The FATF Travel Rule” aims to identify crypto transmitters by obligating virtual asset service providers to share user information with each other during transmittals. How does it differ from current AML/KYC efforts and why is KYC still needed?
Table of Contents
- What is Know-Your-Customer (KYC)?
- What is the FATF Travel Rule
- Comparing AML/KYC and the Travel Rule
- How are AML/KYC and the Travel Rule different?
- What information is required by KYC and Recommendation 16?
- Does the Travel Rule remove the need for KYC?
- The relationship between AML/KYC and the Travel Rule
The Financial Action Task Force (FATF)’s 2019 amendment to their Recommendation 16 on Wire Transfers has heralded in a new era and challenges in the regulatory-compliant ownership of virtual assets. Prior to this, the crypto industry has in recent years been trying to clean up its own backyard through self-regulation measures, adopting Anti-Money-Laundering (AML) and Combating-Financing-of-Terrorism (CFT) policies prevalent in traditional finance to keep regulators at bay.
Chief among these are Know-Your-Customer (KYC) and Know-Your-Transaction (KYT) verifications, which respectively reveal the real identities behind registered user accounts and dubious cryptocurrency transmittals.
Many observers now believe that the FATF’s Recommendation 16, also colloquially called the FATF Travel Rule as it mimics the Travel Rule of the United States’ Banking Secrecy Act (BSA), supersedes the industry’s AML/KYC and KYT efforts. Is this an accurate assessment though? This article compares and contrasts these two regulatory mechanisms and reviews their relationship.
2. What is AML/KYC?
Know Your Customer (KYC) is an AML compliance process used to identify and verify potential customers, as well as monitor their behavior. Originating as a measure used to combat money laundering and terrorism funding in traditional finance, it is a legal requirement for money service businesses to receive an operating license from the local authorities. However, with no global standardized system in place, KYC’s implementation and execution vary greatly between jurisdictions around the world.
KYC procedures aim to establish effective risk management, transaction monitoring, and new customer policies to ensure that new customers and their associated behavior do not harm the institution.
KYC can be very expensive and time-consuming, therefore businesses take a risk-based approach (RBA) in onboarding new customers and partners, thus allowing themselves the flexibility to decide what measures are necessary to satisfactorily minimize their risk exposure. RBA is a more pragmatic approach, first proposed by the FATF in 2007 to help businesses cut KYC costs and labor.
A KYC investigation normally involves collecting and analyzing personally identifiable information (PII) and then screening this data ( real name, address, birth date and more of the customer) against public information and AML/CFT blacklists. Next is looking at the customer’s available transactional history to determining the risk a potential client poses in terms of money laundering and terrorist financing, and finally, monitoring the customer’s behavior against that of their peers.
KYC’s Risk-Based Approach (RBA): Customer and Enhanced Due Diligence
A risk-based approach to KYC means that for new users considered low-risk, a company’s standard Customer Due Diligence (CDD) process usually suffices. During CDD, an FI collects government-issued identification, proof of address online or in situ. The FI could also contact the new customer with a phone call or video chat to ensure their real identity is consistent with their provided documentation.
For new customers deemed a higher risk, such as politically exposed persons (PEPs) companies may conduct Enhanced Due Diligence (EDD), a deeper investigation into the background and dealings tied to the customer’s identity.
There are increasingly sophisticated KYC software options (e.g. APIs) available for businesses to help automate this critical risk mitigation process.
3. What is the FATF Travel Rule (Recommendation 16)?
The FATF Travel Rule requires member countries to ensure their virtual asset service providers (VASP), such as crypto exchanges, collect and exchange beneficiary and originator information with VASP counterparties during any transmittal exceeding USD1,000. The required personally identifiable information includes names, account numbers, physical addresses, and unique identification numbers.
In February 2019, the FATF released its Interpretive Guidance to Recommendation 15, where paragraph 7(b) R16 introduced the FATF’s own version of the U.S. Travel Rule for cryptocurrency regulations. Formalized in June 2019, Recommendation 16 now dictates the following:
Countries should ensure that:
“…VASPs obtain and hold required and accurate originator (sender) information and required beneficiary (recipient) information and submit this information to beneficiary institutions… if any.
…beneficiary institutions…obtain and hold required (not necessarily accurate) originator information and required and accurate beneficiary information…”
What is a Virtual Asset Service Provider (VASP)?
FATF defines a Virtual Asset Service Provider (VASP) as any natural or legal person or entity not covered elsewhere by its Recommendations, that provides these services as part of their business for or on behalf of another legal or natural person:
- Exchange between fiat currencies and virtual assets;
- Exchange between different types virtual assets;
- Transfer of virtual assets;
- Safekeeping and/or administration of virtual assets enabling their control ;
- Participating in and providing of services for the offering and/or selling virtual assets.
What is the U.S. BSA Travel Rule?
The Travel Rule originated in the United States as a direct measure against money laundering. It initially applied to traditional financial institutions that were required to comply with the U.S.’ Banking Secrecy Act (BSA). The Financial Crimes Enforcement Network (FinCEN) introduced it in this 1997 advisory document well before the invention of cryptocurrencies. After defining the legal requirements of convertible virtual currencies (CVCs) in its May 2019 guidance, FinCEN has made it clear that BSA Travel Rule applies to CVCs, and that therefore exchanges are required to disclose the identities of users involved in virtual asset transfers exceeding $3000 or higher, in accordance with the BSA.
3. Origins of the Crypto Travel Rule
The Travel Rule is a counter-money laundering initiative that obligates traditional financial institutions to share information about their customers and assume the responsibility to report suspicious activities. It is important to note that the “Travel Rule” was initially created and first implemented in the U.S. in the previous century.
With the United States (specifically Mr. Marshall Billingslea) awarded the presidency of the Financial Action Task Force during 2018/2019, the economic and political powerhouse seized the initiative to push its domestic policy beyond its borders, in order to better regulate virtual assets which are essentially borderless in nature. This strong push helped to break the impasse between the FATF’s 39 member countries on how to decisively deal with the threat of unregulated and anonymously owned cryptocurrencies becoming a mainstream asset class.
4. Comparing AML/KYC and the FATF Travel Rule
The FATF and FinCEN’s 2019 guidances extending to virtual assets and financial institutions dealing with them made it clear that a united global AML/CFT front, with further regulatory controls, was needed in order to efficiently clamp down on money laundering and terrorism funding in the crypto industry.
This finally brings a clear response to counter the risks identified by the FATF in 2014 (in their Virtual Currencies: Key Definitions and Potential AML/CFT Risks guidance) that cryptocurrencies have brought to AML/CFT policing, namely:
- the anonymous nature of virtual currency transactions
- the limited identification and verification of virtual asset traders
- the lack of a clear global policy to allocate responsibility for AML/CFT compliance, monitoring and enforcement of virtual asset transaction
- the lack of a central overseeing organization
While KYC can be effective if implemented correctly by financial institutions (FIs), there isn’t a universal quality control system in place to separate compliant VASPs from non-compliant ones. A recent AML report claims that about two-thirds of the world’s top 120 digital exchanges have “weak and porous” KYC systems, which makes it easy for bad actors to move cryptocurrencies around up to 0.25 BTC per day without needing to undergo any KYC at all.
Also, surprisingly, nearly ⅓ of exchanges still offer privacy coins to users, making it even easier for users to cover their tracks. The CipherTrace report breaks down their KYC grading as follows:
- Good KYC exchanges: 37%
- Porous KYC exchanges: 42%
- Weak KYC exchanges: 21% (where users can withdraw up to 0.25 BTC per day without the need for any identification
5. How are AML/KYC and the FATF Travel Rule different?
While both AML/KYC and the FATF Travel Rule are risk-based approaches that combat illicit behavior associated with virtual currencies, there are critical differences in the way they apply to the crypto industry.
- KYC is a legally required process for countries, while R.16 is legally a non-binding guidance for countries and VASPs
- KYC verifies a customer’s identity and monitors their behavior, while the Travel Rule identifies who is sending and receiving assets
- KYC is required so that VASPs can share Travel Rule-compliant information
- Non-compliance with KYC puts the company at risk. With R.16 the risk is on the country.
- KYC is an internal company process, while R.16 requires at least 2 parties to collaborate.
- The Travel Rule applies to over 200 countries, while basic KYC measures are determined by individual jurisdictions
6. What information is required by KYC and FATF Recommendation 16?
7. Does the Travel Rule remove the need for KYC?
KYC procedures play a key role in helping deter criminals from using cryptocurrencies for illegal purposes. This is not expected to change any time soon. Yet, it is not enough, as the theft of virtual assets worth billions of dollars stolen in 2019 and attempts to circumvent KYC registration show.
In addition, KYC breaches on exchanges like Binance and BitMex have made some observers recently question the true purpose behind AML/KYC and whether a centralized KYC data pool is worth the security and legal worries it brings with it, such as identity theft.
8. The relationship between KYC and the Travel Rule
The Travel Rule complements, rather than seeks to replace, the need for KYC.
Both regulatory measures share a symbiotic relationship and some ways represent two sides of the same (Bit)coin. Without sophisticated KYC processes that correctly identify the true entities behind cryptocurrency accounts, it will be nearly impossible for authorities and VASPs to ensure that the Travel Rule functions effectively.
If VASPs cannot be trusted to collect and provide accurate user identification information, it potentially puts a counterparty or its country of registration at direct odds with regulators and intergovernmental organizations. This is a risk that countries specifically will not tolerate, especially in lieu of the FATF’s well-known history of placing non-compliant members on its gray and blacklists.
In turn, the Travel Rule puts regulatory pressure on countries and the crypto industry at large to see to it that all VASPs develop adequate risk-mitigating KYC processes, or face the consequences. This ensures that forward-thinking financial institutions implement more robust and comprehensive KYC processes, that not only need to comply with financial industry standards, such as those set by FINRA’s Rule 2090, but also allows them to share accurate user data as required by the FATF and the U.S. regulatory heavyweights FinCEN, SEC and CFTC.
Done right, the combination of KYC and the Travel Rule are major tools to help financial institutions comply with regulations worldwide. A shining example is the progress that the Japanese exchange platform SBI VC has made in 2019 to ensure that both its KYC and Travel Rule measures meet the approval of regulators.
Conversely, VASPs that cannot keep up with new regulatory requirements face extinction, as can be seen in recent closures of exchanges like CryptoBridge that cite new regulations as a reason they’re closing shop.
The Travel Rule will not be the final difficult hoop that regulators will force the crypto industry to jump through. Yet, it will be one of the most important, and set the stage for a more mature regulation of crypto assets.
Depending on how you look at it, each new AML/CFT measure such as KYC, the Travel Rule and other measures like Know-Your-Transaction (KYT) plays a vital part in helping to gradually illuminate the blockchain.
Each process does its part to help grow this young technology into a mature, world-transforming force that, importantly, also increasingly appeals to a mainstream financial market that takes note of every new check and balance being put in place.
While they are different in many ways, the Travel Rule and AML/KYC have a united goal: they aim to clean up and fortify cryptocurrency transacting to ensure their survival for the long haul.
Written by Werner Vermaak
About CoolBitX and Sygna Bridge
CoolBitX’s Sygna Bridge is a first-to-market travel rule solution and alliance network that is live and being used by our VASP partners to share compliant originator and beneficiary transmittal information.
Sygna Bridge completed a successful production test report (Big 4 audited) earlier this year, which was presented to the FATF Contact Group in May 2020. Sygna Bridge recently partnered with AML pioneers Elliptic and now also supports the IVMS101 messaging standard.
CoolBitX has signed MoUs with over 20 VASPs worldwide and joined forces with Elliptic in a combined quest to help crypto companies comply with the FATF Standards.
For inquiries on how to comply with the FATF Travel Rule before June 2021 and our Sygna Bridge solution for VASPs, please contact us at email@example.com.
Disclaimer: CoolBitX provides these blog posts for general educational purposes only. Information on this blog does not constitute professional legal or financial advice and should not be considered as such. The author or company may update the information on this article at any time without prior notice and do not guarantee the work to be up to date and accurate. To the best of our knowledge the information provided here is factual at the time of writing.