The FATF Travel Rule sets out recommendations for compliance in the world of cryptocurrency exchange and other value-bearing virtual assets (VA). It intends to identify and prevent financial crime risks such as international financial sanctions, money laundering, bribery and corruption, tax evasion, and the financing of terrorism.
Many in the world of crypto and blockchain understand the basic contours of the Travel Rule — transmitting at a minimum the names and account numbers of the remitter and beneficiary in a transaction provides transparency. It also moves us a step further to normalising these transactions as an integrated part of the global economy.
While such basic details are known, we also should put particular focus on who the Travel Rule is intended to help regulate, just as much as what it regulates. The Rule will apply to Virtual Asset Service Providers (VASPs). VASPs include cryptocurrency exchanges and digital wallet providers, and even some financial institutions, including banks dealing with crypto assets.
One significant challenge here lies in what the definition of VASPs does and does not cover. There is also the gap around interactions between VASPs and non-VASPs. I have written in-depth about that second challenge recently. It is a solvable problem with a crypto analytics solution such as Coinfirm’s AML Platform.
I want to go into greater depth here about potential ambiguities in the definition of VASPs. Those ambiguities open up the risk of asymmetries of information in the VA ecosystem. As a result, they could diminish the effectiveness of the Travel Rule and its potential to contribute to a safer world.
The term VASP was introduced by the FATF to describe those firms that perform services relating to VAs, i.e., cryptocurrencies and other blockchain assets. The term creates a new category of a financial service provider that can, in turn, be subject to regulatory oversight. It reflects underlying similarities in the services provided, including providers of custodial digital wallet services, transfer services, and brokerage or investment-related services.
Under this umbrella, all of these become “obliged entities” that must be licensed or registered. They must, therefore, comply with comparable standards to those for traditional financial institutions such as banks.
As such, I see significant gaps that emerge in the definition of VASPs. There is no universal register of wallet addresses. There is no simple way of assessing whether a wallet is linked to a VASP or not. A VASP dealing only with an institutional business would find it relatively simple to monitor and control for this. It is much harder, however, for larger exchanges or wallet providers who potentially transact with any wallet address.
A blockchain data analytics solution such as Confirm could monitor the profile of specific wallet addresses. Such analysis would help determine VASP or non-VASP related addresses. But the technology is currently ahead of guidance on the characteristics that would be defined by regulators.
A second gap I see is the potential for differences in how individual country regulatory regimes implement their definition of VASPs. FATF recommendations such as the Travel Rule are intentionally open for regulators to interpret. Not all regulators will do so in exactly the same way, which could create openings for malicious actors to exploit.
Because the scope of the FATF definition includes both virtual-to-virtual and virtual-to-fiat transactions or financial activities or operations, it goes beyond that of The Fifth Anti-Money Laundering Directive (5AMLD), which set out to harmonise national money-laundering regulation. Many jurisdictions may leave out purely virtual-to-virtual activity (i.e., C2C or crypto to crypto) as well as certain forms of VAs and tokens since 5AMLD only captures custody-related wallet activity and exchange-related activity where there is a fiat touchpoint.
Others have taken or will take this further, such as Gibraltar. It explicitly defines ‘value’ such that the concept of a ‘transfer of value’ captures virtual-to-virtual activity. This means that all DLT-regulated firms within Gibraltar will almost certainly trigger the definition of a VASP, while exactly comparable firms in looser jurisdictions will not.
The final gap I’d like to discuss is the open door created by including the transfer of VAs alongside their exchange. Businesses such as providers that host VA wallets, those that maintain custody or control over another natural or legal person’s VAs, custodians of private keys, providers of services relating to the issuance of a VA (such as in an ICO), safekeeping and administrative service providers, and so forth—ostensibly, all of these could be VASPs, at least in some contexts.
The open door created by regulating third-party providers of VA transfer services seems very wide indeed. It could also extend to services which may occur via decentralised models referred to in the FATF Guidelines as “Decentralized (or distributed) applications (DApp)”.
DApps operate on a peer-to-peer network of computers running a blockchain platform, designed such that they are not controlled by a single person or group of persons. They thus do not have an identifiable administrator. The definition of VASP applies to DApps, in theory at least, with wide margins of interpretation. The issues are vast—in a DApp environment, who or what is the entity subject to licensing and regulatory oversight? In which jurisdictions? Who maintains the duty to comply with Travel Rule requirements? Who carries out activities such as KYC and suspicious activity monitoring?
What I believe is called for here is further accompanying guidance on the criteria that would bring a DApp’s activity under the scope of the definition of a VASP. It is difficult to see how a fully decentralised platform or exchange could fall within the definition of a VASP even though it may unarguably be used to facilitate both transfer and exchange services generally speaking. But unless we start with clarity, the issue is moot.
Taken together, these ambiguities in the definition of VASPs need to be resolved with explicit and careful distinctions. The FATF Recommendations do not purport to regulate the technology that underlies VA’s or VASP activities, but rather the natural or legal persons behind technology that may be used for primarily financial activity or conduct as a business.
They are also not meant to capture ancillary services or products to a virtual asset network, such as hardware wallet manufacturers and non-custodial wallets (to the extent that they do not also engage in or facilitate other VA activities on behalf of their customers).
While technology solutions could potentially address or mitigate any of the gaps I have highlighted in this article, I would still argue that the onus is on the side of guidance and decision making. Without these, we risk too many jurisdictional differences to allow for the fundamental point of all of this—the prevention of funding illegal, harmful, and destructive activity through collectively agreed AML standards.