Most of the conversation around Travel Rule recommendations for cryptocurrency transactions has focused on two aspects of what is required to help prevent money laundering and other financial crimes.
Firstly, the information about counterparties to a transaction that must be transmitted. Secondly, the requirements for VASPs who originate, transmit, and settle virtual transactions.
When considering solutions that deliver on Travel Rule requirements, however, the ability for regulators to carry out effective oversight must also become a priority. VASPs must be aware that regulatory oversight is coming and know what they should expect as the minimum in order to maintain full audit trails of compliant transactions.
In the Travel Rule recommendations, the FATF recognised the need for the appropriate supervision. Simply put, regulators need tools that give them the ability to supervise and monitor VASP activities appropriately.
Because of the transparent nature of blockchain transactions, this audit trail can and should include the wallet addresses that are involved and the “fingerprint” of data transfer (timestamp, owner, and verified content) from originator to beneficiary and each step in between.
In other words, the compliance framework must be consistent with that applied to a traditional regulated financial service provider processing payments and funds transfers.
Such audit capabilities are essential to the success of any Travel Rule implementation which is why we made them an integral part of Coinfirm’s All-in-One Travel Rule solution.
The Expectations of VASPs
In our view, VASPs must be licensed at the jurisdiction level and be subject to supervision and monitoring by competent national authorities rather than be self-regulating. Jurisdictions must also implement penalties, sanctions, and other enforcement measures when service providers fail to comply with their Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) obligations.
This regulatory control hinges on effective oversight. With Coinfirm’s solution, the wallet data available to regulators includes address profile/owner, risk score, and around 300 risk assessments along with further behavioral and risk analysis data. The audit trail displays data container names, document hashes, and document custody information.
Regulators must also be able to expect VASPs to do the following and be able to demonstrate compliance by providing a full audit trail:
The key to meeting regulatory expectations effectively and efficiently is taking a Risk-Based Approach. Even for the largest VASPs, time and resources are limited. It is impossible to scrutinize each transaction. In fact, that level of scrutiny is not even necessary.
The Key Balance of Risk
The Risk-Based Approach focuses on proportionate responses to managing financial crime risks based on characteristics such as:
VASPs and regulators should be able to view this information delivered via an easy-to-use and comprehensive platform, allowing overall monitoring as well as the ability to drill down into specific wallets and transactions.
By defining risk characteristics and profiles in this way, VASPs can meet regulatory requirements without an extreme strain on resources. They can also demonstrate how their risk assessment policies and procedures are used to flag suspicious activity, and ultimately validate how their AML/CFT compliance and risk management program is adequate to meet the regulatory requirements.
But how do we get there from where we are today?
A Question of Timing
As various jurisdictions draft and then implement their own regulatory frameworks in line with Travel Rule recommendations, they should be mindful of the degree of oversight and control available to them. The FATF continues to be engaged in discussions, but many countries have yet to legislate solutions or put them into practice.
Given that this will likely take some time, some countries may hesitate. They want to avoid creating a regulatory “disadvantage” that inhibits VASPs from operating and innovating. As a result, they have taken a more wait-and-see approach to monitor the development of solutions. Among these, we would include the United Kingdom and, to an extent, Japan.
Other authorities, most notably FINCEN in the U.S., have taken the view that requirements equivalent to the Travel Rule requirements have been in place for many years. They have quickly applied them to Virtual Assets, at the risk of creating difficulties such as removing decentralization and other core benefits of cryptocurrency.
There is a happy medium between inaction and premature, aggressive requirements. Others take the more pragmatic stance that adoption and implementation is a question of time, bringing government authorities, banks, VASPs, and industry groups together to try to begin to offer services and solutions.
In our view, this deliberate approach, combined with a pragmatic view of risk-based transaction monitoring, strikes the right balance for VASPs and regulators. Critically, it helps avoid the risk of unintentionally becoming a haven for illicit financial activity via crypto, while at the same time leaving the door open to the right level of innovation and openness to an evolving virtual asset economy.