skip to Main Content
Home » cryptocurrency » Cryptocurrency Exchanges Grappling with New FATF Rule Requiring Disclosure of Customer Information
Crypto Matrix - AML - Q2 Report Summary

Cryptocurrency Exchanges Grappling with New FATF Rule Requiring Disclosure of Customer Information

Just-released Guidance Puts Strong Bank-like AML Controls on Virtual Asset Businesses

Governments have a new “travel rule” coming your way, and it has nothing to do with what you can put in your carry-on. In guidance released on June 21, 2019, the Financial Action Task Force (FATF) updated its recommendation regarding the need to adequately mitigate the money laundering and terrorist financing risks associated with virtual asset activities. Cryptocurrency exchanges and other virtual asset businesses are struggling with the meaning and impact of this new guidance, which, once adopted by FATF member countries, will require them to pass customer information to each other when transferring crypto assets. This is similar to the standard that U.S. banks are required to abide by for wire transfers under the Bank Secrecy Act (BSA), which is often referred to as the “Travel Rule.”

According to the FATF Interpretive Note to Recommendation 16, originator and beneficiary information should include the following:

  • Name and account number of the originator
  • Originator’s (physical) address, or national identity number, or customer identification number, or date and place of birth
  • Name and account number of the beneficiary

Cross-border transfers below the USD/EUR 1,000 threshold should also include the names and account numbers of originator and beneficiary. However, this information does not need to be verified for accuracy unless there is a suspicion of money laundering or terrorist financing.

How New FATF Rule Compares with Existing BSA Rule for U.S. Banks

Figure 1 shows a comparison of the current BSA travel rule applied to banks and the soon-to-be-implemented FATF travel rule applied to virtual asset service providers (VASPs). The FATF rule also requires VASPs to share originator and beneficiary information with recipient, although, as the chart shows, there are significant differences. Additionally, VASPs receiving transfers must also ensure they obtain “required originator information and required and accurate beneficiary information.”

Figure 1.

*Address can be substituted for national identity number, or customer identification number, or date and place of birth

Do Old-School AML Rules Designed for Banking Fit Crypto Assets?

The FATF’s intention was to set tougher operating procedures for exchanges and other virtual asset service providers (VASPs), going beyond current customer due diligence (CDD) rules to align more closely with bank regulations. But by applying rules designed for banking to virtual assets they may be trying to fit a square peg into a round hole. Typically, the fields one fills out in a wire transfer request either don’t exist in a cryptocurrency transaction, or obtaining that information would violate individual privacy to a degree potentially unacceptable to the majority of cryptocurrency users.

FATF standards do not dictate exactly how cryptocurrency exchanges must collect, verify or transfer this information, only stating that it is not necessary to attach the information directly to the transfers. This has left exchanges around the world scratching their collective heads and wondering how to implement these rules while preserving privacy. The difficulty in applying these recommendations to exchanges becomes clear when compared to the formal banking system. Whereas banks rely on established interbank communication systems to move funds, cryptocurrencies are quickly and easily moved by simply using a recipient’s public address of which exchanges often have no way of verifying ownership.

CipherTrace was pleased to have an opportunity to offer recommendations on the draft of the FATF’s updated rules. In our response, we advised: Today in cryptocurrencies, beneficiary information consists solely of a cryptocurrency address. There is no “real world” connection between this address and a human being or a bank account or a correspondent VASP account. These cryptocurrency addresses can be at another VASP or can be on a personally controlled computer or mobile phone, as a form of digital cash.

How to Mitigate Crypto Asset Risks While Protecting Confidential Personal Data  

The FATF’s objective is obviously not to violate the privacy of legitimate users, but to, as they say, “adequately mitigate the money laundering and terrorist financing risks associated with virtual asset activities.” Nevertheless, the new travel rule may have unintended consequences. Applying bank regulations to the crypto industry may drive more people to conduct peer-to-peer (P2P) transactions which lie outside the purview of VASP-controlled platforms, resulting in less transparency—the opposite of the FATF’s stated objective.

Additionally, the cryptocurrency world does not work the same way as the traditional banking industry, and the way we track the movement of funds is different. While one could imagine a future where all addresses containing or controlling virtual currencies have a name, address and account number associated with them, this is not the case now. In fact, it may well never be the case, as virtual currencies constitute a hybrid of cash, bearer instruments, traded securities and bank assets.

One solution is using blockchain analytics tools to aid in the legitimate investigation of criminals and terrorists using cryptocurrencies to hide their activities. However, given the new FATF rule and legitimate concerns for privacy, totally new technologies are required to maintain compliance with Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) regulations.

Using Deep Cryptography to Enable Privacy-Enhanced Compliance

To that end, we believe cryptographically controlled privacy mechanisms can make it possible to have both anonymity and responsible disclosure of the source of funds for legitimate purposes such as criminal or terrorist investigations and AML compliance. This is the vision that CipherTrace and its partners are working to realize — a collaborative know-your-customer (KYC) and AML ecosystem in which participating exchanges can securely transfer Proof of Knowledge without disclosing personally identifying information (PII). Our roots in cybersecurity and cryptography run much deeper than any other player in the industry, and our engineers and data scientists are developing cryptographically controlled ways to make KYC and AML faster, more efficient and open, all while maintaining a very high level of privacy and only revealing identity information when compelled to do so by legal authorities. This is how we are doing our part to foster the future growth of cryptocurrencies globally.

About the FATF

The Financial Action Task Force was founded to address concerns about money laundering and the threat it poses to the world financial system. The inter-governmental body advises 36 member countries and two regional organizations, and is one of the most influential voices globally on combating financial crimes. The FATF’s mandate was expanded in 2001 to include efforts to combat terrorist financing (CFT). Its influence also extends beyond its member countries, as a number of regional Financial Action Task Forces around the world provide guidance to regulators in the Caribbean Latin America, the Middle East, and North Africa. Its MoneyVal associate provides guidance to countries of Europe outside the EU, including Malta.

Back To Top