4 Tips for VASPs When Performing Counterparty Due Diligence

12 Jun, 2024

As more regions implement the Travel Rule, counterparty due diligence is imperative since it forms an integral step in the risk-based approach, which the Travel Rule advocates for. Moreover, the Travel Rule demands that virtual asset service providers (VASPs) know where they are sending funds before initiating the transaction. 

Below, we discuss why counterparty due diligence is required and what VASPs should look for and consider when conducting this process. 

Why Is Counterparty Due Diligence Required? 

As with all financial transactions, there are associated risks. In the case of crypto transfers to and from VASPs and/or self-hosted wallets, these risks can include: 

  • Transferring to a VASP registered/located in a high-risk or sanctioned jurisdiction. 

  • Transferring to a VASP with a history of being used as a mixing service or serving entities or individuals sanctioned or flagged as risks. 

  • The intention of the transaction could be to fund terrorism or money laundering. 

  • As the Travel Rule mandates that VASPs must collect and share customer data when transacting, there is the added risk of a data leak or of data not being stored by the counterparty VASP according to data protection policies, like the GDPR.

To mitigate these risks, counterparty due diligence measures must be applied.    

4 Tips for VASPs to Consider When Performing Counterparty Due Diligence

VASPs or other regulated entities must perform counterparty due diligence the first time they transact with a counterparty or when there is suspicion of a risk.  It is recommended that VASPs perform counterparty due diligence at regular intervals to monitor whether their counterparty VASP has remained Travel Rule compliant. Should a counterparty lose its accreditation, the originator VASP is not permitted to transact until the counterparty is certified again.

An example of counterparty due diligence can include collecting proof that the VASP is regulated and evidence of the region's compliance framework. Moreover, collecting information on the types of transactions the VASP performs is valuable—does it transact with high-risk jurisdictions or bodies (as mentioned above)?  Adverse media monitoring is another low-effort and high-impact measure. There’s no strict set of measures one must take, and no risk appetite is the same. The major question VASPs should ask themselves is: Can I explain what I did to the regulator?

Below, we provide 4 tips for VASPs starting their counterparty due diligence processes. 

Tip 1: Understand the Regulatory Environment

When conducting due diligence on a VASP, it is important to identify the jurisdiction where the service provider is registered or operating in order to establish what its regulatory framework for crypto assets entails. These frameworks are often freely available and can be downloaded from the regulators’ websites. For example, VARA’s Compliance and Risk Management Rulebook explains Dubai’s AML/CFT policy and interpretation of the Travel Rule.

Thereafter, it is key to verify whether the service provider is licensed or registered with the relevant regulatory bodies and to ensure it complies with AML/CFT regulations. This, too, can usually be done on the regulator’s site, as with Lithuania’s CSSF and VARA. Alternatively, VASPs can use services like VASPNet, which allows VASPs to access the regulatory status of counterparties in real time.

Tip 2: Review the VASP’s Company Profile and Business Practices

To thoroughly assess a VASP, obtain details on the company’s ownership, management team, and corporate structure. Perform background checks on the management team and key personnel to assess their expertise and integrity. 

Look for publicly available financial information to evaluate the provider's financial stability. This can be done in many ways. Most big VASPs make their proof of reserves available on their homepages. Alternatively, regulatory frameworks can be used to get a rough estimate of the VASP's financial status: in the EU, for example, firms issuing ARTs must be licensed under MiCA and are obligated to have their own funds equal to or higher than one of the following:

  • EUR 350,000; 

  • 2% of the average reserve assets; 

  • or 25% of the previous year's fixed overheads.

Additionally, investigate the provider’s partnerships and associations with other organisations in the crypto space to ensure they maintain reputable and strategic alliances.

Ascertain which services your counterparty offers to ensure they align with your needs and regulatory requirements. Test the responsiveness and quality of their customer support, and look for reviews, testimonials, and any negative news related to the service provider to assess their reputation.

Tip 3: Verify KYC/AML Procedures and Review Risk Management Framework

Ensure the provider has robust know-your-customer (KYC) procedures. Evaluate their technological infrastructure to measure the effectiveness of the security in protecting assets and user data. Furthermore, check for third-party security audits and certifications to ensure adherence to industry standards. Investigating any past security incidents, breaches, or operational failures is crucial to understanding the provider's incident history and response mechanisms.

Review the jurisdiction's risk management framework to understand what is expected from VASPs in the region regarding risk assessment and mitigation. Check if the framework requires the provider to have insurance coverage for crypto assets and operational risks.

Tip 4: Transitive Due Diligence

It would be foolish to disregard the work your counterparties have done themselves. Suppose a counterparty of yours does business with a potential other counterparty. In that case, some value is to be had in that existing business relationship, provided that you thoroughly know and trust your counterparty. In a very real sense, MiCA provides for this by saying that if your counterparty is in the EU, you can assume they are safe to send PII to.

Looking for a more detailed approach, or couldn’t find the answer you were looking for? 

Contact us, and one of our experts will help you on your way. 

Written by: The Content Team