When it comes to complying with the so-called travel rule, the cryptocurrency industry has a long way to go.
And it’s unclear when it will reach the destination – if, indeed, it can or even wants to.
More than two and a half years after the Financial Action Task Force (FATF) announced that it intended to require cryptocurrency firms to retain the same customer data as banks and money services businesses for certain transactions, there is widespread unanimity among crypto groups on two points.
The first is that, despite strong initial resistance, the industry has come together to make remarkable progress toward a shared set of standards that allow virtual asset service providers (VASP), as the FATF calls them, to comply with the requirement, commonly known as the “travel rule.”
The second point of agreement is that the day when all crypto transactions meeting the FATF threshold of $3,000 or more are actually compliant with that rule is still far away.
Rob Garver is a longtime Washington, D.C., journalist who has written for American Banker, the Fiscal Times, Voice of America and ProPublica. This article is part of CryptoX’s Privacy Week series.
The real compliance work has been done by just a small fraction of the thousands of VASPs that will eventually have to come into compliance with the requirements as the FATF’s 39 member jurisdictions adopt the standard.
“I would say that the number of VASPs actually doing anything directly with a travel solution would be numbered in hundreds, no more than that,” said Siân Jones, a senior partner with XReg Consulting. That’s just a sliver of the 30,000 or more registered or licensed in different jurisdictions around the world.
Among the relatively few VASPs that have taken any steps, “not all of those are in what you might describe as a ‘live’ mode,” Jones said. “You can imagine these 30,000 VASPs around the world all have to talk to each other eventually, and we’re nowhere near the critical mass that would make that realistic. We are still way off.”
The situation is apt to frustrate governments that are worried about blind spots when fighting financial crime, and businesses that can’t be fully compliant with the rule until all or most of their peers are.
On the other hand, crypto users who are in no rush to have their personal information shared with strangers in foreign countries are likely to be relieved by the slow progress. If anything, they would prefer that companies in the field think twice before actively participating in efforts to implement the travel rule.
“Anyone in the ‘crypto’ industry who is eagerly attempting to comply with FATF guidelines should take a moment to employ some introspection and ask why they are here in the first place,” said Marty Bent, a prominent bitcoin investor and critic of the expansion of anti-money laundering requirements into the crypto space. “Bitcoin was created to completely obliterate this type of demonic control. Those who tell themselves that they align with the mission of Bitcoin should reject FATF guidelines and engage in civil and corporate disobedience.”
Nevertheless, a recent survey conducted by Notabene, a company that offers travel rule compliance software, suggested that the industry is marching toward compliance, though perhaps not as quickly as many participants think.
The survey asked 56 companies around the world about their travel rule compliance plans. In response, 67% said they intend to be fully compliant by the end of June 2022. At the same time, however, 60% said that they have not yet begun implementing the rule.
And for many of those VASPs, finding a way to be compliant with their home countries’ implementation of the travel rule could be particularly tricky, given that more than half of the countries around the world where VASPs operate have, so far, failed to issue rules or legislation explaining what compliance would look like.
Indeed, in the Notabene survey, lack of legal clarity was the most frequently cited reason given by companies for not yet being compliant.
“It’s been much slower than we anticipated,” Teana Baker-Taylor, chief policy officer for the Chamber of Digital Commerce, a lobbying group based in Washington, D.C., said of the regulatory rollout. “If everybody’s not on the same page, it creates quite a challenge for compliance.”
Travel rule and FATF origins
The FATF, based in Paris, is an intergovernmental body that was founded in 1989 to deter money laundering and, later, terrorist finance. The 39-member organization includes all of the world’s largest economies, which typically require financial services companies within their borders to comply with FATF recommendations. Because those rules often require that counterparties to transactions meet certain standards, there is a major incentive for non-member countries to require FATF compliance within their own borders.
The travel rule is an anti-money laundering (AML) measure that grew out of the United States’ Bank Secrecy Act, a law passed in 1970, and which regulators have applied to mainstream financial services providers for years. The basic requirements are that when a financial institution sends or receives a transfer of money on behalf of one of its customers, it must collect and retain specific information about the transaction, including the personally identifiable information (PII) of the originator and beneficiary.
That the crypto world’s initial reaction was resistance is hardly a surprise. In an industry built on blockchain technology, with user privacy coded into its digital DNA, the idea of somehow adding an identity layer to peer-to-peer transactions was anathema.
(In some jurisdictions, such as the European Union, data privacy rules require that companies in possession of individuals’ PII hold it for no longer than regulations require. In the EU, for example, the retention requirement is five years, after which time the data must be erased.)
But regulators soon made it plain that the firms that make it possible for individuals around the world to conduct crypto transactions were never going to have much choice in the matter. Law enforcement agencies saw the anonymity of crypto transactions as an open door to the transmission of criminal proceeds, terrorist finance and other illicit activities – one that needed to be closely monitored.
In the months after the requirement was announced, the industry came together to begin building the Inter-VASP Messaging Standard, a shared protocol for communicating information about customer identities, and to develop additional protocols for sharing that information in transactions between VASPs in different jurisdictions around the world.
“Back in the early days, when we first started looking at this, there was still a lot of hesitation – looking at how to understand the nature of the problem,” said Malcolm Wright, chair of the global practitioner advisory board of the International Compliance Association and, as of early this month, head of regulatory and compliance strategy for Shyft Network, a compliance platform.
Since then, he said, there has been a “huge” amount of progress.
“The majority of the industry now understand their obligations. The FATF have released [its] final guidance, which is very, very clear on what is expected of countries in terms of how they should be regulating this and how the industry would then look to comply,” Wright said.
Proposed solutions to the Travel Rule
To the relief of many, FATF largely stood back and allowed the industry to work toward a set of solutions that would satisfy the agency’s requirements without forcing it into a preconceived set of protocols developed outside the crypto world.
The result has been a flowering of multiple different proposed solutions to the travel rule problem.
The different compliance systems take a range of approaches to the problem. Some are modeled on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, in which a central authority maintains a list of member institutions and facilitates transactions between them. Others have stayed closer to the ethos of the crypto world, using smart contracts and other features to keep the system as decentralized as possible and to limit the number of institutions in possession of customers’ PII.
In the U.S., a group of the largest domestic exchanges and custodians formed the U.S. Travel Rule Working group, which began work on a protocol that would allow members of a closed network to share information on transactions made within the network. Later rebranded as Travel Rule Universal Solution Technology (TRUST) the network is exploring ways to extend membership to VASPs outside the U.S.
Two other industry alliance models, Open VASP and the Travel Rule Protocol, out of Switzerland and Asia, respectively, have published open-source protocols designed to allow VASPS to share data required under the travel rule.
Additionally, there have been multiple commercial efforts to create travel rule compliance systems.
Internationally, a group of some of the world’s largest exchanges came together to create a travel rule compliance tool based on smart contracts. The result was Veriscope, operated by Shyft Network, which uses smart contracts to facilitate the transmission of PII. Early adopters included Binance, Bitfinex, BitMex, Tether, Huobi and some two dozen others.
CipherTrace, which was acquired by Mastercard last year, offers a system compatible with the Travel Rule Information Sharing Architecture, which was developed with the cooperation of more than 100 industry stakeholders.
Notabene, a startup founded in 2020 to address travel rule compliance, has built a system that is protocol-agnostic, seeking to solve what’s become known as the “interoperability problem” — basically making sure that VASSPs using different travel rule compliance protocols are able to talk to each other.
Other significant players in the effort to make compliance achievable for VASPs include Sygna’s Bridge protocol, Netki’s TransactID and VerifyVASP.
Regulators, lawmakers MIA
In early January, Marcus Pleyer, deputy director general of Germany’s Federal Ministry of Finance and president of the Financial Action Task Force, published an op-ed in CryptoX with an update on progress toward the implementation of the travel rule.
Though the headline of the piece seemed to be directed at the industry — “Crypto Firms Can’t Outrun the Travel Rule” — the most revealing fact in the article had little to do with the industry and everything to do with the regulations with which VASPs are supposed to be preparing to comply.
Of 128 jurisdictions contacted by FATF only 58 – fewer than half – reported they had the necessary rules and regulations in place to allow crypto companies to comply with FATF’s requirements in the first place. In total, more than 200 jurisdictions around the world aim for compliance with FATF guidance, meaning the vast majority of countries have yet to provide VASPs doing business within their borders meaningful direction on how to comply with the travel rule.
However, for many VASPs around the world, the incentive to achieve at least some level of compliance with the travel rule is coming not from their home country regulators but from abroad.
While regulators in the overwhelming majority of countries have been slow to give explicit guidance on compliance, some have been much more aggressive. The Monetary Authority of Singapore, for example, has mandated compliance with the travel rule for all crypto transactions, regardless of amount.
Likewise, regulators in Canada, Japan, South Korea, and Switzerland have put rules in place requiring compliance. In the United States, no new rulemaking was necessary. Regulators have long made it clear they expect VASPs to comply with rules similar to those applied to money services businesses and other financial institutions.
‘Sunrise problem’
The hit-or-miss rollout of travel rule compliance guidance has created what industry experts refer to as the “sunrise” problem. As individual countries roll out travel rule compliance requirements, VASPs within those jurisdictions find it difficult, if not impossible, to abide by the rules while transacting with non-compliant VASPs in other jurisdictions.
The nature of the travel rule is such that an individual VASP cannot, by itself, remain in compliance. For every transaction subject to the travel rule information retention standard, a VASP can only be fully compliant if it is certain that the counterparty VASP on the other end of the transaction is also complying by providing the true PII of its customer.
“What’s actually changed a lot right now is that people are realizing it’s not just about whatever your national regulator is telling you to do, because the travel rule is about collaborating,” said Pelle Braendgaard, CEO of Notabene.
“If you perform international transactions, and most VASPs do, then you have to not just worry about what FinCEN says, for example, you have to worry about what the [Monetary Authority of Singapore] says or what the South Korean regulator says, or it’s going to start really affecting your transaction volume. This is what we’re seeing that’s actually driving most of the adoption right now.”
Justin Newton, the founder and CEO of Netki, pointed out the stakes vary depending on the location of the counterparty VASP.
“If you are in a relatively well-regulated jurisdiction, say somewhere like Singapore or Switzerland, and if the counterparty is also in another well-regulated jurisdiction that may just not have this coming, you may be fine with doing the transaction,” he said.
But it gets tricky when doing business with firms in jurisdictions that the FATF has put on warning for falling short of the intergovernmental body’s standards.
“If the other end of the transaction is in a FATF gray-listed country, you might have second thoughts about doing a transaction with them if they don’t have a travel solution live,” Newton said. “The risks start piling on top of each other and cascading.”
Increased transactional friction
What this adds up to for VASPs is an increase in transactional friction. Every transaction that requires special attention translates into a frustrated customer who simply wants to send or receive assets as efficiently as possible.
The situation is extremely frustrating to the industry, which originally balked at the requirement on privacy grounds but made a good faith effort to comply, said Baker-Taylor, of the Digital Chamber of Commerce.
“The industry was challenged to comply with a directive without having any means to do so, and since 2019 the industry has figured out how to do that and has made material progress both technologically and in the mindset to comply,” she said.
“Two years on, people have not warmed up to the idea but have accepted that this is happening and have asked, ‘How are we best going to solve for this?’ So, from an industry perspective, I honestly cannot see what else we could do. And now we’re kind of at the mercy of governments to get it together.”
Joseph Weinberg, co-founder of Shyft Network, echoed that frustration. Regulators, he said, “are ultimately dictating the pace.”
“Infrastructure-wise, we’ve been ready for a while,” he said. “At this point, we’re just working with the exchanges, making sure that the product fits all of their [regulatory] requirements.”