Deciphering Travel Rule Expectations: Insights from the FATF Plenary—June 2023

Today, the Financial Action Task Force (FATF) released its fourth annual report on Virtual Assets and VASPs. The report, “Virtual Assets: Targeted Update on Implementation of the FATF Standards” (“Targeted Update 2023”), is based on a voluntary survey that collected responses from 151 jurisdictions, the FATF’s Virtual Assets Contact Group meetings, private sector consultations, including Notabene's participation, and results from FATF’s mutual evaluation reports. Section 2 of the Targeted Update is dedicated to the Travel Rule, focusing on the progress in its adoption and ongoing implementation challenges, including issues with compliance tools.

This article walks you through the key Travel Rule highlights. 

‍

Key Travel Rule Takeaways

‍

How many jurisdictions have implemented vs. enforced the Travel Rule?

The FATF reports that jurisdictions have made insufficient progress in implementing the Travel Rule and urges countries to urgently introduce the required legislation/regulations and operationalize Travel Rule compliance through supervision and enforcement.

Below we illustrate several key data points shared by the FATF to substantiate their findings.

Figure 1 above contrasts the count of jurisdictions that have enacted the Travel Rule with those still adopting it, compared to the survey results from the Targeted Update (2022).

Figure 2 illustrates the progress of jurisdictions on the Travel Rule. It shows the number of jurisdictions that have passed or are adopting legislation for the Travel Rule (62) versus the number of jurisdictions actively enforcing compliance with the Travel Rule (13). 

Relevantly, more than half (54%) of the survey respondents have not taken any steps towards Travel Rule implementation, and even among the jurisdictions that did pass relevant legislation, only a small minority (21%) has “issued findings or directives or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance.” 

The FATF also stresses that the lack of progress is particularly concerning given that Travel Rule compliance requires intra-VASP and cross-border collaboration and, hence, its “effectiveness depends on consistent, global implementation and enforcement.”

‍

The ‘Sunrise Period’ is highlighted as a persistent issue

The Travel Rule, like the sun, rises at different times worldwide. The “sunrise period” refers to when the Travel Rule is not in full effect across jurisdictions. As revealed in Notabene’s 2023 State of Travel Rule Report, ‘Sunrise period effects’ continues to be one of the top 3 hindrances to the implementation of the Travel Rule: 19% of respondents cited it as their greatest compliance challenge. 

The FATF validates these concerns by stating that “Until all VASPs are required to implement the Travel Rule, VASPs operating in or from jurisdictions with Travel Rule obligations will continue to face challenges executing all covered transactions in a compliant manner.” ^[1]

‍

In most countries, domestic VASPs must transact with regulated and/or Travel Rule-compliant counterparties or must otherwise mitigate risks.

The FATF provides interesting insights into how jurisdictions are currently handling the sunrise issue and, more generally, the ability to transact with counterparties. As seen in Figure 5 below, allowing for a grace period for Travel Rule compliance or permitting a phased approach to implementation are still common practices. 

Survey data reveals that while 47% of countries enforce measures to ensure that domestic VASPs transact with regulated or Travel Rule-compliant entities or mitigate risks associated with VASPs that lack AML/CFT obligations (see measures highlighted in blue in the chart below), a substantial 26% of jurisdictions still allow VASPs to transact regardless of licensing status, Travel Rule compliance, or risk mitigation measures.

This aspect is closely connected to VASPs’ counterparty due diligence obligations, which we explore in the following section. 

‍

FATF clarifies that counterparty VASP due diligence must be carried out independently

Performing due diligence on the counterparty is an essential component of Travel Rule compliance. Even in countries where VASPs are allowed to transact with any foreign VASPs, regardless of licensing/registration status, Travel Rule compliance, or risk mitigation measures, the FATF clarifies that the private sector needs to take additional risk mitigation measures “to avoid submitting customer data to inappropriate counterparties.” ^[2] 

As reported by the FATF, counterparty due diligence is one of the reasons cited for resisting Travel Rule interoperability efforts: “the rationale is that compliance tool providers may screen users of their tool to ensure adequate data protection controls or even a level of counterparty due diligence, and therefore consider that allowing information sharing only between tool users (i.e., no interoperability).” ^[3]

However, the FATF clarifies that “VASPs are required to independently assess counterparty risk” and that this approach—taken primarily by closed Travel Rule networks—“does not remove the need for VASPs to independently verify the information and ensure all relevant domestic obligations are met.” ^[3] 

‍

{{cta-learnmore10="/cta-components"}}

‍

Report insights: counterparty due diligence challenges

VASPs still face challenges in performing due diligence on their counterparties. According to the FATF, these challenges are associated with three main reasons:

1. Subsistence of unregistered/unlicensed VASPs
   The FATF reports that only 30% of assessed jurisdictions require VASPs to be licensed or registered) and increased difficulty in obtaining information about these institutions to properly assess whether they are tied to illicit actors or sanctioned persons and the VASP’s AML/CFT compliance level.
2. Lack of public information about licensed/registered VASPs
   E.g., through a database or public register of licensed/registered VASPs.
3. Insufficiency of information available in some Travel Rule compliance tools.
   Some tools are only able to identify counterparties that are subscribers to that particular tool. ^[4] 

To counter the second issue mentioned above, FATF encourages jurisdictions to “maintain and publicise information on VASPs that are registered or licensed in their jurisdiction.” ^[4] The third issue pointed out by the FATF is mainly associated with closed Travel Rule networks. In such systems, VASPs are only able to identify and reach VASPs that are part of the same network, creating a Travel Rule compliance gap. 

The insights shared in Notabene’s 2023 State of Travel Rule Report corroborate the fact that VASPs struggle with counterparty due diligence, as 52% of respondents reported sending Travel Rule transfers to all VASPs without applying any criteria or counterparty due diligence process. 

‍

FATF clarifies that the Travel Rule is a pre-transaction requirement

In its 2023 Targeted Update, FATF dedicates a section to Travel Rule compliance tool shortcomings. The FATF highlights two main issues: the unsuitability of some existent tools to fully comply with FATF standards and the limited interoperability between solutions.

 In this context, the FATF urges:

Jurisdictions to 

1. Engage with VASPs to promote “the adoption of Travel Rule compliance tools that meet all the FATF requirements”; ^[5] 
2. In case shortcomings in Travel Rule compliance tools persist, alert VASPs of non-compliant tools operating within the jurisdiction and remind VASPs only to use compliance tools that meet the FATF requirements and/or take supervisory or enforcement action as appropriate. ^[6] 

VASPs and Travel Rule compliance tool providers to:

1. Review Travel Rule compliance tools to ensure they fully comply with the FATF requirements; ^[7] 
2. Rapidly address any shortcomings; ^[7] 
3. Improve the interoperability of Travel Rule compliance tools globally. ^[7] 

‍

FATF gives examples of shortcomings in available Travel Rule compliance tools

‍

“Many of the compliance tools fall short of the FATF Standards” ^[8] 

Table 2.1 provides “Examples of shortcomings in available Travel Rule compliance tools,” which provides much-needed clarity on what constitutes a compliant Travel Rule implementation.

For FATF's examples of non-compliance, please refer to the table below. 

‍

It is worth highlighting that the FATF clarifies that Travel Rule is a pre-transaction requirement; hence any implementations of post-transaction information transmission fall short of FATF standards.

FATF provides its reasoning below:

“To comply with their freezing obligations in practice, VASPs must submit Travel Rule information in sufficient time for both institutions to conduct sanctions screening, identify any designated persons/entities, and freeze funds before any sanctioned actor can access or dissipate the funds.” ^[8]

‍

This is particularly relevant given the specific characteristics of virtual asset transactions: settlement is immediate and irreversible; hence, only pre-transaction actions can effectively mitigate risk. 

Additionally, the FATF clarifies that the Originator VASP is required to transmit information about the originator and the beneficiary customer. Hence, Travel Rule implementations where the Originator VASP obtains beneficiary customer information from the Beneficiary VASP also fall short of FATF standards. 

‍

FATF calls out the limited interoperability among Travel Rule compliance tools

“There is only very limited interoperability among Travel Rule compliance tools.” ^[9]
- FATF, "Targeted Update 2023,” paragraph 29

The FATF highlights that interoperability between Travel Rule compliance tools limits VASPs’ ability to send Travel Rule information to all counterparties and increases compliance costs for VASPs that have to integrate with multiple tools. 

The report also states that there was limited progress in the past year to improve interoperability while acknowledging that some “industry participants are developing Travel Rule compliance tool aggregators to provide broader coverage amongst VASPs using different tools.” ^[10]

This is the case of Notabene: Notabene's Travel Rule product is the first protocol-agnostic solution and allows VASPs to connect to an open global network of 400+ reachable VASPs to securely exchange data transfers across jurisdictions. To address cases where the counterparty is part of a closed network that the VASP does not participate in, Notabene built a Travel Rule protocol agent that standardizes the connection to different protocols.

Finally, the FATF “urges the private sector to progress towards interoperability, whether through technological advancements that allow interoperability between tools or by developing relationships that permit transactions to be made through a chain of interoperable tools.” ^[11] 

‍

FATF provides guidance on how to assess the suitability of a Travel Rule solution provider

The Targeted Update includes a list of “guiding questions that VASPs should ask to determine whether potential Travel Rule compliance tools will comply with all FATF requirements.” ^[12]

Below, Notabene proactively gives answers to these questions:

‍

‍

Next steps

In addition to the above takeaways, FATF’s Targeted Update 2023 also includes updates regarding the overall adoption of Recommendation 15 and the evolving risks of DeFi and peer-to-peer transactions. FATF will continue outreach, identification, and publication of implementation steps, sharing of findings and experiences, engagement with member countries and the private sector, and conduct a further review by June 2024. The FATF and VACG also monitor developments relating to DeFi and self-hosted wallets, including peer-to-peer transactions.