The last few years have been marked by a clear evolution in the way cryptocurrencies are viewed and regulated by national and international authorities. As the popularity, transaction volumes and market caps of cryptos have grown, so too have the Anti Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulatory regimes designed to prevent cryptocurrencies from being used for illicit purposes.
Rather than reducing the use of cryptocurrencies, the emergence of more far-reaching and considered regulation has provided the crypto space with the chance to grow and steadily become more widely accepted as a legitimate, decentralized financial ecosystem.
However, greater regulation has not been a simple context to adapt to, both for actors in the crypto space such as Virtual Asset Service Providers (VASPs), as well as national regulators that have had to transpose international financial regulatory regimes related to VASPs into their national law codes.
Two terms that are of key importance in any discussions on crypto-related compliance issues are Know Your Customer (KYC) and the Travel Rule. Put simply, KYC involves gathering data on individuals and companies that use a Financial Institution (FI) or VASP’s services, while the Travel Rule refers to the collection and transmission of data relating to transactions that an FI or VASP facilitates.
While Travel Rule Compliance and KYC frequently come up in discussions of VASP and crypto-related regulatory issues, the concepts are not interchangeable. However, they are somewhat symbiotic and related. The two concepts are also both frequently discussed within the crypto space for good reason: ignoring them is simply not an option for any VASP that wants to remain on the safe side of the rapidly expanding regulatory axe, both from a jurisdictional and global perspective.
In this article, we’ll briefly expand on what each term/concept refers to, and how they relate to one another.
KYC does not refer to a specific set of data, or a process that is unique to a single organization or jurisdiction. KYC is a process that has been developed in order to allow companies to enact robust CDD/AML policies and to comply with regulatory regimes that require specific information to be gathered on individuals or companies that register for and use their services.
Although KYC is most commonly associated with companies involved in facilitating financial transactions, such as Financial Institutions (FIs) and Virtual Asset Service Providers (VASPs), other types of companies can use KYC too.
Most banks will want to have clear and verified KYC information on individual and corporate customers they onboard. For individuals this usually means providing a proof of address, government-issued ID and potentially other more detailed information, such as credit history if you’re applying for a loan. Similarly, most crypto exchanges also require some kind of identity verification before providing an individual with an account, such as a screenshot of your passport and often a video-call interview to ensure they are dealing with who you claim to be.
Corporate KYC can be more complicated, and involve running checks of sanctions lists and understanding often opaque ownership structures of businesses before an FI or VASP can onboard them.
Gathering and verifying KYC information can be a resource-intensive activity for any company, and many of them do not do it well as a result. A CipherTrace report from 2019 and updated last September found that two thirds of crypto exchanges it reviewed had weak KYC processes in place. Many VASPs and FIs spend big chunks of their budgets on employing large and expensive compliance teams for manually checking clients; a process that can be significantly optimized by taking a Risk-Based Approach (RBA) that automates low-risk KYC checks and only refers more high risk customers for Enhanced Due Diligence (EDD), carried out by humans.
Different jurisdictions also have different laws for what kind of KYC information companies need to gather on their customers. For example, in most countries, FIs need to gather KYC data on their customers, but not all telecommunications companies do; some countries still allow people to buy SIM cards without providing any form of ID whatsoever.
However, while the degree and extent of KYC gathering required of FIs can vary across jurisdictions, when it comes to financial services, most jurisdictions seek to comply with global financial regulatory regimes – such as the Financial Action Task Force (FATF)’s Recommendations and Wolfsberg standards – and doing so involves national regulators ensuring that FIs and VASPs operating in their jurisdictions are obtaining the necessary degree of KYC information from individual and corporate clients they onboard.
Which brings us to the Travel Rule.
The Travel Rule
The ‘Travel Rule’ is a colloquial term commonly used for the FATF’s Recommendation 16, which stipulates that FIs and VASPs need to gather and transmit specific pieces of information on the originators and receivers of transactions equalling or above 1000 USD/EUR – similar to the US’ Banking Secrecy Act (BSA), which first established the term ‘Travel Rule’.
We discuss the Travel Rule frequently, because it is one of the trickiest and most important for VASPs to comply with. This is because compliance is not something that is just attained once and forgotten; the Travel Rule involves constantly registering transactions occurring on or through a VASPs network that fall equal or above its threshold, which for some crypto exchanges total in the millions per year.
The FATF expects its signatory countries, which currently number 39 – as well as any other country that doesn’t want to be placed on one of its ‘black’ or ‘grey’ lists and face exclusion or sanctioning from its network of signatories – to transpose its Recommendations into their national law codes.
The Travel Rule stipulates that FI and VASP originators or senders of transfers of over $1000 need to submit the following pieces of information to beneficiaries, whether they are other VASPs or other financial institutions:
- Sender name
- Sender account number
- Sender address, national ID or passport number, or date and place of birth
- Beneficiary name
- Beneficiary account number
So, the Travel Rule involves compelling FIs and VASPs to gather and transmit KYC information.
And therein lies the crux of the difference between the two terms. KYC is a process that FIs, VASPs and some other types of companies need to carry out as part of their AML/CDD efforts, while the Travel Rule is a global regulatory guideline that national governments need to implement in their own national regulatory regimes. By adopting and effectively implementing the Travel Rule, national regulators will be establishing a standardized AML protocol for FIs and VASPs to gather and share KYC information on their users and customers.
KYC-Chain is making the process of gathering and transmitting KYC information easier, faster and safer for companies, without the need for establishing large and vulnerable centralized databases to store this sensitive information. In parallel, our partner network SelfKey is also taking on the challenge of making end-to-end Travel Rule compliance more straightforward for VASPs through its Compliance Hub Solution.
Is your organization looking for a way to ensure compliance in today’s fast-changing regulatory environment? Get in touch and we’ll be happy to discuss ways we can help, or you can also book a demo to see how our solutions work.