Determining whether a transaction is with another VASP is the first phase of a due diligence process. This phase helps assess whether the counterparty VASP is eligible to establish a business relationship and send customer data (FATF’s Updated Guidance [OCT 2021], section 197 / c). 

Through this process, VASPs avoid dealing with illicit and sanctioned actors. They can ensure that counterparties can protect the confidentiality of the shared Travel Rule information (FATF’s Updated Guidance [OCT 2021], section 196.)

The Counterparty VASP’s due diligence process must consider several factors, such as:

  • The robustness of the counterparty’s data storage and security framework, 
  • The licensing and registration requirements of the jurisdiction where the VASP is based, and
  • Whether the counterparty complies with the Travel Rule. (FATF’s Updated Guidance [OCT 2021], paragraph 199).

Additionally, this assessment must occur before conducting any Travel Rule data transfer (FATF’s Updated Guidance [OCT 2021], paragraph 196.)

The operational importance of VASP due diligence 

Compliance with the Travel Rule necessarily hinges on accurate identification of the counterparty. Identifying who controls the wallet they are transacting with is a widely cited pitfall that VASPs face when implementing the Travel Rule, yet it is a crucial step for VASPs, as the classification of the originating and beneficiary wallet owner will determine the applicable Travel Rule requirements. 

As mentioned on our regulations page, enforcement varies depending on whether the transaction is with an unhosted wallet or another VASP, and if the counterparty VASP is registered in the same jurisdiction or a third country. 

VASPs are required by paragraph 197 of FATF’s Updated Draft Guidance to perform due diligence on their counterparties, yet the FATF acknowledges that accurately identifying the counterparty VASP is not possible in all circumstances. 

To date, the FATF is not aware of any technically proven means of identifying the VASP that manages the beneficiary wallet exhaustively, precisely, and accurately in all circumstances and from the VA address alone.
- FATF’s Updated Guidance [OCT 2021], paragraph 97 / A.)

An overview of the generalized counterparty due diligence process. (Source: FATF's Updated Guidance. Illustrated by Notabene)

The current process of VASP to VASP due diligence

As crypto transfers are recorded in public ledgers, VASPs treat their wallet address books as confidential information. Revealing wallet addresses would grant competitors, and other third parties access to information about the VASP’s business and transactions that would be treated as strictly confidential in the traditional finance world. Because of this, VASPs currently rely on blockchain analytics providers like Chainalysis, Elliptic, and TRM to determine whether a transaction is with another VASP and identifies which VASP it is.

Standards for scalable and reusable due diligence processes

To mitigate any adverse impacts of due diligence processes on the transaction volume and speed, it is essential to work on standards for scalable and reusable due diligence processes.

To address this, the Global Digital Finance (GDF) ’s AML Working Group began working on a standardized due diligence questionnaire similar to that found in traditional finance and known as the Wolfsberg DDQ. Later, they published the industry-specific VASP-to-VASP Due Diligence Questionnaire (DDQ). If adopted by the wider industry, this questionnaire could facilitate this component of Travel Rule compliance. 

VASP due diligence on a messaging protocol vs. full-service Travel Rule compliance solution

Since Travel Rule messaging protocols only address sending and receiving customer data, they rely on third-party services to perform due diligence on their network VASPs. It is improbable that a third party would have information on smaller exchanges, leading VASPs to painstakingly carry out due diligence on each of their counterparties themselves.

As a full-service Travel Rule compliance solution, Notabene clients can upload and share their due diligence information 1:1 between parties, removing friction from an already complex process.

How does Notabene support VASP due diligence?

Notabene’s VASP Network features the GDF’s VASP to VASP DDQ.

How to access the DDQ:

  • Navigate to the ‘My Company’ tab,
  • Scroll down to ‘Counterparty Due Diligence,’
  • You can either ‘Complete, Edit, or View DDQ.’

The GDF's VASP DDQ on Notabene's Travel Rule Compliance software.

In our February 2022 release, we integrated the first version of the VASP DDQ. We will continually update the document as the GDF releases the final standard for VASP to VASP due diligence.

From the VASP Network, clients can:

  • Sign up for a free ‘Sunrise’ account.
  • Fill out and submit their VASP DDQ.
  • Request a completed questionnaire from another VASP within the Notabene network (provided they filled it out already.)

VASPs are now able to:

  • Request access to a VASP's DDQ within the Notabene network, even if they haven’t yet filled it out. This request will trigger an email to the VASP, inviting them to complete the DDQ.
  • Share and Decline access to the questionnaire.
  • Revoke access to the questionnaire at any time.
  • View the document’s share history.
DDQ share history on Notabene's Travel Rule Compliance Dashboard.

Click here to access the VASP Network.‍