In June 2019, the Financial Action Task Force (FATF) advised its members that anti-money laundering and countering of terrorism financing (AML/CTF) efforts must extend to activities involving Virtual Assets (VA) and Virtual Asset Service Providers (VASPs) in line with its recommendations.

Notably, FATF Recommendation 16 for wire transfers requires that VASPs exchange originator and beneficiary information with a counterparty immediately and securely following a VA transfer. As the data must “travel” between VASPs, the term “travel rule” was coined.

The Sun is Shining

Globally, implementation of the travel rule has been slow, with the FATF reporting that only a fraction of its wider network of members had established relevant travel rule legislation by June 2020, one year after the AML/CTF global standards were published. In the absence of a harmonized global framework, VASPs today have to cope with varying degrees of implementation in each jurisdiction, a challenge commonly referred to as the “sunrise issue”.

Meanwhile in Switzerland, the sun has been brightly shining in the picturesque Crypto Valley since August 2019, when the Swiss Financial Market Authority (FINMA) clarified that the FATF travel rule was already established in the local legislation.

Notably, Article 10 of the Swiss AMLO-FINMA clarified that VASPs or financial intermediaries (FI) that process payment orders with other FIs must:

“…disclose the client's name, account number and address as well as the name and account number of the beneficiary. If no account number is available, the institution shall provide a transaction-referenced identification number. The address may be replaced with the client's date of birth and place of birth, his/her client number or his/her national ID number.”

Financial Intermediation 101

As a friendly reminder, a service provider in the blockchain space engages in financial intermediation (and is therefore subject to the provisions of the Swiss AML Act and its Ordinances, including Article 10) when offering the following professional services:

  • custodial wallets;
  • trading platforms that exert technical controls or otherwise influence a client’s transaction (e.g. by confirming, approving, or blocking orders via smart contracts);
  • currency exchanges (professional purchase and sale of VAs);
  • crypto funds
  • issuance of payment tokens or hybrid payment tokens (that offer both payment and other asset or utility functionalities)

The above financial intermediation activities are in addition to the traditional activities that may be undertaken by blockchain-based providers, all of which are listed in Article 2 of the Swiss AML Act. They include entities that:

  • offer banking, collective investment or insurance services,
  • deal in securities or offer security deposit services;
  • accept cash as part of a commercial transactions above CHF 100,000;
  • carry out money or asset transfer transactions (transmit liquid financial assets to a third party on behalf of a contractual party).

In Switzerland a VASP is deemed to practice its activity professionally if it:

a) achieves a gross revenue of more than CHF 50,000 per calendar year;

b) established business relationships with more than 20 contractual parties who engage with the FI more than once per calendar year;

c) has unlimited control of third-party funds in excess of CHF 5 million, or

d) performs transactions at a volume of more than over CHF 2 million per year.

Same Same but Different

While the clarity provided by FINMA in its 02/2019 Guidance on the application of the travel rule was welcomed by the community, FINMA equally took the opportunity to establish several other requirements to strengthen the fight against money laundering and terrorism financing involving digital currencies.

Unlike the FATF, which only requires a VASP to transmit blockchain transaction data where the beneficiary’s wallet or address is hosted by another VASP, FINMA requires that Swiss FIs identify the beneficial owner of all external wallets or addresses, in the same manner as they would a client, prior to engaging in any VA transaction. Specifically:

  • for transfers to/from an external private wallet (i.e. unregulated, non-custodial) belonging to an existing onboarded client, a FI must verify that the client has the power of disposal over the assets contained in his/her external private wallets by using “suitable technical means”; or
  • for transfers to/from an external private wallet belonging to an external third party (not an existing client), the financial intermediary must (a) verify the identity of the third party, (b) establish the beneficial owner, and (c) verify the third party's power of disposal over the external wallet by using suitable technical measures.

Concretely, this means that if John (who has an account with a Swiss VASP) wishes to transfer CHF 100.- to his brother Bob (who has a private Mycelium wallet) to repay him for the birthday gift they jointly offered their mother, John’s VASP will be required to validate Bob’s identity and prove that he’s the beneficial owner (i.e. has the power of disposal) over his MyCelium wallet.

The technical means used to prove that an individual has the power of disposal over digital assets is not defined by FINMA, however common practices include sending micro-transactions (a.k.a. Satoshi test) or digitally-signed messages, both enabled by using the private key of a wallet or addresses, or by demonstrating that an individual has access to a wallet account using digital means (e.g. video).

Travel Embargo

FINMA equally states that the transmission of originator and beneficiary information under the travel rule should only take place with VASPs "which are subject to appropriate AMLA supervision". This means that Swiss VASPs must not only identify all 3rd party wallet owners, but also establish the identity, jurisdiction and supervisory status of their counterpart VASP prior to transmitting transaction information.

Essentially, this means that if you’re a VASP registered in a country identified by the FATF as “high risk” (i.e. DPRK and Iran) or jurisdictions “under increased monitoring” (e.g. Albania, Pakistan, Jamaica and a dozen others), your chances of exchanging blockchain transaction information with a Swiss VASP under the travel rule are slim to none.

The Compliance Run: Alpine Hurdles

Currently, various entities are working on SWIFT-like second-layer protocols for transmitting transaction information in conformity with the travel rule (e.g. OpenVASP and its SaaS implementation providers Lykke, 21 Analytics, Nota Bene, etc.). Until then, compliance may be achieved by exchanging the relevant information by means of secure email or alternative forms of secure communication. Prior to transmitting transaction information using this method, Swiss VASPs must first take steps to establish a bilateral agreement with a counterparty VASP that clarifies what and how information will be transmitted between parties.

Additionally, while the FATF recommends that the requirements of the travel rule apply only to VA transactions above USD/EUR 1,000, in Switzerland, parties involved in a FIAT or VA exchange transaction currently only need to be identified for transactions above CHF 5,000 (a value that will be further reduced to CHF 1,000 by FINMA later this year). However, for such a threshold to apply, a 2-party transaction must be ensured (i.e. the identity of the owner is verified, beneficial ownership is known, and ownership of the wallet is proven using suitable technical means). Failure to technically ensure that a transmission involves only 2 parties results in the classification of the transaction as a payment transaction involving 3 parties, where the threshold for identity verification is zero, meaning all parties must be identified at all times. This is why, in our previous example, John’s brother Bob will need to be KYC’d by John’s VASP, even if the transaction was only CHF 100.

As a final differentiating step, the FATF recommends a minimum data retention period of 5 years, however Swiss VASP must abide by the proscribed 10-year retention period.

The Struggle is Real

Until most jurisdictions implement similar travel rule requirements and VASPs implement a SWIFT-like second-layer protocol to communicate transaction data immediately and securely, Swiss VASPs will face considerable additional operational costs in the road to AML and travelrule compliance.

The above requirements are compounded by the use of privacy mechanisms in blockchain transactions, such as HD wallets that use dynamic addresses, making the process of identifying the beneficial owner and proving power of disposal over each new address much more challenging. While solutions exist and have been implemented by a limited number of Swiss crypto banks and exchanges, resulting in some of the most advanced and robust AML/CTF programs in operation globally, the hurdle for smaller startups is high.

To facilitate compliance with the travel rule, Swiss FIs wishing to send and receive VAs from external wallets are recommended to establish a process to distinguish external addresses that are:

a) belonging to clients or prevetted 3rd parties, which have already been identified and for which beneficial ownership and power of disposal has been confirmed; or

b) are unknown and hosted by a VASP, for which originator and beneficiary information must be exchanged under the travel rule;

c) are unknown and must be blocked pending additional due diligence (e.g. beneficial ownership, etc.).

Light at the End of the Tunnel

In the blockchain space, Switzerland is currently recognized as a jurisdiction with the highest standards in regards to AML/CTF, closely followed by Singapore (MAS recently requiring evidence of controls with regards to private wallets prior to the issuance of mandatory licensing) and the US (FINCEN reportedly warned industry that enforcement with the BSA will begin early 2021).

By ensuring full visibility into transactions to/from external wallets, including beneficial owners of private wallets, Swiss VASPs will not only be ahead of the curve in the fight against money laundering and terrorism financing, but also be in a position to transact with all market players, including counterparty VASPs operating from the most compliant jurisdictions or with low-risk appetites.

There is no doubt that the Crypto Valley will continue to attract blockchain innovators that will value its political stability, highly educated workforce and tax advantages. And while FINMA’s AML requirements may present additional challenges to VASPs in the short term, pending the development of automated travel rule solutions, we anticipate that licensing and registration in one of the world’s most stringent jurisdictions will give greater confidence to institutional investors that assets will be safeguarded and transacted with lower risk.

In short, good things come to those who don’t cut compliance corners in the block of the long financial revolution marathon.