- The Travel Rule (in force in the UK from 1 September 2023) requires UK-based cryptoasset businesses to collect, verify and share specific transaction information relating to transfers of cryptoassets. It advances anti-money laundering and other financial crime efforts by requiring cryptoasset businesses to detect suspicious transactions and carry out effective screening.
- UK-based cryptoasset businesses must comply with the Travel Rule before permitting an inter-cryptoasset business transfer and should verify the information it receives on the basis of a "reliable source".
- The pseudonymity of cryptoassets is a foundational attraction of the technology. In many instances, this only requires the wallet address of the beneficiary and private cryptographic key of the originator and as such can make the Travel Rule an inherently difficult requirement for cryptoasset businesses to fulfil.
On 1 September 2023, the Travel Rule requirements for cryptoassets1 came into force in the UK. The Travel Rule will require cryptoasset businesses ("CBs") to collect, verify, and share information relating to certain cryptoasset transfers.
The FCA states the Travel Rule is designed to bring "greater transparency to cryptoasset transfers" and help cryptoasset businesses "detect suspicious transactions and carry out effective sanctions screening". Although the Financial Action Task Force ("FATF") has called on other jurisdictions to implement the Travel Rule on an expedited basis, not all are acting quickly. Consequently, the application of the Travel Rule across jurisdictions will vary.
This article explains: (1) what the Travel Rule for cryptoassets is; (2) what steps are required for compliance; and (3) the challenges that CBs face to navigate the Travel Rule effectively.
What is the Travel Rule?
The Travel Rule's history is rooted in wire transfers as an anti-money laundering mechanism. It is aimed at ensuring that sufficient information would be available to the authorities to investigate the legality of a transfer and the identity of the recipients.
The Travel Rule for CBs, which has been implemented pursuant to the updated FAFT recommendations, is enacted in the new Part 7A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) ("MLRs").
To whom does the Travel Rule apply?
The Travel Rule will apply only to UK-based CBs, defined in the MLRs as a "cryptoasset exchange provider or a custodian wallet provider". Therefore, US or Asian or other non-UK CBs will not fall within scope of these requirements.
A cryptoasset exchange is defined broadly to include an entity which engages in exchanges, or arranges for the exchange of, cryptoassets. A custodian wallet provider is an entity who provides services to hold cryptoassets or cryptographic keys on behalf of its customers. A custodian wallet provider excludes non-custodial wallets (where the custodian is not involved in the transfer of the assets as the owner of the asset interacts directly with the payments system).
What steps are required for compliance?
As with the Travel Rule for wire transfers, the information required from parties to the transfer of cryptoassets varies based on the value of the transfer and whether all CBs involved in the transfer are carrying on business in the UK. UK-based CBs must collect, where relevant, inter-cryptoasset business transfers takes place:
- below the €1,000 de minimis threshold, only "basic information" relating to the name and account number of the originator (i.e. the sender) and beneficiary (i.e. the receiver);
- above the de minimis threshold, the 'basic information' of the originator and beneficiary, and also:
- if the originator is a firm, the customer identification number or address of the originator's registered office; or
- if the originator is an individual,2 the customer identification number, or address, or birth certificate number / passport number / national identity card number, or date and place of birth; and
- above the de minimis threshold, but involving only UK-based CBs, the basic information, subject to a requirement to provide (within three business days) further information to the beneficiary CB on request. Multiple linked transactions from one originator which collectively exceed the de minimis threshold will be considered as exceeding the threshold.
What challenges will cryptoasset businesses face to comply with the Travel Rule?
The challenges cryptoasset businesses may face in complying with the Travel Rule include:
- Complications arising from the prevention of an inter-cryptoasset business transfer before ensuring full compliance with the Travel Rule, and that information should be verified by the CB of the originator on the basis of a "reliable source" which is independent of the person whose identity is being verified.
- Cost of compliance to a CB who must build an internal system capable of transmitting and collecting data securely and quickly, in order to facilitate transactions for their customers.
- Cryptoasset market volatility (e.g. fluctuating price of Bitcoin) can complicate whether a transaction meets the de minimis threshold of €1,000. HM Treasury’s consultation paper stated that CBs should use a "reasonable and justifiable" method to calculate the transaction amount, but the lack of legislation on calculating transaction quantum may indicate a willingness to accept a practical approach to this assessment.
- Although the UK has adopted the Travel Rule, and despite the FATF heavily encouraging other countries to follow, the disparity between jurisdictions who have and have not enacted the Travel Rule can create practical problems for CBs. At best, CBs will need to make important internal policy decisions on how to deal with transactions which involve a jurisdiction where the Travel Rule is not yet legislated.
What guidance has the FCA provided on compliance with the Travel Rule?
Amongst other things, the FCA has issued a set of expectations for CBs subject to the Travel Rule, these include:
- Take all reasonable steps and exercise all due diligence to comply with the Travel Rule.
- Firms remain responsible for achieving compliance with the Travel Rule, even when using third-party suppliers.
- Fully comply with the Travel Rule when sending or receiving a cryptoasset transfer to a firm that is in the UK, or any jurisdiction that has implemented the Travel Rule.
- Regularly review the implementation status of the Travel Rule in other jurisdictions and adapt business processes as appropriate.
Sending a cryptoasset transfer to a jurisdiction without the Travel Rule
- Take all reasonable steps to establish whether the firm can receive the required information.
- If the firm cannot receive the necessary information, the UK cryptoasset business must still collect and verify the information as required by the MLRs and should store that information before making the cryptoasset transfer.
Receiving a cryptoasset transfer from a jurisdiction without the Travel Rule
- If the cryptoasset transfer has missing or incomplete information, UK cryptoasset businesses must consider the countries in which the firm operates and the status of the Travel Rule in those countries.
- The UK cryptoasset business should take these factors into account when making a risk-based assessment of whether to make the cryptoassets available to the beneficiary.