Guidelines for Choosing Travel Rule Technological Solutions
This year, the 2024 FATF Targeted Update on Implementation of the Standards on Virtual Assets and Virtual Asset Service Providers includes a follow-up guide for VASPs choosing Travel Rule solutions.
It focuses on three main areas: the timing and scope of Travel Rule data submission, counterparty VASP identification and due diligence, and questions on interoperability with other Travel Rule compliance tools and “in-house” tools.
The FATF emphasised that the 2024 guide should be used in conjunction with the 2023 guide (summarised below).
Read the latest version, "How to Choose a Travel Rule Solution: FATF Guiding Questions", here.
2023's Guidelines for Choosing Travel Rule Technological Solutions
As part of their Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers, the Financial Action Task Force (FATF) included guidelines to aid virtual asset service providers (VASPs) in choosing Travel Rule solutions and providers.
Through research, the FATF found that many VASPs were unsure of how to choose a solution. It was determined that the biggest issue experienced by most VASPs was that they did not know what they should be looking for in a solution.
The FATF advised that while the list published in their June 2023 Targeted Update is not exhaustive, it does offer a starting point.
The list can be broken down into 4 main categories, namely:
interoperability with other Travel Rule solution tools,
timing and scope of Travel Rule data submission,
counterparty VASP identification and due diligence, and
recording and transaction monitoring.
Below we will clarify each of these questions and provide further guidance to help your compliance team through the challenge of choosing a Travel Rule provider.
Interoperability With Other Travel Rule Solution Tools
The FATF posed the following questions regarding interoperability:
is the solution interoperable with other tools?
what kind of interoperability is embedded within the tool, and when will interoperability testing be conducted?
what kind of interoperability testing has been conducted?
In response to the above, interoperability is crucial for VASPs as there is no single solution or protocol for Travel Rule data exchange, but many. VASPs cannot be sure of what solution their counterparty is using but need to know that irrespective of the solution, they will be able to transact.
To be interoperable, two solutions need to use the same protocol. A protocol is the language used by a solution. If solutions have the same language, they can communicate.
To make it more straightforward: 21 Travel Rule is a solution; one of the protocols it uses is the Travel Rule Protocol (TRP). Suppose a VASP uses 21 Travel Rule and transacts with a VASP that uses a Travel Rule solution from another provider that also supports TRP, the data transfer will be successful as the solutions are interoperable - they speak the same language and will be able to communicate with each other.
Therefore, it is vital to check whether the providers have conducted tests with other solutions for the protocols that they support.
Moreover, 21 Travel Rule is multiprotocol. In other words, it speaks more than one language, enabling communication with more VASPs, resulting in more compliant transactions!
Our recommendation to VASPs is to ask the solution provider the FATF’s questions and our questions below:
which protocols does the solution use?
who have they tested with?
Timing and Scope of Travel Rule Data Submission
For the timing and scope of data rule submission, the FATF asked the following:
can the solution enable VASPs to submit Travel Rule data for small value virtual asset transfers to accommodate varying threshold requirements across jurisdictions? (For example, amounts under EUR 1000).
does the solution cover all virtual asset types?
does it enable receiving VASPs to obtain and handle a reasonably large volume of transactions from multiple destinations securely and stably?
does the solution provide a function that allows an originator VASP to choose not to send Travel Rule data to a counterparty VASP?
The above guiding questions form a sound basis of what to look for in a product.
If a solution cannot perform these basics, VASPs will be limited to the entities they can transact with.
A VASP’s main goal is to conduct transfers quickly and efficiently while remaining compliant with the Travel Rule - not just for their customer but for their business as well.
Therefore it makes sense to have a product that can provide them with the functionalities that make all of the above possible - nobody wants to be left dealing with minor details of what a solution can or can’t do. Both VASPs and their customers want simplicity.
On top of the FATF’s proposed questions, we suggest establishing if the solution can be customised. Here are some examples:
is there an option to deny transactions according to a VASP’s risk appetite and compliance program?
is it possible to configure sanctions checks in the solution to avoid transactions from sanctioned countries or people?
In response to the above, with 21 Travel Rule, even the most esoteric virtual asset is covered with our ever-expanding list of 422 supported virtual assets.
When using TRP, inbound transactions can be rejected or approved before any on-chain activity happens.
21 Travel Rule can be easily configured to fit the VASP’s choice of Know-Your-Transaction (KYT) provider. Examples include products such as Coinfirm and Chainalysis for risk assessment or identifying risk-related details about the beneficiary.
One final question that should be posed is: is the solution on-premises or Software-as-a-Service (SaaS)?
Why Does It Matter If Your Travel Rule Solution Is On-Premises or SaaS?
On-premises means the solution is set up and run on the VASP company’s servers. No third party can access the data exchanged through it since it is on their company’s premises.
No third party has knowledge of the transactions - except the VASPs that have been sent information to, since that is the goal of having a Travel Rule solution. It is all done in-house, which is important for security.
Using an on-premises solution, VASPs can better adhere to General Data Protection Regulations (GDPRs), as data is not shared with its Travel Rule provider and is as safe as the VASP handles it. In other words, VASPs have complete control over the stored customer data allowing full compliance with the European GDPR.
Counterparty VASP Identification and Due Diligence
The FATF suggested that the Travel Rule solution should facilitate the ordering VASP in identifying the counterparty VASP for virtual asset transfers. While the tool is not a mandatory requirement by the FATF, it will address the first challenge the ordering VASP faces.
Read How the TRP Travel Address Solves the FATF Travel Rule and Is There a Difference Between an IBAN and a Travel Address? to learn more about the Travel Address.
Moreover, the FATF recommends that the tool offer VASPs a means of communication to aid in contacting a counterparty VASP to:
gather information about the counterparty VASP for conducting necessary due diligence on the counterparty, and
request details about a specific transaction to determine if it involves high-risk or prohibited activities.
Again our chosen protocol, TRP, facilitates the lives of VASPs with its Travel Address. Similar to a Bitcoin address, a Travel Address looks like an opaque string of characters, but it contains the beneficiary VASP’s name when decoded.
It also allows the VASP to:
double-check with the originator where the virtual assets are being sent, as this information is present in the Travel Address provided,
check if the beneficiary VASP has been KYVed before any further information is shared, and
check if the VASP has been sanctioned.
Recording and Transaction Monitoring
The FATF had a critical question for record-keeping and transaction monitoring:
does the solution facilitate record keeping and transaction monitoring (retaining data for 5 years and allow user VASPs to download data)?
With the advancements in the regulations for crypto transactions, it stands to reason that record keeping and monitoring form an essential part of the package.
Jurisdiction-dependent, record keeping needs to be for a minimum of 5 years according to FATF recommendations to regulators. Moreover, the records need to be accessible if an inspection from financial and law enforcement agencies is required.
Additional questions to ask include:
can this information be extracted easily?
which formats can the information be extracted in? (i.e .csv, .xlsx, .pdf and so forth).
21 Travel Rule allows VASPs to store data for 5 years, and the information can be downloaded in various formats to fit their compliance needs and processes.
Choosing a solution for the Travel Rule shouldn’t be painful. Choose a solution that will make the compliance journey as streamlined as possible.
Want to see more 21 Travel Rule features? Check out our Version 6 release. Better yet, would you like to see 21 Travel Rule in action? Let us show you.