Compliance Challenges: Crypto and the Travel Rule

The “Travel Rule,” otherwise known as the funds transfer recordkeeping regulation, requires financial institutions, including non-bank financial institutions, to transmit transactions and customer details to the next institution for certain transmittals of funds. Federal regulators designed the rule to aid law enforcement agencies, both domestic and international, to detect, investigate and prosecute financial crimes such as money laundering by maintaining an information trail of transaction originators and beneficiaries.

The travel rule came into effect around 1996 following issuance by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) under the Bank Secrecy Act (BSA). In March 2013, FinCEN issued guidance for people administering, exchanging or using virtual currencies. This interpretive guidance clarified the applicability of the BSA to virtual currency business models. In this guidance, FinCEN stated two rules affecting administrators and or exchangers of virtual currency.

These rules state that administrators and or exchangers of virtual currency will be considered as money transmitters and are therefore subject to the BSA if they admit to two acts:

• If they accept and transmit a convertible virtual currency (CVC).
• If they buy or sell convertible virtual currency.

FinCEN issued additional guidance six years later in May 2019; this guidance applies to certain business models involving convertible virtual currencies. It reaffirms that the Travel Rule, along with the BSA, applies to administrators and exchangers of convertible virtual currency because transactions involving CVC qualify as transmittals of funds. It also notes that the transmission of value and Travel Rule data are not required to use the same protocol or system.  According to the Travel Rule, any transfer that is equal to or exceeding $3,000 requires the originator to send the receiving financial institution a series of transmittals containing detailed information before or at the time of transaction.

Most recently, the Board of Governors of the Federal Reserve System and FinCEN issued a joint notice of proposed rulemaking on October 27, 2020.  In short, the proposed modification would reduce the threshold from $3,000 to $250 for funds transfers and transmittals of funds that begin or end outside the United States. FinCEN is likewise proposing to reduce from $3,000 to $250 the threshold in the rule requiring financial institutions to transmit to other financial institutions in the payment chain information on funds transfers and transmittals of funds that begin or end outside the United States.[1] Another important development is the official proposed change to the meaning of “money” to include “convertible virtual currency.”

Compliance with the Travel Rule has been shown to be difficult, if not currently impossible, for some. Some of the challenges have been addressed by the United States Travel Rule Working Group (USTRWG)[2], among others. The USTRWG is a group composed of U.S. Virtual Assets Service Providers (VASPs) that are collaborating to develop and maintain an industry-led solution to comply with the Travel Rule.

The goal of compliance with the Travel Rule is to create a solution to allow compliance with regulatory requirements, promote transparency and support law enforcement without compromising security and privacy.

Challenges and Potential Solutions

In an effort to achieve compliance, excessive fragmentation or division could occur, which would lead to a significant increase in the cost and complexity of the Travel Rule. In order to prevent that, VASPs must be willing to integrate with various solutions in order to achieve the full coverage of possible counterparty VASPs. It will also be extremely necessary for solutions that gain critical mass to be interoperable with one another.

Data security is another issue that arises because of the sensitive nature of data and information being transmitted to and from various institutions. A high risk of malicious attacks in the non-face-to-face domain is highly possible and, as a result, the parties must place a high priority on securing the transmitted data. Due to the need to protect the security of sensitive data, customer personally identifiable information (PII) and transaction data should never be shared or stored in a centralized setting. For the purpose of achieving a standardized security, strong encryption standards and data transfer protocols are required to ensure customer data is not compromised or leaked when it is transmitted or collected.

Amongst all mentioned challenges, the most complex challenge is the issue of counterparty identification. It arises from a compliance requirement of the Travel Rule to determine the identity of a counterparty that observes and controls the receiving address in a transaction made in the virtual currency industry.

The mode of transfer of value in the traditional banking industry occurs between individuals or entities. The funds are sent from financial institution “A” and are received at financial institution “B.” There is a straightforward method for “A” to identify “B” using a routing code or SWIFT code, which is provided when a transfer is requested. This method allows for the transmission of appropriate Travel Rule data to the correct counterparty.

However, with the decentralized nature of most crypto and virtual currencies, a participant is able to create an address as a destination for receiving value (typically a virtual currency “address”) without a corresponding registration of ownership in a centralized repository. When a customer of a VASP requests a withdrawal of funds to an external virtual currency address, there is no inherent mechanism or communication layer in the underlying virtual currency networks to identify the controlling entity of the receiving address. A customer of a VASP cannot determine whether the address is controlled by a VASP or by an individual, or perhaps even mutually controlled by a VASP and an individual (i.e., multi-signature addresses). Further, these networks do not allow VASPs to identify whether the entity that owns the underlying virtual currency is the same VASP that custodies the asset or controls the address.

Although blockchain analytics solutions are valuable tools that may suggest the controlling entity behind a virtual currency address, without validation from the entity itself, these tools are not 100 percent accurate and only offer a limited view of address ownership. These tools also have limited coverage, as many addresses are not clustered and identified or tagged.

For example, newly generated addresses by a VASP are typically not associated with the VASP by blockchain analytics software until one or more transactions have occurred with that address. While blockchain analytics tools offer some insight into potential ownership, they do not completely solve the “lookup” challenge of accurately identifying all transaction counterparties for Travel Rule compliance purposes. A necessary solution is to create an address-VASP lookup mechanism, which can enable VASPs to determine if an address they are transmitting to is controlled by a VASP and, if so, which VASP. However, this solution will require the participation of both the sending and receiving VASPs in order to accurately identify address owners to comply with the Travel Rule.

Implications of these Challenges on Crypto Users and Investors

When observed and analyzed from different angles, the Travel Rule is guaranteed to have major implications on the crypto sector. From an authority viewpoint, the rule presents a factual crisis that will tear apart cryptocurrency’s core material of anonymity (or pseudo-anonymity) and confidentiality. The Travel Rule looks like a forward try by international and domestic regulators to exert regulatory control over this industry. This extension of the Travel Rule could be a deterrent for some users of cryptocurrency.

On the flip side, could the Travel Rule be a blessing in disguise for cryptocurrency industry? This particular rule has been wrestling with gaining mass adoption since its origination. As cryptocurrencies have been associated with illicit transactions, regulators have repeatedly warned the general public against the mistreatment of cryptocurrencies, and banks have actively refused to trade with VASPs.

The introduction of crypto regulation announces a brand-new era that bears immense promise for virtual assets. First, it provides the much-coveted “official recognition” that has eluded the arena for years. Secondly, the recent change provides a bridge between VASPs, and therefore, the alleged financial sector. As such, it may become easier for users and VASPs to open bank accounts to facilitate crypto transactions. Third and most significant, the change provides the much-needed legitimacy for virtual assets that successively will increase their potential for mass adoption.

The Travel Rule brings a further layer of transparency for virtual assets and payments. It also helps to eliminate risky actors’ concealment behind the veil of anonymity afforded by some cryptocurrencies. Therefore, this extension of the Travel Rule may boost the usage and acceptance of cryptocurrencies as a medium of exchange.

Conclusion

Even though the new Travel Rule was brought forward to maintain the stability of the cryptocurrency industry, the shortage of technical resolution is proving to be a great challenge on various levels.

Virtual asset businesses and other crypto currency exchanges are struggling with the impact and meaning of this regulatory requirement. There is a concern that increased regulation could drive the industry into the “black market,” drive businesses from the U.S. or discourage them from entering the U.S. market. This result would decrease the amount of regulated options available for U.S. consumers.

What’s certain: The industry should continue working closely with regulators to develop compliant solutions that will not hinder the future of the cryptocurrency industry from thriving in the U.S.

[1] https://public-inspection.federalregister.gov/2020-23756.pdf

[2] https://www.gdf.io/wp-content/uploads/2020/10/USTRWG-Travel-Rule-Solution-V1.pdf