The Financial Action Task Force (FATF) is an inter-governmental body that has, as its main aim, the prevention of money laundering and terrorist financing. It is referred to as the global money laundering and terrorist financing watchdog. As a policy-making body, the FATF issues recommendations or standards on a regular basis. These are primarily aimed at aiding jurisdictions around the world in their mission to combat and prevent organised crime, corruption and terrorism.
The recommendations issued by the FATF are not legally binding on its member countries however, it is in the best interests of the member countries to adopt them. This is due to the fact that the FATF is a behemoth of a regulator in the financial sector and has its own ways of ensuring that countries implement its recommendations.
The most popular mechanisms in this regard are those of placing jurisdictions on the list of “High-Risk Jurisdictions Subject to a Call for Action”, otherwise known as ‘Blacklisting’, and placing jurisdiction on the list of “Jurisdictions under Increased Monitoring”, otherwise known as ‘grey listing’. Where a country does not adhere or implement the FATF’s recommendations in an effective manner, the FATF holds these countries to account by virtue of its grey-listing and black-listing mechanisms.
The Blacklist contains a list of countries which have ineffective and deficient AML and CFT frameworks. Countries on the FATF’s blacklist are more susceptible to economic sanctions and other prohibitive measures by the member countries of the FATF. Similarly, the Greylist offers a list of countries that are under increased monitoring due to their higher risk of money laundering and terrorist financing. Countries on the Greylist are given a grace period within which to rectify their AML/CFT deficiencies. If they do not do so, they would then be blacklisted.
The Travel Rule is not a novel legal mechanism by any means. Its origin can be traced back to the USA’s Bank Secrecy Act (1970). However, it was only recently that such a rule was made applicable to the virtual asset industry by the Financial Action Task Force. The FATF had also taken a similar approach with regards to Fiat currency wire transfers in 2012, wherein it adopted the Travel Rule for the first time by virtue of Recommendation 16.
In June 2019, the FATF issued a public statement relating to virtual asset service providers. One of the most important aspects of this public statement was the subjection of virtual asset service providers to Recommendations 10 to 21. One of these recommendations was Recommendation 16, ergo the so-called ‘Travel Rule’.
This recommendation rendered the ‘Travel Rule’ applicable to virtual asset service providers (VASPs) and other obliged entities that engage in virtual asset transfers. In the ‘Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers’ document, the FATF defines the term ‘Virtual Asset Service Provider’. The definition states that any service provider that carries out the following activities is deemed to be a VASP; Exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, the transfer of virtual assets, safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets, participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
When implementing the aforementioned definitions to the actual operations in the cryptocurrency sector, one can safely state that the following asset services are classified as virtual asset service providers and may thus be obliged to conform with the Travel Rule by their respective member country. The entities are mostly the following:
One may notice that the FATF did not specifically mention peer to peer platforms, DApps and Decentralised Finance in Recommendation 16. However, even though these are not directly addressed, they may still fall within the definition of a virtual asset service provider depending on how they are structured.
The Travel Rule was made applicable to the cryptocurrency space by virtue of a supplementing amendment to the FATF’s Recommendation 16, which rendered it applicable to Virtual Asset Service Providers on the 21st of June 2019. The FATF gave its member countries a 12 month period within which they had to implement the necessary changes to their VASPs. However, in June 2020, only 32 member countries had implemented the necessary changes. Following this, the FATF issued another 12-month review to conclude in June 2021. Until this period elapses, the FATF has stated that it will carry out more case studies so as to gain a better understanding of the money laundering and terrorist financing risks associated with the virtual asset industry.
In the interpretative note to recommendation 15, the FATF is persistent in its intention to have member countries license and register Virtual Asset Service Providers. The Task Force makes it clear that the licensing and registration of VASPs is a vital step in ensuring that money laundering and terrorist financing activities are prevented and mitigated.
The FATF introduced the Travel Rule by virtue of clause 7 of the interpretative note to recommendation 15. Clause 7(a) starts off by stating that recommendation 10 (which envisages steps for effective Customer Due Diligence/CDD mechanisms), shall be applicable to Virtual Asset Service Providers. Furthermore, it stipulates that an occasional transaction which is equivalent to or over 1000 Euros/USD must be subjected to the necessary customer due diligence by the Virtual Asset Service Provider.
Clause 7(b) (Recommendation16) envisages the salient characteristics of the VASP Travel Rule. To gain a comprehensive understanding of the Travel Rule, one needs to dissect the obligations stipulated in it. The first requirement that must be fulfilled for the Travel Rule mechanism to come into play is the 1000 Euro/USD transaction threshold. Following the fulfilment of this criterion, VASPs are then required to obtain and hold the required and accurate originator information and the required beneficiary information of the parties carrying out the virtual asset transfer.
With regards to the Originator data, the FATF requires the virtual asset service provider to obtain and hold name of the originator, the account number of the originator (the one used to process the transaction) or the wallet address of the originator if the transaction is by way of a virtual asset, and the physical address or national ID number or customer identification number that uniquely identifies the originator to the ordering institution or date and place of birth.
With regards to the Beneficiary’s data, the FATF requires the virtual asset service provider to obtain and hold the Beneficiary’s name and the Beneficiary’s account number where such an account is used to process the transaction, or the wallet address as the case may be.
Upon the collection of such data, the originators of virtual asset transfers must submit the aforementioned data to the relevant beneficiaries. Similarly, the beneficiaries must submit their collected data to the originators. Furthermore, the VASPs must make their relevant information available on request to the appropriate authorities. The underlying intention for the transfer of such data is to address the ever-increasing AML and CFT challenges associated with the global use of virtual assets. This process was not always present in the transactional phase of a virtual asset. Normally, the originator collects the relevant data (name ID etc.) with the beneficiary benefitting from anonymity. By virtue of the Travel Rule mechanism, financial authorities would be reducing the difficulty of tracking down cryptocurrency payments and transfers as they would now have access to the beneficiary account wherein the transfer would be effected.
An efficient manner to tackle the Travel Rule obligations is the setting up of a VASP global database. Within this database, VASPs would be able to securely communicate with each other whilst also limiting the possibility of data breaches. To limit the chance of data breaches, VASPs also need to enhance their cybersecurity measures to prevent and combat any attempt to gain illegitimate access to their collected data.
In conclusion, a vital element that VASPs must address is that of data protection. Since the mechanism involves the transfer of personal data, the VASPs must make sure that in transferring such data between each other, they do not breach a person’s right to effective data protection as stipulated by the General Data Protection Regulation or any other applicable legal instrument.