The Implementation of the FATF Travel Rule in terms of Virtual Assets

Introductory Analysis

During its June 2019 plenary meeting, the Financial Action Task Force (“FATF“) approved a significant change to one of its 40 Recommendations. Previously, Recommendation 16 required originator and beneficiary information for wire transactions in the conventional finance industry. Any Virtual Asset Service Provider (“VASP“) that sends digital funds to another VASP or financial institution is now required by the FATF’s revised Standards to gather and exchange real-name user information with one another and to make this information available to appropriate authorities upon request. This is dubbed as the FATF Travel Rule.

It mainly requires that financial institutions which are engaged in virtual asset (“VA”) transfers and crypto companies which are collectively referred to as VASP obtain the ‘required and accurate originator information and required beneficiary information’ and share it with counterparty VASPs or financial institutions during or before the transaction. In its updated guidance of October 2021, the FATF discusses in particular the nomenclature VA and defines it as a ‘digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.’ It is a broad interpretation leaving jurisdictions to take a functional approach to incorporate technological advancements and innovative business models in accordance with the fundamental concepts it holds.

However, with regards to digital assets encompassing the characteristics of uniqueness and which are mainly used as collectibles rather than as payment or investment instruments, also known as non-fungible tokens (“NFTs”), these do not generally fall under the remit of the aforementioned definition. However, one should go beyond the mere nomenclature of NFTs and delve into the characteristics of the particular asset in question, as it may satisfy the conditions of the definition.

Implementation of the Rule

If the travel rule is globally implemented, it could have a pivotal role in the present Anti-Money Laundering (“AML”) regime. In terms of application and adherence to this FATF standard, there is still a sense of caution and difficulties that countries must overcome. In addition, de minimis criteria, data privacy concerns, and approaches to transactions using unlicensed/unregistered and unhosted wallets continue to exacerbate the disparate responses taken by various governments to the requirements of the Travel Rule.

Consequently, this has given rise to the ‘sunrise issue’ which has been identified in both the first and second 12-month reviews conducted by the FATF. In turn, this transitory period is posing a challenge to already-compliant VASPs, leaving a loophole for criminals to base their ML from activity in countries that have not yet implemented FATF standards. Since its implementation, out of the 98 jurisdictions that responded to FATF’s March 2022 survey, a mere 29 jurisdictions reported having passed Travel Rule legislation and only 11 jurisdictions have started enforcement and supervisory measures.

The European Union (“EU”) has reached a provisional agreement on 29 June 2022, on the text regarding the European Commission’s proposal for a recast of Regulation (EU) 2015/847 (Transfer of Funds Regulation (“TFR“). This proposal is part of a larger package of four legislative proposals to achieve a more coherent anti-money laundering regulatory and institutional framework within the EU. The proposal extends the Travel Rule to transfers of crypto assets following the recommendation of the FATF. Moreover, in terms of EU regulators, in particular, the Austrian Financial Market Authority (“FMA”) already requires to a certain extent that Crypto-Asset Service Providers (“CASPs”) comply with FATF Travel Rule.

As for Malta, despite that it is not an official member of the FATF, nevertheless it is a member of one of the FATF-Style Regional Bodies (“FSRB”), the Committee of Experts on the Evaluation of Anti-Money Laundering and the financing of terrorism (“MONEYVAL”). Malta prides with a solid regulatory infrastructure which is overseen by the Malta Financial Services Authority (“MFSA”). However, in order to maintain its standards and preserve its reputability, Malta must abide by FATF regulations. Presently, Malta already has a process whereby ‘VFA Service Providers’ are obliged to apply for a license from the MFSA in accordance with the guidance of a registered VFA Agent in terms of article 14 of the Virtual Financial Assets Act (“VFAA”).

Furthermore, in terms of implementation of the FATF Travel Rule in Malta, there is currently ongoing consultation with the MFSA whereby a proposal is set out on how it is envisaged that the requirements of Recommendation 16 shall be implemented in terms of transfers of VFAs carried out by service providers licensed under VFAA.

The proposal is in the form of a draft regulation, the Prevention of Money Laundering Act (Transfer of Virtual Financial Assets) Regulations, which is still in its consultation stage. It shall be essential as it will clarify the applicable requirements in Malta relating to the Travel Rule. In terms of the MFSA, it still lacks guidance on certain matters especially in terms of what is expected from applicants in relation to the Travel Rule.

As for the risk of data protection or AML/CFT breaches, a risk assessment is suggested to be conducted. Prior to transferring the VFAs, the MLRO must perform this on the beneficiary’s VASP. This evaluation will primarily focus on VASPs that are not subject to regulatory control or that are located in jurisdictions where Recommendation 16 has not been properly applied to VASPs. The evaluation must, above all, attest to the fact that the counterparty’s AML/CFT controls are the subject of an independent audit (which may be internal or external). Ultimately, it would be up to the applicant to reserve the discretion not to send customer information when it reasonably believes that a counterparty VASP will not handle it securely, whereas if it believes the AML/CFT risks are acceptable, it shall continue to execute the transfer.

Feel free to contact us for assistance or more information on the above.