A couple of years ago, as you may have read in the Financial Times at the time, the Financial Action Task Force (FATF) extended their recommendations to include cryptocurrency exchange and wallet providers and such like, referred to as Virtual Asset Service Providers (VASPs). This meant that all countries must supervise and monitor these, and that they should apply anti-money laundering and anti-terrorist financing controls: that is, customer due diligence (CDD), suspicious transaction reporting (STR) and the “travel rule”.
The decision to apply the same travel rule on VASPs as on traditional financial institutions was greeted with some dismay in the cryptocurrency world, because it means that the service providers must collect and exchange customer information during transactions. The technically non-binding guidance on how member jurisdictions should regulate their ‘virtual asset’ marketplace included the contentious detail that whenever a user of one exchange sends cryptocurrency worth more than 1,000 dollars or euros to a user of a different exchange, the originating exchange must send identifying information about both the sender and the intended recipient to the beneficiary exchange. The information must also be recorded and made available to “appropriate authorities on request”.
This identifying information, according to the FATF Interpretive Note to Recommendation 16, should include name and account number of the originator and benefactor, the originator’s (physical) address, national identity number (or something similar) or date and place of birth. In essence, this means that personal information will be smeared all over the interweb tubes. My good friend Simon Lelieveldt, who is very well-informed and level-headed about such things, said at the time that this is a “disproportional silly measure by regulators who don’t understand blockchain technology”, which may be a little harsh even if not too far from the truth.
Anyway, some folks from the land of crypto have put together a standard for implementing the travel rule in the hope of spurring interoperability and reducing the costs for all involved. The standard, known as IVMS101, defines a uniform model for data that must be exchanged by virtual asset service providers (VASPs) alongside cryptocurrency transactions. The standard (you can download it here) will identify the senders and receivers of crypto payments, with such information “traveling” alongside the cryptocurrency transactions but along a separate path (that is, the IVMS101 messages do not themselves need the blockchain or any other crypto infrastructure).
(If you are wondering why it’s called IVMS101, it’s because the SWIFT MT101 message is the global standard request for the electronic transfer of funds from one account to another. For those of us in the payments world, MT101 is mother’s milk: mandatory Tag 20 Sender Reference, optional Tag 21 Customer Specified Reference and so on and so on. The MT101 message is used throughout the business world to send bulk payment instructions (ie, a header and multiple payment instructions in a single message). There is also the MT103 message that instructs a single transfer but this is mainly used to move funds between banks and other financial institutions such as money transfer companies.)
IVMS101 is pretty thorough and it sets out in detail what messages should be passed from (eg) one Bitcoin exchange to another, along the lines of:
if the originator is a NaturalPerson then either (
with an addressType value of GEOG or HOME or BIZZ
and/or dateAndPlaceOfBirth )
This sort of thing is needed because there’s no global standard digital identity that could be attached to messages so market participants have to make do with national solutions or proxies. Nevertheless, it’s a good standard (as you’d expect when you see who wrote it) but uncharitable persons might well be asking what the point of it is because law enforcement agencies can already get this information by presenting a warrant. What the travel rule does is to, essentially, automate mass surveillance without a warrant or any other oversight and force personal information on to marketplace intermediaries (where, in my opinion, it doesn’t belong – my date and place of birth is no business of either intermediary exchanges or, indeed, the destination exchange). What’s more, since the travel rule is for value transfers between exchanges, it seems rather unlikely that it will catch any criminal flows at all.
I, for example, have a Coinbase hosted Bitcoin wallet and a Bitcoin wallet on a USB stick. If I want to send money to criminals, I will transfer it from my Coinbase wallet to my USB wallet and then from my USB wallet off via mixers to the criminal’s USB wallet and the travel rule is irrelevant. The uncharitable people mentioned earlier will undoubtedly observe that since the actual travel rule doesn’t seem to have stopped money laundering which is a massive global industry, there’s no obvious reason why the virtual travel rule will stop electronic money laundering on a similar grand scale.
Writing in this month’s Chartwell “Compass” magazine, Omar Magana hits the nail on the head with respect to the travel rule, asking if “the enforcement of a regulation that was created over 20 years ago for a fast-evolving industry, may not be the best approach”. Note that he is not arguing against regulation, he is arguing (as I do) for a form of regulation more appropriate for our age (for which I use the umbrella term “Digital Due Diligence”, or DDD) using artificial intelligence and machine learning to track, trace and connect the dots to find the bad actors.
I am genuinely curious to learn more about whether the travel rule will make the slightest difference to the money launderers, so please do let me know in the comments whether such scepticism is misguided or whether the travel rule will make the world a safer place.