The Travel Rule: History and Requirement

During the past decade, virtual currencies have become a well-known payment method and have become increasingly recognized around the globe for their flexibility, low costs, and speed of transfer. The anonymity associated with them has alarmed regulators who have determined that blockchain technology creates conditions for wrong-doers to fund malicious activities or commit crimes, including money laundering and terrorist financing. The approach towards these cryptocurrencies is not universal. Some countries have sought to encourage the virtual asset industry, albeit with the proper regulations, while others have adopted measures to restrict the use or even ban cryptocurrency completely.

From a very early stage the Financial Action Task Force (FATF) identified the need to conduct detailed research into these decentralised, mathematically based currencies (particularly Bitcoin) and assess the money laundering and terrorist financing risks associated with them. Even though FATF’s recommendations are not legally binding, they are considered the gold standard for the AML/CFT efforts and best practices and are based on the national experience of the governments that form FATF’s membership body. As early as June 2014, the international watchdog published a report, entitled VirtualCurrencies – Key Definitions and Potential AML/CFT Risks (1). This industry-oriented report provided the common vocabulary and definitions associated with cryptocurrencies, how they can be classified, and who participates in such decisions.

How Cryptocurrency is Abused

During the past decade, law enforcement authorities have documented many cases where criminals have taken advantage of cryptocurrencies' anonymous characteristics and have exploited them for illicit purposes. One example is the 2017 Wannacry ransom campaign in which hackers hijacked the computers of thousands of users and demanded that the victims pay ransom in Bitcoin in order to gain back access to their systems. More recently the attack on the American ColonialPipeline ransomware attack exposed a fundamental misconception about Bitcoin, it is not so difficult to trace. However, an increase in the use of privacy wallets is being closely examined as they make transactions close to impossible to track, especially if performed in series. In March this year, a court case was initiated against a Canadian-based company selling encryption devices that helped its clients transfer illegally obtained funds through cryptocurrencies (2).

Virtual assets have also attracted the attention of terrorist organisations as well. According to a 2019 report on the terrorist use of cryptocurrencies, prepared by RAND Corporation, the challenge involves not only Bitcoin but other currencies that have emerged after it and are more private and secure, such as Omni Layer (MasterCoin), BlackCoin, Monero and Zcash (3). In August 2020, the U.S. Department of Justice announced that a terrorist financing network, relying on more than 300 cryptocurrency accounts to raise funds was dismantled in what was described as “the government’s largest-ever seizure of cryptocurrency in the terrorism context” (4).

‍Inception of the Travel Rule

The first iteration of what we now call the travel rule was introduced in the US as the “Bank Secrecy Act” in the 1970, outlining a bank's data collection obligations to comply with government investigations into money laundering. Out of this act, SWIFTwas born. In the decades that followed SWIFT became the international standard for data collection and sharing for institutional financial transactions worldwide. As banking moved into the digital age, the Travel Rule has been refined and updated to remain useful and relevant to regulators and law enforcement in identifying financial crime.

Most notably, in October 2018 FATF amended its recommendations to apply to financial activities involving virtual assets. The international organisation also added two definitions – virtual asset (VA) and virtual assets service provider (VASP). The new Recommendation 15 (New technologies) requires that VASPs fall within the scope of AML/CTF regulations and are“licensed or registered, and subject to effective systems for monitoring or supervision” (5). Then in June 2019, the FATF adopted an ‘Interpretative Note’ to Recommendation 15 to provide further clarification on the risk-based approach that should be applied to VAs and VASPs, and to other compliance-related matters such as customer due diligence, record keeping, sanctions, and suspicious transaction reporting. In the same month, a detailed guidance on the risk-based approach that should be applied to VAs and VASPs was released in order to help both state authorities and private sector companies offering virtual assets understand their obligations (6). The aim is to identify and prevent terrorists and other offenders from accessing electronically facilitated fund/wire transfers and using them to move and disguise illicitly obtained proceeds domestically and across borders.

The new and relevant addition to the 2019 guidance is the clarification that the FATF travel rule requirements extend out from the traditional financial sector and also apply to “VASPs that provide services or engage in activities, such as virtual asset transfers, that are functionally analogous to wire transfers”. Recommendation 16 should be applied regardless of whether the wire transfer is conducted in a fiat currency or a virtual asset. A de minimis USD/EUR threshold may be applied depending on the risks associated with virtual assets. In essence, the travel rule as we know it and as it applies to cryptocurrency, is an update of the existing FATF Recommendation16, which focuses on wire transfers.

According to Paragraph 7(b) of Recommendation 15, VASPs and other entities that conduct virtual asset transactions must obtain, hold, and transmit required originator and beneficiary information to perform their compliance-related obligations, such as identifying and reporting suspicious transactions, monitoring the availability of information, taking freezing actions, and prohibiting transactions with designated subjects.

Additionally, FinCEN, the U.S. regulator competent on AML/CTF matters, amended its policy towards cryptocurrencies in May 2019 and defined VASPs as “money service businesses,” which means that they have to comply with the Funds Travel Rule of the U.S. Bank Secrecy Act.

The required information includes name, account number; physical address or national identity number, customer identification number or other unique identity number, date of birth or place of birth; beneficiary’s name and account number or virtual wallet number (where this is necessary to process the transaction) (7).