At first glance, when thinking about the challenges in applying the Travel Rule to cryptocurrency, the most immediate and common reaction is to exclaim that cryptocurrency is not engineered for transmitting customer information with the funds.
For those in crypto, it’s another square peg fitting into a round hole, an all too familiar refrain for Virtual Asset Service Providers (VASPs) operating under regulatory compliance requirements created in age of the deposit account passbook and handwritten banker logs.
Many in the crypto community are convinced this is the death sentence for cryptocurrency. “We’d have to create our own SWIFT network to bolt on to the blockchain,” they exclaim in a somewhat defeatist tone.
I’m not convinced this is the scorched earth that crypto hardliners would have us believe. Here’s why.
Cryptocurrency Compliance Protocols Are Already In Place
The fact of the matter is, many of the variables in the Travel Rule equation are already solved for.
First, the Travel Rule requires VASPs to obtain certain customer information to be sent with the transmittal of funds. Okay, no worries here. VASPs are already collecting this information (and more) through Know Your Customer (KYC) and the customer onboarding process. We’re off to a great start.
Next, we need to identify the funds destination in order to send the Travel Rule information. Not a big deal here either. Blockchain analytics software and blockchain forensic specialists have become adept at identifying the owners of cryptocurrency addresses, especially VASPs and other centralized institutions.
With these variables readily understood and, in many cases, already being addressed, we turn our attention to one of the most important and, ironically, least discussed feasibility requirements: flexibility.
Again, through existing compliance controls and available tools, we have the ability to gather the appropriate customer information and the means to identify the receiving party with a reasonable degree of certainty.
However, the greatest and most imperative remaining challenge is offering a solution with the flexibility to adapt to differing interpretations of the FATF Travel Rule, which vary by jurisdiction and institutional risk appetite.
The Genuine Challenge For Cryptocurrency Businesses
While cryptocurrencies are non-national and know no borders, regulations are national, differing from country to country. Complex geopolitical and other cultural influences shape financial regulations, public policy, and interpretive guidance.
Recognizing this reality, FATF standards are non-binding recommendations, meaning it is left up to the individual countries themselves to interpret and apply regulatory requirements as they deem appropriate.
In a world of 195 countries that could mean as many as 195 different interpretations, and thus 195 different requirements and expectations for the information that must “travel” from the sending to receiving institution.
For example, Country A is required to send a, b, and c for funds transfers of $1,000 or more, while Country B is required to send a, b, c, and e for funds transfers of $1,000 or more, while Country C is required to send a, b, c, d, e for transactions of $3,000 or more. And that’s just three countries, think of all the possible combinations when you include all 195 countries!
On top of all this, the VASPs themselves may obtain and share additional information in accordance with their AML program and risk-based approach, perhaps applying additional information to funds transmittal orders in higher denominations. Each VASP should be able to customize the information as it suits their risk tolerance and business needs, within the regulatory framework of course.
So, as you can see, any solution to the Travel Rule must be flexible from day one.
If this wasn’t enough to persuade you as to the need for flexibility, a cursory historical review of AML compliance requirements and best practices suggest that current requirements are just the beginning. Indeed, it’s not a stretch to assume that stricter and more nuanced regulatory expectations for the Travel Rule will evolve over time, as they have with virtually every other rule.
A solution that works out of the box today, may not, and likely will not, work tomorrow unless it has the flexibility to grow with ever-increasing regulatory expectations and demands.
The Travel Rule Will Expand In Scope
Recently, regulators and compliance experts have theorized that illicit actors and those seeking greater privacy, whether for good or for ill, may move their funds through software wallets avoiding VASPs altogether in an effort to sidestep the Travel Rule [1]. While it’s too early to tell if this phenomenon is playing out or will play out, it likely won’t stop regulators and policymakers from considering an expanded scope or application of the Travel Rule to confront such a possibility.
In fact, Swiss regulators have stated that they may apply the Travel Rule to any transaction, regardless of whether or not the parties are financial institutions.
Regulators are also compelled to contemplate the intersection of existing regulatory requirements outside of the Travel Rule framework, including, perhaps most notably, General Data Protection Regulation (GDPR) and sanctions screening.
The former, widely regarded as one of the European Union’s most important data privacy regulations, addresses the transfer of personal data outside the EU, effectively giving consumers greater control over their own personal data. Those institutions and entities in possession of personal or customer data must have in place appropriate technical and organizational measures to implement the data protection principles of GDPR.
That said, VASPs transmitting customer information in applicable jurisdictions must adhere to the strict requirements of GDPR in the course of carrying out their Travel Rule responsibilities.
As for sanctions screening, one need not venture far to read the countless media stories about sanctioned or rogue nations using crypto as an end-run around economic sanctions.
Whether it’s crypto mining in Iran or state-sponsored hacking activities carried out by or at the behest of pariah nation-states like North Korea, these accounts have exposed the shortcomings of sanction screening as it pertains to cryptocurrency. It is only a matter of time before regulators apply added pressure and regulatory expectations on VASPs and other businesses within the cryptocurrency space.
But not all countries impose the same sanctions; some even permit economic activities with jurisdictions that the U.S. has long considered rogue nation-states. Not to mention, program and country sanctions are fluid, often changing in response to geopolitical events and even normal election cycles.
Whether it’s pieces of customer information, transactional amount, or economic sanctions, the differences from country to country, however small, really start to add up, especially in the global marketplace of cryptocurrency.
The Bottom Line For Cryptocurrency Compliance
The crypto community should be identifying and building solutions that are flexible enough to address the differences today while planning and remaining ready to address future regulations yet to come.
The time to start is now. FATF and FinCEN have been crystal clear that June 2020 is the deadline with the latter stating that Travel Rule compliance expectations have already been in effect for several years now and will continue to be enforced.
Engineering viable solutions and integrating them within one’s institution is not something that happens overnight. It requires dedicated developer resources, as well as internal testing and vetting by AML personnel and legal counsel to ensure compliance with the Travel Rule.
Waiting until May to start figuring out a solution is a sure-fire way to put your business in the crosshairs of regulators.
If you’ve not done so already, take those first few steps, gather information, review and test solutions in the marketplace, and of course document your institution’s path to sustainable compliance with the Travel Rule.
BitAML offers cryptocurrency compliance advisory services to cryptocurrency businesses. If you have questions about Travel Rule compliance, or AML compliance generally, you can contact us to schedule a free consultation:
This article was originally published on Medium under the title “Crypto can’t ignore the FATF travel rule (and doesn’t need to).” It has been republished here with minor edits.
[1] The Travel Rule generally applies when there is ‘more than one financial institution’ to the transaction.