The travel rule: new compliance guidance for cryptocurrency exchanges

Following the dramatic rise in investment in cryptocurrencies and Bitcoin over the last few years, regulators are now setting their sights on this dynamic, rapidly evolving corner of the financial services industry. So much so that the Financial Action Task Force (FATF), an independent inter-governmental body that develops and promotes Anti-Money Laundering (AML) and Know Your Customer (KYC), has published guidance on how its 37 members should regulate cryptocurrency exchanges.

While many in the industry welcome regulatory oversight, as it provides clarity and certainty for both investors and operators, one piece of guidance — Recommendation 16 — has caused significant controversy. The so-called travel rule requires “obligations to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities.”

The FATF doesn’t refer to this recommendation as the travel rule. But it has a striking similarity to an earlier Bank Secrecy Act (BSA) rule [31 CFR 103.33(g)] with that moniker, which requires all financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution.

Note that these obligations are reliant on member countries implementing the rules into their laws or regulations; the FATF does not have any direct enforcement mechanisms. However, the FATF does carry significant moral authority, as no member wants to be seen as contributing to money laundering and international crime. It seems just a matter of time before the travel rule for cryptocurrencies becomes enshrined in laws and regulations in the major economies around the world.

In that case, the rules will apply to virtual asset service providers such as cryptocurrency exchanges, transfer services, custodial or host wallet providers and other possible business models. They suggest a threshold limit of $1,000 or €1,000 to be in line with regulations covering wire transfers, but this limit will depend on specific country requirements.

A new legal environment for cryptoassets

Unlike banks, cryptocurrency exchanges don’t currently have a legal or technological framework to obtain, hold and transmit identifying information of both parties of the transaction. On the legal side, while there has been progress in various jurisdictions regarding policy and regulatory approach to cryptoassets, there’s no global consensus or cross-border clarity. Exchanges operating in different countries could have widely different regulatory expectations.

While some cheer for clear legal standards, others think they are anathema to distributed ledger technologies, where the original concept is to exchange tokens without any need for third-party oversight. Many enthusiasts point to the fact that cryptocurrencies don’t need banks, governments or other organizations as their defining feature, making them a bastion of privacy and sovereignty.

The ability to obscure transactions is what’s prompting the FATF and regulators to demand insight and oversight for virtual assets. Cryptocurrencies have been used to launder money, transmit funds for illegal activities and otherwise circumvent financial controls, and governments are trying to close that loophole.

An unknown technology frontier

As the industry grapples with ensuring a fair and transparent exchange, rapidly onboarding customers, complying with all relevant regulations and many other issues of developing a new financial marketplace, the travel rule is a whole other level of technology.

Processes on verifying information, securing this information and safeguarding this information between only the specific parties will need to be addressed. In this era of data breaches and robust data privacy laws, coming up with a new framework that satisfies all requirements is a unique challenge.

Even more problematic is the decentralized nature of cryptocurrency. Virtual currencies operate across borders and systems, and there are numerous technologies and channels for transactions. Virtual wallets, P2P exchanges, cryptocurrency kiosks, dapps (decentralized applications), ICOs, internet casinos and multi-sig wallets (multiple signature) are among some of the technologies that require consideration.

Historically, there has been very little synchronization or coordination between these different cryptocurrency systems. They will now have to work together to create interrelationships and/or technology that works for all parties — and quickly. The FATF has asked for a report by June 2020 to check on progress.

Regulators already taking action

Although the guidelines were only published in June 2019, many jurisdictions already have regulations in place to comply, or soon will.

In the U.S., FinCEN ruled that the previous existing travel rule requirements do apply to cryptocurrency exchanges. Switzerland’s Financial Market Supervisory Authority (FINMA) released guidance on August 26 that says, in part:

“No system currently exists at either a national or an international level (such as, for example, SWIFT for interbank transfers) for reliably transferring identification data for payment transactions on the blockchain. Neither are bilateral agreements between individual service providers in existence to date.”

However, it’s not necessary that the identity information transfer be on the blockchain, as “the provision must be interpreted in a technology-neutral way.” Payment transfers, whether by bank transfer, blockchain or other method, should be treated the same and face the same AML/KYC laws. Other payment channels can comply with this requirement, so FINMA “expects information about the client and the beneficiary to be transmitted with token transfers in the same way as for bank transfers.”

Under Recommendation 16, all virtual asset service providers will be required to provide the originator’s details (name, account number, physical address or national identity number) and the beneficiary’s information (name and account number).

Cryptocurrency exchanges will be well served to examine the existing AML/KYC regulations and ensure their compliance with those requirements. Additionally, if they are not currently meeting Recommendation 16 requirements, they should anticipate that they will soon need to.

Steps taken to facilitate compliance with these requirements will help the cryptocurrency industry transition to the new regulatory regime, improve the perception of trust with regulators and customers, enable better cross-border procedures and help develop a thriving industry ecosystem.