Central Bank Digital Currency: the Future or…
The Travel Rule marks a major change when it comes to virtual asset compliance and may fundamentally alter how Virtual Asset Service Providers (“VASPs”) operate in the future. To prepare, Crypto exchanges must apply a risk-based approach, in addition to having clearly defined policies.
On March 15, 2019 at a Blockchain Symposium, FinCEN’s Director Kenneth A. Blanco made an announcement on the Travel Rule: “It applies to (Convertible Virtual Currency) CVC and we expect you to comply, period”. He added that “FinCEN, through delegated examiners at the Internal Revenue Service (“IRS”), has been conducting examinations that include compliance with the Funds Travel Rule since 2014. In fact, to date it is the most commonly cited violation by the IRS against MSBs engaged in CVC money transmission”.
Mr. Blanco’s comments followed FinCEN’s release, in May 2019, of its long-awaited guidance on the application of existing Anti-Money Laundering (“AML”) rules, including the Travel Rule, to virtual currency businesses.
Further, during its June 2019 plenary, the Financial Action Task Force (‘FATF”), the G20’s financial crimes watchdog, issued FATF Recommendation 16 requiring Virtual Asset Service Providers (“VASPs”) to share Personal Identifiable Information (“PII”) and Know-your-customer (“KYC”) data between transacting sender and receiver users before executing the transaction. VASPS include Cryptocurrency Exchanges, Bitcoin ATMs and Custody Providers.
The AML Act of 2020 broadens the definition of “financial institution” under the BSA to now include businesses that exchange or engage in the transmission of cryptocurrency. For almost a decade, FinCEN has been clarifying which cryptocurrency business models qualify as Money Transmitters and as such must follow the Travel Rule. In 2011, FinCEN issued a final rule stating that Money Transmitters are “persons accepting and transmitting value that substitutes for currency”, such as CVCs. Following that statement, in 2013 FinCEN issued Guidance on Virtual Currencies and Regulatory Responsibilities stating: only “exchangers” and “administrators” of CVCs, and not “users”, are Money Transmitters. This statement serves as a advisory for cryptocurrency firms to comply with the FinCEN Travel Rule.
Back in January 1995, the Board of Governors of the Federal Reserve and FinCEN jointly issued a Rule for banks and other nonbank financial institutions, relating to information required to be included on funds transfers. The Rule is comprised of two parts – the Recordkeeping Rule, and what’s come to be known as the Travel Rule. The Recordkeeping Rule requires financial institutions to collect and retain the information that in turn, per the Travel Rule, must be included with a funds transfer and passed along – or “travel” to each successive financial institution in the funds transfer chain.
The following information is required to comply with the Travel Rule:
In contrast to FATF’s guidance, FinCEN clarified that the recipient’s financial institution should retain the same information as the originator to the extent that the information has been provided by the originating money service business. The differences between the FATF and FinCEN guidance are limited, aside from the transaction thresholds: $1,000 (FATF) and $3,000 (FinCEN).
When the Travel Rule was originally enacted for bank-to-bank transfers, the information required under the rule was the same as the information already required to execute the wire transfer. Originally, the most significant feature of the Travel Rule was not the collection of any additional information, but rather the requirement to transfer that information to the recipient and the requirement to retain it in case of subsequent government inquiries.
Cryptocurrencies, like Bitcoin, that settle transactions on a blockchain have unique challenges regarding Travel Rule compliance in part due to the lack of counter-party information in blockchain.
It should be noted that under the FATF and FinCEN Travel Rules, compliance is only required where funds are transferred on behalf of a client or customer between two VASPs, or between a VASP and a financial institution.
The issue emerges because VASPs often have limited information on the counter-party without which they cannot distinguish which transactions fall under the Travel Rule. For a virtual currency transaction, all that is required to execute the transaction are the virtual currency addresses of the originators and beneficiaries.
On October 23, 2020, the Board of Governors of the Federal Reserve System and FinCEN issued a joint Notice of Proposed Rulemaking (“NPRM”) soliciting public comment on proposed amendments that seek to modify the existing Recordkeeping and Travel Rules by:
On December 18, 2020, FinCEN, issued a NPRM that would require banks, cryptocurrency exchanges and MSBs to collect Know Your Customer data on anyone transferring cryptocurrency worth $3,000 or more to or from a private wallet. The NPRM would impose new requirements that banks and MSBs must gather, maintain, and report information about customers engaging in virtual currency transactions with unhosted wallets. The NPRM would also impose these same requirements on transactions with hosted wallets held by a financial institution that are not subject to the BSA and are located in a foreign jurisdiction on the so-called FinCEN “Foreign Jurisdictions List.”
FinCEN has not issued any follow up information on these NPRMs.
There is still no clearly defined approach for “Travel Rule” compliance in the cryptocurrency industry. The industry has responded with various initiatives such as:
Cryptocurrency-based companies are building regulations into their AML platforms with API-centered solutions. Risk-based approaches are adopted to freeze or deny transactions that do not comply with AML / KYC regulations. Notably, most blocked transactions originate from Unhosted wallets.
Distributed Ledger Technology
Other “Travel Rule” compliance systems, such as OpenVASP and TRISA – which are open source, rely on Distributed Ledger Technology to exchange end-to-end encrypted messages between “trusted” VASPs.
The InterVASP working group, which is comprised of leading international associations representing VASPs as a coalition of trade bodies, presented the IVMS-101 in May 2020 which is the newly adopted messaging standard for communication between VASPs.
The Travel Rule marks a major change when it comes to virtual assets and may fundamentally alter how VASPs operate in the future. To prepare for the future, Cryptocurrency exchanges must apply a risk-based approach, in addition to having clearly defined policies and procedures. Specific examples include the following:
Instituting risk assessment into a cryptocurrency organization's AML program will allow for better protection, as well as detection, against any suspicious unhosted wallet transactions. Compliance solutions allow for transactions to be frozen or denied through self-regulating software.
A key to maintaining the decentralized nature of cryptocurrency will depend on standardizing access across other VASPs. Developing and instituting risk management standards for third parties will allow for transactions to be conducted within BSA guidelines.
Many smaller firms will have to largely consider the monetary implications of conducting business in the US market. Firms will have to risk assess their operations and ensure industry best practices are being met to prevent financial and reputational damage from regulatory scrutiny.
The key to compliance with the Travel Rule is a strong due diligence or KYC process that gathers the key information at customer on-boarding. Also, blockchain analytics software exists that can help identify risk-related details about the destination – owners of the cryptocurrency wallet address.
Alternatively, some exchanges have sought to comply by restricting outbound transfers that trigger the travel rule to wallets that are already owned by the customer, rather than by anyone else, so that the exchange or wallet provider can rely on information they have already collected.
Sia Partners works with cryptocurrency exchanges to draft their policies and procedures, as well as offer best practice recommendations for the BSA Travel Rule. We can design the most effective risk-based approach that is ideally suited to meet cryptocurrency business needs.