How To Perform Travel Rule VASP Due Diligence like Capgemini

11 Dec, 2025

We sat down with David Soiles, who leads Fintech Financial Crimes Compliance at Capgemini and Counterparty Due Diligence for TRUST, a Travel Rule network of major VASPs such as Coinbase, Gemini, Kraken and more.

As the Travel Rule continues to expand globally, Virtual Asset Service Providers (VASPs) face increasing expectations to demonstrate a deep understanding of their counterparties and their associated risks. 

Counterparty Due Diligence (CDD) is key in achieving full compliance and maintaining trust with customers, authorities, and partners across the digital asset ecosystem.

To explore this topic further, we spoke with David Soiles, who leads the Fintech FCC vertical at Capgemini, a global consultancy serving many top 50 banks with over 400,000 employees across more than 50 countries.

As a Financial Crimes Compliance Fintech Practice Leader, David’s team helps firms implement robust financial crime controls and risk management frameworks, helping both traditional and digital financial institutions navigate evolving regulatory expectations. Closely collaborating with top crypto companies, he has also led the due diligence for over 100 VASPs onboarding TRUST from more than 30 countries.

After starting his career in traditional finance at Goldman Sachs, Dave worked on the HSBC monitorship at Exiger, a financial crime compliance consulting firm, and then transitioned to the digital asset and fintech FCC functions six years ago. His experience in independent audit and compliance advisory helps identify both challenges and best practices for VASP Due Diligence, not only regarding the Travel Rule but also in other areas.

Q: How does Capgemini help VASPs with Counterparty Due Diligence, in and outside of TRUST?

David: We’ve been a long-time partner of the TRUST network, where we conduct due diligence on all prospective members before admission, and ongoing due diligence on existing members. It’s not simply about admitting anyone into the network; each participant must pass a defined due diligence process to ensure the ecosystem remains viable and trusted.

Beyond this, our advisory team assists firms with core functions such as their annual financial crime compliance (FCC) risk assessment, a process that has been long established in traditional finance and is now being standardised in the digital asset space. 

Counterparty Due Diligence forms a key part of this, identifying each firm’s risk exposure and assessing the controls in place, as well as those that still need to be developed.

Q: What are the main areas a VASP should consider when performing due diligence on its counterparties? Is there guidance from authorities?

David: The most important factor is regulatory status: whether the counterparty is a registered and supervised entity or not.

Regarding guidance, we have seen global authorities, such as the FATF, increasingly encouraging firms to quantify their exposure to self-hosted wallets and to identify when they are dealing with individuals versus other companies. 

Regulatory actions in the US, such as recent New York State Department of Financial Services consent orders, have highlighted the impacts of weak Counterparty Due Diligence.

The key takeaway is that you can’t simply trust that customers are transacting with who they claim to be. Relying on customers to be forthcoming is not sufficient. Firms must continuously verify and monitor their counterparties.

“You can’t simply trust that customers are transacting with who they say they are.”

David Soiles, Lead for Fintech Financial Crimes Compliance at Capgemini and Counterparty Due Diligence for TRUST, Capgemini.

21 Analytics: This is a very timely point. We have also seen this issue arise as other Travel Rule providers offer self-declaration checkboxes for customers to "verify" their ownership over wallet addresses - an easily bypassed, weak control in this very new space.

Q: How does Counterparty Due Diligence differ between traditional finance and crypto? Does it hold more relevance in the digital asset space?

David: We perform a lot of due diligence in both worlds, but it’s even more important in crypto.

In traditional finance, controls and processes have been refined over decades, resulting in fewer opportunities for bad actors to exploit the system. New financial products tend to be incremental variations on existing ones, making their risks more comprehensible.

In crypto, however, products are far more exotic and innovative, which makes the ecosystem dynamic but also riskier. Money launderers tend to gravitate towards new technologies and untested processes. This makes a deep understanding of counterparties and why they are using a certain product or structure absolutely critical.

Innovation is a double-edged sword: it drives growth but also introduces new risks and control challenges.

21 Analytics: Speaking of traditional finance controls that have been refined over the years…

Q: Some crypto firms base their Counterparty Due Diligence on the Wolfsberg Questionnaire. Can this be considered a gold standard?

David: It’s close to a gold standard and definitely a strong starting point.

However, it’s not enough on its own. The digital asset landscape evolves too quickly for any static framework to remain fully relevant. Products that exist today may look entirely different a year from now.

Firms need to customise the Wolfsberg approach with questions that capture the nuances of the digital asset ecosystem, for instance, the difference between a Bitcoin exchange and a retail token issuer. The controls each requires are very different, and due diligence needs to reflect that.

Q: How is a deep due diligence process imposed by a Travel Rule network like TRUST beneficial to its members?

David: External due diligence adds an extra layer of comfort, reassuring members that they’re transacting with legitimate and well-controlled counterparties. When a network like TRUST has its own due diligence process, it enhances the compliance posture of every participant and strengthens the ecosystem as a whole.

That said, this should never replace internal due diligence. Each firm still needs to assess its own risk tolerance and decide whether to transact with a particular VASP. But TRUST’s process provides an additional, independent data point that helps firms make more informed decisions and refine their controls.

TRUST also brings value from a data privacy perspective, as firms must meet high security standards to keep information sent from other members safe as their own. The technology in TRUST enables mechanisms for secure, peer-to-peer data exchange that align with both regulatory and privacy requirements.

Q: What do you see as the most challenging aspects of VASP Due Diligence today?

David: Onboarding digital asset firms, in general, is challenging because of the complexities of certain business models. Furthermore, digital asset firms innovate extensively in terms of products, customers, and geographies. 

Consequently, the same firm may have a very different risk profile in 2025 than it does in 2026 or 2027. Periodic due diligence is therefore more important in the digital asset ecosystem than it is in traditional finance, due to the pace of change - firms need to be aware of how the risk profile of their counterparties is changing and evolving. 

Compliance teams are already stretched, so it is challenging to keep up with the cadence of periodic review in the midst of other core initiatives. A deep understanding of counterparties' licensing and AML posture is required for appropriate Travel Rule compliance, and firms need to monitor that not just at onboarding, but on an appropriate periodic basis thereafter. 

Closing Thoughts

David's insights on how to approach due diligence in the crypto ecosystem, particularly when onboarding counterparties or complying with the Travel Rule, highlight the dynamics that differ from traditional finance. 

As digital assets enter a regulated phase, which is needed for institutional adoption, networks of trusted players are expected to arise, with TRUST standing out as a leader that counts the top 5 global VASPs and many more among its members.

Since the Travel Rule obliges crypto firms to know their counterparty, their legitimacy and associated AML risks before engaging in transactions, Counterparty Due Diligence is clearly a key step for compliance in Travel Rule transactions. 

However, as the regulation also mandates sharing customers’ identifiable, sensitive data with external businesses, Counterparty Due Diligence becomes an even more critical part of any compliance program, protecting the firm from data, reputational, and AML risks.

About Capgemini

With over 400,000 employees across more than 50 countries, Capgemini is one of the world’s leading consultancies, working with dozens of top global banks. 

In 2022, the company expanded its Financial Crime Compliance Team by creating a Digital Asset Practice, offering end-to-end advisory services across Know Your Customer (KYC), sanctions screening, transaction monitoring and broader financial crime compliance governance.

Written by:
About Hannah
Head of Regulatory Affairs

Hannah has extensive international crypto experience. She has worked at a Nordic crypto exchange, is part of the DLT Talents program at Frankfurt School Blockchain Center, and currently leads the marketing and regulatory engagement efforts at 21 Analytics. Her crypto regulation research powers 21 Analytics' growth strategy. She writes digestible explainers based on her deep Travel Rule knowledge and engages with policymakers and industry groups.
