On 21st July 2022, amendments to The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the “MLRs”) introduced the requirement for in-scope cryptoasset businesses (cryptocurrency exchanges, digital wallet providers, and financial institutions that exchange, hold, safekeep, convert, and sell cryptoassets) to collect and transmit information when executing a cryptoasset transfer.
The ‘Travel Rule’ is set to take effect on the 1st September 2023 and the Financial Conduct Authority (FCA) has recently set out its expectations for UK cryptoasset businesses to comply with the Travel Rule.
Background of the “Travel Rule”
The Travel Rule is an update (officially adopted on 21 June 2019) to the FATF Recommendation 16 (R.16) regarding cross-border and domestic wire transfers that extend to Virtual Assets Services Providers (VASPs) the requirements for originators and beneficiaries of all transfers of digital funds to exchange identifying information.
What are the requirements of the Travel Rule?
In essence, cryptoassets providers in scope of the Travel Rule must (pre-transaction) disclose specific customer information when transacting cryptoassets. The originator customer and beneficiary’s personally identifiable information (PII) must accompany any crypto transaction with certain additional information required for transactions that crosses a specific threshold. Additionally, cryptoasset businesses must screen the counterparty customer for sanctions and perform due diligence on the counterparty cryptoasset business before accepting any incoming or outgoing cryptoasset transfer. If this information is not disclosed then cryptoasset firms face the risk of fines, loss of transaction flows, or loss of regulatory licenses.
As we approach the implementation date of 1st September, it is important for firms to review the requirements and consider potential changes in their policies and procedures. In this sense, let’s review the main Travel Rule requirements and challenges that must be factored in firms’ implementation plans.
1. Information requirements accompanying transfers of cryptoassets
The Travel Rule requires cryptoasset firms to put in place systems for ensuring that personal information of the originator and beneficiary of a cryptoasset transfer is transmitted and received alongside the transfer, in an appropriate format. The required information must be transmitted regardless of the transaction amount with a requirement to transmit further data when the following criteria is met:
- At least one counterpart in the transactions (the originator, the beneficiary or the intermediary) carries out business outside the UK with respect of the transaction; and
- The transfer is equal to or exceeds the equivalent in cryptoassets of EUR 1,000.
The provision of the required information must occur before or at the moment the transaction is completed. Where the transfers are to a jurisdiction with higher requirements than those required in terms of the travel rule, a cryptoasset business complies with its obligations by providing the information as required.
The cryptoasset business of the originator may need to consider executing the transfer after the cryptoasset business of the beneficiary has checked the beneficiary information corresponds with verification of its CDD, if it does not unduly impact time required to complete the transaction and is in line with its procedures. For batch file transfers, the Travel Rule requirements apply to each of the underlying transfers forming the bundle. In this case, information on the batch must be submitted securely and simultaneously with the transfer.
In summary, for an inter-cryptoasset business transfer the originating cryptoasset business must ensure that the cryptoasset transfer is accompanied by the following information:
- For single and linked inter-cryptoassets business transfers in the UK or for international transactions below €1,000, the originating cryptoasset business is required to provide the name or legal name and account number (or unique transaction identifier) or both the originator and beneficiary in the transaction. Upon the cryptoassets business beneficiary request, the originating cryptoassets business shall also provide the customer identification number, address, passport number or identity number. For legal persons, it is expected that the originating cryptoasset business provide the registered address and/or principal place of business;
- For single and linked international transactions (where at least one of the cryptoasset businesses involved in the transfer is not carrying on business in the UK) above €1,000, the following information is expected to be provided by the cryptoassets business of the originator:
- Information on the originator: For individuals, firms need to provide the customer’s name, account number or unique transaction identifier, and customer identification number; or address; or birth certificate number, passport number or national identity card number; or date and place of birth. For legal persons, it is expected that firms provide registered company name or trade name, account number or unique transaction identifier, and customer identification number; or address of registered office or principal place of business;
- Information on the beneficiary: Name or registered company name and account number or unique transaction identifier.
2. Validation of information and detection of missing information
Cryptoasset businesses are required to implement effective procedures to detect whether the required beneficiary and originator information is missing from an inbound transfer. This will include monitoring in real time or after the transfer.
In terms of delaying or refusing cryptoasset transfer on a risk-sensitive basis, cryptoasset businesses should have regard to:
- The purpose and nature of its business relationship with the beneficiary and of the transfer;
- The value of the transfer and any linked transactions;
- The frequency of the transfers; and
- The duration of its business relationships with the beneficiary.
Firms should document any steps taken along with their reasoning as part of their risk-based approach.
3. Obligations on intermediary cryptoasset service providers
Intermediary cryptoasset business must ensure that all information required about the originator and the beneficiary that should accompany a cryptoasset transfer is received and retained with the transfer. When an intermediary firm becomes aware of missing information it must request the information from the cryptoasset business it received the transfer from. Also, it must consider, on a risk-sensitive basis, whether to delay the onward transfer until the information required is received.
4. Wallet screening and counterparty due diligence
Cryptoasset businesses should adopt a documented risk-based approach to identify the transaction counterparty and whether the wallet involved in the transaction is hosted or unhosted. The firm’s risk-based approach could be based on the following:
- Blockchain analysis;
- Query the wallet address using discoverability methods provided by the travel rule solution being used;
- Consult the cryptoasset business’ own address book;
- Obtain information on the wallet status and/or identity of the cryptoasset business from the beneficiary.
Cryptoasset businesses should consider rescreening wallets and counterparties as part of their ongoing transaction monitoring systems.
5. Treatment of unhosted wallets
Cryptoasset businesses should adopt a risk-based approach when dealing with unhosted wallets. Where a transfer is being made from a cryptoasset business to an unhosted wallet, the originating cryptoassets business is not expected to send transaction information to an unhosted wallet, though it should still collect information on the intended beneficiary and the wallet where it has been determined that there is a higher risk of Money Laundering, Terrorist Financing or Proliferation Financing. In assessing the level of risk associated with the unhosted wallet, a cryptoasset business must consider the following:
- The purpose and nature of the business relationship with its customer and the unhosted wallet transfer;
- The value of the transfer and any linked transfer;
- The frequency of transfers made by or to the customer;
- The duration of the business relationship with the customer.
Where the firm’s risk assessment has determined that information on the unhosted wallet must be collected, the cryptoasset business must take reasonable steps to obtain the information from its own customer and, in higher risk cases, the firm should also take steps to ascertain the source of funds in the unhosted wallet and consider authorising the transaction only if the control over the wallet can be established via, for example, micro deposits or cryptographic signature.
Firms unable to obtain the required information from customers must not make the unhosted wallet transfer nor make the cryptoasset available to the beneficiary. If the transaction raises suspicion on potential financial crime activity, then the cryptoasset business must consider submitting a Suspicious Activity Report (SAR) where relevant.
6. Record keeping
The receiving cryptoasset business is required to retain the above originators and beneficiary information for a period of five years from the date it reasonably believes the transaction is complete.
Records should include:
- The information relating to the identification and verification of relevant parties;
- The public keys (or equivalent identifiers) of relevant parties;
- The addresses or accounts involved (or equivalent identifiers);
- The nature (e.g., deposit, transfer, exchange) and date of transactions; and
- The amounts transferred.
The “sunrise issue” which refers to the persistent problem of the Travel Rule not being fully implemented across all jurisdictions continues to present a challenge to cryptoasset businesses dealing with counterparties in jurisdictions where the travel rule has not been yet implemented, or where it has been implemented but by following different standards to those in the local jurisdiction.
Additionally, cryptoassets businesses still face challenges in performing due diligence on their counterparties. According to FATF’s recent report (“Virtual Assets: Targeted Update on Implementation of the FATF Standards” (“Targeted Update 2023”)), these challenges are mainly associated to the following:
- Subsistence of unregistered/unlicensed cryptoasset businesses;
- Lack of public information about licensed/registered cryptoasset businesses;
- Insufficiency of information available in some Travel Rule compliance tools.
How Cosegic can help
Effectively, cryptoasset businesses must review their policies and procedures to reflect the new requirements while they work with a technical solution provider to implement the Travel Rule at the system level, whilst also being aware that their policies and procedures to implement these new requirements will now form an element of the FCA’s assessment of registration applications.
At Cosegic, we have experience in successfully supporting cryptoasset firms with the preparation of their compliance frameworks and registration applications in line with the regulatory requirements and the FCA’s expectations. We would be happy to discuss further your firm’s requirements and support you on your compliance set-up journey.
Related resourcesAll resources
Regulatory News: Policy Statement PS23/13
Consumer Duty FAQ - 3 weeks to go
FCA issues Consumer Duty updates with one month to go - 28 June 2023
Webinar: The transformed FCA: what has changed about the way the Regulator interacts with firms?