It’s clear that Travel Rule is here to stay. Its introduction to the digital assets industry has been seismic, as stakeholders grapples with issues of how to operate and be regulatorily compliant. Any VASP who operates in the digital asset space, will have to contend and consider the application of the Rule. On a country-level, VASPs will be subject to higher regulatory pressure and scrutiny over a more comprehensive KYC standards in proving that they are compliant with local AML regulations, adapted from FATF’s guidelines.
Given the worldwide application of this Rule — rolled out by countries, at different times, the potential for varying levels of in-country local adaptation and enforcement of the Rule, to be less than uniform, is particularly high. Considering that all countries in the world have trouble agreeing on any one thing, the difficulties and challenges for Travel Rule implementation, becomes even more acute.
Importance of Travel Rule
Travel Rule has both positive and negative implications. With growing digitalization and online transactions, concern over money laundering, illicit proceeds from crime and scams, are expected to increase. A big positive on the successful introduction of Travel Rule, would make financial crimes even more difficult to carry out, and regulators will have a better understanding of how criminals are using virtual or digital asset (“VA”).
Another benefit is that the Travel Rule will lead to even stronger KYC policies and practices which, in turn, leads to higher customer confidence in VASPs. As a result, implementing the Travel Rule might actually attract new users and lead to stronger adoption in the crypto world, who would feel secured in the knowledge that the industry is better regulated and therefore, safer.
When VA was first introduced, the whole point about the distributed ledger technology, was that it was not tied to any one country, currency or government. However, with Travel Rule, FATF is asking for that to change and VA transfers can no longer be considered private and anonymous. Whilst the justification for it, is understandable (the prevention of criminal activity), the industry as a whole, has struggled to come to terms with it.
Challenges for Travel Rule compliance
With any broad based global adoption of rules, the Travel Rule suffers from the same “teething” issues. VASPs have their work cut out in finding a solution that meets the necessary local jurisdictional requirements, that are consistent with their regulated business activities, operating budgets and systems.
It’s not correct to consider VA transfer via blockchain like a simple fiat wire transfer, as VA transfers occur peer-to-peer, without a middleman and the means to collect the necessary personal information, in which accurate data sharing with counter-parties can occur, without breaking privacy laws. Whilst the Travel Rule were written for a world where funds were sent through intermediaries, VA transfers involving VA can occur directly from person to person, or, simply, via smart contracts, through any other potential endpoint — not just exchanges or other VASP.
Under the Travel Rule, VASPs are expected to share complete and accurate KYC information, immediately and securely with the VA transfers. Accordingly, VASPs must:-
collect and conduct KYC on their customers (Originators and/or Beneficiaries of VA transfer);
able to identify each other or other VASPs;
distinguish between a VASP’s wallet address (custodial wallet) & personal wallet address (non-custodial wallet);
screen/consider whether wallet address is high risk for ML/TF activities and therefore suspicious; and
if suspicious, consider whether to execute, suspend or reject VA transfer and follow up actions, including STR filing.
In the circumstances, VASPs, who will be the Ordering (sending) and Beneficiary (receiving) Institutions, will need to conduct a proper KYC process, involving positive identification, verification of ID documents and name screening of their end customers and wallet addresses. It is also noteworthy that whilst many users store their VA in custodial wallets on exchanges and accordingly will use such VASP for VA transfers, many transactions occur outside the VASPs environment.
As the Travel Rule applies to VASPs who are regulated / licensed and accordingly does not apply to non-regulated VASP, the importance of identifying the status of such VASP becomes important, as user data are being shared between different entities.
Where VA transfer involves only one VASP who is an obliged entity (i.e. regulated or licensed) and the other VASP is not, Travel Rule requires the obliged entity to continue collecting and verifying KYC information of the Originator or Beneficiary (as the case maybe). However, such obliged entity is not expected to submit the KYC information to the non-obliged entities.
How does a regulated VASP stop a bad actor from spoofing or pretend to be a regulated VASP and reaping all of the user personal data. Compounded by the fact that the data concerns financial transaction, which is among the most sensitive types of data, preserving privacy and security of user data is of critical importance. Ideally, the authorities maintain a list of regulated VASPs in its jurisdiction, which will greatly assist with the identification of regulated VASPs. In complying with the Travel Rule, VASP must also be mindful and in compliance with existing data privacy laws, such as the GDPR and Singapore’s Personal Data Protection laws. This offers another set of difficulties that will be addressed in a separate blog.
In short, VASPs are challenged, to demonstrate their ability to satisfy regulatory requirements without jeopardizing the privacy of its customers or protecting user data from being compromised.
In relation to the issue of technology and systems, how does a VASP share the KYC information with each other, effectively and securely? In this regard, it’s important to highlight that not only the VAs, VASPs not use the same blockchain technology, it is also anticipated that there will be a multitude of Travel Rule solution providers, with different protocols, technology and system, further exacerbating the interoperability consideration. FATF adopts a technology-neutral stance and does not prescribe nor favour any particular technology or software that VASPs should deploy to comply with Travel Rule, as long as it complies with AML/CFT obligations.
To solve the problem of interoperability, Travel Rule compliance will require some type of overall unification in the VA world and the need for harmonization and collaboration between the various stakeholders (i.e. VASPs, regulatory authorities and solution providers). FATF and authorities must be involved in the discussion with regulated VASPs and Rule service providers to pragmatically come up with practical solutions that complies in principle with the Rule, whilst simultaneously does not become a huge regulatory burden requiring significant investment in time and costs.
Travel Rule for VA will fundamentally change how VASPs operate in the future. Cooperation is going to become a key part of day to day operations. Given some countries dislike for VA and so as to not add fuel to their disdain, it is imperative that the community stands together and agree on how best to reach compliance. Travel Rule is neither a silver bullet that will drive mass adoption, nor is it an unsurmountable regulatory burden. Instead and like any other implementation of a broad based rule, it presents both, challenges and opportunities.
All businesses and individuals active in the blockchain space should think about how this Rule is likely to affect their operations in various jurisdictions, and put plans in place measures, to address likely implications, constructively. If enough do that, it can be a stepping stone for VA businesses to reach the next level of adoption and success.
As highlighted by FATF Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing (Sep. 2020), it is evident that regulators is looking at the entire eco-system in order to combat ML/TF risks, as exchange and transfers between asset classes (i.e. between fiat currency, VA and vice-versa) are central to the ML/TF instances highlighted in the report and in those instances the ML/TF events did not occur in isolation, but in combination. With greater automation of transactions, it is foreseeable in the near future that regulators will be advocating the need for greater interaction amongst stakeholders and data sharing touch points as scenarios and instances are assessed and reviewed holistically to frame a macro view of the VA/fiat or fiat/VA transactions that are being conducted, in banks, VASPs and other financial institutions and greater collaboration to better assess if a ML/TF suspicion or risk had materialized.
The Travel Rule has the potential to spur global action that will allow VA to flourish in a clear, constructive regulatory framework that recognizes both the technology’s technological promise and its potential to bring into fruition the innovative disruption. With so much subtlety and complexity around the implementation of the Travel Rule, my fervent hope is for a more open engagement and collaboration amongst all stakeholders (from regulatory authorities alike, to VASPs and Travel Rule service providers) and thoroughly assess and effectively implement viable solutions, which are scalable, and cost effective.
Considering FATF has committed to work with regulatory authorities and the VA community as a whole, I also believed that the dust of uncertainty will eventually settle, and there will emerge a few Travel Rule service providers who are inter-connected and inter-operable between the different systems, enabling VASPs to comply with the Travel Rule, just like it did, with the SWIFT protocol.