Regulators have interpreted and applied the crypto Travel Rule differently.
Some jurisdictions have enforced the crypto Travel Rule since January 2020, while others have not.
The FATF recommends applying the Travel Rule to any transaction over $1,000 involving another VASP, but some jurisdictions have different thresholds.
Jurisdictions require different originator and beneficiary information.
Some regulators have not yet addressed self-hosted wallet transactions.
The lack of technological infrastructure and differing interpretations across jurisdictions has led to issues with compliance, known as the "sunrise issue."
Notabene offers a solution to the sunrise issue with its free Sunrise Plan, which allows VASPs securely responds to unlimited Travel Rule data transactions–independent of their enforcement dates.
Crypto Travel Rule requirements vary by jurisdiction
Since the FATF clarified that the Travel Rule applies to crypto firms, various regulators have interpreted and applied the recommendation differently. Many jurisdictions have varied enforcement dates, Travel Rule thresholds, approaches to required Originator and Beneficiary information, and techniques for handling transactions to self-hosted wallets.
For example, several global regulators and the FATF guidance stipulates that VASPs must apply the Travel Rule to any transaction over $1,000 involving another VASP, whereas current U.S. rules denote $3,000. Some jurisdictions do not specify a threshold. Additionally, the crypto Travel Rule enforcement date varies: South Korea enforced it on March 25, 2022; Estonia began enforcement on June 15, 2022; and Singapore began enforcing it starting January 28, 2020.
These variations are essential to note as companies ramp up their Travel Rule compliance plans and test cross-jurisdictional Travel Rule transactions.
This page dives into four critical components of Travel Rule compliance to provide an overview of the different approaches jurisdictions are using to achieve compliance:
Required originator and beneficiary information
Transactions to/from self-hosted wallets
Enforcement date: sunrise issue
Regulated VASPs with counterparties located in jurisdictions with unclear or far-off enforcement dates cause issues with compliance. This unique problem is called the ‘sunrise issue.’
In June 2022, the FATF published a Targeted Update on Implementation and concluded that jurisdictions had made limited progress in introducing FATF’s Travel Rule.
As of March 2022, while 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation, only 11 jurisdictions have started enforcement and supervisory measures. While around a quarter of responding jurisdictions are now in the process of passing the relevant legislation, around one-third (36 out of 98), have not yet started introducing the Travel Rule. This gap leaves VAs and VASPs vulnerable to misuse, and demonstrates the urgent need for jurisdictions to accelerate implementation and enforcement. (FATF 2022, para 2).
The image below provides a non-exhaustive overview of where different jurisdictions stand with Travel Rule adoption.
Countries reportedly attribute the delay in rolling out Travel Rule compliance to the lack of scalable technological infrastructure. Despite this, paragraphs 200–201 of FATF’s updated guidance state that countries are expected to implement the Travel Rule as soon as possible and that the sunrise issue should not preclude VASPs from implementing “robust control measures to comply with the Travel Rule requirements.” (FATF 2021b, pg.64, para 201)
Our solution for the sunrise issue:
Notabene's Sunrise Plan
Securely respond to unlimited Travel Rule data transactions for free!
One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit, and store certain information about the Originator and Beneficiary of a transaction.The image below illustrates the customer information Originator VASPs are mandated to obtain and transmit to the Beneficiary VASP in a Travel Rule–compliant transaction.
The FATF also gives guidance on the obligations that the Originator and Beneficiary VASPs shall have regarding such information.
Yet various regulatory bodies (Singapore, Switzerland, Canada, etc.) have adjusted the scope of Originator and Beneficiary Customer information that VASPs must collect, verify, and transmit in their jurisdictions. The image below highlights some differences in coverage across a few jurisdictions.
Considering the inherently international nature of crypto transactions, these differences in implementing the FATF’s guidance across jurisdictions create pitfalls to compliance.
Learn more in Chapter 4, Section 5 of the State of Crypto Travel Rule Compliance Report.
FATF originally recommended countries to adopt a de minimis threshold of 1,000 USD/EUR, below which Travel Rule requirements would not apply to the transaction. (FATF 2021b, p. 29, para. 112) However, with the more recent update to their guidance, the FATF changed its approach. While continuing to allow countries to adopt a de minimis threshold, the FATF called out additional compliance obligations regardless of the transaction amount:
191. (...) For VA transfers under the threshold, countries should require that VASPs collect: a. the name of the Originator and the Beneficiary; and b. the VA wallet address for each or a unique transaction reference number. 192. Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified. (FATF 2021b, p. 61, paras. 191-192)
Regulatory bodies such as the European Union submitted a similar proposal subjecting all transactions to the Travel Rule regardless of the amount.
Countries' approaches to adopting new threshold ordinance:
A broader scope of Travel Rule obligations above a de minimis threshold.
Some countries, like Singapore, require a limited scope of shared data below the de minimis threshold. In Singapore, the Ordering VASP must submit Originator Customer and Beneficiary Customer information to the Beneficiary VASP regardless of the transaction amount. However, above the threshold of SGD 1,500, a broader scope of originator information needs to be transmitted. (MAS 2019, p. 28, para. 13.4-6)
Some countries, like Canada, opted to exempt VASPs from Travel Rule obligations when transactions fall below a certain threshold. However, Canada enforces yet another threshold for recordkeeping purposes: Learn more on the crypto Travel Rule in Canada page.
TL:DR; Certain jurisdictions have differences in required information sent at certain thresholds, which adds friction to compliance; staying abreast of each counterparty VASP’s jurisdiction’s particular thresholds and required information for each threshold.
Transactions to self-hosted wallets
Currently, transfers between self-hosted wallets, so-called P2P transactions, are not explicitly covered by AML/CTF rules. The FATF opens the door to a future paradigm change if there is a distinct trend toward P2P transactions. Nevertheless, the FATF’s recent guidance recommends two methods of dealing with transactions to self-hosted wallets.
Jurisdictions take a risk-based approach when regulating P2P transactions and adopt risk-mitigation measures if needed. Below, we transcribe a non-exhaustive list of measures provided by FATF
controls that facilitate visibility of P2P activity and/or VA activity crossing between obliged entities and non-obliged entities (these controls could include VA equivalents to currency transaction reports or a recordkeeping rule relating to such transfers);
ongoing risk-based enhanced supervision of VASPs and entities operating in the VA space with a specific focus on non-custodial wallet transactions (e.g., on-site and off-site supervision to confirm whether a VASP has complied with the regulations in place concerning these transactions);
obliging VASPs to facilitate transactions only to/from addresses/sources that have been deemed acceptable and in line with their RBA;
obliging VASPs to facilitate transactions only to/from VASPs and other obliged entities;
placing additional AML/CFT requirements on VASPs that allow transactions to/from non-obliged entities (e.g., enhanced recordkeeping requirements, EDD requirements);
guidance highlighting the importance of VASPs applying an RBA to dealing with customers that engage in, or facilitate, P2P transactions, supported by risk assessment, indicators, or typologies publications where appropriate; and
issuing public guidance and advisories and conducting information campaigns to raise awareness of risks posed by P2P transactions (e.g., accounting for specific risks posed by P2P transactions through the assessment of specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement). (FATF 2021b, p. 39, para 106)
FATF issued Recommendations on how VASPs should transact with self-hosted wallets.
Virtual asset transfers between VASPs and non-hosted wallets were added to the scope of the Travel Rule (in a specific manner in some instances) in paragraph 179 of its recent October 2021 guidance. The FATF recommends collecting such Travel Rule data from customers of VASPs.
VASPs sending or receiving a VA transfer to/from an entity that is not a VASP or other obliged entity (e.g., from an individual VA user to an unhosted wallet), should obtain the required originator and beneficiary information from their customer. (FATF 2021b, p. 65, para. 204)
When initiating a transaction to a self-hosted wallet, the Originator VASP should require the Originator Customer to identify the Beneficiary of such transaction.
When receiving a transaction from a self-hosted wallet, the Beneficiary VASP should require their customer (the Beneficiary of the transaction) to identify the Originator.
Additionally, VASPs should take a risk-based approach when interacting with self-hosted wallets and enforce additional risk mitigation measures if necessary.
The approach to self-hosted wallets across jurisdictions.
Looking at different implementations of the Travel Rule, we were able to identify four distinct approaches to transactions between VASPs and self-hosted wallets by national regulators. Below, we have listed various implementations of these FATF Recommendations by different federal regulations.
Enhanced due diligence
A lighter approach is taken by countries that require VASPs to apply enhanced due diligence measures when transacting with self-hosted wallets. Liechtenstein is an example of instances where transfers to and from self-hosted wallets are not subject to Travel Rule requirements (FMA 2021, p. 7, para. 7)
However, in these cases, VASPs shall enforce enhanced risk mitigation measures such as the following:
Using blockchain analytics to evaluate the risk of the transaction .
Collecting documentation about the purpose of the transaction.
In case of transactions to self-hosted wallets that belong to the VASP’s customer, requiring customers to prove ownership of the self-hosted wallet.
Information collection from VASP’s customer
Other jurisdictions – such as the UK* and Gibraltar** UK and Gibraltar essentially replicate the FATF’s recommendations. (HMT, 2021, 34), (Gov. of Gibraltar, 4) In these cases, VASPs are required to collect from their customer the needed information about the owner of the originating or beneficiary self-hosted wallet; still, VASPs are not required to verify this information.
*The UK did not yet pass laws to implement the Travel Rule. They suggest this approach in the document they submitted to public consultation, but the final approach may change. **It is worth highlighting that Gibraltar only addresses this issue in the context of receiving a transaction from a self-hosted wallet. It is unclear what rules apply when VASPs send funds to self-hosted wallets.
Finally, in Switzerland, the Travel Rule requirements are the same, regardless of whether the transaction is with a VASP or a self-hosted wallet. Switzerland requires VASPs to verify the identity of the self-hosted wallet owner and confirm that the identified owner controls the wallet. (FINMA 2019, p. 3)
TL:DR; The requirements applicable to VASPs dealing with self-hosted wallets vary substantially across jurisdictions. In addition to the potential for jurisdictional arbitrage, the lack of solution-oriented guidance on how VASPs can effectively comply with the requirements drives VASPs to take simplified approaches that do not necessarily reflect their risk assessment.
MAS 2020.Guidelines to Mas Notice PS-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism.
Scholz, Olaf. 2021.Verordnung über verstärkte Sorgfaltspflichten bei dem Transfer von Kryptowerten (Kryptowertetransferverordnung – KryptoWTransferV.)
Check out our summaries of Crypto Travel Rule regulations by jurisdiction below.
Global Crypto Travel Rule Requirements
Our comprehensive country guides and pages provide essential information on the enforcement status, threshold amount, and self-hosted wallet obligations in each jurisdiction. This information is invaluable for businesses seeking to navigate and comply with the Travel Rule requirements.
While most virtual asset activity is safe, bad actors take advantage of virtual assets for illicit activities. Introducing regulations to help control that and put mechanisms in place makes it a safer environment for consumers and businesses alike and will ultimately help bring more crypto adoption.
What is the Crypto Travel Rule?
In early 2019, the FATF issued guidance that required virtual asset service providers and financial institutions participating in a transaction to exchange relevant beneficiary and originator KYC information. FATF member governments ratified these guidelines in June of 2019, with regulators from global jurisdictions following suit. The Travel Rule is now mandated to most crypto businesses globally.
Who is the Financial Action Task Force (FATF)?
Founded in 1989, the Financial Action Task Force (FATF) is an inter-governmental global money laundering and terrorist financing watchdog that sets international standards to prevent illegal activities like terrorist financing and money laundering. In 2018, the FATF adopted changes that now explicitly cover financial transactions involving virtual assets.
Does the Crypto Travel Rule apply to my business?
FATF has created a new definition of businesses operating in the crypto space that they call a VASP (Virtual Asset Service Provider). These VASPs now need to become licensed in jurisdictions they operate in. The Travel Rule probably does apply if your business is involved in: - Exchange of cryptocurrency (both crypto-fiat and crypto-crypto) - Transfer of cryptocurrency - Providing financial services related to the issuance, initial offer, and sale of virtual assets - Providing custodian wallets
What are the Crypto Travel Rule data requirements?
The FATF stipulates that in transactions over a certain threshold, the originator VASPs must include and send the following: - The name of the originator - The blockchain address of the originator - The identity of the originator’s VASP - The originator’s identification number, e.g., National ID number or Passport number - The virtual asset type and the amount being transmitted, and - The identity of the beneficiary’s financial institution - The name of the beneficiary - The blockchain address or account number of the beneficiary *It is important to note that different jurisdictions may require slightly different information. View our jurisdiction pages for more details.
What are the advantages of cryptocurrency & virtual asset compliance?
Future business opportunities after complying with the FinCEN Travel Rule are immense. FATF Travel Rule compliance presents the most significant opportunity for virtual assets to become widely accepted in everyday use cases. Cryptocurrency companies that comply will have better access to traditional banking, which will allow easier access to institutional investors. They will also be able to provide more visibility and trust around each transaction for their customers.
Why choose Notabene for Travel Rule compliance?
Notabene’s end-to-end Travel Rule compliance software was created to solve each component of the crypto Travel Rule on all fronts.
Our robust solution and integrations guide businesses to fulfill each Travel Rule compliance requirement:
Allows VASPs to send Travel Rule data alongside each transmission.
Automatically recognizing the requirements originator and beneficiary information for each transaction based upon jurisdiction requirements.
Updates changes to regulatory requirements information in real-time.
Allows VASPs to set risk-based rules to automate transactions with counterparties that meet their internal risk criteria (e.g., by VASP, jurisdiction, KYT risk score, and sanction screen matches.)
Identifies wallet type (pre-transaction.)
Identifies counterparty VASPs.
Enables VASPs to manage counterparty risk related to non-custodial wallets, including performing ownership proofs, where required by the jurisdiction.