Learn what the controversial Travel Rule is, the difficulties countries may face with its incorporation, why you need to get ready for its widespread implementation, and how it’s different from the US FinCEN’s Travel Rule.
The global anti-money laundering watchdog, Financial Action Task Force (FATF), recently published its updated recommendations, one of which now requires Virtual Asset Service Providers (VASPs) and financial institutions engaged in virtual asset (VA) transfers to collect and share personal data of a transaction’s sender and recipient. This is stated in Recommendation 16, commonly referred to as the Travel Rule.
Initially, this requirement only applied to financial institutions; however, in 2019, the FATF expanded its recommendation to include VASPs, or platforms that provide cryptocurrency services.
Members of the FATF and FATF-style regional bodies are already beginning to incorporate the Travel Rule into their respective anti-money laundering (AML) laws. According to the FATF Targeted Update on Implementation of FATF Standards on Virtual Assets-VASPs, as of March 2022, 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation, while only 11 jurisdictions have begun implementing enforcement and supervisory measures. Most recently, Japan announced that it would bring crypto transactions under the Travel Rule by May 2023. In the UK, Regulation 5 (on cryptoasset transfers) of the Money Laundering and Terrorist Financing Regulations comes into force on September 1, 2023—the same is expected in Lithuania in 2025.
This regulatory shift has jolted the crypto sector and resulted in confusion on how to implement and comply with the new FATF recommendation. In this article, we’ll go over the Travel Rule’s requirements and provide some tips on how businesses can ensure compliance effectively.
The Travel Rule is a term used to refer to FATF Recommendation 16, which covers measures to combat money laundering and terrorism financing (ML/TF).
It requires financial institutions engaged in VA transfers and crypto companies—collectively referred to as VASPs—to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.
Because the personal data of the transacting parties ‘travels’ with their transfers, the regulation was dubbed the “Travel Rule”.
The FATF recommends that countries adopt a de minimis threshold of 1,000 USD/EUR for VA transfers, while keeping in mind that there would be comparatively fewer requirements for VA transfers below the threshold compared to those above the threshold.
For VA transfers under the threshold, VASPs must collect:
Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.
For transfers exceeding the threshold, VASPs must collect:
Recommendation 16 applies to VASPs whenever their transactions, whether in fiat currency or virtual assets (VA), involve either:
While the transfer of personal data between financial institutions has been a long-established process, it is still a relatively new requirement for the crypto industry—one that entails building an unprecedented communication network between crypto platforms.
Implementation of the Travel Rule has been slow because of the many questions it raises. Some of these issues include:
The FATF requires all jurisdictions to impose the Travel Rule on:
According to the FATF, a company is considered a VASP if it provides the following services:
Under certain conditions, decentralized services (DeFi) and other P2P platforms may also be considered VASPs and are therefore obliged to comply with the FATF Travel Rule.
The definition of VASP may also differ depending on the jurisdiction, since the FATF’s definitions and recommendations are not mandated. However, many FATF member states—including the US, South Korea, and Singapore, among others—have implemented the Travel Rule in their national legislation in one form or another.
Check Sumsub’s global guide on KYC crypto regulations here:
Sanctions: If a business operating in a jurisdiction where the Travel Rule is implemented fails to comply, it could face local regulatory sanctions. For example, in Estonia “the penalty for failure by an executive or employee of a provider of virtual currency service to ascertain or verify any information relating to a payer, or for providing the service outside of a business relationship (…) is a fine of up to 300 fine units. The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.”
The Travel Rule’s main requirements are:
In short, a company needs to introduce two solutions to stay compliant: one for collecting data and another for sharing it. Luckily, the FATF does not dictate the specific method or technology companies can use for sharing data—it is up to the discretion of each individual company.
Here is our take on the most efficient approach to Travel Rule compliance.
In most cases, companies already have a client’s personal data by the time a transaction occurs, thanks to previous KYC processes.
But, if a company doesn’t conduct KYC checks, it should consider a regular KYC process to remain compliant with the Travel Rule. And when doing the transfer, the company must remember to collect additional data about its clients (e.g., customer identification number, or date and place of birth).
Regardless of the data collection/sharing technology it chooses, a company must also ask customers to fill in the name and account number of the individual they want to send money to.
The most efficient way to manage these processes is to find a KYC and crypto transaction monitoring tool that:
So you’ve collected the relevant personal data. How do you securely transfer it to another financial institution or crypto business?
To quickly recap, the Travel Rule requires VASPs to share the personal information of a transaction’s sender and recipient with other financial businesses or VASPs. Since the FATF does not advise the use of any specific data sharing technology, there is no single protocol or network for data transfer. That is why a number of networks for encrypted data transfers already exist, including OpenVASP, Shyft, and Trisa. But there are still issues associated with these networks, like protocol compatibility, which is why combining a data gathering solution and data sharing solution will ensure that businesses can stay compliant with the Travel Rule.
In 1996, the US Financial Crimes Enforcement Network (FinCEN), under the Bank Secrecy Act (BSA), introduced a rule similar to FATF Recommendation 16 for financial institutions operating within its jurisdiction.
Initially, this rule applied to traditional money only, but in 2019 FinCEN confirmed that the BSA Travel Rule would also apply to VASPs, which in the US are called money-services businesses (MSBs) or money transmittors.
Therefore, the FinCEN rule served as the foundation for the FATF Travel Rule. Although both Travel Rules appeared at different times, the FATF recommendation can be applied by any country worldwide. The US Travel Rule is a national interpretation of this requirement and has its own specifics.
Like the FATF Travel Rule, the FinCEN Travel Rule requires financial institutions and VASPs to collect and exchange information on a transaction’s originator and beneficiary. VASPs are also required by the US to confirm that crypto transactions do not originate from or are sent to sanctioned countries or companies.
However, the FinCEN Travel Rule has a different threshold. Only transfers equal to or greater than 3,000 USD—including any foreign equivalent and VA—are subject to this rule, regardless of whether currency is involved. In 2020, financial regulators in the US—the Board of Governors of the Federal Reserve System, FinCEN, and the Treasury—proposed that the BSA be modified to reduce the general Travel Rule threshold from $3,000 to $250 for international transfers; however, the amendments have yet to be enacted.
As many of the following items as are received with the transmittal order:
The FATF Travel Rule is a requirement that targets the anonymity of crypto transactions in order to prevent money laundering. By following this rule, you can detect suspicious users and avoid fraud, all while keeping your reputation flawless and avoiding fines from regulators.
The Travel Rule is a key AML/CFT measure, which mandates that VASPs obtain, hold, and exchange information about the originators and beneficiaries of virtual asset transfers. This enables financial institutions and VASPs to conduct sanctions screenings and detect suspicious transactions so that any necessary measures can be taken.
The application of the FATF’s wire transfer requirements (Recommendation 16) in the VA context is called the “travel rule” because the personal data of the transacting parties ‘travels’ along with their transfers.
The FATF’s Travel Rule requires VASPs, along with other financial institutions, to share relevant originator and beneficiary information from virtual asset transactions, with the aim of preventing money-laundering, terrorist financing, and other fraud activity. Recommendation 16 applies to VASPs whenever their transactions, whether in fiat currency or virtual asset, involve either:
The FATF recommends a de minimis threshold of 1,000 USD/ EUR. If companies apply a lower threshold, they can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own threshold or forego one altogether. In the US BSA Travel Rule, for example, has a threshold of 3,000 USD.
The Automated Clearing House (ACH) is the primary system that agencies use for electronic funds transfers. With ACH, funds are electronically deposited in financial institutions, and payments are made online. The US BSA Travel Rule does not apply to ACH transactions.