The FATF travel rule, also known as “FATF Recommendation 16,” is a common topic for crypto businesses who want to understand their compliance obligations with respect to Anti-Money Laundering (AML) and Know Your Customer/Customer Due Diligence (KYC/CDD). Yet, many in the industry have misconceptions about the recommendation, its impact, and its potential compliance implications.
The Basics: What Is the FATF Travel Rule?
Note: Keep in mind that the Travel Rule is technically not a regulation. Instead, it provides a standard that countries are expected to follow when putting regulations in place.
The Financial Action Task Force (FATF) is an international organization that designs and promotes non-binding guidance used by policymakers and regulators to combat financial crime. In its simplest terms, FATF Recommendation 16 calls for providers of virtual assets to collect and share customer data for transactions over a threshold of US$1,000.00.
It is often called the FATF Travel Rule because it resembles U.S. requirements to exchange information on the originator and beneficiary as a transaction “travels” through financial networks. The name “Travel Rule” derives from such U.S. regulations.
FATF Recommendation 16 expands the meaning of the Travel Rule to cover companies that offer cryptocurrency services: exchanges, digital wallets, and traditional financial institutions that work with virtual assets. These companies are called Virtual Asset Service Providers (VASPs).
FATF Recommendation 16 is at the heart of a risk-based approach to regulating crypto providers by calling for adherence to international rules. These rules ensure the protection of legitimate finance and help prevent illicit finance. They involve the handling of data with care, the need for privacy, and the use of due diligence measures.
Where did the FATF Travel Rule Originate?
The Travel Rule is one of many recommendations issued by the FATF that help combat money laundering and the financing of terrorism.
Although there has been progress, an FATF review in July 2021 highlighted that only 58 out of 128 jurisdictions (45%) reported that they have the necessary rules in place for virtual assets and their providers. By contrast, jurisdictions including the U.S., the U.K, EU nations, Singapore, and Hong Kong have regulations to prevent money laundering and terrorist financing that go beyond FATF guidance.
What Does the Travel Rule State?
For any transaction over US$1,000, VASPs must share certain identifying information about the originator and recipient.
- Originator: Name, Account Number, and Address (or another identifying number such as a Social Security Number or other national ID)
- Recipient: Name and Account Number
This information must be transmitted as part of the transaction (“traveling” with it, as the rule’s name implies). Several technical standards and protocols specify digital formats for this information, such as the InterVASP Messaging Standard (IVMS 101).
Other optional information includes details about the VASP or financial institution, transaction amount, or transaction dates.
Does My Company Have to Comply with the Travel Rule?
Technically, companies do not comply with the FATF Travel Rule directly because it is not a binding regulation. But understanding FATF’s approach provides essential guidance on the underlying principles that support local AML and KYC regulations and make them applicable to crypto transactions.
FATF Recommendation 16, therefore, is valuable when considering the requirements that local regulators may adopt to impose on various businesses beyond fiat currency, such as a digital broker-dealer regulated by securities law or an exchange regulated by money transmitter laws.
Is the Travel Rule Relevant in the United States?
In the U.S., the Financial Crimes Enforcement Network (FinCEN) sets requirements and defines thresholds, which are currently at $3,000 rather than $1,000. FinCEN has had similar principles in place for many years, not only before the invention of cryptocurrencies but before the terrorist attacks of September 11, 2001 transformed U.S. banking regulations.
These requirements and thresholds are central elements in the original Travel Rule. For U.S. companies operating internationally, complying with FinCEN standards and the Travel Rule is the most prudent approach.
What is the Impact on DeFi Companies?
The trend toward decentralized finance (DeFi) has been an area of concern for regulators and authorities. The idea of making traditional financial products, such as loans, available through blockchain technology potentially has numerous benefits, in particular to those without access to traditional financial products, such as the unbanked.
However, the widely publicized hacks and scams that have plagued the sector highlight the persistent risks of criminal exploitation, fraud, and financial crime.
Earlier versions of the Recommendation 16 focused only on VASPs (essentially synonymous with centralized platforms and exchanges). Therefore, it left many ambiguities about whether the developers or owners of a DeFi application would face compliance expectations. For example, it initially stated that companies that merely provide infrastructure would not be subject.
Furthermore, the decentralized nature of DeFi seems to conflict with the requirement to collect and transmit information about counterparties.
In October 2021, FATF released updated guidance addressing the compliance risks related to virtual assets. However, decentralized operations remain a vital gap to address. According to Marcus Pleyer, president of FATF, “no company should give a free pass to ransomware creators, drug traffickers or human smugglers to launder their illicit profits, or to terrorists to finance their activities.”
Regardless of the Travel Rule and similar local regulations, DeFi companies should pay close attention to regulations in their jurisdictions. Even if they do not consider themselves a VASP, AML and KYC standards may well apply. KYC and AML should be cornerstones of any reputable company’s operations.
How Should Companies Adapt Their Compliance Processes?
The fundamental questions of preventing the funding of crimes and other bad actions dictate understanding where money comes from and where it goes.
What Steps Should You Follow?
- Ensure that you have the technology in place to capture originator and recipient data and transmit it in a form that fits recognized industry data standards (i.e., make sure you do not reinvent the wheel)
- Validate that you are capturing all data required by local regulators as well as following the international principles in the FATF Travel Rule recommendations
- Align your digital and non-digital KYC/AML mechanisms if you service multiple types of assets (digital and non-digital) to avoid creating data silos
- Conduct thorough risk assessments and define risk profiles for digital asset transactions that flow to, through, or from your company, and ensure that your approach to transaction monitoring can scale
- Take data protection requirements into account since the FATF Travel Rule requires you to collect personal data that falls under additional regulations such as GDPR and the CCPA
Where Can You Turn for Help?
If you are a business that operates in crypto or other digital assets, you should recognize that bad actors could try to take advantage of the financial services you provide. The lack of clear regulatory direction compounds this uncertainty.
We recommend that companies seek help from industry experts, legal counsel, and regulatory experts such as InnReg. If you have specific questions about FATF recommendations, the Travel Rule, or your company’s readiness, we invite you to get in touch.