Global Travel Rule Regulations:
What Are the Requirements?
What is the FATF Travel Rule, and how do you comply?
Fighting financial crime has always been a top priority for regulators around the world, and the crypto industry is no exception.
The Financial Action Task Force (FATF) is an inter-governmental body whose objectives are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.
The FATF has developed a series of Recommendations that are recognised as the international standard for combating money laundering and the financing of terrorism and proliferation of weapons of mass destruction. Virtual asset service providers (VASPs) are in scope and thus should comply with those recommendations.
The FATF monitors the progress of its members in implementing necessary measures, reviews money laundering and terrorist financing techniques and counter-measures, and promotes the adoption and implementation of appropriate measures globally.
What is a Virtual Asset (VA)?
The FATF defines a virtual asset as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes”.
The FATF generally does not consider Non-Fungible Tokens (NFT) as virtual assets, but this depends on their characteristics. They may fall under the definition if they are used for “payment or investment purposes”.
It does not matter what an asset is called. What matters are the characteristics of the asset and how it functions. This is called a “functional approach”.
In practice: any cryptocurrency (like bitcoin and ether)
What is a virtual asset service provider (VASP)?
The FATF defines a VASP as: “any natural or legal person who (…) as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- Exchange between virtual assets (VA) and fiat currencies;
- Exchange between one or more forms of VA;
- Transfer of VAs (eg moving “a virtual asset from one virtual asset address or account to another”); and
- Safekeeping and/or administration of VAs or instruments enabling control over VAs;
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a VA”.
The definition of VASPs is very broad and covers CeFi and most DeFi services. Unhosted wallets are still out of scope, depending on their settings.
Unhosted wallets (also known as non-custodial or private wallets) can be defined as software or hardware that allows a user to hold, store and transfer virtual assets that are not in the custody of a VASP. The owner of the virtual asset is the only one with full control. No third party can access them. With unhosted wallets, the owner is responsible for providing wallet security and protecting the private keys that they fully control.
In practice: currency exchanges, trading platforms, crypto funds, brokers, custodial wallet providers, issuers of payment and hybrid tokens, financial institutions dealing in virtual assets, etc.
What is the FATF Travel Rule?
The FATF travel rule is nothing new to the traditional financial world and has been in force for a couple of decades. Today, everyone knows about SWIFT messages and the requirement to input at least the name, address, and account number before being able to make a transfer from your bank account to someone else's bank account. Your bank will ask for this information in order to comply with the so-called Travel Rule.
The travel rule relates to the exchange of information on the originator and beneficiary for any funds transfer carried out on behalf of an originator with a view to making funds available to a beneficiary. Required information has to be transmitted immediately and securely.
It has been designed to help law enforcement agencies prevent, detect, investigate and prosecute money laundering, sanction breaches and other financial crimes by allowing them to keep track of persons sending and receiving funds through official funds transfer systems.
Since 2019, the Financial Action Task Force (FATF) has strongly recommended that the Travel Rule apply to VASPs, whether the transactions are in fiat or virtual assets. The Travel Rule is to be implemented if the transactions involve a traditional wire transfer, a virtual asset transfer between a VASP and another obliged entity, or a virtual asset transfer between a VASP and an unhosted wallet. The latter was recently included in the FATF's 2021 revised guidance on a Risk-Based Approach: Virtual Assets and Virtual Asset Service Providers.
Interestingly, the FATF emphasized that “transaction fees relating to a VA transfer are not within scope of the travel rule”.
The required information to be obtained, transmitted and kept includes the originator's name, account number, physical address, national identity number, or customer identification, or date and place of birth, or the beneficiary's name and account number.
The FATF has set up a threshold of a minimum of USD/EUR 1000. Under that threshold, countries are only required to ask VASPs to collect the name of the originator and the beneficiary as well as the virtual asset wallet address for each or a unique transaction reference number.
VASPs are also required to undertake due diligence on their counterparties before transferring any information, as well as trust the counterparty with their customers' data.
In practice: before sending funds, VASPs should perform due diligence on their counterparty, then obtain, hold and transfer verified data on the customers. The information received from the counterparty does not need to be verified but it needs to match the VASP's existing records. The Travel Rule helps prevent and mitigate the risk of money laundering, sanction circumvention, and financing of terrorism.
The Financial Action Task Force, which is an intergovernmental body, started looking at virtual assets in June 2014 with a report called “Virtual Currencies: Key Definitions and Potential AML/CFT Risks”.
In June 2015, it published the first guidance for a risk-based approach to virtual currencies focusing on regulated exchanges.
In October 2018, the FATF adopted changes to its Recommendations to explicitly clarify that they apply to financial activities involving virtual assets, and added two new definitions to its glossary namely Virtual Asset (“VA”) and virtual asset service provider (“VASP”).
In June 2019, the FATF published the Interpretive Note to Recommendation 15 on New Technologies and the guidance for a Risk-Based Approach: Virtual Assets and Virtual Asset Service Providers. In those documents, the FATF clarifies how its recommendations apply in relation to VAs and VASPs, in particular with regard to the application of the risk-based approach (RBA) to VA activities or operations and VASPs; supervision or monitoring of VASPs for AML/CFT purposes; licensing or registration; preventive measures, such as customer due diligence, recordkeeping, and suspicious transaction reporting, among others; sanctions and other enforcement measures; and international cooperation.
In a nutshell, the guidance subjects VASPs to the same requirements as financial institutions.
In June 2020, the FATF published a 12-month review of the revised FATF standards on VAs and VASPs, in which it acknowledges gaps in global implementation and addresses stablecoins, the travel rule and unhosted wallets.
In September 2020, it published a report identifying red flag indicators to help authorities, financial institutions and VASPs detect whether VAs are being used for criminal activity.
In March 2021, the FATF published a draft updated guidance, in which it clarifies the definitions of VAs and VASPs, giving concrete examples of what is in scope. This draft has been criticized by the industry as extremely broad, bringing into scope almost all types of VA activities, especially DeFi, which was not previously included.
In July 2021, the FATF published the second 12-month review of the revised FATF standards on VAs and VASPs, in which it found that gaps in implementation created vulnerabilities, pressed for implementation of the travel rule, and provided market metrics on peer-to-peer transactions.
The FATF published the final version in October 2021, in which it confirms that “exchange of services may [...] occur through DeFi” and thus is in scope. The FATF clearly confirms that as long as “creators, owners and operators” maintain “control or sufficient influence” and the service provides “financial services”, then it falls under the definition of a VASP.
The FATF gives examples of what it means by “control or sufficient influence”: creation and launch of a virtual asset, developing DApp functions and user interfaces for accounts holding an administrative “key” or collecting fees, setting parameters. The notion of “providing financial services” is key.
For safekeeping and administration, the term “control should be understood as the ability to hold, trade, transfer or spend the VA”.
The FATF gives a set of indicia to determine who maintains control or sufficient influence:
- “who profits from the use of the service or asset
- who established and can change the rules
- who can make decisions affecting operations
- who generated and drove the creation and launch of a product or service
- who maintains an ongoing business relationship with a counterparty party or another person who possesses and controls the data on its operations
- who could shut down the product or service”.
The FATF is also pushing countries to implement the Travel Rule as soon as possible while acknowledging that this might still be challenging and allowing countries “to take a staged approach to the enforcement of the Travel Rule requirements”.
When should you get ready?
FATF recommendations are not binding and need to be implemented by each country to become legally binding. Even if the Travel Rule is not yet binding in your country of operations, your customers may interact with customers located in jurisdictions where it is already a requirement, so you will have a touch point with it. It is better to always be prepared and have a plan in place for when it is enforced in your jurisdiction. It will enable an easy transition and will greatly reduce the impact on your customer journey.
So when should you start getting ready? The short answer is NOW. Have a plan in place and start interacting with the right providers that can help you comply with the Travel Rule without impairing your customer relationship.
How to comply?
Choose the right partner for implementation or implement it yourself by using open, permissionless protocols such as TRP from the OpenVASP Association.