Since the Travel Rule was first applied to cryptocurrency by FinCEN in 2019, and with the Financial Action Task Force (FATF) following suit with its own related recommendations, self-hosted wallets (also known as non-custodial wallets) have come under increased scrutiny.

In October 2021, FATF released its Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (VASPs). This guidance builds upon FATF’s initial 2019 recommendations, including directives on peer-to-peer (P2P) transactions—cryptocurrency exchanges that occur without the involvement of a VASP or other obliged entity. 

While the standards do not apply to transactions solely between self-hosted wallets, FATF highlighted the potential money laundering and terrorist financing (ML/TF) risks they pose. Moreover, FATF clarified that transactions involving self-hosted wallets can fall under the scope of the Travel Rule under certain circumstances.

VASPs: What to Expect When Transacting With Self-Hosted Wallets

VASPs face significant implementation challenges due to varying regulatory requirements across jurisdictions. 

• In regions such as the EU, UK, and Gibraltar, VASPs are required to collect information on their clients' self-hosted wallets. 
• In Singapore and Germany, VASPs must go a step further and verify the identity of the self-hosted wallet owner. 
• Liechtenstein mandates enhanced due diligence.
• Switzerland requires both identity verification and proof of ownership.

Many in the cryptocurrency community have expressed concerns about these measures. Since blockchain is inherently public, sharing personal information associated with a self-hosted wallet could potentially expose the entire transaction history of that client, going beyond what the Travel Rule requires from traditional financial institutions.

Despite these concerns, VASPs must integrate solutions and establish processes to comply with FATF’s recommendations. 

Below is an overview of what FATF expects from VASPs when interacting with self-hosted wallets:

‍

1. Obtain the Originator and Beneficiary Information from the VASP’s Customer (¶ 295)

When sending or receiving a virtual asset transfer to a self-hosted wallet, the originator and beneficiary information must be obtained from the VASP’s customer, as there is no other VASP from which to obtain the information. This requirement generally applies to transactions above USD 1,000/EUR, but this threshold might vary depending on how jurisdictions implement it.

To remain compliant, VASPs must collect all the necessary Travel Rule information, such as names, account numbers or wallet addresses, addresses or IDs, birth dates, and birthplaces, without compromising user experience. 

Blockchain analysis solutions like Chainalysis KYT enable VASPs to identify Travel Rule transactions, ensuring frictionless data collection automatically. In combination with solutions like Notabene, VASPs can gather the necessary data in a user-friendly way and automatically detect the jurisdictional requirements and thresholds applicable to each transaction.

‍

2. Enforce AML/CTF Obligations (¶ 295 & 296)

Travel Rule guidance applies only above certain thresholds, which vary depending on the jurisdiction. However, VASPs are required to perform Know Your Customer (KYC) checks and implement transaction monitoring, regardless of whether their customer’s transactions meet the Travel Rule requirements.

Tools like Notabene can assist compliance teams in efficiently implementing the data collection and verification process for the owner of a self-hosted wallet. Integrating a Travel Rule solution with an automated transaction monitoring tool allows VASPs to identify which transactions meet the Travel Rule threshold immediately. Additionally, these tools help compliance teams automatically detect if transactions are related to potential high-risk activities and take action when historical transactions become risky in light of new regulatory information through continuous monitoring.

Implementing the right solution enables compliance teams to adapt more efficiently to ongoing industry changes. If a solution flags a high number of false positives, analysts may have to allocate significant time to investigating non-critical alerts. Worse still, incorrect data could lead them to draw inaccurate conclusions.

‍

3. Implement Additional Risk Mitigation Measures (¶ 297)

Additional risk mitigation measures may be necessary when interacting with self-hosted wallets. FATF’s guidance considers transactions with self-hosted wallets potentially higher risk, providing VASPs with options to treat them accordingly. These measures can range from imposing additional limitations and controls to avoiding interactions with self-hosted wallets altogether.

FATF advises VASPs to observe patterns of conduct, evaluate local and regional risks, and review information and bulletins issued by regulators and law enforcement to form their own risk assessments. Although this recommendation is optional, it raises concerns about the potential impact on industry adoption, as self-hosted wallets are integral to the cryptocurrency ecosystem. They are commonly used for legitimate purposes, such as securely moving funds and holding long-term investments.

Blockchain analysis tools can equip VASPs with the necessary data regarding self-hosted wallets to conduct comprehensive risk assessments, mitigate risks, and support their decisions in front of regulators.

‍

‍Global Approaches to Self-Hosted Wallet Regulation

VASPs face numerous challenges due to differing requirements across jurisdictions. The FATF’s third targeted update on the global implementation of its standards revealed that around 70% of jurisdictions are still undecided on their approach to transactions between VASPs and self-hosted wallets. Among the jurisdictions that have made decisions, about 40% align with FATF recommendations, requiring VASPs to collect relevant beneficiary or originator information from their customers. Additionally, 25% of these jurisdictions have implemented mitigation measures or transaction limitations, such as identity verification of self-hosted wallet owners or enhanced due diligence procedures.

• In Liechtenstein, VASPs are not required to apply the Travel Rule to transactions with self-hosted wallets. However, they must enforce enhanced risk mitigation measures, such as using blockchain analytics to assess transaction risks, collecting documentation on the purpose of the transaction, and requiring customers to prove ownership of their self-hosted wallets when transacting with them.
• Japan closely aligns with FATF recommendations. VASPs in Japan are required to collect the necessary information from their customers regarding the owner of the self-hosted wallet involved in a transaction. However, there is no obligation to verify this information. This approach, requiring data collection without verification, is widely adopted and can also be seen in jurisdictions like Gibraltar and the European Union for transactions amounting to 1,000 EUR or less.
• The European Union follows a stringent approach when dealing with self-hosted wallets, as outlined in the revised Transfer of Funds Regulation. For transactions exceeding 1,000 EUR, European CASPs (Crypto Asset Service Providers) must verify the ownership of the self-hosted wallet, whether they are sending or receiving funds. This wallet ownership verification requirement aligns with FATF recommendations and is similarly applied in other jurisdictions like Hong Kong and Portugal.
• Switzerland has adopted one of the strictest approaches to self-hosted wallet transactions. Under Article 10 of FINMA’s guidelines, Swiss VASPs are required to identify and verify the identity of the self-hosted wallet owner, regardless of whether the transaction involves another VASP or a self-hosted wallet. This requirement ensures that VASPs can prevent problematic payments by ensuring all transactions meet stringent identity verification standards.

‍

What the data says about self-hosted wallets

In December 2020, when the Treasury’s 72-page NPRM for transactions with self-hosted wallets and certain foreign jurisdictions came out, Chainalysis analyzed the data on cryptocurrency transactions involving self-hosted wallets.

The data shows that the majority of the funds held in self-hosted wallets often come from VASPs, which are related to investing purposes or are used by individuals or organizations to move funds between regulated exchanges. It is important to mention that the 2021 data didn’t vary significantly in comparison to the 2020 analysis. There are still three trends related to the usage of self-hosted wallets.

1. The vast majority of the Bitcoin funds transferred to self-hosted wallets came from VASPs

During Q3 of 2021, almost 83% of the bitcoin sent from one self-hosted wallet to another originated from cryptocurrency exchanges, and only 2% came from illicit services. This means that in the vast majority of cases, law enforcement can investigate illicit activity related to self-hosted wallets by working with cryptocurrency exchanges, which are obligated entities, and obtaining KYC information from them through legal process.

2. The majority of bitcoin sent to non-VASPs are eventually sent to a VASP

Many transfers sent and received by self-hosted wallets have VASPs on the other side of the transaction. If cryptocurrency is being used for illicit purposes, criminals will eventually need to cash out their illicit proceeds. This means going through a cryptocurrency exchange (we can see this behavior reflected in our data). As long as they are in a country that regulates cryptocurrency exchanges – and this list is growing – exchanges will collect KYC information. Access to this information is vital to financial crime investigations.

During Q3 2021, the percentage of funds that were not sent to an exchange service decreased from 29% to 18% in comparison with Q2 2020. Meanwhile, the percentage of funds sent to exchanges increased from 62% to 71%. This means that crypto holders moved the funds they were holding inside self-hosted wallets to an exchange, maybe to take out some profits due to the crypto bull market we experienced this year.

‍

3. The transaction activity levels among self-hosted wallets highly suggest that their primary use is for investment

After funds are deposited to a self-hosted wallet from an exchange, the percentage of bitcoin moved to another self-hosted wallet in a given month is significantly low. The majority of the bitcoin stays in the original wallet for a long period of time. On average, the funds originated from a VASP to self-hosted wallets move only once a month, which likely indicates that the primary use case is investment.

Chainalysis’ robust blockchain dataset provides key insights into the role of self-hosted wallets in the cryptocurrency ecosystem. If the main purpose of these regulatory requirements is to decrease illicit transactions and avoid money laundering, targeting self-hosted wallets may not accomplish the intended objective.

Chainalysis's blockchain analysis data makes it clear that self-hosted wallets are not inherently risky and do not inhibit law enforcement’s ability to investigate the illicit use of cryptocurrency. Blockchain analytics can inform risk analysis and compliance programs so that compliance teams can mitigate risks responsibly and effectively.

What’s next?

Travel Rule guidelines have already been released by the regulators and VASPs have a deadline to build compliance programs to comply with it. We know this process can be overwhelming, but luckily, there are many available solutions to facilitate this process for VASPs, and there will likely be many more as the cryptocurrency industry continues to overlap with the traditional financial system.

Chainalysis and Notabene have created an integrated solution that helps VASPs save time and money while looking to meet the complete Travel Rule requirements and build their own risk assessment on self-hosted wallets.

Our integration covers a variety of compliance needs that can simplify the technical and operation integration process. Notabene’s end-to-end Travel Rule solution provides counterparty wallet identification tools, a VASP due-diligence directory, and a secure dashboard to help financial institutions manage counterparty risks without hindering user experience. In conjunction with Chainalysis, VASPs can immediately identify counterparties’ wallet types, get automatic transaction alerts on risky activity, and perform continuous monitoring, all in one place.

Choosing the right partners can save compliance teams time, resources, and protect the company from additional regulatory scrutiny or even fines.

Contact the Chainalysis and Notabene teams for more information.

The Travel Rule requires Virtual Asset Service Providers (VASPs) to identify and conduct due diligence on their counterparty VASP or financial institution. However, national Travel Rule frameworks tend to be silent or vague on this topic.

Conducting VASP due diligence generally involves obtaining information about the counterparty VASP’s registration/licensing status, its ability to securely hold Travel Rule information, whether it is tied to illicit actors or sanctioned persons, and its level of anti-money-laundering, counter-terrorism financing (AML/CTF) compliance. The aim of performing this due diligence is to ensure that VASPs avoid dealing with illicit or sanctioned actors and to gain assurance that a counterparty VASP can comply with the Travel Rule and protect the confidentiality of shared information.

‍

Counterparty VASP Due Diligence Challenges Faced by VASPs

VASPs face three main challenges in implementing due diligence processes:

1. Difficulty Accessing Information

Beyond identifying counterparties, VASPs struggle to make risk-based decisions due to the scarcity of publicly available information. Verifying whether a counterparty VASP is licensed or registered is particularly hard given the limited number of public registers. Furthermore, assessing a VASP’s adherence to AML/CTF standards is challenging without directly engaging each potential counterparty, which becomes impractical at scale.

2. Lack of Standardization

Currently, there is no uniform standard for conducting VASP due diligence. Additionally, national frameworks for the Travel Rule often lack clear criteria for due diligence.

3. Operational Costs

Conducting VASP due diligence requires resources, which involve either purchasing the relevant compliance tools (to the extent they are available) and/or allocating personnel to perform these due diligence assessments.

‍

The FATF acknowledged these challenges in its June 2023 Targeted Update, reporting that VASPs struggle to effectively conduct due diligence on counterparty VASPs ^[1]. This difficulty is further exacerbated by the existence of unregulated and unlicensed VASPs, making it even more challenging to gather information to assess these entities’ possible connections to illicit activities or sanctioned individuals, as well as their compliance with AML/CTF standards. Notabene’s industry survey supports these observations. Despite the significant drop in prominence since last year, a notable percentage of respondents (29%) continues to send Travel Rule information transfers to all VASPs, regardless of any due diligence assessment. Additionally, counterparty due diligence ranks as the least adopted compliance check among respondents, only ahead of the options “None” and “Other” (see Chapter 3, Section 8 of Notabene’s 2024 State of Crypto Travel Rule Compliance Report).

Approaches to VASP Due Diligence Challenges

FATF

The FATF can do little to solve the operational challenges associated with a VASP’s due diligence process apart from sharing recommendations on how a jurisdiction should implement VASP due diligence requirements. As such, the FATF does the following:

• Makes a clear distinction between the due diligence process required for establishing a correspondent relationship and the process required for Travel Rule purposes ^[2].
• Strongly encourages jurisdictions to maintain and publicize information on VASPs that are registered or licensed in their jurisdiction, to give VASPs access to information needed to perform counterparty due diligence in line with Recommendations 16 and 13 ^[3].
• Clarifies that VASPs need to independently perform due diligence ^[4] — a contentious point that has hindered Travel Rule interoperability efforts. Operators of Travel Rule protocols may resist interoperability to maintain control over the network. However, the FATF emphasizes that VASPs must still independently assess counterparty risk, highlighting that being part of closed Travel Rule networks does not eliminate a VASP’s need to verify information and meet domestic obligations.
• Suggests that the Wolfsberg Correspondent Banking Due Diligence Questionnaire be used as a starting point for the VA industry to develop its own risk-based best practices ^[5].

Regulators

It is not desirable that national regulators specify prescriptive criteria for conducting VASP due diligence, yet it is necessary that regulators understand the current challenges associated with evaluating counterparty VASPs and thus provide VASPs with practical guidance. In 2023, Hong Kong’s SFC offered valuable granularity in their detailed guidance on counterparty due diligence measures ^[6], identifying several criteria that VASPs should consider to determine whether a counterparty is eligible, such as the quality and effectiveness of regulations and supervision, the Travel Rule status in their jurisdiction, and the existent AML/CTF and data protection controls.

‍
National legislators and regulators should also strive to adhere to FATF guidelines on this topic to facilitate the emergence of a global standard for VASP due diligence. However, the European Transfer of Funds Regulation deviates from FATF guidelines by labeling the relationships between domestic CASPs and foreign VASPs as correspondent relationships due to their “ongoing and repetitive” nature. This divergence raises concerns about proportionality and scalability.
‍

Regulators may also consider incorporating exceptions for carrying out due diligence when appropriate, such as in the context of transactions between domestic VASPs that are both supervised by the same authority, or prescribing scenarios where simplified due diligence measures are permissible.

Joint Industry Initiatives

Finding solutions to some of the challenges associated with VASP due diligence can be championed by joint industry initiatives. In fact, there is already work underway to address this.
‍

In 2023, the Global Digital Finance (GDF) members association published the GDF Virtual Asset Due Diligence Questionnaire ^[7]. The questionnaire was designed to provide an overview of a VASP’s AML policies and practices, and it is suggested that VASPs use it to onboard counterparty VASPs or that financial institutions use it to onboard VASPs.

Travel Rule Solutions

Travel Rule solutions and other service providers can offer tools to assist VASPs in operationalizing and scaling due diligence efforts.

‍
Notabene customers can easily access and monitor their counterparties within the Notabene Network. By integrating with VASPNet and Global Legal Entity Identifier Foundation (GLEIF), Notabene provides real-time, verified data about counterparty VASPs’ regulatory statuses and incorporation information. Furthermore, VASPs can also request, review, and share an adapted version of GDF’s questionnaire between selected parties in a secure and encrypted manner.

‍

{{cta-learnmore10="/cta-components"}}

‍

VASPs

VASPs are encouraged to engage in global and local industry initiatives focused on VASP due diligence. Considering the significant impact of VASP due diligence on Travel Rule compliance, it is important that VASPs keep this in mind when selecting a Travel Rule solution to partner with.

Additionally, VASPs should cooperate with their counterparty’s due diligence efforts by providing any requested information. Ideally, VASPs should make their information available to as wide a network of trustworthy counterparties as possible. This would enable other VASPs to conduct due diligence more efficiently.

Notabene’s 2024 Status Check

In 2023, there was significant progress in clarifying and operationalizing counterparty due diligence obligations. The FATF clarified that this due diligence must be carried out independently, which helped the industry to advance with a unified understanding of these obligations. The publication of GDF’s questionnaire was a substantial contribution toward standardizing VASP due diligence. As detailed in Chapter 3, Section 8, our survey results indicate a substantial shift: the proportion of VASPs sending Travel Rule transfers to all counterparts without specific criteria dropped from 52% in 2023 to 29% in 2024. This change highlights a growing commitment to counterparty due diligence obligations.

‍

{{report2="/cta-components"}}

The European Union's Transfer of Funds Regulation (TFR) and the associated Travel Rule Guidelines from the European Banking Authority (EBA) are set to significantly impact how Crypto Asset Service Providers (CASPs) handle crypto-asset transactions. As these regulations come into effect, it is crucial for CASPs to understand the key requirements and prepare for compliance. 

This blog highlights the top 10 things European CASPs need to know about the upcoming Travel Rule compliance enforcement.

1. Comprehensive Data Collection Requirements

Under Article 14, paragraphs 1 and 2 of the TFR, CASPs must ensure that all transfers include specific details about the originator and beneficiary.

This includes:

Natural persons

Legal persons

This comprehensive data collection ensures that all parties in a transaction can be unambiguously identified.

2. Robust Monitoring Systems

Beneficiary CASPs must implement robust monitoring systems to detect and manage non-compliant transactions. These systems should be capable of identifying missing, incomplete, or meaningless information and should align with the risk levels associated with money laundering and terrorist financing. ^[1]

{{european2="/cta-components"}}

3. Handling Non-Compliant Transactions

When a transaction lacks the required information, CASPs have four options: execute, reject, return, or suspend the transfer. The appropriate action depends on the specific circumstances and the risk assessment results. ^[2]

4. Managing Non-Compliant Counterparties

Repeated non-compliance by counterparties requires CASPs to reassess their relationships. This includes applying stricter monitoring and verification measures, potentially terminating business relationships, and reporting non-compliant counterparties to the relevant authorities. ^[3]

5. Verifying Self-Hosted Wallet Transactions

For transactions involving self-hosted wallets, the requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. ^[4]

6. Understanding Different Self-Hosted Wallet Transaction Scenarios 

The TFR categorizes self-hosted wallet obligations based on the transaction amount and whether the wallet owner is a customer of the CASP. These scenarios include transactions of 1,000 euros or less, transactions over 1,000 euros where the wallet owner is a CASP customer, and transactions over 1,000 euros where the wallet owner is not a CASP customer.

‍

7. Implementing Appropriate Risk Mitigation Measures on Self-Hosted Wallet Transactions

CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks. These measures may include verifying the identity of the transfer's originator or beneficiary, requesting additional information, and conducting enhanced ongoing monitoring of transactions. ^[5]

8. Ensuring Compliance with General Obligations

CASPs must ensure compliance with several general obligations, such as:

• Information transmission infrastructure: Must be fully capable of transmitting information without technical limitations. A transitional period until July 31, 2025, allows for exceptions with compensatory policies in place. ^[6]
• Compliance timing: Information must be transmitted immediately and securely, before or at the same time the crypto-asset transfer is completed. ^[7]
• Joint accounts: Transfers from joint accounts, addresses, or wallets must include information about all holders. ^[8]‍
• Information submission changes: Initial information submissions cannot be changed unless requested by the beneficiary CASP or if an error is identified. Subsequent CASPs must be informed and required to detect any missing or incomplete information. ^[9]

9. Evaluating Payment and Messaging Systems (Travel Rule solutions)

Payment and messaging system requirements: CASPs must evaluate selected messaging or payment protocols based on the following aspects:

• Communication with internal core systems and counterparty messaging or payment systems.
• Compatibility with other blockchain networks.
• Reachability, including the ability to reach counterparties and the success rate of transfers.
• Detection of transfers with missing or incomplete information.
• Data integration, security, and reliability. ^[10]

10. Preparing for the Future

By July 1, 2026, the European Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions. ^[11]

‍

{{european1="/cta-components"}}

‍

The upcoming Travel Rule compliance regulation imposes comprehensive requirements on CASPs to ensure the integrity of crypto-asset transactions. By understanding and adhering to these requirements, CASPs can effectively manage transaction information, monitor compliance, handle non-compliant transactions, and manage relationships with non-compliant counterparties. This regulatory framework not only helps in mitigating risks associated with money laundering and terrorist financing but also fosters a more secure and transparent crypto-asset ecosystem in the European Union.

‍

Want to learn more? Read our blogs on beneficiary VASPs' transaction requirements under the TFR and the upcoming self-hosted wallet requirements.

The European Union's Transfer of Funds Regulation (TFR) enforces the Crypto Travel Rule to combat money laundering and terrorist financing. This rule, initially mandated by the U.S. Financial Crimes Enforcement Network (FinCEN), was extended in June 2019 by the Financial Action Task Force (FATF) to include virtual assets (VAs) and Virtual Asset Service Providers (VASPs). The Travel Rule requires VASPs to securely obtain, hold, and transmit originator and beneficiary information during VA transfers.

This article provides an overview of the crypto Travel Rule in the European Union, pulling from the Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s draft Travel Rule Guidelines.
‍

{{cta-learnmore1="/cta-components"}}

‍

Regulatory Milestones in the EU

The EU has been proactive in aligning its regulations with FATF’s recommendations:

• FATF Guidance (2019): The FATF issued its first guidance on a risk-based approach to virtual assets and VASPs, marking a significant expansion of AML/CTF measures.
• EU Regulation (2015/847): This regulation was adopted to apply FATF’s requirements uniformly across member states, ensuring fund transfers include payer and payee information.
• TFR Recast (2023): The TFR was extended to include crypto transfers, setting uniform Travel Rule requirements across all 27 EU member states.
• Travel Rule Comes into Force (2024): The European Banking Authority (EBA) will publish final Travel Rule guidelines in June 2024, and crypto Travel Rule obligations will become enforceable on December 30, 2024.

Information Transmission Requirements

The TFR mandates uniform obligations for crypto transfers, regardless of the transaction amount or whether they are cross-border. CASPs must include specific details about the originator and beneficiary in all transfers.

Required Information for Crypto Transfers

‍

Natural Persons

Legal Persons‍

* Note: Regarding the date and place of birth, the EBA does not clarify what would be required instead if the originator is a legal person. In some jurisdictions, VASPs are required to provide a date and place of incorporation, but the EU requirement is unclear. 

‍

{{cta-learnmore1="/cta-components"}}

‍

General Obligations for Information Transmission

CASPs must ensure their information transmission infrastructure is fully capable of compliance without technical limitations. The information should be transmitted immediately and securely before or at the same time as the crypto-asset transfer is completed. For joint accounts, transfers must include information about all account holders. Selected messaging protocols must enable seamless and interoperable transmission of information.

Travel Rule Obligations in Deposits

Beneficiary CASPs also have responsibilities upon receiving a transaction. They must implement robust policies and procedures to detect incoming transactions lacking necessary information and handle such transactions appropriately. If a transaction lacks the required information, beneficiary CASPs can choose to execute, reject, return, or suspend the transfer based on a risk-based approach.

Managing Non-Compliant Counterparties

When deposits lack Travel Rule data, CASPs must reassess their relationships with non-compliant counterparties. If a counterparty repeatedly fails to meet obligations, CASPs should consider enhanced due diligence measures, potentially terminating the business relationship, and reporting the non-compliance to competent authorities.

‍

Self-Hosted Wallet Transactions

Transactions between CASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16. The regulatory requirements vary depending on the transaction amount and whether the wallet owner is a CASP customer or a third party.

Transactions of 1,000 Euros or Less 

For transactions involving self-hosted wallets of 1,000 euros or less, CASPs must obtain and hold information about the parties to the transaction. This information should be cross-matched using suitable methods, such as blockchain analytics and third-party data providers, to verify the originator's or beneficiary's identity.

Transactions Over 1,000 Euros Where the Wallet Owner is a CASP Customer 

For transactions exceeding 1,000 Euros, CASPs must verify whether the customer owns or controls the wallet. The EBA’s Travel Rule guidelines specify that CASPs must use at least two methods for this verification. Methods include advanced analytical tools, sending a predefined amount from the wallet to the CASP’s account, and signing a specific message in the account and wallet software.

Transactions Over 1,000 Euros Where the Wallet Owner is Not a CASP Customer 

While the TFR is silent on the obligations for transactions involving third-party wallets, the Travel Rule Guidelines provide a framework. CASPs must verify wallet ownership/control and apply risk mitigation measures proportional to the identified risks, such as verifying the originator's or beneficiary's identity and requesting additional information about the transfer.

‍

{{cta-learnmore1="/cta-components"}}

‍

The EU’s implementation of the Travel Rule through the TFR sets a comprehensive regulatory framework for CASPs, ensuring that crypto asset transfers are transparent and secure. By adhering to these requirements, CASPs can help mitigate the risks of money laundering and terrorist financing, fostering a safer and more trustworthy environment for digital asset transactions. As the regulatory landscape evolves, staying informed and compliant with these obligations will be crucial for CASPs operating within the EU.

The European Union’s Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines, updated with the EBA’s final Travel Rule guidelines published on July 4, set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges to regulatory compliance. This article summarizes the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures.

‍

Highlights of What Changed in the EBA’s Final Travel Rule Guidelines

1. More Flexibility in the Scope of Required Originator Information:

The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers.

2. Eased Requirements for SHW Transfers Below €1,000:

The final version of the Travel Rule guidelines removes verification requirements. Only information collection obligations apply, eliminating the need for technical means like blockchain analytics to cross-match collected data in order to identify and verify the originator or beneficiary.

3. Simplified Verification for 1st-Party SHW Transfers ≥ €1,000:

The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control.

4. Clarification for 3rd-Party SHW Transfers Above €1,000:

The Travel Rule Guidelines now clarify the requirements, specifying that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements from Article 19a of Directive (EU) 2015/849 apply. Additionally, the originator/beneficiary identity verification required therein is deemed to be fulfilled by collecting additional information from other sources (e.g., blockchain analytics, third-party data, or recognized authorities’ data) or using other suitable means to ensure the originator/beneficiary’s identity is known.

‍

{{european1="/cta-components"}}

‍

Overview of Applicable Obligations

The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:

• Transactions of 1,000 euros or less.
• Transactions over 1,000 euros where the wallet owner is a CASP customer.
• Transactions over 1,000 euros where the wallet owner is not a CASP customer.

Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.

‍

A. Transactions of 1,000 Euros or Less

For transactions of 1,000 euros or less involving self-hosted wallets, the TFR mandates that CASPs collect and hold specific information about the parties involved. As outlined in Articles 14/5 and 16/2 of the TFR, transactions involving self-hosted wallets of 1,000 euros or less require CASPs to obtain and hold information about the parties to the transaction. The scope of information that CASPs are required to collect mirrors that which is mandated for CASP-to-CASP transactions.

The Travel Rule Guidelines clarify in paragraph 80 that this information must be sourced from the CASP’s customer. This includes:

• Full name of the originator and beneficiary

• Distributed ledger address

• Account number

The final EBA Travel Rule Guidelines removed the requirement for CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. Now, CASPs are mandated to collect and retain specific pieces of information from their customers. ^[1]

‍

B. Transactions Exceeding 1,000 Euros Where the Wallet Owner is a Customer of the CASP

For self-hosted wallet transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether their customer owns or controls the self-hosted wallet. ^[2] The originator CASP is tasked with evaluating whether the wallet is owned or controlled by the originator, while the beneficiary CASP must determine whether the wallet is owned or controlled by the beneficiary. ^[3]

The Travel Rule Guidelines set a non-exhaustive list of verification methods available to CASPs and mandate the use of at least one method for wallet ownership/control verification, such as:

• Advanced analytical tools
• Unattended verifications (e.g., displaying the address)
• Attended verifications (e.g., live customer interaction)
• Sending a predefined amount from the wallet to the CASP
• Signing a specific message in the account and wallet software
• Other suitable technical means, as long as they allow for reliable and secure assessment. ^[4]

Where one method on its own is not sufficiently reliable to reasonably ascertain the ownership or control of a self-hosted address, the CASP should use a combination of methods. ^[5]

‍

C. Transactions Exceeding 1,000 Euros Where the Wallet Owner is Not a CASP Customer

The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines include a framework governing these transactions. According to the guidelines, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849—verification of the originator or beneficiary’s identity—are considered fulfilled if the CASP:

• Collects additional information from other sources to verify the submitted information (e.g., from blockchain analytics, third-party data, or recognized authorities’ data)
• Uses other suitable means as long as it is fully satisfied that it knows the originator’s or beneficiary’s identity. ^[6]

‍

Verification and Risk Assessment

CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information.

‍

General Obligations for Self-Hosted Wallet Transactions

In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:

1. Self-Hosted Wallet Identification

Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer. ^[7]

2. Threshold Calculation

Compute the transaction amount based on the exchange rate prevailing at the time of the transfer. ^[8]

3. Risk Assessment

Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures. ^[9]

‍

Additional Context and Considerations

‍

FATF’s Recommendation 16

Transactions between VASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions.

Regulatory Expectations and Trends

Although regulatory expectations vary significantly across regions, the requirement for VASPs to verify their customer’s or a third party’s control over the wallet address involved in transactions is gaining traction. The TFR’s requirements reinforce this trend, as further detailed in the sections above.

Future Assessments

By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions.

The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.

‍

{{european2="/cta-components"}}

‍

The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. 

Interested in learning more? Check out our blog on what the TFR says beneficiary VASPs should do when it comes to incoming transactions and the top 10 insights European CASPs need to know about their upcoming Travel Rule compliance framework.

With the European Union’s Transfer of Funds Regulation (TFR) taking effect on December 30, 2024, virtually all Crypto/Virtual Asset Service Providers (CASPs/VASPs) transacting with European customers must ensure compliance or face operational halts. Reachability and responsiveness are crucial for regulated VASPs, as non-responsiveness will prevent future transactions. We’re now at a critical juncture, as this regulation marks the end of the sunrise period and shifts the focus from protocol interoperability to compliant counterparty responsiveness.

At Notabene, we’re thrilled to announce a major milestone in our mission to integrate crypto transactions into the everyday economy. Our latest innovation, SafeTransact for Networks, aims to enhance counterparty responsiveness and bring Travel Rule compliance to existing ecosystems where transactions are already occurring today.

Notabene is uniquely positioned to deliver on this vision, as our extensive network already spans 27 countries, enabling us to process $71 billion worth of transactions in May 2024 alone. With 143 companies actively transacting daily, our clients have successfully integrated with us, setting up robust compliance processes and collaborating effectively with regulators.

Shifting Focus: From Interoperability to Reachability

It is widely understood that the fragmented nature of Travel Rule protocols has impeded widespread adoption. Initially, the industry thought solving protocol interoperability would boost Travel Rule adoption rates. This hypothesis seemed reasonable enough at the time, but it became evident that building a new network from scratch was very difficult. With many protocols with restricted access, low activity, or too few users, VASPs constantly struggle to reach all of their counterparties and achieve full compliance. We have since learned from experience in real-world applications from customers and regulators that the value of protocol interoperability is only as strong as the user adoption that protocols are able to achieve. 

Despite the impressive logos associated with various initiatives, we recognized that many of the biggest names in Travel Rule protocols had little to no activity occurring. To solve this, we shifted our focus from interoperability to reachability. This meant rethinking our approach entirely and not falling into the same trap of inventing yet another competing protocol, but instead solving our customers' core business needs – reaching and receiving responses from transaction counterparties.

Introducing SafeTransact for Networks

‍

‍

Instead of creating a new Travel Rule messaging network from scratch, SafeTransact for Networks integrates a compliance layer into existing networks, where millions of transactions already occur daily. This allows institutional custodians, settlement networks, multi-party computation (MPC) wallets, service providers, and stablecoin issuer ecosystems to seamlessly offer Travel Rule compliance. Networks can now integrate SafeTransact and offer Travel Compliance on top of their transactions. Members can perform checks and screen transactions to make automated authorization decisions without pure technical integration. SafeTransact for Networks helps businesses become compliant faster and seamlessly transact within the ecosystem.

Addressing Activation with SafeTransact for Networks

SafeTransact for Networks directly tackles the reachability challenge by bringing Travel Rule compliance where crypto businesses already transact with their counterparties today. To make SafeTransact for Networks work and reflect real-world transactions, we expanded the rigid Travel Rule, Alice-to-Bob flow, to transaction intermediaries, like custodians. We introduced flexibility and modularity into SafeTransact's transaction flow, which allows you to add as many transaction participants as real-world use cases require. 

Our solution uniquely operates at scale, managing Personally Identifiable Information (PII) in a compliant, risk-based manner, where only authorized businesses receive PII information. SafeTransact remains the only Travel Rule solution that offers this capability.

How it Works

Here’s a clear example of one multi-party transaction:

1. Initiating the Transaction

• Alice, a customer of BerlinEx, initiates a Bitcoin transfer to Bob.
• BerlinEx initiates the transaction by calling their wallet provider, SIGTrust, registered on the Seychelles.
• SIGTrust, being a network partner at SafeTransact, acts as the initiator for the Transaction authorization flow between the participants.

2. Chain of Intermediaries

• SIGTrust initiates the transfer in SafeTransact for Networks.
• Through our discovery methods, SIGTrust identifies that the recipient’s address belongs to TexEx. A first transfer initiation message is exchanged.
• TexEX responds and adds CryptoTrust, their custodian, to the transaction chain.

Once TexEx responds with adding their Custodian CryptoTrust:

‍

3. Transparency and Policy Implementation

• All parties involved recognize that this is a four-party transfer.
• TexEx establishes policies that require a Travel Rule exchange and flags the Seychelles jurisdiction from SIGTrust.
• The transfer appears in TexEx’s platform, listing all participants and their respective roles.

4. Compliance and Authorization

• The compliance team reviews and authorizes the transfer.
• Responses are sent to all participants to ensure everyone is informed.
• A request for a Travel Rule transfer is sent to the Originators about the Originator.

5. Completion and Notification

• All participants send and receive notifications detailing their roles and authorization policies in the transaction.
• Personally Identifiable Information (PII) is shared only with parties that require it.
• Once policies are fulfilled and the transfer is authorized, the transfer is completed and settled on-chain.

6. Policy Setup and Management

• BerlinEx has the option to apply for a profile with Notabene.
• This profile allows them to set up specific policies, including the ability to authorize or reject future transfers.
• The moment they onboard, they see all the historic transfers that they initiated via SIGTrust.

‍

SafeTransact for Networks ensures that even complex multi-party transactions are handled smoothly and securely, with careful management of PII and compliance with all necessary regulations.

Why Choose SafeTransact for Networks?

• Network Providers (e.g. institutional custodians, settlement networks, MPC wallet providers) deliver incremental value to their customers by offering network members a layer of compliance on top of their existing service. 
• Network members (e.g. exchanges, banks, lending desks) quickly and easily achieve Travel Rule compliance without the need for additional development resources by joining the SafeTransact ecosystem. 
• The Entire Ecosystem benefits from the network effects of expanding compliance reachability from individual networks across all integrated networks. This interconnected approach ensures that businesses can transact safely and compliantly within their existing ecosystems without needing to adjust to new frameworks.
  
  

Bringing the Power of SafeTransact to Established Networks

• Comprehensive Travel Rule Compliance: SafeTransact is designed to meet the stringent requirements of the Travel Rule and other regulatory frameworks. By facilitating the exchange of travel rule information and automating compliance processes, SafeTransact helps businesses stay ahead of regulatory demands. This is particularly important as more jurisdictions globally implement these compliance requirements.
• Pre-Transaction Authorization: SafeTransact enables businesses to make informed authorization decisions before a transaction is completed. This feature allows for instantaneous approvals, flags transactions for review, or rejects them based on predefined criteria. By identifying and screening all counterparties, SafeTransact performs thorough due diligence and risk assessments, ensuring that only legitimate transactions are processed.
• Real-Time Decision Making: One of SafeTransact’s standout features is its ability to make authorization decisions in real-time. This capability is crucial for businesses that need to operate at the speed of digital transactions without compromising security. With SafeTransact, businesses can automate their transaction flows and analyze insights, making the entire process seamless and efficient.

We’re excited to present SafeTransact for Networks as an innovative way of increasing Travel Rule adoption globally by meeting crypto businesses where they transact with their counterparties today. We allow existing networks, like institutional custodians and MPC wallet providers, to offer their customers a layer of compliance on top of their ecosystems. All of this is possible with Notabene’s new transaction flow expanding to intermediary and more complex, real-world use cases.

We believe that reachability, activation, and responsiveness are the most pressing issues facing our industry, which is why we are doubling down on expanding the Notabene Network to give our customers truly global reach. We understand that our industry cannot thrive with a one-size-fits-all approach to regulatory compliance, so we have invested in tools like our new PolicyEngine to enable customers to easily manage their unique workflows.

We are approaching a global tipping point for Travel Rule compliance, driven largely by the December 30 implementation deadline for the EU. We are here to help you prepare for that deadline in any way possible. Whether you are a customer participating in our Travel Rule certification programs or seeking a trusted resource for industry updates and education, please consider us a valuable resource. Our team are experts on these issues and is here to assist you with any questions you might have.

‍

To learn more about how SafeTransact can benefit your business and ensure compliance, contact our team for a custom demo.

The European Union's Transfer of Funds Regulation (TFR) and the European Banking Authority’s final Travel Rule Guidelines impose stringent requirements on Crypto Asset Service Providers (CASPs) to ensure transparency and security in crypto-asset transactions. Beneficiary CASPs, in particular, have critical responsibilities in managing incoming transactions despite their limited control over deposit flows compared to originating CASPs.

Beneficiary CASPs cannot proactively block incoming deposits and rely on the compliance of the originator CASP to meet obligations. Therefore, it is crucial to evaluate strategies for handling non-compliant deposits. This article focuses on the specific requirements for beneficiary CASPs and strategies for managing transactions that fail to meet compliance standards.

Required Information for Transactions

Under Article 16/1 of the TFR, beneficiary CASPs are obligated to receive specific information about both the originator and the beneficiary of each transaction. Articles 14(1) and 16(1) of the TFR specify the required information, including:

• Full name of the originator and beneficiary
• Distributed ledger address and account number
• Address and official personal document number of the originator
• Additional optional information, such as customer identification number or date and place of birth, to ensure unambiguous identification.

Monitoring Systems for Detecting Non-Compliance

The TFR mandates that beneficiary CASPs implement robust monitoring systems to detect non-compliant transactions. According to the Travel Rule Guidelines, these systems should include:

1. Methods for detecting missing, incomplete, or meaningless information.
2. Pre- and post-monitoring practices aligned with money laundering and terrorist financing (ML/TF) risk levels.
3. Criteria for recognizing risk-increasing factors. ^[1]

Managing Non-Compliant Transactions

Beneficiary CASPs must follow specific procedures to detect a transaction lacking the required information. Article 17 of the TFR outlines four possible actions:

1. Execute: The CASP can proceed with the transaction if the risk assessment allows it.
2. Reject: The transaction can be rejected if it does not meet compliance standards.
3. Return: The funds can be returned to the originator if the necessary information is not provided.
4. Suspend: The transaction can be temporarily suspended while additional information is requested.

The Travel Rule Guidelines provide more granularity on how CASPs should define the appropriate follow-up action:

• Beneficiary CASPs can request missing information from the originator CASP rather than immediately rejecting or returning the transfer. ^[2] 
• If the information is not provided within a specified timeframe (three working days for EU transfers and up to seven days for others), the CASP must decide whether to proceed based on a risk assessment. ^[3] 
• If the rejection is technically impossible (e.g., the crypto-assets have already been received), the transfer should be returned to the originator. ^[4]
• If returning the transfer to the original address is not possible, CASPs should hold the returned assets in a secure, segregated account while communicating with the originator CASP to arrange the proper return of the crypto-assets. ^[4]

‍

Managing Non-Compliant Counterparties

When beneficiary CASPs identify deposits missing Travel Rule data, it not only disrupts the transaction but also strains relationships with non-compliant counterparties. Here’s how CASPs should manage these situations according to Article 17/2 of the TFR:

1. Reassess the Relationship: Evaluate if the counterparty repeatedly fails to provide the required information.
2. Report Non-Compliance: Notify competent authorities about the non-compliance.

Assessment Criteria

To determine the appropriate course of action, CASPs must assess whether the counterparty has repeatedly failed to meet their obligations. The assessment involves both quantitative and qualitative criteria:

• Quantitative: Frequency of incomplete transfers and unanswered follow-up requests. ^[5]
• Qualitative: Counterparty cooperation, agreements for extended time, and reasons for missing data. ^[6]

Steps for Repeated Non-Compliance

1. Issue Warnings: Inform the counterparty of potential consequences and set deadlines for compliance.
2. Enhanced Due Diligence: Apply stricter measures to manage risk.
3. Terminate Relationship: If necessary, end the business relationship or reject future transfers.
4. Report Repeatedly Non-compliant CASPs: CASPs must report non-compliant counterparties within three months of identifying non-compliance and include details of the non-compliant counterparty CASP, nature and frequency of breaches, justifications provided, and actions taken. ^[7] 

‍

General Obligations

Finally, the Travel Rule Guidelines offer a concise overview of supplementary requirements that CASPs should consider when dealing with deposits. 

‍

Pre vs. Post Transaction Monitoring

CASPs are responsible for establishing policies and procedures to determine which transfers require monitoring before or during the transfer process. This decision should consider any factors that may increase risk, as specified in the “EBA’s Guidelines on Money Laundering/Terrorist Financing (ML/TF) Risk Factors.” ^[8]

Meaningless and Inconsistent Information

CASPs should treat information as missing if essential fields are left empty or if the provided information is deemed meaningless or inconsistent. For example, random strings of letters should be considered meaningless information. ^[9]

Communication Systems

When contacting the counterparty for clarification, CASPs should use the same messaging system utilized to transmit the initial information. ^[10]

Self-Hosted Wallet Deposits

For deposits from self-hosted wallets, any requests for clarification should be directed straight to the customer. ^[11]

Interested in learning more? Check out our articles on Self-Hosted Wallet Transaction Requirements Under the EU TFR and Top 10 Insights European CASPs Need to Know About the Upcoming Travel Rule Compliance Regulation.

On July 9, 2024, the Financial Action Task Force (FATF) released its fifth targeted review of the implementation of FATF Standards on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). This review provides an overview of the progress made by countries and the industry, as well as ongoing implementation gaps and concerns.

While the report covers a range of topics, we will focus here on the implementation of the Travel Rule. As a reminder, the Travel Rule requires VASPs and financial institutions to obtain, hold, and transmit specific originator and beneficiary information immediately and securely when transferring virtual assets. 

Let's dive in to the main takeaways from the report.

‍

More jurisdictions are passing Travel Rule legislation 

85% of jurisdictions have passed or are in the process of passing Travel Rule legislation, compared to 69% last year

‍‍Jurisdictions have made progress on implementing the Travel Rule. In fact, 70% of respondents (65 of 94 jurisdictions, excluding those that prohibit or plan to prohibit VASPs explicitly) have passed legislation implementing the Travel Rule.

The methodology used by FATF and the Global Network consists of 205 jurisdictions in total. However, 147 jurisdictions responded to the 2024 survey (35 FATF members and 112 FSRB members). It is worth noting that 58 jurisdictions did not respond to the survey. The report infers that these 58 have not made progress on R.15, including the Travel Rule implementation. Responses were self-reported and not verified.

‍

FATF is urging jurisdictions to make immediate progress to enact and enforce legislation implementing the Travel Rule

Despite the legislation, enforcement remains weak. Of the 65 jurisdictions that have passed legislation implementing the Travel Rule, only 17 have issued findings, directives, or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance. ^[2]

The targeted update clarifies that a lack of interoperability and the Travel Rule tool’s deficiencies in comprehensive coverage are not excuses for not being compliant. FATF urges jurisdictions to make immediate progress in enacting and enforcing legislation implementing the Travel Rule. Specifically, the report shares the example that,‍

One jurisdiction shared that although regulated VASPs suffer from the lack of interoperability among Travel Rule compliance tools, non-compliant VASPs would still be penalised for their compliance shortcomings. [Paragraph 65]

Another jurisdiction reported imposing regulatory orders on a VASP for non-compliance related to Travel Rule tool deficiencies such as incomprehensive coverage of VAs or delayed data submission. [Paragraph 24]

In short, the FATF is urging jurisdictions to make immediate progress to enact and enforce legislation implementing the Travel Rule.

‍

FATF highlights specific public and private sector challenges in Travel Rule implementation

Both jurisdictions and VASPs continue to face a range of challenges in implementing the Travel Rule, as highlighted below:

Inconsistent implementation and lack of enforcement

VASPs use Travel Rule obligations to mitigate illicit finance risks. However, inconsistent implementation and lack of enforcement have not sufficiently motivated the private sector to enhance compliance.

Interoperability Issues

Although progress has been made, challenges persist due to architectural differences and data protection requirements. VASPs integrating multiple compliance tools face technical, operational, and financial burdens.

Discreet, rather than interconnected, Travel Rule tools with closed lists of participants (aka closed networks)  may also complicate the identification of counterparty VASPs and could result in the misidentification of a counterparty VASP as an unhosted wallet simply because the counterparty did not use the same Travel Rule compliance tool as the beneficiary. The FATF urges the private sector to progress towards increasing compatibility amongst Travel Rule compliance tools, whether through technological advancements that allow interoperability between tools, or by developing relationships that permit transactions to be made through a chain of interoperable tools or other methods. [Paragraph41]

Notabene’s SafeGateway facilitates VASP-to-VASP interactions across various protocols. 

Complex transactions

The industry reported widespread use of the interVASP Messaging Standards (IVMS) for Travel Rule information, akin to ISO20022 for the VA sector. They see potential in further developing standards to enhance message transitions, such as handling transaction rejections and follow-up queries. The increasing sophistication of VA transfers involving professional traders and over-the-counter brokers indicates that some Travel Rule compliance tools may not suit broader transaction types.

To address this, Notabene launched SafeTransact for Networks, which ensures the smooth handling of complex multi-party transactions, careful management of PII, and regulatory compliance.

Sunrise Issue

The report highlights ongoing challenges with the Sunrise issue, where jurisdictions implement the Travel Rule at different times.

• Phased Implementation and Grace Periods: Among the 80 jurisdictions implementing or planning to implement the Travel Rule, many are adopting a phased approach or granting grace periods with exemptions or flexible compliance expectations for VASPs.
• Interaction Restrictions: Most jurisdictions restrict domestic VASPs from interacting with foreign counterparts that lack Travel Rule legislation to mitigate associated risks.
• Risk Mitigation Measures: Specifically, of the 65 jurisdictions that have passed legislation enacting the Travel Rule, about half have measures in place to ensure domestic VASPs are only transacting with regulated and/or Travel Rule-complaint counterparts or are otherwise mitigating the risks.

‍

Despite the challenges mentioned above, FATF calls on all jurisdictions to rapidly enact and enforce the Travel Rule.

‍

VASP should perform counterparty due diligence, even when Travel Rule obligations differ

In order to transmit the required Travel Rule information, VASPs identify and conduct due diligence on their counterparty VASP. This remains a challenge due to difficulties in identifying the counterparty VASP based on VA wallet addresses and varying counterparty VASP due diligence requirements across jurisdictions. 

The FATF report suggests that for cases in which only one of the originator and beneficiary VASPs has Travel Rule obligations due to differences in national requirements, VASPs should still take steps to comply with targeted financial sanctions obligations. They further suggest to transact with unlicensed/unregistered foreign counterparts only if the originator VASP takes risk mitigating measures in place.

Counterparty due diligence ensures VASPs avoid dealing with illicit or sanctioned actors and helps ensure that a counterparty can comply with the Travel Rule, including protecting the confidentiality of shared information. Note that counterparty due diligence for the purpose of complying with R.16 is distinct from the obligations applicable to cross-border correspondent relationships (R. 13). [Page 22]

‍

FATF highlights issues with some Travel Rule compliance tools

The 2022 and 2023 Targeted Update reports highlighted that while the industry has developed various Travel Rule compliance tools in response to FATF standards, many tools still do not fully meet these standards and face interoperability challenges. Common shortcomings include a failure to transmit information immediately in information transmission, affecting sanctions screening and due diligence. 

Regulators and supervisors are encouraged to engage with VASPs to ensure compliance tools meet all FATF requirements and take enforcement actions for non-compliance. VASPs should “deliberative and make informed decisions and select a compliance tool(s) that will allow them to meet all FATF Travel Rule requirements”. The lack of interoperability between tools can hinder transaction monitoring and counterparty identification. The FATF urges the private sector to enhance tool compatibility through technological advancements or relationships among tool providers.

An increasing number of jurisdictions report VASPs using in-house developed compliance tools. There is interest in understanding how these tools interact with others and concerns about their effectiveness. Collaborative efforts between supervisory authorities, regulated VASPs, and tool providers are recommended to ensure tools meet regulatory requirements before use.

FATF shares guiding questions and considerations for Travel Rule compliance tool providers

‍

VASPs should take a deliberative and informed decision and select a compliance tool(s) that will allow them to meet all FATF Travel Rule requirements. Box 2.1 below sets out guiding questions that VASPs should ask to determine whether potential Travel Rule solution tools will comply with all FATF requirements. [Paragraph 40]

The following chart compares SafeTransact’s capabilities vs the VAGC’s guiding questions. 

‍

FATF proposes revisions to Recommendation 16 and implications for Travel Rule

In February 2024, the FATF initiated a public consultation on proposed changes to Recommendation 16 (R.16) and its Interpretive Note on payment transparency. The revisions aim to align the Standard with evolving payment systems and messaging standards (ISO 20022) while maintaining technological neutrality and the principle of "same activity, same risk, same rules." These updates could impact the VA sector by specifying the required originator and beneficiary information and defining the roles of VASPs in complex payment chains. The final revisions to R.16 will determine any changes to the Travel Rule requirements for VASPs. Read Notabene’s response to the public consultation here.

Summary of Recommendations from FATF to public sector

• Jurisdictions without Travel Rule legislation/regulation should urgently introduce it.
• Jurisdictions with the Travel Rule should quickly operationalize it through effective supervision and enforcement.
• Jurisdictions should publicize information on registered or licensed VASPs to facilitate counterparty due diligence.
• Jurisdictions should engage with the VASP sector to identify and ensure Travel Rule compliance tools meet FATF requirements.
• VASPs and compliance tool providers should review and improve tools to fully comply with FATF requirements and enhance compatibility for effective implementation.
• FATF will update and publish assessments of R.15 compliance by 2025.

‍

If you have any questions about the FATF report, or the implementation of the Travel Rule for your business or jurisdiction, let us know at [email protected].

And if you are in the process of determining the right Travel Rule solution for your needs, we'd be happy to offer a free consultation with our compliance experts.

The European Banking Authority (EBA) has issued new Travel Rule Guidelines to enhance the traceability of fund and crypto asset transfers, aiming to combat money laundering and terrorist financing. Stemming from Regulation (EU) 2023/1113, which aligns EU regulations with FATF standards, the Guidelines aim for consistent implementation across the EU, taking effect on December 30, 2024. After releasing a consultation paper in November 2023, to which Notabene responded, the EBA released the final Travel Rule Guidelines on July 4, 2024.

Relevance of the Travel Rule Guidelines: Aligning Travel Rule Supervisory Practices across the EU

The Guidelines reflect the EBA’s view on appropriate supervisory practices within the European System of Financial Supervision or how EU law should be applied in this area. Authorities should integrate these Guidelines into their practices, including adjusting their legal frameworks or supervisory processes as needed.

‍

Key Takeaways from the EBA’s Final Travel Rule Guidelines - July 2024

Key Takeaways from the EBA’s Final Travel Rule Guidelines - July 2024

‍

1. Flexibility in Originator Information

The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers. ^[1]

‍

2. Eased Requirements for Self-Hosted Wallet Transfers Below €1,000

• ‍Consultation Paper: The EBA’s consultation paper required that CASPs “use suitable technical means to cross-match data, including blockchain analytics and third-party data providers, for the purpose of identifying or verifying the identity of the originator or the beneficiary.” ^[2]‍
• Final Guidelines: Now, only information collection obligations apply for self-hosted wallet transfers below 1,000, eliminating the need for technical means like blockchain analytics to cross-match collected data to identify and verify the originator or beneficiary. ^[3]

In response to the public consultation, Notabene argued that this requirement was disproportionate and technically unfeasible to implement. The framework initially proposed was stricter than the one set out in the Transfer of Funds Regulation (TFR), creating disproportionate obligations on small transactions. Additionally, Notabene argued that verifying identities through blockchain analytics is impractical, as these providers lack the capability to link personal identities with wallet addresses. We are pleased that the EBA adopted our suggestion, and this adjustment will make compliance more feasible for smaller transactions.

3. Simplified Verification for 1st-Party Self-Hosted Wallet Transfers ≥ €1,000

• ‍Consultation Paper: The draft guidelines initially required CASPs to use two methods for wallet ownership verification. ^[4] 
• ‍Final Guidelines: The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. ^[5]

In our consultation response, we successfully argued that requiring two methods for verifying wallet ownership/control may not enhance the verification process and could force the adoption of potentially inefficient practices. In the final version of the guidelines, CASPs are required to use only one method by default.

Notabene’s product suite includes a pop-up user interface designed to identify and verify Travel Rule counterparties at the point of transaction without impeding the transaction flow. SafeConnect obtains proof of self-hosted wallet (SHW) ownership through cryptographic signatures, one of the methods explicitly permitted in the guidelines. 

‍

{{european1="/cta-components"}}

‍

4. Clarification for 3rd-Party Self-Hosted Wallet Transfers Above €1,000

While the TFR does not specify the requirements for third-party self-hosted wallet transfers above €1,000, the Travel Rule Guidelines clarify that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849 (AMLD) apply. [6] 

According to this provision, CASPs must evaluate the risks associated with transfers to or from self-hosted wallets. Additionally, CASPs are required to implement risk mitigation measures commensurate with the identified risks. These measures may include:

1. Verifying the identity of the transfer's originator or beneficiary;
2. Requesting additional information regarding the origin and destination of the transfer;
3. Implementing enhanced ongoing monitoring of the transactions.

Therefore, CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks.

‍

5. Full Compliance from December 30, 2024, is Mandatory

Travel Rule obligations apply to crypto asset service providers (CASPs) starting December 30, 2024. The EBA states: “From December 30 2024, CASPs as defined in MiCAR will be subject to the EU’s AML/CFT regime and, therefore, these Guidelines,” emphasizing that “non-compliance with Regulation (EU) 2023/1113 is not accepted.” ^[7]

CASPs may use infrastructures or services with technical limitations until July 31, 2025, provided they fully compensate with additional technical steps to comply with these Guidelines. Full compliance is still mandatory. ^[8]

6. The EBA Provides Criteria to Evaluate Travel Rule Solutions

‍

When choosing the messaging or payment and settlement system(s), CASPs and ICASPs should

take proportionate, risk-sensitive measures to assess: [9]

• Seamless Integration: The system’s ability to communicate with other internal core systems and with the messaging or payment and settlement systems of the counterparty of a transfer and its compatibility with other blockchain networks

‍Notabene’s open network approach and integrations with top blockchain analytics, custodians, and sanction screening providers guarantee this connectivity. Additionally, Notabene’s SafeGateway builds secure clients for each Travel Rule messaging protocol, significantly expanding our users' connectivity and enabling them to engage with VASPs on previously inaccessible protocols. 

• The reachability of the protocol (i.e., the diversity and accuracy of counterparties that can be reached using the protocol – subject to the CASP's own due diligence assessment – and the rate of transfers that would successfully be sent to the intended beneficiary or received from the originator);

Notabene’s robust network ensures high transaction success rates.

• How the system enable the CASP or ICASP to detect a transfer with missing or incomplete information;

Notabene’s SafeTransact excels here, automatically identifying deposits lacking Travel Rule information and promptly requesting the necessary details from the originator VASP. 

The EBA’s final Travel Rule Guidelines mark a significant step in enhancing the traceability of fund and crypto asset transfers across the EU. With full compliance required by December 30, 2024, CASPs must prepare to meet these new requirements. Notabene’s solutions are designed to help CASPs navigate these changes efficiently, ensuring compliance while maintaining smooth transaction flows.

{{european2="/cta-components"}}

The sixth and final Plenary of the Financial Action Task Force (FATF) under the Presidency of T. Raja Kumar of Singapore marked significant progress and established future priorities. Here are the main takeaways from the plenary.

‍

Virtual Assets: Implementation Update

The FATF will release its fifth annual update on the implementation of FATF Standards for virtual assets (VA) and virtual asset service providers (VASPs) in July 2024. Since June 2023, the number of compliant jurisdictions has risen from 25 to 33. Despite this progress, 75% of jurisdictions (97 out of 130) remain only partially or non-compliant, indicating that VASP implementation still lags behind other financial sectors. The FATF urges jurisdictions to achieve rapid, full compliance and will continue providing support to this end.

Payment Transparency

Following a public consultation that ended in May 2024, to which Notabene publicly responded to here, the FATF is revising its standards to align with evolving cross-border payment systems and industry standards like ISO20022. These revisions aim to enhance the speed, cost-effectiveness, transparency, and inclusivity of cross-border payments while maintaining AML/CFT compliance. Further dialogue with experts is needed before finalizing these amendments.

Jurisdictions Under Increased Monitoring

Monaco and Venezuela have been added to the list of jurisdictions subject to increased monitoring. Congratulations to Jamaica and Türkiye which have been removed from this list, reflecting their improved compliance.

High Risk Jurisdictions - Call for Action

The FATF reiterated its concerns over certain high risk jurisdictions in its Call for Action.  Specifically for Democratic People’s Republic of Korea (DPRK), Iran, and Myanmar. 

‍

‍Democratic People's Republic of Korea (DPRK) 🇰🇵‍

FATF remains deeply concerned about the DPRK's failure to address significant AML/CFT deficiencies and the proliferation financing risks posed by its illicit activities related to WMDs. The FATF urges all jurisdictions to:

• Terminate correspondent relationships with DPRK banks.
• Close any DPRK bank branches or subsidiaries.
• Limit financial transactions with DPRK persons.

Greater vigilance and enforcement are required, especially given DPRK's increased financial connectivity and use of front companies to evade sanctions.

‍

Iran 🇮🇷

Since Iran has not completed its action plan, including enacting key conventions, the FATF calls for:

• Enhanced supervisory examination for Iranian financial institutions.
• Systematic reporting of financial transactions.
• Increased external audit requirements.

Until Iran fully implements the required measures, the FATF maintains concerns over terrorism financing risks from Iran.

‍

Myanmar 🇲🇲

Due to slow progress in addressing AML/CFT deficiencies, the FATF calls for enhanced due diligence measures. Financial institutions should:

• Increase monitoring of business relationships.
• Ensure legitimate financial flows, such as humanitarian aid and remittances, are not disrupted.

If no further progress is made by October 2024, the FATF will consider applying countermeasures.

Mutual Evaluation Reports: India and Kuwait

India has achieved a high level of technical compliance with FATF requirements, particularly in understanding ML and TF risks, international cooperation, and access to beneficial ownership information. However, improvements are needed in supervising non-financial sectors. Kuwait is also nearing compliance but requires further progress.

Review of Gatekeepers

FATF will publish its findings on the regulation of gatekeepers in July 2024. These entities, if unregulated, remain exposed to significant criminal risks and may fail to detect money laundering red flags.

Women in FATF and the Global Network (WFGN) Initiative

Notabene commends Minister Indranee Rajah who launched the e-book “Breaking Barriers: Inspiring the Next Generation of Women Leaders,” showcasing the resilience and expertise of women in combating financial crime. This initiative, part of the Women in FATF and the Global Network (WFGN), aims to inspire and support aspiring women leaders and complements the multicultural mentoring program.

Compliance with FATF Standards

The Plenary approved revised criteria for prioritizing countries for the International Cooperation Review Group (ICRG) review process. This will ensure that the listing process remains risk-based, fair, and transparent. Members also agreed on assessment methods for compliance with the revised FATF Standards on asset recovery and related international cooperation, adopted in October 2023.

Incoming Mexican Presidency’s Priorities (2024-2026)

As many know, Elisa de Anda Madrazo, is the incoming President.  She outlined the Mexican Presidency’s priorities, which include:

• Advancing financial inclusion through risk-based implementation of the Standards.
• Ensuring a successful start to the new round of assessments.
• Strengthening the cohesion of the Global Network by fostering transparency and unity.
• Supporting effective implementation of revised FATF Standards, focusing on asset recovery, beneficial ownership, and virtual assets.‍
• Continuing efforts to combat terrorist and proliferation financing.

The outcomes of this Plenary set a robust agenda for the FATF, emphasizing the need for rapid compliance, enhanced transparency, and international cooperation to combat financial crime effectively.  We at Notabene are excited to support this and eager to see how this will unfold in the coming year.

📥 Interested in more content like this? Sign up to receive regular updates via LinkedIn.

Authored by CryptoUK’s Travel Rule Working Group, the Travel Rule Good Practices Guide is a cornerstone document for virtual asset service providers (VASPs), cryptoasset businesses, and digital asset industry participants navigating the regulatory landscape in the UK.

This comprehensive guide is a culmination of the industry’s collective effort. It provides an in-depth overview of compliance strategies and valuable guidance on addressing associated challenges.

The UK’s Pivotal Role in the Travel Rule Compliance Landscape

According to Chainalysis (2023), the UK ranks third globally in transaction volume, with an estimated $252.1 billion received last year. The 44 VASPs currently registered with the FCA must comply with the Travel Rule, which came into force on September 1, 2023. This situation underscores the UK’s significant role in promoting Travel Rule compliance worldwide.

Insights from the 2024 State of Crypto Travel Rule Compliance Report

The UK, with its robust regulatory framework, leads in compliance rates. Our comprehensive State of Crypto Travel Rule Compliance Report 2024 revealed that the UK boasts a 100% compliance rate among surveyed respondents in the EMEA region, reflecting the country’s stringent standards since the rule’s enforcement.

Notabene’s Proactive Role in UK Travel Rule Compliance

Our team at Notabene is dedicated to assisting UK VASPs in understanding and complying with their Travel Rule obligations. In 2023, we spearheaded several initiatives:

• Regulatory Sandbox Testnets: As part of the Financial Conduct Authority's (FCA) regulatory sandbox, we conducted two testnets with firms such as Ramp, Bitstamp, Wirex, CoinPass, Altalix, Hidden Road, Bitpanda, Custody, Uphold, and Zodia Markets.
• Guidance Publication: We published a concise guide summarizing the Travel Rule obligations outlined in the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 (MLTFR 2022.)

Additionally, Notabene has actively engaged in the JMLSG consultation process, submitting a response to contribute to the development of practical and effective compliance strategies for the industry. Our efforts ensure the guidance remains relevant and supports VASPs’ compliance journey.

Key Insights from the Travel Rule Good Practices Guide

The CryptoUK Travel Rule Good Practices Guide is an invaluable resource for navigating the complexities of regulatory compliance in the crypto industry. With contributions from industry experts, this guide provides a clear path for VASPs to achieve and maintain compliance.

Key areas covered include:

• Counterparty VASP Due Diligence: In the absence of regulatory guidelines in this respect, this chapter outlines key considerations and best practices, featuring key insights shared by Notabene’s Head of Regulatory and Compliance Team, Lana Schwartzman.
• Withdrawal and Deposit Flows: Provides an overview of applicable obligations and approaches for operationalizing Travel Rule compliance within withdrawal and deposit flows.
• Unhosted Wallets: Discusses the regulatory framework, associated risks, and potential mitigations.

About the Working Group

The CryptoUK Travel Rule Working Group was established in 2023 to foster knowledge sharing and best practices. 

The group collaborates with policymakers, regulators, and key stakeholders, including HM Treasury, the FCA, the Electronic Money Association, and the JMLSG. The Working Group significantly contributed to the development of the JMLSG’s Guidance on Cryptoasset Transfers, published in August 2023.

For more insights and to stay informed about regulatory developments, download the guide and join the CryptoUK Travel Rule Working Group today.

This article provides an in-depth look at virtual asset service providers' (VASPs) current transaction restrictions and compliance measures as they navigate Travel Rule compliance.

Based on the results from Notabene's 2024 State of Crypto Travel Rule Compliance survey, we explore how crypto businesses and financial institutions are preparing to meet these regulatory requirements. Download the report here to gain deeper insights.

Key Findings

Global Survey Overview
The survey, conducted between October 2023 and January 2024, included 70 companies from Europe, the Middle East, Africa (45.7%), Asia-Pacific (30%), and the Americas (21.4%).

66% of VASPs Enforce Restrictions on Withdrawals That Do Not Comply With Travel Rule Requirements

66% of VASPs enforce restrictions on withdrawals that do not comply with Travel Rule requirements. Notably, 23% do not allow withdrawals unless a Travel Rule message can be sent to the beneficiary VASP, up from 8% last year. This shift reflects a growing trend towards stricter compliance measures within the industry. The percentage of respondents permitting customers to withdraw funds without being able to send Travel Rule messages to the beneficiary VASP has dropped significantly from 37% in 2023 to 19% in 2024. This decrease of 49% underscores a heightened focus on ensuring compliance with regulatory requirements.

Moreover, 40% of respondents adopt a risk-based approach when determining whether to allow a withdrawal. This method reflects an industry-wide effort to balance business considerations with regulatory compliance. Given the persistent limitations that hinder full compliance, such as the Sunrise Issue, this approach is particularly significant. The increasing adoption of stringent compliance measures marks a notable shift in the industry’s approach to risk management, demonstrating a mature, proactive, and compliant stance in navigating the evolving landscape of crypto regulations.

66% of Companies Impose Restrictions on Transactions With Self-Hosted Wallets

66% of companies impose restrictions on transactions with self-hosted wallets. Approximately one-third of companies (33%) exclusively allow first-party transactions with self-hosted wallets and require customers to demonstrate control over the wallet address before authorizing the transaction. Additionally, 27% of companies allow third-party transactions with self-hosted wallets but collect beneficiary information from their customers, showcasing a commitment to due diligence. A minority of 6% of companies outright prohibit transactions with self-hosted wallets. 

There is still a substantial portion of respondents (29%) that do not impose any restrictions on transactions with self-hosted wallets. The “Other” category, comprising 6% of responses, suggests a unique range of approaches that some companies have adopted to handle transactions with self-hosted wallets. The distribution of survey responses illustrates the diversity of approaches that regulators worldwide take when defining rules for transactions involving VASPs and self-hosted wallets.

Over 20% of VASPs Return Deposits Missing Required Travel Rule Information

Handling Deposits

Over 20% of VASPs return deposits missing required Travel Rule information. Specifically, 21% of companies, upon identifying the originator VASP, promptly send requests for missing Travel Rule information. If the information is not received, companies take the decisive step of returning the funds. This approach often creates additional operational challenges for VASPs, which is further discussed in Chapter 5, Section 7 of the report. Another 10% follow a similar protocol but opt to collect the required information directly from their end-customers in the absence of the necessary data, using this as an alternative means to assess transaction risk when counterparty collaboration is lacking.

Nearly half (49%) of the respondents take more lenient approaches. Notably, 30% adopt a risk-based approach, evaluating the associated risks before deciding whether to make the deposit available to end-customers. Meanwhile, 19% of respondents permit their customers to receive deposits without the mandated Travel Rule information. This variation in approach may stem from the need to balance compliance with business needs. A significant portion of deposits from VASPs still lack Travel Rule information due to hindrances like the Sunrise Issue and interoperability issues. For these firms, strict compliance would entail refusing all deposits except from self-hosted wallets, which would have a significant and potentially disproportionate impact on business.

Diverse Compliance Strategies

VASPs employ a range of strategies to manage non-compliant deposits, from providing grace periods to negotiating compliance practices with counterparties. Some respondents revealed ongoing efforts toward implementation, development, or the intention to implement in the future. Strategies included providing grace periods for clients, negotiating compliance practices with counterparties, and adopting selective compliance measures based on specific circumstances. These diverse responses underscore the complex and evolving nature of the regulatory landscape and the varied approaches taken by entities within the crypto ecosystem. This emphasizes the need for continued collaboration and standardization for comprehensive and effective risk mitigation practices.

As the regulatory landscape continues to evolve, VASPs must stay abreast of changes and adopt robust compliance strategies. The increasing adoption of stringent compliance measures marks a significant shift in the industry's approach to risk management, demonstrating a mature, proactive, and compliant stance in navigating the evolving landscape of crypto regulations. For VASPs, staying ahead of these changes will be crucial in maintaining competitive advantage and fostering trust in the digital asset space.

{{report1="/cta-components"}}