The global anti-money laundering watchdog, Financial Action Task Force (FATF), recently published its updated recommendations, one of which now requires Virtual Asset Service Providers (VASPs) and financial institutions engaged in virtual asset (VA) transfers to collect and share personal data of a transaction’s sender and recipient. This is stated in Recommendation 16, commonly referred to as the Travel Rule.

Initially, this requirement only applied to financial institutions; however, in 2019, the FATF expanded its recommendation to include VASPs, or platforms that provide cryptocurrency services. 

Members of the FATF and FATF-style regional bodies are already beginning to incorporate the Travel Rule into their respective anti-money laundering (AML) laws. According to the FATF Targeted Update on Implementation of FATF Standards on Virtual Assets-VASPs, as of March 2022, 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation, while only 11 jurisdictions have begun implementing enforcement and supervisory measures. Most recently, Japan announced that it would bring crypto transactions under the Travel Rule by May 2023. In the UK, Regulation 5 (on cryptoasset transfers) of the Money Laundering and Terrorist Financing Regulations comes into force on September 1, 2023—the same is expected in Lithuania in 2025.

This regulatory shift has jolted the crypto sector and resulted in confusion on how to implement and comply with the new FATF recommendation. In this article, we’ll go over the Travel Rule’s requirements and provide some tips on how businesses can ensure compliance effectively.

The Highlights

1. What is the FATF Travel Rule?
2. Issues with the Travel Rule
3. Who is affected?
4. How to comply
5. Key takeaways
6. What is the Bank Secrecy Act Travel Rule?
7. FATF vs BSA Travel Rule
8. FAQ

What is the FATF Travel Rule

The Travel Rule is a term used to refer to FATF Recommendation 16, which covers measures to combat money laundering and terrorism financing (ML/TF).

It requires financial institutions engaged in VA transfers and crypto companies—collectively referred to as VASPs—to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.

Because the personal data of the transacting parties ‘travels’ with their transfers, the regulation was dubbed the “Travel Rule”.

The FATF recommends that countries adopt a de minimis threshold of 1,000 USD/EUR for VA transfers, while keeping in mind that there would be comparatively fewer requirements for VA transfers below the threshold compared to those above the threshold. 

For VA transfers under the threshold, VASPs must collect:

• The name of the originator (sender) and the beneficiary (recipient)
• The VA wallet address for each or a unique transaction reference number

Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.

For transfers exceeding the threshold, VASPs must collect:

• Originator’s name 
• Originator’s account number for the account used to process the transaction (e.g., wallet address)
• Originator’s physical (geographical) address; national identity number; customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution; or date and place of birth
• Beneficiary’s name 
• Beneficiary’s account number for the account used to process the transaction (e.g., wallet address)

Recommendation 16 applies to VASPs whenever their transactions, whether in fiat currency or virtual assets (VA), involve either: 

• A traditional wire transfer
• A VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other financial institution)
• A VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet). This is a special case, as the FATF does not expect that VASPs, when originating a VA transfer, should submit the required information to individuals who are not obliged entities (e.g., to an unhosted wallet).

While the transfer of personal data between financial institutions has been a long-established process, it is still a relatively new requirement for the crypto industry—one that entails building an unprecedented communication network between crypto platforms.

Issues with the Travel Rule

Implementation of the Travel Rule has been slow because of the many questions it raises. Some of these issues include:

• The “sunrise issue”, an analogy wherein one VASP wants to tell another VASP about a sunrise it’s experiencing, but the second VASP has yet to experience a sunrise at all. This exchange about the sunrise is an analogy for the miscommunication that can arise between VASPs if one hasn’t implemented the Travel Rule.  
• Different approaches to Travel Rule requirements, such as de minimis thresholds, data privacy issues, approaches to transactions with unlicensed/unregistered and unhosted wallets
• Determining an appropriate technological solution, or a combination of solutions, to meet FATF and local compliance obligations

Who is affected

The FATF requires all jurisdictions to impose the Travel Rule on:

1. Financial institutions, such as banks, that are engaged in VA transfers 
2. VASPs

According to the FATF, a company is considered a VASP if it provides the following services:

• Exchange between virtual assets and fiat currencies
• Exchange between one or more forms of virtual assets 
• Transfer of virtual assets
• Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
• Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset 

Under certain conditions, decentralized services (DeFi) and other P2P platforms may also be considered VASPs and are therefore obliged to comply with the FATF Travel Rule.

The definition of VASP may also differ depending on the jurisdiction, since the FATF’s definitions and recommendations are not mandated. However, many FATF member states—including the US, South Korea, and Singapore, among others—have implemented the Travel Rule in their national legislation in one form or another.

Sanctions: If a business operating in a jurisdiction where the Travel Rule is implemented fails to comply, it could face local regulatory sanctions. For example, in Estonia “the penalty for failure by an executive or employee of a provider of virtual currency service to ascertain or verify any information relating to a payer, or for providing the service outside of a business relationship (…) is a fine of up to 300 fine units. The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.”

Suggested read: The Revised FATF Guidance on Virtual Assets: How Does It Affect DeFi?

How to comply

The Travel Rule’s main requirements are:

• To conduct due diligence of the counterparty before sharing data
• For originating VASP:
  • Identify its client (originator)
  • Obtain the necessary information from the originator, retain a record and share the information with the beneficiary VASP after all checks
  • Screen to confirm that the beneficiary is not a sanctioned name
  • Monitor transactions and report when they raise suspicion 
• For beneficiary VASP:
  • Obtain the necessary information from the originator’s VASP, verify the accuracy and consistency of the necessary information, and retain a record
  • Screen to confirm that the originator is not a sanctioned name
  • Monitor transactions and report when they raise suspicion

In short, a company needs to introduce two solutions to stay compliant: one for collecting data and another for sharing it. Luckily, the FATF does not dictate the specific method or technology companies can use for sharing data—it is up to the discretion of each individual company.

Here is our take on the most efficient approach to Travel Rule compliance.

Obtaining sender and recipient information

In most cases, companies already have a client’s personal data by the time a transaction occurs, thanks to previous KYC processes.

But, if a company doesn’t conduct KYC checks, it should consider a regular KYC process to remain compliant with the Travel Rule. And when doing the transfer, the company must remember to collect additional data about its clients (e.g., customer identification number, or date and place of birth).

Regardless of the data collection/sharing technology it chooses, a company must also ask customers to fill in the name and account number of the individual they want to send money to.

The most efficient way to manage these processes is to find a KYC and crypto transaction monitoring tool that:

• Ensures comprehensive AML compliance: There are plenty of other AML requirements besides the Travel Rule or which accompany the Travel Rule, such as the requirement to verify customers at onboarding, and to conduct sanctions screenings of both the originator and beneficiary. An automated KYC/AML solution can help with this while reducing costs and the possibility of human error.
• Conducts transaction checks. Providers can verify that a client’s assets aren’t coming from criminal sources, such as darknet marketplaces, fraudulent exchanges, or mixing services (services that conceal one’s identity).
• Ensures compliance with data protection laws: Now that crypto companies must collect personal data, they fall under data protection regulations like GDPR, CCPA, and other national and local laws. A GDPR-complaint KYC/AML solution is a safe bet for companies wanting to keep up and remain compliant.
  

So you’ve collected the relevant personal data. How do you securely transfer it to another financial institution or crypto business?

Data sharing

To quickly recap, the Travel Rule requires VASPs to share the personal information of a transaction’s sender and recipient with other financial businesses or VASPs. Since the FATF does not advise the use of any specific data sharing technology, there is no single protocol or network for data transfer. That is why a number of networks for encrypted data transfers already exist, including OpenVASP, Shyft, and Trisa. But there are still issues associated with these networks, like protocol compatibility, which is why combining a data gathering solution and data sharing solution will ensure that businesses can stay compliant with the Travel Rule.

What is the Bank Secrecy Act Travel Rule?

In 1996, the US Financial Crimes Enforcement Network (FinCEN), under the Bank Secrecy Act (BSA), introduced a rule similar to FATF Recommendation 16 for financial institutions operating within its jurisdiction.

Initially, this rule applied to traditional money only, but in 2019 FinCEN confirmed that the BSA Travel Rule would also apply to VASPs, which in the US are called money-services businesses (MSBs) or money transmittors. 

Therefore, the FinCEN rule served as the foundation for the FATF Travel Rule. Although both Travel Rules appeared at different times, the FATF recommendation can be applied by any country worldwide. The US Travel Rule is a national interpretation of this requirement and has its own specifics.

Like the FATF Travel Rule, the FinCEN Travel Rule requires financial institutions and VASPs to collect and exchange information on a transaction’s originator and beneficiary. VASPs are also required by the US to confirm that crypto transactions do not originate from or are sent to sanctioned countries or companies.

However, the FinCEN Travel Rule has a different threshold. Only transfers equal to or greater than 3,000 USD—including any foreign equivalent and VA—are subject to this rule, regardless of whether currency is involved. In 2020, financial regulators in the US—the Board of Governors of the Federal Reserve System, FinCEN, and the Treasury—proposed that the BSA be modified to reduce the general Travel Rule threshold from $3,000 to $250 for international transfers; however, the amendments have yet to be enacted.

All transmittor’s financial institutions must include and send the following in the transmittal order:

• The name and, if the payment is ordered from an account, the account number of the transmittor
• The address of the transmittor
• The amount of the transmittal order
• The execution date of the transmittal order
• The identity of the recipient’s financial institution

As many of the following items as are received with the transmittal order:

• The name and address of the recipient
• The account number of the recipient
• Any other specific identifier of the recipient
• Either the name and address or numerical identifier of the transmittor’s financial institution.

FATF vs BSA Travel Rule

Key takeaways

The FATF Travel Rule is a requirement that targets the anonymity of crypto transactions in order to prevent money laundering. By following this rule, you can detect suspicious users and avoid fraud, all while keeping your reputation flawless and avoiding fines from regulators.

FAQ

• What is the Travel Rule in AML?

  The Travel Rule is a key AML/CFT measure, which mandates that VASPs obtain, hold, and exchange information about the originators and beneficiaries of virtual asset transfers. This enables financial institutions and VASPs to conduct sanctions screenings and detect suspicious transactions so that any necessary measures can be taken.

• Why is the FATF Recommendation 16 called “the Travel Rule”?

  The application of the FATF’s wire transfer requirements (Recommendation 16) in the VA context is called the “travel rule” because the personal data of the transacting parties ‘travels’ along with their transfers.

• What is the VASP Travel Rule?

  The FATF’s Travel Rule requires VASPs, along with other financial institutions, to share relevant originator and beneficiary information from virtual asset transactions, with the aim of preventing money-laundering, terrorist financing, and other fraud activity. Recommendation 16 applies to VASPs whenever their transactions, whether in fiat currency or virtual asset, involve either:

  • A traditional wire transfer
  • A VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other FI)
  • A VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet).

• What is the Travel Rule threshold?

  The FATF recommends a de minimis threshold of 1,000 USD/ EUR. If companies apply a lower threshold, they can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own threshold or forego one altogether. In the US BSA Travel Rule, for example, has a threshold of 3,000 USD.

• Does the Travel Rule apply to automated clearing house (ACH) transactions?

  The Automated Clearing House (ACH) is the primary system that agencies use for electronic funds transfers. With ACH, funds are electronically deposited in financial institutions, and payments are made online. The US BSA Travel Rule does not apply to ACH transactions.