
The Most Complete Guide to the FATF Travel Rule for Cryptocurrency

Cryptocurrency “Travel Rule” Summary

The Financial Action Task Force (FATF) modified Recommendation 16, commonly called the Travel Rule, to guard against money laundering and other illegal activity. The new Travel Rule guidance recommends that Virtual Asset Service Providers (VASPs), including exchanges, banks, OTC desks, hosted wallets and other financial institutions, share certain identifying information about the sender and receiver of cryptocurrency transactions over USD/EUR 1000 globally.

Since the issuance of FATF’s virtual asset guidance, some jurisdictions, such as Singapore, Switzerland and Hong Kong, have already forbidden exchanges from operating without licenses that enforce Travel Rule compliance, that is, regulations that require Virtual Asset Service Providers to securely share certain sender and receiver information with each other for cryptocurrency transactions. Other countries, such as Canada, will enforce compliance by July 2021. In the US, the rule has technically already been in place, though seldom enforced. However, in 2020, FinCEN decidedly refocused on the regulation by proposing several new rules for crypto payments that further complicate compliance.

Travel Rule Scope

| | BSA | FATF |
|---|---|---|
| Threshold | USD 3,000 | USD/EUR 1,000 |
| Originator information | | |
| Name | Required | Required |
| Account number | When available | Required |
| Address | Required | Required* |
| Identity of financial institution | Required | Not required |
| Transmittal amount | Required | Not required |
| Execution date | Required | Not required |
| Recipient information | | |
| Name | When available | Required |
| Address | When available | Not required |
| Identity of financial institution | Required | Not required |
| Account number | When available | Required |
| Any other specific identifier of the recipient | When available | Not required |

* Address can be substituted for national identity number, or customer identification number, or date and place of birth

Why the Travel Rule Matters

The Travel Rule is intended to share information to allow participants to:

  • Block terrorist financing
  • Stop payments to sanctioned individuals, entities, and countries
  • Enable law enforcement to subpoena transaction details
  • Support reporting of suspicious activities
  • Prevent money laundering of cryptoassets

Emerging Challenges for Travel Rule Compliance

Key strategic and operational risks VASPs face when implementing the Travel Rule include:

  • The ‘sunrise issue’ staggered enforcement of crypto AML regulations
  • How blockchain analytic tools can be used in travel rule compliance
  • How to identify counterparty VASPs and whether they are registered
  • How to undertake counterparty VASP due diligence
  • How to address cybersecurity, privacy and data protection

Sending PII

Sharing sensitive financial transaction and client PII information with unknown or untrusted VASPs creates numerous privacy issues for virtual asset users. As evidenced by dozens of successful exchange hacks, few VASPs are well prepared to defend against a dedicated adversary and have poor security around crypto assets, let alone stored PII. Many smaller VASPs have minimal security expertise and previously did not consider themselves to be financial institutions.

Risks to individual privacy, and to individuals, in the context of the Travel Rule include:

  • Hacks and PII data leaks
  • Fake VASPs masquerading as legitimate VASPs to collect PII
  • Harvesting, data mining, and selling user PII data
  • Monitoring by oppressive regimes
  • DDOS and market manipulation

The information needs to be retained by each VASP, but it does not have to be viewed by the receiving party, nor does it need to be stored in clear text.

Fake VASPs

The FATF rules require crypto companies to share personally identifiable information (PII) for transactions over a certain amount. The TRISA testnet begins to address that looming challenge by including a dummy version of an “evil VASP” that will provide false authentication, attempt to steal data and so on. “The evil VASP isn’t part of TRISA and it will try and trick people into sharing information,” “The cool thing about having a proper certificate authority is that it has the concept of revocation,” said Jefferies. “So if a VASP turns evil – say they pull some sort of exit or fraud or their licenses are revoked – that public key infrastructure that sets up the relationship can also take it back if the whole community has to stop communicating with a VASP, at least for a little while.”

Travel Rule Solutions

It appears unlikely that the community will adopt a single Travel Rule solution; it will more likely use several. The interoperability of solutions is vital to ensure comprehensive coverage when facilitating transactions with VASPs across the crypto-community. Voices in the community agree that a solution should be open source, decentralized, secure, scalable, reliable, interoperable, and globally available. In addition, CipherTrace believes that a system should also be customizable to fit each VASP’s unique wants or needs.

Currently, there are open-source travel rule solutions on the market, such as the Travel Rule Information Sharing Architecture (TRISA), as well as enterprise solutions such as CipherTrace Traveler.

 

History of the Cryptocurrency Travel Rule

FATF Guidelines

What is FATF Recommendation 16

In guidance released on June 21, 2019, the Financial Action Task Force (FATF) updated its recommendation regarding the need to adequately mitigate the money laundering and terrorist financing risks associated with virtual asset activities. Cryptocurrency exchanges and other virtual asset businesses are struggling with the meaning and impact of this new guidance, which, once adopted by FATF member countries, will require them to pass customer information to each other when transferring crypto assets. This is similar to the standard that US banks are required to abide by for wire transfers under the Bank Secrecy Act (BSA), which is often referred to as the “Travel Rule.”

According to the FATF Interpretive Note to Recommendation 16, originator and beneficiary information should include the following:

  • Name and account number of the originator
  • Originator’s (physical) address, or national identity number, or customer identification number, or date and place of birth
  • Name and account number of the beneficiary
  • Cross-border transfers below the USD/EUR 1,000 threshold should also include the names and account numbers of originator and beneficiary. However, this information does not need to be verified for accuracy unless there is a suspicion of money laundering or terrorist financing.

https://ciphertrace.com/fatf-crypto-travel-rule/

Virtual Assets Contact Group (VACG) meeting

At the February 2019 FATF Public Consultation and at the May 2019 FATF Private Sector Consultative Forum, some private sector and public sector officials expressed concern that VASPs do not have a technical solution nor infrastructure to implement the travel rule immediately. In light of that feedback, FATF decided to establish the Virtual Assets Contact Group (VACG, co-chaired by Japan and the U.S.), to monitor the amendment of laws in FATF member jurisdictions as well as the progress of the private sector in developing technical solutions to meet the requirements of the travel rule. The Report addresses the results of the VACG’s monitoring activities.

On September 15th, 2020, the Virtual Assets Contact Group, a FATF working group to foster cooperative development of the Travel Rule by private industry, met to discuss the status of implementation. The meeting included a technological review of emerging solutions for VASPs, and addressed concerns related to peer-to-peer transfers and updated guidance for crypto red flag indicators.

1st 12-Month Review

On June 24, 2020, the Financial Action Task Force met, albeit virtually, for the third and final Plenary meeting under President Xiangmin Liu, of the People’s Republic of China, to review progress towards implementing new anti-money laundering guidance for virtual assets and virtual asset service providers (VASPs). Details of the session released in FATF’s 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers offered a hopeful outlook for VASPs and the greater cryptocurrency community.

FATF decided to not revise previous recommendations related to virtual assets or VASPs but has documented the need for future continued direction. Reassessment of progress towards a Travel Rule solution and further guidance is slated for June 2021 at the next 12-month review under the incoming German President, Marcus Pleyer.

Despite optimism, FATF recognizes the major barriers to implementation, such as identifying counterparty VASPs, broader compliance for private and unhosted wallets conducting transactions with VASP customers, batch processing of data, interoperability challenges, and the sunrise problem. Offering few immediate solutions, FATF’s Virtual Asset Contact Group, a working group designed to monitor and engage the virtual asset sector, reaffirmed commitment to partnership with the industry to identify and promote solutions to current and future obstacles as both VASPs and regulators push forward towards Travel Rule implementation. Calling upon the community to further diversify and redouble their efforts to engage reluctant VASPs and identify remaining issues, FATF expects significant progress towards a deployable Travel Rule solution throughout the next 12 months.

https://ciphertrace.com/revised-fatf-standards-on-virtual-assets-12-month-review/

Cryptocurrency Travel Rule Regulations by Country

Canada

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s Financial Intelligence Unit, has issued new guidance for MSBs operating in the country. Under the new rules, MSBs and foreign MSBs will be required to identify clients from which they are receiving virtual currency equivalent to $10,000. The transfer, exchange, or remittance of virtual currency equivalent to $1,000 CAD will likewise trigger KYC verification requirements.

VASPs that initiate virtual currency transfers worth $1,000 or more must send the following information to abide by Canada’s Travel Rule regulations:

  • the date of the transfer;
  • the type and amount of each VC that is involved in the transfer;
  • if the client is a person, their name, address, date of birth and occupation, or in the case of a sole proprietor, the nature of their principal business;
  • if the client is an entity, its name, address and the nature of its principal business;
  • the name and address of each beneficiary;
  • for every account affected by the transfer:
      • the account number and account type; and
      • the name of each account holder;
  • every reference number connected to the transaction that is meant to be similar to an account number;
  • every transaction identifier including transaction hashes or similar identifiers (if applicable) and every sending and receiving address;
  • and the exchange rates used and their source.

Canadian VASPs are expected to comply with Travel Rule guidance by June 1, 2021.

The full guidance can be found here: https://www.fintrac-canafe.gc.ca/guidance-directives/recordkeeping-document/record/fin-eng

Hong Kong

On January 31, 2021, the consultation period for the Hong Kong Financial Services and the Treasury Bureau’s consultation paper on a proposed regulatory regime for cryptocurrency exchanges ended. The proposed framework seeks to extend the Securities and Futures Commission (SFC)’s licensing and supervisory powers to include all virtual asset platforms operating in Hong Kong, regardless of whether or not the virtual assets on their platforms are “securities.”

The final proposal is set to be introduced to the Legislative Council in 2021; however, an exact date has yet to be set. If passed, Hong Kong’s traditional AML obligations for wire transfers will be extended to all VASPs operating in Hong Kong. A review of their current guidelines can give exchanges in the area a good idea of what to expect.

According to the Hong Kong Monetary Authority’s Guideline on Anti-Money Laundering and Counter-Financing of Terrorism, for funds transfers above $8,000 the originating institution must send the following information to comply with Travel Rule regulations:

  • the originator’s name;
  • the number of the originator’s account maintained with the ordering institution and from which the money for the wire transfer is paid or, in the absence of such an account, a unique reference number assigned by the ordering institution;
  • the originator’s address or, the originator’s customer identification number or identification document number or, if the originator is an individual, the originator’s date and place of birth;
  • the beneficiary’s name; and
  • the number of the beneficiary’s account maintained with the beneficiary institution and to which the money for the wire transfer is paid or, in the absence of such an account, a unique reference number assigned to the wire transfer by the beneficiary institution.

For transfers above $8,000 in value, originating institutions must ensure that all required originator information is accurate and beneficiary institutions should verify the identity of the recipient, if the identity has not been previously verified.

Transfers below $8,000 only need to contain the following information:

  • the originator’s name;
  • the number of the originator’s account maintained with the ordering institution and from which the money for the wire transfer is paid or, in the absence of such an account, a unique reference number assigned by the ordering institution;
  • the beneficiary’s name; and
  • the number of the beneficiary’s account maintained with the beneficiary institution and to which the money for the wire transfer is paid or, in the absence of such an account, a unique reference number assigned to the wire transfer by the beneficiary institution.

Singapore

The Monetary Authority of Singapore (MAS) issued the Payment Services Act (PSA) in January 2019 to provide for the licensing and regulation of payment service providers; however, the original publication did not cover VASPs. On December 5, the MAS published an amendment to the PSA, Notice PSN02 Prevention of Money Laundering and Countering the Financing of Terrorism – Digital Payment Token Service, which brought VASPs into the same regulatory fold as other payment service providers.

As a result of this regulatory expansion, crypto transactions of S$1500 and less fall under travel rule regulations in Singapore and require originator and beneficiary names and account numbers. Transactions over S$1500 will require additional beneficiary information, such as address and date.

Under the PSN02, Singaporean VASPs must comply with these travel rule obligations in order to qualify for licensing.

| | MAS | FATF |
|---|---|---|
| Threshold | <=S$1500 | USD/EUR 1,000 |
| Originator information | | |
| Name | Required | Required |
| Account number | Required | Required |
| Address | >S$1500* | Required** |
| Identity of financial institution | >S$1500* | Not required |
| Transmittal amount | >S$1500* | Not required |
| Execution date | >S$1500* | Not required |
| Recipient information | | |
| Name | Required | Required |
| Account number | Required | Required |
| Address | Not required | Not required |
| Identity of financial institution | Not required | Not required |
| Any other specific identifier of the recipient | Not required | Not required |

* At least one required for transmittals above S$1500

** Address can be substituted for national identity number, or customer identification number, or date and place of birth

Switzerland

On August 26, 2019, the Swiss Financial Market Supervisory Authority (FINMA) introduced Travel Rule guidance for the crypto industry in their FINMA Guidance 02/19 on Payments on the blockchain. The guidance brought VASPs into Switzerland’s Anti-Money Laundering Ordinance (Article 10 AMLO-FINMA), requiring they comply with existing AML/CTF rules by January 1, 2020.

According to Article 10 AMLO-FINMA, VASPs must comply with the Travel Rule in transactions above $1,000 when transacting with VASPs “subject to appropriate anti-money laundering supervision.” Swiss VASPs should not conduct transactions with unhosted wallets, unless the sender can verify that they are the owner of the wallet.

Transfers to or from an external wallet belonging to a third party are only possible “if, as for a client relationship, the supervised institution has first verified the identity of the third party, established the identity of the beneficial owner and proven the third party’s ownership of the external wallet.”

Swiss VASPs should include the following in their Travel Rule data:

  • Originator name
  • Originator account number (or transaction-related reference number)
  • Originator address (or the date and place of birth, customer number or national identity number)
  • Beneficiary name
  • Beneficiary account number (or transaction-related reference number)

The beneficiary VASPs should ensure that the originator and beneficiary information is correct and complete, and return the payment in the event of discrepancies.

United States

The BSA Travel Rule

In 1996, the US Bank Secrecy Act (BSA) issued a Funds Travel Rule for fiat currency transfers in the US. An amendment to the BSA in 2012 expanded the Rule to include electronic funds transfers. FinCEN is charged with enforcing BSA rules, and in May 2019 released guidance that the US Department of Treasury would classify many cryptocurrency exchanges as money service businesses (MSBs), meaning exchanges operating within the United States must now comply with the BSA Travel Rule. According to the rule, any time a transfer of funds is greater than or equal to $3,000, financial institutions must include the following in the transmittal order: the name, account details, and financial institution of the recipient and the transmitter. The regulation’s text does not dictate exactly how financial institutions must collect, verify or transfer this information.

In the US, the rule has technically already been in place, though seldom enforced. However, in 2020, FinCEN decidedly refocused on the regulation by proposing several new rules for crypto payments that further complicate compliance. The proposed rule would apply to convertible virtual currencies and would explicitly apply the Travel Rule to US exchanges, trading desks, ATMs and custody providers in the very near term.

| | FinCEN | FATF |
|---|---|---|
| Threshold | USD 3,000 | USD/EUR 1,000 |
| Originator information | | |
| Name | Required | Required |
| Account number | When available | Required |
| Address | Required | Required* |
| Identity of financial institution | Required | Not required |
| Transmittal amount | Required | Not required |
| Execution date | Required | Not required |
| Recipient information | | |
| Name | When available | Required |
| Address | When available | Not required |
| Identity of financial institution | Required | Not required |
| Account number | When available | Required |
| Any other specific identifier of the recipient | When available | Not required |

* Address can be substituted for national identity number, or customer identification number, or date and place of birth
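
The FinCEN/FATF comparison above can be turned into a pre-send check that reports missing required fields and builds a payload containing only the fields the regime calls for, so no extra PII leaves the VASP. This is an added example, not code from CipherTrace, TRISA or any regulator; the record keys, the USD-only amount, and treating an amount exactly at the threshold as in scope are assumptions.

```python
"""Added example: pre-send Travel Rule completeness check.

Record keys (originator_name, amount_usd, ...) are hypothetical; the rule
matrix is transcribed from the FinCEN/FATF comparison table on this page.
"""

R, W, N = "required", "when available", "not required"

FIELDS = (
    "originator_name", "originator_account", "originator_address",
    "originator_institution", "amount_usd", "execution_date",
    "beneficiary_name", "beneficiary_address", "beneficiary_institution",
    "beneficiary_account", "beneficiary_other_id",
)

RULES = {
    "BSA": {
        "threshold_usd": 3000,
        "status": dict(zip(FIELDS, (R, W, R, R, R, R, W, W, R, W, W))),
        "address_substitutes": (),      # the table's footnote covers FATF only
        "below_threshold": (),
    },
    "FATF": {
        "threshold_usd": 1000,
        "status": dict(zip(FIELDS, (R, R, R, N, N, N, R, N, N, R, N))),
        # Each tuple is one acceptable substitute for the originator address.
        "address_substitutes": (
            ("originator_national_id",),
            ("originator_customer_id",),
            ("originator_birth_date", "originator_birth_place"),
        ),
        # Cross-border transfers under the threshold still carry names and accounts.
        "below_threshold": ("originator_name", "originator_account",
                            "beneficiary_name", "beneficiary_account"),
    },
}


def check_transfer(record, regime):
    """Return scope, missing required fields, and the minimal payload to send."""
    rule = RULES[regime]
    present = {k for k, v in record.items() if v not in (None, "")}
    # Assumption: amount is already converted to USD; at-threshold counts as in scope.
    in_scope = record["amount_usd"] >= rule["threshold_usd"]
    if in_scope:
        required = [f for f in FIELDS if rule["status"][f] == R]
        optional = [f for f in FIELDS if rule["status"][f] == W]
    else:
        required, optional = list(rule["below_threshold"]), []

    send, missing = [], []
    for field in required:
        if field in present:
            send.append(field)
            continue
        groups = rule["address_substitutes"] if field == "originator_address" else ()
        match = next((g for g in groups if all(f in present for f in g)), None)
        if match:
            send.extend(match)          # send the substitute instead of the address
        else:
            missing.append(field)
    send.extend(f for f in optional if f in present)
    return {"in_scope": in_scope, "missing": missing,
            "payload": {f: record[f] for f in send}}


# Constructed sample record; every value is made up for illustration.
SAMPLE = {
    "amount_usd": 1500,
    "execution_date": "2021-03-01",
    "originator_name": "Alice Example",
    "originator_account": "acct-001",
    "originator_address": "",                     # not on file
    "originator_birth_date": "1980-01-01",
    "originator_birth_place": "Exampleville",
    "originator_occupation": "engineer",          # held by the VASP, not required
    "originator_institution": "VASP-A",
    "beneficiary_name": "Bob Example",
    "beneficiary_account": "acct-002",
    "beneficiary_institution": "VASP-B",
}

if __name__ == "__main__":
    for regime in RULES:
        print(regime, check_transfer(SAMPLE, regime))
```
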

Proposed Rule Changes to the Funds “Travel Rule” (NPRM)

On October 23, the Financial Crimes Enforcement Network (FinCEN) and the Federal Reserve Board proposed a rule change that would amend the recordkeeping and travel rule regulations under the Bank Secrecy Act. The proposal would require financial institutions, including banks and cryptocurrency exchanges, to collect and store transfer information on international payments at a much lower threshold.

Currently, financial institutions must store and forward records for transfers of funds abroad in excess of $3000. The new rule would see much smaller transfers, anything over $250, come under the same requirements. Notably, the rule specifically includes cryptocurrency transfers as a class of transactions to which the proposal would apply.

The full text of the proposed rule change can be found on the federal register.

Travel Rule Standards and Protocols

IVMS

The interVASP Messaging Standards (IVMS 101) is an industry standard for exchanging Travel Rule information, establishing a universal common language for communication of required originator and beneficiary information between VASPs. IVMS 101 was created by the Joint Working Group on interVASP Messaging Standards (JWG)—a working group of over 130 technical experts from around the world.

A copy of the standards can be found at https://intervasp.org/

TRISA

The Travel Rule Information Sharing Architecture developed by the Travel Rule Information Sharing Alliance and sponsored by CipherTrace is built upon security and cryptography technologies that have been proven for years to secure banking, ecommerce, and government communications. TRISA applies trusted Public Key Infrastructure (PKI) to mutually authenticate VASPs and securely transmit sensitive transaction data.

TRP

The Travel Rule Protocol (TRP) is an API compliance solution developed by the ING Group, a Dutch multinational banking and financial service provider. It takes a cue from the fiat-based SWIFT network by creating a similar verification system: using publicly available information, such as a VASP’s Legal Entity Identifier (LEI) and public key information, TRP reasonably determines the identities of blockchain addresses. To decrease friction between tools, TRP is aligned with the IVMS101 Messaging Standards.

The solution is directed by a collaborative and self-selecting group of industry professionals to design a minimally invasive compliance tool that promotes FATF’s travel rule compliance requirements and data privacy standards and discourages industry fragmentation. Despite spearheading the endeavor, the ING Group reportedly has no plans to enter the crypto-assets business.

TRP is managed by the TRP working group that includes leading VASPs and industry organizations. Legal Entity Information is accessed from public records managed by relevant jurisdictional governments and supervisors and dependent on VASPs providing access to their public key information.

TRP relies on a REST (Representational State Transfer) API architecture that provides interoperability to web services and platforms. By providing a RESTful service, TRP can manipulate web data to a uniform representation that can be utilized by other users of the network regardless of their base-technology.

OpenVASP

OpenVASP is an open-source, decentralized common protocol designed for varied implementations across the blockchain environment supported by the OpenVASP Alliance. The Alliance seeks to provide a technologically neutral compliance solution that invites adoption without membership or registration without a centralized component. The technology offers VASPs communication capabilities across vastly different protocols and messaging standards with customizable extensions that ensure broad applicability for all possible use cases, including data transmission with unknown VASPs and transactions facilitated by smart contracts.

The OpenVASP protocol uses a communication handshake protocol that relies on structured messages and session keys to ensure encryption of the information transferred. Relying on Ethereum’s decentralized public key infrastructure, VASPs initiate a standardized smart contract to identify themselves on the blockchain, with the last 32 bits of the address denoting the VASP code. The unique blockchain identity is used in the initial handshake to establish contact with another VASP, and in subsequent messaging sessions.

Authentication of VASPs is performed by direct and mutual verification based on business relationships, and certified authentication by trusted third parties such as recognized industry organizations. Identity claims are stored publicly on the VASP contract for reference by other users and can be revoked by the issuing party.

PayString

Developed by the Open Payments Coalition in conjunction with Ripple (XRP), PayString (formerly PayID) is a universal payment identifier that supports cross-platform communication by using a straightforward and human-readable identifier for each user when transacting currency digitally. The free, open-source code was released during the summer of 2020, and PayString bridges the gap between different users, institutions, and currencies (both fiat and crypto), allowing users to transact across global payment network providers.

While designed to increase accessibility in the digital payments world, PayString was designed with regulatory compliance in mind, notably by a Travel Rule extension that supports record-keeping requirements and user identification through integration with the TRISA protocol. Furthermore, PayString is customizable and allows for compliance with the unique regulatory requirements applicable to participating organizations.

The Open Payments Coalition provides governance and performs standard setting for PayString. As of September 2020, the coalition includes over 40 leading industry organizations and digital payments-related businesses.

The free technology protocol used by PayString is web-based and uses an HTTP API secured by the standard web security stack, including TLS. The protocol’s messages use cryptographic certificates and signatures to ensure security for participating organizations, avoiding the need to trust an intermediary or counterparty.

To make integration easier, PayString uses Xpring SDK, a set of language-specific libraries for building XRP and Interledger Protocol (ILP) applications.

Technology for Travel Rule Compliance

X.509

X.509 certificates are a global standard for security protocols and the basis for HTTPS, the protocol for securely browsing the web. Certificates based on X.509 standards that represent the digital identity of a signer are even recognized by government and regulatory agencies around the globe as a legally valid form of identification.

A validated X.509 certificate from a CA protects communications between two VASPs by encrypting the connection between them. TRISA security relies on PKI built around roots of trust compiled into the software. If a VASP wants more capabilities than what is in the code, for example accepting self-certifications because they know the VASP on the other side, they can do that, making the software completely customizable to the VASP’s specific needs.

CipherTrace Traveler

CipherTrace Traveler helps Virtual Asset Service Providers comply with global “Travel Rule” regulations by securely sharing cryptocurrency transaction information with other vetted VASPs. It enables AML compliance and operational continuity in jurisdictions that enforce Travel Rule regulations by enabling secure exchange transaction confirmations.

Traveler is the first commercial product created to meet the standards developed by the Travel Rule Information Sharing Alliance (TRISA) in response to recent guidance by the Financial Action Task Force (FATF)—the global money laundering and terrorist financing watchdog.

Traveler leverages CipherTrace’s leading cryptocurrency intelligence to detect VASP-to-VASP payments, identifies receiving VASPs, and checks for sanctions violations and money laundering. Our CT103 messages meet FinCEN and FATF crypto transfer confirmation (CTC) requirements and are IVMS- and X.509-compatible.
