UK Travel Rule Hard-To-Comply Points & How To Overcome Them
It has been more than a year since the UK government announced its plans to make the UK a global cryptoasset technology hub, after the country doubled the number of adults who are crypto users, up to 10% of the population. Although there is a clear rise in market demand, 85% of crypto firms that applied to the Financial Conduct Authority (FCA) failed to meet minimum standards required regarding anti-money laundering (AML) and counter-terrorist financing (CTF).
From this week on, crypto businesses in the UK will face an additional compliance challenge, the Travel Rule. Made in 21 July 2022 and coming into force this 1 September 2023, the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 defines the obligations for UK crypto business regarding the collection, storage and transmission of data on the originator and beneficiary persons involved in crypto transactions.
The details of the regulation, including the types of businesses that must comply, the threshold of application, the data points required and more, are listed and summarised in the UK Travel Rule Regulation page. In this blog, we will uncover the specific challenges brought forth by the Travel Rule in the United Kingdom and possible approaches crypto firms can take to ease compliance and keep business great as usual.
Quarantining and Returning Crypto Funds
In the context of a Travel Rule transfer, cryptoasset businesses may be positioned either in an originator or in a beneficiary position. Intermediary businesses generally face the same issues as beneficiary ones, as, to be compliant, they need to receive information from their counterparty - while originators can more easily comply with the data collection requirements, but may struggle to communicate them to their counterparty due to a number of reasons (sunrise issue, different Travel Rule protocols supported, uneven jurisdictional obligations, etc).
Apart from collecting data to allow the tracing of crypto funds in criminal activity, the goal of the Travel Rule, according to the FATF, is to give crypto firms all the information needed to perform a transfer risk assessment before or during its execution. Inherently pushed by the FATF and based on its Recommendations, the UK law demands that beneficiary and intermediary businesses check if the required information was received and if it corresponds with its own customer due diligence’s verified information before making the funds available to the beneficiary (see regulation 64D).
Becoming aware of a discrepancy or missing information, the crypto business must request it from the crypto business of the originator and consider, based on risk assessments, whether to delay making the funds available or return them (see regulation 64D). The Guidance by the Joint Money Laundering Steering Group (JMLSG) even highlights that beneficiary crypto businesses need to consider the risks and complexities of returning a transfer prior to doing so, and should make reasonable efforts to ensure that the transfer is able to be returned to the originator.
It is visible how this may negatively impact both crypto businesses involved in the operation and their customers: from transaction delays to the burdens (and costs) of returning a transaction. However, it is also clear to see that, if the transfer of Travel Rule data happens before the transfer of crypto funds, the scenario of returning crypto funds is completely avoided.
Crypto companies leveraging TRP can natively do that, completely staying away from funds return. With TRP’s Travel Address, a transaction notification can be sent in advance of the transfer of the cryptoasset, which requires approval or rejection from the beneficiary business. This allows the originator firm to only become aware of the beneficiary’s wallet address once Travel Rule data has been exchanged and the transaction has been approved to take place.
This prevents transfers from being completed without the beneficiary business approval; hence, there would never be the need to quarantine or return any assets - and the crypto business would never hold any assets that still need Travel-Rule-clearance. Once again, the design of TRP protocol guarantees complete and maximum efficiency for compliance with the Travel Rule.
Self-hosted Wallet Transfers
According to the UK Travel Rule (see regulation 64G), crypto businesses may need to collect Travel Rule information in transfers involving self-hosted wallets, depending on the threshold and risk-based approach performed. According to the JMLSG Guidance, in higher-risk cases, firms should take further steps to ascertain the source of funds in the self-hosted wallets, and should only allow the transfer if their customer can prove control over the wallet via appropriate solutions, citing micro deposit and cryptographic signature as examples.
The requirement to collect information on the owner of the self-hosted wallet is present in several countries’ Travel Rule implementations, with some demanding wallet ownership verification. The methods used by each type of business, or accepted by authorities, often vary. However, the UK market has clear guidance on which technological processes firms can use.
Micro deposits are also known as Satoshi Tests. Led by the compliance and customer care team, businesses may take a manual approach and put the customer through a lengthy and complicated process. Usually through chat or email, the firm agrees on a small cryptocurrency amount and a time-window for the onboarded customer to send funds to a specific address. Once they complete the transaction, they have proved wallet control by an onboarded, identified, user. The cryptobusiness can whitelist that address, green-lighting transactions involving that wallet, and the user is reimbursed.
Crypto businesses in the UK, using 21 Travel Rule, will be able to record, manage and store Satoshi Test proofs. However, depending on the type of the business, we may recommend using other types of verification of wallet address ownership, including the cryptographic signature mentioned in the Guidance.
Every crypto wallet can cryptographically sign a message that attests the address ownership. In fact, that is precisely what a wallet does when performing crypto transactions. For this reason, a cryptographically signed message received by the business from its customer is the most reliable method of tying an identified customer to an address, since the signature can only be provided by a person holding the wallet's private key. Moreover, it is a faster and uninterrupted way customers can prove wallet ownership and proceed to perform transactions as always.
This is why 21 Travel Rule supports signed messages and encourages crypto companies to leverage it, so they can offer the most frictionless and fastest experience for customers while fully complying with the Travel Rule. We have gone a step further and developed an automated protocol for this: AOPP, which allows an even more seamless experience for customers, while achieving the same result for compliance teams.
As discussed, there are specific Travel Rule challenges that crypto businesses registered with the FCA will face. However, protocols, like TRP, that are open, extensible and fit for global use may have these issues figured out. 21 Analytics is a leader contributor to the messaging protocol, but its 21 Travel Rule solution is comprehensive by covering the self-hosted wallet ownership requirement to offer crypto businesses with the verification methods that best fit their current processes and market.
To learn more about how 21 Travel Rule can support your compliance with the UK Travel Rule, reach out to us.