FATF Publishes Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers

The FATF published its much anticipated Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers (VASPs) on 27 June 2023 following mutual evaluations and surveys conducted earlier this year.

Pertaining to Travel Rule (Recommendation 16), the FATF reports that jurisdictions have made insufficient progress in implementation and enforcement. Of the 135 survey respondents from jurisdictions that do not ban Virtual Assets or VASPs, only 35 (58 including the countries in the European Union jurisdictions with MiCA and TFR) have implemented or are enforcing Travel Rule regulations and 27 are in the process of passing Travel Rule legislations. As FATF reports “the lack of progress in this area is a serious concern”, it calls for immediate action to enact and enforce Travel Rule legislation consistently and globally.

Has the jurisdiction passed the Travel Rule for VASPs? Ref: Figure 2.1 of the Update

Differences in Jurisdiction Requirements and Timelines: Sunrise Issues

The Update recognises that there are differences in jurisdiction requirements of Travel Rule regulations, such as the de minimis thresholds and the information to be collected and submitted. Delays in implementation and different enforcement timelines have also resulted in sunrise issues. In particular, Travel Rule-obliged VASPs (regulated entities in jurisdictions that enforce Travel Rule) will encounter difficulties in ensuring full compliance of all VA transfers until all VASPs become obliged entities. In the interim, jurisdictions have accorded grace periods for Travel Rule compliance or are taking a phased approach with some allowing for manual processing of Travel Rule information.

Jurisdictions that have implemented Travel Rule continue to adopt varying approaches in dealing with the sunrise issue. Some of the risk-mitigating measures include allowing their domestic VASPs to:

• transact only with licensed/registered foreign counterparties (3 of 62 responding jurisdictions);
• transact only with licensed/registered and Travel Rule obliged foreign counterparts (13 of 62 responding jurisdictions);
• transact only with foreign VASPs that are licensed/registered in specific jurisdictions and/or complying with the Travel Rule (3 of 62 respondents); or
• transact with unlicensed/unregistered foreign counterparts but only with risk-mitigating measures in place (e.g. verified first-party transfers) (11 of 62 respondents).

In spite of the above, a significant portion of jurisdictions (17 of 62 respondents) allow domestic VASPs to transact with any foreign VASP, therefore creating a regulatory loophole.

The Update reiterates the need for VASPs to conduct VASP counterparty due diligence but recognises that this remains a challenge due to challenges faced in identifying counterparties, or the lack of available information to ascertain the risk profile of counterparties. In jurisdictions that allow domestic VASPs to transact with unlicensed/unregistered VASPs, additional risk mitigation measures are necessitated to avoid submitting Travel Rule information to inappropriate counterparties.

Travel Rule Solutions

The Update further notes that many Travel Rule solutions do not meet FATF standards. Most pertinently, the Travel Rule solution provider must accord VASPs with sufficient time to detect suspicious transactions, i.e. Travel Rule information needs to be submitted immediately before or simultaneously to the blockchain transaction. Examples of some shortcomings of various Travel Rule solutions are summarised in the table below.

Examples of shortcomings in available Travel Rule compliance tools: Ref: Table 2.1 of the Update

Accordingly, the FATF suggests that regulators should engage with their industry to warn against the use of tools/solutions that fall short of the FATF standards and/or local regulations.

On the topic of interoperability between Travel Rule solutions, the FATF updated that there is still limited progress with solution providers citing challenges with complying with cross-border data protection and privacy laws. While interoperability is not mandatory, it is valuable in improving the effectiveness of Travel Rule and reducing compliance costs for VASPs. In this regard, VerifyVASP is currently interoperable with one other solution and processes a healthy volume daily through this interoperable channel.

Some solutions including VerifyVASP, also screen their users to ensure adequate data protection and support counterparty due diligence. Ultimately, the FATF highlights that VASPs are still required to conduct their own independent counterparty due diligence processes and should not rely solely on the information provided by their solution provider.

Evaluation of Travel Rule solution providers

The FATF has also provided a checklist for VASPs to evaluate Travel Rule Solutions. This is replicated below for easy reference:

Timing and scope of Travel Rule data submission:

Does the tool enable VASPs to submit Travel Rule data for small value VA transfers (i.e., below USD/EUR 1 000) to accommodate varying threshold requirements across jurisdictions?

Does the tool cover all VA types?

Does the tool enable beneficiary VASPs to obtain and handle a reasonably large volume of transactions from multiple destinations in a secure and stable manner?

Does the tool enable ordering VASPs to submit the required and accurate originator and required beneficiary information to beneficiary VASPs immediately upon or prior to a VA transfer on a blockchain/distributed ledger technology platform?

Counterparty VASP identification and due diligence

Does the tool enable an ordering VASP to locate the counterparty VASP for VA transfers? (This is not a mandatory tool function but identifying the counterparty can be the first challenge for ordering VASPs).

Does the tool provide VASPs with a communication channel to help followup with a counterparty VASP to:

• seek information on the counterparty VASP to allow the VASP to conduct required counterparty due diligence; and
• request information on a certain transaction to determine if the transaction involves high-risk or prohibited activities?

Record-keeping and transaction monitoring

What function does the tool provide to facilitate meeting record-keeping, transaction monitoring, and reporting obligations (e.g., securely retaining data for 5 years/ allow user VASPs to download data), while being in line with national data protection requirements?

Questions on interoperability with other Travel Rule compliance tools

Does the tool allow Travel Rule information to be submitted to VASPs using different tools?

VerifyVASP can help solve for all of the above.

We can also help VASPs carry out the following main actions (as set out in FATF (2021) Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers):

1. locate counterparty VASPs for VA transfers;

2. enable submission of required and accurate originator and beneficiary information in a VA transfer;

3. enable the submission of a reasonably large volume of transactions to multiple destinations in a stable manner;

4. enable the secure transmission of data;

5. protect the use of such information;

6. provide VASPS with a communication channel to support follow-up with counterparty VASPs.

Crucially, we are able to do all of these at a production scale across various jurisdictions.

We also pride ourselves on being a solution built for the industry, by the industry through close industry and regulatory engagements. We are open to feedback and continuously evolve to ensure adherence to FATF standards and also to cater to nuances in different jurisdictions’ Travel Rule regulations. Do reach out to us at corporate@verifyvasp.com.