Crypto Travel Rule specifications vary by jurisdiction

Since the FATF stated the Travel Rule extended to crypto companies in 2019, regulators worldwide have interpreted and applied the recommendation differently. Many jurisdictions have different enforcement dates, varying thresholds that trigger the Travel Rule, contrasting approaches to the required Originator and Beneficiary information, as well as varying methods of dealing with transactions to unhosted/non-custodial wallets. 

For example, global regulators and the FATF guidance stipulates that VASPs must apply the Travel Rule to any transaction over $1000 involving another VASP, while current US rules denote $3000. Some jurisdictions do not specify a specific threshold. Additionally, the crypto Travel Rule enforcement date is March 25, 2022, in South Korea, mid-June in Estonia, and has already been enforced in Singapore on January 28, 2020 

These gaps in implementation and thresholds are essential to note as companies ramp up their Travel Rule compliance plans and test cross-jurisdictional Travel Rule transactions. 

This page dives into four critical components of Travel Rule compliance to provide an overview of the different approaches being adopted across jurisdictions: 

• Enforcement date
• Required originator and beneficiary information
• Thresholds
• Transactions with non-custodial wallets

Enforcement date: Sunrise issue

The FATF undertook a 12-month review to measure the revised standards’ implementation by jurisdictions and the private sector and concluded that less than half of FATF members had introduced Travel Rule requirements for VASPs.

As of June 2021, 58 out of 128 reporting jurisdictions advised that they have now implemented the revised FATF Standards. [FATF Plenary 2021]

The chart below provides a non-exhaustive overview of where different jurisdictions stand with Travel Rule adoption:

*However, Liechtenstein foresees a grace period to comply with the Travel Rule for cases where the transaction involves VASPs in EU/EEA/equivalent third countries that do not yet require full implementation of FATF’s Travel Rule.

Countries reportedly attribute the delay in rolling out Travel Rule compliance to the lack of scalable technological infrastructure. Yet, paragraphs 200-201 of FATF’s updated guidance [OCT 2021] clarify that countries are expected to implement the Travel Rule as soon as possible and that the sunrise period shall not preclude VASPs from implementing “robust control measures to comply with the Travel Rule requirements.” 

Regulated VASPs with counterparties located in jurisdictions with further or unclear enforcement dates cause issues with rolling out compliance before their counterparties are ready. This unique problem is called the Sunrise issue. Learn more in Chapter 3, the State of Crypto Travel Rule Compliance Report. 

Originator and Beneficiary customer information

One fundamental aspect of Travel Rule compliance is the obligation to collect, verify, transmit and store certain information about the Originator and the Beneficiary of a transaction. We’ve illustrated the Originator and Beneficiary Customer information that the FATF recommends the Originator VASP to obtain and transmit to the Beneficiary VASP in a Travel Rule compliant transaction below:

The FATF also gives guidance on the obligations that the Originator and Beneficiary VASPs shall have regarding such information.

Yet various regulatory bodies (Singapore, Switzerland, Canada, etc.) have adjusted the scope of Originator and Beneficiary Customer information that VASPs must collect, verify, and transmit in their jurisdictions. Chart VIII below highlights some differences in coverage across a few jurisdictions.

Considering the inherently international nature of crypto transactions, these differences in implementing the FATF’s guidance across jurisdictions create pitfalls to compliance. Learn more in Chapter 4, Section 5 of the State of Crypto Travel Rule Compliance Report.

Thresholds

FATF originally recommended countries to adopt a de minimis threshold of 1,000 USD/EUR, below which Travel Rule requirements would not apply to the transaction (FATF’s Initial Guidance [JUN 2019], paragraph 112.) Recently, the FATF changed its approach. While continuing to allow countries to adopt a de minimis threshold, the FATF called out additional compliance obligations regardless of the transaction amount (FATF’s Updated Guidance [OCT 2021], paragraphs 191 and 192.)

FATF’S UPDATED GUIDANCE [OCT 2021]

191. (...) For VA transfers under the threshold, countries should require that VASPs collect:
a. the name of the Originator and the Beneficiary; and
b. the VA wallet address for each or a unique transaction reference number.

192. Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.

Regulatory bodies such as the European Union submitted a similar proposal subjecting all transactions to the Travel Rule regardless of the amount. 

‍

Approaches in adopting new threshold ordinance:

→ A BROADER SCOPE OF TRAVEL RULE OBLIGATIONS ABOVE A DE MINIMIS THRESHOLD

Some countries, like Singapore, require a limited scope of shared data below the de minimis threshold. In Singapore, the Ordering VASP must submit Originator Customer and Beneficiary Customer information to the Beneficiary VASP regardless of the transaction amount (Notice PSN02, section 13.4). However, above the threshold of SGD 1,500, a broader scope of originator information needs to be transmitted (Notice PSN02, section 13.6).

Learn more on our Singapore jurisdiction page.

→ DE MINIMIS THRESHOLD ENFORCED

Some countries, like Canada, opted to exempt VASPs from Travel Rule obligations when transactions fall below a certain threshold. However, Canada enforces yet another threshold for recordkeeping purposes: Learn more on the crypto Travel Rule in Canada page.

TL:DR; Certain jurisdictions have differences in required information sent at certain thresholds, which adds friction to compliance; staying abreast of each counterparty VASP’s jurisdiction’s particular thresholds and required information for each threshold. 

Transactions to non-custodial wallets

Currently, transfers between non-custodial wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CFT rules. The FATF opens the door to a future paradigm change in case there is a distinct trend toward P2P transactions.

Nevertheless, the FATF’s recent guidance recommends two methods of dealing with transactions to non-custodial wallets. 

Jurisdictions take a risk-based approach when regulating P2P transactions and adopt risk mitigation measures if needed. We transcribe a non-exhaustive list of measures provided in paragraphs 105–106 below:

1. controls that facilitate visibility of P2P activity and/or VA activity crossing between obliged entities and non-obliged entities (these controls could include VA equivalents to currency transaction reports or a recordkeeping rule relating to such transfers);
2. ongoing risk-based enhanced supervision of VASPs and entities operating in the VA space with a specific focus on non-custodial wallet transactions (e.g., on-site and off-site supervision to confirm whether a VASP has complied with the regulations in place concerning these transactions);
3. obliging VASPs to facilitate transactions only to/from addresses/sources that have been deemed acceptable and in line with their RBA;
4. obliging VASPs to facilitate transactions only to/from VASPs and other obliged entities;
5. placing additional AML/CFT requirements on VASPs that allow transactions to/from non-obliged entities (e.g., enhanced recordkeeping requirements, EDD requirements);
6. guidance highlighting the importance of VASPs applying an RBA to dealing with customers that engage in, or facilitate, P2P transactions, supported by risk assessment, indicators, or typologies publications where appropriate; and
7. issuing public guidance and advisories and conducting information campaigns to raise awareness of risks posed by P2P transactions (e.g., accounting for specific risks posed by P2P transactions through the assessment of specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement).

2. The FATF issued Recommendations on how VASPs should transact with non-custodial wallets. In the next chapter, we take a closer look at these recommendations as they are part of the scope of the Travel Rule requirements.

FATF

Virtual asset transfers between VASPs and non-hosted wallets were added to the scope of the Travel Rule (in a specific manner in some instances) in paragraph 179 of its recent October 2021 guidance. The FATF recommends collecting such Travel Rule data from customers of VASPs.

This means:

• When initiating a transaction to a non-custodial wallet, the Originator VASP should require the Originator Customer to identify the Beneficiary of such transaction. 
• When receiving a transaction from a non-custodial wallet, the Beneficiary VASP should require their customer (the Beneficiary of the transaction) to identify the Originator.
• Additionally, VASPs should take a risk-based approach when interacting with non-custodial wallets and enforce additional risk mitigation measures if necessary. 

Looking at different implementations of the Travel Rule, we were able to identify four distinct approaches to transactions between VASPs and non-custodial wallets by national regulators. Below we list various implementations of these FATF recommendations by different federal regulations.

The approach to non-custodial wallets across jurisdictions

→ ENHANCED DUE DILIGENCE

A lighter approach is taken by countries that require VASPs to apply enhanced due diligence measures when transacting with non-custodial wallets. Liechtenstein is an example, where transfers to and from non-custodial wallets are not subject to Travel Rule requirements (§7 of FMA’s Instructions.) However, in these cases, VASPs shall enforce enhanced risk mitigation measures such as the following:

1. Using blockchain analytics to evaluate the risk of the transaction 
2. Collecting documentation about the purpose of the transaction
3. In case of transactions to non-custodial wallets that belong to the VASP’s customer, requiring customers to prove ownership of the non-custodial wallet

→ INFORMATION COLLECTION FROM VASP’S CUSTOMER

Other jurisdictions – such as the UK* (§6.27) and Gibraltar** (§5/2) UK and Gibraltar essentially replicate the FATF’s recommendations. In these cases, VASPs are required to collect from their customer the needed information about the owner of the originating or Beneficiary non-custodial wallet; still, VASPs are not required to verify this information.

*The UK did not yet pass laws to implement the Travel Rule. They suggest this approach in the document they submitted to public consultation, but the final approach may change.

**It is worth highlighting that Gibraltar only addresses this issue in the context of receiving a transaction from an non-custodial wallet. It is unclear what rules apply when VASPs send funds to non-custodial wallets.

→ IDENTITY VERIFICATION OF NON-CUSTODIAL WALLET

Singapore (§13-7) and Germany (§4/3) take yet another step forward in requiring VASPs to identify and verify the identity of the owner of the originating or Beneficiary non-custodial wallet. 

→ IDENTITY VERIFICATION AND PROOF OF OWNERSHIP

Finally, in Switzerland, the Travel Rule requirements are the same, regardless of whether the transaction is with a VASP or a non-custodial wallet. Switzerland requires VASPs to verify the identity of the non-custodial wallet owner and confirm that the identified owner controls the wallet.

(FINMA GUIDANCE 02/2019, P.3)

TL:DR; The requirements applicable to VASPs dealing with non-custodial wallets vary substantially across jurisdictions. In addition to the potential for jurisdictional arbitrage, the lack of solution-oriented guidance on how VASPs can effectively comply with the requirements drives VASPs to take simplified approaches that do not necessarily reflect their risk assessment.

We’ve summarized Crypto Travel Rule regulations by jurisdiction below.