Webinar Highlights: Are Singapore based Virtual Asset Service Providers (VASPs) Ready for the FATF Travel Rule?

Last Thursday, 14th May, Merkle Science hosted a webinar roundtable on the impact of the FATF travel rule on Virtual Asset Service Providers (VASPs) in Singapore. Merkle Science’s Lead Investigator Ian Lee moderated the panel discussion which featured:

• Alexandre Kech, Chief Executive Officer & Co-Founder, Onchain Custodian
• Grace Chong, Of Counsel, Simmons & Simmons JWS
• Anson Zeal, Chairman, ACCESS
• Justin Newton, Chief Executive Officer & Founder, Netki

This post highlights the key comments and insights provided by the panelists during the webinar.

Disclaimer: some of the comments have been paraphrased or edited from the original audio content.

Justin from Netki, who dialed in from the US kicked off the panel discussion with an overview of the FATF travel rule and how it applies to VASPs:

So the FATF travel rule actually originally comes out of United States based enforcement. Even though it’s called the “travel rule” it has nothing to do with the movement of people but of a requirement that identity information needs to “travel” with certain types of transactions. At a high level this is required for transactions over a threshold of US$ 1,000 or SG$1,500. Both ends of the transaction are usually VASPs or payment service entities. Most providers are not compliant today.

Besides the travel rule, sanctions requirements are also on the horizon. These would apply not just for service provider to service provider transactions but for transactions between service providers to any individual or entity and vice versa. So when you think about travel rule solutions, it is important to think about who we are sending and receiving transactions to and from.

In Singapore, there are different reporting requirements based on transaction amounts, if more than or less than SG$1,500. All details are in the MAS PSN02 guidelines. Section 13 (page 41) specifies these travel rule requirements, which applies to financial institutions as well as VASPs. The US has a different threshold for the travel rule, starting from US$3,000, FATF’s is US$1,000 and Switzerland’s is US$0, which means all transactions require additional identity details.

Therefore it is important to pay attention to different jurisdiction specific requirements, which means as a VASP you must also take into account requirements of counterparties based in other jurisdictions. They may be subject to more or less stringent requirements than in yours. Furthermore, the sanctions requirement will almost certainly come around, especially given speculation that the President of Venezuela might be hiding proceeds in cryptocurrency.

Some other things to bear in mind:

• The FATF cannot enforce anything.
• The travel rule is a FATF “recommendation” — BUT countries which are FATF members are required to comply with this recommendation.
• Countries which are subject to FATF membership rules can get cut off from the global banking system for non-compliance or at the least put on watch-lists.
• Therefore member countries are responsible for implementing these recommendations and the individuals and institutions (VASPs) resident in those jurisdictions are subject to them.
• So the country-level travel rule requirements are enforceable!

What are the consequences of non-compliance?

• Lose your license (according to the MAS you need to have a travel rule solution)
• Subject to fines or penalties
• Suffer loss of reputation
• Subject to criminal penalties and liabilities especially if companies do not have adequate policies to protect against travel rule violations

What’s the historical context of the Travel Rule?

The travel rule has always been applied in traditional financial services since the 1980s, although the crypto industry has always veered between considering itself finance or not really finance, etc. But FinCEN, the United States Financial Crimes Enforcement Network, has always considered crypto to fall within the remit of traditional financial regulation and said in 2013 that the travel rule applies to VASPs as well. In 2015, we saw the first enforcement action with the decision by Ripple to announce that they were in violation of the travel rule and so a solution was needed.

FinCEN has subsequently stated that since the travel rule has always applied to VASPs operating in the United States they would be looking at historical enforcement actions. In contrast, the MAS in Singapore has been up front to say they will not pursue any historical cases and the rules are clearly written for VASPs operating inside Singapore.

Ian from Merkle Science: What difficulties do you foresee the industry faces in implementing a Travel Rule solution?

Alex from Onchain Custodian:

I knew about the travel rule from my time at SWIFT. Banks have been trying to apply this for years. The main issue they were trying to agree on at bank level was the data standard. What information was required, what format, should they always share the same information to avoid having too much information etc.

So they came up with market practices, which meant sharing name, account and address. They dropped other information such as ID numbers etc. So now only these three categories of information are required to ensure compliance with the FATF travel rule. Both for the ordering and customer side. It’s never been a problem, especially as SWIFT provides all of this information based on the fields needed to transfer data to beneficiary banks.

Currently there are two challenges in the crypto industry. Firstly firms do not always collect these three categories of information and secondly there is no mechanism for transferring this information. So we currently don’t know what VASP is behind the address sending funds. Also we don’t know whether or how the VASP will keep this information private and secure.

So to address these challenges the industry must first define the standard for information sharing, which is done, thanks to IVMS-101. This looks like the standards banks are using so it could become interoperable with banks in the future. Then, there is the time needed for implementation. How to get to a stage where we can send information and make sure it is not sent to the wrong recipient, or sending to VASPs that cannot manage it securely, such as losing it in a massive data breach.

Anson from ACCESS expanded on the development of IVMS-101, which was published a week before the webinar:

So there was a scenario whereby the larger exchanges operating across many countries could mostly likely comply with the FATF requirements and so could in turn select which VASPs they want to work with, which might result in the formation of some sort of cartel.

Ultimately, we want crypto to be distributed and decentralized. So a few associations came together to form a standard to get this going. Initially the regulators were not really supportive, assuming we were too decentralized as an industry. Eventually the joint working group developed the IVMS-101 standard which proves to regulators we can get something done no matter how decentralized we are.

This was the result of ACCESS, IDAXA, GDF etc., meeting over a period of 18 weeks for at least two hours a week. It was not easy but the result was fulfilling. It is amazing that people wanted to come together to create this standard. Moving forward the members of the joint working group will decide what is critical and gather again.

Ian from Merkle Science: what are we seeing from the regulatory perspective?

Grace from Simmons & Simmons JWS:

South Korea has already implemented a version of the travel rule. Each Korean VASP must apply for an information security certificate and fulfil specific requirements. The official date to comply with this travel rule is September 2021 and is overseen by the South Korean Financial Intelligence Unit (FIU). Japan is also pursuing preparations. But if we look more generally at the movements of regulators in the region, they are looking at what the MAS has done and implementing this for their own countries.

One question we often get from our clients is, what does the MAS expect in terms of enforcement? Should they have a working solution done by day one of license application? So far the MAS has indicated to us that they do not expect firms to be granted digital payment token (DPT) licenses only after the industry as a whole has developed interoperable solutions to meet the travel rules’ value transfer requirements.

Instead what they are looking for during the review process is that applicants must be able to demonstrate compliance to the value transfer requirements even though they might have to pursue alternative means in the interim.

So nonetheless given the potential for further developments they have also noted that applicants must consider how to adapt their business processes and compliance programs ahead as these changes occur. So the long and short of it is, in our understanding the MAS remains open to applicants’ adjustments during the course of the application process in order to fully comply. In the first year, we see that applicants would work it out with the MAS and put forward how they expect to be compliant with the travel rule requirements and we don’t expect hard enforcement from day one basically.

Ian from Merkle Science: how can Singapore based VASPs can or should decide between different travel rule solutions.

Alex from Onchain Custodian:

As a VASP looking for a solution that is interoperable with other solutions, I don’t want to subscribe to 10 services to communicate with 10 different VASPs. It doesn’t make sense. So either that solution comes from a consortium of VASPs to create a peer to peer type of environment like SWIFT for VASPs and they use that as a way to exchange information and validate that receiver is the proper VASP that should receive that information, or it comes from a coalition of technical providers or at least collaboration between technical providers who can assure me if I subscribe to their service, I can reach everybody either through them or through another technical provider they connect me to.

And finally,

if the solution provider I’m meeting is not aware of IVMS101 or if they are aware but not planning to implement it they can already take their bag and leave the office, I would not use them.

Justin from Netki, added to this with a perspective on the technical challenges and design approach:

When we designed our solution, the idea was you can have multiple services and service providers but effectively you should all be speaking the same protocol. If I look at the web, there are hundreds of web service software vendors, there are dozens of web browser vendors but because they all speak http and all speak https we can all browse the web together.

When we look at the way the web works and the identity layer for exchanging data over the web which is https, right how you get that green lock in your browser which tells you that you are at the place you should be. That is a situation where everybody recognizes the SLL standard but there are hundreds, at least 300 SLL certificate providers. So what they’ve worked out is having a common communications protocol which everybody speaks but one that allows literally for hundreds of competitive service providers, providing services to the web hosting or web service providers out there.

So when we designed our protocol and tools based around the bitcoin standard, which we helped to develop in 2015 and 2016 we had that model in mind. One where there is a standard communication protocol, it’s peer to peer, which anybody can communicate on. And also one where Netki would be a service provider on that network but it is specifically designed to be a vendor agnostic network.

But I think there is one more piece though that comes in for cryptocurrency that is, I hate to say this, I think most of the other vendors out there have been ignoring. And I don’t know if it’s because they came from the traditional financial world or frankly because it’s hard to solve that problem. In banking if I’m wiring money or sending money over SWIFT the other end is always a financial institution. So having a system where only financial institutions transact with each other is the norm, it’s the way things work.

In the cryptocurrency world, we don’t want a scenario where only VASPs can transact with each other, we want a world where there is a free flow of transactions between the VASPs side of the world, which are the on and off ramps for cryptocurrency and the non custodial side, the dapp side, the web browser wallet, the phone wallets etc., which are not regulated entities. And as such will never get a VASP code and will never get connected into these networks and this is an important factor for cryptocurrency.

We have already seen some regulators saying that the travel rule applies not just for VASPs but for VASPs to any wallet conversations and I had spoken a little bit earlier about sanctions where the same thing applies.

So I think you have these challenges around interoperability, making sure that the network is open, so that everybody can come in transact and communicate on it. But that openness actually requires one more degree than what we see in traditional finance because it needs to include not just other regulated entities but the ability to exchange information and transact with anyone and do it in a way that keeps the user in control of their information and the privacy of their data.

Ian from Merkle Science: how effective is the travel rule at achieving the goal of addressing global financial crime compliance?

Anson from ACCESS:

We are in constant conversations with the JVCEA (Japan Virtual and Crypto assets Exchange Association) and one of the main things that is coming up with this travel rule which is a big challenge for the Japanese exchanges is that for any Japanese citizen they want to serve they must have a Japan issued license.

This means if you are serving a Japanese citizen from overseas and the Japan Financial Services Agency (JFSA) finds out you will get onto their flag list. So with that said if no Japanese resident can use any exchange outside of Japan how would the travel rule be effective for them? There are still a lot of problems. The existing rules might need to be changed.

All the existing crypto rules that are there are due to hype in the last couple of years to get something up, so some regulations might need to unwind or implement work arounds to get this whole travel rule thing going together otherwise there will be a lot of challenges moving forward.

Grace from Simmons & Simmons JWS:

We do service a number of Japanese firms that provide digital asset services so we understand there are lots of structural issues when serving Japanese clients. Especially when compared to operating in jurisdictions that you can use as a base for cross border business. So you need to understand how the Japanese exchange works within the context of all the other exchanges within your network. And those are very difficult issues.

What Singapore applicants have to bear in mind as well are the audit requirements that the MAS has brought out that within one year you are expected to be able to audit and have sufficient control over your compliance requirements.

There are obviously a few travel rule solutions but you must look at those that will support you going forward, especially in terms of customer service, scalability, compliance with regulatory issues such as data privacy rights, security against threats and expected updates.

Within the range of travel rule solutions, these can be split into alliance network solutions like Sygna Bridge, service authority solutions like TRISA, and blockchain based protocols like OpenVasp. They vary based on the types of communications and channels but whichever solution you decide to explore and tackle, think about Singapore compliance requirements in mind, can you match the audit requirements?

If you are operating a cross border business globally, how do you implement different solutions for different jurisdictions? You might need to explore a united solution that meets compliance requirements in different jurisdictions.

Ian from Merkle Science: What happens if VASPs try to transact with VASPs in other jurisdictions with different requirements ?

Justin from Netki:

Talk to your compliance counsel about what is the right thing to do. It’s a really tricky grey area. You need to balance business risk and regulatory risk. Each company will come to that decision in a different manner. If any of us could provide a flip of the cuff answer don’t trust anything else we tell you. It’s going to be a super complicated and hairy issue and one where you will wish someone could have given you a really easy answer but one won’t be available.

This is commonly recognized as the sunrise problem. The sun comes up everywhere in the world, but does not come up everywhere in the world at the same time. That’s happening with this regulation.

Singapore is leaning forward with this regulation and will be one of the first places globally where people are actually booting this up and getting this going and so what you will find in the early days is counterparties outside of the country won’t have a travel rule solution up and running yet. And some of counterparties inside the country won’t be using the same travel rule solution and they won’t be interoperable.

While many of us are working on interoperable solutions, most of the other folks haven’t even built their solution yet and so it’s hard to build interoperability until the next step after that.

So talk to counsel in advance. Get them or yourself to talk to your regulator. They (the regulator) won’t tell you what to do but they will give feedback on your plan as well as an idea of the risk appetite involved.

No one will have quick and easy answer to this.

Anson from ACCESS:

Regulators know about sunrise problems but they are pressured to get this done. Because this has been part of the mandate since last year. At the same time, FATF has a virtual asset contact group which was created to talk to the industry to see where the industry is at and provide an update. They also want to see how compliant the industry will be.

The MAS also has meetings with us, ACCESS, to see whether the VASPs can comply with PSN02. They are eager to know. We sent out requests for feedback on PSN02. All sides are pressured to get it done. So what is required right now is constant communication with the regulators.

Alex from Onchain Custodian:

I’m hoping the good will of the players will make a difference so regulators will assess you, talk to you and listen to you. For example if we can show our intent to comply and explain what we will do in absence of a global solution, due to the sunrise problem etc. By demonstrating goodwill, our regulator, MAS will be more understanding if they find something they are not happy with.

In Singapore we have an optimistic view based on past experience with the MAS and how they interact with the industry.

Grace from Simmons & Simmons JWS:

I agree that the MAS has been open and transparent. The sunrise problem is not new to digital assets. We have a tracker on regulations regarding digital assets across the world and found many discrepancies across several factors. Therefore players must pay attention to this when offering cross border services.

Ian from Merkle Science: Last question. When do you think the travel rule will be ready to be deployed?

Alex from Onchain Custodian:

It’s going to take years globally and will lead to revolution or at least a separation between institutional and retail players.

This will allow the industry to get rid of the bad players and result in true mainstream adoption of crypto.

Justin from Netki:

We released a global scale solution in 2016, which was recommended in a MAS study in 2017. There are a number of options nearly available, our solution has been available for a while and it’s great now to have standardization. But to roll this out globally it could take years. The pace of adoption in the United States depends on how aggressive enforcement is among regulators, some VASPs will prefer to delay things, but eventually they will face pressure from regulators. Once they have waited long enough, it will be interesting to see how pressures play out against each other.

Anson from ACCESS:

There are obvious rules and guidelines but it is not realistic to assume all FATF members will apply these at the same time.

Some FATF members will prepare in advance, others will delay, some will have no clue how to do this at all.

At least the members that are forward looking will get this in place first and can then start providing information, adding pressure to other countries. It is harder to predict than bitcoin price when we will get it done among all 36 member countries of FATF let alone the remaining ones. It will be a continuous process.

Grace from Simmons & Simmons JWS

We did a quick poll of the exchanges in the US, UK and Jersey. The majority are nervous about current developments, as they are struggling to come up with viable solutions for the long term. They are not sure if regulation will be accepted in other countries so they are worried about not complying.

It is technical, complex, requiring work with different teams who must understand how it all fits together.

If you missed the live discussion and had any questions for the panelists you can get in touch with them directly using their email addresses listed below:

• Alexandre Kech, alexandre@oncustodian.com
• Grace Chong, Grace.Chong@simmons-simmons.com
• Anson Zeall, azeall@idaxa.org
• Justin Newton, justin@netki.com

For further information about how Merkle Science could assist with your company’s compliance activities in Singapore or elsewhere please contact panel moderator Ian Lee (ian@merklescience.com).

Merkle Science hosts regular webinars on cryptoasset regulation and cybercrime. We also produce related articles and research. To stay updated about our upcoming events and recently published content subscribe to Merkle Science marketing updates.

We look forward to seeing you attend our future webinars and events!

Stay safe and best regards,

The Merkle Science Team

About Merkle Science

Merkle Science provides blockchain transaction monitoring and intelligence solutions for cryptoasset service providers, financial institutions and government agencies to detect, investigate and prevent money laundering, terrorist financing and other criminal activities. Merkle Science is headquartered in Singapore with offices in Bangalore, Seoul and Tokyo and backed by Digital Currency Group, Kenetic, SGInnovate and LuneX.