A primary goal of enforcing Travel Rule requirements on virtual asset service providers (VASPs) is to prevent designated persons and entities from circumventing sanctions using virtual assets.
VASPs routinely screen their customers against relevant sanction lists as a part of their KYC processes but are not obliged to verify the counterparty customer data before screening it. This reliance on unverified data can lead to false positive results and create difficulties for VASPs complying with the Travel Rule.
To balance the demands of an effective sanctions compliance program with the data requirements set by the FATF, VASPs can apply the guidelines for third-party assistance in customer due diligence set forth in Recommendation 17 to counterparty sanction screening, which goes well with another component of Travel Rule compliance: the VASP-to-VASP due diligence obligation.
One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit, and store certain information about the Originator and the Beneficiary of a transaction.
“Countries should ensure that ordering institutions (whether a VASP or other obliged entity such as a FI) involved in a VA transfer, obtain and hold required and accurate originator information and required beneficiary information and submit the information to beneficiary institutions (whether a VASP or other obliged entity, such as a FI), if any. Further, countries should ensure that beneficiary institutions (whether a VASP or other obliged entity, such as a FI) obtain and hold required (but not necessarily accurate) originator information and required and accurate beneficiary information.” (FATF 2021, p. 59, para 181)
According to FATF’s Updated Guidance, the Originator and Beneficiary Customer information that the Originator VASP needs to obtain and transmit to the Beneficiary VASP and that the Beneficiary VASP, in turn, needs to receive is the following:
FATF also gives guidance on the obligations of the Originator and Beneficiary VASPs regarding customer information. We’ve illustrated the requirements in Figure 2 below.
VASP obligations during a regulated transaction are as follows:
This means VASPs must rely on data they do not need to verify to screen their counterparties against sanction lists. Often, the unverified data proves insufficient. In instances where the Originator VASP is required to collect only the name of the Beneficiary Customer, identifying false positive sanction screening results can be an unfeasible task as a name itself does not provide sufficient resolution on the identity of the Beneficiary Customer.
Relying on unverified and insufficient data for sanction compliance may be inefficient in securing appropriate freezing actions and effectively prohibiting transactions with designated persons and entities.
FATF’s Recommendation 17, “Reliance on Third Parties,” states that financial institutions can rely on third parties to perform parts of the customer due diligence (CDD) process. The FATF explicitly recognizes that VASPs can act as third parties. (FATF 2022, pg. 85, para 1)
“Countries may permit financial institutions to rely on third parties to perform elements (a)-(c) of the CDD measures set out in Recommendation 10 or to introduce business, provided that the criteria set out below are met. Where such reliance is permitted, the ultimate responsibility for CDD measures remains with the financial institution relying on the third party.” - FATF Recommendation 17
“The third party will usually have an existing business relationship with the customer, which is independent from the relationship to be formed by the customer with the relying institution, and would apply its own procedures to perform the CDD measures.” -FATF Interpretive Note to Recommendation 17
When this framework is applied to counterparty sanction screening, VASPs can rely on the screening done by another VASP with complete access to the underlying data and the responsibility to verify it. For example, the Beneficiary VASP could trust the Originator VASP with the screening of the Originator Customer, and the Originator VASP could trust the Beneficiary VASP with the screening of the Beneficiary Customer.
Applying the guidelines for third-party assistance in customer due diligence set forth in Recommendation 17 to counterparty sanction screening goes well with another component of Travel Rule compliance: the obligation for VASP-to-VASP due diligence.
Establishing trust between VASPs is built into Travel Rule compliance–the requirements oblige VASPs to perform due diligence on their counterparties to assess the robustness of their AML/CTF compliance programs. (FATF 2021 p. 64. para 197) The resulting trust framework can also be leveraged for mutual reliance on each other for counterparty sanctions screening.
The counterparty VASP due diligence process must include several factors, such as:
This process helps ensure that VASPs interact with responsible parties who can protect confidential information and reduces the risk of dealing with illicit actors. Additionally, this assessment must occur before conducting any Travel Rule data transfer. (FATF 2021 p. 64. para 196)
In summary, VASP due diligence provides a solid foundation to mitigate the risk of sanctions screening unverified information: the robustness of your counterparty's sanction screening process can inform your risk-based approach to screening their customers.
To prevent any adverse effects on transaction speed and volume, VASPs need an efficient method to identify and conduct due diligence on each counterparty VASP. Notabene’s full-service Travel Rule compliance solution removes friction from the VASP-to-VASP due diligence process.
We’ve incorporated the industry-standard VASP-to-VASP Due Diligence Questionnaire (DDQ) into our compliance dashboard, allowing VASPs to upload their legal and security information into a secure portal and share their due diligence information 1:1 between selected parties. Through the Notabene Network, VASPs can request, share, decline, and revoke access to the DDQ and view the document’s shared history.
Click here to access the Notabene Network
FATF. 2021. Updated Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers. Paris: FATF. Published June 21, 2021.
With non-custodial crypto wallets, users have complete control over their funds and the associated private key. It is important to note that the terms “non-custodial” and “unhosted “are used interchangeably in the industry.
Under the crypto Travel Rule, VASPs must collect, verify, transmit, and store certain information about a transaction’s Originator and Beneficiary. The FATF gives guidance on the obligations of the Originator and Beneficiary VASPs regarding customer information.
The Originator and Beneficiary VASPs must screen counterparty customer information against relevant sanctions lists, with the Originator VASP collecting data from its customer about the Beneficiary Customer and the Beneficiary VASP relying on information transmitted by the Originator VASP. Neither VASP is required to verify the accuracy of customer information before screening it.
Both VASPs also screen their own customers’ names.
Yes, the FATF’s Recommendation 17 permits VASPs to rely on third parties for parts of the customer due diligence process, including counterparty sanction screening. VASPs can act as third parties and are permitted to rely on another VASP for the screening of their counterparties as long as the ultimate responsibility for due diligence measures remains with the financial institution depending on the third party.
The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules.
The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today.