- The State of Travel Rule Compliance Report chronicles industry readiness–of both crypto and financial institutions–to comply with FATF’s Travel Rule.
- Most respondents plan to become fully compliant by the end of Q2 2022.
- Half of the respondents point to the sunrise period and legal uncertainty regarding the most relevant hindrances to Crypto Travel Rule adoption.
- Close to one-third of companies (31%) are either complying with the Travel Rule or are currently sending or responding to Travel Rule data transfers.
- Although most respondents desire to be fully compliant within the next six months, more than 60% have not started implementation.
Why this matters
Compliance officers at crypto companies and financial institutions have a new task on their plates- complying with the Financial Action Task Force’s (FATF) Recommendation 16–the Crypto Travel Rule.
Crypto businesses must now securely collect, exchange, screen, and store customer and beneficiary information to a crypto transaction. Businesses that must perform this include all enterprises that exchange between virtual assets (VAs) and fiat currencies, exchange between one or more forms of VAs, transfer VAs; safe keep and/or administer VAs or instruments enabling control over VAs; and participate in and provision of financial services related to an issuer's offer and/or sale of a VA.
Travel Rule enforcement dates rise at different times around the world, with considerable variations. As crypto transactions are inherently cross-border, VASPs must not only comply with their local jurisdictions’ stipulations, they must also account for the mandates in their Counterparty VASP’s jurisdiction as well.
In October 2021, Notabene conducted a survey to assess industry-wide Travel Rule compliance readiness. Noteworthy results show that financial institutions and cryptocurrency companies are taking compliance seriously but are at varying states of compliance–largely dependent upon their primary operating jurisdiction.
1. Most respondents plan to become fully compliant by the end of Q2 2022.
2. Half of the respondents point to the sunrise period and legal uncertainty regarding the most relevant hindrances to Travel Rule adoption.
3. Close to one-third of companies (31%) are either complying with the Travel Rule or are currently sending or responding to Travel Rule data transfers.
4. Although most respondents desire to be fully compliant within the next six months, more than 60% have not started implementation.
What this means:
The takeaways listed above and the remaining six listed in the State of Travel Rule Report demonstrate that VASPs are taking Travel Rule compliance seriously–yet they seemingly underestimate the resources and time investment required to comply with the Travel Rule fully.
- Identify Travel Rule transactions
- Determine wallet type and counterparty
- Identify and verify Beneficiary VASP
- Analyze beneficiary risk level through a blockchain analytics provider
- Detect and verify wallet ownership
- Leverage sanctions screening integrations to identify illicit actors
- Verify Counterparty VASP’s ML/TF information
- Apply appropriate jurisdictional requirements
- Send and receive customer data in a GDPR-compliant manner
- Interact with a wide variety of blockchain messaging protocols
All while accounting for the differences in Travel Rule messaging protocols, the required originator and beneficiary information, transactions with unhosted wallets, and enforcement of de minimis thresholds in their counterparty’s jurisdiction.
5. Top 6 Pitfalls to Crypto Travel Rule Adoption.
Chapter 4 of Notabene’s first semi-annual State of Crypto Travel Rule Compliance Report also outlines the commonly reported six pitfalls to Travel Rule adoption.
- The sunrise period
- Counterparty VASP due-diligence
- Data protection considerations
- Effective sanction screening vs. data accuracy requirements
- Requirements applicable to cross-border transactions
- Protocols and interoperability.
5.1. The sunrise period
The Travel Rule, like the sun, rises at different times around the world. The industry has aptly named the period when the Travel Rule is not fully implemented across jurisdictions, as the "sunrise period."
Compliance with the Travel Rule during the sunrise period is problematic for VASPs because crypto transactions are inherently global. Unless their counterparties take a proactive approach to compliance, VASPs situated in countries where the Travel Rule is already in effect may struggle to continue business connections with their counterparties. Of the surveyed VASPs, 25% point to the sunrise period as the #1 obstacle to complying with the Travel Rule.
The FATF acknowledges the dawn period's compliance challenges. The FATF offers numerous measures that VASPs can implement to comply with Travel Rule requirements regardless of their counterparties' compliance stages.
Chapter 3 of the State of Travel Rule report details the sunrise period.
5.2. Counterparty VASP due-diligence
Another reported pitfall that VASPs face is difficulty identifying who controls the wallet they are transacting with. Travel Rule requirements change in many jurisdictions depending on whether the funds are being transmitted to a hosted or non-custodial wallet. Moreover, regulations vary depending on whether the Counterparty VASP is located in the same jurisdiction or not. Therefore, correctly identifying the counterparty is a critical part of compliance.
The due diligence process must take place before conducting any Travel Rule data transfer (FATF's Updated Guidance [OCT 2021], paragraph 196) while considering the following factors:
- the robustness of the counterparty's data storage and security framework
- the licensing and registration requirements of the jurisdiction where the VASP is based, and
- whether the counterparty is complying with the Travel Rule
(FATF's Updated Guidance [OCT 2021], paragraph 199)
Learn more about Counterparty VASP due diligence in Chapter 4 of the State of Travel Rule Report.
5.3. Data protection considerations
The Travel Rule obliges VASPs to transfer customer PII, which increases personal data exposure and thus prompts novel data protection risks during a previously-anonymous crypto transaction. Before, the originator simply entered a blockchain wallet address and sent the transaction.
- VASPs’ customer personal data now must be transmitted and shared with the counterparty VASP.
- The personal data of the counterparty Originator or Beneficiary Customer must be used to assess transaction risks (e.g., screening against sanction lists);
- Both VASPs must keep records of their customers’ and counterparty Originator or Beneficiary Customer’s personal data.
The new requirements prompt various areas of potential data leakage.
For this reason, assessing the robustness of the counterparty VASP's data storage and security framework is an essential part of the due diligence process before transacting with any new counterparty VASP.
See Chapter 4, Section 2 of The State of Travel Rule Report to learn more.
5.4. Effective sanction screening vs. data accuracy requirements
A primary goal of enforcing Travel Rule requirements on VASPs is to prevent designated persons and entities from circumventing sanctions by using virtual assets. VASPs are required to take freezing actions and prohibit transactions with designated persons and entities. The exchange of Travel Rule information allows VASPs to take these actions concerning their counterparty originator or Beneficiary Customer.
VASPs are required to rely on data that they do not need to verify to screen their counterparties against sanction lists. The data used to screen their counterparties against sanction lists is often insufficient and non-verifiable. Identifying false-positive sanction screening findings may prove to be complex when the Beneficiary Customer's name is all the Originator VASP needs to obtain.
Under FATF's Recommendation 17, countries can permit obliged entities to rely on third parties to perform parts of the customer due diligence process. The FATF explicitly recognizes that VASPs can act as third parties, allowing companies to rely on the sanction screening performed by the VASP that has more comprehensive access to the underlying data and the obligation to verify it.
Learn more about effective sanction screening in Chapter 4 of The State of Travel Rule Report.
5.5. Requirements applicable to cross-border transactions
As highlighted in Chapter 3 of the State of Travel Rule Report, the implementation of the Travel Rule varies substantially across jurisdictions, which, due to the international nature of crypto transactions, causes difficulties in the collaboration between VASPs to achieve Travel Rule compliance.
Compliance becomes particularly challenging when the VASPs' jurisdictions enforce different de minimis thresholds and set forth different scopes of required Originator and Beneficiary Customer information. VASPs will tend to set their processes to fulfill the requirements of their prospective jurisdiction. However, that may not always be enough to successfully complete transactions with VASPs in jurisdictions that enforce stricter, or simply different, rules. This will cause delays in the transaction flow and ultimately force all VASPs to adhere to the most stringent requirements among the involved jurisdictions, regardless of the policy decisions made by their local authority.
Download the State of Travel Rule Report to read more.
5.6. Protocols and interoperability
Upon the release of FATF's Initial Guidance [JUN 2019], various companies and industry working groups began developing Travel Rule messaging protocols to address a significant component of Travel Rule compliance: a method to safely and securely transfer customer PII alongside blockchain transactions. Today, there are nine Travel Rule messaging protocols on the market, with various underlying tech and data transmission methods. This presents issues around interoperability and adds copious amounts of time to find a best-fit solution.
The following factors need to be considered when VASPs are selecting Travel Rule messaging protocols:
- Integration effort
- Interoperability with various protocols
- Governance model
- Non-custodial wallet support
- Launch date
- Industry support
- Membership/usage fee
- Building an in-house solution on top of a messaging protocol or choosing a fully-integrated software provider
Learn more about Protocols and Interoperability in Chapter 4 of the State of Travel Rule Report.
6. Survey Methodology
The State of Travel Rule Report survey was conducted in October 2021. Before release, the Notabene team prepared the questions, and advisors and fellow industry members reviewed them. The survey questions were shared in a digital format directly with VASPs and financial institutions eligible to provide crypto services. The survey provided the option for companies to remain anonymous in their responses.
Fifty-six companies completed the survey, representing broad global coverage. Overall, 45% of respondents (or 25 respondents) have primary operating jurisdiction in APAC, 30% in EMEA (or 17 respondents), and 25% in the Americas (or 14 respondents). A table is included below with a breakdown by operating jurisdiction.
Of the 56 participants, 13% (or 7 respondents) have a banking license or are a banking institution, and 86% (or 48 respondents) are crypto-native businesses. One participant requested to remain anonymous.