UAE Corporate Compliance Update May 2022: The FATF Travel Rule for Crypto Transactions
Overview
Originally a rule for banks only to disclose personal data of all parties in each transaction, the Financial Action Task Force (FATF) Travel Rule branched out its effect into the crypto sector in 2019. Fast forward to July 2020, and the G20 as well as most other global jurisdictions incorporated these laws into their Anti Money Laundry (AML) regulatory frameworks. In the crypto-space, this builds on a so far non-existent communication network between Crypto companies.
The Travel Rule is the name given to the FATF Recommendation No. 16 against money laundering. Under said rule, any Virtual Asset Service Provider (VASP) is under the obligation to collect personal data of all participants in a transaction exceeding 1,000 USD/EUR. This directly helps authorities or financial regulators to take action against suspicious transactions by obtaining information about them. A VASP is understood as a financial institution as well as crypto company. These are required to not only collect the names but also account numbers of the sender and recipient of any such transactions above 1,000 USD/EUR.
Additional requirements exist for the sender, such as their physical address as well as national ID Number (think here of having to upload a passport or national ID card as part of an exchange’s KYC procedures), the customer identification number and the date and place of birth.
As part of the FATF Travel Rule, the data collected by the VASP has to be shared to the sender and recipient of a transaction alike – making it so that the two participants are accurately aware of each other’s data due to the transaction.
Which Companies?
As explained above, the law applies to financial institutions such as banks as well as Virtual Asset Service Providers, means Crypto Companies. It applies in extent to the FATF-member countries. Examples are Switzerland, Singapore, the United States of America and others – a full up to date list can be found at: https://www.fatf-gafi.org/countries/.
The clear distinction for this regulation lays within the activity of facilitating transfers between parties on a platform. A VASP that provides services related to Cryptocurrency that do not fall under the banner of monetary transfers would not be affected. As such, a company accepting Crypto payments would not find itself regulated by said rule, whereas a cryptocurrency exchange or a crypto payment app accepting wire transfers would have to comply with all rules laid forth by the regulation, meaning it would have to collect data on both the recipient and the sender involved in the transaction.
The sanctions upon non-compliance to the FATF Travel Rule are set by local governments. They will differ from country to country and there is no overarching system of sanction in place.
What does this mean in UAE context?
The UAE has adopted extended AML regulation, applying it to financial services activities which involve virtual crypto assets. Crypto business activities which fall under the new AML/CFT regulation are:
Exchange of crypto and fiat assets
Exchange of multiple forms of crypto assets
Any crypto asset transfers
The administration or management of crypto assets or any instrument allowing control over said asset
Any financial services related to the sale or offering of a crypto asset
A VASP is prohibited from executing a transfer in which the identity of the sender is not verified. Likewise, the recipient’s VASP is prohibited from crediting the recipient’s account or making the funds available if the recipient’s identity is not verified.
What to do to comply?
As described, VASPs are prohibited from executing orders on both sides until the identity of both the sender and recipient are verified. Therefore, companies need solutions for the collection and sending of data in order to adequately comply with this rule.
The collection process is usually covered by a company’s KYC procedures. Think here of an exchange requiring you to upload an ID, answer source of income questionnaires or uploading proof of funds before even being able to deposit or withdraw money. As an affected company (VASP), it is therefore now more than ever important to ensure comprehensive AML compliance.
On top of this, companies must establish a database of some sort of behavioral pattern, as to spot potential criminal activity in a user. Overall, this boils down to stronger KYC and AML compliance.
Of equal importance as the collection of data is the distribution or sharing of that data. Several networks exist which allow the encryption of data transfers, such as Trisa, Shyft or OpenVASP – they provide software which can be integrated into business systems, which securely transmits the customer data to other platforms. With this, the sending of data can be turned into a standard and automated procedure.
If both the expectation of correct data collection as well as transmission are met, the company effectively complies with the FATF Travel Rule.
About MCI CLT and its approach
With meanwhile 3 decades depth experience and competence in the fields of Corporate Finance, Treasury, Governance & Compliance, MCI CLT can look back on a strong track record in evaluating, installing and maintaining AML and CFT systems and arrangements in corporates of all kinds.
In focus are not only “old school” FIAT, but also Crypto related scenarios.
You may reach us for further assistance.