New GAFI/FATF’s AML/CFT Virtual Asset Travel Rule

(decentralized AML/KYC it’s better 😛)

It will take time to study the massive effects in the Virtual Assets (VAs) industry after the enactment of the interpretative note to GAFI/FATF Recommendation n. 15 (INR.15) and, above all, of the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (RBA to VA& VASP Guide), released on the last 21 of June.

But since I have to help some friends 👨‍👩‍👦‍👦👪 to add certain AML features to a very cool Blockchain protocol 🦄 that they’re developing in a very special country 🚠, I decided to start focusing on a particular piece of the aforementioned RBA to VA& VASP Guide and new INR. 15: paragraph 7(b) of the latter, regarding the application of Recommendation 16 (INR. 16), and the related explanation notes of the former.

I refer to the most problematic section of the GAFI/FATF’ “desiderata” with the more significant implementation problems both by the national-states and by the private entities to which the AML/CFT international standards regarding VAs are addressed 😥. A part of the AML/CFT standards on VAs industry operators (VASPs) that goes beyond the basic “know your customer” (KYC) rules, and their additional duties of verifying and keeping records of their own users’ identities and operations, since it is aimed:

- to capture any VA transfer above 1.000 USD in the cross-border wire-transfer framework; and

- to oblige all VASPs to get and to pass their customer’s information to each other when transferring funds and to take freezing actions and prohibiting suspicious transactions just as banks or other financial entity are required to do.

But, this “travel rule,” as called in the U.S. — than in Europe, moreover, it could involve the application of the regulation on information data accompanying the transfer of funds (EU Regulation, 2015/847), and the following ESA’s provision — , is very complicated to be achieved 🚫.

As people from chief compliance officers of top VASPs and the best advocacy entities (i.e., Global Digital Finance) in the sector has tried to persuade GAFI/FATF during the public consultation has anticipated the adoption of the new INR. 15 and RBA to VA& VASP Guide, the new mentioned VAs transfer travel rule rather than complicated and expensive could be totally unworkable 👎🏻 because, in most cases, it’s impossible to consider a VAs transfer via Blockchain like a simple fiat wire transfer.

While the travel rule and similar regulations were written for a world when funds were always sent through intermediaries, VA transfers involving cryptocurrencies or digital token can occur directly from person to person, or, simply, via smart contracts. Basically, through any other potential endpoint — not just exchanges or other professional VASP — hardly assessable under an AML/CFT regulation, unless it would come in a very black future to an improbable extension of the categories of the obliged entities up to include also simple persons or any computer on the planet 😬 💀 💩.

Besides, there’re crucial differences between a transaction via Blockchain and one made through a bank or other authorized financial intermediary that prevent the “in toto” applicability of the AML/CFT travel rule also to VAs movements. In fact, unlike a bank transaction, where value is sent to a beneficiary bank’s private ledger and accounts, in a VA transaction conducted via a VASP or peer-to-peer, any single value shift is recorded and verified on the same shared ledger. And it is only required a beneficiary’s virtual asset address, a beneficiary’s one, and the value to be moved.

Moreover, unlike a fiat transaction based on the IBAN system, as deeply explained by Global Digital Finance in its position paper on INR. 15:

1. An originator’s VASP (if one is used) doesn’t know the beneficiary’s VASP nor beneficiary’s details.
2. The VA holder (i.e., the originator) doesn’t know the beneficiary name nor which VASP is used (if any it’s involved).
3. A Virtual Asset account (i.e., the address) doesn’t contain any beneficiary’ or destination details about a transaction.

Source: https://www.gdf.io/wp-content/uploads/2018/01/GDF-Input-to-the-FATF-public-statement-of-22-Feb-2019-FINAL.pdf

4. The beneficiary’s VASP (if one is used) receives the transaction only by reading the ledger and reconciling a change on the same ledger about a virtual asset address it maintains, without receiving any notification by nobody nor knowing who the originating address belongs to.

5. Even if an originator’s VASP could theoretically collect beneficiary’s VASP and the ultimate beneficiary’s details, there is no technical way to validate details entered or to grant that those details are accurate because if any incorrect information is supplied it would not prevent the transaction from being written to the ledger.

6. There’s no technical way to avoid Virtual Asset owners from creating alone their own payment addresses or an unlimited number of addresses.

7. There’s no technical way to restrict P2P Virtual Asset transfers between two counterparties.

8. There’s no possibility to understand whether an address belongs to a VASP (which could be a regulated entity where originator and beneficiary information would be required) or to a non-custodial wallet provider (unregulated technology where originator and beneficiary information would not be needed).

In regard to all the above, in fact, we need also to consider very carefully that:

- usually, in a VA transfer the presence of originator’s and beneficiary’s VASPs is not necessary to have a fund movement, since a VA holder — i.e., the originator — or a VA recipient — i.e., the beneficiary — can act with a non-custodial wallet and end and receive VAs directly and on a P2P basis.

- in cryptocurrencies market since its rise, the best and the most widespread and recommended practice is a massive use of the non-custodial web, paper, mobile, desktop and hardware wallets, the only VAs store solutions that grant security and full control of funds.

But — given what’s written mainly in paragraph 117 of the RBA to VA& VASP Guide — despite the fundamental GAFI/FATF’s awareness of the validity of the raised remarks mentioned above, it has chosen to adopt anyway the intact version of INR. 15. And this with the extension, trough paragraph 7(b), of the INR. 16 travel rule based on the clearly wrong assumption of a viable likeness of wire transfers to VA movements on a Blockchain, and with a very difficult entrustment of its applicability upon the only shoulders of a beneficiary’s VASP. This one, in fact, further its direct AML/CFT duties (i.e., assessing the associated ML/TF risks; licensing or registration; supervision or monitoring; preventive measures such as customer due diligence, record keeping, and suspicious transaction reporting), if it receives a P2P transaction from a non-custodial wallet — as it happens now typically — would have to perform the travel rule of INR. 16 collecting directly from its clients all the tons required information about the VA transfer originator from that has received funds 😱.

But apart from the huge privacy issue that such a thing would entail, especially if the VA transfer originator doesn’t coincide with a direct client of a beneficiary’s VASP. As said before, it’s totally impossible for any VASP to understand whether a VA transaction comes from a custodian or non-custodian entity or another VASP or a private individual.

On the other hand, the stupidity of an entity like GAFI/FATF — that seems to have capriciously issued a travel guide for VA transactions impossible to implement at every level — must be categorically excluded. How the reading of the RBA to VA& VASP Guide confirms us by capturing an insight very high level of acquisition of all the particularities of the Blockchain technology.

So to understand why the FATF/FATF’s will in adopting the travel rule for VA transfers was so stubborn we have to investigate in which direction GAFI/FATF would like to direct the VA transfers markets about AML/CFT risks. Because that’s what this is about 🏹🎱.

The answer is in the same RBA to VA& VASP Guide. Especially in the no. 188 explication note where is clearly affirmed that GAFI/FATF is technology-neutral and does not prescribe a particular technology or software approach that providers should deploy to comply with Recommendation 16, assuming with this that the solution about VA transfers travel rule concerns can be a technological choice. Or rather, a technological solution to be tackled through the use of the same Blockchain declined in terms of AML/CFT compliance.

After all, the technology exists in the form of DIDs (decentralized identifiers) resided on a distributed ledger, verified claims and Identity hubs for globally interoperable, digitally compatible, consumer consent-driven information sharing, through which, each entity may serve as its own root authority.

DISCLAIMER: Blockchain is a disruptive technology that introduces several doubts about its legal nature. LegalBlock aims at being an open forum in which its members and invitees can share views and comments on such technology and its impact on different legal systems. However, the views and discussions expressed in LegalBlock are merely personal and do NOT constitute legal advice of any sort and do NOT necessarily reflect those of LegalBlock.