TL;DR:
Since the FATF clarified that the Travel Rule applies to crypto firms, various regulators have interpreted and applied the recommendation differently. Many jurisdictions have varied enforcement dates, Travel Rule thresholds, approaches to required Originator and Beneficiary information, and techniques for handling transactions to self-hosted wallets.
For example, several global regulators and the FATF guidance stipulate that VASPs must apply the Travel Rule to any transaction over $1,000 involving another VASP, whereas current U.S. rules specify $3,000. Some jurisdictions do not specify a threshold. Additionally, the crypto Travel Rule enforcement date varies: South Korea enforced it on March 25, 2022; Estonia began enforcement on June 15, 2022; and Singapore began enforcing it on January 28, 2020.
These variations are essential to note as companies ramp up their Travel Rule compliance plans and test cross-jurisdictional Travel Rule transactions.
This page dives into four critical components of Travel Rule compliance to provide an overview of the different approaches jurisdictions are using to achieve compliance:
Regulated VASPs whose counterparties are located in jurisdictions with unclear or far-off enforcement dates run into compliance issues. This unique problem is called the ‘sunrise issue.’
In June 2022, the FATF published a Targeted Update on Implementation and concluded that jurisdictions had made limited progress in introducing FATF’s Travel Rule.
As of March 2022, while 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation, only 11 jurisdictions have started enforcement and supervisory measures. While around a quarter of responding jurisdictions are now in the process of passing the relevant legislation, around one-third (36 out of 98), have not yet started introducing the Travel Rule. This gap leaves VAs and VASPs vulnerable to misuse, and demonstrates the urgent need for jurisdictions to accelerate implementation and enforcement. (FATF 2022, para 2).
The image below provides a non-exhaustive overview of where different jurisdictions stand with Travel Rule adoption.
Countries reportedly attribute the delay in rolling out Travel Rule compliance to the lack of scalable technological infrastructure. Despite this, paragraphs 200–201 of FATF’s updated guidance state that countries are expected to implement the Travel Rule as soon as possible and that the sunrise issue should not preclude VASPs from implementing “robust control measures to comply with the Travel Rule requirements.” (FATF 2021b, pg.64, para 201)
One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit, and store certain information about the Originator and Beneficiary of a transaction. The image below illustrates the customer information Originator VASPs are mandated to obtain and transmit to the Beneficiary VASP in a Travel Rule–compliant transaction.
The FATF also gives guidance on the obligations that the Originator and Beneficiary VASPs shall have regarding such information.
Yet various regulatory bodies (Singapore, Switzerland, Canada, etc.) have adjusted the scope of Originator and Beneficiary Customer information that VASPs must collect, verify, and transmit in their jurisdictions. The image below highlights some differences in coverage across a few jurisdictions.
Considering the inherently international nature of crypto transactions, these differences in implementing the FATF’s guidance across jurisdictions create pitfalls to compliance.
Learn more in Chapter 4, Section 5 of the State of Crypto Travel Rule Compliance Report.
The FATF originally recommended that countries adopt a de minimis threshold of 1,000 USD/EUR, below which Travel Rule requirements would not apply to the transaction. (FATF 2021b, p. 29, para. 112) However, with the more recent update to its guidance, the FATF changed its approach. While continuing to allow countries to adopt a de minimis threshold, the FATF called out additional compliance obligations regardless of the transaction amount:
191. (...) For VA transfers under the threshold, countries should require that VASPs collect:
a. the name of the Originator and the Beneficiary; and
b. the VA wallet address for each or a unique transaction reference number.
192. Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified. (FATF 2021b, p. 61, paras. 191-192)
Regulatory bodies such as the European Union submitted a similar proposal subjecting all transactions to the Travel Rule regardless of the amount.
Some countries, like Singapore, require a limited scope of shared data below the de minimis threshold. In Singapore, the Ordering VASP must submit Originator Customer and Beneficiary Customer information to the Beneficiary VASP regardless of the transaction amount. However, above the threshold of SGD 1,500, a broader scope of originator information needs to be transmitted. (MAS 2019, p. 28, para. 13.4-6)
Learn more on our Singapore jurisdiction page.
Some countries, like Canada, opted to exempt VASPs from Travel Rule obligations when transactions fall below a certain threshold. However, Canada enforces yet another threshold for recordkeeping purposes:
Learn more on the crypto Travel Rule in Canada page.
TL;DR: Jurisdictions differ in the information that must be sent at certain thresholds, which adds friction to compliance and means staying abreast of each counterparty VASP’s jurisdiction’s particular thresholds and the required information for each threshold.
Currently, transfers between self-hosted wallets, so-called P2P transactions, are not explicitly covered by AML/CTF rules. The FATF opens the door to a future paradigm change if there is a distinct trend toward P2P transactions. Nevertheless, the FATF’s recent guidance recommends two methods of dealing with transactions to self-hosted wallets.
Jurisdictions take a risk-based approach when regulating P2P transactions and adopt risk-mitigation measures if needed. Below, we transcribe a non-exhaustive list of measures provided by the FATF.
The FATF added virtual asset transfers between VASPs and non-hosted wallets to the scope of the Travel Rule (in a specific manner in some instances) in paragraph 179 of its October 2021 guidance. The FATF recommends collecting such Travel Rule data from customers of VASPs.
VASPs sending or receiving a VA transfer to/from an entity that is not a VASP or other obliged entity (e.g., from an individual VA user to an unhosted wallet), should obtain the required originator and beneficiary information from their customer. (FATF 2021b, p. 65, para. 204)
This means:
Looking at different implementations of the Travel Rule, we were able to identify four distinct approaches to transactions between VASPs and self-hosted wallets by national regulators. Below, we have listed various implementations of these FATF Recommendations by different federal regulations.
A lighter approach is taken by countries that require VASPs to apply enhanced due diligence measures when transacting with self-hosted wallets. Liechtenstein is one example, where transfers to and from self-hosted wallets are not subject to Travel Rule requirements (FMA 2021, p. 7, para. 7).
However, in these cases, VASPs shall enforce enhanced risk mitigation measures such as the following:
In case of transactions to self-hosted wallets that belong to the VASP’s customer, requiring customers to prove ownership of the self-hosted wallet.
Other jurisdictions, such as the UK* and Gibraltar**, essentially replicate the FATF’s recommendations. (HMT, 2021, 34), (Gov. of Gibraltar, 4) In these cases, VASPs are required to collect from their customer the needed information about the owner of the originating or beneficiary self-hosted wallet; still, VASPs are not required to verify this information.
*The UK has not yet passed laws to implement the Travel Rule. It suggests this approach in the document it submitted to public consultation, but the final approach may change.
**It is worth highlighting that Gibraltar only addresses this issue in the context of receiving a transaction from a self-hosted wallet. It is unclear what rules apply when VASPs send funds to self-hosted wallets.
Singapore (MAS 2020 p.41, para 13.7) and Germany (Scholz 2021, p.2, para 4.3) have taken yet another step forward in requiring VASPs to identify and verify the identity of the owner of the Originating or Beneficiary self-hosted wallet.
Finally, in Switzerland, the Travel Rule requirements are the same, regardless of whether the transaction is with a VASP or a self-hosted wallet. Switzerland requires VASPs to verify the identity of the self-hosted wallet owner and confirm that the identified owner controls the wallet. (FINMA 2019, p. 3)
TL;DR: The requirements applicable to VASPs dealing with self-hosted wallets vary substantially across jurisdictions. In addition to the potential for jurisdictional arbitrage, the lack of solution-oriented guidance on how VASPs can effectively comply with the requirements drives VASPs to take simplified approaches that do not necessarily reflect their risk assessment.
While most virtual asset activity is safe, bad actors take advantage of virtual assets for illicit activities. Introducing regulations to help control that and put mechanisms in place makes it a safer environment for consumers and businesses alike and will ultimately help bring more crypto adoption.
In early 2019, the FATF issued guidance that required virtual asset service providers and financial institutions participating in a transaction to exchange relevant beneficiary and originator KYC information. FATF member governments ratified these guidelines in June of 2019, with regulators from global jurisdictions following suit. The Travel Rule is now mandated for most crypto businesses globally.
Founded in 1989, the Financial Action Task Force (FATF) is an inter-governmental global money laundering and terrorist financing watchdog that sets international standards to prevent illegal activities like terrorist financing and money laundering. In 2018, the FATF adopted changes that now explicitly cover financial transactions involving virtual assets.
The FATF has created a new definition for businesses operating in the crypto space, which it calls VASPs (Virtual Asset Service Providers). These VASPs now need to become licensed in the jurisdictions they operate in. The Travel Rule probably applies if your business is involved in:
- Exchange of cryptocurrency (both crypto-fiat and crypto-crypto)
- Transfer of cryptocurrency
- Providing financial services related to the issuance, initial offer, and sale of virtual assets
- Providing custodian wallets
The FATF stipulates that in transactions over a certain threshold, the originator VASPs must include and send the following:
- The name of the originator
- The blockchain address of the originator
- The identity of the originator’s VASP
- The originator’s identification number, e.g., National ID number or Passport number
- The virtual asset type and the amount being transmitted, and
- The identity of the beneficiary’s financial institution
- The name of the beneficiary
- The blockchain address or account number of the beneficiary
*It is important to note that different jurisdictions may require slightly different information.
View our jurisdiction pages for more details.
Future business opportunities after complying with the FinCEN Travel Rule are immense. FATF Travel Rule compliance presents the most significant opportunity for virtual assets to become widely accepted in everyday use cases. Cryptocurrency companies that comply will have better access to traditional banking, which will allow easier access to institutional investors. They will also be able to provide more visibility and trust around each transaction for their customers.
Notabene’s end-to-end Travel Rule compliance software was created to solve each component of the crypto Travel Rule on all fronts.
Our robust solution and integrations guide businesses to fulfill each Travel Rule compliance requirement: