What is the FATF Travel Rule (Recommendation 16) for VASPs?

Table of Contents

1. Introduction

The cryptocurrency industry is currently at a pivotal juncture, facing sustained global regulatory pressure in 2020 that is pushing it to evolve into a legitimate and acceptable new asset sector for institutions and mainstream investors.

In June 2019, the Financial Action Task Force (FATF) shook the crypto industry with its adoption of an amendment to its Recommendation 16, colloquially referred to as the “FATF’s crypto travel rule”, to be implemented by countries by June 2020. The new regulation has far-reaching consequences for all cryptocurrency owners and is set to shape the future and destiny of the nascent virtual asset industry.

This article takes a comprehensive look at the new FATF measures, challenges and benefits it poses to the crypto industry, what type of global VASP solution is required, and the latest developments in response around the world.

We also take a brief look at Sygna Bridge, our messaging API that helps VASPs meet their national regulatory requirements as mandated by the FATF Recommendation 16.

2. The FATF’s Recommendation 16- The “Crypto Travel Rule”

What is the Financial Action Task Force (FATF)?

The FATF, established in 1989 by the G7, is the leading Anti-Money-Laundering (AML) and Combating-the-Funding-of-Terrorism (CFT) global authority. It issues non-binding recommendations to its member countries which it monitors and reviews. 

The FATF currently has 39 members that preside over 200 countries and almost every major global financial center. FATF also works closely with 8 regional associate members and 30 observer countries and organizations like the International Monetary Fund (IMF), United Nations (UN) and World Bank. 

The presidency of the FATF rotates annually and this year was held by the United States until 30 June 2019, when it was succeeded by China for 2019/2020.

The FATF’s paragraph 7(b)-R.16 rewrites virtual asset global policy

In February 2019, the FATF caused a ruckus when it introduced a far-reaching new update to its Recommendation 16 in its Interpretive Note to FATF Recommendation 15. The amendment was officially adopted by the FATF’s Public Statement on Virtual Assets and their Providers on June 21, 2019, at its plenary in Orlando, Florida.

A week later, following the crypto industry’s summit in Osaka, the FATF reported to the G20, also in Osaka, and published its June 2019 Guidance, titled A Risk-Based Approach To Virtual Assets and Virtual Asset Service Providers, which brings about a unique set of challenges for both VASPs and countries. 

FATF V20 poster June 2019 Osaka Japan
V20 2019 – Osaka, Japan

Previously, Recommendation 16 only mandated that wire transfers in the traditional finance sector include originator and beneficiary information. The FATF’s updated Standards now require that any VASP (as determined by Recommendation 15 on New Technologies) that transmitted digital funds to another VASP or financial institution should collect and exchange real-name user information with each other and make this available to relevant authorities if prompted.

What does the FATF’s Recommendation 16 say? 

Recommendation 15 Paragraph 7(b) R16 states the following changes pertaining to cryptocurrency transactions:

Countries should ensure that:

“…VASPs obtain and hold required and accurate originator (sender) information and required beneficiary (recipient) information and submit this information to beneficiary institutions… if any.

…beneficiary institutions…obtain and hold required (not necessarily accurate) originator information and required and accurate beneficiary information…”

What information must VASPs share according to the FATF’s Recommendation 16 “Travel Rule”?

Beneficiary and Originator VASP information required by R.16

The originator VASP must share the following sender information with the beneficiary VASP during a transmittal: 

  1. Originator’s name (customer)
  2. Originator account number used to process the transaction
  3. Unique identifiable information such as either a residential address, national identity number or date, and place of birth.

The beneficiary VASP must share the following recipient information with the originator VASP:

  1. Beneficiary name (customer)
  2. Beneficiary account number used to process the transaction

3. What Challenges does FATF Recommendation 16 present to VASPs?

Paragraph 7(b)-R16 might only be a few lines long, but it brings seismic changes to how the cryptocurrency industry will operate and be regulated going forward. 

During the V20 event in June 2019, VASPs raised several issues and challenges in interviews.

Originator and beneficiary VASPs will have to overcome a lack of native ownership attribution features in blockchain technology and find a way to share data with counterparties without breaking privacy laws or compiling inaccurate data. 

They will need to be able to identify each other and distinguish between a VASP and an individual crypto trader and ensure that whatever solution they employ keep cryptocurrency transmittals quick and low-cost despite sizable linguistic, jurisdictional and time zone barriers between VASP counterparts. In addition to this, exchanges will have to minimize the fallout that will come with the expected exodus of libertarian and privacy-concerned users from its platforms in favor of decentralized and (for now) anonymous personal crypto wallets. 

Lastly, VASPs will have to find a way to implement a solution before June 2020 that preferably forms part of a global network that embraces regulatory oversight, remains resilient against security threats and criminal activity and supports crypto-focused law enforcement efforts in local jurisdictions. 

4. How important and necessary is FATF Recommendation 16?

While it may have seemed to the casual observer that very little was done to curb the unbridled growth of cryptocurrencies over the last few years, the reality is quite the opposite. Organizations like the FATF and the U.S.’ Financial Crimes Enforcement Network (FinCEN), Department of Justice (DoJ) and the Securities and Exchange Commission (SEC) have worked hard behind the scenes to devise a cohesive plan that would illuminate and punish money laundering and terrorism funding activities facilitated via cryptocurrencies.

This long game was played for a number of very important reasons:

1) Increasing global adoption of cryptocurrencies

Crypto’s incredible two recent bull runs, the ascent of regulations-flouting private coins and paradigm-shifting proposed stablecoins like Libra have decreased the window of opportunity for regulators to exert their will before unregulated cryptocurrency use reaches a point of no return. 

2) A local AML/CFT standard and framework

Cryptocurrencies have changed the speed with which the digital economy can operate and allows funds to now be transferred cross-border within a very short period. This is forcing the world’s leading regulators to establish a united front across all borders in order to combat criminal crypto activities.

3) R.16 aligns the FATF policy with U.S.’ Bank Secrecy Act 

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) is the leading AML/CFT watchdog in the United States. In May 2019, only a month before the FATF’s June plenary, FinCEN further refined its crypto policy to define VASPs as Money Service Businesses (MSBs). As a result, VASPs now have to comply with the Funds Travel Rule of the U.S. Bank Secrecy Act (BSA).

The FATF’s latest recommendations now essentially extend the U.S. Travel Rule, ubiquitous in traditional banking, to all VASP-intermediated cryptocurrency transactions worldwide.

4) Deterrent against crypto hacks and security threats

While cryptocurrencies are slowly becoming socially accepted, there remains a dark cloud over its security, with good reason. An estimated $4.3 billion in digital assets have already been looted from VASPs and investors within the first half of 2019, driven by exit scams like Quadriga, exchange hacks (Binance) and crypto-stealing malware that facilitates crypto mining, phishing, and cryptojacking. Improved identity measures will create a powerful deterrent against cybercrime and money laundering activities, as they improved the odds of locating and catching the perpetrators. 

5) Black & white markets 

With VASPs’ adoption of the travel rule, cryptocurrencies will eventually likely be divided into 2 camps; namely “white” (clean and vetted) and “black” (unregulated) digital assets. 

Clean assets will receive a clean bill of health from multiple AML and Know-Your-Client (KYC) checks, which will make them more fungible and valuable across both digital and traditional financial markets. 

Non-compliant digital assets might be destined for the black market, where their value is likely to suffer due to concerns about their legality and resale value. 

6) Privacy coin regulation

While Bitcoin still constitutes the vast majority of cryptocurrency used in Darknet transactions, cybercriminals are increasingly using sophisticated “privacy coins” like Monero, Dash, and ZCash to cover their tracks and retain their anonymity. 

As a result, there has been a recent deluge of cybercrimes that surreptitiously mine Monero (XMR) from victims over the Internet. With the FATF’s Travel Rule clearly aimed at deanonymizing privacy coin ownership, VASPs are feeling the pressure, and several leading Asian exchanges have started delisting these virtual assets, making it increasingly harder to freely trade privacy coins. This turn has led some privacy coins like ZCash to cry foul, separate themselves from the pack and justify that they do indeed comply with the FATF’s recommendations. 

7) Stablecoin Regulation

Governments and central banks worldwide are deeply concerned with the destabilizing impact that unregulated stablecoins like Libra could have on the global economy. At their latest plenary in October 2019, the FATF took a dim view and issued the following stern warning:

Emerging assets such as so-called global ‘stablecoins’…could potentially cause a shift in the virtual asset ecosystem… There are two concerns: mass-market adoption of virtual assets and person-to-person transfers, without the need for a regulated intermediary. Together these changes could have serious consequences for our ability to detect and prevent money laundering and terrorist financing. 

8) Deterrent for crypto-using criminals

Most transactions on the Darknet use cryptocurrencies as a payment form. With Recommendation 16, authorities will be significantly more able to reveal the real identities behind illicit transactions, a risk that will discourage many criminals from using crypto as a payment tool. 

9) Law enforcement support

VASPs will likely have to be able to work with law enforcement and produce compliance certificates and transaction records when needed. This will help authorities to target and prosecute criminals and indirectly remove them from the crypto sphere. 

5. How the FATF’s Recommendation 16 impacts countries and VASPs

While the FATF’s Recommendations are legally non-binding, the Financial Action Task Force expects its member countries to adhere to its policy changes through regional implementation. The FATF manages both a graylist and blacklist of non-compliant countries that are published in two documents and reviewed three times a year. 

The FATF’s graylist of high-risk and other monitored jurisdictions

Countries with high-risk AML/CFT policy deficiencies are continuously monitored by the FATF and added to a graylist of countries that are required to improve their systems within a set time frame or risk being demoted to the blacklist. While FATF named 68 countries in 2018 on their graylist, this dropped to only 8 in October 2019. FATF added Mongolia, Iceland and Zimbabwe to its greylist while removing Ethiopia, Sri Lanka and Tunisia in October 2019. Pakistan remains on the verge of being added on the blacklist due to increased terrorism funding and will face the music again on their next review in February 2020. 

These are the current graylisted FATF countries:

  • Botswana
  • Yemen
  • Ghana
  • Zimbabwe
  • Syria
  • Pakistan
  • Mongolia
  • Iceland (recently added)

What is the FATF blacklist?

The FATF has issued its blacklist, officially known as “Non-Cooperative Countries or Territories” (NCCTs) since 2000. Becoming NCCT comes with severe consequences, such as international economic sanctions, trade embargoes, boycotts and refusal of financial aid or loans, and turns your country in a global pariah, as the current blacklisted countries Iran and North Korea have discovered to their detriment. 

How does the R.16 “Travel Rule” Impact VASPS?

The FATF jurisdictions are currently considering and developing various solutions to implement Recommendation 16’s requirements and remain compliant. This means that on a country-level, VASPs will be subjected to higher domestic regulatory pressure and more comprehensive Know-Your-Customer (KYC) standards in order to prove that they’re compliant with FATF’s guidelines. 

VASPs and financial institutions that fail to meet their country’s requirements could expect punitive measures that prohibit them from operating on profitable global markets, opening traditional banking accounts or forces them to shut down altogether, as can already be witnessed in South Korea. 

The impact of cryptocurrency regulations in South Korea

A recent report indicates that 97% of South Korean exchanges are in danger of closing due to tougher local regulations, updated liability in the aftermath of hacks and a lack of cooperation from domestic banks. 

Korean VASPs are now required to share user data with other financial institutions and must open their bank accounts under their legal names at one of six banks. Unfortunately, only 3 of these banks offer these services and restricts it to Korea’s four biggest exchanges, Upbit, Bithumb, Coinone, and Korbit.

This leaves nearly 200 small to mid-sized Korean VASPs out in the cold as they cannot issue real-name virtual accounts to their users. Due to these prohibitive barriers, most South Korean blockchain startups now seek to list on foreign exchanges in the U.S. and other Asian countries.

6. When is the deadline for the FATF’s R.16 Travel Rule?

The FATF has set a 12-month review period for Recommendation 16, which will conclude in June 2020. When this deadline is reached, countries will have to show that they’ve taken the necessary steps to ensure jurisdictional compliance with the regulatory organization’s requirements.

In the interim, the Financial Action Task Force has scheduled meetings for the remainder of the 2019/2020 year, most of which involve regional FATF organizations. The FATF’s next plenary, FATF Plenary and Working Group Meetings, will be held on 16-21 February 2020 in Paris. This will be followed by their annual Private Sector Consultative Forum (4-8 May 2020) and conclude with their final plenary on June 21-26, 2020.

7. What would the ideal Recommendation 16 solution look like?

With roughly 8 months remaining till the FATF Rec.16 Travel Rule deadline, VASPs have their work cut out, needing to source a solution, do sandbox development and testing, conduct a live pilot trial and do a full audit on whether their new FATF compliance mechanism meets the necessary local jurisdictional regulatory requirements. Moreover, any solution will likely have to be adopted by a network of exchanges in order to make it cost-efficient and practical. 

 As a result, the chief compliance officers (CCO’s) of the world’s leading crypto exchanges have been in discussion with each other to identify what shape an ideal solution will take and which requirements it would have to fulfill. While earlier proposals like X509 security certificates generated substantial initial interest, data privacy concerns and legislation lead to more questions than answers. 

During the FATF’s V20 conference in June 2019, compliance leaders discussed various R.16 criteria that a solution should meet, to which we’ve added a few: 

10 Requirements for a FATF R.16 Travel Rule solution

  1. It should minimize the regulatory impact and avoid adoption barriers, by being quick and painless to integrate. 
  2. It should be affordable to implement and ideally open-source and/or non-profit, in order to accommodate smaller VASPs and keep technological innovation alive. 
  3. It should establish a global standard for virtual asset transmittals that can be used by all VASPs and applies to all virtual assets. 
  4. It should adhere to regulatory parameters, be adaptable to regional frameworks and be flexible enough to accommodate future regulations.
  5. It should have a timely implementation with VASP platforms, completed before June 2020.
  6. It should complement law enforcement activities to build cases against money launderers, terrorists and other serious financial crime suspects. 
  7. It should generate reliable data by verifying the integrity of shared information.
  8. It should proactively detect suspicious activities and the true origin of incoming transmittals. 
  9. It should be scalable, maintainable and reliable, around the clock.
  10. It should garner significant industry support and widespread VASP adoption.

Firstly an accurate global database of VASPs has to be compiled by a non-profit membership body that’s preferably based on neutral ground in Switzerland.

VASPs will then be able to register in their own countries and receive a SWIFT-like identification code to use during transmittals. The VASP code databases of each country will be uploaded to a global directory of virtual asset exchanges, in order to connect all compliant exchanges.

Next, VASPs would have to collect beneficiary data, mainly the VASP code and name, after which it’s finally screened for accuracy and then remitted to the originator in the third and final step.

8. How are countries and VASPs responding to Recommendation 16?

Cryptocurrency evokes mixed feelings with national regulators around the world, with some countries like China and India banning it outright and others like the United Kingdom proclaiming its virtues and leading the way to its global mass adoption. This August 2019 report offers an exhaustive list of regulatory sentiments around the world. 

The FATF member countries and jurisdictions are currently considering proposals and solutions to implement Recommendation 16’s requirements. Policymakers are working in tandem with regional associate FATF member organizations such as the Asia/Pacific Group on Money Laundering (APG), Caribbean Financial Action Task Force (CFATF), Council of Europe Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL) , Eurasian Group (EAG) Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG), Financial Action Task Force of Latin America (GAFILAT) and Middle East and North Africa Financial Action Task Force (MENAFATF).

Some blockchain tracking and security companies have entered into an arms race to introduce a global Travel Rule solution that will connect VASPs globally. CipherTrace, Shyft, and Netki have all drawn considerable recent praise and criticism for their proposed solutions. 

Japan leads the world in regulatory compliance

However, it is in Japan, the most regulated country for cryptocurrencies in the world, where arguably the most gains are being made.

The country’s Financial Services Agency (FSA) now issues only a handful of virtual currency licenses, which forces Japanese exchanges to implement rigorous KYC systems in order to be eligible. 

Most notably, major exchange Coincheck has made a remarkable turnaround after getting hacked for $530 million dollars in January 2018. Under new ownership and management, Coincheck has since implemented cutting-edge internal controls and compliance checks and was finally awarded an exchange license by the FSA in January 2019, only 12 months after its devastating breach. 

The FSA has also started a year-long piloting program that allows a handful of Japanese VASPs to trial different solutions and protocols that aim to help digital exchanges comply with Regulation 16 and other local requirements. 

For example, Japanese digital exchange giant SBI VC Trade launched a customized hardware wallet solution in August 2019. Created by Taiwan’s CoolBitX, the cold storage wallet enables compliant crypto withdrawals only after the completion of a multi-layered KYC process. SBI is currently developing and testing a groundbreaking new Travel Rule solution with CoolBitX called Sygna Bridge. 

9. Introducing Sygna Bridge- a compliant R.16 messaging service

Sygna Bridge is a simple and low-cost API messaging service that helps VASPs meet their national regulatory requirements as mandated by the FATF Rec. 16.

Sygna Bridge acts as a compliance layer and global database for all virtual asset service providers, without collecting or accessing any private data. It works with all virtual assets. The easy-to-integrate API creates an encrypted and private communication tunnel between VASP counterparts to share originator and beneficiary data for any virtual asset transaction.

Each VASP in the network is issued a unique identity shortcode after passing a compliance check, which helps exchanges to identify each other when transacting, verify the origin of transactions and choose whether to accept or reject any incoming transmittals. The process is automated and every message sent between VASPs is paired with a corresponding signature to ensure data integrity.

Sygna Bridge’s technology is considered unique as it connects VASPs with minimum disruptions to their business model at a very low cost, and provides the highest security standards for connections in HTTPs SSL certificates, API key and private data encryption. 

To find out more about this innovative Recommendation 16 network for VASPs, please contact [email protected].

Written by Werner Vermaak

Why Regulations Will Benefit the Crypto Industry in the Long Run