How to prepare your crypto business as regions and regulatory authorities more widely adopt the Travel Rule, with new data on unhosted wallet dynamics.
2019 FATF Travel Rule recommendation for VASPs
On June 1, 2019, the Financial Action Task Force (FATF) made an amendment to recommendation 16, where they officially adopted the Travel Rule as guidance for crypto.
Historically, the Travel Rule was applicable to financial institutions (FIs) and banks, with the Bank Secrecy Act (BSA) Travel Rule officially coming into effect for tradfi in 1996. The ruling requires FIs to share information about their customers and report suspicious activities.
The June 2019 amendment of FATF to Travel Rule expanded this requirement with Virtual Asset Service Providers (VASPs) and crypto exchange platforms now coming under this umbrella.
The FATF crypto Travel Rule requires VASPs to share the users’ identities involved with any virtual asset transfers valuing 1,000 USD USD or more. VASPs are required to obtain and verify customer identification, sharing this data with other VASPs and authorities upon their request. As part of AML/ CFT requirements, VASPs are obliged to conduct ongoing monitoring, identifying any suspicious patterns of transactional behaviors that could lead to criminal activities.
2020 FinCEN guidance for VASPs
Following the June 2019 FATF amendments to the Travel Rule, the Financial Crimes Enforcement Network (FinCEN) in December 2020 also published guidance on applying existing anti-money laundering rules to virtual currency businesses, including the Travel Rule. The guidance requires VASPs to collect and share customer data for transactions over a certain threshold.
While exchanging personal data between financial institutions and banks has been a long-established process, expanding the requirement to VASPs fundamentally changes the world for crypto exchange platforms. However, this is an effort to ensure that crypto providers maintain international rules to protect legitimate finance and prevent illicit finance such as money laundering or terrorist financing. The primary idea behind this development is that regulators want to protect the interests of consumers.
2021 FinCEN follow-up proposal
In January 2021, FinCEN issued a proposition named “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” with a broader purpose to manage the criminal finance danger brought by unhosted or covered wallets. FinCEN suggested setting new reporting and recordkeeping conditions identical to standard money transfers.
All deposits, withdrawals, exchanges, or money transfers of virtual currencies and assets with legal tender status are subject to the new conditions that would apply to all dealings affecting unhosted wallets.
According to their proposal, if a transaction should exceed $10,000 (or is one of the multiple transactions within 24 hours which exceeds that amount), the financial institution or an MSB will be forced to report it with FinCEN and include certain information concerning the transaction. The counterparty (name and physical address) and the confirmation of the customer identity would need to be provided. If a transaction should exceed $3,000, banks and MBSs will be required to keep the trade records, including proof of their customer’s identity.
2021 risk-based approach updates for VASPs
In the updated FATF guidance on VASPs risk-based approach in October 2021, unhosted wallets have been mentioned as one of the risk factors relating to VAs and VASPs:
“Transactions from/to non-obliged entities (e.g., unhosted wallets with no obliged entity, VASPs in jurisdictions where they are not subject to regulation and supervision, etc.) and transactions where at an earlier stage P2P transactions have occurred provided that such data collection is in line with national privacy legislation.”
Furthermore, the FATF encourages the development of tools, such as blockchain analytics, to collect and assess P2P market metrics and risk mitigation solutions, risk methodologies to identify suspicious behavior, and determine whether wallets are hosted or unhosted.
Why are unhosted wallets deemed risky and targeted by this guidance?
Unlike customers who rely on the custody services of FIs subject to anti-money laundering and combating the financing of terrorism (AML/ CFT) requirements to send and receive virtual currency, users of unhosted or “self-hosted” wallets can transact directly with one another and with hosted wallets using their own private keys, creating potential illicit finance risks.
The ushering in of anti-money laundering requirements into the domain of private or unhosted wallets is something most countries are only beginning to realize is both crucial and necessary to the overall security, reputation, and longevity of the blockchain industry.
How have various countries responded to the Travel Rule?
Following initial guidelines by FinCEN, and subsequent support for the Travel Rule guidance from the FATF (which includes G20 countries) and the EU; Switzerland and Singapore are now requiring identification of transactions over $1,000 with what the FATF calls “unhosted wallets.”
Switzerland and Singapore have particularly stringent regulations when it comes to Travel Rule. FINMA (the Swiss regulatory authority), in particular, has always been at the forefront of implementing guidelines that the FATF encourages.
The Dutch National Bank (DNB) now obligates crypto service providers to register with the central bank and officially confirm their compliance with verification requirements under the 1977 Sanctions Act.
The UK FCA has also indicated plans to include Travel Rule recommendations into its cryptocurrency regulatory framework, as it makes big moves to protect its consumers.
How does Travel Rule information-sharing by VASPs look in practice?
Information to be exchanged
- Name of the Originator;
- Account number of the Originator, where an account is used to process the transaction. If no account number is available, a unique transaction reference number must be provided;
- Originator’s address, official personal document number, customer identification number or date, and place of birth.
- Name of the beneficiary;
- Beneficiary’s account number. If no account number is available, a unique transaction reference number should be provided.
Every VASP must identify the Originator VASPs and verify their identity:
Every Originator VASP needs to record the following information before transferring funds:
- KYC information on the Originator
- adequate details of the value transfer to permit its reconstruction, including but not limited to, the date of the value transfer, the type and value of digital payment token(s) transferred, and the value date” with the value date being defined as “the date of receipt of funds by the value transfer beneficiary.”
VASPs, when dealing with unhosted wallets, should collect the information on the beneficiary and Originator and make it available to the authorities if requested to do so. They also need to apply enhanced due diligence whenever they transact with unhosted wallets.
Crystal’s “Combined” or “Aggregated” Travel Rule solution
Crystal has now enabled the detection of unhosted wallets on its platform to meet compliance requirements. A new category in the alert settings specifies the activity of the unhosted wallet (the number of transactions) and the amount deposited or withdrawn. After that, you will receive alerts for transfers that match specified parameters.
Crystal’s end-to-end Travel Rule solution, supported by our partners at Notabene and Shyft Network, means that our customers and partners can ensure they are Travel Rule-compliant. The new regulations covering unhosted wallets are around the corner, so businesses operating within the cryptocurrency industry must make adequate preparations.
Travel Rule and tracking solutions, such as the ones offered by Crystal, will be a great way to ensure full compliance when the regulations are finalized and implemented.
Contact Crystal to start unhosted wallet tracking solutions ahead of the new law implementation.
