Lessons Learned from Travel Rule Compliance as Prerequisite to Licensing

VerifyVASP
Feb 19, 2024

Licensing and regulations in the financial industry are powerful compliance mechanisms deployed by regulators to enforce Anti-Money Laundering (“AML”) and Combating the Financing of Terrorism (“CFT”) requirements. The Financial Action Task Force (“FATF”) Recommendation 15 requires regulators to extend the AML and CFT standards applicable to traditional financial institutions to Virtual Asset Service Providers (“VASPs”) by adopting a regulatory regime.

One of the focal points within VASP licensing regimes around the world is the introduction of FATF Recommendation 16: The Travel Rule, a requirement that was already applicable to wire transfers for several decades. The Travel Rule is a critical component of the FATF’s Risk-Based Approach for Virtual Assets and Virtual Asset Service Providers. Specifically, it aims to ensure that basic information on originator and beneficiary of transfers is made immediately available to facilitate screening and detect misuse by criminals or terrorists.

VASPs often need to demonstrate how they comply with Travel Rule requirements as a prerequisite to obtaining or maintaining a licence in the jurisdiction of their legal entity.

In this post, we draw on our experience in supporting VASPs to achieve Travel Rule compliance in accordance with both local regulations (or guidance) and the FATF standards. We have grouped the lessons learnt from various licensing journeys into 2 broad themes: regulators’ key checkpoints and a successful Travel Rule implementation process.

Regulators’ Key Checkpoints

There are 5 key elements that regulators will assess in the context of granting regulatory approval on a compliance plan: policy, IT systems, training, supervision and audit.

An implementation plan for the Travel Rule needs to be prepared in this broader context. Each element affects the others, defining requirements or limitations. In our experience, setting the proper policy and securing an enabling technical solution, followed by training, supervision and an audit plan aligned with the broader compliance framework, is the determining path for VASPs to obtain regulatory approval on a Travel Rule implementation plan.

As a starting point, Travel Rule policy must be carefully considered, encompassing commercial and technical feasibility within the scope of local regulation. Given the nature of cross-border transactions, alignment with the FATF standards is necessary to enable global connectivity. Travel Rule policy needs to be well documented within the context and framework of the VASP’s broader compliance policy. The Travel Rule, as it applies to virtual asset transfers (“VA transfers”), is a relatively new concept. A successful Travel Rule exercise is contingent upon interaction between the compliance department and, most importantly, related stakeholders. Related stakeholders include users, counterparty VASPs and the VASP’s internal departments responsible for the operation, monitoring and control of the Travel Rule policy.

Prior to or post-licensing, regulators will review the Travel Rule policy and actual implementation status. In some cases, regulators conduct inspections or require an independent third-party audit. From our experience of assisting a large number of VASPs in their successful licensing journeys, we have drawn up a list of common reasons that regulators have cited as the basis for rejecting a Travel Rule implementation policy.

Common Rejection Reasons of Travel Rule Policy for Licensing Purposes

1. Counterparty — Absence of counterparty identification

2. Counterparty — Insufficient counterparty due diligence

3. Withdrawal — Absence of beneficiary VASP verification (reliance on user declaration)

4. Withdrawal — Absence of beneficiary verification prior to VA transfer (reliance on user declaration)

5. Withdrawal — Lack of confirmation on successful Travel Rule messaging prior to VA transfer

6. Deposit — Absence of ordering VASP verification (reliance on user declaration)

7. Deposit — Absence of originator verification (reliance on user declaration)

8. Personal Data — Insufficient protection measures resulting in personal data shared with wrong party

9. Insufficient risk mitigation towards Travel Rule non-obliged counterparty VASPs or unhosted wallets

FATF Recommendation 16, otherwise known as the Travel Rule, is one of the key standards of the global initiative for a VASP regulatory regime. Regulators collaborate internationally and draw upon experiences from other jurisdictions. By accumulating direct and indirect experience in dealing with the various types of VASPs, regulators are able to progress towards a more globally harmonised expectation of Travel Rule policy implementation. In the next section, we share how a VASP can meet regulatory expectations using a step-by-step guide.

Travel Rule Policy Guide

Step 1: Identify Key Counterparties

The first and the most important step of a Travel Rule exercise is counterparty identification. Without counterparty identification, a virtual asset could be sent to a high-risk or even a sanctioned VASP or beneficiary. Also, there is a real risk of sending sensitive personal data to the wrong party. Without identification, a VASP cannot proceed to the next step: Counterparty Due Diligence.

If a VASP is already in operation prior to Travel Rule implementation, identifying and prioritizing existing counterparties (using on-chain analytical tools) can be good practice to minimize disruption to current business flow. The FATF suggests a 3-phase process to ascertain whether a transaction is with a counterparty VASP.

Source: FATF October 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers

Determination is followed by identification and assessment of the counterparty VASP. This must be conducted at the legal-entity level. For example, if a VASP has affiliated legal entities in multiple jurisdictions, the counterparty VASP is deemed to be the legal entity in which the account holder or user (the beneficiary or originator of that transaction) is onboarded and AML/CFT risk mitigation is performed.

Step 2: Conduct Counterparty Due Diligence

Following identification and assessment, a VASP must conduct due diligence (“DD”) on its counterparties. The purpose of counterparty DD is to prevent dealing with illicit or sanctioned actors. The FATF standards require DD to be conducted prior to entering into any new business relationship and on a regular basis thereafter.

Counterparty DD policy needs to be well balanced. It has a decisive business impact, because it defines the allow-list of connected VASPs. The DD is also a bilateral exercise: a VASP needs to obtain documents from, or even establish a contractual relationship with, its counterparty VASPs. It is for this reason that we have seen a majority of regulated VASPs begin with a limited number of counterparties and gradually expand that number as more DD on VASPs is completed, in step with the enforcement of Travel Rule regulations in the VASP’s and the counterparties’ jurisdictions.

Any elevated AML/CFT risks identified according to FATF standards should be appropriately mitigated and the FATF suggests adapting the Wolfsberg questionnaire as a framework to conduct counterparty DD on VASPs.

Considerations on whether to enter into a counterparty relationship:

  • Is the counterparty’s legal entity identified?
  • Is the counterparty cooperative with DD?
  • Is the counterparty domiciled in high-risk (sanction, FATF grey-listed, etc.) jurisdictions?
  • Is there any risk flagged (name screen, adverse news, etc.) on the counterparty?
  • Is there any risk flagged (name screen, adverse news, etc.) on its directors and beneficial owners?
  • Is the counterparty licensed or regulated?
  • Is the counterparty Travel Rule obliged?
  • Is the ML/TF policy of the counterparty in line with FATF standards?
  • Is the counterparty operating or soliciting business in a jurisdiction where it should not be?
  • Is the counterparty associated with high risk activities (AECs or other anonymity enhancing tools)?
  • Is the counterparty able to safeguard personal data shared for Travel Rule compliance?

Step 3: Establish a Legal Basis to Transmit Personal Data

It is critical to establish the legal basis for Travel Rule information transmission. This includes sufficient disclosure to users, securing user consent on data sharing, establishing a legal basis to transmit personal data to each counterparty VASP and establishing a legal basis to transmit personal data to the Travel Rule solution provider.

Prior to Travel Rule implementation, there needs to be clear communication with users on the type of data being collected and shared. This process will involve updating the VASPs’ terms of use, privacy policy and any other similar user contract. For user protection, there also needs to be clear communication regarding the reliance on user declaration and consequences in cases where the declared information is verified to be inaccurate.

In compliance with personal data protection regulation, there needs to be specific user consent for each Travel Rule data sharing. Each transfer of Travel Rule information may involve a different personal data controller (the counterparty VASP). Hence, it is necessary to ensure that user consent is available for each transfer of virtual assets.

As the Travel Rule exercise includes personal data submission to a counterparty VASP, it is crucial to establish the legal basis for such information sharing. During the course of counterparty DD, it is necessary to assess whether a certain counterparty has sufficient capability and the legal obligation to securely handle personal data. It is also important to understand the personal data-related restrictions of your counterparty. If a certain counterparty is not obliged to comply with Travel Rule requirements, it may lack the necessary legal basis to share Travel Rule information. In such a case, enhanced risk mitigation measures need to be designed in such a way that personal data is not shared.

Typically, the Travel Rule solution acts as the personal data processor. A VASP needs to ensure that the Travel Rule solution provider has sufficient capability to securely process the personal information. Depending on the local regulation on personal data protection, an audit may be required on the Travel Rule solution provider. In addition to establishing the legal basis, the local regulation may also require the VASP to enter into a data processing agreement with the Travel Rule solution provider in order to define the respective responsibilities of the VASP as data controller and the Travel Rule solution provider as data processor.

Step 4: Understand the User Experience and Communicate the Changes

For any VASP, the successful transfer of virtual assets is one of the most critical features of their offering. Any disruption or delay will lead to a serious impact on the user and at times, potential losses due to their inability to trade during periods of volatility. Travel Rule is a relatively new initiative and may be perceived as a hassle to the user. It is for this reason that there have been attempts to process Travel Rule information sharing at the server communication level, without affecting the user front-end experience.

We are, however, of the opinion that it is impossible to process the Travel Rule exercise entirely in the background for various reasons. In VerifyVASP’s solution, the ordering VASP needs to ask its users for the names of the beneficiary and beneficiary VASPs. The counterparty DD exercise will enable the VASP to define a list of approved VASPs, which may be useful to be shared with the user for their selection. A user may not know the full legal name and/or jurisdiction behind a certain VASP. The disclosure of certain personal information to the counterparty VASP will require a VASP to not only establish the legal basis for personal data sharing, but to also ensure that the counterparty VASP is obliged to implement personal data protection measures over the personal data received. Moreover, in case the beneficiary verification fails, it needs to be communicated to the user.

This can result in a VASP needing to prepare additional UX for virtual asset deposits and withdrawals. Given the importance of this feature, there should be clear communication with users around what will be affected and changed, well in advance. User communication should include any limitations on the counterparty VASPs, declaration and verification process. Also, there needs to be clear communication on the implication for cases of deposits received, without the necessary Travel Rule information.

Step 5: Collect Counterparty Data from User and Verify the Accuracy

A common mistake in Travel Rule implementation occurs when an ordering VASP focuses more on the submission of the required information than verifying the accuracy of declared information (beneficiary VASP and beneficiary). In such cases, the Travel Rule information can be transmitted to the wrong party, resulting in non-compliance with Travel Rule and breach of the personal data protection regulations. Even if data is transmitted to the right counterparty VASP, if the declared beneficiary information is not verified to be accurate, there is a risk of transferring virtual assets to illicit actors, undermining the intended objective of the Travel Rule.

Some VASPs rely on the Travel Rule solution to identify their counterparty VASP. But if the process of identifying counterparties involves sharing personal data with a third party without the user’s specific consent, it may result in a violation of personal data protection regulations.

The FATF guidance does not specifically require ordering VASPs to verify the accuracy of beneficiary information. But the ordering VASPs are obliged to conduct name screening on beneficiaries. Also, in cases where the beneficiary information is not consistent, the beneficiary VASPs may not process the transfer in and may choose to return the virtual asset back, resulting in unnecessary user complaints to the ordering VASP. For these reasons, we are of the opinion that the verification of beneficiary information should be made compulsory, in practice.

Summary of data requirements for ordering and beneficiary VASPs in FATF’s 2021 “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers”

Step 6: Understand the Implications of “immediately” and “securely”

The FATF guidance and most local regulations require the Travel Rule information to be submitted immediately and securely. But in our experience, there have been varying degrees of misunderstanding of what each term actually means.

“Immediately” means that the ordering VASP should submit required information prior to, or simultaneously or concurrently with, the virtual asset transfer (i.e. the submission must occur before or at the same time as the virtual asset transfer is conducted, but not after). For example, transmitting Travel Rule information after the transfer of the virtual asset (for the purpose of obtaining TXID) is not deemed as ‘immediate’.

“Securely” means that the ordering institution should store and submit the required information in a manner that protects its integrity and availability and guards it against unauthorised access or disclosure. Several measures are suggested or imposed to ensure this:

  • undertaking counterparty due diligence to determine whether the beneficiary institution and, where applicable, the intermediary institution can reasonably be expected to protect, and are legally obliged to protect, the confidentiality and integrity of the information submitted to it;
  • entering into bilateral data sharing agreements with the beneficiary institution and, where applicable, the intermediary institution, and/or a service-level agreement with the technological solution provider for Travel Rule compliance;
  • using, or ensuring that the technological solution adopted for Travel Rule compliance uses, a strong encryption algorithm to protect the data.
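The sequencing that Steps 5 and 6 (and rejection reasons 3 to 5 above) demand can be made mechanical on the ordering VASP’s side: check the declared beneficiary VASP against the allow-list produced by counterparty DD, screen the declared beneficiary, send the Travel Rule message, and broadcast the on-chain transfer only once the beneficiary VASP has confirmed. The following is an added example, not VerifyVASP’s code or protocol; the VASP names, addresses, screening list and the simulated beneficiary-VASP response are all constructed, and the “no response” counterparty exists only to show the withhold path.

```python
"""Withdrawal gate on the ordering-VASP side (added example, not VerifyVASP code).

Order enforced: allow-list check -> name screening -> Travel Rule message ->
confirmation -> on-chain broadcast. Broadcast never happens before confirmation.
All names, addresses and records below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    BROADCAST = "transfer broadcast after Travel Rule confirmation"
    REJECT_VASP_NOT_APPROVED = "declared beneficiary VASP is not an approved counterparty"
    REJECT_SCREENING_HIT = "declared beneficiary matched the screening list"
    REJECT_BENEFICIARY_MISMATCH = "beneficiary VASP could not verify the declared beneficiary"
    HOLD_NO_CONFIRMATION = "no confirmation from beneficiary VASP; transfer withheld"


@dataclass
class Withdrawal:
    originator_name: str
    originator_account: str
    declared_beneficiary_vasp: str   # user declaration, to be verified
    declared_beneficiary_name: str   # user declaration, to be verified
    destination_address: str
    asset: str
    amount: str                      # decimal string, as a wallet backend carries it


# Constructed allow-list: the output of counterparty DD in Step 2.
APPROVED_VASPS = {"Example Exchange Ltd", "Sample Custody Pte Ltd", "Silent Broker Inc"}

# Constructed screening list; a real deployment queries a sanctions/PEP vendor.
SCREENING_LIST = {"sanctioned person"}

# Constructed stand-in for each beneficiary VASP's account records, i.e. what
# that VASP consults when answering a verification request. "Silent Broker Inc"
# is approved but never answers, which exercises the withhold path.
BENEFICIARY_RECORDS = {
    "Example Exchange Ltd": {"addr_ex_001": "Alice Tan", "addr_ex_002": "Bob Lee"},
    "Sample Custody Pte Ltd": {"addr_sc_001": "Carol Ng"},
}


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def name_screen(name: str) -> bool:
    """True on a hit. Exact match after normalisation; production screening
    adds fuzzy matching and transliteration, which is out of scope here."""
    return _norm(name) in SCREENING_LIST


def send_travel_rule_message(vasp: str, w: Withdrawal) -> str:
    """Simulated request/response with the beneficiary VASP.
    Returns 'confirmed', 'mismatch' or 'no_response'."""
    records = BENEFICIARY_RECORDS.get(vasp)
    if records is None:
        return "no_response"
    holder = records.get(w.destination_address)
    if holder is None or _norm(holder) != _norm(w.declared_beneficiary_name):
        return "mismatch"
    return "confirmed"


def process_withdrawal(w: Withdrawal, events: Optional[List[str]] = None) -> Outcome:
    """Run the gate. `events` collects an audit trail so that the ordering of
    'travel_rule_confirmed' before 'blockchain_broadcast' can be checked."""
    if events is None:
        events = []
    if w.declared_beneficiary_vasp not in APPROVED_VASPS:
        events.append("rejected_vasp_not_approved")
        return Outcome.REJECT_VASP_NOT_APPROVED
    if name_screen(w.declared_beneficiary_name):
        events.append("rejected_screening_hit")
        return Outcome.REJECT_SCREENING_HIT
    events.append("travel_rule_message_sent")
    status = send_travel_rule_message(w.declared_beneficiary_vasp, w)
    if status == "mismatch":
        events.append("rejected_beneficiary_mismatch")
        return Outcome.REJECT_BENEFICIARY_MISMATCH
    if status != "confirmed":
        events.append("held_no_confirmation")
        return Outcome.HOLD_NO_CONFIRMATION
    events.append("travel_rule_confirmed")
    # Broadcasting here, and only here, is what makes the submission
    # "immediate" in the FATF sense: before or with the transfer, never after.
    events.append("blockchain_broadcast")
    return Outcome.BROADCAST


if __name__ == "__main__":
    trail: List[str] = []
    good = Withdrawal("Dan Ho", "acct_42", "Example Exchange Ltd", "Alice Tan",
                      "addr_ex_001", "ETH", "1.5")
    print(process_withdrawal(good, trail).value, trail)
```

The audit trail is the part worth keeping in a real system: an inspector asking whether messaging preceded the transfer can be answered from the event order rather than from a policy document.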

Step 7: Develop an Effective Enhanced Risk Mitigation Measure

If a counterparty is unregulated or otherwise not obliged by the Travel Rule, it may not have a legal basis to transfer personal data. In such a case, the FATF guidance suggests that obliged VASPs apply a risk-based approach and implement enhanced risk mitigation measures. Given the sunrise issue and the disparity in the types of VASPs, establishing enhanced mitigation measures is necessary to be both compliant and commercially viable.

A common enhanced risk mitigation measure is to limit transactions to first-party transfers only. In such a case, both the originator and the beneficiary are the same user of the VASP. The VASP can then rely on its own due diligence on its user, including onboarding screening and on-going monitoring. In our experience, an absolute majority of virtual asset transfers are first-party transfers made for the purpose of moving virtual assets from one VASP to another. Limiting transfers to first party dramatically reduces ML/TF risk while still supporting this key usage scenario.

Step 8: Develop a Policy for Travel Rule Non-Compliant Deposits

Upon the implementation of the Travel Rule, there will inevitably be Travel Rule non-compliant deposits. This is unavoidable due to the nature of blockchain transactions. Without a clear policy and well-prepared workflows, this leads to serious disruption to the user experience and, in some cases, loss for the user.

When a beneficiary VASP becomes aware that Travel Rule information provided by ordering VASP is not sufficient, the beneficiary VASP must request additional information before making the assets available to the intended beneficiary. If further information is not forthcoming, then it should consider rejecting the transfer or returning the transfer to the originator’s account. In case a Travel Rule non-compliant deposit is being repeated, then a VASP needs to re-consider the counterparty relationship.

In practice, there will be 4 types of Travel Rule non-compliant deposits:

· Deposits originating outside of approved VASPs

· Deposits from approved VASP with insufficient Travel Rule information

· Deposits from approved VASP with inconsistent beneficiary information

· Deposits from approved VASP where originator is not an allowed person (in case of first party transfer limitation)

A VASP needs to prepare its policy and workflow to address each case well in advance. Communication with users on the policy is essential to minimize user disruption.

A common practice adopted by regulated VASPs is to withhold the assets until Travel Rule compliance has been achieved. Unless the necessary information is collected, verified and screened where necessary, the assets are not to be made available to the intended beneficiary. If the necessary information cannot be secured, then the deposited asset may need to be returned to the originator. To minimise user disruption or loss, the return needs to be processed in a timely manner within the Travel Rule compliance and broader ML/TF framework. This leads to the necessity of a return policy for Travel Rule non-compliant deposits. In many cases, we have observed the lack of a streamlined return policy resulting in serious complications post Travel Rule implementation.

Step 9: Develop a Detailed Workflow for the Return Process

Neither the FATF guidance nor local regulations specifically prescribe requirements on a return policy for Travel Rule non-compliant deposits. This leads to VASPs adopting various practices on return policies. The key considerations on a return policy are: i) where to return to, ii) who to return to, iii) applicability of Travel Rule compliance.

Most VASPs operate aggregated wallets (usually hot wallets) to process multiple users’ withdrawal requests. While deposit wallet addresses are unique to each user, withdrawal wallet addresses (the ‘from’ address in a blockchain transaction) are not. Where a VASP relies on a third-party custodian, the blockchain wallet which initiated a certain VA transfer may not even be managed by that VASP. For this reason, simply returning to the ‘from’ or originating address identified by a blockchain explorer may lead to the loss of the virtual asset. If a VASP wishes to return the virtual assets to the originator’s account managed by the ordering VASP, it may need to separately collect the deposit address of the originator with the consent of both originator and intended beneficiary.

Source: VerifyVASP

In case the originator is not the same person as the intended beneficiary, there is a complication of who to return the assets to: back to the originator or to a wallet address in the name of the intended beneficiary managed in another VASP (among the approved VASPs in the context of counterparty DD).

This is an interconnected problem with iii) the applicability of Travel Rule on return process. In case Travel Rule compliance needs to be applied on the return transaction, sending the transfer back to the originator may not be feasible since there is no guarantee that the originator (not a user of the VASP) has an account amongst the approved VASPs. If it is possible not to apply Travel Rule on the return process, then returning the transfer back to the originator is a possible option. But even in this case, there needs to be specific consent from both originator and intended beneficiary regarding the collection of data and return of assets. Name screening on originator and on-chain screening on requested destination wallet address (not ‘from’ address) will be necessary to avoid transferring assets to illicit actors. This transaction will generate a withdrawal transaction towards an ‘out of approved VASP’ and may need to pass sufficient internal approvals processes with written record.

Considering such complications, we are of the opinion that returning the asset transfers to the intended beneficiary’s other account kept in an approved VASP (upon the consent of the originator), within the Travel Rule or enhanced risk mitigation process, is the more straightforward solution. Still, this practice carries the risk of a VASP being abused to form a chain of asset transfers, circumventing otherwise impossible transfers. For example, consider VASPs A, B and C, with a counterparty relationship established only between VASP B and VASP C: the return policy can be abused to form a chain of transfers from VASP A to B to C, effectively allowing VASP A to transfer the assets to C indirectly. For this reason, the return can only be processed upon due consideration of the relevant facts and internal approvals, to discourage any abusive practice.

Lastly, if not required by regulation, a VASP needs to decide whether to apply the Travel Rule or an enhanced risk mitigation measure when returning the transaction. We are of the opinion that the Travel Rule or an enhanced risk mitigation measure should be applied even in the case of a Travel Rule return transaction. As described in the section above, omitting the Travel Rule does not make the return process any easier for a VASP or its user, because of the responsibility for name screening and on-chain monitoring, together with the data collection complications. Also, where a user has received a (Travel Rule non-compliant) deposit, the user usually has an account at another VASP, making the return more feasible. If a VASP wishes to further mitigate the risk associated with a return transaction, limiting the beneficiary to the first party only (the user itself) could be a straightforward option, as long as it can secure consent from the originator for the intended return transaction.
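Steps 8 and 9 together describe a decision procedure on the beneficiary VASP’s side: classify each deposit against the four non-compliant cases, withhold anything that is not compliant, and then route any return under the three considerations (where, to whom, and whether the Travel Rule applies), with the A-to-B-to-C chaining risk as a reason to escalate rather than return automatically. The block below is an added example written for this post, not VerifyVASP’s code; the approved list, the first-party-only counterparty, the user records and every address are constructed, and the rule that third-party or out-of-list destinations go to manual approval is one reasonable reading of the text, not a prescribed standard.

```python
"""Beneficiary-VASP side of Steps 8 and 9 (added example, not VerifyVASP code).

classify_deposit maps a deposit to one of the four non-compliant cases or to
COMPLIANT; decide_return routes a return request for a withheld deposit.
All names, addresses and records are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class DepositStatus(Enum):
    COMPLIANT = "release to the intended beneficiary"
    OUTSIDE_APPROVED_VASPS = "withhold: not from an approved VASP"
    INSUFFICIENT_INFO = "withhold: Travel Rule information incomplete"
    INCONSISTENT_BENEFICIARY = "withhold: beneficiary information inconsistent"
    ORIGINATOR_NOT_ALLOWED = "withhold: originator not permitted (first-party only)"


class ReturnDecision(Enum):
    RETURN = "return to beneficiary's own account at an approved VASP"
    MANUAL_APPROVAL = "escalate for documented internal approval"
    REFUSE = "refuse"


@dataclass
class TravelRuleMessage:
    ordering_vasp: str
    originator_name: Optional[str] = None
    originator_account: Optional[str] = None
    beneficiary_name: Optional[str] = None
    beneficiary_account: Optional[str] = None   # destination address


@dataclass
class Deposit:
    txid: str
    from_address: str                      # on-chain 'from'; often a shared hot wallet
    to_address: str
    message: Optional[TravelRuleMessage]   # None when nothing was received


@dataclass
class ReturnRequest:
    deposit: Deposit
    destination_vasp: str
    destination_address: str
    destination_holder: str        # account holder name at the destination
    originator_consent: bool
    beneficiary_consent: bool


APPROVED_VASPS = {"Example Exchange Ltd", "Sample Custody Pte Ltd"}   # from Step 2 DD
FIRST_PARTY_ONLY = {"Sample Custody Pte Ltd"}                         # Step 7 mitigation
OUR_USERS = {"addr_us_001": "Alice Tan", "addr_us_002": "Bob Lee"}    # deposit address -> holder
REQUIRED = ("originator_name", "originator_account", "beneficiary_name", "beneficiary_account")


def _norm(name: Optional[str]) -> str:
    return " ".join((name or "").lower().split())


def classify_deposit(d: Deposit) -> DepositStatus:
    m = d.message
    if m is None or m.ordering_vasp not in APPROVED_VASPS:
        return DepositStatus.OUTSIDE_APPROVED_VASPS
    if any(not getattr(m, field) for field in REQUIRED):
        return DepositStatus.INSUFFICIENT_INFO
    holder = OUR_USERS.get(d.to_address)
    if (holder is None or m.beneficiary_account != d.to_address
            or _norm(m.beneficiary_name) != _norm(holder)):
        return DepositStatus.INCONSISTENT_BENEFICIARY
    if m.ordering_vasp in FIRST_PARTY_ONLY and _norm(m.originator_name) != _norm(holder):
        return DepositStatus.ORIGINATOR_NOT_ALLOWED
    return DepositStatus.COMPLIANT


def decide_return(r: ReturnRequest) -> Tuple[ReturnDecision, str]:
    """The reason string is meant for the written record the post calls for."""
    d = r.deposit
    if classify_deposit(d) is DepositStatus.COMPLIANT:
        return ReturnDecision.REFUSE, "deposit is compliant; release it instead"
    # i) Where: never the on-chain 'from' address. It may be an aggregated hot
    # wallet or a custodian's wallet, and the asset could be lost.
    if r.destination_address == d.from_address:
        return ReturnDecision.REFUSE, "on-chain 'from' address is not a safe destination"
    if not (r.originator_consent and r.beneficiary_consent):
        return ReturnDecision.REFUSE, "consent of originator and intended beneficiary required"
    # iii) Applicability: the return is itself a transfer, so the approved list applies.
    if r.destination_vasp not in APPROVED_VASPS:
        return ReturnDecision.MANUAL_APPROVAL, "destination is outside the approved VASPs"
    # ii) To whom: the intended beneficiary's own account by default; anything
    # else needs a documented decision.
    if _norm(r.destination_holder) != _norm(OUR_USERS.get(d.to_address)):
        return ReturnDecision.MANUAL_APPROVAL, "destination account is not the beneficiary's own"
    # Chaining check: a deposit from outside the approved list that leaves toward
    # an approved VASP would let VASP A reach VASP C through us.
    if d.message is None or d.message.ordering_vasp not in APPROVED_VASPS:
        return ReturnDecision.MANUAL_APPROVAL, "origin outside approved VASPs; possible chaining"
    return ReturnDecision.RETURN, "beneficiary's own account at an approved VASP"
```

Note that the only path to an automatic return is a deposit that came from an approved counterparty but failed on content (missing fields, inconsistent beneficiary, disallowed originator) and is going back to the beneficiary’s own account at an approved VASP; everything that touches an unapproved VASP on either end is escalated.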

Step 10: Develop an Enhanced Mitigation Measure for Unhosted Wallets

Just like banks allow cash deposits or withdrawals, transfers in and out from/to unhosted wallets are unavoidable. When a user has a legitimate property right on a digital asset, it is very difficult to reject a withdrawal request to an unhosted wallet owned by the user. A user may choose to use certain VASPs only for the purpose of exchange but not for storing their asset. In such a case, forcing the user to use the custodian or storage service offered by the VASP or other VASPs is not appropriate.

Due to the complexity of returns of virtual assets, VerifyVASP’s platform offers immediate and secure verification of beneficiary information by the beneficiary VASP back to the ordering VASP, so that effective screening can take place prior to a blockchain transaction.

But unlike cash transactions happening with a bank teller, a transaction with an unhosted wallet is not face-to-face. There exist various limitations on cash transactions or transportation (especially for cross-border) whereas blockchain transactions are by definition borderless. Transmitting a pile of cash is a relatively cumbersome exercise depending on the amount and traveling distance but sharing a private key of a certain unhosted wallet is instant, borderless and difficult to trace.

Conversely, blockchain transactions involving unhosted wallets leave an immutable record publicly available, unlike a wallet managed by a VASP, and any withdrawal from an unhosted wallet can be deemed to be made by the beneficial owner of the unhosted wallet. While cash transactions hardly leave a trace to re-construct the transaction back, unhosted wallets leave a rich and dynamic dataset to be used for ML/TF risk mitigation.

Transactions with unhosted wallets can be seen as a trade-off between property rights and ML/TF risks, requiring an equitable balance to be found. But given the nature of blockchain transactions, it is at its core a data problem. The prevailing question is how to obtain sufficient data for ML/TF risk mitigation while supporting users’ legitimate property rights.

Whilst FATF specifies that unhosted wallets are out of scope for the Travel Rule, the FATF guidance and subsequent updates highlight their inherent risks and suggest a variety of mitigation measures. Under this guidance, most of the local regulations mandate certain risk mitigation measures towards unhosted wallets. Some jurisdictions are restricting transfers to or from unhosted wallets to first party transfers only.

However, establishing ownership (or control) of a self-hosted wallet can be challenging and there have been varying practices in the industry, which we summarise below.

Source: VerifyVASP
  • Level 1 — a simple declaration or digital signature from the user that they own the self-hosted wallet. This can be perceived as an ineffective control by most regulators.
  • Level 2 — a manual test such as a Satoshi test that is a combination of user declaration coupled with a penny test of a specified amount to the self-hosted wallet. This method may not be reliable as a third party could simply transfer the required test amount. It is also manual and not scalable.
  • Level 3 — involves user declaration and using the private key signature from within the VASP’s own interface with the limitation of same time, IP address and device. At the moment, this is generally perceived as relatively reliable.
  • Level 4 — is similar to Level 3 but further enhances risk mitigation with global uniqueness and source verification. Global uniqueness means there is only one beneficiary owner of a certain unhosted wallet across multiple VASPs. Source verification traces deposit history of certain unhosted wallets to verify how much deposit was actually from the beneficiary owner. Unlike Level 3 approach, this provides a dynamic dataset, updating the risk profile of certain unhosted wallets in real-time.
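The two properties that distinguish Level 4 from Level 3 above are both checks over data rather than over a one-off signature: global uniqueness (a wallet is claimed by one beneficial owner across all participating VASPs) and source verification (how much of the wallet’s deposit history is attributable to that owner, recomputed as new inflows arrive). The block below is an added example, not VerifyVASP’s code or data model. It assumes that VASPs can agree on an `owner_ref` (for instance a hash of verified identity attributes) to compare owners without exchanging raw personal data, and that an inflow can be attributed to an owner from a VASP’s own withdrawal records; the risk thresholds and all sample data are constructed.

```python
"""Level 4 style checks for an unhosted wallet (added example, not VerifyVASP code).

WalletRegistry enforces global uniqueness of the claimed owner across VASPs;
source_verification measures the share of deposit history attributable to
that owner. The owner_ref scheme, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class OwnershipClaim:
    vasp: str
    owner_ref: str          # cross-VASP identity reference (assumed scheme)
    verified_level: int     # 1-4, as in the levels above


@dataclass
class Inflow:
    txid: str
    amount: float
    source_owner_ref: Optional[str]   # owner of the sending account if attributable, else None


class WalletRegistry:
    """Global uniqueness: one beneficial owner per unhosted wallet across VASPs."""

    def __init__(self) -> None:
        self.claims: Dict[str, OwnershipClaim] = {}

    def register(self, wallet: str, claim: OwnershipClaim) -> Tuple[bool, str]:
        if claim.verified_level < 3:
            return False, "declaration or penny test alone is not accepted"
        existing = self.claims.get(wallet)
        if existing is not None and existing.owner_ref != claim.owner_ref:
            return False, f"wallet already claimed by a different owner via {existing.vasp}"
        self.claims[wallet] = claim   # same owner re-registering via another VASP is fine
        return True, "registered"


def source_verification(inflows: List[Inflow], owner_ref: str) -> Dict[str, float]:
    """Share of the wallet's deposit history from the claimed owner, from other
    identified owners, and from unattributable sources."""
    total = sum(i.amount for i in inflows)
    if total == 0:
        return {"owner": 0.0, "other": 0.0, "unknown": 0.0}
    owner = sum(i.amount for i in inflows if i.source_owner_ref == owner_ref)
    unknown = sum(i.amount for i in inflows if i.source_owner_ref is None)
    return {"owner": owner / total,
            "other": (total - owner - unknown) / total,
            "unknown": unknown / total}


def risk_rating(shares: Dict[str, float]) -> str:
    """Constructed thresholds. Because the shares are recomputed on every new
    inflow, the rating moves with the wallet's history rather than being fixed
    at the time of the ownership test."""
    if shares["other"] >= 0.25 or shares["owner"] < 0.5:
        return "high"       # material funding by other identified owners, or mostly not the owner
    if shares["owner"] >= 0.8:
        return "low"
    return "medium"


if __name__ == "__main__":
    reg = WalletRegistry()
    print(reg.register("wallet_001", OwnershipClaim("Example Exchange Ltd", "owner_a", 3)))
    history = [Inflow("t1", 2.0, "owner_a"), Inflow("t2", 0.5, "owner_b"), Inflow("t3", 1.5, None)]
    shares = source_verification(history, "owner_a")
    print(shares, risk_rating(shares))
```

A conflicting claim is itself a signal worth recording: two different owner references on one wallet is exactly the shared-control pattern that Level 3 cannot see from a single VASP’s vantage point.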

Finally: Use a Proven Travel Rule Solution

Travel Rule compliance used to be a daunting task. Whilst Travel Rule compliance is a well-established concept in cross-border remittance, adopting it in the context of virtual assets represented a whole new challenge for the industry. It is noteworthy that traditional finance took decades to settle on its Travel Rule messaging protocol. VASPs and regulators have only had a few years to design, develop and implement a working Travel Rule solution for the virtual assets ecosystem, in the context of heightened ML/TF risk associated with virtual asset activities, further exacerbated by the challenge of building a VASP regulative regime. VASPs are not banks that perform within predictable frameworks, they operate in a myriad of business activities and sizes. In most cases, Travel Rule implementation requires an enterprise-wide focused sprint including compliance, personal data, user front re-design, wallet operation, data collection and verification, customer support and of course, collaboration with unwilling competitors.

However, the progress made thus far, has made such a challenge not seem formidable anymore. After a few years of operation, we now have Travel Rule solution providers with proven track records. VerifyVASP has processed over 6,000,000 Travel Rule verifications for regulated VASPs, which translates to more than $100B in value, as at the end of 2023. For third party assurance, VerifyVASP has completed its audit by a reputable independent assessor for SOC2, together with its responses to the FATF Guiding Questions for Travel Rule Compliance Tool providers in their June 2023 Targeted Update on Implementation of FATF Standards on VA-VASPs.

Various requirements and unseen nuances have been resolved and integrated into the protocols of the VerifyVASP platform. The services provided by VerifyVASP include policy consultation, counterparty verification, DD support, Travel Rule messaging, enhanced risk mitigation measures and on-going support. With the experience of supporting more than 100 VASPs around the world, we have accumulated the expertise to provide streamlined guidance for the Travel Rule implementation journey.

A VASP seeking a license today does not need to repeat the same mistakes that others stumbled upon. It is unnecessary and in this fast-paced sector, can prove to be fatal, as we have observed in certain scenarios where regulators have ordered the unfortunate VASPs to cease operations. With our collaboration, we are seeing more of our members securing regulatory approval on their Travel Rule implementation plans around the world. VerifyVASP is devoted to accelerating global adoption of Travel Rule in the virtual asset industry to thwart money laundering and terrorism financing around the world. Please reach out to us for guidance on Travel Rule implementation. As the largest Travel Rule solution provider in the world by measure of value of virtual assets verified, we are happy to share our hard earned experiences to shorten and accelerate your licensing journey.
