Three years after the global money laundering and terrorist financing watchdog extended its anti-money laundering and counter-terrorist financing standards to financial activities involving virtual assets and virtual asset service providers, a new report has identified gaps and concerns.
In 2019, the Financial Action Task Force (FATF) extended its anti-money laundering and counter-terrorist financing (AML/CFT) measures to VAs and VASPs to prevent criminal and terrorist misuse of the sector.
Referred to as the FATF Travel Rule, the update applied to an existing FATF recommendation 16, concerning cross-border and domestic wire transfers. The rule requires companies and service providers to share information about senders and recipients in cryptocurrency transactions.
A new report finds that, despite some progress, only 29 out of 98 countries have implemented the Travel Rule requirement, and even fewer are actively enforcing it. Only 11 jurisdictions have started enforcement and supervisory measures.
“This gap leaves VAs and VASPs vulnerable to misuse, and demonstrates the urgent need for jurisdictions to accelerate implementation and enforcement,” said the watchdog. “Countries that have not introduced Travel Rule legislation should do so as soon as possible, and FATF jurisdictions should lead by example by promoting implementation, and by sharing experiences and good practices.”
Clear message
David Carlisle, VP of policy and regulatory affairs at blockchain analysis provider Elliptic, says the FATF report sends the clear message that countries and the crypto industry must do more to ensure compliance and address emerging risks in the space.
He says: “Elliptic’s research has shown that criminals are increasingly using cross-chain bridges to launder funds, and that cybercriminal hacks of cross-chain bridges total more than $1billion in the first half of 2022 alone. Crypto businesses need to implement compliance solutions that enable them to monitor and detect risks related to cross-chain bridges to ensure they can manage and detect these growing risks.”
“The report makes clear that the FATF is concerned that the growing ability of criminals to access DeFi platforms that currently operate largely outside of regulation presents a major risk. It also underscores that the crypto industry needs to accelerate the implementation of Travel Rule solutions. The FATF sees the lack of comprehensive Travel Rule compliance across the industry as a major risk that could make crypto increasingly vulnerable to risks such as sanctions evasion.”
Sore heads
However, for Jerome Dickinson, chief legal counsel for crypto wealth manager OSOM.finance, FATF’s crypto travel rule push causes many headaches for the sector, with no clear bullet-proof solutions in sight.
“For starters, the travel rule is not well-adapted to crypto. A strict application of it would entail unprecedented levels of personal data collection, going far beyond what is done in the banking world. It is important to remind people that crypto exchanges are increasingly regulated (which is a good thing), and already conduct thorough AML checks on its users (e.g. all KYCied, ongoing monitoring of bank and crypto transactions etc).
“But the mapping of individuals’ identities behind each private crypto wallet (which interacts with exchanges) creates huge privacy and security risks. In the banking world, you can’t use someone’s account number to find out how much they have or who they interacted with – this is confidential. On public blockchains, however, real-time balances and whole transaction histories are always available online. All you need to do is put a given wallet number on an online search engine / scanner like Blockchain.com, Etherscan etc, and you will see everything.
“FATF’s crypto travel rule push causes many headaches for the sector, with no clear bullet-proof solutions in sight.”
“The regulated crypto industry’s position has therefore always been clear: the application of the travel rule entails disproportionate amounts of PII collection far beyond what is needed to address any legitimate AML concerns. In the EU, it may not even be compliant with the GDPR.”
Dickinson believes there are better solutions, such as allowing crypto exchanges to apply a risk-based-approach (a core concept of AML law) and use increasingly advanced AI-powered blockchain analytical tools to track illicit flows like never before, all without breaching privacy law.
“The EU’s compromise this week on unhosted wallets seems to have struck a better balance and should hopefully leave some space for the industry to find more workable solutions,” he adds.
Compliance challenge
Ben Whitby, head of regulatory affairs at Qredo – a network of digital asset custodian tools for financial institutions, says the expansion of the travel rule “represents possibly the greatest compliance challenge to the digital asset space, and projects are going to be tasked with finding ways to minimise the regulatory burden.”
“Many critique the travel rule as a breach against privacy because it requires all digital asset firms to share transactional data,” says Whitby. “While digital asset firms may have to share data, the travel rule is an essential step towards integrating the crypto ecosystem into the mainstream financial system.”
“With just a few jurisdictions having submitted their interpretations, we are already seeing a significant competitive divergence. Solid preparation will be key to success. Unlike most regulations, first movers will gain the advantage protecting their business from moving to competing, becoming compliant entities and capturing flow from laggards.”
Next steps
FATF believes there are now technical solutions available to facilitate Travel Rule compliance, but the private sector needs to continue to increase interoperability between solutions and across jurisdictions.
It acknowledges that member countries had expressed increasing concerns about decentralised finance and nonfungible tokens as difficult areas to implement FATF standards.
It will conduct a further review on progress and remaining challenges for implementation by June 2023. It will facilitate discussions with member countries on common implementation issues and challenges, and by raising awareness through G7/G20 and other high-level policy bodies.
