Policy & Regulation

How Cryptocurrency Businesses Can Start Complying with  FATF Recommendations and the Travel Rule Today

Since the Financial Action Task Force (FATF) announced regulatory guidance in June 2019, the cryptocurrency industry has been eager to identify a solution that would allow them to comply with Recommendation 16, which mirrors the Travel Rule in the United States.

The industry is right to take this seriously. As Kenneth Blanco, the director of the Financial Crimes Enforcement Network (FinCEN), recently said: “You have to make sure that you comply with the law first and then you can execute and get to market … if you can’t comply with your BSA [Bank Secrecy Act] (including the Travel Rule), you’re going to have a problem.”

The good news is most cryptocurrency businesses are already positioned to achieve two-thirds of what is asked by the Travel Rule and FATF’s global regulatory guidance right now, and the final third can be achieved with a simple, lightweight procedural and technical framework that the industry can leverage immediately, either on their own or with the help of partners.

Core Components of Compliance

FATF’s Recommendation 16 requires Virtual Asset Service Providers (VASPs, which includes cryptocurrency exchanges) not only to verify their customers’ identities, but also to identify the originators and beneficiaries of transfers over 1,000 USD/EUR and transfer that information to their VASP counterparty, where one exists. (The BSA Travel Rule is essentially the same, but the threshold is 3,000 USD.). This also requires identification and verification of VASP counterparties.  While each FATF jurisdiction will implement their own versions, the standards should be no less than the FATF principles.

The steps to comply with this requirement can be summarized into three core steps, none of which require a single technical or governance solution to be globally agreed upon and adopted.

  1. Collection: Most cryptocurrency businesses already perform Know Your Customer (KYC) processes and can prompt users for extra collection on beneficiary / originator information when they have identified users withdrawing funds over the obligated threshold. This, in turn, streamlines step two.
  2. Identification of obligated transactions and systemic abuse: VASPs should develop a policy to identify obligated transactions and patterns of systemic abuse if they have not already. To do so, they can leverage self-reported and Chainalysis KYT (Know Your Transaction) data to identify these transactions as well as verify that the counterparty is a VASP.
  3. Transmission: Multiple viable means of secure transmission have been proposed, any number of which appear to work with this system.

Let’s look more closely at what cryptocurrency businesses need to do to complete each step.

Step 1: Collection

Many cryptocurrency businesses already collect KYC information on their customers, such as full names, residence addresses, citizenships, birth dates, photos of government issued IDs, social security numbers, tax identification, bank statements, utility bills, and photos of bank cards. Not only does this ensure compliance with the BSA and FATF recommendation 16, it can also be critical to law enforcement agencies in investigations into crimes such as money laundering, terrorism financing, drug trafficking, and the distribution of child abuse material.

In order to comply with Recommendation 16, VASPs can and should ask users sending amounts above the 1000 USD/EUR threshold if the transaction is going to another VASP. This could be entered in a text field or done through a dropdown that pulls from a database of VASPs.

Step 2: Identification of obligated transactions and systemic abuse

VASPs are required to monitor for systematic abuse. They may do so using Chainalysis KYT (Know your Transaction), or another blockchain analysis product that is capable of identifying whether or not a transaction is above the 1000 USD/EUR and is being sent to a VASP. In addition, Chainalysis KYT can validate the receiving entity, preventing potential customer abuse and circumvention of the requirement through false self-identification. This is important because transmission to the wrong vendor could result in data protection/data privacy violations.

Some VASPs may want to rely on their own systems to identify these transactions. This is their choice, but they should be prepared to show regulators how they ensure their systems are adequate for the task. In addition to using a product like Chainalysis KYT, compliance departments should ensure they know their users and execute proper enhanced due diligence / customer due diligence (EDD/CDD). Additionally, transaction patterns on-chain may not indicate abuse on its own, but when married with Know Your Customer (KYC) information, it may tell a different story.

Step 3: Transmission

VASPs may choose to transmit the required data through a variety of methods ranging from daily secure emails to real-time protocols with defined interfaces. Some VASPs may choose to define their own endpoint and protocol for communication between parties. Others may choose to rely on a third-party that provides the infrastructure and protocol to transmit. Eventually, there may be global consensus on a single protocol for transmission. However, VASPs should take action now rather than wait for what could be a long process for global consensus.

The industry needs a simple framework and set of resources that any VASP can use to guide itself towards compliance according to its own timeline and jurisdictional requirements. VASPs can start fulfilling the Travel Rule and FATF requirements today either through their own devices or with some assistance from third-parties willing to provide technology and assistance. Many different stakeholders and working groups have presented solutions ranging from highly-centralized transmission architectures to decentralized networks for sharing encrypted information. Our position is that the first two steps are the most critical to the substantive principles of the Travel Rule and Recommendation 16, and that there is flexibility to executing the third step, in line with the diverse actors in the cryptocurrency ecosystem.

This approach shows that Travel Rule and Recommendation 16 requirements can be implemented with greater immediacy and less impact on the individual organization or to the industry as a whole than many may realize. And, importantly, this approach is risk-based, which is a core tenant of successful overall AML compliance in the eyes of FATF, FinCEN, and local regulators.

Meaningful steps to achieving the principles of the Travel Rule and Recommendation 16 can be taken now to reduce risk and build trust in blockchains, growing the ecosystem through integrity.