The travel rule: compliance guidance for cryptocurrency exchanges

Following the dramatic rise in investment in cryptocurrencies and Bitcoin over the last few years, regulators are now setting their sights on this dynamic, rapidly evolving corner of the financial services industry. The Financial Action Task Force (FATF), an independent inter-governmental body that develops and promotes Anti-Money Laundering (AML) and Know Your Customer (KYC), has published further guidance on how its 37 members should regulate cryptocurrency exchanges.

While many in the industry welcome regulatory oversight, as it provides clarity and certainty for both investors and operators, one piece of guidance — Recommendation 16 — has caused significant controversy. The so-called travel rule requires “obligations to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities.”

The FATF doesn’t refer to this recommendation as the travel rule. But it has a striking similarity to an earlier Bank Secrecy Act (BSA) rule [31 CFR 103.33(g)] with that moniker, which requires all financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution.

Note that these obligations are reliant on member countries implementing the rules into their laws or regulations; the FATF does not have any direct enforcement mechanisms. However, the FATF does carry significant moral authority, as no member wants to be affiliated with money laundering and international crime. It seems just a matter of time before the travel rule for cryptocurrencies becomes enshrined in laws and regulations in the major economies around the world.

In that case, the rules will apply to virtual asset service providers such as cryptocurrency exchanges, transfer services, custodial or host wallet providers and other possible business models. They suggest a threshold limit of $1,000 or €1,000 to be in line with regulations covering wire transfers, but this limit will depend on specific country requirements.

In October 2020, financial regulators in the U.S. proposed rules to modify the BSA to reduce the general travel rule threshold from $3,000 to $250 for international transfers.

A new legal environment for cryptoassets

Unlike banks, cryptocurrency exchanges don’t currently have a legal or technological framework to obtain, hold and transmit identifying information of both parties of the transaction. On the legal side, while there has been progress in various jurisdictions regarding policy and regulatory approach to cryptoassets, there’s no global consensus or cross-border clarity. Exchanges operating in different countries could have widely different regulatory expectations.

While some cheer for clear legal standards, others think they are anathema to distributed ledger technologies, where the original concept is to exchange tokens without any need for third-party oversight. Many enthusiasts point to the fact that cryptocurrencies don’t need banks, governments or other organizations as their defining feature, making them a bastion of privacy and sovereignty.

The ability to obscure transactions is what’s prompting the FATF and regulators to demand insight and oversight for virtual assets. Cryptocurrencies have been used to launder money, transmit funds for illegal activities and otherwise circumvent financial controls, and governments are trying to close that loophole.

An unknown technology frontier

As the industry grapples with ensuring a fair and transparent exchange, rapidly onboarding customers, complying with all relevant regulations and many other issues of developing a new financial marketplace, the travel rule is a whole other level of technology.

Processes on verifying information, securing this information and safeguarding this information between only the specific parties will need to be addressed. In this era of data breaches and robust data privacy laws, coming up with a new framework that satisfies all requirements is a unique challenge.

Even more problematic is the decentralized nature of cryptocurrency. Virtual currencies operate across borders and systems, and there are numerous technologies and channels for transactions. Virtual wallets, P2P exchanges, cryptocurrency kiosks, dapps (decentralized applications), ICOs, internet casinos and multi-sig wallets (multiple signature) are among some of the technologies that require consideration.

Historically, there has been very little synchronization or coordination between these different cryptocurrency systems. They will now have to work together to create interrelationships and/or technology that works for all parties — and quickly. 

One potential solution that has the backing of ING Bank, Fidelity Investments, Standard Chartered and 25 VASPs is the Travel Rule Protocol. Their goal is to “Create a first-generation, minimal, workable, pragmatic API specification for compliance with the FATF Travel Rule in a timely manner. Minimize fragmentation and maximize interoperation of solutions” and their Version 2.0 launched in June.

Another option is the Travel Rule Information Sharing Alliance, which is a working group to provide “interoperability with open security standards and emerging messaging standards such as InterVASP, OpenVASP, and BIP75, and easy integrations backend systems.”

The initial FATF guidelines were published in June 2019, and have now been followed up by two 12-month reviews. The second 12-month review of the implementation of FATF’s revised Standards on virtual assets and VASPs, released in June 2021 notes:

• 58 out of 128 reporting jurisdictions advised that they have now implemented the revised overall FATF Standards.
• Only 23 jurisdictions have introduced travel rule requirements, of which only 10 reported that they were enforcing these requirements.
• There are not sufficient holistic technological solutions for global travel rule implementation that have been established and widely adopted.

The private sector has made progress in developing technological solutions to enable the implementation of the ‘travel rule’. However, the majority of jurisdictions have not yet implemented the FATFs requirements.”

In the U.S., FinCEN ruled that the previous existing travel rule requirements do apply to cryptocurrency exchanges. Switzerland’s Financial Market Supervisory Authority (FINMA) released guidance on August 26 that says, in part:

“No system currently exists at either a national or an international level (such as, for example, SWIFT for interbank transfers) for reliably transferring identification data for payment transactions on the blockchain. Neither are bilateral agreements between individual service providers in existence to date.”

However, it’s not necessary that the identity information transfer be on the blockchain, as “the provision must be interpreted in a technology-neutral way.” Payment transfers, whether by bank transfer, blockchain or other method, should be treated the same and face the same AML/KYC laws. Other payment channels can comply with this requirement, so FINMA “expects information about the client and the beneficiary to be transmitted with token transfers in the same way as for bank transfers.”

Under Recommendation 16, all virtual asset service providers will be required to provide the originator’s details (name, account number, physical address or national identity number) and the beneficiary’s information (name and account number).

Cryptocurrency exchanges will be well served to examine the existing AML/KYC regulations and ensure their compliance with those requirements. Additionally, if they are not currently meeting Recommendation 16 requirements, they should anticipate that they will soon need to.

Steps taken to facilitate compliance with these requirements will help the cryptocurrency industry transition to the new regulatory regime, improve the perception of trust with regulators and customers, enable better cross-border procedures and help develop a thriving industry ecosystem.

More crypto: ID verification | KYC for crypto | Resources | Posts

This article first appeared on CryptoBusinessNews and was published here on December 18, 2019. It has been updated to reflect the latest industry developments and best practices.