5 Travel Rule Issues and How to Solve Them

5 Travel Rule Issues and How to Solve Them

19 Jan, 2024

The Financial Action Task Force’s (FATF) Travel Rule is no longer a novel initiative, and while global adoption is slow and inconsistent - enter the sunrise issue - it is happening.  Simply put, the Travel Rule is the exchange of information when there is an exchange of crypto assets between financial intermediaries, like virtual asset service providers (VASPs), or between VASPs and self-hosted wallets. However, this Rule does pose challenges to the implementors. 

5 Travel Rule Issues with Solutions for VASPs

Issue: Different Interpretations of the Travel Rule

Per the FATF, Travel Rule adoption has been slower than anticipated, and regions that have adopted the Travel Rule, especially those with a larger global impact, have opted to implement a variation of the Travel Rule suited to their region’s reality.   For example, the EU asks for a multitude of data for all transfers irrespective of value; the UK is more flexible for local transfers, and those under EUR 1000, and Switzerland has a zero threshold but has kept the required data set similar to the FATF’s suggestion. 

Solution:  

Recently, it has become more common for regulators to request input and feedback from the industry to shape and define regulations. However, even with these requests, we ultimately still rely on their interpretation and implementation rulings of the Travel Rule. 

As a VASP or other financial institution, the best option available would be to select a Travel Rule solution that is multiprotocol, ticks the compliance boxes in your region and those that you are dealing with, and allows you the flexibility to define rules within the solution to ensure you are always compliant irrespective of the situation.

Issue: Different Travel Rule Solutions 

In short, different solutions have different features and functionalities. Some are equipped to deal with the Sunrise Issue, some not. Some can accept or reject transactions before any blockchain activity happens, others don’t, and few have a way to handle self-hosted wallets. 

The problem with certain Travel Rule solutions is that they lack fundamental functionalities to ensure compliant proceedings. While VASPs can forego certain aesthetic functionalities, like choosing a font your team likes, some cannot be overlooked.  Examples include:

  • No Travel Rule data retention option, 

  • Limited crypto asset support, 

  • Travel Data to be sent only after on-chain transfer. 

Read Deficiencies in Travel Rule Solutions 

Solution:  

The FATF has provided guidelines on how to choose a technical solution in its latest Targeted Update, which provides a good starting point for VASPs in the market for a solution. Moreover, 21 Analytics published a blog with further questions to guide VASPs in making this decision. 

Assuming that you have already chosen a Travel Rule solution and realise it does not tick a required box, the best thing to do would be to contact your provider to see if the missing feature can be built into your existing solution - without it, you are not conducting Travel Rule compliant transactions.  If the feature cannot be added, the best bet would be to seek a provider that can help you meet the compliance expectations of your region.  

Issue: The Sunrise Issue 

The Sunrise Issue; a VASP’s nightmare. Your region has the Travel Rule in place, and your counterparty’s doesn’t, so getting the required Travel Rule data to and from them can be challenging. 

As the originator VASP, sending the data to your counterparty, who does not have the Travel Rule in place, is tricky as the data needs to be sent securely and you need to know who your counterparty is. As the beneficiary VASP, the challenge increases as you need to collect data from a counterparty that may or may not be open to sending it.     

Solution: 

Option 1 is to decline the transaction altogether when you realise the VASP is in a region without the Travel Rule in place, but that comes at a cost: you could lose your customer. 

Option 2 is to rely on emails, a viable option if you don’t have a plan B as it will ensure you get the required information that you need, and while sending emails is easy and compliant, receiving emails is cumbersome. In that case, you need to do manual work to check both the originator and beneficiary. If you get an email at all! 

Option 3 is to opt for a Travel Rule solution that provides a solution to the Sunrise Issue, like 21 Sunrise. Using 21 Sunrise, VASPs can send their counterparty a secure link for data exchange; the plus side is you only need to share this link once to enable communication. 

Issue: Different Protocols 

A protocol is a set of rules for transmitting data between entities. The most popular Travel Rule protocols are the Travel Rule Protocol (TRP), TRISA, TRUST and VerifyVASP, each with its own set of pros and cons. 

A Travel Rule solution will have at least one specific protocol implemented. When it transmits data to another Travel Rule solution, that solution will need to have the same protocol implemented for the data to be successfully communicated. Different protocols will result in unsuccessful communication. 

Solution: 

The only solution is to ensure that your counterparty VASP supports the same protocol that your solution does. When you are doing 100s of transactions per day chances are enormous that they come from different counterparties. You can be sure that not all your counterparties are using the exact same protocol. And you can’t exactly phone up every VASP to ask if they can switch to your protocol.

A better solution would be to ensure you use a solution that is multiprotocol, which means it supports more than one protocol, increasing your chances of uninterrupted business.  Additionally, when shopping for a Travel Rule solution, figure out who your current counterparties are and what protocol they use. Make sure the Travel Rule solution you are currently considering supports them.

Issue: Self-hosted Wallet Verification 

Many regions that have adopted the Travel Rule have placed emphasis on transactions to and from self-hosted wallets and VASPs, requiring proof of ownership over the self-hosted wallet address in certain instances.

In terms of transaction monitoring in line with AML/CFT standards, this is a great safety mechanism to avoid the transfer of illicit funds; however, the issue that arises for VASPs (and customers), apart from the required data exchange, is the proof of ownership. 

For starters, not all wallets have the same signing capabilities; some wallets do not allow owners to select input addresses when constructing a transaction, which poses an issue when attempting a Satoshi Test. Some wallet owners find the traditional manual signing method too complicated. Of course, there is always the screenshot method, but that is by no means the most secure method - a novice can tamper with the image to produce the desired outcome.

Solution:  

VASPs should select a Travel Rule solution that offers a variety of verification methods to ensure customers are presented with an option they are comfortable with and that their wallet can perform. 

Furthermore, there is Address Ownership Proof Protocol (AOPP), which is a fully automated version of manual signing for both the VASP and customer, provided both parties support it.  VASPs that are currently using it have reported that they have sped up processes and cut down processing costs.  

Ownership Proof Methods Analysis
An Analysis of Ownership Proof Methods

For every issue presented by the Travel Rule, 21 Travel Rule has a solution. Contact us and find out how you can tackle the Travel Rule and its challenges with ease. 

Request a Demo
Written by:
Harm Aarts
Senior Software Engineer
Cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.
Accept