Updates to the FATF Travel Rule

The conflict in Ukraine saw many banking sanctions levied against Russia. Concerns were raised early on about the possibility of sanctioned Russian parties using the less regulated crypto industry to exploit loopholes that allow them to move money out of the country.

One of the ways financial institutions can enforce sanctions is through the Crypto Travel Rule. The Financial Action Task Force introduced an update to the Crypto Travel Rule. The rule originally required financial institutions to share data on transactions that meet a particular threshold, whereas the expanded rule extended to virtual asset providers (VASPs). 

It’s worth noting that the FATF (a global organization concerned with anti-money laundering (AML) and counter-terrorist financing (CTF) only has the power to make recommendations; however, they must be abided by if nations want to remain whitelisted.

What is the FATF Travel Rule?

The Crypto Travel Rule is an update to its Travel Rule, which states that VASPs must share originator and beneficiary data during crypto transactions that cross the threshold of $1000. The rule applies to transactions that occur between a VASP and a bank, and it includes requirements related to personally identifiable information (PII) such as names, addresses, and account numbers.

The Travel Rule has been slowly implemented since the 2019 recommendation, as many nations follow different timelines and monetary thresholds. 

‍

‍

The Updated FATF Travel Rule

In June 2022, the FATF produced a targeted update on the implementation of its Standards on Virtual Assets and Virtual Asset Providers with a focus on the Travel Rule. The report builds on the FATF’s previous reviews on implementation through a short update on the latest country's compliance with Recommendation 15 and its interpretative note. 

The FATF noted that private sector companies and some countries are facing significant challenges when it comes to enforcing safety measures and avoiding risks, especially in light of market developments, including Decentralised Finance (DeFi), Non-Fungible Tokens (NFTs), and unhosted wallets.

During a March 2022 survey, it was found that only 29 jurisdictions of the 98 that responded passed relevant Travel Rule laws, and only a few have started enforcement. This clearly shows that jurisdictions must urgently accelerate the implementation and enforcement of the rule to mitigate the misuse of virtual assets in their country. 

While the FATF has emphasized that there are numerous technological solutions able to facilitate Travel Rule compliance, the private sector needs to continue to increase interoperability between solutions and jurisdictions to achieve full compliance.

The FATF, in turn, will continue its discussion with member countries to raise awareness and will monitor market trends and developments that may necessitate further work. A further review of progress will be made by June 2023. 

Trends in the Use of Virtual Assets for ML/TF Purposes

The FATF’s latest report noted that the value of virtual assets used in money laundering and terrorist financing has thus far been relatively small. Most detected cases involved just one type of virtual asset, although criminals may use more virtual assets for layering purposes. 

The types of offenses involving virtual assets included:

• Money laundering
• The sale of controlled substances and illegal firearms
• Fraud and tax evasion
• Sanctions evasion
• Cyberattacks 
• Child exploitation 
• Human trafficking
• Terrorist financing 

Among these, narcotics-related and fraud offenses (including investment scams, blackmail, and extortion) were the most prevalent.

Some jurisdictions reported offenses related to operating unlicensed or unauthorized financial services, record keeping, and reporting requirements. The main risks that have been identified by the FAFT include:

• The use of VASPs operating in jurisdictions that lack effective AML/CFT, makes it difficult to follow the transaction trail; 
• The use of tools and methods that increase the anonymity of transactions, including tumblers and mixers and anonymity-enhanced cryptocurrencies. 

Technology Used to Enforce the Rule

There are international, industry-wide initiatives to set global technical standards for travel rule solutions to use, including the development of a common universal language and messaging standard for the communication of the required originator and beneficiary information between VASPs. 

Initial requirements included standards for public and private keys, secure sockets layer connections, 509 certificates, and API technology. Many of these solutions are being developed by VASPs to be integrated into their systems. 

The FATF noted that there seems to be a desire for multiple potential solutions rather than one centralized travel rule solution, which is aligned with their ethos of flexibility.

The Travel Rule in the UK

The United Kingdom’s HM Treasury has been in consultation to update the nation’s AML and CTF regulations, including the Crypto Travel Rule, which will likely come into effect in September 2023 following the approval of lawmakers. These regulations will also cover data privacy, the definition of an intermediary, and other matters concerning virtual asset service providers.

All indications are that the UK will stick close to the FATF’s recommendation and language. There was some debate about the grace period for compliance with the Crypto Travel Rule, with some arguing that it should be 20 months and others pushing for a short grace period of six months. The date that was eventually agreed upon was September 2023, which will give virtual asset providers in the UK over a year to comply with the recommendation. 

The consultation did not want to move away from the FATF’s recommendations related to data privacy and will likely follow the originator and beneficiary data collection as stipulated by Recommendation 16, but with a caveat that such PII data should be collected off-chain during cross-border transactions. Where there are transactions between VASPs based inside the UK, there will not be a requirement to share data.

There was also some debate about the term “intermediary” when defining which businesses were obligated to collect Crypto Travel Rule data. It was decided that it would only apply to crypto-asset exchanges as well as third-party custodial wallet providers and not other kinds of entities (e.g. software developers). Data collection will be mandated for unhosted wallets where there is a high risk of illicit fund movements. As for the monetary threshold, the UK government will measure this in Euros, set at €1000.  

Conclusion

It’s clear that various industries and businesses still face numerous challenges when it comes to adhering to the FATF travel rule. If you need help with optimizing your Sanctions compliance feel free to reach out to us and schedule a quick call with our team.