An amendment to the UK Money Laundering Regulations which came into force on 1st September has ushered in additional regulatory requirements for cryptoasset businesses.
Firms will now be required to collect and verify information about cryptoasset transfers, and share it along with the transaction – this is known colloquially as the “Travel Rule”.
Evan McGookin and Chris Vaughan from fscom’s financial crime team discussed the new regulation and its impact on firms in the latest episode of our podcast, Partners in fincrime. They were joined by Jason McKinney, who is UK MLRO at Airwallex. In this blog, we summarise their expert analysis of the Travel Rule.
New requirements for cryptoasset businesses
The Travel Rule is originally derived from Recommendation 16 of the Financial Action Task Force’s (FATF) 40 Recommendations, which sets out international standards on combatting money laundering and the financing of terrorism and proliferation. Full details of the new rule can be found on the Financial Conduct Authority’s (FCA) website, but the key requirement is that Virtual Asset Service Providers (VASPs) will now need to send information before or alongside a transaction. This should include:
- The account holder’s name.
- Their unique account information.
- A physical address.
- The beneficiary of the account or the transaction.
The overarching aim of the rule is to improve transparency of cryptoasset transactions and to tackle money laundering and terrorist financing by introducing additional requirements to the sector. In the FCA’s words, the rule is for “helping cryptoasset businesses detect suspicious transactions and carry out effective sanctions screening”. When the rule was first proposed, many industry experts pushed back against the idea – but a loose consensus has since been reached as to how it will be implemented.
Challenges to implementing the Travel Rule
An obvious challenge of the Travel Rule is that, unlike an IBAN number for retail bank accounts, for example, information relating to the overriding account holder is not readily available within a virtual asset address. So how are counterparties meant to send and/or receive the required information and how is the reporting now required meant to actually work?
We are still in the early stages of implementation, but, around the world, different third-party protocols and commercial solutions are emerging which relevant firms can utilise to transfer information along with a cryptoasset transaction. Some of these protocols are likely to merge in due course, whilst others are likely to fall away as consolidation occurs.
Ultimately, the information required under the Travel Rule needs to be bundled into a transferrable piece of data that can be sent to a counterparty firm. The FCA will also expect the firm sending the information to detect whether the counterparty has the infrastructure in place to comply with Travel Rule requirements.
What happens in cases of unhosted wallets, or missing information?
It will be particularly difficult to apply the proposed regulations to transactions involving unhosted wallets – i.e. someone who holds a private key to their cryptoassets and does not require validation from a third party. Firms in the UK are advised to take a risk-based approach when dealing with these wallets, because their risk of money laundering and terrorist financing could be higher.
It is extremely challenging for VASPs to identify the beneficiary of a transaction if it involves unhosted wallets. One way for firms to mitigate this risk, if a large number of their transactions involve such wallets, is to clearly set out their risk appetite, policies, procedures and processes for requesting information. Some firms may be able to assess the provenance of the source of funds for transactions by using blockchain monitoring solutions. But, where firms are unable to be reasonably satisfied regarding the inbound payment, they may need to consider returning funds to the wallet.
Even if unhosted wallets are not involved, firms may not be able to get the information required under the Travel Rule. In these cases, they should also have in place a process which involves reaching out for information and then making a risk-based decision on what to do about the transaction in question.
Significant implications for crypto firms around AML risk management
The Travel Rule represents a big change for the crypto sector and carries significant implications for VASPs. It will require firms to put in place a number of measures including:
- Training to upskill staff in the regulations; and
- New systems and controls to comply with requirements and to ensure funds are not made available to a customer from a transaction until the firm has satisfied its obligations under the Travel Rule.
Implementing a compliance operation of this complexity, or bringing in the appropriate external tools to support with overseeing transactions, will be resource-intensive for companies. Nor is it likely to be a smooth process, because the crypto sector has not previously had to deal with much in the way of regulation. But it is something that companies simply have to do.
The rule will also change the speed of transfers. Fundamentally speaking, crypto transfers are expected to be instant in receipt. But the need for information to be verified or sent along with the transaction, and to allow for investigation where information is missing, means that cool-down periods are likely to be required, in which firms consider the risk level of a transaction before it is carried out. Firms that fail to do this will not only be falling short of best practice, but they will be non-compliant with nascent regulatory obligations.
Overall, this is a good thing for the crypto industry. AML regulation is something which many people have been demanding for a long time. Cool-down periods will help to reduce the heightened risks of money laundering facing the sector, and improve its reputation and consumer protection as a result.
Blockchain monitoring: from nice-to-have to a must-have
How should firms overcome the challenge of gathering information about crypto transactions to comply with the new regulation? An increasingly important method used by firms is to employ third party tools and blockchain monitoring to assist with this process.
When guidance first came out from FATF, it said that blockchain monitoring by firms to tackle money laundering risk might be useful in certain circumstances. Now, the guidance says firms need to supplement their activity with blockchain analytics and sanctions screening. Firms will therefore be required to bring in blockchain tools – and using a third-party provider is usually the best way to bring that expertise in more cost-effectively.
fscom can help your firm to comply with the Travel Rule and improve your overall approach to AML.