Since the FATF stated the Travel Rule extended to crypto companies in 2019, regulators worldwide have interpreted and applied the recommendation differently. Many jurisdictions have different enforcement dates, varying thresholds that trigger the Travel Rule, contrasting approaches to the required Originator and Beneficiary information, and have varying methods of dealing with transactions to unhosted/non-custodial wallets.
For example, global regulators and the FATF guidance stipulates that VASPs must apply the Travel Rule to any transaction over $1000 involving another VASP, while current US rules denote $3000. Some jurisdictions do not specify a specific threshold. Additionally, the crypto Travel Rule enforcement date is March 25, 2022, in South Korea, mid-June in Estonia, and has already been enforced in Singapore on January 28, 2020
These gaps in implementation and thresholds are essential to note as companies ramp up their Travel Rule compliance plans and test cross-jurisdictional Travel Rule transactions.
This page dives into four critical components of Travel Rule compliance to provide an overview of the different approaches being adopted across jurisdictions:
The FATF undertook a 12-month review to measure the revised standards’ implementation by jurisdictions and the private sector and concluded that less than half of FATF members had introduced Travel Rule requirements for VASPs. As of June 2021, 58 out of 128 reporting jurisdictions advised that they have now implemented the revised FATF Standards. [FATF Plenary 2021]
The chart below provides a non-exhaustive overview of where different jurisdictions stand with Travel Rule adoption:
*However, Liechtenstein foresees a grace period to comply with the Travel Rule for cases where the transaction involves VASPs in EU/EEA/equivalent third countries that do not yet require full implementation of FATF’s Travel Rule.
Countries reportedly attribute the delay in rolling out Travel Rule compliance to the lack of scalable technological infrastructure. Yet, paragraphs 200-201 of FATF’s updated guidance [OCT 2021] clarifies that countries are expected to implement the Travel Rule as soon as possible and that the sunrise period shall not preclude VASPs from implementing “robust control measures to comply with the Travel Rule requirements.”
Regulated VASPs with counterparties located in jurisdictions with further or unclear enforcement dates cause issues with rolling out compliance before their counterparties are ready. This unique problem is called the Sunrise issue. Learn more in Chapter 3, the State of Crypto Travel Rule Compliance Report.
One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit and store certain information about the Originator and the Beneficiary of a transaction. We’ve illustrated the Originator and Beneficiary Customer information that the FATF recommends the Originator VASP to obtain and transmit to the Beneficiary VASP in a Travel Rule compliant transaction below:
The FATF also gives guidance on the obligations that the Originator and Beneficiary VASPs shall have regarding such information.
Yet various regulatory bodies (Singapore, Switzerland, Canada, etc.) have adjusted the scope of Originator and Beneficiary Customer information that VASPs must collect, verify, and transmit in their jurisdictions. Chart VIII below highlights some differences in coverage across a few jurisdictions.
Considering the inherently international nature of crypto transactions, these differences in implementing the FATF’s guidance across jurisdictions create pitfalls to compliance. Learn more in Chapter 4, Section 5 of the State of Crypto Travel Rule Compliance Report.
FATF originally recommended countries to adopt a de minimis threshold of 1,000 USD/EUR, below which Travel Rule requirements would not apply to the transaction (FATF’s Initial Guidance [JUN 2019], paragraph 112.) Recently, the FATF changed its approach. While continuing to allow countries to adopt a de minimis threshold, the FATF called out additional compliance obligations regardless of the transaction amount (FATF’s Updated Guidance [OCT 2021], paragraphs 191 and 192.)
FATF’S UPDATED GUIDANCE [OCT 2021], PARAGRAPHS 191 AND 192:
191. (...) For VA transfers under the threshold, countries should require that VASPs collect:
a. the name of the Originator and the Beneficiary; and
b. the VA wallet address for each or a unique transaction reference number.
192. Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.
Regulatory bodies such as the European Union submitted a similar proposal subjecting all transactions to the Travel Rule regardless of the amount.
→ A BROADER SCOPE OF TRAVEL RULE OBLIGATIONS ABOVE A DE MINIMIS THRESHOLD
Some countries, like Singapore, require a limited scope of shared data below the de minimis threshold. In Singapore, the Ordering VASP must submit Originator Customer and Beneficiary Customer information to the Beneficiary VASP regardless of the transaction amount (Notice PSN02, section 13.4). However, above the threshold of SGD 1,500, a broader scope of originator information needs to be transmitted (Notice PSN02, section 13.6).
Learn more on our Singapore jurisdiction page.
→ DE MINIMIS THRESHOLD ENFORCED
Some countries, like Canada, opted to exempt VASPs from Travel Rule obligations when transactions fall below a certain threshold. However, Canada enforces yet another threshold for recordkeeping purposes: Learn more on the crypto Travel Rule in Canada page.
TL:DR; Certain jurisdictions have differences in required information sent at certain thresholds, which adds friction to compliance; staying abreast of each counterparty VASP’s jurisdiction’s particular thresholds and required information for each threshold.
Currently, transfers between non-custodial wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CFT rules. The FATF opens the door to a future paradigm change in case there is a distinct trend toward P2P transactions.
Nevertheless, the FATF’s recent guidance recommends two methods of dealing with transactions to non-custodial wallets.
Jurisdictions take a risk-based approach when regulating P2P transactions and adopt risk mitigation measures if needed. We transcribe a non-exhaustive list of measures provided in paragraphs 105–106 below:
2. The FATF issued Recommendations on how VASPs should transact with non-custodial wallets. In the next chapter, we take a closer look at these recommendations as they are part of the scope of the Travel Rule requirements.
FATF
Virtual asset transfers between VASPs and non-hosted wallets were added to the scope of the Travel Rule (in a specific manner in some instances) in paragraph 179 of its recent October 2021 guidance. The FATF recommends collecting such Travel Rule data from customers of VASPs.
This means:
Looking at different implementations of the Travel Rule, we were able to identify four distinct approaches to transactions between VASPs and non-custodial wallets by national regulators. Below we list various implementations of these FATF recommendations by different federal regulations.
→ ENHANCED DUE DILIGENCE
A lighter approach is taken by countries that require VASPs to apply enhanced due diligence measures when transacting with non-custodial wallets. Liechtenstein is an example, where transfers to and from non-custodial wallets are not subject to Travel Rule requirements (§7 of FMA’s Instructions.) However, in these cases, VASPs shall enforce enhanced risk mitigation measures such as the following:
→ INFORMATION COLLECTION FROM VASP’S CUSTOMER
Other jurisdictions – such as the UK* (§6.27) and Gibraltar** (§5/2) UK and Gibraltar essentially replicate the FATF’s recommendations. In these cases, VASPs are required to collect from their customer the needed information about the owner of the originating or Beneficiary non-custodial wallet; still, VASPs are not required to verify this information.
*The UK did not yet pass laws to implement the Travel Rule. They suggest this approach in the document they submitted to public consultation, but the final approach may change.
**It is worth highlighting that Gibraltar only addresses this issue in the context of receiving a transaction from an non-custodial wallet. It is unclear what rules apply when VASPs send funds to non-custodial wallets.
→ IDENTITY VERIFICATION OF NON-CUSTODIAL WALLET
Singapore (§13-7) and Germany (§4/3) take yet another step forward in requiring VASPs to identify and verify the identity of the owner of the originating or Beneficiary non-custodial wallet.
→ IDENTITY VERIFICATION AND PROOF OF OWNERSHIP
Finally, in Switzerland, the Travel Rule requirements are the same, regardless of whether the transaction is with a VASP or a non-custodial wallet. Switzerland requires VASPs to verify the identity of the non-custodial wallet owner and confirm that the identified owner controls the wallet.
TL:DR; The requirements applicable to VASPs dealing with non-custodial wallets vary substantially across jurisdictions. In addition to the potential for jurisdictional arbitrage, the lack of solution-oriented guidance on how VASPs can effectively comply with the requirements drives VASPs to take simplified approaches that do not necessarily reflect their risk assessment.
Notabene’s end-to-end Travel Rule compliance software was created to solve each component of the crypto Travel Rule on all fronts.
Notabene’s robust solution and integrations guide businesses to fulfill each Travel Rule compliance requirement:
Automatically recognizing the requirements originator and beneficiary information for each transaction based upon jurisdiction requirements
We’ve summarized Crypto Travel Rule regulations by jurisdiction below.
While most virtual asset activity is safe, bad actors take advantage of virtual assets for illicit activities. Introducing regulations to help control that and put mechanisms in place makes it a safer environment for consumers and businesses alike and will ultimately help bring more crypto adoption.
In early 2019, the FATF issued guidance that required virtual asset service providers and financial institutions participating in a transaction to exchange relevant beneficiary and originator KYC information. FATF member governments ratified these guidelines in June of 2019, with regulators from global jurisdictions following suit. The Travel Rule is now mandated to most crypto businesses globally.
Founded in 1989, the Financial Action Task Force (FATF) is an inter-governmental global money laundering and terrorist financing watchdog that sets international standards to prevent illegal activities like terrorist financing and money laundering. In 2018, the FATF adopted changes that now explicitly cover financial transactions involving virtual assets.
FATF has created a new definition of businesses operating in the crypto space that they call a VASP (Virtual Asset Service Provider). These VASPs now need to become licensed in jurisdictions they operate in. The Travel Rule probably does apply if your business is involved in:
- Exchange of cryptocurrency (both crypto-fiat and crypto-crypto)
- Transfer of cryptocurrency
- Providing financial services related to the issuance, initial offer, and sale of virtual assets
- Providing custodian wallets
The FATF stipulates that in transactions over a certain threshold, the originator VASPs must include and send the following:
- The name of the originator
- The blockchain address of the originator
- The identity of the originator’s VASP
- The originator’s identification number, e.g., National ID number or Passport number
- The virtual asset type and the amount being transmitted, and
- The identity of the beneficiary’s financial institution
- The name of the beneficiary
- The blockchain address or account number of the beneficiary
*It is important to note that different jurisdictions may require slightly different information.
View our jurisdiction pages for more details.
Future business opportunities after complying with the FinCEN Travel Rule are immense. FATF Travel Rule compliance presents the most significant opportunity for virtual assets to become widely accepted in everyday use cases. Cryptocurrency companies that comply will have better access to traditional banking, which will allow easier access to institutional investors. They will also be able to provide more visibility and trust around each transaction for their customers.