by Erika Federis and Dominique Simon
With the implementation of the Travel Rule right around the corner, big players in the crypto scene are scrambling to come up with numerous solutions in an attempt to comply with the Financial Action Task Force’s (‘FATF’) requirement.
Recommendation 16 of the FATF’s handbook obliges Virtual Asset Service Providers (‘VASPs’) (i.e., crypto exchanges, wallet providers, custodians etc.) to ensure that all identifying information of originators and beneficiaries of digital assets are exchanged between transacting VASPs. This information will essentially ‘travel’ with those digital assets being sent. Additionally, transacting VASPs must also ensure the accuracy of any such information travelling with all crypto transactions.
The intention behind the Travel Rule is to address the anti-money laundering and counter-terrorist financing challenges associated with the increasing global use of cryptocurrencies. The FATF’s aim is to allow for the creation of better audit trails for crypto-based transactions.
A broad range of ideas has been proposed by a number of institutions on how best to implement the right solution to cryptocurrency AML/CTF concerns. The solutions seek to address two main concerns:
- How to come up with the best means to systematically identify different VASPs.
- How to ensure safe transmission of the identifying data, which travels with each crypto transaction.
Early last month, the InterVASP Messaging Standard (‘IVMS101’) was announced, which sets out a uniform model of data to be exchanged by VASPs, similar to the SWIFT messaging standard. IVMS101 creates a universal common language to transmit the information required by the Travel Rule. Whilst undoubtedly, the creation of such a standard proves to be a positive first step towards solving the Travel Rule problem, the implementation of IVMS101 is as of yet unclear.
The problem lies in the need to quickly develop and adopt a global solution for a very young and emerging new industry. While most VASPs do adhere to AML concerns, many still do not. In fact, there are those who believe cryptocurrencies are antithetical to AML concerns because they are fundamentally designed to be anonymous. Any type of solution here would mean a universally adopted standard adopted industry-wide, as well as all VASPs coming on board to the notion of AML as it applies to cryptocurrencies. Organisations and countries themselves are therefore considering a central global database to collect and store VASPs and customer information.
While many believe the Travel Rule will undermine one of the key aims of blockchain technology, anonymity, many others welcome the innovation and centralisation requirements such as the Travel Rule will encourage, particularly in relation to the wider payments industry. A global, centralised database focused on cryptocurrency transactions could quickly grow into common use in the broader payment space, particularly for Fintechs providing both cryptocurrency and payments services. Adhering to the Travel Rule may actually encourage global innovation and uniformity.
Given that the Travel Rule question is centred on cryptocurrencies, it is only natural to default to thinking that a blockchain-based solution might be the holy grail – after all, without blockchain, there is no crypto. And there are indeed blockchain-based solutions which are currently being explored, particularly ones which rely on smart contracts.
The use of smart contracts advocates a decentralized approach, which arguably stays true to the essence of blockchain technology. In addition, the near-immutable nature of the technology would more likely than not guarantee the accuracy of identifying data uploaded on the blockchain – ticking off at least one requirement from the FATF checklist.
Notwithstanding, a blockchain solution is not a necessity when it comes to solving the Travel Rule problem – and there exist viable solutions which do not necessarily rely on the use of blockchain technology. Either way, blockchain or no blockchain, any solution implemented which seeks to solve the Travel Rule issue will need to be sensitive to domestic data protection and privacy laws; for instance, the European Union’s (‘EU’) General Data Protection Rules (‘GDPR’).
A Brief Look: The Travel Rule in the Context of GDPR
All identifying data obtained and exchanged by VASPs for the purposes of compliance with the Travel Rule will be subject to the GDPR if such data belongs to citizens and residents of the EU (the information would count as ‘personal data’, which can be linked to ‘identifiable natural persons’).
Given the increasing global use of cryptocurrencies, it will be crucial for VASPs to give some serious thought towards their data protection obligations, particularly when it comes to their EU-based clientele. You might recall the case of Maximillian Schrems v Data Protection Commissioner, where the Court of Justice of the European Union (‘CJEU’) ruled that any transfer of identifying data from the EU to the US could no longer rely on the Safe Harbour agreement – an agreement which essentially allowed companies to self-certify that they were providing adequate protection for personal data being transferred from the EU to the US.
Evidently, the transfer of data from the EU to non-EEA countries has not halted in its entirety — this of course still occurs, subject to EU approved measures, such as the implementation of Standard Contractual Clauses (‘SCC’). SCCs are a set of standard contractual terms and conditions which owners of the personal data consent to sign up to and looks to protect any such data that leaves the EU. This in effect is a guarantee provided by companies to provide an adequate level of data protection, in line with the GDPR.
However, firms should be aware that another case was heard by the CJEU (Schrems II case C-311/18), which questions the validity of SCCs and the adequacy of protection such clauses provide. In a non-binding decision, the Attorney General, in this case, opined that SCCs are valid – though caveated to say that if personal data cannot be adequately protected, then transfers of such data should be suspended. Whilst it appears SCCs remain valid in their own right, firms should remain vigilant when it comes to complying with their data protection obligations.
The full judgment of this case has not yet been delivered, though it is anticipated that this will be reported in July 2020.
What these new developments mean for VASPs adhering to the Travel Rule is that where a VASP was once providing services in a limited country or region, a VASP may suddenly face important considerations of data transmission globally to adhere to the Travel Rule requirements. Many jurisdictions around the world, such as Singapore, the EU, and California have specific data protection legislation. The interplay between the Travel Rule requirements and data protection regulations again highlights the need for a global solution adopted industry-wide, and may well pave the way for further uniform payments regulations around the world.
A brief look: The Travel Rule in domestic legislation
How are countries implementing the Travel Rule? Taking a closer look at the different implementations in the United States and Singapore sheds some light on country-specific implementations.
In the US, the Travel Rule is essentially the Bank Secrecy Act (‘BSA') requirement of exchanging information related to certain threshold transactions, applied to VASPs. And indeed, this has been the position of the Financial Crimes Enforcement Network (‘FinCEN') since 2013. FinCEN issues further guidance in May 2019 to clarify the application of the BSA’s travel rule to VASPs and has even issued fines to companies like Ripple for violating BSA Rules. Here, the US has expanded older legislation to encompass VASPs, although the country has yet to issue specific legislation on cryptoassets.
Singapore, in contrast, has issued specific legislation on cryptoassets, or digital assets as they are referred to in the Payment Services Act 2019 (‘PS Act'). The PS Act seeks to regulate both traditional payment services and digital asset services in one piece of legislation, which is quite innovative and groundbreaking in the field of payments regulations. The PS Act includes a specific requirement to adhere to the value transfer rule, which is Singapore’s version of the Travel Rule. While an industry-wide solution has not yet been identified, Singapore expects VASPs to provide some sort of adherence to this requirement in order to be licensed under the PS Act.
In both of these approaches, either applying old legislation to a new industry or merging digital asset services with payment services in new legislation, the focus on expanding the Travel Rule to VASPs is clear.
The Travel Rule – Where are we Headed?
Blockchain or no blockchain, when it comes to implementing a solution to address the Travel Rule question, at least one thing is for certain: crypto entities dealing with data originating from jurisdictions with specific data protection regimes, such as the EU or California, will need to ensure that any information it receives and exchanges are adequately protected.
Let’s not also forget about the usual KYC/AML requirements – ultimately these due diligence exercises will still need to be carried out prior to the travel of any data ie., before any crypto transactions take place. Crypto entities need to ensure that they continue to develop their KYC/AML processes, in order to not only guarantee the accuracy of the information travelling with all crypto transactions but to also ensure the filtering of potential criminal activity at the onset of each transaction.
The Travel Rule also presents unique operational challenges, such as factoring in the time and cost of transmitting required data along with every transaction. Existing technology can be leveraged to meet these challenges, such as API technology, but will require further expansion of pre-existing relationships and technology platforms.
Ultimately, the Travel Rule requirements may lead to a global, centralised method of storing and sharing payments data, which would be invaluable to the expansion of the new payments system and increasing financial inclusion around the world. There’s no doubt the crypto-industry will rise to the challenge to adhere to new requirements and continue pushing the boundaries of payments innovations.
Erika Federis trained as a lawyer at a Top 100 UK law firm and was first introduced to the blockchain and crypto arena during her training contract. Since discovering her passion for the space, Erika has written articles on issues surrounding the topic (published on Medium) and continues to follow the development of cryptocurrency regulations across the globe.
Dominique Simon‘s legal experience stretches across compliance, corporate governance, and financial regulatory matters including blockchain and fintech. He's worked with SAP SE, Barclays, Deutsche Bank, and Standard Chartered Bank, among others on international compliance and regulatory issues. Dominique continues to develop his understanding of the blockchain and payments industry globally through his work at Wirex, a company pioneering best practices in an already-innovative industry.
Also published on Medium.