REGULATIONS
Various regulators have interpreted and applied the Travel Rule differently. Many jurisdictions have various approaches to:
It is crucial to acknowledge these variations in implementation as companies set out their global Travel Rule compliance plans. For instance, some regulators, in line with the FATF guidance in Recommendation 16, stipulate that VASPs must transmit Travel Rule information for any transaction over $1,000 involving another VASP (FATF, 2021, p. 61, para. 191).
In contrast, current U.S. regulations set the Travel Rule threshold at $3,000 (Records to be Made and Retained by Financial Institutions, 2024), whereas other jurisdictions do not specify a threshold at all. Furthermore, the enforcement date for Travel Rule compliance varies from jurisdiction to jurisdiction: Singapore began enforcement on January 28, 2020 (MAS, 2020), whereas the EU requirements will enter into force on December 30, 2024. These variances in timelines and specific requirements present distinct obstacles for Travel Rule compliance, specifically concerning the Sunrise Issue and cross-border implications.
To provide a comprehensive view of the current global state of Travel Rule adoption, we have created a detailed chart that illustrates the approaches that different jurisdictions have taken on key components. The chart includes information on the enforcement status of each jurisdiction, as well as the applicable compliance threshold and self-hosted wallet obligations. This information is crucial for businesses seeking to comply with the Travel Rule.
Let's examine and elaborate on the key regulatory trends as they relate to compliance thresholds and transactions involving VASPs and self-hosted wallets.
The FATF originally recommended that countries adopt a de minimis threshold of 1,000 USD/EUR for Travel Rule requirements; for transactions below that amount, Travel Rule requirements would not apply (FATF, 2019, p. 29, para. 112).
However, in its 2021 update, the FATF changed its approach. While they continue to recommend that all countries adopt a de minimis threshold, the FATF has also called out additional compliance obligations that must be met, regardless of the transaction amount:
191. (...) For VA transfers under the threshold, countries should require that VASPs collect:
a. the name of the Originator and the Beneficiary; and
b. the VA wallet address for each or a unique transaction reference number.
192. Such information does not need to be verified unless there are suspicious circumstances related to [money laundering/terrorist financing] ML/TF, in which case information pertaining to the customer should be verified.
- FATF, Updated guidance for a risk-based approach to virtual assets and virtual asset service providers, p. 61, paras. 191-192
As illustrated above, jurisdictions define the thresholds that trigger Travel Rule obligations in various ways. We expand on some of these approaches below.
Some countries, like Singapore, require the transmission of a limited scope of data for transactions below a certain de minimis threshold. These jurisdictions are identified as requiring limited information below threshold in the chart in Figure 38. In Singapore, the originator VASP must submit originator customer and beneficiary customer information to the beneficiary VASP, regardless of the transaction amount. However, above the threshold of SGD 1,500, a broader scope of originator information needs to be transmitted.
Some countries, like Canada, opted to exempt VASPs from Travel Rule obligations when transactions are below a certain threshold. Canada’s approach to the obligation of collecting, storing, and transmitting information is worth noting:
Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (2002), the instrument that transposes the Travel Rule into national law, does not foresee the obligation to collect and transmit the counterparty customer’s date of birth and occupation. Hence, VASPs’ obligations when receiving transactions of CAD 10,000 or more are expanded by the record-keeping requirements that apply, which ultimately results in the existence of two tiers (≥CAD 1,000 and ≥CAD 10,000).
Other countries do not enforce any de minimis threshold, which means VASPs are required to transmit the same scope of originator and beneficiary information regardless of the transaction amount. The jurisdictions that take this approach are identified in Figure 38 as having a threshold of zero. This is the case, for instance, in Japan and Malaysia.
In Europe, the TFR goes in the same direction. The TFR states that the “transfers of crypto-assets should be subject to the same requirements regardless of their amount and of whether they are domestic or cross-border transfers” in order to account for the specific features of crypto transactions, such as high speed and global reach (EU Parl and Council of the EU, 2023, p. 6, para. 30).
Hence, EU VASPs are required to transmit the same scope of information, regardless of the transaction amount.
The varying approaches taken globally to define the thresholds that trigger Travel Rule information transmission obligations create challenges for VASPs when transacting internationally.
A closer look at the chart identifies two significant trends in the regulatory treatment of transactions with self-hosted wallets:
In some jurisdictions, transactions with self-hosted wallets are perceived as higher risk because of their specific characteristics (in particular, their anonymity and lack of intermediation by a regulated counterpart) and, therefore, are subject to EDD obligations.
For instance, the Philippines Central Bank recognizes the increased money laundering and terrorism financing risks that may arise from transacting with self-hosted wallets and therefore determines that “stricter rules shall apply,” namely that VASPs “are expected to exercise caution and perform enhanced due diligence when dealing with transfers with unhosted wallets” (Bangko Sentral ng Pilipinas, 2023, p. 3). Under Philippines’ rules, VASPs are also required to collect certain information from their customers; the next subsection further explores this regulatory approach.
In jurisdictions like the U.K. and Gibraltar (Proceeds of Crime Act 2015, p. 4, section 5.2), VASPs are mandated to collect certain information from their customers regarding the owner of the originating or beneficiary self-hosted wallet. However, VASPs are not obligated to verify the information they collect.
When U.K. VASPs conduct transactions that involve self-hosted wallets, based on their risk assessment, they are required to obtain the name and account number of either the originator or the beneficiary, as applicable, from their respective customers. Additionally, if the VASP’s customer is the beneficiary of a self-hosted wallet transfer amounting to 1,000 euros or more, the VASP must obtain additional details about the originator. These details may include the customer identification number, address, identity card number, or date and place of birth (The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022, 2022, pp. 7-8, para. 64G).
The table below illustrates the requirements for information collection.
It is worth highlighting that Gibraltar only addresses this issue in the context of receiving a transaction from a self-hosted wallet. It is unclear what rules apply when VASPs send funds to self-hosted wallets.
In the U.K., collecting this information from the end customer is not stipulated as a mandatory requirement but as a measure that VASPs may decide to adopt based on a risk assessment (hence being tagged in the chart in Figure 38 as “RBA to PII collection”). VASPs’ risk-based assessments shall take into account:
Wallet Ownership Verification
In some jurisdictions, VASPs are required to verify that their customer or a third party truly has control over the private keys associated with the wallet address. This is the approach taken, for instance, by the European Transfer of Funds Regulation. When conducting transactions involving self-hosted wallets, EU VASPs are required to gather the necessary originator and beneficiary information. Additionally, they must comply with the following additional wallet verification obligations for transactions exceeding 1,000 euros:
Singapore (MAS, 2020, p. 41, para. 13-7), Switzerland (Swiss Financial Market Supervisory Authority [FINMA], 2019, p. 3), and Germany (Scholz, 2021, p. 2, para. 4.3) have taken it a step further by requiring VASPs to both identify and verify the identity of the owner of the originating or beneficiary self-hosted wallet.
Switzerland, in particular, takes the stance that Travel Rule requirements apply regardless of whether the transaction is with a VASP or a self-hosted wallet:
Article 10 AMLO-FINMA does not provide for any exception for payments involving unregulated wallet providers. Such an exception would favour unsupervised service providers and would result in supervised providers not being able to prevent problematic payments from being executed.
- FINMA, 2019, p. 3
Switzerland requires VASPs to both verify the identity of the self-hosted wallet owner and confirm that the identified owner actually controls the wallet (FINMA, 2019, p. 3).
Self-hosted wallet transaction requirements vary substantially across jurisdictions. The challenges this variation poses for VASPs are further explored in the 2024 State of Crypto Travel Rule Compliance Report, Chapter 5, Section 6.
Our comprehensive country guides and pages provide essential information on the enforcement status, threshold amount, and self-hosted wallet obligations in each jurisdiction. This information is invaluable for businesses seeking to navigate and comply with the Travel Rule requirements.
FAQ
While most virtual asset activity is safe, bad actors take advantage of virtual assets for illicit activities. Introducing regulations to help control that and put mechanisms in place makes it a safer environment for consumers and businesses alike and will ultimately help bring more crypto adoption.
In early 2019, the FATF issued guidance that required virtual asset service providers and financial institutions participating in a transaction to exchange relevant beneficiary and originator KYC information. FATF member governments ratified these guidelines in June of 2019, with regulators from global jurisdictions following suit. The Travel Rule is now mandated for most crypto businesses globally.
Founded in 1989, the Financial Action Task Force (FATF) is an inter-governmental global money laundering and terrorist financing watchdog that sets international standards to prevent illegal activities like terrorist financing and money laundering. In 2018, the FATF adopted changes that now explicitly cover financial transactions involving virtual assets.
FATF has created a new definition of businesses operating in the crypto space that they call a VASP (Virtual Asset Service Provider). These VASPs now need to become licensed in jurisdictions they operate in. The Travel Rule probably does apply if your business is involved in:
- Exchange of cryptocurrency (both crypto-fiat and crypto-crypto)
- Transfer of cryptocurrency
- Providing financial services related to the issuance, initial offer, and sale of virtual assets
- Providing custodian wallets
The FATF stipulates that in transactions over a certain threshold, the originator VASPs must include and send the following:
- The name of the originator
- The blockchain address of the originator
- The identity of the originator’s VASP
- The originator’s identification number, e.g., National ID number or Passport number
- The virtual asset type and the amount being transmitted, and
- The identity of the beneficiary’s financial institution
- The name of the beneficiary
- The blockchain address or account number of the beneficiary
*It is important to note that different jurisdictions may require slightly different information.
View our jurisdiction pages for more details.
Future business opportunities after complying with the FinCEN Travel Rule are immense. FATF Travel Rule compliance presents the most significant opportunity for virtual assets to become widely accepted in everyday use cases. Cryptocurrency companies that comply will have better access to traditional banking, which will allow easier access to institutional investors. They will also be able to provide more visibility and trust around each transaction for their customers.
Notabene’s end-to-end Travel Rule compliance software was created to solve each component of the crypto Travel Rule on all fronts.
Our robust solution and integrations guide businesses to fulfill each Travel Rule compliance requirement: