2024 FATF Targeted Update Summarised with Recommendations
2024 marks the 5th targeted review of the Targeted Update on Implementation of the FATF Standards On Virtual Assets and Virtual Asset Service Providers, which includes the implementation of the Travel Rule.
In their recent findings, the FATF noted marginal improvements in the implementation of Recommendation 15 (R.15). The only notable progress appears to be in the areas of VASP registration or licensing. Although the number of responding jurisdictions has increased from 98 (2022) to 130 (2024), the results remain relatively the same, with 75% of jurisdictions being partially or not compliant with R.15.
Many jurisdictions struggle with fundamental R.15 requirements, with 29% having not conducted virtual asset risk assessments. Over 25% of jurisdictions are undecided on regulating the VASP sector, while 60% permit virtual assets and VASP activities, and 14% opt for partial or explicit prohibition. Prohibiting VASPs proves challenging, as only two of twenty jurisdictions with prohibitions are largely compliant with FATF requirements.
Moreover, little progress has been made on the Travel Rule, with 30% of jurisdictions not passing legislation and low supervision and enforcement in those that have.
Below, we further break down the FATF’s Targeted Update with suggestions for the ecosystem to move forward.
Jurisdictions’ Implementation of FATF Standards on VAs/VASPs (R.15)
Despite an increase in jurisdictions largely compliant with FATF standards on virtual assets and VASPs to 25% as of April 2024, global implementation remains limited. Most jurisdictions (75%) are still only partially or non-compliant with the FATF’s requirements, with the proportion unchanged from April 2023.
Based on their findings, the FATF concluded that jurisdictions are still struggling with the basic requirements of R.15, which include conducting risk assessments, developing policies for VASPs, and implementing the Travel Rule.
Implementation of FATF’s Travel Rule
The Travel Rule, which mandates VASPs and financial institutions to securely obtain, hold, and transmit specific originator and beneficiary information for virtual asset transfers, has seen significant progress in implementation.
As of the 2024 survey, 70% of jurisdictions have enacted legislation for the Travel Rule, up from previous years, and 15 more are in the process. However, almost a third of jurisdictions have yet to pass such legislation, and enforcement remains weak, with less than a third of compliant jurisdictions actively supervising Travel Rule adherence.
Challenges Faced by Public and Private Sectors
Jurisdictions and VASPs face ongoing challenges with the implementation of the Travel Rule. While there have been positive developments, such as increased virtual asset transaction volumes and some progress in interoperability among compliance tools, gaps in global implementation and enforcement persist.
Industry stakeholders note that differences in tool architecture and data protection requirements continue to hinder full interoperability, and existing approaches to mitigate these issues still present technical and operational challenges.
While the industry has adopted the interVASP Messaging Standards (IVMS 101) for Travel Rule information, mirroring ISO20022 for the virtual asset sector, there is potential for further development of these standards to enhance message transitions. Examples include handling transaction rejections and follow-up queries. Additionally, the increased sophistication of virtual asset transfers, involving professional traders and over-the-counter brokers, suggests that some current Travel Rule compliance tools, primarily designed for transactions between individual users, may not be entirely suitable for all types of transactions.
Read: How to Choose a Travel Rule Solution: FATF Guiding Questions
VASP Counterparty Due Diligence
Transmitting the required Travel Rule information requires identifying and conducting due diligence on the counterparty VASP. As crypto transactions are often made with only a wallet address, identifying the counterparty is challenging for VASPsand varying due diligence requirements across jurisdictions make it even harder.
Public national lists of registered or licensed VASPs are FATF's suggestion to support this process, but at least 34 jurisdictions lack such information. Many jurisdictions still allow transactions with foreign VASPs that are unlicensed or non-compliant with the Travel Rule, posing risks of breaching economic sanctions. VASPs should take steps to comply with sanctions, even when only one party has Travel Rule obligations.
Issues with Travel Rule Tools
The industry has developed various Travel Rule compliance tools, but many fall short of the FATF’s standards. Common issues include delays in transmitting information, which undermines sanctions screening and counterparty due diligence.
The FATF has urged VASPs to choose tools that fully meet FATF requirements carefully. Lack of interoperability among these tools can impede counterparty identification and information exchange, affecting transaction monitoring and detecting suspicious activity. The FATF encourages the private sector to enhance compatibility by developing interoperable solutions. On the upside, the use of in-house (on-premises) Travel Rule compliance tools by VASPs has increased, with 7 jurisdictions reporting this in 2024, up from 3 in 2023.
Read: Why 21 Travel Rule Is Safer for Your Customer's PII
Proposed Revisions of R.16 and Implications on the Travel Rule Implementation
In February 2024, FATF started a public consultation on potential changes to Recommendation 16 and its Interpretive Note on payment transparency.
Proposed revisions aim to adapt the Standard to new payment system business models and messaging standards (ISO 20022) while ensuring technology neutrality and consistent rules for similar activities and risks.
Market Developments and Emerging Risks: Self-hosted Wallets
Even among jurisdictions with advanced VASP regulations, 64% have not evaluated risks related to self-hosted wallets or P2P transactions. Data gaps remain a significant challenge. However, 15% are working on collecting and assessing P2P market metrics to evaluate risks from self-hosted wallets.
According to the FATF’s findings in 2023, the volume of transactions through self-hosted wallets decreased, but they are still used in money laundering processes. Some jurisdictions are developing guidelines and enhanced due diligence (EDD) measures for self-hosted wallets. Many require VASPs to take risk mitigation measures, such as using blockchain analytics and following the Travel Rule. The FATF views the implementation of the Travel Rule as critical for increasing risk awareness and identifying transactions involving self-hosted wallets.
The Next Steps for the FATF and VACG
Similar to 2023’s plans going forward, the FATF clarified that support will be provided to lower-capacity jurisdictions to improve the implementation of R.15. This will be achieved by using internal online platforms to share R.15-related materials such as training, legislation, guidance, and risk assessments. As well as organising forums, workshops, and webinars for experience sharing and capacity building, collaborating with international organisations like the IMF, World Bank, and IOSCO.
Like 2023, the FATF confirmed that it will continue monitoring virtual asset ecosystem developments, including Travel Rule tools, DeFi, and self-hosted wallets, and will share practices on managing emerging risks like stablecoins, DeFi, and P2P transactions among its network. The FATF intends to publish a Targeted Update in 2025 detailing jurisdictions’ progress and regulatory responses to virtual asset risks.
The only difference between 2023 and 2024 is that the FATF aims to expand VACG participation to Financial Stability Board Regional Consultative Groups (FSRBs) to boost global R.15 implementation.
Next Steps for the Ecosystem
Public Sector Recommendations
Jurisdictions should identify and assess ML/TF risks associated with virtual assets and VASPs, implementing appropriate risk mitigation measures to manage regulatory and supervisory challenges. Policies on VASPs should be developed and implemented, whether permitting or prohibiting their use, with monitoring, supervision, and enforcement against non-compliance to ensure adherence to regulations.
To mitigate these risks, jurisdictions must ensure VASPs are licensed or registered, conduct supervisory inspections, and take necessary enforcement actions. When developing licensing or registration frameworks, jurisdictions should also consider risks associated with offshore VASPs and incorporate suitable risk mitigation measures.
Jurisdictions must urgently introduce legislation or regulations to implement the Travel Rule and ensure its rapid operationalisation through effective supervision and enforcement.
Additionally, jurisdictions should engage with the VASP sector to enhance their understanding of Travel Rule compliance tools and ensure these tools meet FATF requirements.
Private Sector Recommendations
VASPs and Travel Rule compliance tool providers should review their tools to ensure full compliance with FATF requirements and improve compatibility between tools.
This includes technological advancements and mechanisms to facilitate effective implementation of the Travel Rule, supporting sanctions screening and transaction monitoring.
How 21 Analytics Plays a Part
As explained above, VASPs must know where they are sending the funds to as part of AML/CFT practices; that is, they need to identify their counterparties before transacting. To aid this process, we rely on the open standard by TRP, the Travel Address.
Like a Bitcoin address, a Travel Address appears as a string of characters but serves to identify the VASP that controls the receiving address. When the beneficiary wishes to receive crypto assets, they inform their VASP, which then generates a Travel Address for them. The beneficiary shares this Travel Address with the originator, like sharing bank account details in traditional finance. The originator provides the Travel Address to their VASP along with the beneficiary’s details.
Behind the scenes, the originator's VASP performs sanctions and PEP checks on the beneficiary, while the beneficiary's VASP conducts similar checks on the originator. If all checks are satisfactory, the beneficiary's VASP accepts the transfer from the originator's VASP, allowing the transaction to proceed in compliance with the Travel Rule. Finally, the Transaction ID is relayed to the beneficiary's VASP, completing the transfer process.
Additionally, to combat the “risks” associated with self-hosted wallets, 21 Travel Rule allows VASPs to verify self-hosted wallet addresses via means like the Satoshi Test. Through this process, VASPs are able to perform the relevant checks before a transaction takes place and avoid transacting with sanctioned entities and individuals. This feature also safeguards VASPs against mistaking a self-hosted wallet address for a VASP-hosted address. This is an issue as transfers between VASPs and transfers between VASPs and self-hosted wallets require different Travel Rule data in most instances. Should a VASP make this error it would be non-compliant with the Travel Rule.
Moreover, our team has developed various tools, such as the Travel Address Encoder, LEI Generator, and IVMS Validor, and we have published our open-source Blockbook, LEI, and IVMS 101 libraries.
When the team is not crafting Travel Rule solutions and tools, we focus on providing valuable resources that further educate on the Travel Rule, helping VASPs understand the complexities of compliance in digestible blogs and downloadable content.
Find out more about our solutions, or contact us to have your Travel Rule question answered.
