and easier for businesses and individuals alike. Only then, can crypto transactions become part of the everyday economy. 

We provide companies with the software and tools to manage counterparty risk and perform regulatory compliant transactions at scale. However, our role does not end there: We also help companies make sense of a fast-moving regulatory landscape and engage regulators on their behalf. As companies look to introduce comprehensive compliance policies, we need to continue investing in our role as a trusted partner who can support our clients along the way. 

Today, we are excited to welcome Rebecca Macieira-Kaufmann and Charles “Chuck” V. Senatore to the Notabene team as our advisors. As a seasoned CEO, Rebecca has scaled financial service businesses to exponential revenue while overseeing the implementation of strong regulatory and risk management controls. While leading global compliance programs at major financial institutions, Chuck worked closely with management teams to align compliance and business goals. He also spent years as a regulator at the SEC. Together, their decades of experience working with complex financial and risk issues will be instrumental in helping Notabene build a best-in-class product and support our community of customers during this critical time.

Rebecca spent more than 11 years at Citigroup serving in a range of CEO, President, and General Manager roles. In her last role as Head of Citigroup’s International Personal Bank, Rebecca managed a full P&L line of business serving the offshore wealth needs of multinational clients in more than 100 countries. Rebecca was brought into multiple businesses as the transformation leader to bring a culture of risk management, control and regulatory compliance to the forefront. She remediated issues, simplified operations and digitized the customer experience—all while meeting regulatory standards and growing the business exponentially—leaving them strong and financially secure. 

Previously, Rebecca served as President and CEO of Banamex USA, where she turned the business around by remediating a Consent Order while simultaneously meeting the cross-border needs of Mexican businesses and high-net-worth individuals. Today, Rebecca is a member of Revolut’s US board and advises CEOs of start-ups in all phases of growth. 

In her role as an advisor of Notabene, Rebecca will support us becoming more effective leaders as we scale our business in this fast-moving market. She will help us better understand our customers and build the right tools for them. She is a big advocate of making compliance a part of the culture of a financial institution. We will continue to leverage her hands-on experience to support our customers as they look to grow their businesses responsibly.

“It is exciting and deeply gratifying to be a part of Notabene at the ground floor as they help clients grow and operate with the right regulatory controls in the digital asset space”, says Rebecca about joining Notabene as an advisor.

Chuck brings decades of experience in compliance, risk and regulatory affairs for financial services and, in more recent years, digital assets. He is a board member and audit committee chair of Fidelity Digital Asset Services, LLC. Most recently, Chuck was Head of Risk Oversight for Fidelity Investments’ Devonshire Investors unit. Before that, he led Fidelity’s global compliance and ethics function and served as the firm’s head of regulatory coordination and strategy. Prior to joining Fidelity, Chuck was Co-Head of Global Compliance at Merrill Lynch, and led the firm’s Regulatory Affairs Group. During his time leading compliance functions, he was instrumental in helping his compliance teams get a seat at the management table and be part of decision-making. 

Chuck is also a former regulator. He was the SEC’s Southeast Regional Director, and prior to that an Assistant U.S. Attorney and Chief of the Public Corruption Section in the Southern District of Florida. 

More recently, he teaches Compliance and Regulatory Strategy at the University of Chicago Law School, and is a Senior Fellow at New York University's Program on Corporate Compliance and Enforcement. He also founded the Boston Regtech Meetup, and is a member of the Massachusetts Secretary of State's Fintech Advisory Working Group.

In his advisory role at Notabene, Chuck will provide insight on how we can engage regulators constructively and advocate for digital assets and the unique opportunities they bring to the financial markets. He will also be helping us build products that empower compliance teams to meet regulators’ expectations and become more effective decision-makers in their companies. With regulators moving fast to introduce crypto regulations, Chuck believes this is a critical moment for the crypto industry.

He believes that “Digital assets and blockchain use cases are maturing rapidly, and Notabene is poised to make an important contribution to the industry's rapid evolution. I am pleased to have the opportunity to help guide Notabene's very talented team and be part of its effort to lead positive, responsible and innovative change.”

The whole Notabene team is looking forward to working closely with Rebecca and Chuck going forward. Their insights have already helped us and our customers. Please join me in welcoming Rebecca and Chuck to the Notabene team!

Best regards,

Pelle Braendgaard

Singapore, New York – Luno, a leading global cryptocurrency company based in London with over 7 million customers in 40 countries, has partnered with Notabene, the end-to-end Travel Rule compliance platform. With Notabene’s help, Luno is rolling out Travel Rule compliance starting with Singapore. 

Luno is using Notabene’s services to manage counterparty risks related to crypto transactions and to meet the latest anti-money laundering (AML) requirements as defined in Singapore’s Payment Services Act 2019 (the PSA). By integrating our solution, the Luno team can now perform Travel Rule transactions securely and at scale. 

As consumer demand for cryptocurrency grows across global markets, regulators are introducing requirements to protect consumers and mitigate the risk of money laundering. One of these requirements is the Travel Rule, and it requires that cryptocurrency platforms like Luno share customer data related to a crypto transaction securely with the counterpart exchange. 

Besides regulatory compliance, Luno believes that the Travel Rule can promote customer confidence in crypto transactions. When customers are requested to input information about recipients and checks are performed, the risk of a transaction going to the wrong recipient decreases. 

Notabene’s solution helps Luno’s team manage counterparty risks. With our rule-setting tools and due diligence service, their compliance officers can now automate the transfers of Travel Rule data with trusted exchanges. 

Sherry Goh, Country Manager of Luno Singapore, says:

“We are delighted to partner with Notabene for Luno’s Travel Rule roll out in Singapore. We were impressed with Notabene’s protocol agnostic approach and the decision to build a platform aimed at end-to-end compliance with the Travel Rule. We are confident that the integration with Notabene will mean that our customers’ Luno experience will remain as smooth as ever.”

Pelle Braendgaard, CEO of Notabene, comments:

“With Luno’s continued commitment to compliance, it has brought safe crypto products to millions of consumers worldwide. We are excited to see how our product can help Luno continue on their mission to upgrade the world to a better financial system.”

Luno is also a participant in Notabene’s recently launched Singapore testnet. It is testing travel rule transfers alongside other cryptocurrency platforms. 

Are you interested in learning more about our travel rule solution and how we help with managing counterparty risk? Reach out to us at hello@notabene.id.

‍

Media Contact

Alice Nawfal: alice@notabene.id 

About Notabene

Notabene helps crypto businesses manage regulatory and counterparty risks around transactions. Notabene provides software, tools, and comprehensive data that helps their customers implement the new requirements of the FATF guidelines including the Travel Rule and identification of virtual asset accounts. 

Notabene is a Y Combinator company and has offices in New York, Zürich, and Santiago de Chile. 

Find out more here: https://www.notabene.id

About Luno 

Luno is a leading global cryptocurrency company on a mission to upgrade the world to a better financial system. 

Co-founded by CEO Marcus Swanepoel and CTO Timothy Stranex, Luno launched in 2013 and has built a team of nearly 400 with its headquarters in London with regional hubs in Singapore and Cape Town. With over 7 million customers spanning in over 40 countries, Luno’s products and services make it safe and easy to buy, sell, store and learn about cryptocurrencies like Bitcoin and Ethereum. 

Luno has been backed by some of the world’s leading investors including Balderton Capital, RMI, Naspers and Venturra, before recently having been acquired by Digital Currency Group (DCG).

Find out more here: https://www.luno.com

Summary: In FATF’s latest guidance, it broadly defines DeFi operators as VASPs that have to deal with AML/CFT obligations. On the Travel Rule, the big news is that FATF expands these requirements to include all financial institutions (FIs) who deal with virtual assets. FATF also clarified many outstanding questions by adding new requirements such as sanction-screening of counterparties and collection of beneficiary names, even with unhosted wallets. VASPs will need to move quickly on the Travel Rule or risk not receiving licenses for operation and being outcompeted by FIs entering the market today with strong compliance expertise.

On March 19th, 2021, the Financial Action Task Force (FATF) released its updated guidance on the risk-based approach for virtual assets (VAs) and virtual asset service providers (VASPs). 

The original guidance was published in June 2019, placing anti-money laundering and countering the financing of terrorism (AML/CFT) obligations on VAs and VASPs. It also extended Recommendation 16 to VASPs, commonly known as the “travel rule”. 

Following the publication of this revised guidance, there is a 4 week public consultation period in which private sector participants will provide feedback and commentary. Notabene will be providing input directly to FATF as part of the FATF Virtual Asset Contact Group (VACG) and indirectly through its participation in various forums like the Global Digital Finance (GDF) and the Chamber of Digital Commerce.

With this revised guidance, FATF aims to achieve two goals:

• Level the playing field for VASPs in line with existing standards applicable to financial institutions and other AML/CFT-obligated entities
• Minimize the opportunity for regulatory arbitrage across financial sectors and jurisdictions
  

We describe below FATF's general approach as well as summarize the main takeaways. We supplement the sections with our assessment of how this may impact the crypto industry.

1. Virtual assets is not higher risk than other financial service sectors, but some aspects of it are deemed riskier 

FATF maintains a technology neutral approach to virtual assets. 

FATF states that VASPs should be regulated similarly to financial institutions (FIs) that provide functionally similar services with similar ML/TF risks. In addition, FATF requirements should apply to all VAs and VASPs regardless of the underlying technology.

“The FATF Standards are intended to be technology neutral. As such, the FATF does not seek to regulate the technology that underlies VAs or VASP activities, but rather the natural or legal persons behind such technology or software applications that facilitate financial activity or conduct as a business the aforementioned VA activities on behalf of another natural or legal person.” (Section 68, Page 26)

Our assessment: FATF would like to maintain its view on technology neutrality and that VAs are not treated differently from other financial sectors of similar risk. However, they also apply this argument within the crypto sector - with what some may consider as direct jabs at ‘decentralized’ projects who may not be completely decentralized and for all intents and purposes would be considered VASPs. 

FATF provides recommendations to local regulators to treat certain aspects of VAs as higher risk.

FATF recommends that jurisdictions manage rather than avoid risk, and thus should not ban VAs completely. They should assess the risk introduced by VA activity and whether they can manage that risk. If they cannot manage it effectively, then they can take actions to limit or restrict certain activities.‍

“The FATF recommendations do not prejudge any sector as higher risk. … however the overall risk at a national level should be determined by individual jurisdictions through an assessment of the sector - in this case, the VASP sector.”  (Section 28, Page 12)
‍

Our assessment: FATF is giving the green light to local jurisdictions to implement stricter rules. We expect some regulators over the next year will deem certain activities such as transactions with unhosted wallets as higher risk.‍

VASPs are expected to "build compliance into their product".‍

FATF recommends that VASPs build sufficient AML/CFT controls into the design of their product before they launch it.‍

"Authorities may also require that appropriate AML/CFT mitigations must be built into products and services before they are brought to market, as it is much more difficult to do so later. (...) Once licensing and registration has taken place, AML/CFT mitigations which are built into products and services should be maintained and be the subject of active supervision." (Section 119, Page 43)‍

Our assessment: Regulators will increasingly expect products to have built-in compliance. This should not be an after-thought, and VASPs need to make compliance an integral part of their product design and development.

2. FATF plans to regulate certain Defi protocols, stablecoin platforms and multi-signature providers

No financial asset should ever fall outside of FATF standards.

FATF broadens both the VA and VASP definitions. It would like to ensure that every financial asset is either a VA or a traditional financial asset. 

It defines VAs as the following:

“ VAs must be digital, and must themselves be digitally traded or transferred and be capable of being used for payment or investment purposes.” (Section 38, Page 18)

This excludes digital representations of fiat currencies such as central bank issued digital currencies (CBDCs). 

With regards to VASPs, FATF did not update the definition from its 2019 guidance, but instead provided more examples as to what is considered a VASP and guidelines for regulators. 

Our assessment: FATF is looking to close the loop here on what is considered under its purview and who should be regulated. Previously unregulated segments of the crypto industry will find themselves under additional scrutiny. 

FATF believes that in the majority of crypto protocols a VASP is involved at some stage. 

In a direct jab at the decentralized community, FATF cautions regulators from buying into the “marketing terms and innovative business models”, and instead separating the function of a VASP from the underlying technologies. 

The VASP definition is expanded to potentially include multisig and MPC service providers:

“Where custodians need keys held by others to carry out transactions, these custodians still have control of the asset. A user, for example, who owns a VA, but cannot send it without the participation of others in a multisignature transaction, likely still controls it for the purposes of this definition. Service providers who cannot complete transactions without a key held by another party are not disqualified from falling under the definition of a VASP, regardless of the numbers, controlling power and any other properties of the involved.” (Section 55, Page 22)

FATF’s standards do not apply to underlying software (e.g. a DApp or software program), but the owner/operator of a DApp or a person conducting business development for a DApp are considered VASPs. (Section 57, Page 23)

Likewise, in stablecoin issuance, the developers building the platform are not VASPs unless they use it to engage as a business in conducting financial activities. Persons forming the governance body could also be considered VASPs, depending on the amount of influence and control they have. (Section 72, Page 27)

Non-custodial wallet providers are excluded from being VASPs. So are network participants and service providers solely engaging in the operation of a VA network (e.g. miners and validators). (Section 69, Page 26)

A company launching a business that could fall under VASP definition and then gives up control after launching it may still qualify as a VASP. 

“The FATF takes an expansive view of the definitions of VA and VASP and considers most arrangements currently in operation, even if they self-categorize as P2P platforms, may have at least some party involved at some stage of the product’s development and launch that constitutes a VASP.” (Section 75, Page 29)

“The use of an automated process such as a smart contract to carry out VASP functions does not relieve the controlling party of responsibility for VASP obligations. For purposes of determining VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.” (Section 79, Page 30)

Our assessment: FATF is clearly taking a more rigid stance at projects in the crypto space who may market themselves as decentralized but in fact maintain power or control over financial activities (and are profiting from them). We expect lots of pushback from the industry here, but also projects to go one way or another: either launch fully decentralized or get regulated.

 3. Regulators will introduce stricter crypto rules in their jurisdictions

FATF leaves regulators to take a risk-based approach with regards to P2P transactions.

If a jurisdiction deems the risks associated with P2P transactions too high, then it needs to limit its exposure to them. FATF provides examples of measures it can take for VASPs who transact with unhosted wallets, including introducing reporting requirements similar to currency transaction reports (CTRs), enhanced recordkeeping and due diligence requirements, guiding VASPs in applying a risk-based approach, or even denying them licensing. (Section 91, Page 37)

Virtual Assets in non-compliant jurisdictions or with decentralized governance structures are also considered at higher risk. 

Our assessment: We expect that multiple jurisdictions will take this as a green light to pass more stringent rules on unhosted wallets. We caution regulators to take the time to learn about why unhosted wallets do not pose necessarily more risk, and also recommend that the industry educate regulators so they do not take the easy way out and ban them.‍

Regulators are responsible for introducing a regulatory regime, but have flexibility in picking the approach.

FATF is not prescriptive, but recommends that countries do not outright ban virtual assets as that can lead to higher ML/TF risks (e.g. crypto users move to offshore exchanges). Instead, they should introduce registration and licensing regimes. Regulators can ask VASPs to introduce enhanced due diligence measures and devote more resources to AML/CFT compliance.

They should require VASPs to conduct CDD for transactions above USD/EUR 1000 and perform the travel rule. The rest of the recommendations more or less apply similarly as they do with FIs.‍

Our assessment: This is consistent with FATF’s general approach. Many jurisdictions who have not allocated resources as yet to regulating VAs may find it difficult over the next few years as they look to close the gap.

4. FATF adds additional clarity and requirements to the Travel Rule

VASPs must now perform sanctions screening on originators and beneficiaries.

We summarize the new requirements for VASPs:

Originating VASP must:

• Verify originator information (e.g. their own KYC process)
• Collect beneficiary information but not verify it
• Perform sanctions screen
• Be prepared to freeze and prohibit transactions
  

Beneficiary VASP must:

• Not verify originator information provided
• Detect if the required originator or beneficiary data is missing
• Verify provided beneficiary information with their own KYC’d information
• Perform sanctions screen
• Be prepared to freeze and prohibit transactions
  

Our assessment: Adding a sanction screening requirement is not a surprise, but in this case it could lead to many false positives. There is a lot of gray area here that can lead to a big burden on compliance teams today as they manually need to address issues that come up in transactions.

Originator VASPs must collect beneficiary names for all transactions.

It does not matter if a transaction is under the travel rule threshold  (Section 167, Page 56) or going to an unhosted wallet (Section 180, Page 60). In fact, FATF calls out that the travel rule applies to transfers between a VASP and an unhosted wallet, and that unhosted wallets could be treated as higher risk.

Our assessment: We expect pushback from the industry regarding end-user privacy and treating unhosted wallets as higher risk. 

Travel Rule data transfers must be immediate and secure.

They should be done at the same time (or presumably before) performing the underlying VA transaction. It does not have to be attached to the blockchain transaction itself. Batching is allowed as long as it is submitted immediately.

Our assessment: We expect the implementation to be a challenge in the sunrise period for some VASPs as they grapple with insufficient data, timely identification of counterparty VASP, and determining what travel rule solution they support.‍

Intermediaries have record-keeping and sanction-screening requirements.

Intermediaries only pass information along, so they aren’t required to verify originating or beneficiary customer information. However, they are required to perform record keeping and sanctions checks.

Our assessment: We expect a standard travel rule compliance flow for intermediaries to emerge in the industry in the next 6 months. Today, there have been some individual efforts, but industry cooperation will be important here to implement a standard flow across the industry.

5. VASP due diligence is a core requirement of the Travel Rule

VASPs are required to conduct counterparty VASP diligence before initiating a transfer.

A VASP should consider treating a counterparty VASP as a correspondent banking relationship and conduct thorough due diligence on the counterparty VASP. (Section 146, Page 50)

It can collect information directly from the VASP, but it must be verified. Beyond that, the VASP should assess the level of risk in the jurisdiction (e..g. AML/CFT laws of the jurisdiction, country assessment reports) as well as the counterparty VASP’s AML/CFT controls. After an initial due diligence, the VASP should periodically refresh it or have mechanisms in place to identify if a new risk emerges. 

FATF recognizes due diligence is a challenge and summarizes it in a 3 phase approach:

Our assessment: Conducting thorough due diligence at scale can be a challenge. Platforms like Notabene will provide solutions to help streamline the data collection and verification, as well as facilitate the relationship between the VASPs. However, regulators will also have to provide databases of verified information about VASPs.

Sunrise period is a challenge but not an excuse.

VASPs who want to interact with counterparty VASPs in a jurisdiction where the travel rule is not yet implemented could require them to implement it. 

“This can be a challenge for VASPs regarding what approach they should take in dealing with VASPs located in jurisdictions where the travel rule is not yet in force. Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.“ (Section 176, Page 59)

VASPs who want to be compliant can consider taking additional robust control measures:

“Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions. The absence of relevant regulations in one country does not necessarily preclude the effectiveness of measures introduced by a VASP on its own.”  (Section 177, Page 59)

Our assessment: In the latter part of 2021, many VASPs will adopt the travel rule for business reasons - mainly that their counterparty VASPs already require it. 

Are you interested in learning more about how we can help you comply with the latest crypto compliance rules? Reach out to us at hello@notabene.id.‍