FATF Travel Rule and AML/KYC Guide For VASPs

The FATF Travel Rule” aims to identify crypto transmitters by obligating virtual asset service providers (VASPs) to share user information with each other during transmittals. How does it differ from current AML/KYC efforts and why is KYC still needed?

Table of Contents

  1. Introduction
  2. What is Know-Your-Customer (KYC)?
  3. What is the FATF Travel Rule
  4. Comparing AML/KYC and the Travel Rule
  5. How are AML/KYC and the Travel Rule different?
  6. What information is required by KYC and Recommendation 16?
  7. Does the Travel Rule remove the need for KYC?
  8. The relationship between AML/KYC and the Travel Rule
  9. Conclusion

1. Introduction 

The Financial Action Task Force (FATF)’s 2019 amendment to their Recommendation 16 on Wire Transfers, known as the “FATF Travel Rule” as it mimics the Travel Rule of the United States’ Banking Secrecy Act (BSA), heralded in a new era and challenges in the regulatory-compliant ownership of virtual assets. Yet, after 3 years since it was first announced, where are we with global implementation? For a detailed update, read our latest State of Travel Rule 2022 comprehensive guide here.

This article aims to explain the FATF Travel Rule, how it differs from KYC, its origins and objectives, and what virtual asset service providers (VASPs) should know in 2022 in order to comply with global AML/CFT regulations.

Background

The FATF Travel Rule, which requires the exchanging of real-name user identification during transactions, is currently being implemented by member countries and virtual asset service providers (VASPs) in domestic frameworks for better alignment with the FATF Standards, the de-facto global anti-money laundering (AML) and counter-terrorism financing (CFT) guidance. The FATF assessed the global response to the Travel Rule during its 12-Month Review in June 2021, and while it wasn’t unhappy with the efforts of its members, there was concern with the slow uneven rollout of regulations across the globe, known as the “sunrise problem”, which is leaving gaps in AML policing for bad actors to use.

Prior to the 2019 amendment, the crypto industry had been trying to clean up its own backyard through self-regulation measures, adopting AML/CFT policies prevalent in traditional finance to keep regulators at bay.  
Chief among these are Know-Your-Customer (KYC) and Know-Your-Transaction (KYT) verifications, which respectively reveal the real identities behind registered user accounts and dubious cryptocurrency transmittals. 

Many VASPs now wonder whether the FATF’s Recommendation 16 update supersedes the industry’s AML/KYC and KYT efforts. This is a case of comparing apples with oranges.

For example, Sygna Bridge, the FATF Travel Rule solution, helps companies relay compliant R16 data with verified other VASPs, while KYC/KYT specialists like its strategic partner Elliptic help VASPs to screen incoming transactions and users and investigate suspect addresses.

This article compares and contrasts these different regulatory mechanisms and reviews their relationship.

2. What is AML/KYC?

Know Your Customer (KYC) is an AML compliance process used to identify and verify potential customers, as well as monitor their behavior. Originating as a measure used to combat money laundering and terrorism funding in traditional finance, it is a legal requirement for money service businesses to receive an operating license from the local authorities. However, with no global standardized system in place, KYC’s implementation and execution vary greatly between jurisdictions around the world. 

KYC procedures aim to establish effective risk management, transaction monitoring, and new customer policies to ensure that new customers and their associated behavior do not harm the institution. 

KYC can be very expensive and time-consuming, therefore businesses take a risk-based approach (RBA) in onboarding new customers and partners, thus allowing themselves the flexibility to decide what measures are necessary to satisfactorily minimize their risk exposure. RBA is a more pragmatic approach, first proposed by the FATF in 2007 to help businesses cut KYC costs and labor.

A KYC investigation normally involves collecting and analyzing personally identifiable information (PII) and then screening this data ( real name, address, birth date, and more of the customer) against public information and AML/CFT blacklists. Next is looking at the customer’s available transactional history to determine the risk a potential client poses in terms of money laundering and terrorist financing, and finally, monitoring the customer’s behavior against that of their peers. 

KYC’s Risk-Based Approach (RBA): Customer and Enhanced Due Diligence 

A risk-based approach to KYC means that for new users considered low-risk, a company’s standard Customer Due Diligence (CDD) process usually suffices. During CDD, an FI collects government-issued identification, proof of address online or in situ. The FI could also contact the new customer with a phone call or video chat to ensure their real identity is consistent with their provided documentation. 

For new customers deemed a higher risk, such as politically exposed persons (PEPs) companies may conduct Enhanced Due Diligence (EDD), a deeper investigation into the background and dealings tied to the customer’s identity. 
There are increasingly sophisticated KYC software options (e.g. APIs) available for businesses to help automate this critical risk mitigation process. Sygna’s latest AML platforms Sygna Hub and Sygna Gate have integrated the industry’s leading solutions from Elliptic, Chainalysis, ComplyAdvantage, and more to offer our clients a streamlined, easy-to-use user interface.

3. What is the FATF Travel Rule? 

The FATF Travel Rule (Recommendation 16) obligates member countries since 2019 to take a risk-based approach (RBA) to virtual assets by requiring their virtual asset service providers (VASPs) to share beneficiary and originator information with counterparties during transmittals above $1,000. The required personally identifiable information (PII) includes names, account numbers, physical addresses, and unique identification numbers.

Due to a lack of existing technology and regulatory frameworks, the global implementation of the Travel Rule, which was inspired by legislation in the US’ Bank Secrecy Act (BSA), has been uneven and slow, hampered by cultural, financial and geographical differences referred to as the sunrise problem.

FATF Travel Rule: Recommendation 16 requirements
What does FATF Travel Rule require?

The FATF added it to its Recommendation 16 in June 2019 and did a final 12-month review during June 2021.

In February 2019, the FATF released its Interpretive Guidance to Recommendation 15, where paragraph 7(b) R16 introduced the FATF’s own version of the U.S. Travel Rule for cryptocurrency regulations. Formalized in June 2019, Recommendation 16 now dictates the following: 

Countries should ensure that:

“…VASPs obtain and hold required and accurate originator (sender) information and required beneficiary (recipient) information and submit this information to beneficiary institutions… if any.

…beneficiary institutions…obtain and hold required (not necessarily accurate) originator information and required and accurate beneficiary information…”

What is a Virtual Asset Service Provider (VASP)?

FATF defines a Virtual Asset Service Provider (VASP) as any natural or legal person or entity not covered elsewhere by its Recommendations, that provides these services as part of their business for or on behalf of another legal or natural person:

  1. Exchange between fiat currencies and virtual assets;
  2. Exchange between different types virtual assets;
  3. Transfer of virtual assets;
  4. Safekeeping and/or administration of virtual assets enabling their control ;
  5. Participating in and providing of services for the offering and/or selling virtual assets.

What is the U.S. BSA Travel Rule?

The Travel Rule originated in the United States as a direct measure against money laundering. It initially applied to traditional financial institutions that were required to comply with the U.S.’ Banking Secrecy Act (BSA). The Financial Crimes Enforcement Network (FinCEN) introduced it in this 1997 advisory document well before the invention of cryptocurrencies. After defining the legal requirements of convertible virtual currencies (CVCs) in its May 2019 guidance, FinCEN has made it clear that BSA Travel Rule applies to CVCs, and that therefore exchanges are required to disclose the identities of users involved in virtual asset transfers exceeding $3000 or higher, in accordance with the BSA. 

3. Origins of the Crypto Travel Rule

The Travel Rule is a counter-money laundering initiative that obligates traditional financial institutions to share information about their customers and assume the responsibility to report suspicious activities. It is important to note that the “Travel Rule” was initially created and first implemented in the U.S. in the previous century.

With the United States (specifically Mr. Marshall Billingslea) awarded the presidency of the Financial Action Task Force during 2018/2019, the economic and political powerhouse seized the initiative to push its domestic policy beyond its borders, in order to better regulate virtual assets which are essentially borderless in nature. This strong push helped to break the impasse between the FATF’s 39 member countries on how to decisively deal with the threat of unregulated and anonymously owned cryptocurrencies becoming a mainstream asset class.

4. Comparing AML/KYC and the FATF Travel Rule

The FATF and FinCEN’s 2019 guidances extending to virtual assets and financial institutions dealing with them made it clear that a united global AML/CFT front, with further regulatory controls, was needed in order to efficiently clamp down on money laundering and terrorism funding in the crypto industry. 

This finally brings a clear response to counter the risks identified by the FATF in 2014 (in their Virtual Currencies: Key Definitions and Potential AML/CFT Risks guidance) that cryptocurrencies have brought to AML/CFT policing, namely:

  • the anonymous nature of virtual currency transactions 
  • the limited identification and verification of virtual asset traders
  • the lack of a clear global policy to allocate responsibility for AML/CFT compliance, monitoring and enforcement of virtual asset transaction
  • the lack of a central overseeing organization

While KYC can be effective if implemented correctly by financial institutions (FIs), there isn’t a universal quality control system in place to separate compliant VASPs from non-compliant ones. A recent AML report claims that about two-thirds of the world’s top 120 digital exchanges have “weak and porous” KYC systems, which makes it easy for bad actors to move cryptocurrencies around up to 0.25 BTC per day without needing to undergo any KYC at all.

Also, surprisingly, nearly ⅓ of exchanges still offer privacy coins to users, making it even easier for users to cover their tracks. The CipherTrace report breaks down their KYC grading as follows:

KYC grading report 2019
KYC grading report 2019 (source: CipherTrace)
  • Good KYC exchanges: 37%
  • Porous KYC exchanges: 42%
  • Weak KYC exchanges: 21% (where users can withdraw up to 0.25 BTC per day without the need for any identification

5. How are AML/KYC and the FATF Travel Rule different?

While both AML/KYC and the FATF Travel Rule are risk-based approaches that combat illicit behavior associated with virtual currencies, there are critical differences in the way they apply to the crypto industry. 

  1. KYC is a legally required process for countries, while R.16 is legally a non-binding guidance for countries and VASPs
  2. KYC verifies a customer’s identity and monitors their behavior, while the Travel Rule identifies who is sending and receiving assets
  3. KYC is required so that VASPs can share Travel Rule-compliant information
  4. Non-compliance with KYC puts the company at risk. With R.16 the risk is on the country.
  5. KYC is an internal company process, while R.16 requires at least 2 parties to collaborate.
  6. The Travel Rule applies to over 200 countries, while basic KYC measures are determined by individual jurisdictions

6. What information is required by KYC and FATF Recommendation 16?

7. Does the Travel Rule remove the need for KYC?

KYC procedures play a key role in helping deter criminals from using cryptocurrencies for illegal purposes. This is not expected to change any time soon. Yet, it is not enough, as the theft of virtual assets worth billions of dollars stolen in 2019 and attempts to circumvent KYC registration show.

In addition, KYC breaches on exchanges like Binance and BitMex have made some observers recently question the true purpose behind AML/KYC and whether a centralized KYC data pool is worth the security and legal worries it brings with it, such as identity theft.

hacker in front of computer

8. The relationship between KYC and the Travel Rule

The Travel Rule complements, rather than seeks to replace, the need for KYC. 

Both regulatory measures share a symbiotic relationship and some ways represent two sides of the same (Bit)coin. Without sophisticated KYC processes that correctly identify the true entities behind cryptocurrency accounts, it will be nearly impossible for authorities and VASPs to ensure that the Travel Rule functions effectively. 


If VASPs cannot be trusted to collect and provide accurate user identification information, it potentially puts a counterparty or its country of registration at direct odds with regulators and intergovernmental organizations. This is a risk that countries specifically will not tolerate, especially in lieu of the FATF’s well-known history of placing non-compliant members on its gray and blacklists. 

The FATF’s gray list of monitored high-risk countries
The FATF’s gray list of monitored high-risk countries (2019)

In turn, the Travel Rule puts regulatory pressure on countries and the crypto industry at large to see to it that all VASPs develop adequate risk-mitigating KYC processes, or face the consequences. This ensures that forward-thinking financial institutions implement more robust and comprehensive KYC processes, that not only need to comply with financial industry standards, such as those set by FINRA’s Rule 2090, but also allows them to share accurate user data as required by the FATF and the U.S. regulatory heavyweights FinCEN, SEC and CFTC. 

9. Conclusion

Done right, the combination of KYC and the Travel Rule are major tools to help financial institutions comply with regulations worldwide.

Conversely, VASPs that cannot keep up with new regulatory requirements face extinction, as can be seen in closures of exchanges like CryptoBridge that cite new regulations as a reason they’re closing shop. 

The Travel Rule will not be the final difficult hoop that regulators will force the crypto industry to jump through. Yet, it will be one of the most important, and set the stage for a more mature regulation of crypto assets.

Depending on how you look at it, each new AML/CFT measure such as KYC, the Travel Rule, and other measures like Know-Your-Transaction (KYT) plays a vital part in helping to gradually illuminate the blockchain. 

Each process does its part to help grow this young technology into a mature, world-transforming force that, importantly, also increasingly appeals to a mainstream financial market that takes note of every new check and balance being put in place.

While they are different in many ways, the Travel Rule and AML/KYC have a united goal: they aim to clean up and fortify cryptocurrency transacting to ensure their survival for the long haul.

Written by Werner Vermaak

About CoolBitX and Sygna Bridge

CoolBitX’s Sygna Bridge is a first-to-market travel rule solution and alliance network that is live and being used by our VASP partners to share compliant originator and beneficiary transmittal information.

This image has an empty alt attribute; its file name is sygna-bridge-gif-1024x439.gif

About CoolBitX

CoolBitX Technology Ltd. (CBX) is an international blockchain security company that is building the infrastructure necessary to close the gap between the mainstream market and crypto industry. Founded in 2014 by Michael Ou and backed by SBI Holdings, CoolBitX provides solutions for a rapidly-changing blockchain industry in order to foster the mass adoption of virtual assets through its two product lines: CoolWallet S and Sygna. CoolWallet S is a credit card-sized hardware wallet that allows for Bluetooth-enabled pairing with users’ mobile phones. The Sygna line of regulatory compliance products are tailored toward Virtual Asset Service Providers (VASPs), simplifying the process for VASPs to meet the compliance standards of the traditional financial industry and improve the reputation of the virtual currency industry. For more information on CoolBitX, visit https://coolbitx.com/.

About Sygna Bridge

As part of CoolBitX’s new line of regulatory compliant products tailored toward Virtual Asset Service Providers (VASPs), Sygna Bridge is a compliant, user friendly, and secure data exchange solution that allows VASPs to communicate regulation-ready information. For VASPs licensed or registered in any of the 200 global jurisdictions committed to FATF Recommendations, Sygna Bridge is a first-to-market solution that simplifies the complex and labor-intensive task of meeting the “travel rule” as defined in FATF Recommendation 16. Sygna Bridge was created to close the gap in compliance standards between the mainstream market and the crypto industry. For more information on Sygna, visit https://sygna.io/ and for more information on CoolBitX, visit https://coolbitx.com/.

For inquiries on how to comply with the FATF Travel Rule and our Sygna Bridge solution for VASPs, please contact us at [email protected].

Disclaimer: CoolBitX provides these blog posts for general educational purposes only. Information on this blog does not constitute professional legal or financial advice and should not be considered as such. The author or company may update the information on this article at any time without prior notice and do not guarantee the work to be up to date and accurate. To the best of our knowledge the information provided here is factual at the time of writing.


What is AML/KYC in Crypto?

What is FinCEN? How Does It Regulate Virtual Currencies?