In June 2022, the Financial Action Task Force (FATF) published a report, “Targeted Update on Implementation of FATF’s Standards on Virtual Assets (VAs) and Virtual Assets Services Providers (VASPs)”, which focuses on the state of the implementation of the travel rule, among other things. The travel rule is provided for in Recommendation 16 (R16) of the FATF standards and requires firms within the private sector to obtain and/or exchange beneficiary and originator information when making VA transfers across different jurisdictions.
This regulatory analysis looks at the framework that included VAs and VASPs in the scope of FATF’s standards and provides details on legislative provisions which have been or will be implemented in various countries, as well as the consequences for a breach, when provided.
Background
In October 2018, FATF amended Recommendation 15 (R15) to clarify how the FATF standards apply to activities or transactions involving virtual assets. The amendments aimed to combat the use of virtual assets for money laundering and terrorist financing, requiring exchanges and wallet providers to implement anti-money laundering and counter-terrorist financing (AML/CTF) controls, and to be licensed or registered and supervised or monitored by national authorities. The main objective was to address the AML/CTF risks associated with the use of VAs, specifically the swift rate of transactions and the anonymity of the transactions involving VAs, which have contributed to their attractiveness for criminal purposes.
In June 2019, FATF adopted the new Interpretive Note to Recommendation 15 (INR15) as part of the FATF standards and issued Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. INR15 was reviewed in June 2021 to clarify that VASPs must identify, assess and take steps to mitigate their proliferation financing risks.
Recommendation 16 (R16) provides for wire transfers, defined by INR16 as “any transaction carried out on behalf of an originator through a financial institution by electronic means with a view to making an amount of funds available to a beneficiary person at a beneficiary financial institution, irrespective of whether the originator and the beneficiary are the same person”. R16, also called the “travel rule”, requires countries to ensure that financial institutions gather information on the originator and beneficiary of the wire transfers.
Implementation Status of R15
According to FATF’s latest report, “since June 2021, no jurisdiction has received a fully compliant rating with R.15. Only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15”. It is worth noting that the assessment is not limited to the implementation of the travel rule, but to the overall inclusion of VASPs under the scope of AML/CTF. A total of 33 of the assessed jurisdictions have been found to be partially compliant and eight of them non-compliant. The report does not specify which countries fall into either of these categories. The following are the possible levels of compliance of a country with the standards:
- Compliant, meaning that there are no deficiencies.
- Largely compliant, only minor deficiencies are identified.
- Partially compliant, moderate deficiencies.
- Non-compliant, significant deficiencies.
The same report refers to a survey conducted by FATF in March 2022, which found that 42 jurisdictions (43 percent) out of the 98 responding jurisdictions had introduced a licensing or registration regime for VAs and VASPs, in comparison with 52 out of 128 (41 percent) in June 2021. FATF’s announcement accompanying the release of the report states that these numbers “demonstrate an urgent need for jurisdictions to accelerate implementation and enforcement to mitigate criminal and terrorist misuse of virtual assets”.
Implementation Status in Europe
European Union
On June 29, 2022, the European Council announced that the Council and the European Parliament had reached a provisional agreement to update the rules which accompany the transfer of funds to include crypto-assets. According to the announcement, “the new agreement requires that the full set of originator information travel with the crypto-asset transfer, regardless of the amount of crypto assets being transacted”. The proposal is part of the European Commission’s package of proposals to strengthen the AML framework. Once the provisional agreement receives approval from the Council and the European Parliament, it will go through the formal adoption procedure and will enter into force on the 20th day following that of its publication in the Official Journal of the European Union and will become directly applicable in member states. Some countries across Europe, such as Estonia and Germany, have already implemented the travel rule.
The proposal noted that implementation of the travel rule “will also bring benefits that are not easy to assess either: being the introduction of new global FATF standards which have to be applied simultaneously in several jurisdictions around the world, it will make easier the provision of cross-border services”.
Consequences of a breach
Article 23 of the proposal updating the rules provides that member states must ensure that their administrative sanctions and measures include at least those laid down by the following articles of the proposal for the 6th Anti-Money Laundering Directive (6th AMLD), which is also part of the AML package mentioned above:
- Article 40(2), where the maximum pecuniary sanctions that can be applied amount to at least to twice the amount of the benefit derived from the breach where that benefit can be determined, or at least €1m.
- Article 40(3), where the obliged entity concerned is a credit institution or financial institution, the following sanctions can also be applied:
- In the case of a legal person, maximum administrative pecuniary sanctions of at least €10m or 10 percent of the total annual turnover according to the latest available accounts approved by the management body.
- In the case of a natural person, maximum administrative pecuniary sanctions of at least €5m or equivalent amount in the national currency.
- Article 41(1) provides administrative measures other than sanctions, including recommendations, temporary ban, suspension or withdrawal of the authorisation, which may be applied when the breaches are not deemed sufficiently serious to be punished with an administrative sanction.
Estonia
On March 15, 2022, amendments to the Money Laundering and Terrorist Financing Prevention Act entered into force, introducing the travel rule into the Estonian national legislation. The amendments require virtual currency service providers to:
- Collect at least the person's phone number and email address as contact data when verifying identity (Section 25(22)).
- Identify the identity of each customer performing a virtual currency exchange and transfer transaction and collect at least the following data about the transaction initiator (Section 25(24)):
- In case of a natural person, name, unique identifier of the transaction, payment account or virtual currency wallet identifier, identity document name and number and personal identification number or date of birth, place of birth and residential address.
- In case of a legal entity, the name, unique identifier of the transaction, payment account or virtual currency wallet identifier, registry code, if it is not available, the relevant identification code of the country of residence (a combination of numbers or letters equivalent to the registration number) and the address of the location.
Consequences of a breach
Chapter 10 of the Money Laundering and Terrorist Financing Prevention Act provides penalties for failure to comply with the provisions of the same act, specifically Section 961, which provides for breach of duties of providers of virtual currency services:
- The penalty for failure by an executive or employee of a provider of a virtual currency service to ascertain or verify any information relating to a payer, or for providing the service outside a business relationship, or for a breach of any other duties of providers of virtual currency services provided by Section 25 of the act is a fine of up to 300 fine units, where each unit according to the Estonian government portal is €4. The penalty for the same act committed by a legal person is a fine of up to €400,000.
Germany
Germany has implemented the travel rule via the Ordinance on Enhanced Due Diligence Requirements for the Transfer of Crypto Assets (Crypto Asset Transfer Ordinance - KryptoWTransferV) (Verordnung über verstärkte Sorgfaltspflichten bei dem Transfer von Kryptowerten (Kryptowertetransferverordnung – KryptoWTransferV)), which entered into force on October 1, 2021. Section 3 of the ordinance requires entities to collect, store and transmit data for transfers between crypto value service providers.
The ordinance does not provide consequences for the breaching of its provisions.
As Germany is a member state, this means that VASPs operating in Germany will be ready to comply with the EU provisions related to the travel rule once these come into force. It is worth noting that Section 7 of the ordinance provides that it will expire when the new version of Regulation (EU) 2015/847, as provided by the new proposal for a regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets (recast), enters into force.
Switzerland
Switzerland implemented the travel rule amending Article 10 of the “Ordonnance de l’Autorité fédérale de surveillance des marchés financiers du 3 juin 2015 sur la lutte contre le blanchiment d'argent et le financement du terrorisme dans le secteur financier” (FINMA ordinance on money laundering, OBA-FINMA), which establishes, among other things, the responsibility for financial intermediaries to ensure that the details related to the originator of a transaction are exact and complete and that the details of the beneficiaries are complete. This provision came into force on January 1, 2020, making the country one of the first jurisdictions across the globe to implement the travel rule.
In November 2021, the Swiss Financial Market Supervisory Authority (FINMA) specified that contracting parties must be identified if they are executing cryptocurrency exchanges with a value above CHF1,000.
EU regulations do not directly apply in Switzerland as it is not part of the union. However, the country may decide to voluntarily align with EU regulations.
Consequences of a breach
Article 9 of the ordinance provides for consequences for the breaches of the provisions of the ordinance; in particular, serious breaches may result in a ban on carrying out the activities.
United Kingdom
Regulation 64B of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) defines “inter-crypto-asset business transfer” as “a transaction carried out by two or more crypto-asset businesses which involves the making available of a crypto-asset of an originator to a beneficiary, provided that at least one of the crypto-asset businesses involved in the transaction is carrying on business in the United Kingdom in respect of the transaction (whether that is a crypto-asset business acting for the originator or a crypto-asset business acting for the beneficiary or an intermediary crypto-asset business)”.
Regulation 5 of the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 implements the travel rule in the UK and will enter into force on September 1, 2023. It follows HM Treasury’s consultation launched in July 2021 and inserts Regulation 64C in the MLRs. Paragraph 1 of the MLRs requires that when an inter-crypto-asset business transfer occurs, the originator ensures that the crypto-asset transfer is accompanied by the following information:
- The name of the originator and the beneficiary.
- If the originator or beneficiary is a firm, the registered name of the originator or beneficiary, or if there is no registered name, the trading name.
- The account number of the originator and the beneficiary, or if there is no account number, the unique transaction identifier.
Paragraph 3, Regulation 64C of the MLRs requires crypto-asset businesses executing the inter-crypto-asset business transfer (including any intermediary crypto-asset business) that carry out business in the UK in relation to the transaction to provide the information specified in paragraph 6 when requested by the crypto-asset business of the beneficiary.
Consequences of a breach
Article 74C of the MLRs states that the Financial Conduct Authority (FCA) may impose a direction in writing in relation to crypto-asset providers. A direction may be imposed for the purpose of remedying a failure to comply with a requirement under the regulations, preventing a failure to comply, or continued non-compliance with a requirement under these regulations and preventing the crypto-asset business from being used for money laundering or terrorist financing.
Conclusion
Characteristics of VAs, such as making possible transactions without identifying the identities of the persons involved in the transaction, have made them attractive for criminal purposes. Therefore, the need to prevent their use for illicit activities led FATF, via R15, to include them within the scope of its standards, including R16 on wire transfers (the travel rule). In June 2022, FATF reported on the status of the implementation of R15, specifying that no jurisdiction has been classified as fully compliant with said recommendation, and in a statement alongside the findings stated that jurisdictions needed to accelerate implementation and enforcement.
Across Europe, steps have been taken to implement the travel rule, with Estonia, Germany, Switzerland and the UK having already transposed it into their national legal framework. Whereas at EU level, although the provisional agreement on the application of the proposal updating the rules to include transfers of crypto-assets has been approved, the agreement still needs final approval and then to go through the formal adoption procedure before it becomes directly applicable in member states. Once the proposal enters into force, Germany’s Ordinance on Enhanced Due Diligence Requirements for the Transfer of Crypto Assets will no longer be applicable, as expressly provided by the ordinance. A similar provision is provided by Estonia’s Law to amend the Money Laundering and Terrorist Financing Prevention Act and other laws. EU regulations prevail over national law, in case of conflict, because they have direct effect.
It is too early to evaluate the impacts of implementation, as the provisions are still to be implemented or to enter into force or have only entered into force recently. However, consequences for their breaches are provided and VASPs are already expected to be compliant in jurisdictions such as Switzerland, Estonia and Germany. In other jurisdictions, such as the UK, the regulations are still to enter into force, allowing obliged entities time to adapt to avoid enforcement action from the authority deterring and punishing the use of VAs for illicit purposes.