Overview
At its most basic level, the travel rule requires providers of virtual asset services (VASPs) to obtain, hold, and transmit specific originator and beneficiary information immediately and securely when transferring virtual assets (the Travel Rule). Many jurisdictions around the world have already or are in the process of implementing the Travel Rule into their national laws.
In this article we take a closer look at the key components of the Travel Rule, how it is being implemented in a few jurisdictions and the compliance challenges that it presents.
What is the Travel Rule?
Requirements to transfer information about the originator and beneficiary of a transfer are well established in the context of transfers of funds and originate from Recommendation 16 of the Financial Action Task Force (FATF) Standards (FATF Standards) on wire transfers. The FATF Standards set out a framework of measures that countries should implement to combat money laundering and terrorist financing (ML/TF). In 2018, FATF updated the FATF Standards to extend anti-money laundering and counter-terrorist (AML/CTF) requirements to virtual assets1 and VASPs (under Recommendation 15).
The aim of the Travel Rule is to ensure that information on the identity of the originator and beneficiary of virtual asset transfers is available so that VASPs can better identify when they may be sending/receiving virtual assets to/from persons and jurisdictions presenting ML/TF risks and law enforcement authorities can better detect and prosecute terrorists and other criminals. FATF calls on countries to fully and effectively implement the FATF’s Standards for virtual assets as a priority.
Many jurisdictions around the world either have already or are in the process of implementing the Travel Rule into national law. According to FATF’s June 2024 report on the implementation of the FATF Standards on virtual assets and VASPs (FATF’s June 2024 Report), 65 of 94 jurisdictions have passed legislation implementing the Travel Rule and 15 jurisdictions reported that they are in the process of adopting legislation to do so (e.g., have tabled draft legislation, issued a draft law, undertaken public consultations on draft legislation, etc.). However, they have noted that progress remains slow. The report recommends that jurisdictions that have not yet introduced legislation/regulation to implement the Travel Rule should urgently do so.
Why is it important to know about the Travel Rule?
It is important for firms to know about the Travel Rule because firms may be subject to requirements to comply with it if they are involved in transferring virtual assets as a VASP. Even firms providing services related to virtual assets in a jurisdiction that has not and has no plans to implement the requirements may still be impacted where services involve sending/receiving virtual assets cross-border and/or other VASPs in the transfer chain are based in other jurisdictions.
The consequences of not sending or receiving the required information about the originator and the beneficiary of the virtual asset transfer can be significant depending on the way that the Travel Rule is implemented in a particular jurisdiction. For example, if transferring virtual assets to an EU VASP, if the required information on the originator and beneficiary is not transmitted, the transfer may be rejected and the virtual assets returned (and more severe consequences may follow a repeated failure).
Similarly, if a non-EU VASP’s client wishes to be the recipient of a virtual asset transfer where the transfer chain involves an EU VASP, the transfer may only be permitted if the EU VASP is able to transmit information about the non-EU VASP’s client alongside the transfer (which in practice will mean that the information will need to be provided to the EU VASP). It is therefore critical that VASPs consider how they will comply (whether in practice or under law/regulation) with the Travel Rule when conducting transfers of virtual assets.
What are the key components of FATF’s Travel Rule?
They key components of the Travel Rule are set out in the diagram below.
| Common terms | General definitions |
|---|---|
| Originator | Person who allows the transfer or places the order to transfer the virtual asset from their account/address |
| Originator VASP2 | Originator’s VASP |
| Beneficiary | Intended recipient of the virtual asset |
| Beneficiary VASP | Beneficiary’s VASP |
| Intermediary VASP | VASP that receives and sends on a transfer of virtual assets as part of a transfer chain (on behalf of another VASP) |
After a person places an order with a VASP for transfer of a virtual asset to a Beneficiary, broadly speaking FATF’s version of the Travel Rule requires that the following key steps be taken by VASPs when making the transfer:
Key Travel Rule obligations for VASP to VASP transfers
Additional points to note:
- Intermediary VASPs that send or receive virtual assets from/to another VASP as part of a transfer chain (e.g. a VASP that is acting as a sub-custodian for the Originator’s VASP and sends and receives virtual assets on the Originator’s VASP’s behalf) are also subject to obligations to ensure all information received from the sending VASP (whether the Originator or another Intermediary VASP) is passed on, identify missing information and have effective risk-based policies/procedures to determine when to execute and when to reject/suspend a transfer where information is missing.
- FATF’s 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (FATF’s Updated Guidance for VASPs) provides that jurisdictions may adopt a de minimis threshold for transfers no higher than USD/EUR 1,000, below which a less onerous set of requirements apply.
- While the information requirements applicable to domestic transfers of funds are slightly less onerous than cross-border transfers of funds, FATF’s Updated Guidance for VASPs provides that jurisdictions should treat all virtual asset transfers as cross-border given the cross-border nature of virtual asset activities and VASP operations.
- VASPs transferring virtual assets to / receiving virtual assets from an unhosted wallet on behalf of an Originator/Beneficiary (respectively) are also subject to obligations. FATF’s Updated Guidance for VASPs states that in such circumstances, a VASP should obtain the required information on the Originator/Beneficiary from their customer because they cannot obtain the relevant information from another VASP.
- Other key obligations include obligations to conduct VASP counterparty due diligence, keep records, and make information available to competent authorities.
- VASP to VASP transfers acting on their own behalf are not within scope of the Travel Rule.
For further information, see the FATF Standards as well as FATF’s Updated Guidance for VASPs.
How is the Travel Rule being implemented around the world?
Key differences in implementation
Jurisdictions are implementing the Travel Rule into their national laws in different ways and are at different stages of implementation, which provides for compliance challenges. As a snapshot, the table in the Appendix provides a brief high-level summary of the ways in which the Travel Rule has been or is in the process of being implemented in the EU, the UK, Jersey, Australia and South Africa. As you will see, key differences include, for example:
- whether a jurisdiction has decided to implement a de minimis threshold pursuant to which transfers below a certain amount are subject to fewer or no Travel Rule requirements; e.g., the EU regime contains no such de minimis threshold, whereas under the UK regime, transfers below €1,000 are subject to less onerous requirements;
- differences in the precise information on the Beneficiary and Originator of a transaction that is required to be transferred; these differences may be minor, however such differences may present challenges when thinking about implementing systems to comply with such requirements under multiple regimes (which may be needed as a practical matter if undertaking transfers with cross-border elements);
- differences in the obligations that apply to a Beneficiary VASP/Intermediary VASP that is receiving a transfer where information is missing; e.g. in the UK and Jersey, VASPs are required to make a risk-based assessment as to whether to execute the transfer; in the EU, while a risk-based assessment is still required, if the Originator/Beneficiary cannot be unambiguously identified, the transfer should not be executed (see the EBA's Travel Rule Guidelines at paragraph 64);
- differences in the obligations that apply to a VASP that is sending a virtual asset to or receiving a virtual asset from an unhosted wallet; e.g. in the UK and Jersey a VASP should adopt a risk-based approach, whereas in the EU, VASPs must obtain required information and in the case of transfers exceeding €1,000, assess whether the address is owned/controlled by their customer using one or more prescribed methods of verification; and
- differences in the obligations that apply to cross-border transfers where sending to/receiving from a jurisdiction that has not implemented the travel rule or has implemented it in a different way (known as the “Sunrise Issue”); e.g. in the UK and Jersey, a VASP that has received a virtual asset transfer with missing/incomplete information should take into account a jurisdiction’s status of implementation of the Travel Rule when making a risk-based assessment as to whether to make the virtual assets available to the Beneficiary. However, the UK and Jersey guidance are not prescriptive as to how this factor should be taken into account. In the EU, the EBA’s Travel Rule Guidelines identify a transfer involving a jurisdiction that has not yet implemented the Travel Rule as a transfer involving a high ML/TF risk jurisdiction (in the context of procedures to monitor and detect information missing from transfers).
It is worth noting that as well as differences in implementation of the Travel Rule, there are also differences in the way that virtual assets and related services are defined in each jurisdiction. On these latter differences, see aosphere’s Crypto Surveys for more information.
Practical challenges firms may be grappling with as they implement procedures and systems to comply with the Travel Rule
Complying with the Travel Rule may present significant practical challenges for firms. FATF’s June 2024 Report identifies issues and challenges such as:
- identifying counterparties and successfully sending and receiving Travel Rule information given a lack of interoperability among Travel Rule compliance tools (e.g. there is not yet an accepted solution for transmitting information as exists in the context of wire transfers of funds, i.e. SWIFT, although FATF noted that the industry had reported the common use of interVASP Messaging Standards for Travel Rule information replicating ISO20022 for the virtual asset sector);
- complying with data protection requirements when transmitting required information;
- complying with the Travel Rule where transfers involve jurisdictions that do not require compliance with the Travel Rule or that are at a different stage of implementation (the Sunrise Issue); and
- identifying and conducting due diligence on VASP counterparties, for example where a jurisdiction’s regulatory regime lacks a public data source on licensed/registered VASPs (potentially requiring the information to be collected manually for each transaction).
In relation to the issue of interoperability among Travel Rule Compliance tools, FATF’s June 2024 Report and June 2023 report include helpful lists of guiding questions and considerations to help VASPs engage with compliance tool providers.
The obligation to return a transfer may also present practical difficulties. This issue is acknowledged in the EU regime in the EBA’s Travel Rule Guidelines, which state that,
“where the rejection is technically not possible, the transfer should be returned to the originator. Where returning the transfer to the original address is not possible, CASPs should apply alternative methods…[e.g.] holding the returned assets in a secure, segregated account while communicating with the originator to arrange a suitable return method to the originator”.
Further developments to come?
Yes, as many jurisdictions have not yet or are in the process of implementing the Travel Rule or are at an early stage of supervising compliance (FATF’s June 2024 Report notes that even among jurisdictions that have implemented the Travel Rule, supervision and enforcement remains low: less than one third (26%; 17 of 65) have issued findings or directives or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance), we can expect significantly more developments on this topic.
At aosphere Rulefinder Crypto Assets, we are monitoring developments relating to AML/CFT requirements, including the Travel Rule, and variations in implementation from jurisdiction to jurisdiction. Our in-depth country analysis include coverage of how the Rule is being adopted in the EU, UK, Jersey, Australia and South Africa.
1. FATF defines a virtual asset as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations”.
2. VASP is used here to refer to the provider of virtual asset services as this is the terminology used by FATF (see here). However, particular jurisdictions may use different terminology/definitions. In this article, the terms virtual asset and VASP are used except where discussing jurisdiction specific implementation of the Travel Rule in the Appendix.
How aosphere can help
Rulefinder Crypto Assets offers practical analysis of crypto asset regulation in key financial markets, helping you understand the latest positions, tackle regulatory challenges and see what's coming. Our service also includes a horizon-scanning, curated alerts service.
