Crypto AML Compliance: 3 Travel Rule Problems To Solve For VASPs

The ever-changing regulatory landscape for crypto assets may at times represent a minefield of uncertainty for even the most experienced compliance officer to navigate through. This month alone has seen new EU anti-money laundering (AML) legislation proposed this month by the European Commission, the second 12-Month Review of the FATF’s Standards for Virtual Assets and VASPs facing the implementation of the Travel Rule (with updated guidance scheduled for November 2021) while U.S. federal agencies like the SEC and FinCEN continue to take aim at better regulating crypto exchanges and custodians and the services and products they provide. 

If you work in crypto compliance, there are most likely 3 Travel Rule issues giving you sleepless nights: Data privacy, the sunrise problem and how to establish a broad yet cohesive AML strategy. 

In this article, we’ll look at your most pertinent questions (FAQs), and give examples of how a crypto AML compliance solution like our Travel Rule protocol Sygna Bridge and browser gateway Sygna Gate can help to give you some peace of mind ( and a good night’s sleep). 

Before we continue, feel free to recap with our previous 5-part Lens series on how to assess Travel Rule solutions:

Problem 1: Data Privacy 

A common refrain we hear is: How can I be sure that my client’s personal data is not going to be broadcast to the world, mined, reused, or hacked? 

With personal data protection an increasing priority for jurisdictions and new legislation being rolled out globally, from GDPR in Europe to the POPI act in South Africa, there is a lot of uncertainty on how a FATF Travel Rule solution, which enables VASPs to share personal user information with each other as required by the FATF Standards, avoids legal pitfalls. 

Let’s try to unpack these gray areas when implementing Travel Rule compliance using Sygna Bridge

How can I be sure that personal data won’t be exposed during the transmission?

The answer to maintaining data privacy is simple: Encryption.
Sygna transmits encrypted personal data exclusively peer-to-peer (P2P) to ensure that only the sender and the receiver have access to it. We designed the protocol to ensure that the data is encrypted before it is forwarded and that only the receiver is able to decrypt it (by using their private key). 

Through this design, even if the data were to somehow get lost in the process, no other third party would be able to access it, thanks to the encryption used in our current API.

Is there any risk that my data will be shared automatically to an unauthorized third party?

No crypto compliance solution should allow sensitive data to leak to third parties. Sygna is designed to completely avoid two-way data exchange, where a sender VASP delivers the sender data and the receiver VASP replies with the receiver data. 

Two-way exchanges, though popular, present a security threat as senders can create false transactions to try to obtain personal information. One-way data exchange can occur when user information is only shared with the receiver’s approval then passed down to sender VASPs. Sygna uses this model then only requires the sender to confirm the accuracy of the information which greatly reduces data mining risk. 

Problem 2: Sunrise Issue

Another industry concern is around the Travel Rule’s so-called “Sunrise Issue”. The FATF Travel Rule’s sunrise headache stems from the different timelines adopted by various jurisdictions to develop and roll out their virtual asset regulatory frameworks.
How can a VASP be fully Travel Rule compliant during the sunrise period when others won’t be? We unpack this question below:

Should I wait to implement a TR solution? 

The travel rule is being rolled out in each of FATF’s jurisdictions one by one, and service providers are getting denied licenses due to insufficient AML measures. Being proactive and ready ahead of pending but inevitable travel rule regulation reduces the risk of getting fined, disqualified from getting a license but also demonstrates AML efforts to regulators, investors, and customers. 

Some Travel Rule protocols such as Sygna are fully developed now and solution providers have created a suite of integrated AML solutions that can help businesses become compliant ahead of the pack.

Will I have to choose one protocol and be restricted by it?

Yes, you should begin with one protocol to start the integration to transfer the required information or you can also choose a solution that is included with multiple protocols so that your platform can benefit from the multiple protocol networks. 

For example, Sygna designed its own Travel Rule protocol, Sygna Bridge, in order to provide an environment with maximum security for VASPs to exchange mandatory Travel Rule information. 

In addition, we also created Sygna Gate, a software solution to implement different Travel Rule protocols so that users are not limited to one specific network and can send and receive the required data to other different Travel Rule protocol VASPs. 

This is in line with the FATF’s expressed wishes during the first 12-Month Review in 2020 that Travel Rule solution providers seek interoperability between their solutions. Since then, Sygna has partnered with AML compliance companies like Elliptic, ComplyAdvantage and CipherTrace to foster interoperability and integrate the best possible analytical tools into our offering. More partnerships and integration are in the pipeline.  

What should I do when my counterparty VASP is not Travel Rule compliant?

There are three different scenarios that a VASP could encounter using Sygna’s Travel Rule compliance service when it comes to counterparty VASPs. 

  1. Both VASPs are on the Sygna network. 
  2. A counterparty VASP is using another Travel Rule protocol
  3. A counterparty VASP has not implemented any Travel Rule protocol at all (sunrise problem)

The first scenario is straightforward enough: VASPs simply use our protocol and API to compliantly share the necessary information with each other. 

In the second scenario where the counterparty is using a different protocol, Sygna provides integrated software that can be installed on your local server. The software will identify which VASP the counterparty wallet address belongs to and which protocol it is using, will translate it, and exchange the Travel Rule required information accordingly. 

To resolve the last scenario, where a counterparty VASP has not implemented any protocol, we offer an email-based workaround to pre-register the relationship of the wallet and email addresses to help the counterparty VASP manually provide the required data before technically implementing a Travel Rule protocol.

3. Broader AML Compliance

MICA, FATF draft guidance, KYC, Sanction screening, AMLD5 and 6… it’s often said that a week in crypto is a long time, and ever-evolving regulations can make even the most switched-on compliance team feel like they’re stuck on that time-warping planet in the movie Interstellar. 

Fear not. While compliance is a marathon, you can certainly sprint your way to the front of the pack with the right approach. 

I am an accomplished compliance professional but with little crypto experience. How do I get up to speed quickly on its AML landscape?

Sygna can assist you in completing a full compliance review, leveraging our deep experience in integrating the various components of an AML strategy: travel rule but also transaction monitoring, risk screening, etc. We can alleviate a lot of the burden of trying to piece together a solution by offering you a single platform for crypto AML compliance.

Final Thoughts

We understand that crypto AML compliance can be a daunting challenge for even the most battle-hardened compliance professional. Thankfully, most regulators are aware of this fact and are taking a rather lenient and patient approach to help VASPs get their compliance ducks in a row. 

The key takeaway here is that VASPs should be actively engaged in a demonstrable process of reviewing, strengthening, and improving their AML systems in line with these regulations, which in most cases feature some crossover requirements such as customer due diligence, sanction screening, licensing requirements, and suspicious activity reporting as they are rolled out by countries. 

We’re here to help guide you through that process. Simply contact us at [email protected] and we can get started. If you have any other questions you’d like answered, please send them to us via the email provided. 

Written by Vince Lee (Product Manager) and Elsa Madrolle (General Manager International)

FATF Plenary Publishes Second 12-month Review of Revised Guidance on Virtual Assets and VASPs

EU Proposes New AML Law to Implement Travel Rule on Private Wallets