When I spoke about the Dawn of Travel Rule at the GBBC Members Forum, I spoke about the importance of not only sending and receiving Travel Rule messages, but responding to them as well.

Why is this so important? Simply put, at this point in our Travel Rule timeline (5 years since first adoption), supervisory authorities are starting to evaluate the effectiveness of Travel Rule. This means taking a closer look at one key requirement, which is responding to Travel Rule messages. Depending on the jurisdiction, it is no longer okay to only send a transfer and state to a regulator that “As a VASP, I am Travel Rule Compliant”. You will have to also demonstrate that you have been responding to incoming messages from counterparties.

Why Responding Matters

As the industry evolves, responding accurately to Travel Rule requests is not just a "nice-to-have" feature; it’s a compliance obligation that can impact a firm’s ability to do business. Let’s take a closer look at some of the key reasons why.

1. Compliance Requirements

Many jurisdictions have regulations explicitly mandating that VASPs engage in a two-way dialogue for Travel Rule compliance. This means that merely sending the required information is not enough—you must also respond to missing or incomplete data, and provide follow-up information when requested by counterparties or authorities. Failure to do so can put your business at risk of non-compliance and possible subject to fines or penalties.

Let’s take a look at just a few jurisdictional regulations (this is not the exhaustive list) that emphasize not only the need to send and receive required information but also the importance of responding to travel rule messages. You might note that these rules are primarily in the context of providing required transfer details back when there is incomplete or missing information.

European Union

The EU’s Transfer of Funds Regulation (TFR) goes beyond requiring accurate originator and beneficiary information. It mandates that CASPs (Crypto Asset Service Providers) request missing details and actively respond to counterparty requests to rectify discrepancies. Specifically, Article 16(1) and Article 17 of the TFR require prompt follow-up and compliance checks. Full details at the bottom of this article.

United States

The FinCEN Travel Rule requires U.S.-based VASPs to provide specified information for transactions over $3,000. This includes responding to any queries or compliance checks from counterparties. Ignoring such requests or failing to engage can be seen as regulatory non-compliance, particularly in the context of suspicious transactions. Full details at the bottom of this article.

United Kingdom

Under the Money Laundering Regulations (MLR), VASPs are required to take proactive steps if information is missing or incomplete. For example, if a discrepancy is detected, the VASP must request the missing information, delay the transaction, or, in some cases, even return the crypto assets. Such procedures necessitate a robust response mechanism. Full details at the bottom of this article.

Singapore

Under the Payment Services Act (PSA), the Monetary Authority of Singapore (MAS) implements FATF’s Travel Rule. VASPs must gather, verify, and transmit required information, and are expected to “provide value transfer information” by a certain time frame which can only be done through a response. For example, the legislation states that “In a value transfer where the amount to be transferred is below or equal to S$1,500…….the ordering institution shall provide the value transfer originator information and value transfer beneficiary information set out in paragraph 13.4(a) to (d) within 3 business days of a request for such information…” Full details at the bottom of this article.

Across these global regulations, the emphasis is clear: while sending and receiving information is essential, responding to travel rule transfers is equally important. This includes engaging with counterparties to verify, request additional information, and ensure compliance with AML/CFT obligations. A lack of response or failure to follow up on incomplete or suspicious transfers can result in non-compliance and regulatory scrutiny.

2. Counterparty Trust and Business Relationships

VASPs are increasingly choosing to limit their transactions to compliant counterparties. This trend is evident in Notabene’s own research, where 66% of surveyed VASPs reported restricting withdrawals with entities that do not comply with the Travel Rule. Failing to respond to a Travel Rule message sends a strong signal to your counterparties that your business may not be fully committed to compliance, leading them to potentially cut off transactions altogether.

3. Operational Efficiency and Risk Management

Failing to respond promptly to Travel Rule messages can create bottlenecks in your transaction workflows, resulting in increased operational costs and slower settlements. Having an automated system like Notabene’s SafeTransact that not only sends and receives messages but also monitors and responds to them can help streamline compliance processes and reduce the risk of human error.

Real-World Implications: What Happens When You Don’t Respond?

If a VASP fails to respond to a Travel Rule message, several scenarios could unfold:

Regulatory Penalties and Fines

Non-compliance can result in significant fines or penalties from regulatory bodies.

Counterparty De-Risking

If a counterparty sees that you are not responding to compliance messages, they may choose to de-risk by ceasing all business activities with your VASP, resulting in lost revenue and a damaged reputation.

Loss of Market Access

As global jurisdictions begin implementing stricter compliance rules, VASPs that are flagged for non-compliance may find themselves unable to operate in key markets.

Notabene’s Approach: Streamlining and Automating Responses

The complexity of responding to Travel Rule messages often stems from inconsistent regulations across jurisdictions. Notabene’s solution simplifies this by offering a unified platform that helps businesses automatically detect missing or incomplete data, sends requests for clarification, and ensures compliance through automated responses.

Notabene’s SafeTransact for Networks automates the end-to-end compliance process, enabling customers to respond to Travel Rule requests in real-time, ensuring compliance without disrupting business operations.

Responding to Travel Rule messages is not just about meeting regulatory expectations; it’s about building trust in the industry. As the market matures, businesses that invest in compliance today will be best positioned to thrive tomorrow.

By actively responding to Travel Rule messages, your business is not only complying with global regulations but also paving the way for more secure and efficient transactions, making you a preferred partner for other VASPs and financial institutions.

Want to learn more about how Notabene’s solution can help streamline your Travel Rule compliance? Book a call with our team today.

‍

‍

Addendum

European Union (EU) - Transfer of Funds Regulation (TFR) (Regulation (EU) 2015/847)

Articles 16(1) and 17 of the Transfer of Funds Regulation outline the responsibilities of Crypto Asset Service Providers (CASPs) to ensure that all transfers include accurate and complete originator and beneficiary information. They also specify that CASPs must request missing information  from the sender's VASP and actively engage when information is incomplete. Responding  to these situations is crucial for compliance.

“crypto-asset service providers should ensure that the information on the ... originator and the beneficiary is not missing or incomplete.” (Par. 28)

“With the aim of assisting payment service providers and crypto-asset service providers to put effective procedures in place to detect cases in which they receive transfers of funds or transfers of crypto-assets with missing or incomplete information on the payer, payee, originator or beneficiary and to take effective follow-up action, “ (Par. 51)

“To enable prompt action to be taken in the fight against money laundering and terrorist financing, payment service providers and crypto-asset service providers should respond promptly to requests for information on the payer and the payee or on the originator and the beneficiary from the authorities responsible for combating money laundering or terrorist financing in the Member State where those payment service providers are established or where those crypto-asset service providers have their registered office” (Par. 53)

Further, according to the final Travel Rule Guidelines¹ by the European Banking Authority that accompany the TFR paragraph 56 states:

“Where the PSP, IPSP, CASP or ICASP requests required information that is missing, it should set a reasonable deadline by which the information should be provided. This deadline should not exceed three working days for transfers taking place within the Union, and five working days for transfers received from outside of the Union, starting from the day the PSP, CASP, IPSP or ICASP identifies the missing information”

¹https://www.eba.europa.eu/sites/default/files/2024-07/6de6e9b9-0ed9-49cd-985d-c0834b5b4356/Travel%20Rule%20Guidelines.pdf

‍

United States - Financial Crimes Enforcement Network (FinCEN) Travel Rule (31 CFR 1010.410)

The FinCEN Travel Rule mandates U.S. based VASPs (CVC’s) and financial institutions to collect, retain, and transmit specified information on fund transfers over $3,000. Responding to requests for additional details or missing information is required, particularly in suspicious cases or incomplete transfers.

“The money transmitter must obtain or provide the required regulatory information either before or at the time of the transmittal of value, regardless of how a money transmitter sets up their system for clearing and settling transactions, including those involving CVC” (Fincen Guidance FIN-2019-G001)

United Kingdom - The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2019

The UK’s Money Laundering Regulations (MLR) require VASPs to ensure full compliance with AML/CTF requirements, including receiving and transmitting required travel rule information.  Further, there are requirements around reporting to FCA those that do not provide the required information back. Hence this really underscores the responsibility of VASPs to respond to inquiries from counterparties and authorities when information is missing or insufficient.

“(2) Where the cryptoasset business of the beneficiary becomes aware that any information required by regulation 64C to be provided is missing or does not correspond with information verified by it under Part 3, the cryptoasset business of the beneficiary must— (a) request the cryptoasset business of the originator to provide the missing information; (b) consider whether to make enquiries as to any discrepancy between information received and information verified by it under Part 3; and (c) consider whether— (i) to delay making the cryptoasset available to the beneficiary until the information is received or any discrepancy resolved; and (ii) if the information is not received or discrepancy resolved within a reasonable time, to return the cryptoasset to the cryptoasset business of the originator. (3) In deciding what action to take under paragraph (2)(c) the cryptoasset business must have regard to— (a) the risk assessments carried out by the cryptoasset business under regulations 18(1) (risk assessment by relevant persons) and 18A(1) (risk assessment by relevant persons in relation to proliferation financing); and (b) its assessment of the level of risk of money laundering, terrorist financing and proliferation financing arising from the inter-cryptoasset business transfer……."

(5) The cryptoasset business of a beneficiary must report to the FCA repeated failure by a cryptoasset business to provide any information required by regulation 64C as well as any steps the cryptoasset business of the beneficiary has taken in respect of such failures.  (Par 64D)

Singapore - Payment Services Act (PSA) and FATF Travel Rule Implementation

Under the Payment Services Act (PSA), the Monetary Authority of Singapore (MAS) implements FATF’s Travel Rule. VASPs must gather, verify, and transmit required information, and are expected to “provide value transfer information” by a certain time frame which can only be done through a response. For example,  “In a value transfer where the amount to be transferred is below or equal to S$1,500…….the ordering institution shall provide the value transfer originator information and value transfer beneficiary information set out in paragraph 13.4(a) to (d) within 3 business days of a request for such information…….”

As of 30 December 2024, compliance with the Transfer of Funds Regulation (TFR) and respective EBA Guidelines is mandatory for any CASPs operating in the EU.

▶︎ Watch this special video message from Lana Schwartzman, Head of Regulatory & Compliance at Notabene, explaining why compliance with TFR is so important, as what consequences may face CASPs that fail to comply.

A common misconception that we hear is that there is a “grace period” that delays the need to comply until July of this year. While it is true that the EBA guidelines foresee a transitional period until July 31, 2025, during which CASPs may exceptionally use infrastructures or services with certain technical limitations, this does not exempt them from Travel Rule compliance. CASPs using such infrastructures are required to take additional technical steps to ensure full compliance with the Travel Rule during this period.

This provision from the EBA Guidelines gave rise to misinterpretations that many are now incorrectly viewing as a grace period or exemption. The EBA already clarified that this is not the case. In page 51 of the final Guidelines “the EBA stresses that non-compliance with Regulation (EU) 2023/1113 is not accepted”. In fact, paragraph 24 of the EBA Guidelines clearly states that the technical limitations “need to be compensated by additional technical steps or fixes to fully comply with these Guidelines”.

It is therefore very clear that the TFR obligations must be fully complied with as of December 30, 2024. 

CASPs that repeatedly or systematically fail to accompany crypto-asset transfers with the required information on the originator and beneficiary may face severe penalties and consequences under the Transfer of Funds Regulation and related EU directives. All told, the risks that a company faces by not complying with TFR are substantial. 

Let’s have a look at the potential consequences of non-compliance with the TFR.

1. Financial Penalties

One of the most immediate and tangible consequences of non-compliance is the imposition of financial penalties. These can be substantial and may vary depending on the severity of the breach and the specific regulations in each EU member state. The regulation allows for substantial monetary sanctions:

• Standard Penalty: A maximum administrative fine of at least twice the amount of the benefit derived from the breach (if determinable) or a minimum of €1,000,000.
• Enhanced Penalties for Financial Institutions: For CASPs classified as credit or financial institutions, the penalties can be more severe:
  • Legal Persons: Fines of up to €5,000,000 or 10% of the total annual turnover, whichever is higher.
  • Natural Persons: Fines of up to €5,000,000

Keep in mind that penalties can accumulate, potentially resulting in daily fines. In addition, increased compliance costs and operational burdens may be necessary to resolve deficiencies, resulting in additional financial burden.

*Source: Article (3) of Directive (EU) 2015/849

2. Criminal and Administrative Sanctions

In more severe cases, particularly those involving deliberate non-compliance or gross negligence, entities and individuals may face criminal or administrative sanctions. This can include:

• Criminal liability for Chief Compliance Officers (CCOs) or executives responsible for overseeing AML/CFT protocols
• Administrative sanctions that could significantly impact business operations
  • Public Statement: Authorities may issue a public statement identifying the CASP and detailing the nature of the breach.
  • Cease and Desist Order: The CASP may be ordered to stop the non-compliant behavior and refrain from repeating it.
  • Authorisation Suspension or Revocation: For authorized CASPs, their operating license may be suspended or withdrawn entirely.
  • Managerial Ban: Individuals responsible for the breach, including those in managerial positions, may face a temporary ban from exercising managerial functions in obliged entities.

  *Source: Article 29 of the TFR and Article 59(2) and (3) of Directive (EU) 2015/849)

3. Regulatory Sanctions

While exact details may vary, it's likely that regulatory sanctions for non-compliance could be severe:

• Suspension or revocation of operating licenses within the EU
• Restrictions on certain activities or prohibitions on cross-border crypto-asset transfers

4. Reputational Damage

In the highly regulated EU market, reputation is crucial. Non-compliance can lead to:

• Loss of trust from customers and partners
• Negative publicity that can be challenging to overcome
• Long-term impact on business relationships and growth opportunities

5. Heightened Regulatory Scrutiny

Entities found to be non-compliant will likely face increased attention from regulators:

• More frequent audits and inspections
• Increased reporting obligations, adding administrative burdens and costs
• Requirements to submit additional documentation to demonstrate compliance improvements

6. Counterparty Risks

Non-compliance can also affect business relationships, as partners may be hesitant to work with non-compliant entities, leading to lower transaction volumes and overall business success.

• Counterparties may report non-compliance to regulators. CASPs must report the repeatedly non-compliant counterparties to the competent authority responsible for Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF) supervision within three months of identifying the non-compliance.
• Counterparties of CASPs that repeatedly or systematically fail to accompany crypto-asset transfers with the required information on the originator and beneficiary may be required to reject incoming transfers and terminate the existing business relationship or all reject future transfers from the non-compliant counterparty.

While no one has a crystal ball, the consequences of non-compliance with the EU's TFR after December 30th, 2024, are far-reaching and potentially severe. From financial penalties to reputational damage, the possible risks suggest that CASPs and other obligated entities should take seriously the need to be fully prepared with a TFR-ready Travel Rule solution when the regulation comes into force.

As the Head of Regulatory and Compliance at Notabene, I've been at the forefront of discussions about one of the most pressing issues keeping compliance officers awake at night: How do you handle non-compliant deposits under the Travel Rule in the EU and other jurisdictions?

The implementation of the Travel Rule is an essential step in ensuring compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. But this regulatory evolution brings a real challenge—how should Crypto Asset Service Providers (CASPs) respond when they receive non-compliant deposits? The issue isn’t only theoretical; it’s something that every CASP will face.

The Challenge of Non-Compliant Deposits

With the implementation of the Travel Rule, non-compliant deposits are an inevitable reality. These can arise from various scenarios(^1) that beneficiary CASPs must be prepared to address such as:

1. Deposits originating outside of approved CASPs
2. Deposits from approved CASPs with insufficient Travel Rule information
3. Deposits from approved CASPs with inconsistent beneficiary information
4. Deposits from approved CASPs where the originator is not an allowed person 

Without a clear policy or well-defined workflow, the risks are high and these issues can disrupt the user experience, complicate operations, and even lead to asset loss. Each scenario requires a well-thought-out policy and workflow to address it effectively while minimizing disruption to user experience.

Non-Compliance Under the EU’s TFR (Regulation 1113/2023)

In the EU, Travel Rule under the TFR (Regulation 1113/2023)(^2) places significant responsibility on beneficiary CASPs. Articles 14, 16, and 17 of the regulation clearly outline the need for accurate originator and beneficiary information to be included with each transaction. The challenge lies in the fact that beneficiary CASPs can't proactively block incoming deposits. They must rely on the originating CASP's compliance to meet their obligations. This creates a complex situation where beneficiary CASPs must navigate between regulatory compliance and customer service. Despite beneficiary CASPs having less control over incoming deposit flows than originating CASPs, they must still enforce compliance, using methods such as post-monitoring or suspending suspicious transactions.

Under Article 17, CASPs must implement risk-based procedures to determine whether to execute, reject, return, or suspend transfers of crypto-assets that lack the required information. Non-compliant transactions must be carefully reviewed, with potential responses ranging from requesting missing data to returning the crypto-assets to the originator.

But the process isn't simple. For instance, a transfer may originate from a wallet that no longer belongs to the sender. Or, the originator may have no account with an approved CASP. How do you return the funds then? The answers are not always straightforward, and the EU’s TFR leaves room for a risk-based approach to address these scenarios.

Developing a Policy for Travel Rule Non-Compliant Deposits

At the heart of handling non-compliant deposits is the necessity of a clear, risk-based policy which is part of every industry best practice. This policy must account for several key steps:

1. Withhold assets until compliance is achieved: If the necessary Travel Rule information is missing, the assets should not be made available to the beneficiary until compliance is ensured. This may require collecting additional information or performing enhanced due diligence.
2. Return non-compliant assets promptly: Where compliance cannot be achieved, CASPs should have clear procedures for returning the assets to the originator. This process should be timely to avoid user frustration while ensuring that the return itself is secure and complies with AML/CTF obligations.
3. Avoiding technical complications in the return process: Blockchain transactions, particularly those involving aggregated wallets, present additional challenges. Simply sending the funds back to the originating address may not always be feasible or safe. Instead, CASPs should establish secure, alternative methods to return funds while protecting against illicit activity.
4. Reassess relationships with non-compliant counterparties: CASPs should monitor their counterparties’ compliance levels. Repeated non-compliance from a particular CASP may necessitate reevaluating the relationship, issuing warnings, applying enhanced due diligence, or even terminating the partnership. And let's not forget that there is a requirement of reporting of non-compliance of CASPs to national authorities. 
   

The Return Dilemma

One of the most challenging aspects of handling non-compliant deposits is the return process. The FATF guidance and local regulations don't prescribe specific requirements for return policies, leading to varied practices among VASPs.
Key considerations for a return policy include:

1. Where to return the assets
2. Who to return the assets to
3. Whether Travel Rule compliance applies to the return transaction

While there’s no universally accepted answer, the principle of reliability and a risk-based approach may guide your actions. For instance, can you confidently rely on a blockchain address used in a Travel Rule message for returning assets? Often, the answer is no. Wallet addresses change, can become dormant, and may result in commingled assets. 

A more cautious approach is to confirm the originator’s identity and account details through both on-chain screening and direct communication with the counterparty. This ensures that the return process doesn’t inadvertently violate AML/CTF rules.

These are the practical steps for compliance that you can take:

1. Develop clear policies for handling non-compliant deposits
2. Implement robust monitoring systems to detect non-compliant transactions
3. Establish a detailed workflow for the return process
4. Communicate policies clearly to users to minimize disruption
5. Regularly reassess relationships with repeatedly non-compliant counterparties

Notabene’s Role: Helping CASPs Navigate Non-Compliance

At Notabene, our platform helps CASPs identify and manage non-compliant CASPs with precision. By offering insights into missing Travel Rule data and alerting users to potential non-compliant transactions, we help CASPs maintain compliance while minimizing disruption. Additionally, our reporting tools allow CASPs to generate comprehensive lists of non-compliant transactions, simplifying their decision-making process and enhancing their regulatory reporting.

The Path Forward: A Risk-Based Approach

Handling non-compliant deposits under the Travel Rule is complex, but not insurmountable. As the regulatory landscape continues to evolve, staying informed and adaptable will be key to success in the world of crypto compliance. The road ahead may be challenging, but with the right policies, workflows, and tools such as Notabene in place, compliance can be achieved without sacrificing user experience. At Notabene, we’re committed to helping CASPs and regulators strike this critical balance.

If you would like to speak with Notabene about  implementing a risk-based compliance solution for your unique needs, book a call with our team today.
‍

References

^1 This is not an inclusive list
^2 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32023R1113

Differences between national Travel Rule requirements can be challenging for VASPs to navigate. Various regulators have interpreted and applied the Travel Rule differently, leading to various approaches across jurisdictions regarding:

• Timeline for enforcement of Travel Rule requirements

• Required originator and beneficiary information

• Compliance thresholds

• Transactions to/from self-hosted wallets

• Counterparty VASP due diligence obligations

• Transacting during the Sunrise Period

A transaction could be within the scope of Travel Rule requirements for one counterparty and outside the scope for the other. This issue is especially complex during the Sunrise Period. Even after the Travel Rule is fully implemented, national framework differences will likely continue to cause friction for VASPs.

‍

Practical examples to illustrate these challenges

In Estonia, virtual asset service providers (VASPs) are not required to collect or transmit beneficiary names. However, a beneficiary VASP in another jurisdiction may expect to receive beneficiary information and could be obliged to reject transactions where this information is missing.

Canadian originator VASPs must collect and transmit the beneficiary’s physical address. However, originator VASPs in other jurisdictions may not have this requirement. As a result, Canadian VASPs may often receive incomplete information that nonetheless meets the requirements of the originator VASP’s domestic framework.

In the United States, an originator VASP is required to collect and transmit Travel Rule information only when the transaction exceeds $3,000. In contrast, a beneficiary VASP in the European Union requires this information for transactions of any value.

‍

A non-exhaustive list of the differences in required originator and beneficiary information across jurisdictions

Approaches to the Challenges of Cross-Border Transactions

Below we discuss what can be done about the challenges associated with cross-border transactions, initiatives that are already in place, and which stakeholders are best positioned to drive solutions to these challenges:

FATF

Although global harmonization of Travel Rule requirements would certainly solve these challenges for VASPs, this is not a realistic solution and is not something that the Financial Action Task Force (FATF) would or could mandate. National frameworks will also inevitably vary because, as the FATF points out, regulators take into account different risk profiles, contexts, and approaches to risk mitigation. [1] As such, the FATF Standards permit variation from the FATF’s Travel Rule, provided the minimum requirements are met.

REGULATORS

It is essential that regulators implement clear Travel Rule requirements for VASPs and that the frameworks address how VASPs should treat cross-border transactions where the requirements vary.

The U.K.’s Joint Money Laundering Steering Group's (JMLSG) guidance addresses this by ignoring cross-border discrepancies in the Travel Rule’s application. For instance, if a U.K. VASP complies with U.K.-specific requirements, it’s considered compliant even when dealing with jurisdictions that have more stringent rules. ^[2] On the other hand, if a U.K. VASP receives a deposit with incomplete or incorrect information, it must seek the missing details, irrespective of the originating VASP’s local thresholds. ^[3] 

We encourage the adoption of a more flexible deposit policy than the one that theJMLSG has adopted to facilitate smoother cross-border transactions. For example, a more lenient policy could permit VASPs to accept deposits without full Travel Rule information for transactions below the threshold set in the originating VASP’s country based on a risk assessment.

TRAVEL RULE SOLUTIONS

Travel Rule solutions are generally best positioned to ease some of the challenges for VASPs in facilitating cross-border transactions, especially when these transactions are happening at scale.

Notabene embeds jurisdictional requirements from more than 20 jurisdictions. Specifically, the system has encoded the applicable compliance thresholds and required information scope in each supported jurisdiction. This allows VASPs to validate their Travel Rule transfers against the Travel Rule requirements applicable in both their own and their counterparty’s jurisdiction. Using the available settings, VASPs can decide whether a Travel Rule transfer is required for a given transaction. They can make this decision based on their own compliance threshold or by considering the lowest threshold amount of the jurisdictions involved in the transaction.

VASPS

VASPs’ Travel Rule policies and processes should proactively address cross-border transactions. These policies need to take into account the differences across national frameworks and what actions are mandated by applicable domestic regulations. Additionally, partnering with the right Travel Rule solution can remove some of the operational complexity associated with cross-border transactions. When assessing different options, VASPs should closely assess the solution’s jurisdiction coverage and functionality when it comes to cross-border transactions.

‍

Notabene’s 2024 status check

‍

From a technical perspective, the differences in Travel Rule requirements across jurisdictions can be effectively reconciled. Solutions like Notabene’s jurisdictional validation are key in the process. However, from a policy perspective, it is crucial to ensure that VASPs are free to transact with foreign counterparties, despite the differences in requirements.

A risk-based approach that allows decisions on whether to accept transactions with missing information should be adopted. This flexibility is necessary in cases where the originator VASP is not legally obligated or able to provide the required information. Adopting stricter approaches might, in practice, prevent VASPs from accepting a significant number of transactions from their foreign counterparts.

‍

{{report2="/cta-components"}}

‍

Since the Travel Rule was first applied to cryptocurrency by FinCEN in 2019, and with the Financial Action Task Force (FATF) following suit with its own related recommendations, self-hosted wallets (also known as non-custodial wallets) have come under increased scrutiny.

In October 2021, FATF released its Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (VASPs). This guidance builds upon FATF’s initial 2019 recommendations, including directives on peer-to-peer (P2P) transactions—cryptocurrency exchanges that occur without the involvement of a VASP or other obliged entity. 

While the standards do not apply to transactions solely between self-hosted wallets, FATF highlighted the potential money laundering and terrorist financing (ML/TF) risks they pose. Moreover, FATF clarified that transactions involving self-hosted wallets can fall under the scope of the Travel Rule under certain circumstances.

VASPs: What to Expect When Transacting With Self-Hosted Wallets

VASPs face significant implementation challenges due to varying regulatory requirements across jurisdictions. 

• In regions such as the EU, UK, and Gibraltar, VASPs are required to collect information on their clients' self-hosted wallets. 
• In Singapore and Germany, VASPs must go a step further and verify the identity of the self-hosted wallet owner. 
• Liechtenstein mandates enhanced due diligence.
• Switzerland requires both identity verification and proof of ownership.

Many in the cryptocurrency community have expressed concerns about these measures. Since blockchain is inherently public, sharing personal information associated with a self-hosted wallet could potentially expose the entire transaction history of that client, going beyond what the Travel Rule requires from traditional financial institutions.

Despite these concerns, VASPs must integrate solutions and establish processes to comply with FATF’s recommendations. 

Below is an overview of what FATF expects from VASPs when interacting with self-hosted wallets:

‍

1. Obtain the Originator and Beneficiary Information from the VASP’s Customer (¶ 295)

When sending or receiving a virtual asset transfer to a self-hosted wallet, the originator and beneficiary information must be obtained from the VASP’s customer, as there is no other VASP from which to obtain the information. This requirement generally applies to transactions above USD 1,000/EUR, but this threshold might vary depending on how jurisdictions implement it.

To remain compliant, VASPs must collect all the necessary Travel Rule information, such as names, account numbers or wallet addresses, addresses or IDs, birth dates, and birthplaces, without compromising user experience. 

Blockchain analysis solutions like Chainalysis KYT enable VASPs to identify Travel Rule transactions, ensuring frictionless data collection automatically. In combination with solutions like Notabene, VASPs can gather the necessary data in a user-friendly way and automatically detect the jurisdictional requirements and thresholds applicable to each transaction.

‍

2. Enforce AML/CTF Obligations (¶ 295 & 296)

Travel Rule guidance applies only above certain thresholds, which vary depending on the jurisdiction. However, VASPs are required to perform Know Your Customer (KYC) checks and implement transaction monitoring, regardless of whether their customer’s transactions meet the Travel Rule requirements.

Tools like Notabene can assist compliance teams in efficiently implementing the data collection and verification process for the owner of a self-hosted wallet. Integrating a Travel Rule solution with an automated transaction monitoring tool allows VASPs to identify which transactions meet the Travel Rule threshold immediately. Additionally, these tools help compliance teams automatically detect if transactions are related to potential high-risk activities and take action when historical transactions become risky in light of new regulatory information through continuous monitoring.

Implementing the right solution enables compliance teams to adapt more efficiently to ongoing industry changes. If a solution flags a high number of false positives, analysts may have to allocate significant time to investigating non-critical alerts. Worse still, incorrect data could lead them to draw inaccurate conclusions.

‍

3. Implement Additional Risk Mitigation Measures (¶ 297)

Additional risk mitigation measures may be necessary when interacting with self-hosted wallets. FATF’s guidance considers transactions with self-hosted wallets potentially higher risk, providing VASPs with options to treat them accordingly. These measures can range from imposing additional limitations and controls to avoiding interactions with self-hosted wallets altogether.

FATF advises VASPs to observe patterns of conduct, evaluate local and regional risks, and review information and bulletins issued by regulators and law enforcement to form their own risk assessments. Although this recommendation is optional, it raises concerns about the potential impact on industry adoption, as self-hosted wallets are integral to the cryptocurrency ecosystem. They are commonly used for legitimate purposes, such as securely moving funds and holding long-term investments.

Blockchain analysis tools can equip VASPs with the necessary data regarding self-hosted wallets to conduct comprehensive risk assessments, mitigate risks, and support their decisions in front of regulators.

‍

‍Global Approaches to Self-Hosted Wallet Regulation

VASPs face numerous challenges due to differing requirements across jurisdictions. The FATF’s third targeted update on the global implementation of its standards revealed that around 70% of jurisdictions are still undecided on their approach to transactions between VASPs and self-hosted wallets. Among the jurisdictions that have made decisions, about 40% align with FATF recommendations, requiring VASPs to collect relevant beneficiary or originator information from their customers. Additionally, 25% of these jurisdictions have implemented mitigation measures or transaction limitations, such as identity verification of self-hosted wallet owners or enhanced due diligence procedures.

• In Liechtenstein, VASPs are not required to apply the Travel Rule to transactions with self-hosted wallets. However, they must enforce enhanced risk mitigation measures, such as using blockchain analytics to assess transaction risks, collecting documentation on the purpose of the transaction, and requiring customers to prove ownership of their self-hosted wallets when transacting with them.
• Japan closely aligns with FATF recommendations. VASPs in Japan are required to collect the necessary information from their customers regarding the owner of the self-hosted wallet involved in a transaction. However, there is no obligation to verify this information. This approach, requiring data collection without verification, is widely adopted and can also be seen in jurisdictions like Gibraltar and the European Union for transactions amounting to 1,000 EUR or less.
• The European Union follows a stringent approach when dealing with self-hosted wallets, as outlined in the revised Transfer of Funds Regulation. For transactions exceeding 1,000 EUR, European CASPs (Crypto Asset Service Providers) must verify the ownership of the self-hosted wallet, whether they are sending or receiving funds. This wallet ownership verification requirement aligns with FATF recommendations and is similarly applied in other jurisdictions like Hong Kong and Portugal.
• Switzerland has adopted one of the strictest approaches to self-hosted wallet transactions. Under Article 10 of FINMA’s guidelines, Swiss VASPs are required to identify and verify the identity of the self-hosted wallet owner, regardless of whether the transaction involves another VASP or a self-hosted wallet. This requirement ensures that VASPs can prevent problematic payments by ensuring all transactions meet stringent identity verification standards.

‍

What the data says about self-hosted wallets

In December 2020, when the Treasury’s 72-page NPRM for transactions with self-hosted wallets and certain foreign jurisdictions came out, Chainalysis analyzed the data on cryptocurrency transactions involving self-hosted wallets.

The data shows that the majority of the funds held in self-hosted wallets often come from VASPs, which are related to investing purposes or are used by individuals or organizations to move funds between regulated exchanges. It is important to mention that the 2021 data didn’t vary significantly in comparison to the 2020 analysis. There are still three trends related to the usage of self-hosted wallets.

1. The vast majority of the Bitcoin funds transferred to self-hosted wallets came from VASPs

During Q3 of 2021, almost 83% of the bitcoin sent from one self-hosted wallet to another originated from cryptocurrency exchanges, and only 2% came from illicit services. This means that in the vast majority of cases, law enforcement can investigate illicit activity related to self-hosted wallets by working with cryptocurrency exchanges, which are obligated entities, and obtaining KYC information from them through legal process.

2. The majority of bitcoin sent to non-VASPs are eventually sent to a VASP

Many transfers sent and received by self-hosted wallets have VASPs on the other side of the transaction. If cryptocurrency is being used for illicit purposes, criminals will eventually need to cash out their illicit proceeds. This means going through a cryptocurrency exchange (we can see this behavior reflected in our data). As long as they are in a country that regulates cryptocurrency exchanges – and this list is growing – exchanges will collect KYC information. Access to this information is vital to financial crime investigations.

During Q3 2021, the percentage of funds that were not sent to an exchange service decreased from 29% to 18% in comparison with Q2 2020. Meanwhile, the percentage of funds sent to exchanges increased from 62% to 71%. This means that crypto holders moved the funds they were holding inside self-hosted wallets to an exchange, maybe to take out some profits due to the crypto bull market we experienced this year.

‍

3. The transaction activity levels among self-hosted wallets highly suggest that their primary use is for investment

After funds are deposited to a self-hosted wallet from an exchange, the percentage of bitcoin moved to another self-hosted wallet in a given month is significantly low. The majority of the bitcoin stays in the original wallet for a long period of time. On average, the funds originated from a VASP to self-hosted wallets move only once a month, which likely indicates that the primary use case is investment.

Chainalysis’ robust blockchain dataset provides key insights into the role of self-hosted wallets in the cryptocurrency ecosystem. If the main purpose of these regulatory requirements is to decrease illicit transactions and avoid money laundering, targeting self-hosted wallets may not accomplish the intended objective.

Chainalysis's blockchain analysis data makes it clear that self-hosted wallets are not inherently risky and do not inhibit law enforcement’s ability to investigate the illicit use of cryptocurrency. Blockchain analytics can inform risk analysis and compliance programs so that compliance teams can mitigate risks responsibly and effectively.

What’s next?

Travel Rule guidelines have already been released by the regulators and VASPs have a deadline to build compliance programs to comply with it. We know this process can be overwhelming, but luckily, there are many available solutions to facilitate this process for VASPs, and there will likely be many more as the cryptocurrency industry continues to overlap with the traditional financial system.

Chainalysis and Notabene have created an integrated solution that helps VASPs save time and money while looking to meet the complete Travel Rule requirements and build their own risk assessment on self-hosted wallets.

Our integration covers a variety of compliance needs that can simplify the technical and operation integration process. Notabene’s end-to-end Travel Rule solution provides counterparty wallet identification tools, a VASP due-diligence directory, and a secure dashboard to help financial institutions manage counterparty risks without hindering user experience. In conjunction with Chainalysis, VASPs can immediately identify counterparties’ wallet types, get automatic transaction alerts on risky activity, and perform continuous monitoring, all in one place.

Choosing the right partners can save compliance teams time, resources, and protect the company from additional regulatory scrutiny or even fines.

Contact the Chainalysis and Notabene teams for more information.

The Travel Rule requires Virtual Asset Service Providers (VASPs) to identify and conduct due diligence on their counterparty VASP or financial institution. However, national Travel Rule frameworks tend to be silent or vague on this topic.

Conducting VASP due diligence generally involves obtaining information about the counterparty VASP’s registration/licensing status, its ability to securely hold Travel Rule information, whether it is tied to illicit actors or sanctioned persons, and its level of anti-money-laundering, counter-terrorism financing (AML/CTF) compliance. The aim of performing this due diligence is to ensure that VASPs avoid dealing with illicit or sanctioned actors and to gain assurance that a counterparty VASP can comply with the Travel Rule and protect the confidentiality of shared information.

‍

Counterparty VASP Due Diligence Challenges Faced by VASPs

VASPs face three main challenges in implementing due diligence processes:

1. Difficulty Accessing Information

Beyond identifying counterparties, VASPs struggle to make risk-based decisions due to the scarcity of publicly available information. Verifying whether a counterparty VASP is licensed or registered is particularly hard given the limited number of public registers. Furthermore, assessing a VASP’s adherence to AML/CTF standards is challenging without directly engaging each potential counterparty, which becomes impractical at scale.

2. Lack of Standardization

Currently, there is no uniform standard for conducting VASP due diligence. Additionally, national frameworks for the Travel Rule often lack clear criteria for due diligence.

3. Operational Costs

Conducting VASP due diligence requires resources, which involve either purchasing the relevant compliance tools (to the extent they are available) and/or allocating personnel to perform these due diligence assessments.

‍

The FATF acknowledged these challenges in its June 2023 Targeted Update, reporting that VASPs struggle to effectively conduct due diligence on counterparty VASPs ^[1]. This difficulty is further exacerbated by the existence of unregulated and unlicensed VASPs, making it even more challenging to gather information to assess these entities’ possible connections to illicit activities or sanctioned individuals, as well as their compliance with AML/CTF standards. Notabene’s industry survey supports these observations. Despite the significant drop in prominence since last year, a notable percentage of respondents (29%) continues to send Travel Rule information transfers to all VASPs, regardless of any due diligence assessment. Additionally, counterparty due diligence ranks as the least adopted compliance check among respondents, only ahead of the options “None” and “Other” (see Chapter 3, Section 8 of Notabene’s 2024 State of Crypto Travel Rule Compliance Report).

Approaches to VASP Due Diligence Challenges

FATF

The FATF can do little to solve the operational challenges associated with a VASP’s due diligence process apart from sharing recommendations on how a jurisdiction should implement VASP due diligence requirements. As such, the FATF does the following:

• Makes a clear distinction between the due diligence process required for establishing a correspondent relationship and the process required for Travel Rule purposes ^[2].
• Strongly encourages jurisdictions to maintain and publicize information on VASPs that are registered or licensed in their jurisdiction, to give VASPs access to information needed to perform counterparty due diligence in line with Recommendations 16 and 13 ^[3].
• Clarifies that VASPs need to independently perform due diligence ^[4] — a contentious point that has hindered Travel Rule interoperability efforts. Operators of Travel Rule protocols may resist interoperability to maintain control over the network. However, the FATF emphasizes that VASPs must still independently assess counterparty risk, highlighting that being part of closed Travel Rule networks does not eliminate a VASP’s need to verify information and meet domestic obligations.
• Suggests that the Wolfsberg Correspondent Banking Due Diligence Questionnaire be used as a starting point for the VA industry to develop its own risk-based best practices ^[5].

Regulators

It is not desirable that national regulators specify prescriptive criteria for conducting VASP due diligence, yet it is necessary that regulators understand the current challenges associated with evaluating counterparty VASPs and thus provide VASPs with practical guidance. In 2023, Hong Kong’s SFC offered valuable granularity in their detailed guidance on counterparty due diligence measures ^[6], identifying several criteria that VASPs should consider to determine whether a counterparty is eligible, such as the quality and effectiveness of regulations and supervision, the Travel Rule status in their jurisdiction, and the existent AML/CTF and data protection controls.

‍
National legislators and regulators should also strive to adhere to FATF guidelines on this topic to facilitate the emergence of a global standard for VASP due diligence. However, the European Transfer of Funds Regulation deviates from FATF guidelines by labeling the relationships between domestic CASPs and foreign VASPs as correspondent relationships due to their “ongoing and repetitive” nature. This divergence raises concerns about proportionality and scalability.
‍

Regulators may also consider incorporating exceptions for carrying out due diligence when appropriate, such as in the context of transactions between domestic VASPs that are both supervised by the same authority, or prescribing scenarios where simplified due diligence measures are permissible.

Joint Industry Initiatives

Finding solutions to some of the challenges associated with VASP due diligence can be championed by joint industry initiatives. In fact, there is already work underway to address this.
‍

In 2023, the Global Digital Finance (GDF) members association published the GDF Virtual Asset Due Diligence Questionnaire ^[7]. The questionnaire was designed to provide an overview of a VASP’s AML policies and practices, and it is suggested that VASPs use it to onboard counterparty VASPs or that financial institutions use it to onboard VASPs.

Travel Rule Solutions

Travel Rule solutions and other service providers can offer tools to assist VASPs in operationalizing and scaling due diligence efforts.

‍
Notabene customers can easily access and monitor their counterparties within the Notabene Network. By integrating with VASPNet and Global Legal Entity Identifier Foundation (GLEIF), Notabene provides real-time, verified data about counterparty VASPs’ regulatory statuses and incorporation information. Furthermore, VASPs can also request, review, and share an adapted version of GDF’s questionnaire between selected parties in a secure and encrypted manner.

‍

{{cta-learnmore10="/cta-components"}}

‍

VASPs

VASPs are encouraged to engage in global and local industry initiatives focused on VASP due diligence. Considering the significant impact of VASP due diligence on Travel Rule compliance, it is important that VASPs keep this in mind when selecting a Travel Rule solution to partner with.

Additionally, VASPs should cooperate with their counterparty’s due diligence efforts by providing any requested information. Ideally, VASPs should make their information available to as wide a network of trustworthy counterparties as possible. This would enable other VASPs to conduct due diligence more efficiently.

Notabene’s 2024 Status Check

In 2023, there was significant progress in clarifying and operationalizing counterparty due diligence obligations. The FATF clarified that this due diligence must be carried out independently, which helped the industry to advance with a unified understanding of these obligations. The publication of GDF’s questionnaire was a substantial contribution toward standardizing VASP due diligence. As detailed in Chapter 3, Section 8, our survey results indicate a substantial shift: the proportion of VASPs sending Travel Rule transfers to all counterparts without specific criteria dropped from 52% in 2023 to 29% in 2024. This change highlights a growing commitment to counterparty due diligence obligations.

‍

{{report2="/cta-components"}}

The European Union's Transfer of Funds Regulation (TFR) and the associated Travel Rule Guidelines from the European Banking Authority (EBA) are set to significantly impact how Crypto Asset Service Providers (CASPs) handle crypto-asset transactions. As these regulations come into effect, it is crucial for CASPs to understand the key requirements and prepare for compliance. 

This blog highlights the top 10 things European CASPs need to know about the upcoming Travel Rule compliance enforcement.

1. Comprehensive Data Collection Requirements

Under Article 14, paragraphs 1 and 2 of the TFR, CASPs must ensure that all transfers include specific details about the originator and beneficiary.

This includes:

Natural persons

Legal persons

This comprehensive data collection ensures that all parties in a transaction can be unambiguously identified.

2. Robust Monitoring Systems

Beneficiary CASPs must implement robust monitoring systems to detect and manage non-compliant transactions. These systems should be capable of identifying missing, incomplete, or meaningless information and should align with the risk levels associated with money laundering and terrorist financing. ^[1]

{{european2="/cta-components"}}

3. Handling Non-Compliant Transactions

When a transaction lacks the required information, CASPs have four options: execute, reject, return, or suspend the transfer. The appropriate action depends on the specific circumstances and the risk assessment results. ^[2]

4. Managing Non-Compliant Counterparties

Repeated non-compliance by counterparties requires CASPs to reassess their relationships. This includes applying stricter monitoring and verification measures, potentially terminating business relationships, and reporting non-compliant counterparties to the relevant authorities. ^[3]

5. Verifying Self-Hosted Wallet Transactions

For transactions involving self-hosted wallets, the requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. ^[4]

6. Understanding Different Self-Hosted Wallet Transaction Scenarios 

The TFR categorizes self-hosted wallet obligations based on the transaction amount and whether the wallet owner is a customer of the CASP. These scenarios include transactions of 1,000 euros or less, transactions over 1,000 euros where the wallet owner is a CASP customer, and transactions over 1,000 euros where the wallet owner is not a CASP customer.

‍

7. Implementing Appropriate Risk Mitigation Measures on Self-Hosted Wallet Transactions

CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks. These measures may include verifying the identity of the transfer's originator or beneficiary, requesting additional information, and conducting enhanced ongoing monitoring of transactions. ^[5]

8. Ensuring Compliance with General Obligations

CASPs must ensure compliance with several general obligations, such as:

• Information transmission infrastructure: Must be fully capable of transmitting information without technical limitations. A transitional period until July 31, 2025, allows for exceptions with compensatory policies in place. ^[6]
• Compliance timing: Information must be transmitted immediately and securely, before or at the same time the crypto-asset transfer is completed. ^[7]
• Joint accounts: Transfers from joint accounts, addresses, or wallets must include information about all holders. ^[8]‍
• Information submission changes: Initial information submissions cannot be changed unless requested by the beneficiary CASP or if an error is identified. Subsequent CASPs must be informed and required to detect any missing or incomplete information. ^[9]

9. Evaluating Payment and Messaging Systems (Travel Rule solutions)

Payment and messaging system requirements: CASPs must evaluate selected messaging or payment protocols based on the following aspects:

• Communication with internal core systems and counterparty messaging or payment systems.
• Compatibility with other blockchain networks.
• Reachability, including the ability to reach counterparties and the success rate of transfers.
• Detection of transfers with missing or incomplete information.
• Data integration, security, and reliability. ^[10]

10. Preparing for the Future

By July 1, 2026, the European Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions. ^[11]

‍

{{european1="/cta-components"}}

‍

The upcoming Travel Rule compliance regulation imposes comprehensive requirements on CASPs to ensure the integrity of crypto-asset transactions. By understanding and adhering to these requirements, CASPs can effectively manage transaction information, monitor compliance, handle non-compliant transactions, and manage relationships with non-compliant counterparties. This regulatory framework not only helps in mitigating risks associated with money laundering and terrorist financing but also fosters a more secure and transparent crypto-asset ecosystem in the European Union.

‍

Want to learn more? Read our blogs on beneficiary VASPs' transaction requirements under the TFR and the upcoming self-hosted wallet requirements.

The European Union's Transfer of Funds Regulation (TFR) enforces the Crypto Travel Rule to combat money laundering and terrorist financing. This rule, initially mandated by the U.S. Financial Crimes Enforcement Network (FinCEN), was extended in June 2019 by the Financial Action Task Force (FATF) to include virtual assets (VAs) and Virtual Asset Service Providers (VASPs). The Travel Rule requires VASPs to securely obtain, hold, and transmit originator and beneficiary information during VA transfers.

This article provides an overview of the crypto Travel Rule in the European Union, pulling from the Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s draft Travel Rule Guidelines.
‍

{{cta-learnmore1="/cta-components"}}

‍

Regulatory Milestones in the EU

The EU has been proactive in aligning its regulations with FATF’s recommendations:

• FATF Guidance (2019): The FATF issued its first guidance on a risk-based approach to virtual assets and VASPs, marking a significant expansion of AML/CTF measures.
• EU Regulation (2015/847): This regulation was adopted to apply FATF’s requirements uniformly across member states, ensuring fund transfers include payer and payee information.
• TFR Recast (2023): The TFR was extended to include crypto transfers, setting uniform Travel Rule requirements across all 27 EU member states.
• Travel Rule Comes into Force (2024): The European Banking Authority (EBA) will publish final Travel Rule guidelines in June 2024, and crypto Travel Rule obligations will become enforceable on December 30, 2024.

Information Transmission Requirements

The TFR mandates uniform obligations for crypto transfers, regardless of the transaction amount or whether they are cross-border. CASPs must include specific details about the originator and beneficiary in all transfers.

Required Information for Crypto Transfers

‍

Natural Persons

Legal Persons‍

* Note: Regarding the date and place of birth, the EBA does not clarify what would be required instead if the originator is a legal person. In some jurisdictions, VASPs are required to provide a date and place of incorporation, but the EU requirement is unclear. 

‍

{{cta-learnmore1="/cta-components"}}

‍

General Obligations for Information Transmission

CASPs must ensure their information transmission infrastructure is fully capable of compliance without technical limitations. The information should be transmitted immediately and securely before or at the same time as the crypto-asset transfer is completed. For joint accounts, transfers must include information about all account holders. Selected messaging protocols must enable seamless and interoperable transmission of information.

Travel Rule Obligations in Deposits

Beneficiary CASPs also have responsibilities upon receiving a transaction. They must implement robust policies and procedures to detect incoming transactions lacking necessary information and handle such transactions appropriately. If a transaction lacks the required information, beneficiary CASPs can choose to execute, reject, return, or suspend the transfer based on a risk-based approach.

Managing Non-Compliant Counterparties

When deposits lack Travel Rule data, CASPs must reassess their relationships with non-compliant counterparties. If a counterparty repeatedly fails to meet obligations, CASPs should consider enhanced due diligence measures, potentially terminating the business relationship, and reporting the non-compliance to competent authorities.

‍

Self-Hosted Wallet Transactions

Transactions between CASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16. The regulatory requirements vary depending on the transaction amount and whether the wallet owner is a CASP customer or a third party.

Transactions of 1,000 Euros or Less 

For transactions involving self-hosted wallets of 1,000 euros or less, CASPs must obtain and hold information about the parties to the transaction. This information should be cross-matched using suitable methods, such as blockchain analytics and third-party data providers, to verify the originator's or beneficiary's identity.

Transactions Over 1,000 Euros Where the Wallet Owner is a CASP Customer 

For transactions exceeding 1,000 Euros, CASPs must verify whether the customer owns or controls the wallet. The EBA’s Travel Rule guidelines specify that CASPs must use at least two methods for this verification. Methods include advanced analytical tools, sending a predefined amount from the wallet to the CASP’s account, and signing a specific message in the account and wallet software.

Transactions Over 1,000 Euros Where the Wallet Owner is Not a CASP Customer 

While the TFR is silent on the obligations for transactions involving third-party wallets, the Travel Rule Guidelines provide a framework. CASPs must verify wallet ownership/control and apply risk mitigation measures proportional to the identified risks, such as verifying the originator's or beneficiary's identity and requesting additional information about the transfer.

‍

{{cta-learnmore1="/cta-components"}}

‍

The EU’s implementation of the Travel Rule through the TFR sets a comprehensive regulatory framework for CASPs, ensuring that crypto asset transfers are transparent and secure. By adhering to these requirements, CASPs can help mitigate the risks of money laundering and terrorist financing, fostering a safer and more trustworthy environment for digital asset transactions. As the regulatory landscape evolves, staying informed and compliant with these obligations will be crucial for CASPs operating within the EU.

The European Union’s Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines, updated with the EBA’s final Travel Rule guidelines published on July 4, set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges to regulatory compliance. This article summarizes the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures.

‍

Highlights of What Changed in the EBA’s Final Travel Rule Guidelines

1. More Flexibility in the Scope of Required Originator Information:

The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers.

2. Eased Requirements for SHW Transfers Below €1,000:

The final version of the Travel Rule guidelines removes verification requirements. Only information collection obligations apply, eliminating the need for technical means like blockchain analytics to cross-match collected data in order to identify and verify the originator or beneficiary.

3. Simplified Verification for 1st-Party SHW Transfers ≥ €1,000:

The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control.

4. Clarification for 3rd-Party SHW Transfers Above €1,000:

The Travel Rule Guidelines now clarify the requirements, specifying that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements from Article 19a of Directive (EU) 2015/849 apply. Additionally, the originator/beneficiary identity verification required therein is deemed to be fulfilled by collecting additional information from other sources (e.g., blockchain analytics, third-party data, or recognized authorities’ data) or using other suitable means to ensure the originator/beneficiary’s identity is known.

‍

{{european1="/cta-components"}}

‍

Overview of Applicable Obligations

The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:

• Transactions of 1,000 euros or less.
• Transactions over 1,000 euros where the wallet owner is a CASP customer.
• Transactions over 1,000 euros where the wallet owner is not a CASP customer.

Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.

‍

A. Transactions of 1,000 Euros or Less

For transactions of 1,000 euros or less involving self-hosted wallets, the TFR mandates that CASPs collect and hold specific information about the parties involved. As outlined in Articles 14/5 and 16/2 of the TFR, transactions involving self-hosted wallets of 1,000 euros or less require CASPs to obtain and hold information about the parties to the transaction. The scope of information that CASPs are required to collect mirrors that which is mandated for CASP-to-CASP transactions.

The Travel Rule Guidelines clarify in paragraph 80 that this information must be sourced from the CASP’s customer. This includes:

• Full name of the originator and beneficiary

• Distributed ledger address

• Account number

The final EBA Travel Rule Guidelines removed the requirement for CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. Now, CASPs are mandated to collect and retain specific pieces of information from their customers. ^[1]

‍

B. Transactions Exceeding 1,000 Euros Where the Wallet Owner is a Customer of the CASP

For self-hosted wallet transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether their customer owns or controls the self-hosted wallet. ^[2] The originator CASP is tasked with evaluating whether the wallet is owned or controlled by the originator, while the beneficiary CASP must determine whether the wallet is owned or controlled by the beneficiary. ^[3]

The Travel Rule Guidelines set a non-exhaustive list of verification methods available to CASPs and mandate the use of at least one method for wallet ownership/control verification, such as:

• Advanced analytical tools
• Unattended verifications (e.g., displaying the address)
• Attended verifications (e.g., live customer interaction)
• Sending a predefined amount from the wallet to the CASP
• Signing a specific message in the account and wallet software
• Other suitable technical means, as long as they allow for reliable and secure assessment. ^[4]

Where one method on its own is not sufficiently reliable to reasonably ascertain the ownership or control of a self-hosted address, the CASP should use a combination of methods. ^[5]

‍

C. Transactions Exceeding 1,000 Euros Where the Wallet Owner is Not a CASP Customer

The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines include a framework governing these transactions. According to the guidelines, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849—verification of the originator or beneficiary’s identity—are considered fulfilled if the CASP:

• Collects additional information from other sources to verify the submitted information (e.g., from blockchain analytics, third-party data, or recognized authorities’ data)
• Uses other suitable means as long as it is fully satisfied that it knows the originator’s or beneficiary’s identity. ^[6]

‍

Verification and Risk Assessment

CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information.

‍

General Obligations for Self-Hosted Wallet Transactions

In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:

1. Self-Hosted Wallet Identification

Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer. ^[7]

2. Threshold Calculation

Compute the transaction amount based on the exchange rate prevailing at the time of the transfer. ^[8]

3. Risk Assessment

Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures. ^[9]

‍

Additional Context and Considerations

‍

FATF’s Recommendation 16

Transactions between VASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions.

Regulatory Expectations and Trends

Although regulatory expectations vary significantly across regions, the requirement for VASPs to verify their customer’s or a third party’s control over the wallet address involved in transactions is gaining traction. The TFR’s requirements reinforce this trend, as further detailed in the sections above.

Future Assessments

By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions.

The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.

‍

{{european2="/cta-components"}}

‍

The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. 

Interested in learning more? Check out our blog on what the TFR says beneficiary VASPs should do when it comes to incoming transactions and the top 10 insights European CASPs need to know about their upcoming Travel Rule compliance framework.

With the European Union’s Transfer of Funds Regulation (TFR) taking effect on December 30, 2024, virtually all Crypto/Virtual Asset Service Providers (CASPs/VASPs) transacting with European customers must ensure compliance or face operational halts. Reachability and responsiveness are crucial for regulated VASPs, as non-responsiveness will prevent future transactions. We’re now at a critical juncture, as this regulation marks the end of the sunrise period and shifts the focus from protocol interoperability to compliant counterparty responsiveness.

At Notabene, we’re thrilled to announce a major milestone in our mission to integrate crypto transactions into the everyday economy. Our latest innovation, SafeTransact for Networks, aims to enhance counterparty responsiveness and bring Travel Rule compliance to existing ecosystems where transactions are already occurring today.

Notabene is uniquely positioned to deliver on this vision, as our extensive network already spans 27 countries, enabling us to process $71 billion worth of transactions in May 2024 alone. With 143 companies actively transacting daily, our clients have successfully integrated with us, setting up robust compliance processes and collaborating effectively with regulators.

Shifting Focus: From Interoperability to Reachability

It is widely understood that the fragmented nature of Travel Rule protocols has impeded widespread adoption. Initially, the industry thought solving protocol interoperability would boost Travel Rule adoption rates. This hypothesis seemed reasonable enough at the time, but it became evident that building a new network from scratch was very difficult. With many protocols with restricted access, low activity, or too few users, VASPs constantly struggle to reach all of their counterparties and achieve full compliance. We have since learned from experience in real-world applications from customers and regulators that the value of protocol interoperability is only as strong as the user adoption that protocols are able to achieve. 

Despite the impressive logos associated with various initiatives, we recognized that many of the biggest names in Travel Rule protocols had little to no activity occurring. To solve this, we shifted our focus from interoperability to reachability. This meant rethinking our approach entirely and not falling into the same trap of inventing yet another competing protocol, but instead solving our customers' core business needs – reaching and receiving responses from transaction counterparties.

Introducing SafeTransact for Networks

‍

‍

Instead of creating a new Travel Rule messaging network from scratch, SafeTransact for Networks integrates a compliance layer into existing networks, where millions of transactions already occur daily. This allows institutional custodians, settlement networks, multi-party computation (MPC) wallets, service providers, and stablecoin issuer ecosystems to seamlessly offer Travel Rule compliance. Networks can now integrate SafeTransact and offer Travel Compliance on top of their transactions. Members can perform checks and screen transactions to make automated authorization decisions without pure technical integration. SafeTransact for Networks helps businesses become compliant faster and seamlessly transact within the ecosystem.

Addressing Activation with SafeTransact for Networks

SafeTransact for Networks directly tackles the reachability challenge by bringing Travel Rule compliance where crypto businesses already transact with their counterparties today. To make SafeTransact for Networks work and reflect real-world transactions, we expanded the rigid Travel Rule, Alice-to-Bob flow, to transaction intermediaries, like custodians. We introduced flexibility and modularity into SafeTransact's transaction flow, which allows you to add as many transaction participants as real-world use cases require. 

Our solution uniquely operates at scale, managing Personally Identifiable Information (PII) in a compliant, risk-based manner, where only authorized businesses receive PII information. SafeTransact remains the only Travel Rule solution that offers this capability.

How it Works

Here’s a clear example of one multi-party transaction:

1. Initiating the Transaction

• Alice, a customer of BerlinEx, initiates a Bitcoin transfer to Bob.
• BerlinEx initiates the transaction by calling their wallet provider, SIGTrust, registered on the Seychelles.
• SIGTrust, being a network partner at SafeTransact, acts as the initiator for the Transaction authorization flow between the participants.

2. Chain of Intermediaries

• SIGTrust initiates the transfer in SafeTransact for Networks.
• Through our discovery methods, SIGTrust identifies that the recipient’s address belongs to TexEx. A first transfer initiation message is exchanged.
• TexEX responds and adds CryptoTrust, their custodian, to the transaction chain.

Once TexEx responds with adding their Custodian CryptoTrust:

‍

3. Transparency and Policy Implementation

• All parties involved recognize that this is a four-party transfer.
• TexEx establishes policies that require a Travel Rule exchange and flags the Seychelles jurisdiction from SIGTrust.
• The transfer appears in TexEx’s platform, listing all participants and their respective roles.

4. Compliance and Authorization

• The compliance team reviews and authorizes the transfer.
• Responses are sent to all participants to ensure everyone is informed.
• A request for a Travel Rule transfer is sent to the Originators about the Originator.

5. Completion and Notification

• All participants send and receive notifications detailing their roles and authorization policies in the transaction.
• Personally Identifiable Information (PII) is shared only with parties that require it.
• Once policies are fulfilled and the transfer is authorized, the transfer is completed and settled on-chain.

6. Policy Setup and Management

• BerlinEx has the option to apply for a profile with Notabene.
• This profile allows them to set up specific policies, including the ability to authorize or reject future transfers.
• The moment they onboard, they see all the historic transfers that they initiated via SIGTrust.

‍

SafeTransact for Networks ensures that even complex multi-party transactions are handled smoothly and securely, with careful management of PII and compliance with all necessary regulations.

Why Choose SafeTransact for Networks?

• Network Providers (e.g. institutional custodians, settlement networks, MPC wallet providers) deliver incremental value to their customers by offering network members a layer of compliance on top of their existing service. 
• Network members (e.g. exchanges, banks, lending desks) quickly and easily achieve Travel Rule compliance without the need for additional development resources by joining the SafeTransact ecosystem. 
• The Entire Ecosystem benefits from the network effects of expanding compliance reachability from individual networks across all integrated networks. This interconnected approach ensures that businesses can transact safely and compliantly within their existing ecosystems without needing to adjust to new frameworks.
  
  

Bringing the Power of SafeTransact to Established Networks

• Comprehensive Travel Rule Compliance: SafeTransact is designed to meet the stringent requirements of the Travel Rule and other regulatory frameworks. By facilitating the exchange of travel rule information and automating compliance processes, SafeTransact helps businesses stay ahead of regulatory demands. This is particularly important as more jurisdictions globally implement these compliance requirements.
• Pre-Transaction Authorization: SafeTransact enables businesses to make informed authorization decisions before a transaction is completed. This feature allows for instantaneous approvals, flags transactions for review, or rejects them based on predefined criteria. By identifying and screening all counterparties, SafeTransact performs thorough due diligence and risk assessments, ensuring that only legitimate transactions are processed.
• Real-Time Decision Making: One of SafeTransact’s standout features is its ability to make authorization decisions in real-time. This capability is crucial for businesses that need to operate at the speed of digital transactions without compromising security. With SafeTransact, businesses can automate their transaction flows and analyze insights, making the entire process seamless and efficient.

We’re excited to present SafeTransact for Networks as an innovative way of increasing Travel Rule adoption globally by meeting crypto businesses where they transact with their counterparties today. We allow existing networks, like institutional custodians and MPC wallet providers, to offer their customers a layer of compliance on top of their ecosystems. All of this is possible with Notabene’s new transaction flow expanding to intermediary and more complex, real-world use cases.

We believe that reachability, activation, and responsiveness are the most pressing issues facing our industry, which is why we are doubling down on expanding the Notabene Network to give our customers truly global reach. We understand that our industry cannot thrive with a one-size-fits-all approach to regulatory compliance, so we have invested in tools like our new PolicyEngine to enable customers to easily manage their unique workflows.

We are approaching a global tipping point for Travel Rule compliance, driven largely by the December 30 implementation deadline for the EU. We are here to help you prepare for that deadline in any way possible. Whether you are a customer participating in our Travel Rule certification programs or seeking a trusted resource for industry updates and education, please consider us a valuable resource. Our team are experts on these issues and is here to assist you with any questions you might have.

‍

To learn more about how SafeTransact can benefit your business and ensure compliance, contact our team for a custom demo.

The European Union's Transfer of Funds Regulation (TFR) and the European Banking Authority’s final Travel Rule Guidelines impose stringent requirements on Crypto Asset Service Providers (CASPs) to ensure transparency and security in crypto-asset transactions. Beneficiary CASPs, in particular, have critical responsibilities in managing incoming transactions despite their limited control over deposit flows compared to originating CASPs.

Beneficiary CASPs cannot proactively block incoming deposits and rely on the compliance of the originator CASP to meet obligations. Therefore, it is crucial to evaluate strategies for handling non-compliant deposits. This article focuses on the specific requirements for beneficiary CASPs and strategies for managing transactions that fail to meet compliance standards.

Required Information for Transactions

Under Article 16/1 of the TFR, beneficiary CASPs are obligated to receive specific information about both the originator and the beneficiary of each transaction. Articles 14(1) and 16(1) of the TFR specify the required information, including:

• Full name of the originator and beneficiary
• Distributed ledger address and account number
• Address and official personal document number of the originator
• Additional optional information, such as customer identification number or date and place of birth, to ensure unambiguous identification.

Monitoring Systems for Detecting Non-Compliance

The TFR mandates that beneficiary CASPs implement robust monitoring systems to detect non-compliant transactions. According to the Travel Rule Guidelines, these systems should include:

1. Methods for detecting missing, incomplete, or meaningless information.
2. Pre- and post-monitoring practices aligned with money laundering and terrorist financing (ML/TF) risk levels.
3. Criteria for recognizing risk-increasing factors. ^[1]

Managing Non-Compliant Transactions

Beneficiary CASPs must follow specific procedures to detect a transaction lacking the required information. Article 17 of the TFR outlines four possible actions:

1. Execute: The CASP can proceed with the transaction if the risk assessment allows it.
2. Reject: The transaction can be rejected if it does not meet compliance standards.
3. Return: The funds can be returned to the originator if the necessary information is not provided.
4. Suspend: The transaction can be temporarily suspended while additional information is requested.

The Travel Rule Guidelines provide more granularity on how CASPs should define the appropriate follow-up action:

• Beneficiary CASPs can request missing information from the originator CASP rather than immediately rejecting or returning the transfer. ^[2] 
• If the information is not provided within a specified timeframe (three working days for EU transfers and up to seven days for others), the CASP must decide whether to proceed based on a risk assessment. ^[3] 
• If the rejection is technically impossible (e.g., the crypto-assets have already been received), the transfer should be returned to the originator. ^[4]
• If returning the transfer to the original address is not possible, CASPs should hold the returned assets in a secure, segregated account while communicating with the originator CASP to arrange the proper return of the crypto-assets. ^[4]

‍

Managing Non-Compliant Counterparties

When beneficiary CASPs identify deposits missing Travel Rule data, it not only disrupts the transaction but also strains relationships with non-compliant counterparties. Here’s how CASPs should manage these situations according to Article 17/2 of the TFR:

1. Reassess the Relationship: Evaluate if the counterparty repeatedly fails to provide the required information.
2. Report Non-Compliance: Notify competent authorities about the non-compliance.

Assessment Criteria

To determine the appropriate course of action, CASPs must assess whether the counterparty has repeatedly failed to meet their obligations. The assessment involves both quantitative and qualitative criteria:

• Quantitative: Frequency of incomplete transfers and unanswered follow-up requests. ^[5]
• Qualitative: Counterparty cooperation, agreements for extended time, and reasons for missing data. ^[6]

Steps for Repeated Non-Compliance

1. Issue Warnings: Inform the counterparty of potential consequences and set deadlines for compliance.
2. Enhanced Due Diligence: Apply stricter measures to manage risk.
3. Terminate Relationship: If necessary, end the business relationship or reject future transfers.
4. Report Repeatedly Non-compliant CASPs: CASPs must report non-compliant counterparties within three months of identifying non-compliance and include details of the non-compliant counterparty CASP, nature and frequency of breaches, justifications provided, and actions taken. ^[7] 

‍

General Obligations

Finally, the Travel Rule Guidelines offer a concise overview of supplementary requirements that CASPs should consider when dealing with deposits. 

‍

Pre vs. Post Transaction Monitoring

CASPs are responsible for establishing policies and procedures to determine which transfers require monitoring before or during the transfer process. This decision should consider any factors that may increase risk, as specified in the “EBA’s Guidelines on Money Laundering/Terrorist Financing (ML/TF) Risk Factors.” ^[8]

Meaningless and Inconsistent Information

CASPs should treat information as missing if essential fields are left empty or if the provided information is deemed meaningless or inconsistent. For example, random strings of letters should be considered meaningless information. ^[9]

Communication Systems

When contacting the counterparty for clarification, CASPs should use the same messaging system utilized to transmit the initial information. ^[10]

Self-Hosted Wallet Deposits

For deposits from self-hosted wallets, any requests for clarification should be directed straight to the customer. ^[11]

Interested in learning more? Check out our articles on Self-Hosted Wallet Transaction Requirements Under the EU TFR and Top 10 Insights European CASPs Need to Know About the Upcoming Travel Rule Compliance Regulation.

On July 9, 2024, the Financial Action Task Force (FATF) released its fifth targeted review of the implementation of FATF Standards on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). This review provides an overview of the progress made by countries and the industry, as well as ongoing implementation gaps and concerns.

While the report covers a range of topics, we will focus here on the implementation of the Travel Rule. As a reminder, the Travel Rule requires VASPs and financial institutions to obtain, hold, and transmit specific originator and beneficiary information immediately and securely when transferring virtual assets. 

Let's dive in to the main takeaways from the report.

‍

More jurisdictions are passing Travel Rule legislation 

85% of jurisdictions have passed or are in the process of passing Travel Rule legislation, compared to 69% last year

‍‍Jurisdictions have made progress on implementing the Travel Rule. In fact, 70% of respondents (65 of 94 jurisdictions, excluding those that prohibit or plan to prohibit VASPs explicitly) have passed legislation implementing the Travel Rule.

The methodology used by FATF and the Global Network consists of 205 jurisdictions in total. However, 147 jurisdictions responded to the 2024 survey (35 FATF members and 112 FSRB members). It is worth noting that 58 jurisdictions did not respond to the survey. The report infers that these 58 have not made progress on R.15, including the Travel Rule implementation. Responses were self-reported and not verified.

‍

FATF is urging jurisdictions to make immediate progress to enact and enforce legislation implementing the Travel Rule

Despite the legislation, enforcement remains weak. Of the 65 jurisdictions that have passed legislation implementing the Travel Rule, only 17 have issued findings, directives, or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance. ^[2]

The targeted update clarifies that a lack of interoperability and the Travel Rule tool’s deficiencies in comprehensive coverage are not excuses for not being compliant. FATF urges jurisdictions to make immediate progress in enacting and enforcing legislation implementing the Travel Rule. Specifically, the report shares the example that,‍

One jurisdiction shared that although regulated VASPs suffer from the lack of interoperability among Travel Rule compliance tools, non-compliant VASPs would still be penalised for their compliance shortcomings. [Paragraph 65]

Another jurisdiction reported imposing regulatory orders on a VASP for non-compliance related to Travel Rule tool deficiencies such as incomprehensive coverage of VAs or delayed data submission. [Paragraph 24]

In short, the FATF is urging jurisdictions to make immediate progress to enact and enforce legislation implementing the Travel Rule.

‍

FATF highlights specific public and private sector challenges in Travel Rule implementation

Both jurisdictions and VASPs continue to face a range of challenges in implementing the Travel Rule, as highlighted below:

Inconsistent implementation and lack of enforcement

VASPs use Travel Rule obligations to mitigate illicit finance risks. However, inconsistent implementation and lack of enforcement have not sufficiently motivated the private sector to enhance compliance.

Interoperability Issues

Although progress has been made, challenges persist due to architectural differences and data protection requirements. VASPs integrating multiple compliance tools face technical, operational, and financial burdens.

Discreet, rather than interconnected, Travel Rule tools with closed lists of participants (aka closed networks)  may also complicate the identification of counterparty VASPs and could result in the misidentification of a counterparty VASP as an unhosted wallet simply because the counterparty did not use the same Travel Rule compliance tool as the beneficiary. The FATF urges the private sector to progress towards increasing compatibility amongst Travel Rule compliance tools, whether through technological advancements that allow interoperability between tools, or by developing relationships that permit transactions to be made through a chain of interoperable tools or other methods. [Paragraph41]

Notabene’s SafeGateway facilitates VASP-to-VASP interactions across various protocols. 

Complex transactions

The industry reported widespread use of the interVASP Messaging Standards (IVMS) for Travel Rule information, akin to ISO20022 for the VA sector. They see potential in further developing standards to enhance message transitions, such as handling transaction rejections and follow-up queries. The increasing sophistication of VA transfers involving professional traders and over-the-counter brokers indicates that some Travel Rule compliance tools may not suit broader transaction types.

To address this, Notabene launched SafeTransact for Networks, which ensures the smooth handling of complex multi-party transactions, careful management of PII, and regulatory compliance.

Sunrise Issue

The report highlights ongoing challenges with the Sunrise issue, where jurisdictions implement the Travel Rule at different times.

• Phased Implementation and Grace Periods: Among the 80 jurisdictions implementing or planning to implement the Travel Rule, many are adopting a phased approach or granting grace periods with exemptions or flexible compliance expectations for VASPs.
• Interaction Restrictions: Most jurisdictions restrict domestic VASPs from interacting with foreign counterparts that lack Travel Rule legislation to mitigate associated risks.
• Risk Mitigation Measures: Specifically, of the 65 jurisdictions that have passed legislation enacting the Travel Rule, about half have measures in place to ensure domestic VASPs are only transacting with regulated and/or Travel Rule-complaint counterparts or are otherwise mitigating the risks.

‍

Despite the challenges mentioned above, FATF calls on all jurisdictions to rapidly enact and enforce the Travel Rule.

‍

VASP should perform counterparty due diligence, even when Travel Rule obligations differ

In order to transmit the required Travel Rule information, VASPs identify and conduct due diligence on their counterparty VASP. This remains a challenge due to difficulties in identifying the counterparty VASP based on VA wallet addresses and varying counterparty VASP due diligence requirements across jurisdictions. 

The FATF report suggests that for cases in which only one of the originator and beneficiary VASPs has Travel Rule obligations due to differences in national requirements, VASPs should still take steps to comply with targeted financial sanctions obligations. They further suggest to transact with unlicensed/unregistered foreign counterparts only if the originator VASP takes risk mitigating measures in place.

Counterparty due diligence ensures VASPs avoid dealing with illicit or sanctioned actors and helps ensure that a counterparty can comply with the Travel Rule, including protecting the confidentiality of shared information. Note that counterparty due diligence for the purpose of complying with R.16 is distinct from the obligations applicable to cross-border correspondent relationships (R. 13). [Page 22]

‍

FATF highlights issues with some Travel Rule compliance tools

The 2022 and 2023 Targeted Update reports highlighted that while the industry has developed various Travel Rule compliance tools in response to FATF standards, many tools still do not fully meet these standards and face interoperability challenges. Common shortcomings include a failure to transmit information immediately in information transmission, affecting sanctions screening and due diligence. 

Regulators and supervisors are encouraged to engage with VASPs to ensure compliance tools meet all FATF requirements and take enforcement actions for non-compliance. VASPs should “deliberative and make informed decisions and select a compliance tool(s) that will allow them to meet all FATF Travel Rule requirements”. The lack of interoperability between tools can hinder transaction monitoring and counterparty identification. The FATF urges the private sector to enhance tool compatibility through technological advancements or relationships among tool providers.

An increasing number of jurisdictions report VASPs using in-house developed compliance tools. There is interest in understanding how these tools interact with others and concerns about their effectiveness. Collaborative efforts between supervisory authorities, regulated VASPs, and tool providers are recommended to ensure tools meet regulatory requirements before use.

FATF shares guiding questions and considerations for Travel Rule compliance tool providers

‍

VASPs should take a deliberative and informed decision and select a compliance tool(s) that will allow them to meet all FATF Travel Rule requirements. Box 2.1 below sets out guiding questions that VASPs should ask to determine whether potential Travel Rule solution tools will comply with all FATF requirements. [Paragraph 40]

The following chart compares SafeTransact’s capabilities vs the VAGC’s guiding questions. 

‍

FATF proposes revisions to Recommendation 16 and implications for Travel Rule

In February 2024, the FATF initiated a public consultation on proposed changes to Recommendation 16 (R.16) and its Interpretive Note on payment transparency. The revisions aim to align the Standard with evolving payment systems and messaging standards (ISO 20022) while maintaining technological neutrality and the principle of "same activity, same risk, same rules." These updates could impact the VA sector by specifying the required originator and beneficiary information and defining the roles of VASPs in complex payment chains. The final revisions to R.16 will determine any changes to the Travel Rule requirements for VASPs. Read Notabene’s response to the public consultation here.

Summary of Recommendations from FATF to public sector

• Jurisdictions without Travel Rule legislation/regulation should urgently introduce it.
• Jurisdictions with the Travel Rule should quickly operationalize it through effective supervision and enforcement.
• Jurisdictions should publicize information on registered or licensed VASPs to facilitate counterparty due diligence.
• Jurisdictions should engage with the VASP sector to identify and ensure Travel Rule compliance tools meet FATF requirements.
• VASPs and compliance tool providers should review and improve tools to fully comply with FATF requirements and enhance compatibility for effective implementation.
• FATF will update and publish assessments of R.15 compliance by 2025.

‍

If you have any questions about the FATF report, or the implementation of the Travel Rule for your business or jurisdiction, let us know at [email protected].

And if you are in the process of determining the right Travel Rule solution for your needs, we'd be happy to offer a free consultation with our compliance experts.