Travel Rule for Virtual Asset Service Providers

The Financial Action Task Force’s (“FATF”) review report reveals slow progress in implementing the revised FATF 40 Standards for VASPs. More than two years after publication of the FATF standards on Virtual Assets (“VA”) and Virtual Asset Service Providers (“VASP”), many countries still do not have a basic regulatory framework for VASPs. The FATF covers more than 200 countries and jurisdictions, yet less than half (45%) of the 128 reporting countries reported having passed the necessary laws/regulations to permit or prohibit VASPs. The number of countries whose AML/CFT regime for VASPs is actually operational is even lower. Most countries and most VASPs are not complying with Recommendation 16 of the FATF standards, also known as the Travel Rule, with only 10 countries reporting that they have implemented and are enforcing the Travel Rule requirements for VASPs. FATF has indicated that its focus for 2022 will be to accelerate the implementation of the Travel Rule globally.

In the last quarter of 2021, the industry witnessed a shift in sentiment from a year earlier: the debate moved from opposing the Travel Rule to how quickly the rule can be implemented. The key driver for the shift was a push by the regulators that have legislated the Travel Rule.

Operationally, implementation of the Travel Rule continues to be hampered by the lack of interoperability and by disparate levels of legislation among countries (the “sunrise issue”). In response to these challenges, the industry is observing the formation of a constellation of exchange clusters as a way to meet the regulatory requirements and move forward.

Travel Rule

The Travel Rule was developed with “the objective of preventing terrorists and other criminals from having unfettered access to electronically-facilitated fund transfers and for detecting such misuse when it occurs.”

It requires VASPs to:

  1. include required and accurate originator information, and required beneficiary information, on wire transfers and related messages, and ensure that the information remains with the wire transfer or related message throughout the payment chain;
  2. monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information, and take appropriate measures;
  3. take freezing action and prohibit conducting transactions with designated persons and entities in the context of processing wire transfers.

The goal is to stop proceeds of crime, including ransom payments, illegal dark market sales, proliferation finance and terrorist financing, from using virtual assets as an anonymizing payment rail.

Travel Rule takes centre stage

The Travel Rule is the element of VASPs’ compliance with the revised FATF 40 Standards that receives the most attention, yet only 10 jurisdictions reported actively enforcing its requirements. An additional 14 jurisdictions reported having introduced the regulation but not yet enforcing it. No jurisdiction reported being aware of any VASP that has fully complied with all elements of the Travel Rule. FATF has indicated that its next step will be to accelerate the implementation of the Travel Rule globally.

Since the last quarter of 2021 we have seen increasing momentum, both in the development of standards and protocols, such as the Travel Rule Information Sharing Architecture (TRISA), which can now help enable interoperability between solutions, and in implementation by VASPs. The patchy approach to enacting the legislation across jurisdictions, also known as the “sunrise issue”, together with the lack of a unified technology for interoperability, remain major obstacles to full and successful implementation.

Of the 128 jurisdictions that responded to the FATF’s questionnaire, 52 claimed to now regulate VASPs, 6 prohibit the operation of VASPs, and the remaining 70 have not yet implemented, or are in the process of implementing, the revised Standards in their national law.

Travel Rule Obligations

i. Data Sharing Requirement
Before the Travel Rule was introduced for virtual asset transfers, financial institutions conducting wire transfers of fiat currency already had to exchange the originator’s and beneficiary’s personal information. Inspired by this, the Travel Rule was extended to VAs and VASPs.

Under the Travel Rule, the originators and beneficiaries of all transfers of virtual assets must exchange identifying information. The rule applies to all VASPs, financial institutions and obliged entities. Additionally, the originators and beneficiaries involved in a transfer must be able to guarantee the accuracy of the information they send to the other party. The identifying information must be exchanged/transmitted in near real time and before a virtual asset transfer is conducted on the platform.

Identifying information

ii. Counterparty VASP identification and due diligence
Different entities within the industry pose higher or lower ML/TF risks depending on a variety of factors, including products, services, customers, geography, the AML/CFT regime in the VASP’s jurisdiction, and the strength of the entity’s compliance program. The Travel Rule requires VASPs to identify and perform comprehensive due diligence on counterparties, assess the corresponding ML/TF risk, and implement appropriate measures to mitigate and manage that risk.

The due diligence is to be performed before the originator’s and beneficiary’s identifying information is transmitted to the counterparty, and must be refreshed periodically or when new risks emerge from the relationship.

iii. Information Security
Risks to individual privacy and to personal safety are real. The information that must be shared includes a user’s physical location and possibly the value of their virtual assets. This may lead to:

  • Hacks, PII data leaks and abuse of collected PII for identity theft
  • Transaction IDs being used to determine how much cryptocurrency a holder controls
  • Physical and cyber attacks against holders
  • Fake VASPs masquerading as legitimate VASPs to collect PII
  • Monitoring by oppressive regimes, data leaks, exchange hacks, data mining, poor security, data brokering
  • Denial of service attacks

To protect user information from unauthorised disclosure, VASPs are required to ensure data security, particularly since the data transmittal occurs concurrently with the VA transfer.

The suggested technical specifications for data security include, but are not limited to:

  1. Public and private key pairs created for each entity involved in a transmission, so that encryption and decryption of the information is restricted to the entities involved in that transmission.
  2. TLS/SSL connections established to secure the transmission.
  3. X.509 certificates that verify the identity of VASPs and serve as a dictionary for their public key certificates, so that VASPs can be identified and establish secure communications with each other.
  4. X.509 attribute certificates, which can encode personal data and are cryptographically bound to the X.509 certificates administered by Certification Authorities (“CA”).
  5. API technology.
  6. Other commercially available technology, software or solutions.

The Travel Rule thus creates a technical challenge for VASPs: how to comply with the requirement while protecting user privacy. When a VASP wishes to send originator and beneficiary information to another VASP in support of Travel Rule requirements, the two must establish secure communications. The solution requires the equivalent of a certificate authority (CA) that verifies the identity of VASPs and serves as a dictionary for their public key certificates, so that they can be identified and establish secure communications with each other.

Mechanism proposed by the Travel Rule Information Sharing Architecture (“TRISA”)

In a CA model, one or more third parties verify the identity of a VASP through a number of steps, such as email verification, domain name ownership verification, phone call verification and business paperwork verification. The CA then issues a digital certificate, signed by the CA, that gives other parties a way to establish secure encrypted communications with the verified VASP. These certificates would have an expiration date, and they should also be subject to revocation by the CA through an Online Certificate Status Protocol (OCSP) mechanism or a certificate revocation list.
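As an added illustration of the CA model above and of the X.509 items in the specification list (example code written for this article, not TRISA’s implementation), the Go program below builds a constructed, in-memory CA, issues a certificate to a hypothetical VASP named vasp.example, and runs the checks a receiving VASP should apply to a counterparty certificate before opening a secure channel: that it chains to the trusted CA (so a self-made certificate from a fake VASP is rejected), that it is within its validity period, and that it is absent from a fresh, CA-signed revocation list. The CA name, the VASP name and all keys are constructed for the demo; an OCSP response would be checked at the same point as the CRL.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyCounterparty: the checks a VASP runs on a counterparty's CA-issued certificate before exchanging Travel Rule data.
func VerifyCounterparty(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err // not issued by the trusted CA (e.g. a self-made "VASP" certificate), expired, or not yet valid
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL is not signed by the trusted CA or is stale: refresh it (or query OCSP) before proceeding")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked by the CA")
		}
	}
	return nil
}
func must[T any](v T, err error) T { // panics on error: acceptable here because every input is fixed, constructed demo data
	if err != nil {
		panic(err)
	}
	return v
}
// BuildDemoPKI constructs an in-memory CA, a VASP certificate it issued (serial 42, valid 12 h from now) and a CA-signed CRL listing revokedSerials.
func BuildDemoPKI(now time.Time, revokedSerials ...*big.Int) (vasp, ca *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	vaspPub, _, _ := ed25519.GenerateKey(rand.Reader) // the VASP's own key pair; only its public half is certified
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Travel Rule CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	vaspTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "vasp.example"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour)}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)} // CRL is good for one hour
	for _, s := range revokedSerials {
		crlTmpl.RevokedCertificates = append(crlTmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))))
	vasp = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, vaspTmpl, ca, vaspPub, caKey))))
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return
}
```

Calling VerifyCounterparty with a later clock exercises the expiry and stale-CRL paths, which fail closed rather than falling back to an unchecked connection.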

Sanction Screening

Using Zero Knowledge Proofs for Sanctions Screening
The mechanism proposed by TRISA implements a zero-knowledge proof based solution for sanctions screening. It works as follows. Each VASP generates a proof that its user is not a member of a sanctions list, i.e. Alice’s VASP generates a proof claiming Alice does not belong to a sanctions list, and Bob’s VASP does the same for Bob. As shown in the picture below, these proofs are exchanged and verified by the two VASPs. By verifying that a proof is valid, a VASP can ensure that the counterparty’s user does not belong to a sanctions list, and thereby fulfil its obligation.

The proof consists of two sub-proofs: the first shows that a user’s KYC/AML data is not on the sanctions list; the second shows that the KYC/AML data used for the first proof is the same data encrypted under the regulator’s key (retained for when a regulator, such as OFAC or FinCEN, wishes to look up a particular user).

Both VASPs only transact once they have ensured due diligence is done. Data is still stored for regulators. Each VASP learns user information only on a need-to-know basis, so a breach of Bob’s VASP’s database does not compromise Alice’s data. Each transaction carries an additional audit trail recording the version of the sanctions list used. The communication channels used for sanctions checks are fully confidential.

Source: TRISA

Travel Rule information sharing architecture (Source: TRISA)

iv. VA Transfers to/from unhosted wallets
For transfers to or from unhosted wallets, the FATF standards require VASPs to obtain the requisite originator and beneficiary information from their own customers, since it is not feasible to obtain the relevant information from another VASP.

The standards also prescribe that VASPs should collect data on their unhosted wallet transfers, monitor and risk-assess that information to determine whether the transactions fall within the VASP’s risk appetite and which risk-based controls to apply to such transactions and individual customers, and meet their SAR obligations.

Similar standards would apply to the risks posed by VASPs that are not yet licensed/registered and supervised for AML/CFT purposes because they are based in jurisdictions that have not yet implemented the FATF standards for VAs/VASPs.

VASPs may choose to impose additional controls on transactions with unhosted wallets. Potential measures include:

  1. Enhancing the existing risk-based control framework to account for the specific risks posed by unhosted wallets; and
  2. Studying the feasibility of accepting transactions only from/to VASPs and other obliged entities, and/or unhosted wallets that the VASP has assessed to be reliable.

v. Travel Rule Solution Providers
Solution providers should enable VASPs to carry out the following main functions:

  1. Enable a VASP to locate a counterparty VASP for VA transfers;
  2. Enable the submission of required and accurate originator and beneficiary information immediately when a VA transfer is conducted on the platform;
  3. Enable VASPs to submit large volumes of transactions in a stable manner;
  4. Enable a VASP to transmit data securely, i.e., protect the integrity and availability of the required information to facilitate record keeping;
  5. Protect the use of such information by receiving VASPs and protect it from unauthorized disclosure in line with data protection laws;
  6. Provide the VASP with a communication channel to support further follow-up with a counterparty VASP for the purpose of:
    1. Due diligence on the counterparty VASP;
    2. Requesting additional information on certain transactions to determine whether they involve high-risk or prohibited activities.

Compliance Program
VASPs and other obliged entities are required to maintain AML/CFT programs and systems that adequately manage and mitigate their risks.

SAR Reporting and Tipping Off
VASPs are required to implement appropriate systems for scrutinizing transactions in a timely manner and determining whether funds or transactions are suspicious. The lack of required originator and beneficiary information should be considered a factor in assessing whether a transfer is suspicious and whether it must be reported.

Where a VASP requests further information on a counterparty from its customer in the case of a transfer from an unhosted wallet, it should expect the customer to respond in a timely fashion and provide documents/information to the level of detail requested. Where the customer does not respond, this may trigger concerns and should lead the VASP to consider filing a SAR on the customer, followed by a reassessment of the customer’s attributes and risk profile where necessary.

The obligation on VASPs to report suspicious transactions is not risk based: suspicious funds and transactions must be reported promptly to the relevant jurisdictional authorities.

NIMBL will be happy to advise you on the Travel Rule and Anti-Money Laundering framework requirements.