What is the Crypto Travel Rule?

‍

‍

The original (fiat) Travel Rule

In a publication published in January 1996, the Financial Crimes Enforcement Network (FinCEN) Advisory presented the original Travel Rule:

A Bank Secrecy Act (BSA) rule [31 CFR 103.33(g)]—often called the “Travel” rule—requires all financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution. (FinCEN 1997)

In 2019, the Financial Action Task Force (FATF) updated its recommendations to extend them, including the Travel Rule, to virtual assets (VAs) and VA service providers (VASPs). Individuals who work in crypto and DeFi must understand and abide by these regulatory regimes. Though compliance may feel burdensome, the regulations are designed to prevent transactions with profound national security consequences.

Since the second half of 2019, several countries — including Germany, Singapore, Switzerland, Canada, the United States, South Africa, the Netherlands, and Estonia, among others — have adopted or introduced legislation that mirrors these FATF-driven AML compliance obligations in almost every aspect. 
‍

How does the Travel Rule apply to crypto assets?

The Travel Rule for crypto assets states that any crypto transaction that crosses a certain threshold must be accompanied by the personal information of the customer. Additionally, VASPs must sanction screen the counterparty customer, and perform due diligence on the counterparty VASP. Crypto and DeFi businesses must take time to understand and prepare to abide by these regulations or run the risk of losing their operational licenses.  

To learn more about Travel Rule implementation worldwide, visit our Travel Rule Requirements by Jurisdiction page.

‍

What is a Travel Rule data transfer? 

All Travel Rule–regulated transactions must be accompanied by the customer’s and beneficiary’s personally identifiable information (PII). At Notabene, we call these messages Travel Rule data transfers. ‍

‍

Is there a standard for data included in Travel Rule data transfers?

Naturally, a few questions arise when dealing with the exchange of customer PII:

• What information should be exchanged?
• In what format?
• What happens when a VASP receives customer names formatted with different character sets than their systems are accustomed to?
  
  

The IVMS101 messaging standard, created by the Joint Working Group on interVASP Messaging Standards (interVASP n.d.), defines a standardized customer record data model for transmitting originator and beneficiary information. The FATF and critical regulators such as FinCEN, the Monetary Authority of Singapore (MAS), the United Kingdom’s Financial Conduct Authority (FCA), and Japan’s Financial Services Agency (JFSA) were kept informed during the development of IVMS101. 

On May 6th, 2020, IVMS101 was commended for adoption at an InterVASP closing plenary. Virtually every Travel Rule messaging protocol either uses IVMS101 or has announced plans to support IVMS101 in the future.
‍

Requesting workflow using IVMS 101

To request a transfer, there must be a workflow that enables exchange of information and ultimately authorizes a transfer.

‍

Exchanging required customer PII using IVMS 101

To exchange customer information through the industry-standard Travel Rule messaging protocol, it is essential to:

• Verify that the recipient counterparty VASP is correct
• Ensure the data doesn’t leak
• Leverage several intermediary service providers

‍

Trust framework for VASPs and other FIs

One of the most significant problems in this space is knowing your counterparty VASP. Some questions you can ask to determine the trustworthiness of other VASPs and FIs include:

• Where are they incorporated?
• Are they regulated?
• What are their know-your-customer (KYC) policies?
• Do they have a robust KYC/AML process? Which third-party services do they use for KYC/AML?
• What are their data privacy rules (and which regulation ensures them)?
• Who else trusts them?
• How can I verify that a request belongs to them?
• How can I verify I am sending a request to them (rather than an imposter)?

‍

A risk-based approach to trusting correspondent VASPs

When implementing the Travel Rule, trust is imperative for VASP interaction. VASPs send their customers’ data and rely on their counterparties to do an excellent job KYC-ing their customers. While it is your counterparty’s responsibility to perform KYC on their customer, it is Originator VASP’s responsibility to determine whether their counterparty’s KYC processes are robust.

The FATF recommends performing due diligence on counterparties like a bank would while creating a correspondent banking relationship. Paragraph 105 of FATF’s initial guidance states:

Recommendation 13 stipulates that countries should require FIs to apply certain other obligations in addition to performing normal CDD measures when they engage in cross-border correspondent relationships. Separate and apart from traditional FIs that may engage in covered VA activities and for which all of the measures of Recommendation 13 already apply, some other business relationships or covered VA activities in the VASP sector may have characteristics similar to cross-border correspondent banking relationships. INR. 13 stipulates that for correspondent banking and other similar cross-border relationships, FIs should apply criteria (a) to (e) of Recommendation 13, in addition to performing normal CDD measures. “Other similar relationships” includes money or value transfer services (MVTS) when MVTS providers act as intermediaries for other MVTS providers or where an MVTS provider accesses banking or similar services through the account of another MVTS customer of the bank (see 2016 FATF Guidance on Correspondent Banking Relationships). (FATF Initial Guidance, 2019, para. 105)

In the quote above, the FATF states that VASPs should implement a new due diligence process to determine which VASP they wish to interact with. Even after performing successful due diligence on a VASP, it is recommended that this information be included in the ongoing AML process of approving and denying transactions.

‍

FATF’s counterparty due diligence recommendations

FATF acknowledges that conducting counterparty VASP due diligence in a timely and secure manner is a chalenge, and has provided guidance on how counterparty due diligence could be undertaken:

• Perform due diligence on the counterparty VASP.
• Know where their business is registered.
• Know their licensing status with their local financial regulator.
• Know the ultimate beneficial owners.
• Establish whether any of the ultimate beneficial owners are politically exposed persons or on a sanctions list.
• Investigate and approve of your counterparty’s KYC/AML processes.
• Ensure that both parties understand their responsibilities with regard to the Travel Rule.
• Approve the senior management of the VASP before accepting a relationship.

As required by paragraph 6 of INR.15 (FATF 2021, 108) countries should also have sanctions in place for VASPs and other obligated entities that engage in VA activities but don't meet their AML/CTF requirements.

How do I send Travel Rule data transfers with Notabene?

By signing up for Notabene’s VASP Network, clients are enrolled in Notabene’s free Sunrise Plan. Sunrise users can receive and respond to unlimited Travel Rule data transfers and send transfers up to USD 10,000.00 per month to any of their counterparties — regardless of which Travel Rule solution they use.

‍

How does Notabene support VASP Due diligence?

We have incorporated the industry-standard VASP due diligence questionnaire into our client Dashboard. 

Global Digital Finance, an industry association accelerating digital finance through adopting best practices and standards and engagement with regulators and policymakers, created a VASP-to-VASP due diligence questionnaire based on the Wolfsberg Correspondent Banking Due Diligence Questionnaire (CBDDQ.)

This questionnaire could facilitate Travel Rule compliance if implemented as a standard. Additionally, Notabene’s VASP Network includes the licensing and registration information on 500+ VASPs.

‍

How to access the DDQ:

• Create a free Notabene account
• Navigate to the ‘My Company’ tab.
• Scroll down to ‘Counterparty Due Diligence.'
• You can either ‘Complete, Edit, or View DDQ.’