On March 15, 2019 at a Blockchain Symposium, FinCEN’s Director Kenneth A. Blanco made an announcement on the Travel Rule: “It applies to (Convertible Virtual Currency)  CVC and we expect you to comply, period”.  He added that “FinCEN, through delegated examiners at the Internal Revenue Service (“IRS”), has been conducting examinations that include compliance with the Funds Travel Rule since 2014. In fact, to date it is the most commonly cited violation by the IRS against MSBs engaged in CVC money transmission”.

Mr. Blanco’s comments followed FinCEN’s release, in May 2019, of its long-awaited guidance on the application of existing Anti-Money Laundering (“AML”) rules, including the Travel Rule, to virtual currency businesses.

Further, during its June 2019 plenary, the Financial Action Task Force (‘FATF”), the G20’s financial crimes watchdog, issued FATF Recommendation 16 requiring Virtual Asset Service Providers (“VASPs”) to share Personal Identifiable Information (“PII”) and Know-your-customer (“KYC”) data between transacting sender and receiver users before executing the transaction. VASPS include Cryptocurrency Exchanges, Bitcoin ATMs and Custody Providers.

Back in January 1995, the Board of Governors of the Federal Reserve and FinCEN jointly issued a Rule for banks and other nonbank financial institutions, relating to information required to be included on funds transfers. The Rule is comprised of two parts – the Recordkeeping Rule, and what’s come to be known as the Travel Rule. The Recordkeeping Rule requires financial institutions to collect and retain the information that in turn, per the Travel Rule, must be included with a funds transfer and passed along – or “travel” to each successive financial institution in the funds transfer chain.

Information Requirements:

1. The transmitter’s name;
2. The transmitter’s account number;
3. The transmitter’s address;
4. The identity of the financial institution;
5. The amount transferred; and,
6. The date of transfer.

In contrast to FATF’s guidance, FinCEN clarified that the recipient’s financial institution should retain the same information as the originator to the extent that the information has been provided by the originating money service business. The differences between the FATF and FinCEN guidance are limited, aside from the transaction thresholds: $1,000 (FATF) and $3,000 (FinCEN).

When the Travel Rule was originally enacted for bank-to-bank transfers, the information required under the rule was substantially the same as the information already required to execute the wire transfer. Originally, the most significant feature of the Travel Rule was not the collection of any additional information, but rather the requirement to transfer that information to the recipient and the requirement to retain it in case of subsequent government inquiries.

Cryptocurrencies, like Bitcoin, that settle transactions on a blockchain have unique challenges regarding Travel Rule compliance in part due to the lack of counter-party information in blockchain.

It should be noted that under the FATF and FinCEN Travel Rules, compliance is only required where funds are transferred on behalf of a client or customer between two VASPs, or between a VASP and a financial institution.

The issue emerges because VASPS often have limited information on the counter-party without which they cannot distinguish which transactions fall under the Travel Rule. For a virtual currency transaction, all that is required to execute the transaction are the virtual currency addresses of the originators and beneficiaries.

On October 23, 2020, the Board of Governors of the Federal Reserve System and FinCEN issued a joint Notice of Proposed Rulemaking (“NPRM”) soliciting public comment on proposed amendments that seek to modify the existing Recordkeeping and Travel Rules by:

• Lowering the requirement to collect, retain, and transmit information on funds transfers and transmittals of funds from $3,000 to $250 for transactions that begin or end outside the United States; and,
• Superseding the existing definition of money to include CVCs.

On December 18, 2020, FinCEN, issued a NPRM that would require banks, cryptocurrency exchanges and MSBs to collect Know Your Customer data on anyone transferring cryptocurrency worth $3,000 or more to or from a private wallet. The NPRM would impose new requirements that banks and MSBs must gather, maintain, and report information about customers engaging in virtual currency transactions with unhosted wallets. The NPRM would also impose these same requirements on transactions with hosted wallets held by a financial institution that are not subject to the BSA and are located in a foreign jurisdiction on the so-called FinCEN “Foreign Jurisdictions List.”

FinCEN has not issued any follow up information on these NPRMs.

There is still no clearly defined approach for “Travel Rule” compliance in the cryptocurrency industry. The industry has responded with various initiatives such as:

Risk-based Approach
Cryptocurrency-based companies are building regulations into their AML platforms with API-centered solutions. Risk-based approaches are adopted to freeze or deny transactions that do not comply with AML / KYC regulations. Notably, most blocked transactions originate from Unhosted wallets.

Distributed Ledger Technology
Other “Travel Rule” compliance systems, such as OpenVASP and TRISA – which are open source, rely on Distributed Ledger Technology to exchange end-to-end encrypted messages between “trusted” VASPs.

Standardized Communication
The InterVASP working group, which is comprised of leading international associations representing VASPs as a coalition of trade bodies, presented the IVMS-101 in May 2020 which is the newly adopted messaging standard for communication between VASPs.

The Travel Rule marks a major change when it comes to virtual assets and may fundamentally alter how VASPs operate in the future. To prepare for the future, Cryptocurrency exchanges must apply a risk-based approach, in addition to having clearly defined policies and procedures. Specific examples include the following.

The key to compliance with the Travel Rule is a strong due diligence or KYC process that gathers the key information at customer on-boarding. Also, blockchain analytics software exists that can help identify risk related details about the destination – owners of the cryptocurrency wallet address.

Alternatively, some exchanges have sought to comply by restricting outbound transfers that trigger the travel rule to wallets that are already owned by the customer, rather than by anyone else, so that the exchange or wallet provider can rely on information they have already collected.