‍

‍

Crypto Travel Rule requirements vary by jurisdiction

Since the FATF clarified that the Travel Rule applies to crypto firms, various regulators have interpreted and applied the recommendation differently. Many jurisdictions have varied enforcement dates, Travel Rule thresholds, approaches to required Originator and Beneficiary information, and techniques for handling transactions to self-hosted wallets.

For example, several global regulators and the FATF guidance stipulates that VASPs must apply the Travel Rule to any transaction over $1,000 involving another VASP, whereas current U.S. rules denote $3,000. Some jurisdictions do not specify a threshold. Additionally, the crypto Travel Rule enforcement date varies: South Korea enforced it on March 25, 2022; Estonia began enforcement on June 15, 2022; and Singapore began enforcing it starting January 28, 2020. 

These variations are essential to note as companies ramp up their Travel Rule compliance plans and test cross-jurisdictional Travel Rule transactions. 

This page dives into four critical components of Travel Rule compliance to provide an overview of the different approaches jurisdictions are using to achieve compliance: 

• Enforcement date
• Required originator and beneficiary information
• Thresholds
• Transactions to/from self-hosted wallets

‍

Enforcement date: sunrise issue

Regulated VASPs with counterparties located in jurisdictions with unclear or far-off enforcement dates cause issues with compliance. This unique problem is called the ‘sunrise issue.’ 

In June 2022, the FATF published a Targeted Update on Implementation and concluded that jurisdictions had made limited progress in introducing FATF’s Travel Rule.

As of March 2022, while 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation, only 11 jurisdictions have started enforcement and supervisory measures. While around a quarter of responding jurisdictions are now in the process of passing the relevant legislation, around one-third (36 out of 98), have not yet started introducing the Travel Rule. This gap leaves VAs and VASPs vulnerable to misuse, and demonstrates the urgent need for jurisdictions to accelerate implementation and enforcement. (FATF 2022, para 2).

The image below provides a non-exhaustive overview of where different jurisdictions stand with Travel Rule adoption.

Countries reportedly attribute the delay in rolling out Travel Rule compliance to the lack of scalable technological infrastructure. Despite this, paragraphs 200–201 of FATF’s updated guidance state that countries are expected to implement the Travel Rule as soon as possible and that the sunrise issue should not preclude VASPs from implementing “robust control measures to comply with the Travel Rule requirements.” (FATF 2021b, pg.64, para 201)

Originator and Beneficiary Customer information

One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit, and store certain information about the Originator and Beneficiary of a transaction. The image below illustrates the customer information Originator VASPs are mandated to obtain and transmit to the Beneficiary VASP in a Travel Rule–compliant transaction.

The FATF also gives guidance on the obligations that the Originator and Beneficiary VASPs shall have regarding such information.

Yet various regulatory bodies (Singapore, Switzerland, Canada, etc.) have adjusted the scope of Originator and Beneficiary Customer information that VASPs must collect, verify, and transmit in their jurisdictions. The image below highlights some differences in coverage across a few jurisdictions.

Considering the inherently international nature of crypto transactions, these differences in implementing the FATF’s guidance across jurisdictions create pitfalls to compliance.

Learn more in Chapter 4, Section 5 of the State of Crypto Travel Rule Compliance Report.

Thresholds

FATF originally recommended countries to adopt a de minimis threshold of 1,000 USD/EUR, below which Travel Rule requirements would not apply to the transaction. (FATF 2021b, p. 29, para. 112) However, with the more recent update to their guidance, the FATF changed its approach. While continuing to allow countries to adopt a de minimis threshold, the FATF called out additional compliance obligations regardless of the transaction amount:

191. (...) For VA transfers under the threshold, countries should require that VASPs collect: a. the name of the Originator and the Beneficiary; and
b. the VA wallet address for each or a unique transaction reference number. 
192. Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified. (FATF 2021b, p. 61, paras. 191-192)

Regulatory bodies such as the European Union submitted a similar proposal subjecting all transactions to the Travel Rule regardless of the amount. 

Countries' approaches to adopting new threshold ordinance:

• A broader scope of Travel Rule obligations above a de minimis threshold.

Some countries, like Singapore, require a limited scope of shared data below the de minimis threshold. In Singapore, the Ordering VASP must submit Originator Customer and Beneficiary Customer information to the Beneficiary VASP regardless of the transaction amount. However, above the threshold of SGD 1,500, a broader scope of originator information needs to be transmitted. (MAS 2019, p. 28, para. 13.4-6)

Learn more on our Singapore jurisdiction page.

• De minimis threshold enforced

Some countries, like Canada, opted to exempt VASPs from Travel Rule obligations when transactions fall below a certain threshold. However, Canada enforces yet another threshold for recordkeeping purposes: Learn more on the crypto Travel Rule in Canada page.

TL:DR; Certain jurisdictions have differences in required information sent at certain thresholds, which adds friction to compliance; staying abreast of each counterparty VASP’s jurisdiction’s particular thresholds and required information for each threshold.

Transactions to self-hosted wallets

Currently, transfers between self-hosted wallets, so-called P2P transactions, are not explicitly covered by AML/CTF rules. The FATF opens the door to a future paradigm change if there is a distinct trend toward P2P transactions. Nevertheless, the FATF’s recent guidance recommends two methods of dealing with transactions to self-hosted wallets. 

Jurisdictions take a risk-based approach when regulating P2P transactions and adopt risk-mitigation measures if needed. Below, we transcribe a non-exhaustive list of measures provided by FATF

1. controls that facilitate visibility of P2P activity and/or VA activity crossing between obliged entities and non-obliged entities (these controls could include VA equivalents to currency transaction reports or a recordkeeping rule relating to such transfers);
2. ongoing risk-based enhanced supervision of VASPs and entities operating in the VA space with a specific focus on non-custodial wallet transactions (e.g., on-site and off-site supervision to confirm whether a VASP has complied with the regulations in place concerning these transactions);
3. obliging VASPs to facilitate transactions only to/from addresses/sources that have been deemed acceptable and in line with their RBA;
4. obliging VASPs to facilitate transactions only to/from VASPs and other obliged entities;
5. placing additional AML/CFT requirements on VASPs that allow transactions to/from non-obliged entities (e.g., enhanced recordkeeping requirements, EDD requirements);
6. guidance highlighting the importance of VASPs applying an RBA to dealing with customers that engage in, or facilitate, P2P transactions, supported by risk assessment, indicators, or typologies publications where appropriate; and
7. issuing public guidance and advisories and conducting information campaigns to raise awareness of risks posed by P2P transactions (e.g., accounting for specific risks posed by P2P transactions through the assessment of specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement). (FATF 2021b, p. 39, para 106)

FATF issued Recommendations on how VASPs should transact with self-hosted wallets.

Virtual asset transfers between VASPs and non-hosted wallets were added to the scope of the Travel Rule (in a specific manner in some instances) in paragraph 179 of its recent October 2021 guidance. The FATF recommends collecting such Travel Rule data from customers of VASPs.

VASPs sending or receiving a VA transfer to/from an entity that is not a VASP or other obliged entity (e.g., from an individual VA user to an unhosted wallet), should obtain the required originator and beneficiary information from their customer. (FATF 2021b, p. 65, para. 204)

This means:

• When initiating a transaction to a self-hosted wallet, the Originator VASP should require the Originator Customer to identify the Beneficiary of such transaction. 
• When receiving a transaction from a self-hosted wallet, the Beneficiary VASP should require their customer (the Beneficiary of the transaction) to identify the Originator.
• Additionally, VASPs should take a risk-based approach when interacting with self-hosted wallets and enforce additional risk mitigation measures if necessary.

The approach to self-hosted wallets across jurisdictions.

Looking at different implementations of the Travel Rule, we were able to identify four distinct approaches to transactions between VASPs and self-hosted wallets by national regulators. Below, we have listed various implementations of these FATF Recommendations by different federal regulations.

• Enhanced due diligence

A lighter approach is taken by countries that require VASPs to apply enhanced due diligence measures when transacting with self-hosted wallets. Liechtenstein is an example of instances where transfers to and from self-hosted wallets are not subject to Travel Rule requirements (FMA 2021, p. 7, para. 7) 

However, in these cases, VASPs shall enforce enhanced risk mitigation measures such as the following:

1. Using blockchain analytics to evaluate the risk of the transaction .
2. Collecting documentation about the purpose of the transaction.

In case of transactions to self-hosted wallets that belong to the VASP’s customer, requiring customers to prove ownership of the self-hosted wallet.

• Information collection from VASP’s customer

Other jurisdictions – such as the UK* and Gibraltar** UK and Gibraltar essentially replicate the FATF’s recommendations. (HMT, 2021, 34), (Gov. of Gibraltar, 4) In these cases, VASPs are required to collect from their customer the needed information about the owner of the originating or beneficiary self-hosted wallet; still, VASPs are not required to verify this information.

*The UK did not yet pass laws to implement the Travel Rule. They suggest this approach in the document they submitted to public consultation, but the final approach may change.
**It is worth highlighting that Gibraltar only addresses this issue in the context of receiving a transaction from a self-hosted wallet. It is unclear what rules apply when VASPs send funds to self-hosted wallets.

‍

• Identity verification of self-hosted wallet owner

Singapore (MAS 2020 p.41, para 13.7) and Germany (Scholz 2021, p.2, para 4.3) have taken yet another step forward in requiring VASPs to identify and verify the identity of the owner of the Originating or Beneficiary self-hosted wallet. 

• Identity verification and proof of ownership

Finally, in Switzerland, the Travel Rule requirements are the same, regardless of whether the transaction is with a VASP or a self-hosted wallet. Switzerland requires VASPs to verify the identity of the self-hosted wallet owner and confirm that the identified owner controls the wallet. (FINMA 2019, p. 3)

TL:DR; The requirements applicable to VASPs dealing with self-hosted wallets vary substantially across jurisdictions. In addition to the potential for jurisdictional arbitrage, the lack of solution-oriented guidance on how VASPs can effectively comply with the requirements drives VASPs to take simplified approaches that do not necessarily reflect their risk assessment.

Relevant links:

• FATF (Financial Action Task Force). 2019b. Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers. 
• FATF. 2021a. Second 12-month review of the revised FATF standards on virtual assets and virtual asset service providers.
• FATF. 2021b. Updated Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers.
• FATF. 2022. Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs. 
• FINMA (​​Swiss Financial Market Supervisory Authority). 2019. FINMA Guidance 02/2019 Payments on the blockchain. 

• MAS (The Monetary Authority of Singapore). 2019. MAS Notice: PSN02: Prevention of Money Laundering and Countering the Financing of Terrorism – Holders of Payment Service Licence (Digital Payment Token Service).
• MAS 2020. Guidelines to Mas Notice PS-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism. 
• Scholz, Olaf. 2021. Verordnung über verstärkte Sorgfaltspflichten bei dem Transfer von Kryptowerten (Kryptowertetransferverordnung – KryptoWTransferV.) 

‍

Check out our summaries of Crypto Travel Rule regulations by jurisdiction below.