21 Analytics logo
Request a Demo
How the Travel Rule Fits In a Risk-based Approach

How the Travel Rule Fits In a Risk-based Approach

09 May, 2024

With anti-money laundering and countering the financing of terrorism (AML/CFT), the risk-based approach (RBA) plays a pivotal role in mitigating risks. The Travel Rule requires virtual asset service providers (VASPs) always to adopt an RBA stance. 

Below, we will explain how the Travel Rule fits in a risk-based approach, explaining key RBA concepts using the Financial Action Task Force (FATF) and the EU’s Transfer of Funds Regulation (TFR) implementation of the FATF recommendation as examples. Before diving in, we will first explain what an RBA is.   

What Is a Risk-based Approach? 

A risk-based approach (RBA) involves making informed decisions by considering the potential risks and taking appropriate actions to manage them effectively. It's a proactive way of dealing with uncertainty and protecting against possible threats.

The FATF’s Risk-based Approach 

According to the FATF, an RBA to AML/CFT entails that countries, regulatory bodies, and financial institutions must recognise, evaluate, and comprehend the money laundering and terrorist financing risks they face. 

They must then implement AML/CFT measures proportional to these risks to mitigate them effectively. When assessing money laundering and terrorist financing risks, these entities should thoroughly analyse and understand how the identified risks impact them. 

This risk assessment forms the foundation for the application of AML/CFT measures that are sensitive to the level of risk. However, an RBA doesn't guarantee a flawless outcome; despite employing reasonable measures to identify and mitigate AML/CFT risks, money laundering or terrorist financing may still occur. Moreover, adopting an RBA doesn't absolve countries, regulatory bodies, or financial institutions from addressing ML/TF risks deemed lower risk; mitigation efforts are still necessary even in such cases.

An RBA is believed to be more effective than a rigid rule-based approach. A rule-based approach for AML involves following a strict set of predefined rules. This approach is unable to accommodate unforeseen risk signals and often fails to adequately assess risk. 

[Source: FATF Guidance for a Risk-based Approach]

The EBA’s Risk-based Approach for the TFR

Per Regulation (EU) 2023/1113, Chapter IX, Article 36

the “EBA shall issue guidelines, addressed to competent authorities, on the characteristics of a risk-based approach to supervision of crypto-asset service providers and the steps to be taken when conducting such supervision”.

The European Banking Authority (EBA) proposed the following definition in its paper titled, The Travel Rule Guidelines: “[...] Means an approach whereby competent authorities, PSP, IPSP, CASPs and ICASPs identify, assess, and understand the ML/TF risks to which PSP, IPSP, CASPs and ICASPs are exposed and take AML/CFT measures that are proportionate to those risks.

Examples of How the Travel Rule Fits In a Risk-based Approach

Know Your Customer (KYC) and Customer Due Diligence (CDD)

Financial institutions and regulated entities to take know your customer (KYC) measures when onboarding a customer. This involves collecting customer data to verify customers' identities, assess associated risks, and understand their business activities. 

Customer due diligence (CDD), on the other hand, is the ongoing process of monitoring customers’ identities and potential risks as seen in the transfer of data with transactions, per the Travel Rule. 

The Travel Rule and Know Your Customer (KYC) / Customer Due Diligence (CDD)

Recommendation 16 states that for wire transfers involving virtual assets and VASPs, "Countries should ensure that originating VASPs obtain and maintain accurate originator information and required beneficiary information on virtual asset transfers."

("accurate" describes information that has been verified for accuracy [page 57], implying that VASPs must employ a KYC process for this purpose).

According to Article 14 of the TFR, crypto asset service providers (CASPs) are mandated to apply CDD processes in the following examples:  

Before transferring crypto, originating CASPs must verify the below information:

  • “the name of the originator;

  • the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;

  • the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;

  • the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth; and

  • subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.”

What’s more, CASPs need to verify the accuracy of the beneficiary’s information before making funds available to their customers. As per the EU Travel Rule, CASPs are to ensure: 

"(a) the identity has been verified in accordance with Article 13 of Directive (EU) 2015/849 and the information obtained pursuant to that verification has been retained in accordance with Article 40 of that Directive; or

(b) Article 14(5) of Directive (EU) 2015/849 applies to the originator."

Enhanced Due Diligence (EDD) 

Enhanced due diligence (EDD) involves a more detailed collection of information when compared to KYC and CDD, to authenticate clients' identities and evaluate the potential money laundering risks associated with individual customers. 

The Travel Rule and Enhanced Due Diligence (EDD)

The FATF proposes several steps for incorporating EDD:

  • increasing the collection of identifying details from various trustworthy and impartial sources,

  • commissioning an intelligence report on the customer or beneficial owner to obtain deeper insights into potential links to illicit activities,

  • confirming the origin of cash or assets in business collaborations,

  • obtaining additional information from clients regarding the intentions and characteristics of the business association.

The TFR mandates that CASPs perform EDD to assess and identify risks, similar to what is observed in traditional banking when establishing a new relationship. Additionally, when a CASP outside the EU receives crypto asset transfers on behalf of a client, the originating CASP should evaluate the beneficiary CASP's capability to receive and uphold the necessary information as per the GDPR.

Record Keeping 

Record keeping in the context of an RBA requires practices to identify, assess, and manage risks effectively. These practices could involve specific controls, procedures, or technology to mitigate risks. Regular audits of the records help mitigate risks. 

The Travel Rule and Record-Keeping 

Per the FATF, Travel Rule data must be retained for record-keeping and monitoring for at least five years or for an audit prior to this. Should VASPs not adhere to this data retention requirement, they can be penalised. Data retention is evidence of Travel Rule adherence. 

Timing of Verification

Data verification is another crucial step in mitigating risk with an RBA. Financial institutions can verify data before, during, and after a transaction. Transaction verification involves assessing the validity and legitimacy of transactions, reducing the risk of engaging in fraudulent or unauthorised activities.

The Travel Rule and Timing of Verification

The FATF instructs VASPs to address potentially suspicious virtual asset transfers in real-time. This requires timely transmission of information, before or immediately as the transaction occurs. Moreover, such data sharing must be conducted securely and in compliance with the relevant data protection regulations applicable to the region.

Per the TFR, customer information must be submitted securely before or simultaneously with the transfer of crypto assets, as per the GPDR. The originator CASP can not allow for the initiation or execution of any transfer of crypto assets before ensuring full compliance.

In conclusion, the Travel Rule compels VASPs to adopt RBA principles and evaluate, understand, and address the inherent risks associated with their operations. The relationship emphasises the importance of regulatory frameworks in safeguarding the integrity of financial systems against illicit activities.

Written by:
21Author (3)
The Content Team
Cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.