How to Choose a Travel Rule Solution: FATF Guiding Questions
In 2023, the FATF released its first version of Guiding Questions for Travel Rule Compliance Tool Providers. Through research, they established that many VASPs do not know where to start or what they should consider when choosing a Travel Rule solution and provider.
The FATF stated that while the guiding questions provided may not be exhaustive, they do provide a starting point for VASPs.
This year, a follow-up guide was printed in the 2024 Targeted Update On Implementation Of The FATF Standards On Virtual Assets And Virtual Asset Service Providers. It focuses on 3 main areas: the timing and scope of Travel Rule data submission, counterparty VASP identification and due diligence, and questions on interoperability with other Travel Rule compliance tools and “in-house” tools.
The FATF emphasised that 2024’s guide should be used with 2023’s list.
Timing and Scope of Travel Rule Data Submission
Over 2023 and 2024, the FATF posed the following questions for VASPs.
Can the solution allow VASPs to submit Travel Rule data for small-value virtual asset transfers to meet varying threshold requirements across different jurisdictions (e.g., amounts under EUR 1000)?
Does it enable receiving VASPs to securely and reliably manage a large volume of transactions from multiple sources?
Does the solution cover all VA types offered or transferred by a VASP? If not, what is the alternative plan for Travel Rule compliance?
Does the solution use an embedded and structured data format that meets global industry standards such as ISO20022, enabling effective sanction screening and transaction monitoring?
Does the solution allow a VASP to securely submit and obtain Travel Rule information in time for originating, beneficiary, and intermediary institutions, either simultaneously or before the transaction is executed on the blockchain?
Does the solution enable ordering VASPs to submit Travel Rule information to certain beneficiary VASPs, or allow an originator VASP to choose not to send TR data to a counterparty VASP, automatically or pre-programmed, to avoid providing financial services to certain jurisdictions?
21 Travel Rule on the Timing and Scope of Travel Rule Data Submission
21 Travel Rule ticks all the FATF’s boxes. The solution requires VASPs to submit Travel Rule data irrespective of the transaction’s value. Moreover, it allows VASPs to submit and receive infinite transactions from multiple locations and sources.
As the solution leverages ISO 24165, it supports more than 2400 tokens, with this number increasing regularly. In fact, 21 Travel Rule’s native protocol, TRP, was the first Travel Rule protocol to adopt the DTIF-managed ISO 24165, DTI standard.
IVMS 101, a building block of TRP, serves as the globally accepted communication standard for exchanging essential originator and beneficiary details among VASPs. It has been universally adopted by major Travel Rule solution providers. IVMS 101 formats Travel Rule data in a standard manner, allowing any solution to interpret it. By doing so, appropriate sanction screening and transaction monitoring methods can be applied.
With 21 Travel Rule’s Travel Address, VASPs can learn where the crypto assets will be sent, verify if the beneficiary VASP has undergone KYV procedures (sanctions checks and PEP checks) and ensure that their counterparty hasn't been subjected to sanctions, all before disclosing additional information.
Additionally, 21 Travel Rule has the added feature of accepting or rejecting transactions before any on-chain activity, adding even more security. VASPs can identify the country from which a transaction originates, enabling them to decline transactions from countries on a sanctions list immediately. They can also determine the sender's identity and decline the transaction accordingly if the person is on a watch or sanctions list.
This process not only saves time but also promotes further due diligence by the VASP, allowing them to inspect transaction details such as names and physical addresses before proceeding. Another security measure is that the payment address becomes visible only after the payment has been accepted, which further reduces the risk of mistakes and unwanted transactions.
Using these outcomes, the VASP can determine how to proceed with the transaction, preventing non-compliant transactions. Also, by conducting thorough KYV procedures and adhering to Travel Rule compliance standards, VASPs can ensure the security of transactions while protecting privacy.
Lastly, to enhance the security of PII transfers, 21 Travel Rule mandates transactions exclusively with vetted VASPs: no Travel Rule data is shared with VASPs that were not added to the list of trusted counterparties. This vetting process guarantees that PII is shared only with trusted entities that have undergone rigorous verification.
Counterparty VASP Identification and Due Diligence
Does the solution provide VASPs with a secure communication channel to:
Seek information on the counterparty VASP for required due diligence.
Request information on a transaction to determine if it involves high-risk or prohibited activities.
VASPs must independently assess counterparty risk as per the FATF’s 2021 Guidance. Using the same Travel Rule compliance tool or being within the same financial group does not remove the need for independent verification and meeting all relevant domestic obligations.
21 Travel Rule on Counterparty VASP Identification and Due Diligence
Firstly, it is a VASP’s responsibility to conduct due diligence on their counterparty VASP before adding it to the list of trusted counterparty VASPs, irrespective of the selected Travel Rule solution as this is a key requirement of the Travel Rule. The Travel Rule requires that a VASP has assessed the counterparty's anti-money laundering and counter-terrorism financing policies and regulatory status before initiating transactions.
Once a VASP has completed this step, they can add said VASP to their 21 Travel Rule software. Thereafter, the software (21 Travel Rule) allows users to check and manage the list of trusted VASPs.
Regarding the request for information on a transaction, all incoming transactions from trusted VASPs are accompanied by Travel Rule information and the beneficiary's wallet address. With the help of blockchain analysis tools like 21 Travel Rule’s built-in tool, Chainalysis, VASPs can better assess the risks associated with all the transactions based on the allocated risk score.
Questions on Interoperability with Other Travel Rule Compliance Tools and “In-house” Tools
This section was added in 2024 and has a deeper focus on interoperability. Questions include:
How does the solution transmit and receive Travel Rule data from external counterparty VASPs (including transaction types and amounts not covered by the solution)?
Does the solution have limitations on which VASPs it can send or receive data from?
What is the solution's customer base, and does it sufficiently meet a VASP's need to transfer virtual assets internationally?
21 Travel Rule on Questions on Interoperability with Other Travel Rule Compliance Tools and “In-house” Tools
21 Travel Rule has no limits regarding transaction amounts or VASPs it can transact with; however, per the Travel Rule, VASPs must be KYCed before any interactions can commence. While the solution has TRP as its native protocol, it is interoperable with various other protocols, therefore not limiting its reach. Moreover, if a VASP finds that their counterparty is not Travel Rule compliant or cannot transact with 21 Travel Rule, we have 21 Sunrise, which offers several fallback options.
What the FATF Failed to Tackle: Self-hosted Wallets
The FATF discusses self-hosted wallets in Section Three: Market Developments and Emerging Risks (page 30). One issue noted was the “data gaps” when studying the risks that self-hosted wallets pose followed by the FATF noting they will continue to monitor its market developments.
“The FATF will continue to monitor market developments in order to ensure that FATF Standards remain relevant in light of rapid changes and evolving risks in this space, including related to DeFi and unhosted wallets, including P2P transactions.”
[SECTION FOUR: Next Steps for the FATF and VACG. Point 72.]
While it is imperative that the FATF continue its studies on self-hosted wallets, we are convinced this topic needs to be addressed sooner rather than later. VASPs need guidance regarding choosing Travel Rule solutions that offer self-hosted wallet verification methods for a number of reasons.
Many regions that have adopted the Travel Rule are focused on transactions involving self-hosted wallets and VASPs, sometimes requiring proof of ownership of the self-hosted wallet address.
From a transaction monitoring perspective aligned with AML/CFT standards, this is an effective safety mechanism to prevent the transfer of illicit funds. However, the challenge for VASPs (and their customers) lies in providing proof of ownership.
Firstly, not all wallets support the same signing capabilities. Some wallets do not allow owners to select input addresses when constructing a transaction, making a Satoshi Test difficult. Additionally, some wallet owners find the traditional manual signing method too complicated. While the screenshot method is an option, it is not very secure—a novice could easily tamper with the image to produce a false outcome.
Therefore, VASPs must opt for a Travel Rule solution with at least one self–hosted wallet verification method to ensure no business loss. But more importantly, from a compliance perspective, offering a self-hosted wallet verification method reduces the risk of transferring to sanctioned addresses or an unknown VASP.
Read: Regulatory Frameworks that Include Self-hosted Wallets
21 Travel Rule on Self-hosted Wallets
We suggest the following guiding questions as a starting point for VASPs when selecting a Travel Rule solution to support self-hosted wallet verification methods.
Does the solution offer at least one verification method?
Does the solution have a mechanism for recognising a self-hosted wallet address over an address held by a VASP before the transaction takes place?
Does the solution support various self-hosted wallets?
If offering the Satoshi Test, can the VASP set the transaction amount to be exchanged, for various crypto assets, and the time frame?
If offering a visual proof method, what options are available to the VASP to upload the proofs?
Does the solution allow VASPs to download the proofs?
Does the solution provide a risk score for the self-hosted wallet address?
Does the solution support XPUBs?
21 Travel Rule supports all of the above recommendations and offers 4 verification methods, allowing VASPs to choose the one that best suits their needs.
For every question and recommendation from the FATF, 21 Travel Rule has a solution. Contact us to find out how you can easily tackle the Travel Rule and its challenges.