Most of the conversation around Travel Rule recommendations for cryptocurrency transactions has focused on two aspects of what is required to help prevent money laundering and other financial crimes.
Firstly, the information about counterparties to a transaction that must be transmitted. Secondly, the requirements for VASPs who originate, transmit, and settle virtual transactions.
When considering solutions that deliver on Travel Rule requirements, however, the ability for regulators to carry out effective oversight must also become a priority. VASPs must be aware that regulatory oversight is coming and know what they should expect as the minimum in order to maintain full audit trails of compliant transactions.
In the Travel Rule recommendations, the FATF recognised the need for the appropriate supervision. Simply put, regulators need tools that give them the ability to supervise and monitor VASP activities appropriately.
Because of the transparent nature of blockchain transactions, this audit trail can and should include the wallet addresses that are involved and the “fingerprint” of data transfer (timestamp, owner, and verified content) from originator to beneficiary and each step in between.
In other words, the compliance framework must be consistent with that applied to a traditional regulated financial service provider processing payments and funds transfers.
Such audit capabilities are essential to the success of any Travel Rule implementation which is why we made them an integral part of Coinfirm’s All-in-One Travel Rule solution.
The Expectations of VASPs
In our view, VASPs must be licensed at the jurisdiction level and be subject to supervision and monitoring by competent national authorities rather than be self-regulating. Jurisdictions must also implement penalties, sanctions, and other enforcement measures when service providers fail to comply with their Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) obligations.
This regulatory control hinges on effective oversight. With Coinfirm’s solution, the wallet data available to regulators includes address profile/owner, risk score, and around 300 risk assessments along with further behavioral and risk analysis data. The audit trail displays data container names, document hashes, and document custody information.
Regulators must also be able to expect VASPs to do the following and be able to demonstrate compliance by providing a full audit trail:
- Freeze transactions where applicable. Transaction freezes apply to transactions involving designated persons or locations in line with local and international sanctions lists. They also apply to other regulatory scenarios, such as transactions involving Politically Exposed Persons.
- Manage and mitigate the risks of activities that involve anonymity-enhancing technologies or mechanisms. Within the world of crypto transactions, these include mixers, tumblers, and other similar technologies that bundle together transactions as a way to obfuscate the identity of the sender, recipient, holder, or beneficial owner of a Virtual Asset.
- Flag unusual or suspicious movements of funds or transactions for further analysis. As obliged entities, VASPs should have appropriate systems so that they can scrutinise such funds or transactions in a timely manner and make a determination whether funds or transactions are suspicious.
- Report suspicious funds or transactions. Such suspicious activities would include those involving or relating to wallets or providers (either VASPs or unregistered providers), escalating them as warranted to a jurisdiction’s financial intelligence unit. Reporting must be prompt, sufficient, and delivered in the manner specified by competent authorities.
- Create and make available a list of blacklisted wallet addresses. If a VASP uncovers VA addresses that it has decided not to establish or continue business relations with or transact with due to suspicions of money laundering, terrorist financing, or other illicit activity, subject to the laws of the VASP’s jurisdiction. In turn, VASPs should screen customer and counterparty wallet addresses against available blacklisted wallet addresses as part of its ongoing monitoring and mitigation processes.
The key to meeting regulatory expectations effectively and efficiently is taking a Risk-Based Approach. Even for the largest VASPs, time and resources are limited. It is impossible to scrutinize each transaction. In fact, that level of scrutiny is not even necessary.
The Key Balance of Risk
The Risk-Based Approach focuses on proportionate responses to managing financial crime risks based on characteristics such as:
- Customer
- Jurisdiction of the originator or beneficiary
- Product or service
- Transaction amount or variance from past behavior
- Channel of delivery (e.g., non-face-to-face or anonymous)
VASPs and regulators should be able to view this information delivered via an easy-to-use and comprehensive platform, allowing overall monitoring as well as the ability to drill down into specific wallets and transactions.
By defining risk characteristics and profiles in this way, VASPs can meet regulatory requirements without an extreme strain on resources. They can also demonstrate how their risk assessment policies and procedures are used to flag suspicious activity, and ultimately validate how their AML/CFT compliance and risk management program is adequate to meet the regulatory requirements.
But how do we get there from where we are today?
A Question of Timing
As various jurisdictions draft and then implement their own regulatory frameworks in line with Travel Rule recommendations, they should be mindful of the degree of oversight and control available to them. The FATF continues to be engaged in discussions, but many countries have yet to legislate solutions or put them into practice.
Given that this will likely take some time, some countries may hesitate. They want to avoid creating a regulatory “disadvantage” that inhibits VASPs from operating and innovating. As a result, they have taken a more wait-and-see approach to monitor the development of solutions. Among these, we would include the United Kingdom and, to an extent, Japan.
Other authorities, most notably FINCEN in the U.S., have taken the view that requirements equivalent to the Travel Rule requirements have been in place for many years. They have quickly applied them to Virtual Assets, at the risk of creating difficulties such as removing decentralization and other core benefits of cryptocurrency.
There is a happy medium between inaction and premature, aggressive requirements. Others take the more pragmatic stance that adoption and implementation is a question of time, bringing government authorities, banks, VASPs, and industry groups together to try to begin to offer services and solutions.
In our view, this deliberate approach, combined with a pragmatic view of risk-based transaction monitoring, strikes the right balance for VASPs and regulators. Critically, it helps avoid the risk of unintentionally becoming a haven for illicit financial activity via crypto, while at the same time leaving the door open to the right level of innovation and openness to an evolving virtual asset economy.
