What is the Crypto Travel Rule? (2024)

The Crypto Travel Rule requires virtual asset service providers (VASPs) like banks, exchanges, custodial solutions, and financial service providers to identify and share the origins and destinations of crypto transactions above a specific threshold. Mandated by the Financial Action Task Force (FATF) in 2019, this rule aims to combat money laundering and illicit activities.

The FATF, a global anti-money laundering (AML) authority, mandates the Crypto Travel Rule. In 2019, the FATF expanded its guidelines to include virtual assets and VASPs. Since then, companies dealing with cryptocurrency and DeFi must adhere to stricter regulations, known as Recommendation 16 or the “Travel Rule,” which is part of FATF’s 40 Recommendations.

Initially adopted in 2016 and updated again in 2021, the Crypto Travel Rule applies to businesses handling crypto transactions. It requires VASPs and financial institutions involved in VA transfers to share transaction details, including sender and receiver information, above a specified threshold to combat money laundering and illicit activities.

Different countries use various terms other than VASP for crypto service providers, such as the European Union’s Crypto Asset Service Providers (CASPs) and Money Services Businesses (MSBs). The common reporting transaction threshold is $1,000, though it’s $3,000 in the United States.

To avoid extra scrutiny or potential rejection, businesses must comply with the Crypto Travel Rule. Regular crypto users are also required to disclose their identity to exchanges and service providers. Therefore, it’s essential for businesses to fully understand and comply with these regulations regarding crypto assets.

‍

Understanding the Original FinCEN Travel Rule

In a publication published in January 1996, the Financial Crimes Enforcement Network (FinCEN) Advisory presented the original Travel Rule:

A Bank Secrecy Act (BSA) rule [31 CFR 103.33(g)]—often called the “Travel Rule”—requires all financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution. (FinCEN 1997)

In 2019, the FATF updated its recommendations to extend them, including the Travel Rule, to virtual assets (VAs) and VA service providers (VASPs). Individuals who work in crypto and DeFi must understand and abide by these regulatory regimes. Though compliance may feel burdensome, the regulations are designed to prevent transactions with profound national security consequences.

Since the second half of 2019, several countries — including Germany, Singapore, Switzerland, Canada, the United States, South Africa, the Netherlands, and Estonia, among others — have adopted or introduced legislation that mirrors these FATF-driven AML compliance obligations in almost every aspect.
‍

What are the FATF Travel Rule Requirements?

The Travel Rule established by FATF) mandates that financial institutions share certain information about the originator and beneficiary of wire transfers and other similar types of payments. This rule is designed to prevent money laundering and terrorist financing by ensuring transparency in financial transactions. Here are the key requirements:

Key requirements for traditional financial institutions:

Information Collection:
- Originator Information:
  - Name
  - Account number (or unique reference number if no account exists),
  - Physical address
  - National identity number,
    Customer identification number, or date and place of birth.
- Beneficiary Information:
  - Name
  - Account number (or unique reference number).
Information Transmission
- The collected information must be transmitted to the receiving financial institution along with the transfer of funds.
Record Keeping
- Financial institutions must keep records of the information collected and transmitted for a minimum period (typically five years).
Compliance and Reporting:
- Institutions must have policies and procedures in place to comply with the Travel Rule.
- Any suspicious transactions must be reported to relevant authorities.

Key requirements for virtual asset service providers (VASPs, aka CASPs, or MSBs):

Information Collection and Transmission:
- Similar requirements as traditional financial institutions, collecting and transmitting originator and beneficiary information for virtual asset transfers.
Record Keeping:
- Maintain records of the information collected and transmitted for a specified period.
Compliance Programs:
- Implement effective compliance programs to adhere to the Travel Rule requirements, including risk-based measures to identify and mitigate risks.

How does the Travel Rule apply to crypto assets & virtual assets providers?

The Travel Rule for crypto assets states that any crypto transaction that crosses a certain threshold must be accompanied by the personal information of the customer. Additionally, VASPs must sanction screen the counterparty customer, and perform due diligence on the counterparty VASP. Crypto and DeFi businesses must take time to understand and prepare to abide by these regulations or run the risk of losing their operational licenses.

What is the Travel Rule threshold?

The threshold for the Travel Rule, as established by the FATF, typically requires financial institutions to collect and share information on transactions that are above a specified monetary amount. Here's a detailed look at the threshold requirements:

Threshold amount for traditional financial institutions

Threshold Amount: The Travel Rule applies to wire transfers and other similar payment methods when the amount is USD 1,000 or more (or the equivalent in other currencies).
Aggregated Transactions: If multiple smaller transactions that appear to be linked total USD 1,000 or more, the Travel Rule requirements apply.

Threshold Amount for VASPs, aka CASPs, aka MSBs

Threshold Amount: For virtual asset transactions, the FATF recommends a threshold of USD 1,000 (or EUR 1,000).
Aggregated Transactions: Similar to traditional financial institutions, if smaller virtual asset transactions that appear to be linked total USD 1,000 or more, the Travel Rule requirements must be followed.

Information required when threshold is met

When the threshold is met, the following information must be collected and transmitted:

Originator Information:

Name
Account number (or unique transaction reference)
Address, national identity number, customer identification number, or date and place of birth

Beneficiary Information:

Name
Account number (or unique transaction reference)

Key Points

Due Diligence: Even for transactions below the threshold, financial institutions and VASPs should conduct due diligence if there are suspicions of money laundering or terrorist financing.
Regulatory Variations: Different jurisdictions may have varying implementations and additional requirements, so it's important to be aware of local regulations.

Example Scenarios

Single Transaction: A single wire transfer of USD 1,200 would require the collection and transmission of the specified information.
Multiple Linked Transactions: Multiple transactions of USD 300 each, sent in quick succession and appearing to be linked, would also trigger the Travel Rule if their total exceeds USD 1,000.

The Travel Rule threshold ensures that significant transactions are monitored for compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, contributing to global financial transparency and security.

‍

What is a Travel Rule data transfer?

All Travel Rule-regulated transactions must be accompanied by the customer’s and beneficiary’s personally identifiable information (PII). At Notabene, we call these messages Travel Rule data transfers. ‍

Is there a standard for data included in Travel Rule data transfers?

Naturally, a few questions arise when dealing with the exchange of customer PII:

What information should be exchanged?
In what format?
What happens when a VASP receives customer names formatted with different character sets than their systems are accustomed to?

The IVMS101 messaging standard, created by the Joint Working Group on interVASP Messaging Standards (interVASP n.d.), defines a standardized customer record data model for transmitting originator and beneficiary information. The FATF and critical regulators such as FinCEN, the Monetary Authority of Singapore (MAS), the United Kingdom’s Financial Conduct Authority (FCA), and Japan’s Financial Services Agency (JFSA) were kept informed during the development of IVMS101.

Requesting workflow using IVMS 101

To request a transfer, there must be a workflow that enables exchange of information and ultimately authorizes a transfer.

Exchanging Required Customer PII using IVMS 101

To exchange customer information through the industry-standard Travel Rule messaging protocol, it is essential to:

Verify that the recipient counterparty VASP is correct
Ensure the data doesn’t leak
Leverage several intermediary service providers

‍

Trust framework for VASPs and other Financial Institutions

One of the most significant problems in this space is knowing your counterparty VASP. Some questions you can ask to determine the trustworthiness of other VASPs and financial institutions (FIs) include:

Where are they incorporated?
Are they regulated?
What are their know-your-customer (KYC) policies?
Do they have a robust KYC/AML process? Which third-party services do they use for KYC/AML?
What are their data privacy rules (and which regulation ensures them)?
Who else trusts them?
How can I verify that a request belongs to them?
How can I verify I am sending a request to them (rather than an imposter)?

‍

A Risk-Based Approach to Trusting Correspondent VASPs

When implementing the Travel Rule, trust is imperative for VASP interaction. VASPs send their customers’ data and rely on their counterparties to do an excellent job KYC-ing their customers. While it is your counterparty’s responsibility to perform KYC on their customer, it is originator VASP’s responsibility to determine whether their counterparty’s KYC processes are robust.

The FATF recommends performing due diligence on counterparties like a bank would while creating a correspondent banking relationship.

FATF’s initial guidance states:

Recommendation 13 stipulates that countries should require FIs to apply certain other obligations in addition to performing normal CDD measures when they engage in cross-border correspondent relationships. Separate and apart from traditional FIs that may engage in covered VA activities and for which all of the measures of Recommendation 13 already apply, some other business relationships or covered VA activities in the VASP sector may have characteristics similar to cross-border correspondent banking relationships.
INR. 13 stipulates that for correspondent banking and other similar cross-border relationships, FIs should apply criteria (a) to (e) of Recommendation 13, in addition to performing normal CDD measures. “Other similar relationships” includes money or value transfer services (MVTS) when MVTS providers act as intermediaries for other MVTS providers or where an MVTS provider accesses banking or similar services through the account of another MVTS customer of the bank (see 2016 FATF Guidance on Correspondent Banking Relationships).
(FATF Initial Guidance, 2019, para. 105)

‍

The FATF emphasizes that VASPs should establish a rigorous due diligence process to choose which VASP they wish to engage with. Even after conducting successful due diligence, this information should be continuously integrated into the ongoing AML process for approving or denying transactions.

‍

FATF’s counterparty due diligence recommendations

FATF acknowledges that conducting counterparty VASP due diligence in a timely and secure manner is a challenge, and has provided guidance on how counterparty due diligence could be undertaken:

Perform due diligence on the counterparty VASP.
Know where their business is registered.
Know their licensing status with their local financial regulator.
Know the ultimate beneficial owners.
Establish whether any of the ultimate beneficial owners are politically exposed persons or on a sanctions list.
Investigate and approve of your counterparty’s KYC/AML processes.
Ensure that both parties understand their responsibilities with regard to the Travel Rule.
Approve the senior management of the VASP before accepting a relationship.

‍

As required by paragraph 6 of INR.15 countries should also have sanctions in place for VASPs and other obligated entities that engage in VA activities but don't meet their AML/CTF requirements. (FATF 2021, 108)

How do I Send Travel Rule Data Transfers With Notabene?

By signing up for Notabene’s VASP Network, clients are enrolled in Notabene’s free Sunrise Plan. Sunrise users can receive and respond to unlimited Travel Rule data transfers and send transfers up to USD 10,000.00 per month to any of their counterparties — regardless of which Travel Rule solution they use.

How Does Notabene’s Travel Rule Solution Support VASP Due Diligence?

We have incorporated the industry-standard VASP due diligence questionnaire into our client Dashboard.

Global Digital Finance, an industry association accelerating digital finance through adopting best practices and standards and engagement with regulators and policymakers, created a VASP-to-VASP due diligence questionnaire based on the Wolfsberg Correspondent Banking Due Diligence Questionnaire (CBDDQ.)

‍

‍

If implemented as industry standard, the CBDDQ could facilitate Travel Rule compliance. Additionally, Notabene’s VASP Network includes the licensing and registration information on 500+ VASPs.

How to access the Due Diligence Questionnaire (DDQ)

Create a free Notabene account
Navigate to the ‘My Company’ tab.
Scroll down to ‘Counterparty Due Diligence.'
You can either ‘Complete, Edit, or View DDQ.’