Crypto Travel Rule 101

VASP Due Diligence: Establishing Trust in Counterparty Sanctions Screening

Summary:
  • One aim of Travel Rule compliance is to prevent sanctions evasion through virtual assets.
  • VASPs routinely screen their customers against sanctions lists, but are not obligated to verify counterparty customer data before screening it.
  • FATF Recommendation 17 allows VASPs to rely on third parties to perform elements of counterparty customer due diligence, including other VASPs. 
  • The Travel Rule's VASP-to-VASP due diligence obligations can provide a foundation for mitigating the risk of sanctions screening unverified information and establish a trust framework for mutual reliance on counterparty sanctions screening.
  • VASPs need an efficient method to identify and conduct due diligence on each counterparty VASP to prevent adverse effects on transaction speed and volume.

TL;DR:

  • One aim of Travel Rule compliance is to prevent sanctions evasion through virtual assets.
  • VASPs routinely screen their customers against sanctions lists, but are not obligated to verify counterparty customer data before screening it.
  • FATF Recommendation 17 allows VASPs to rely on third parties to perform elements of counterparty customer due diligence, including other VASPs. 
  • The Travel Rule's VASP-to-VASP due diligence obligations can provide a foundation for mitigating the risk of sanctions screening unverified information and establish a trust framework for mutual reliance on counterparty sanctions screening.
  • VASPs need an efficient method to identify and conduct due diligence on each counterparty VASP to prevent adverse effects on transaction speed and volume.

The importance of VASP due diligence in Travel Rule compliance

A primary goal of enforcing Travel Rule requirements on virtual asset service providers (VASPs) is to prevent designated persons and entities from circumventing sanctions using virtual assets. 

VASPs routinely screen their customers against relevant sanction lists as a part of their KYC processes but are not obliged to verify the counterparty customer data before screening it. This reliance on unverified data can lead to false positive results and create difficulties for VASPs complying with the Travel Rule. 

To balance the demands of an effective sanctions compliance program with the data requirements set by the FATF, VASPs can apply the guidelines for third-party assistance in customer due diligence set forth in Recommendation 17 to counterparty sanction screening, which goes well with another component of Travel Rule compliance: the VASP-to-VASP due diligence obligation.

What are the crypto Travel Rule's data requirements?

One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit, and store certain information about the Originator and the Beneficiary of a transaction.

“Countries should ensure that ordering institutions (whether a VASP or other obliged entity such as a FI) involved in a VA transfer, obtain and hold required and accurate originator information and required beneficiary information and submit the information to beneficiary institutions (whether a VASP or other obliged entity, such as a FI), if any. Further, countries should ensure that beneficiary institutions (whether a VASP or other obliged entity, such as a FI) obtain and hold required (but not necessarily accurate) originator information and required and accurate beneficiary information.” (FATF 2021, p. 57, para 181)

According to FATF’s Updated Guidance, the Originator and Beneficiary Customer information that the Originator VASP needs to obtain and transmit to the Beneficiary VASP and that the Beneficiary VASP, in turn, needs to receive is the following:

required originator and beneficiary customer information graphic for crypto
Figure 1: Required Originator and Beneficiary Customer Information. Source FATF 2021 p. 60, para. 182)

Originator and Beneficiary VASP data obligations

FATF also gives guidance on the obligations of the Originator and Beneficiary VASPs regarding customer information. We’ve illustrated the requirements in Figure 2 below.

VASP obligations during a regulated transaction are as follows: 

  • The Originator VASP must collect from their customer (the Originator Customer) information about the beneficiary of the transaction (Beneficiary Customer). The accuracy of this information does not need to be verified by the Originator VASP. The Originator VASP should then screen the Beneficiary Customer information against relevant sanction lists to determine whether the Beneficiary Customer is a designated person. 
  • Conversely, the Beneficiary VASP needs to rely on the information about the Originator Customer transmitted by the Originator VASP to perform the screening against sanction lists. Likewise, the Beneficiary VASP is not required to verify the accuracy of the Originator Customer information transmitted by the Originator VASP. 
  • Each VASP also screens the name of its own customer (Originator or Beneficiary Customer, as the case may be) as part of the customer due diligence process.
data requirements for originator vasps graphic
Source: FATF 2021 p. 59. Table 1. Illustrated by Notabene.)

This means VASPs must rely on data they do not need to verify to screen their counterparties against sanction lists. Often, the unverified data proves insufficient. In instances where the Originator VASP is required to collect only the name of the Beneficiary Customer, identifying false positive sanction screening results can be an unfeasible task as a name itself does not provide sufficient resolution on the identity of the Beneficiary Customer. 

Relying on unverified and insufficient data for sanction compliance may be inefficient in securing appropriate freezing actions and effectively prohibiting transactions with designated persons and entities.

FATF permits VASPs to leverage third parties for counterparty sanction screening

FATF’s Recommendation 17, “Reliance on Third Parties,” states that financial institutions can rely on third parties to perform parts of the customer due diligence (CDD) process. The FATF explicitly recognizes that VASPs can act as third parties. (FATF 2022, pg. 85, para 1

“Countries may permit financial institutions to rely on third parties to perform elements (a)-(c) of the CDD measures set out in Recommendation 10 or to introduce business, provided that the criteria set out below are met. Where such reliance is permitted, the ultimate responsibility for CDD measures remains with the financial institution relying on the third party.”  - FATF Recommendation 17
“The third party will usually have an existing business relationship with the customer, which is independent from the relationship to be formed by the customer with the relying institution, and would apply its own procedures to perform the CDD measures.” -FATF Interpretive Note to Recommendation 17

When this framework is applied to counterparty sanction screening, VASPs can rely on the screening done by another VASP with complete access to the underlying data and the responsibility to verify it. For example, the Beneficiary VASP could trust the Originator VASP with the screening of the Originator Customer, and the Originator VASP could trust the Beneficiary VASP with the screening of the Beneficiary Customer. 

Applying the guidelines for third-party assistance in customer due diligence set forth in Recommendation 17 to counterparty sanction screening goes well with another component of Travel Rule compliance: the obligation for VASP-to-VASP due diligence.

Travel Rule compliance builds VASP-to-VASP trust

Establishing trust between VASPs is built into Travel Rule compliance–the requirements oblige VASPs to perform due diligence on their counterparties to assess the robustness of their AML/CTF compliance programs. (FATF 2021 p. 64. para 197) The resulting trust framework can also be leveraged for mutual reliance on each other for counterparty sanctions screening.

The counterparty VASP due diligence process must include several factors, such as:

  • The robustness of the counterparty's AML/CTF program, data storage, and security framework, 
  • The licensing and registration requirements of the jurisdiction where the VASP is based, and
  • Whether the counterparty VASP complies with the Travel Rule. (FATF 2021 p. 66. para 199)

This process helps ensure that VASPs interact with responsible parties who can protect confidential information and reduces the risk of dealing with illicit actors. Additionally, this assessment must occur before conducting any Travel Rule data transfer. (FATF 2021 p. 64. para 196)

overview of generatlised counterparty vasp due dilligence graphic
Figure 3: Overview of generalized counterparty VASP due diligence process. (FATF 2021 p. 65) Illustrated by Notabene.

In summary, VASP due diligence provides a solid foundation to mitigate the risk of sanctions screening unverified information: the robustness of your counterparty's sanction screening process can inform your risk-based approach to screening their customers.

How can Notabene help VASPs validate counterparty data by performing VASP to VASP due diligence at scale?

To prevent any adverse effects on transaction speed and volume, VASPs need an efficient method to identify and conduct due diligence on each counterparty VASP. Notabene’s full-service Travel Rule compliance solution removes friction from the VASP-to-VASP due diligence process.

We’ve incorporated the industry-standard VASP-to-VASP Due Diligence Questionnaire (DDQ) into our compliance dashboard, allowing VASPs to upload their legal and security information into a secure portal and share their due diligence information 1:1 between selected parties. Through the Notabene Network, VASPs can request, share, decline, and revoke access to the DDQ and view the document’s shared history. 

Click here to access the Notabene Network

Resources:

FATF. 2021. Updated Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers. Paris: FATF. Published June 21, 2021.

Our certification program covers this topic and much more

FAQ

VASP Due Diligence

What are the customer information requirements for VASPs complying with the FATF crypto Travel Rule?

With non-custodial crypto wallets, users have complete control over their funds and the associated private key. It is important to note that the terms “non-custodial” and “unhosted “are used interchangeably in the industry.

What is the difference between a custodial wallet and a non-custodial wallet?

Under the crypto Travel Rule, VASPs must collect, verify, transmit, and store certain information about a transaction’s Originator and Beneficiary. The FATF gives guidance on the obligations of the Originator and Beneficiary VASPs regarding customer information.

What are the Originator and Beneficiary VASP data obligations in the context of the Travel Rule?

The Originator and Beneficiary VASPs must screen counterparty customer information against relevant sanctions lists, with the Originator VASP collecting data from its customer about the Beneficiary Customer and the Beneficiary VASP relying on information transmitted by the Originator VASP. Neither VASP is required to verify the accuracy of customer information before screening it.

Both VASPs also screen their own customers’ names.

Can VASPs rely on third parties for counterparty sanction screening per the Travel Rule?

Yes, the FATF’s Recommendation 17 permits VASPs to rely on third parties for parts of the customer due diligence process, including counterparty sanction screening. VASPs can act as third parties and are permitted to rely on another VASP for the screening of their counterparties as long as the ultimate responsibility for due diligence measures remains with the financial institution depending on the third party.

What is the FATF’s approach to peer-to-peer transactions?

The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules.

The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today.

SafeTransact Rise

FREE | NO INTEGRATION REQUIRED

Start with the basics. Ease into Travel Rule compliance with our code-free, low-effort SafeTransact-Rise plan. Ramp up the full implementation when you're ready.

Learn more
Incoming TX
unlimited
OUTGOING TX
up to US$10k
DASHBOARD
full access
VASP NETWORK
full access

By clicking “Get started” you’re agreeing to sign up to Notabene’s SafeTransact-Rise plan

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.