icon-clock 5 MINUTES

What is the FATF Travel Rule?

Last year, the FATF made a landmark recommendation regarding cryptocurrency and virtual assets. Here’s what you need to know.

Last year, the Financial Action Task Force (FATF) made an amendment to Recommendation 16, which covers wire transfers. This amendment is known as the Travel Rule. The Travel Rule is a recommendation that was originally created for banks, but has now been expanded to include virtual assets and exchanges.

As a result, it is set to have a major impact on the cryptocurrency industry as a whole. In this article, we will walk you through everything you need to know about the Travel Rule.

What is the Travel Rule?

The Travel Rule itself is not very complicated. Essentially, it is an anti-money laundering (AML) initiative that requires financial institutions to share information about their customers and assume the responsibility to report suspicious activities. The Travel Rule was previously limited to banks only, and closely mimics the Bank Secrecy Act (BSA) in the United States.

As mentioned earlier, the Travel Rule has now been expanded to include Virtual Asset Service Providers (VASPs). VASPs include any individual or business that conducts the following activities as part of their services:

Prior to the FATF’s mandate, the cryptocurrency industry was largely self regulating. Individual countries have made some rules in an effort to prevent money laundering and terrorist financing, but there has been a lot of confusion and no overarching international regulations.

Now under the Travel Rule, VASPs are required to share the identities of users involved with any virtual asset transfers valuing $1000 USD or more. This poses a number of unique problems, especially when you consider the decentralized and anonymous nature of many cryptocurrencies, but we will dive more into that later.

VASPs will now need to obtain and verify customer identification with one another. Here’s an example of what data needs to be shared. Alice is sending Bob $1500 USD worth of Bitcoin. Alice is sending the payment from her crypto wallet hosted by Exchange 123 to Bob’s wallet, provided by Exchange XYZ. 

Exchange 123 will need to send Alice’s name, account number, physical address (if she’s in the USA), and national ID number or customer ID number or place and date of birth to Exchange XYZ. In turn, Exchange XYZ will need to send Bob’s name and account number to Exchange 123. If the transfer is deemed to be suspicious, one or both exchanges will need to submit a suspicious transaction report to the relevant authorities. As you can see, it’s a process that requires a fair amount of information being exchanged.

Any Questions?

Our team is always ready to help you and your business.

How can VASPs comply with the Travel Rule?

Aside from sharing customer data with other VASPs or the authorities, VASPs also have a number of other duties they must fulfill in order to be compliant. 

The first is that ongoing transaction monitoring needs to take place. This means that VASPs will need to determine what typical transactions look like for each customer so that they are able to spot any suspicious changes to the established pattern. Financial institutions already do this in most countries and it is part of a risk-based approach to AML and CTF.

VASPs should also screen customer wallets and potentially share any blacklists with other VASPs and relevant parties. Additionally, VASPs should be licensed and/or registered in their jurisdiction. 

How does the Travel Rule differ from KYC?

At first glance, the Travel Rule might seem to be the same as Know Your Customer (KYC) processes. However, there are some key differences that make the Travel Rule unique.

First of all, KYC only verifies that a customer is who they say they are. KYC is generally part of the onboarding process of a new customer, and the information gathered is usually not shared. With the Travel Rule, the identity of both the originator and the beneficiary needs to be confirmed and shared between VASPs or the relevant authorities.

While KYC is an internal process, the Travel Rule is an external one. It is necessary for information to be shared and at least two parties will be collaborating on the sharing of this data. 

That being said, KYC is an important part of ensuring the Travel Rule is successful. Without KYC, VASPs will not have the required information that is needed to identify their users.

Challenges for Travel Rule compliance

As we mentioned earlier, complying with the Travel Rule presents a number of unique challenges. First and foremost is that cryptocurrencies’ blockchain does not have any underlying technology to collect the necessary personal information needed for compliance. One is going to need to be created, which is going to be a lot of work.

Any protocol to be adopted by VASPs will need to be cost effective, scalable, applicable to all virtual assets, and able to operate between different VASPs. This is a very big ask, especially when the deadline for Travel Rule compliance is June 2020

Another big issue is the competitive nature of VASPs and their dislike of government interference. In order to be compliant, VASPs will have to collaborate with each other and the necessary authorities. And then there is the problem of navigating cultural, linguistic, and regional barriers in order to come up with a global solution. VASPs from all over the world will need to work towards a common goal and agree on one solution. When you consider that all of the countries in the world have trouble agreeing on one thing, you can see the huge hurdle that VASPs face.

Complying with the Travel Rule is a massive request from the FATF, especially within the given time frame. It also shows that the FATF might not completely understand how VASPs and virtual assets work. For example, two of the most popular cryptocurrencies, Ethereum and Bitcoin, operate on completely different blockchains, which poses a huge problem for interoperability. If the FATF had a basic understanding of cryptocurrency, they would understand how hard complying with the Travel Rule will be for all VASPs.

Is there a solution?

The Travel Rule sets a precedence by treating VASPs like banks and requiring compliance on a global scale. The Travel Rule has several practical implications for custodial participants in the virtual asset space. One of the most crucial parts is that VASPs must work with other competing external participants.

For that reason, the VASP Compliance Hub has been put forward as a possible solution and it makes use of another blockchain tool – decentralized identity (DID). A VASP Compliance Hub facilitates compliance through secure exchange-to-exchange messaging using DID. From there, a whitelist of compliant VASPs can be made and the sharing of data is significantly minimized.

In order to achieve compliance, VASPs will need a method of transferring user information about wallet address ownership to other VASPs. Given the popularity of virtual assets, this is a lot of data that needs to be shared in a secure way. Using DID means that users only have to share their personal information once with a trusted third party, and VASPs can also request access to this information and share it when required for compliance.

Our sister company, SelfKey, provides DID services for consumers and will be making the necessary changes to help VASPs become compliant with the Travel Rule as well. The best part is that the system is already in place, and VASPs will only have to make some minor API integrations in order to take advantage of it. The SelfKey powered solution ties the DID of the VASP to a set of their cryptographic keys that issues Identity Claims in a trusted and verifiable manner

The system allows multiple VASPs to be interoperable, even with different internal data structures, and ensures that all data is private. To further enhance privacy, user data is not stored on a centralized database, so is not controlled by any one entity. Additionally, users can build a reputation and identity history across multiple platforms and exchanges, which can lead to re-usable KYC.

The VASP Compliance Hub takes advantage of multiple existing technologies and brings them together in one place, essentially streamlining the process. Data is easily verifiable and is not widely shared, making things more secure for everyone involved.

Conclusion

The Travel Rule marks a major change when it comes to virtual assets, and will fundamentally alter how VASPs operate in the future. Cooperation is going to become a key part of day to day operation; something which has never previously existed.

Given the short deadline, it’s vital that VASPs join together for a common solution. In this case, the VASP Compliance Hub, which takes advantage of existing technologies and applies them to Travel Rule compliance. So far, it is the only viable option that has been presented.

Failing to comply could have dire consequences for VASPs all over the world. While the FATF does not have the power to prosecute, it does actively name and shame countries who fail to comply with its recommendations, and it will likely do the same to non-compliant VASPs. As some nations have already taken a dislike to cryptocurrency and virtual assets, it is important that the community stands together and does its best to reach compliance. 

Want to learn more about the VASP Compliance Hub and how SelfKey is part of the solution? Get in touch.