Tom Neylan, senior policy analyst at the Financial Action Task Force, a global body tackling money laundering and terrorist financing, spoke to OMFIF about the challenges of applying anti-money laundering rules to the crypto ecosystem and the importance of rapid implementation.
OMFIF: What is the travel rule and why has it assumed such importance in the cryptocurrency market?
Tom Neylan: The travel rule is part of the suite of rules that includes customer due diligence, understanding the nature of a customer’s business, making suspicious transaction reports, conducting additional due diligence on high-risk activities and customers – such as politically exposed persons – and also being licensed, supervised and regulated by the proper authorities. The purpose of the travel rule is to ensure you know who you’re doing business with, so you can apply financial sanctions and block transactions if necessary, and to ensure an audit trail for investigators to follow in the event that the payment was for terrorist financing.
The travel rule has become particularly important because it’s among the most difficult of the tools to apply in a crypto context. It requires virtual asset service providers to exchange the identity information of the originators and beneficiaries of crypto transactions above $1,000. In traditional finance, payment messages that include personally identifiable information are sent on a private network, visible only to banks, with strong protection for privacy. In crypto, those payment messages could be sent publicly, so including personal information would expose people’s identities.
To achieve the equivalent outcome in a crypto context, we’ve allowed messages including personal identifying information to be sent on a parallel private network to protect privacy. And we have given the industry time and support to develop the tools and protocols it needed to do this.
O: How broadly is this rule being applied?
TN: Advanced economies have made good progress in requiring VASPs to register and get licensed, and implementation of the travel rule is a few steps behind licensing and regulation. But elsewhere, progress has been much slower. Around 70% of countries are yet to regulate the sector.
Given businesses in this sector are executing cross-border transactions as a matter of routine, it poses a serious risk because unregulated countries can provide safe havens – offering an avenue for money to flow to terrorists outside of the regulated sector.
O: What about uniformity? Not all jurisdictions are applying the rules in the same way. Does that introduce problems?
TN: We regularly engage with the virtual asset industry, and they report that differences in national requirements – including for the travel rule – can prove challenging. Interestingly, we conducted a survey of over 150 jurisdictions earlier this year that found, when it comes to the travel rule, most jurisdictions have broadly the same requirements in terms of the information VASPs need to collect and transmit.
As with all regulation, complete global harmonisation is unrealistic – there are too many differences in national frameworks, risk, context and approaches to risk mitigation. This is the same reason why we see a lack of harmonisation in other financial sectors. But we also need to make sure that national requirements are clear and that authorities are co-ordinating to help the private sector deal with common challenges and considering harmonisation where possible.
O: What about prohibiting access entirely? That’s an approach China has taken.
TN: The thing about prohibition is that it is not really an easy option from a technical perspective. Just making something illegal is not enough. You have to enforce the prohibition, which means you have to develop the technical capacity to find and identify the people or businesses conducting the activity and get them to stop. Very few countries have the internet surveillance infrastructure to do that.
Even identifying which businesses are offering services in your country can be difficult. If a country has a rarely spoken language, advertising can be a useful predictor, but for many countries, that’s simply not a guide and they need more sophisticated tools to identify activity.
O: Many people are using VASPs, but one of the principles of crypto is that it can function peer to peer, without intermediaries. Does that limit our ability to curtail illicit activity via tools like the travel rule?
TN: Yes, to some degree. It is certainly a concern and it’s a risk that we are keeping a close eye on. However, to some extent, it’s self-limiting. Just as with the use of cash in money laundering, there are problems with going peer to peer with crypto. In the first place, it’s more technically demanding. There’s also more risk and no protection in the event of an error. Second, many money launderers rely on intermediaries as filters, so removing that element makes their jobs more challenging.
Those factors have so far limited the overall amount of money laundering taking place on a peer-to-peer basis – but this is a risk that we are continually monitoring.
O: That sounds like a serious problem. What is being done about it?
TN: We’re doing a lot of work to fill geographic gaps – the countries which don’t yet regulate the crypto sector, helping them to make progress as a matter of urgency. A lot of that work involves getting advice and assistance from experienced countries.
What we’ve learned from them is that applying the travel rule and supervising the crypto sector is immensely demanding of supervisors. They need new tools, different data feeds than they use for monitoring traditional financial transactions and staff that are technically literate and understand the crypto ecosystem.
O: Can central banks build that capacity from scratch? That sounds daunting.
TN: It’s certainly a challenge, particularly because of the pace of change in the crypto market – things are developing there much more quickly than in traditional finance.
In many cases, we’ve found that national authorities implementing this have been very slow to get off the ground. That’s understandable. They have to stand up new capacity for a whole new sector. This is the first time we’ve exposed a new sector to regulation for several generations.
The good news is that they don’t have to do this on their own. We have forums to help share experience and information. And there is a growing ecosystem of blockchain analytics companies, risk assessment companies and other countries with experience that can help to provide them with the tools and guidance on how to implement the requirements.
The key message is: start designing your regulatory regimes yesterday. They need to be in place within a year or two, so work needs to be started straight away on understanding the risks, identifying the players in the sector and what they do, and which activities are risky. They should reach out, take advantage of the advice available from the FATF and other experienced countries and the tools available from the private sector.