The AML “travel rule”: a new challenge for VASPs and GDPR

Since the birth of cryptocurrency, it has been argued that virtual currencies and assets are worthy alternatives to the existing financial system.

Governments and regulators have fought long and hard to deny crypto’s legitimacy, but its popularity has made it increasingly difficult to ignore.

The news in June 2019 that Virtual Asset Service Providers (VASPs) would be subject to the Financial Action Task Force’s (FATF) “travel rule” represents an acknowledgement for crypto.

As VASPs are integrated into the global financial system, they must now abide by regulations such as FATF’s Recommendation 16. Also known as the travel rule, this requires financial services firms to collect identifying information from the originators and beneficiaries of domestic and cross-border wire transfers to create a suitable AML/CFT audit trail.

This presents its fair share of challenges for the VASPs, which are built on the principles of anonymity and decentralisation.

It already requires careful thinking and innovative solutions for the industry to adopt the travel rule safely while protecting our clients’ interests, on top of the GDPR compliance requirements for VASPs based in the EU and the UK.

Challenges

The first challenge for VASPs in meeting the travel rule starts with how to identify customers’ addresses and then to safely associate customers’ personally identifiable information (PII) with each transaction.

It’s difficult to see how VASPs can do this without affecting the transfer speed or adding significantly to the compliance costs of navigating the vastly varying AML/CFT approaches required in different parts of the world.

Developments are already happening around the world specifically addressing the travel rule challenges; however, it is likely that we will see regional solutions rather than a global one in the coming years.

As regards GDPR, this is a conversation that continues to evolve. The next question our industry must address is “What happens to our GDPR obligations for the EU and UK VASPs?”.

Some requirements of GDPR and travel rules seem incompatible at this stage, not least the fact that bulk transfer of personal data to the US is not allowed under GDPR.

What most concerns me is the issue of sharing clients’ information with global VASPs, each of which has varying levels of security standards, as well as being based in different jurisdictions with different levels of data protection and AML/CFT requirements and strengths. With so much divergence, the potential risk is that the weak links provide perfect opportunities for criminals to take advantage of.

Regulatory gaps

The timeline of the travel rule’s adoption varies from jurisdiction to jurisdiction and we are likely to be in situations where a regulated VASP will need to deal with an unregulated VASP. Early adoption of the travel rule by the EU and UK will require VASPs to put a lot more effort into complying with all applicable laws and regulations governing other financial firms with which they do business.

One of the biggest problems is that the inconsistencies across the various regulatory frameworks create a competitive advantage for those based in jurisdictions with low compliance requirements. These regulatory cracks have encouraged a “catch me if you can” mentality, which does little for our industry’s reputation, or the security of our customers.

Compliance and regulatory overheads for VASPs in regulated jurisdictions are already very high, comprising on average about 30 per cent of the total costs, compared to next to none for the competition based in light-touch jurisdictions. And the VASPs that list multiple virtual assets will likely have their problems multiplied by the number of virtual assets they list.

The challenges we face are widely recognised and we have seen both industry participants and regulators putting their heads together to find solutions that enable the successful adoption of the travel rule around the globe.

It is important for EU- and UK-based VASPs to be mindful of the risks that can result from sharing their customer information with VASPs located in countries that have weak privacy and data protection rules.

These are obstacles that we must and shall overcome if VASPs are to take their seat at the table with traditional financial services providers. It will take a lot of work to ensure that we have a lawful basis for processing personal data without compromising the revolutionary benefits that make virtual currencies so attractive to so many.

By Teggy Altankhuyag, chief operating officer, Coinfloor

Altankhuyag is a keynote speaker at FinCrime World Forum on December 1.

