Navigating The Travel Rule in UAE’s Cryptocurrency Landscape
The Travel Rule: Origin and Significance in Crypto Compliance
During a webinar hosted by VAF Compliance and organized by Unlock, Gilson Costa, CEO of VAF Compliance, moderated a panel discussion wherein industry experts discussed the origin, significance, and challenges of the Travel Rule, with a particular focus on the UAE crypto landscape.
The origin of the travel rule can be traced back to the recommendations of the Financial Action Task Force (FATF). The travel rule is one sub-element of these recommendations, known FATF Recommendation 16, and applies to the context of crypto.
In traditional finance, transactions pass through systems like SWIFT, requiring the transfer of specific information to prevent financial crimes. Similarly, the travel rule serves as the equivalent requirement in the crypto space, aiming to combat money laundering and terrorist financing.
Concerns about anti-money laundering (AML) and compliance in crypto arise from the goal of combating financial crimes. Samir Safar-Aly, Financial Regulatory, Compliance & Investigations Counsel at Baker McKenzie, highlights that both crypto and traditional finance can be associated with facilitating illicit activities. Therefore, understanding the position of the travel rule in the crypto and AML landscapes is crucial for VASPs as well as other participants involved in cross-border transactions facilitated by VASPs.
Navigating the Technical Challenges of the Crypto Travel Rule
From a technical standpoint, cryptocurrencies present significant differences compared to traditional fiat systems, particularly in terms of standardized methods for transactions. In response to this disparity, regulators have intervened to combat misconduct in crypto operations, as recommended by FATF.
Harm Aarts, Co-founder and Chief of Product at 21 Analytics, highlights the challenge of machine-to-machine communication in effectively transferring beneficiary and originator information. Switzerland enforced the travel rule, mandating VASPs to comply, but cross-jurisdictional transactions add complexity. Most Swiss VASPs avoid transferring coins to other VASPs, bypassing the travel rule, which raises concerns about ownership claims for self-hosted or unhosted wallets. To address this, Switzerland implemented the Satoshi test for verification, ensuring authenticity and mitigating potential dishonesty or mistakes.
Implementing the data gathering and transmission process becomes increasingly complex due to various challenges specific to the crypto space. Harm mentions the “sunrise issue“, where compliance with the travel rule is required, but counterparties in other jurisdictions lack the same obligation. The “VASP discovery” problem also arises when a user wants to withdraw coins to an address with an unknown owner, necessitating a discovery process.
Navigating Commercial Realities: Streamlining Compliance in the Crypto Industry
Andrew Kimbrough, Senior Manager at XWISS AG, focuses on the practical objective of combating money laundering and streamlining the process of filing suspicious activity reports (SARs) in the crypto industry. Unlike the traditional fiat space with established procedures for information exchange, the crypto space often involves unregulated entities exchanging information. Verifying control over unhosted wallets poses a challenge for Virtual Asset Service Providers (VASPs).
Verification processes vary among regulators and individual VASPs, introducing complexity within the industry. In Switzerland, banks are allowed to whitelist wallets for a limited period, while different jurisdictions may have different approaches. Risk appetite also influences verification requirements, with some firms demanding verification for every transaction. Inconsistencies and unclear regulations further complicate matters, necessitating meticulous documentation of procedures and consultation with regulators or law firms for guidance.
Samir examines compliance from a commercial standpoint, highlighting the practical implications of sanctions. For instance, a UAE-based bank without U.S. ownership or control may need to comply with U.S. OFAC sanctions due to “commercial realities.” Commercial agreements often require adherence to U.S. sanctions for U.S. dollar clearing or access through a U.S. dollar clearing bank. This scenario highlights the need to address the sunrise issue promptly, considering practical implications over purely legal perspectives.
Regulatory Harmonization: The Widespread Impact of the Travel Rule
Referring to Samir’s concept of “commercial reality,” Harm asserts that the travel rule holds a contagious influence. If a VASP operates in Seychelles, for instance, but conducts business with entities situated in Dubai, compliance with the travel rule becomes imperative as failing to do so would result in users’ transactions being rejected. Therefore, commercial reality necessitates this adherence without escape.
Regulators are increasingly aware and exploring possibilities like the aforementioned Satoshi test in the crypto space. Harm expects the existing knowledge gap to diminish as regulators actively engage and learn from each other. Currently, different jurisdictions have varying travel rule thresholds for virtual asset transfers, but Harm predicts a future where everyone defaults to zero.
Disparity in Regulatory Treatment: Apprehensive Regulators
Soham Panchamiya, an Associate at Reed Smith, notes the lack of equivalence in financial services regulations between crypto and traditional finance (TradFi). This disparity is not solely due to the different nature of activities in the crypto industry. The issue stems from regulators’ apprehension due to their limited understanding of crypto, understaffed and underpaid workforce, and high turnover rates, says Soham. He emphasizes that the challenge lies in regulators struggling to comprehend and adapt to the crypto landscape, rather than how they interpret the regulations.
The UAE’s Progressive Stance on Crypto Regulation: Navigating the Sunrise Issue and Beyond
In most jurisdictions, finding regulators who both understand crypto and are willing to take a clear stance on it is quite rare, Soham noted. However, he believes that the UAE is fortunate in this regard. Notably, figures like Peter Loo and Malcolm Wright at the Virtual Asset Regulatory Authority (VARA), as well as Brian Biagabi and Brian Yeoh at the Financial Services Regulatory Authority (FSRA), have taken bold positions on crypto and engage in open and transparent discussions with firms regarding policies, the travel rule, and technological capabilities. This enables firms to communicate their limitations in dealing with certain types of Virtual Asset Service Providers (VASPs), minimizing the sunrise issue.
To address the sunrise issue, companies in jurisdictions without travel rule adherence typically establish a de minimis threshold for compliance. In the UAE, for instance, the threshold is 3,500 AED, while FATF regulators require compliance for amounts above 1,000 EUR. If a jurisdiction does not adhere to the travel rule, companies often choose not to engage with counterparties from that jurisdiction, effectively creating a barrier.
Some companies even establish separate structures, one regulated and one unregulated. However, as seen in the ongoing SEC proceedings against Binance, separating regulated and unregulated entities can introduce uncertainty and necessitate the development of new rules using existing ones, adapted in a more efficient manner, according to Soham.
Addressing FATF Guidelines in Crypto Compliance: Segregation as a Solution
Soham highlights the importance of referring to your regulatory authority’s adopted rules within the FATF guidelines. For instance, the UAE’s VARA regulations have adopted the FATF guidelines which entail collecting originator and beneficiary information. The information needs to be recorded for regulatory review in the annual report.
However, as pointed out by Harm, technological challenges of implementing this surface when the beneficiary is an unhosted wallet without associated identity information. Currently, the solution involves distinguishing crypto companies that operate within KYC/AML frameworks and those that do not. Non-compliant entities are facing increasing difficulties in finding suitable jurisdictions, leading to the popularity of lenient regulatory jurisdictions. Thus, Soham suggests segregation as a solution.
Potential Penalties for Non-Compliance with the Travel Rule in the UAE
Samir explains that in the UAE, there are two types of penalties: criminal and civil penalties. The UAE’s federal AML law was amended in 2001 to include VASPs, expanding its scope beyond financial institutions and Designated Non-Financial Businesses and Professions (DNFPPs). Compliance with AML obligations, including KYC, due diligence, enhanced due diligence, and risk assessments, is necessary. Failure to comply, including with the travel rule, can result in penalties ranging from 200,000 to 5 million AED and potential imprisonment. However, proving money laundering offenses can be challenging due to the requirement of establishing knowledge.
Apart from criminal penalties, regulators such as VARA, DFSA, or FSRA have the authority to impose civil penalties. VARA, for instance, differentiates between compliance-related and non-compliance-related penalties. Compliance-related penalties may involve disgorgement of profits, penalties on individuals up to 20 million AED, and penalties on VASPs up to 50 million AED or 15% of annual revenue or 300% of gained profits or avoided losses, whichever is greater. The amount for a minor non-compliance of the travel rule depends on the severity of the case as the regulator has discretion within those specified limits, explains Samir.
Challenges faced by VASPs
Achieving Interoperability Among Platforms
VASPs face challenges primarily in achieving interoperability among various platforms in the cryptocurrency sector. Unlike traditional financial systems with centralized mechanisms like SWIFT, the crypto industry lacks such infrastructure.
VASPs, banks, and other entities must develop their own procedures for collecting and transmitting information. However, there is uncertainty about whether these procedures will work effectively with the recipients or senders. To address this, VASPs should establish bilateral procedures for information exchange, albeit with variations among partner VASPs, suggests Andrew. This approach can be cumbersome and may result in rejecting one-time transactions from new VASPs to maintain compliance.
Recognizing this challenge, organizational efforts are underway to establish industry standards resembling a SWIFT-like system for crypto, but VASPs must prioritize their business interests when investing in bilateral relationships, says Andrew.
Having VASPs level up
Soham recognizes that implementing the travel rule poses significant challenges, requiring collaboration among consultants, lawyers, and solution providers. However, he believes that the primary challenge lies in VASPs needing to level up. While VASPs allocate funds for marketing and operations, they often neglect investing in internal organization, which is crucial in the evolving landscape of the industry. With numerous licensed players entering the market, unlicensed ones will face greater difficulties in operating successfully.
Soham advises VASPs to allocate a portion of their budget to improve internal organization He emphasizes the importance of hiring top-quality consultants, lawyers, and advisors, urging VASPs not to ignore their recommendations. By taking these steps, the overall process will become smoother.
Additionally, Soham emphasizes the importance of VASPs proactively engaging with regulators and formulating their own plans instead of relying on regulators to create plans for them. This communication and collaboration will enable firms to operate more effectively.
Software Solutions for VASPs to Comply with the Travel Rule
Harm highlights the availability of software solutions, like Travel Rule Messaging Protocol (TRP) and Travel Rule Universal Solution Technology (TRUST), for VASPs to comply with the travel rule. However, he suggests a straightforward starting point for compliance.
To comply with the FATF travel rule, VASPs can securely and promptly transmit information to the counterparty through an encrypted email. Storing and retaining the data for regulatory access afterwards fulfills the travel rule obligations.
For single transactions, Harm agrees with Andrew that it can be complex. To address this, 21 Analytics proposes a solution with a designated travel rule email address for receiving necessary information. Their AI system then processes the data and stores it for easy access.
Harm expects this approach to persist. By exchanging travel rule email addresses and collaborating with technology service providers, VASPs can take meaningful steps towards compliance and foster positive relationships with regulators.
Given the ongoing sunrise period, Harm believes that there won’t be a one-size-fits-all solution, and VASPs need to remain adaptable in their approach to compliance.
Key Takeaways and Insights
To understand the global landscape in fintech, crypto, and virtual assets, Samir recommends considering initiatives like interVASP Messaging Standards, OpenVASP, and private sector initiatives. In terms of cybersecurity, Samir states that the UAE significantly emphasize cybersecurity, with the UAE Information Assurance Standard setting stricter requirements compared to ISO 27001, and VARA providing tech governance and compliance measures applicable to the UAE.
Samir advocates for good governance and compliance as key roles in the industry, suggesting that companies behaving as regulated entities build trust, reduce liability, enable cross-border transactions, and attract investors. Moreover, venture capitalists should act as activist shareholders to encourage good governance and compliance in portfolio companies, ensuring proper incubation of future unicorns and investor protection.
Andrew simplifies the formula for success: understand regulations, establish internal policies and procedures, follow guidelines, and cultivate a positive relationship with regulators. Open exchange of information establishes credibility and fosters goodwill with regulators, he believes.
Soham questions the importance of regulation for VASPs, emphasizing that if they ask people to trust them with their money, some form of regulation is inevitable. He adds that merely having a smart contract does not make them DeFi, but surrendering control to a community does.
Harm acknowledges the vastness of the field and suggests tangible first steps. This includes establishing a designated email address, identifying reputable counterparties, assessing risk appetite, and deciding on storing PII data with a third-party solution provider or keeping it in-house.