There’s been an enormous upsurge in interest in FATF Recommendation 16, widely known as the Travel Rule. On June 24, the FATF’s Plenary Meeting set a new milestone in the regulatory oversight of cryptocurrency transactions, with reviews of initial implementations of the rule.
Prevention of money laundering, terrorism financing, bribery and corruption, tax evasion, international sanctions breaches, and other illicit activity via the exchange of virtual assets such as bitcoin, ether, XRP, and others is at the centre of this activity.
The FATF expects Virtual Asset Service Providers (VASPs) and non-VASPs, law enforcement agencies, governments, and legislators to support the adoption and implementation of the Travel Rule to detect and prevent illicit activity via virtual asset transactions.
In simplest terms, the Travel Rule covers VASPs such as cryptocurrency exchanges and digital wallet providers, custodians, and some traditional financial institutions transacting in virtual assets. It ensures that originators, intermediaries, and beneficiaries of virtual asset transactions disclose a minimum standard of customer data.
Names and wallet addresses of the remitter and beneficiary can identify financial crime risks such as international financial sanction violations, money laundering, and the financing of terrorism. The rule is comparable to well-established industry rules for international wire transactions in fiat currencies, such as those transferred via the SWIFT system between banks. It simply requires a suitable technology to capture and manage this data at scale.
Comprehensive tools for the transfer, registration, and reporting of Travel Rule data are key:
- VASPs do not all currently have the requisite technology in place, and there are no shared standards for the capture, transfer, and analysis of customer data. Coinfirm and other blockchain AML and compliance companies have built solutions to address these technological gaps. We expect a wave of adoption as VASPs look to bridge the gaps.
- By design, individual regulatory regimes have latitude in interpreting the recommendations on their own. The Travel Rule itself is not a regulation and does not include specs for enabling technologies for compliance.
- Implemented regulations must operate in conjunction with existing local regulations such as the General Data Privacy Regulation in the EU.
- Not all transactions take place via VASPs from end-to-end, creating the potential for pockets of unregulated or underregulated activity unless they are also included
Six guiding principles are needed for Travel Rule implementation and standardisation. These principles should form the cornerstones of any technical solution that facilitates compliance with the Travel Rule.
- Data Minimisation: Limiting the collection and use of personally identifiable information about parties to a virtual asset transaction will help ensure compatibility with local data privacy legislation.
- User Consent: Both senders and receivers must consent to the transfer of information between VASPs.
- Local Compliance: Each party and intermediary owns the responsibility of complying with local data protection rules even when technical solutions are international in scope.
- Common Standards: The data set and messaging standards should be compliant with ISO standards. There is not yet a consensus on which standard to apply (i.e., whether ISO 20022 or others).
- Non-VASP Participation: Solution and regulatory considerations may only apply to VASP-to-VASP transactions at first, but this represents only a starting point. In future, tests such as transaction size, volume, and account size should be able to trigger Travel Rule requirements for transactions involving unhosted (i.e., P2P) wallet transactions. Eventually, implementation must extend to non-custodial wallets, to decentralised exchanges provided they do not hold private keys, to smart contract operators which transfer value, and to owners or administrators of protocols.
- Transaction Scope: While the FATF does not provide a formalised definition of a transaction, in the context of blockchain transactions, the term should also cover transactions generated as part of smart contract execution.
VASPs must be able, where applicable, to freeze transactions as well as block and prohibit transactions with designated persons, in line with sanctions lists, Politically-Exposed Person lists, blacklisted address lists, etc. A VASPs ability to manage and mitigate the risks of engaging in activities that involve the use of anonymity-enhancing technologies or mechanisms must also be a precondition for licensing. Critically, VASPs and other obliged entities should have the ability to flag unusual or suspicious movements of funds or transactions, including those involving or relating to virtual assets, for further scrutiny in a timely manner.
One final area of consideration is the ability of regulators to have meaningful information and remediation to enable them to license VASPs and oversee VASP activities in sufficient detail.
Without these case management and risk analysis mechanisms, VASPs and regulators cannot effectively spot or control activity that is otherwise indicative of potential involvement in illicit activity. New and more sophisticated AML solutions for blockchain based on analytics and risk profiling will help achieve this outcome, since transaction-by-transaction monitoring does not scale effectively when analysing copious numbers of transactions at high frequency.
The FATF continues to be engaged in discussions, but the hope is that the market overall is converging on global consensus. Such consensus depends on the operating solutions that individual entities put into practice.
Moreover, it will not happen overnight. Expect a patchwork of approaches in the interim. Early adopter jurisdictions may generate resistance with seemingly constraining standards and legislation that create a disadvantage versus more libertarian jurisdictions.
But our view is more pragmatic over the long haul. Effective and wide-spread adoption of enabling technologies is merely a question of time. Many institutions, banks, service providers, working initiatives, and industry groups are coming together to try to begin to offer services and solutions.
The market wishes to normalise virtual asset transactions and is willing to accept the prevention of illicit activity as part of the process of maturity. There is goodwill in place, and the innovations that realise such goodwill are coming.