The FATF Travel Rule is an update to the existing FATF Recommendation 16, which concerns cross-border and domestic wire transfers. The update is intended to address the AML/CFT challenges associated with the increasing global use of cryptocurrency and to help law enforcement agencies better track criminals who use cryptocurrency to launder money. The Travel Rule’s regulatory focus means that it will have specific implications for virtual asset service providers (VASPs), such as cryptocurrency exchanges and cryptocurrency wallet providers.
Officially adopted by the FATF on June 21, 2019, the progress that member-states have made in implementing the Travel Rule will be reviewed during the FATF plenary session in June 2020 as well as whether the guidance has remained fit for purpose given the speed with which the technology is moving. Given its far-reaching regulatory scope, all VASPs and other obligated entities should be familiar with the Travel Rule and the AML/CFT compliance obligations that it entails.
What is the FATF Travel Rule?
Under Recommendation 16’s Travel Rule, the originators and beneficiaries of all transfers of digital funds must exchange identifying information. The rule will apply to all VASPs, financial institutions and obliged entities. Additionally, the originators and beneficiaries involved in a transfer must be able to guarantee the accuracy of the information they send to the other.
Prior to the introduction of the Travel Rule, companies that conducted wire transfers of conventional funds already had to issue a range of reciprocal information. The new rule essentially extends that obligation to cryptocurrency transfers. In principle, the Travel Rule is similar to a number of existing global audit regulations: the United States’ Bank Secrecy Act, for example, requires an exchange of information for funds of a value equal or greater than $3,000.
As part of FATF Recommendation 16, originators of virtual asset transfers must submit the following information to beneficiaries:
- Originator name
- Account number (where this is being used to process the transaction)
- Physical address
- National identity number, customer identification number or other unique identity number
- Date of birth and place of birth
Beneficiaries must submit the following information to originators:
- Beneficiary name
- Account number or virtual wallet number (where this is necessary to process the transaction)
The rapid growth of cryptocurrency usage has led to regulatory inconsistency in jurisdictions across the world and has created opportunities for money launderers and terrorists to commit financial crimes using virtual assets. The anonymity of blockchain technology is particularly useful for money launderers: while the originator of cryptocurrency transfers provides verified information (name, address, etc.), the beneficiary is able to remain anonymous.
The Travel Rule will help AML/CFT efforts by enhancing the audit trail when virtual assets are transferred between entities such as exchanges and wallets. The new information collection rules will mean that financial authorities are better able to detect and prevent money laundering activities involving cryptocurrency and will also help deter criminals by reducing the number of VASPs through which they can move funds.
Information sharing is at the heart of the Travel Rule, but given the relative lack of regulation in the cryptocurrency industry, it represents a significant compliance obligation for many VASPs.
The lack of identifying ownership information necessary to facilitate cryptocurrency transfers means that VASPs and financial institutions must develop AML solutions that allow them to share the necessary data and that comply with existing privacy laws, such as the EU’s General Data Protection Regulation and California’s Consumer Privacy Act.
In addition to fulfilling those regulatory obligations, VASPs must consider the costs and administrative effort that their Travel Rule solutions will involve and find a way to keep cryptocurrency transactions efficient and cost-effective for customers.
An ideal Travel Rule solution should satisfy regulatory obligations without disrupting customer service needs. Accordingly, the FATF has suggested a range of characteristics that a Travel Rule solution should feature to meet the objectives of Recommendation 16:
- The solution should minimize both regulatory impact and barriers to adoption and be easy to integrate with an existing AML/CFT program.
- It should be affordable and open source (or non-profit) in order to be accessible for smaller VASPs and innovative start-ups.
- It should contribute to a global regulatory standard of virtual asset transfers.
- It should be flexible enough to accommodate future innovations and advances in technology.
- It should complement the efforts of law enforcement agencies to prosecute money launderers and terrorists by proactively detecting suspicious activities.
- It should be scalable and maintainable and be able to gain widespread industry support.
- Public and private keys: Created in pairs for each entity involved in a digital transmission, keys encrypt and decrypt information only for originators and beneficiaries.
- Transport layer security/secure sockets layers: TLS and SSL connections also make use of public and private keys to secure transmissions made over the internet.
- X.509 certification: Digital certificates administered by authorities using the X.509 PKI standard. X.509 certificates (and attribute certificates) further reinforce the veracity of public keys and are used worldwide in the public and private sectors.
- API technology: Providing routines and protocols for software applications and specifying how different applications should interact with each other.
FATF organizations and authorities in FATF member states are considering implementation approaches to Recommendation 16, including establishing a centralized, global database that would collect information on every VASP worldwide and their customers.
Under this proposal, VASPs would register in their home countries to receive a unique identification code (similar to a bank SWIFT code). The unique code attached to each VASP would then be uploaded to the global database that would connect all VASPs operating under the Recommendation 16 Travel Rule. Accordingly, during subsequent digital asset transfers, VASPs would use their respective identifier codes to verify the information they are exchanging in compliance with the Travel Rule.