Everything VASPs Need to Know about the FATF Travel Rule

What Is the FATF Travel Rule?

In 2019, the Financial Action Task Force (FATF) broadened its scope of anti-money laundering and counter-terrorist financing (AML/CFT) measures to cover virtual assets and virtual asset service providers (VASPs), represented in Recommendation 16, commonly referred to as the Travel Rule.

This expansion aimed to curb criminal and terrorist misuse within the virtual asset sector. Following this development, the FATF conducted three reviews to assess the implementation of its standards regarding virtual assets and VASPs.

Upon implementation, Recommendation 16 acts as a regulatory framework that VASPs must adhere to when executing virtual asset transfers. As outlined in Recommendation 16, VASPs are mandated to gather, verify, and exchange specific customer information before facilitating any virtual asset transfer. Additionally, it outlines the protocols governing transactions involving self-hosted wallets.

The FATF's Travel Rule is a significant measure in the ongoing battle against AML/CFT. Its primary objective is to empower VASPs and financial institutions to prevent terrorists, money launderers, and criminals from using wire transfers, including those involving virtual assets, to transfer funds.

Moreover, the Travel Rule aids in the detection and mitigation of such illicit activities, should they occur. Its principal aims ensure the accessibility of originator and beneficiary information for the following purposes:

• Assisting law enforcement authorities in detecting, investigating, prosecuting, and tracing terrorists or other criminals and their assets.
• Facilitating financial intelligence units in the scrutiny of suspicious or unusual transactions.
• Equipping ordering, intermediary, and beneficiary VASPs and financial institutions with the means to identify and report suspicious transactions, freeze funds, and preempt transactions involving sanctioned individuals or entities.

[Source: https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html]

Which Businesses Are Affected by the Travel Rule?

In 2019, the FATF recommended that the Travel Rule apply to VASPs for both fiat and virtual asset transactions. It was determined that the Travel Rule is to be implemented if

• The transactions involve a traditional wire transfer or
• A virtual asset transfer between a VASP and another obliged entity or
• A virtual asset transfer between a VASP and a self-hosted wallet.

The latter two points were recently included in the 2021 FATF's revised guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. VASPs are also required to undertake due diligence on their counterparties before transferring any information and trust the counterparty with their customers' data

What Do VASPs Have to Do to Comply with the FATF Travel Rule?

To comply with the Travel Rule, VASPs must furnish virtual assets transfers with information on their originator and beneficiary. This information must be obtained, held, and shared with the counterparty before the virtual asset transfer takes place. Additionally, the information must be available on request to competent authorities upon request and be stored for a minimum of 5 years.

Please note that the implementation of the Travel Rule does vary from jurisdiction to jurisdiction. The information above is merely a guide.

What Information Does the Travel Rule Require?

As per the FATF Travel Rule, the following information is to be verified by the originator VASP before transacting,

• Originator's name,
• Originator's account number,
• Originator's physical address OR
• Originator's national identity number, or customer identification, or date and place of birth.

With the below information to be verified by the beneficiary VASP before transacting,

• Beneficiary's name,
• Beneficiary's account number.

The verification process is only a piece of the Travel Rule's core. To implement the Travel Rule successfully, this information is to be transmitted to the beneficiary VASP and stored.

The information provided above is a guide; please note this can vary from country to country. Before transacting, verify what information is required in the jurisdiction you will be transacting in.

What Is the Travel Rule’s Threshold?

The FATF recommends a threshold of EUR/USD 1000, but there are exceptions to this amount.
For example, in Switzerland, where the threshold is 0. For any transaction that surpasses this amount, information will need to be exchanged between the originator – the person sending the virtual assets and the beneficiary - the person receiving the virtual assets. Another example of a regulation that stipulates a zero threshold is the Transfer of Funds Regulation (TFR).

Does the Travel Rule Apply to Every Crypto Transfer?

The Travel Rule applies to every crypto transaction between VASPs if the Travel Rule is active in at least one of the transacting VASP's jurisdictions. Moreover, jurisdiction-dependent, the Travel Rule may apply to transactions between VASPs and self-hosted wallets.

What Is the Travel Rule for Self-hosted Wallets?

Self-hosted wallets earn a separate section - 179 and 180 - in the updated guidance from the FATF. For one, self-hosted wallets are considered of higher risk in general. Also, when receiving a deposit from a self-hosted wallet, a VASP must gather the same data as in a VASP-to-VASP transaction. That means that the VASP needs to obtain the originator's information, but that data can be unverified. The beneficiary data should again be acquired from the originator.

Self-hosted wallet requirements vary from jurisdiction to jurisdiction. I.e. in Liechtenstein, enhanced due diligence must be applied when dealing with self-hosted wallets; wallet owners are to provide proof of ownership. In contrast, the US implementation of the Travel Rule does not include self-hosted wallets.

Read more about self-hosted wallet verification methods here.

Read: Regulatory Frameworks that Include Self-hosted Wallets.

What Is VASP Counterparty Due Diligence?

Due diligence is the process of conducting a thorough investigation or research into a potential business partner, client, or any other entity with which you intend to establish a business relationship. The goal is to gather relevant information to assess their credibility, financial stability, legal compliance, and other factors that could impact the business relationship.

In the context of VASPs, this would involve investigating the background and legitimacy of another VASP before establishing any kind of financial or operational connection. Examples of conducting due diligence are through the collection and storage of identification data, copies or records of official identification documents like passports, identity cards, driving licenses or similar documents.

Read: 4 Tips for VASPs When Performing Counterparty Due Diligence.

How to Comply with the Travel Rule as a Crypto Business?

The Travel Rule requires data to be exchanged between the originator and beneficiary. For a VASP to successfully do so, it needs to implement a Travel Rule protocol or a Travel Rule solution.

What Is a Travel Rule Solution?

A Travel Rule solution is a complete package, like 21 Travel Rule. It is software with an existing protocol. Depending on the capabilities of the software, more than one protocol can be utilised, resulting in a multiprotocol solution.

What Is a Travel Rule Protocol?

A Travel Rule protocol is a set of rules that define how to transmit customer data between Travel Rule solutions. Often, a Travel Rule protocol follows IVMS 101 to ensure a standard format when transmitting this data.
Usually, if a standard format is not adhered to, your counterparty’s Travel Rule software will not be able to process the transaction, and an error message will be sent back to you. A protocol can not be “seen” by a compliance professional because it consists of machine data transmission over a network.

21 Travel Rule’s main protocol is the Travel Rule Protocol (TRP)

How to Know Which VASP Owns a Specific Address

Regular blockchain addresses do not contain any VASP information; VASPs can determine which VASP owns a specific address via the Travel Address.
The Travel Address provides information on where the assets are being sent and who controls the address. Moreover, the user experience for the end user remains unchanged

This is also known as the Discovery Problem.

Read: Is There a Difference Between an IBAN and a Travel Address?

What Is the Discovery Problem?

The Travel Rule requires VASPs to send customer information to their counterparty, as a crypto transfer must be accompanied by personally identifiable information (PII).
However, a standard wallet address contains no information on the VASP that holds it. So, how to know where to send the required Travel Rule data - this is the discovery problem.

What Is the Travel Rule’s Sunrise Issue?

The FATF Travel Rule guidance is relatively new. Only in October 2021 was the guidance finalised. But it is merely that, a guidance. It is up to the myriad of different legislators worldwide to take this guidance and convert it into law.

Some jurisdictions are quick to adopt the guidance, others less so. That means that the legislature is coming into effect in a staggered manner. Switzerland, the UK and Singapore have already enforced it, while other countries still need to take the initial steps.

What are the Challenges to Implementing the Travel Rule?

As the FATF Travel Rule is only a guideline, different jurisdictions have implemented it with various levels of severity, resulting in 3 main challenges: interoperability, the sunrise issue (discussed above), and issues regarding data protection.

Interoperability

Interoperability is a necessity for VASPs because Travel Rule data exchange does not rely on a single solution or protocol but encompasses multiple options. VASPs cannot guarantee the specific solution their counterparties are employing, but they must ensure that they can engage in transactions seamlessly, regardless of the solution.

Achieving interoperability requires that two solutions adopt a common protocol. In this context, a protocol functions as the shared language used by each solution.

Data Protection

As the Travel Rule mandates the collection, holding, and sharing of delicate customer data, VASPs need to ensure that their solution can do so while conforming to their jurisdiction’s data protection laws. 

Moreover, VASPs need to consider their counterparty's data protection laws. Perhaps their counterparty’s data protection laws are less stringent, or perhaps their counterparty does not have appropriate data protection methods in place. In circumstances like these, sharing customer data could put both the originator and the customer at risk.

How Will the Travel Rule Benefit AML/CFT Efforts?

The FATF conceived the Travel Rule to help law enforcement agencies keep track of persons sending and receiving funds through official funds transfer systems. This vigilance prevents, detects, investigates and prosecutes money laundering, sanction breaches and other financial crimes.

Where Can I Find More Information about the FATF Travel Rule?

Read more about the FATF Travel Rule on 21 Analytic’s blog, or you can find a list of useful primary sources below:

List of FATF documents in chronological order

• Virtual Assets: Targeted Update on Implementation of the FATF Standards on VAs and VASPs (2024)
• The FATF Recommendations
• Virtual Assets: Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers (2023)
• Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers

Development of the FATF and Its Recommendations

For a comprehensive history, click here.