Travel Rule legal implications

Avoid costly fines and reputational damage.

Since the FATF Recommendations are not legally binding, they need to be implemented into domestic legislation by the relevant legislative bodies on a national/regional level. Therefore, such bodies have a high degree of flexibility when implementing the FATF recommendations into domestic legislation.

As a result, several complications may arise, which are listed below.

Sunrise issue

Cryptocurrency exchanges and other virtual asset service providers are working on solutions to comply with the Travel Rule, such as implementing identity verification processes and information-sharing protocols.

However, they are implementing their AML/CFT frameworks at a different pace. As a result, some jurisdictions require their VASPs to comply with the Travel Rule before others.

This creates a challenge for VASPs when determining what approach to deal with VASPs in jurisdictions where the Travel Rule is not yet in force.

Sumsub solution

Sumsub allows its clients to verify non-Travel Rule eligible transactions by contacting a counterparty VASP via a secure data exchange protocol or via the Email Notification Tool (for the VASPs that are not in any of the supported networks).

Sumsub may also provide a free account to exchange required data if the counterparty is ready to transfer/receive data.

Apart from that, Sumsub performs counterparty VASP due diligence via its partners to determine potential risks posed by the target VASP and help its clients decide whether to transact with a specific VASP.

Transactions with unlicensed/unregistered VASPs

Based on the local authorities' recommendations, VASPs should determine whether to perform transactions with unlicensed/unregulated foreign VASPs.

Jurisdictions may take the following approaches regarding how domestic VASPs can interact with their foreign counterparts:

  • Allowing domestic VASPs to transact with any foreign VASPs, regardless of licensing/registration, Travel Rule compliance, or related risk mitigation measures.
  • Limiting transactions to only foreign VASPs that are licensed/registered.
  • Limiting transactions to foreign VASPs that are licensed/registered and complying with the Travel Rule.
  • Limiting Travel Rule requirements to foreign VASPs that are licensed/registered in specific jurisdictions and/or complying with the Travel Rule.
  • Allowing transactions with unlicensed/unregistered foreign VASPs with appropriate risk mitigations in place.

Sumsub solution

Sumsub is able to determine whether the VA transaction is carried out with a VASP or an unhosted wallet as well as establish the identity of the Counterparty VASP.

Sumsub performs VASP attribution based on several inputs:

  • Information provided by the Client attempting to complete a VA Transfer.
  • Sumsub's own information based on prior similar transfers.
  • Wallet attribution data.
  • Data provided by data partners.

Interactions with unhosted wallets

Businesses should also determine their actions in case of transactions with unhosted wallets. For example, local regulators may oblige them to collect relevant Travel Rule information.

Jurisdictions may take the following approaches:

  • Requiring VASPs to collect relevant Travel Rule information on unhosted wallets from their customer.
  • Applying additional mitigation measures or limiting transactions with unhosted wallets (such as verifying the identity of the unhosted wallet owner or performing enhanced due diligence).
  • Restricting limiting transactions with unhosted wallets.
  • Verifying the control of the unhosted wallet via a variety of methods.

Sumsub solution

In case the counterparty is identified as an unhosted wallet, in addition to the above, Sumsub will attempt to verify such wallet as described in this article.

Situations when the Counterparty VASP cannot be contacted

In such situations (mainly when you are the originating VASP), businesses need to collect the relevant evidence of their attempt to contact the counterparty.

Sumsub solution

In such situations particularly, when the Sumsub client is the originating VASP, Sumsub uses the Email Notification Tool

Additionally, Sumsub also provides a set of default rules and custom rules for VASPs to conduct a risk based approach to handle transactions in real time.

Interoperability issue

The counterparty VASPs may have different data exchange protocols, which will prevent them from sharing the required information.

In general, the issue can be solved on multiple levels:

  • On the VASP level, if a VASP choses to integrate multiple data exchange protocols.
  • On the solution provider level, if a Travel Rule solution provider integrates multiple data exchange protools within its solution.
  • On the protocol level, whereby there is a protocol-level bridge between data exchange protocols.

Sumsub solution

Sumsub offers two options to address the interoperability issue:

  • A VASP can use the Sumsub Travel Rule solution by setting up the free account. The free account allows VASPs to manually transfer the data about originator and beneficiary directly, and/or confirm travel rule transactions.

📘

Note

Transactions confirmation, in this case, refers to the ability of the counterparty VASP to certify that the wallet address belongs/does not belong to it and its respective customer.

  • Sumsub Travel Rule solution integrates with [Protocol Partners](doc: protocols) to broaden the scope of VASPs with which counterparties can interact. Current integrated protocols include GTR (Global Travel Rule), TRP, and CODE.

Other Issues

  • Differences in travel rule requirements. Jurisdictions implement Travel Rule differently by establishing different de-minimis transaction value thresholds, the scope of information required to be collected/transmitted, and so on.
  • Data protection and privacy issues. Most jurisdictions require licensed/registered VASPs to meet local DPP regulations when processing personal data following national AML/CFT requirements. Some jurisdictions imposed additional data security requirements on VASPs in the process of registration/licensing approvals, such as asking to obtain an information security certificate.
  • Processing cross-border transfers. Due to jurisdictional differences, a VASP needs to be able to distinguish between a domestic VA Transaction and a cross-border VA Transaction to determine which rules and regulations to follow.
  • Dealing with inaccurate or incomplete information. Where the beneficiary VASP becomes aware that the information is missing or incomplete, when receiving VA Transfers transfers of virtual assets, it shall reject the transfer and ask for the required information on the originator and the beneficiary before determining whether to makemaking the virtual assets available to the Beneficiary.

Sumsub solution

Sumsub addresses these issues by creating preset combinations of Rules for each jurisdiction and offering sophisticated rules engine that allows to create Rules and tailor the solution to their specific policies, procedures, and situations.