Last year, FATF and FINMA confirmed that, when executing payment transactions, blockchain service providers are subject to obligations in relation to anti-money-laundering and the combatting of terrorism financing. Hence, these providers are imposed with the same obligations as traditional financial service providers.
Yet they have not at their disposal a system as efficient as that which the latter are equipped with – the SWIFT network. FINMA has proposed lowering the current threshold for exchange transactions in cryptocurrencies the from CHF 5’000 to CHF 1’000 acknowledging the heightened money-laundering risks in this area.
What is the “travel rule” about and where did it originate from?
The “travel rule” originates from Recommendation 16 of the International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation issued in 2012 and updated in June 2019 (“FATF Recommendations”) issued by the Financial Action Task Force (“FATF”) – an international body providing guidance on anti-money-laundering (“AML”) and combatting of financing of terrorism (“CFT”) (together “AML/CFT”) as well as other related threats to the integrity of the international financial system.
According to that rule, when performing wire transfers, financial institutions must “include required and accurate originator information, and required beneficiary information, on wire transfers and related messages” and the information should remain “with the wire transfer or related message throughout the payment chain”.
In June last year, by way of an update to the said recommendations FATF clarified the application of this rule to virtual asset (“VA”) transactions. It took the position that virtual asset service providers (“VASPs”, singular – “VASP”) come within the scope of the rule in the same way as traditional financial institutions do (see e.g. Interpretative Note to Recommendation 15, 7., (b), FATF Recommendations). In other words, the organization undertakes a technology-neutral approach: it considers AML/CFT obligations applicable to service providers regardless of the type of technology through which the latter perform the transaction – traditional or new/emerging. FATF announced to monitor the implementation of the new requirements and conduct a 12-month review in June 2020.
What is the Swiss interpretation?
The Swiss Financial Market Supervisory Authority (“FINMA”) addresses the combat of money laundering and terrorism financing over the blockchain as well stringently. Following the revision of its recommendations, within which FATF specified the application of the “travel rule” to VA transactions, the Swiss regulator – through FINMA Guidance 02/2019, Payments on the blockchain, 26 August 2019 (“FINMA Guidance”) – provided its position that concerns financial service providers supervised by it. It, likewise, held the “travel rule” applicable for blockchain payments. As FATF, FINMA took an approach that does not differentiate between the kind of technology involved. The Swiss authority underlined that, for AML/CFT regulations, the anonymity inherent in the blockchain posed increased risk of circumvention of law. Hence, Switzerland had always applied its AML/CFT act to blockchain service providers. The latter were obliged e.g. “to verify the identity of their customers, to establish the identity of the beneficial owner (FINMA has proposed lowering the “crypto client” identification threshold from CHF 5’000 to CHF 1’000), to take a risk-based approach to monitoring business relationships and to file a report with the Money Laundering Reporting Office Switzerland (MROS) if there are reasonable grounds to suspect money laundering” (FINMA Guidance, p. 2). Article 10 of the FINMA Ordinance on the Prevention of Money Laundering and the Financing of Terrorism (“AMLO-FINMA”) required that information regarding the client and the beneficiary were transmitted with a payment order; that enabled the receiving financial intermediary, for instance, to check whether the sender was on a sanctions’ list.
Due to the technology-neutral approach, the information disclosure for blockchain transactions itself does not need to be realized via a blockchain technology – but by any means – and it can take place separately from the original transaction.
FINMA interpreting Article 10 AMLO-FINMA is, in fact, even stricter than FATF. In its view, as opposed to the FATF requirements, the said provision does not contain any exemptions for payments that involve unregulated wallet providers. The authority stresses that “such an exception would favour unsupervised service providers and would result in supervised providers not being able to prevent problematic payments from being executed” (FINMA Guidance, p. 3).
The second last and last paragraph of the FINMA Guidance point at certain – rather narrow – exceptions where the institution is unable to send and receive the required information and payment transaction is permitted. These are cases of payment transactions made from and to external wallets belonging to a customer of the institution (whereby the ownership of the external wallet by such own customer must be proven using suitable technical means) or of payment transactions executed between customers of the same institution; a transfer from or to an external wallet that pertains to a third party can be performed only if, as for a client relationship, the institution has verified the third party’s identity, established the beneficial owner’s identity and proven through suitable technical means that the third party is the owner of the external wallet. Similarly, in case of an exchange – from fiat to VA, from VA to fiat currency or from one VA to another – that involves an external wallet, it must be demonstrated via suitable technical means that the customer is the owner of the external wallet, or otherwise the rules on payment transactions apply.
FINMA, further, mentions that FATF expects data on the customer and beneficiary to be sent also for token transfers as this is done for bank transfers.
What is the challenge?
While VASPs, thus, are subjected to the AML/CFT obligations to which the traditional financial service providers are, no system exists, as it does for the latter, which can assist in complying with the respective duties. When executing payment transactions, the traditional institutions have a recourse to the SWIFT system. The blockchain transactions are currently restricted in technical terms, since most blockchain systems operate only pseudo-anonymous transactions – the originator and the beneficiary are identified via crypto addresses and the persons behind such addresses remain unknown. Therefore, at present it is technically impossible to pass on data on the originator and the beneficiary (which is also why FATF and FINMA allow for the transmission of information to take place independently of the initial blockchain transaction).
The lack of an appropriate system is recognized also by FINMA: “No system currently exists at either a national or an international level (such as, for example, SWIFT for interbank transfers) for reliably transferring identification data for payment transactions on the blockchain. Neither are bilateral agreements between individual service providers in existence to date. For such systems or such agreements to meet the requirements of Article 10 AMLO-FINMA in future, they would have to involve only service providers who are subject to appropriate anti-money laundering supervision.” (FINMA Guidance, p. 3).
Thus, at this stage there is no technical solution allowing compliance with the Swiss requirement for covering also transactions between a VASP and an individual user. Information is now passed on via a blockchain independent messaging protocol which implies either a registration with the protocol provider and/or use of certain technical tools. This would lead to the necessity that individuals utilize a variety of messenger protocols in order to exchange data with their VASPs upon transacting on the blockchain – something which is improbable to take place. Swiss VASPs now limit their transactions to external wallets that belong to their own clients and prove the ownership over the wallet through “proof of wallet ownership signature”, i.e. manually.
All in all, the Swiss VASPs need a technical solution in order to be able to perform their duties under the “travel rule” and to do so also where transacting with unregulated users.
How does virtual asset community cope with this challenge?
One approach consists of a second layer messaging protocol which uses cryptography to authenticate the participating VASPs. Such protocol is offered by companies (e.g. TRISA) or in an open source community. An example of the latter is the OpenVASP community which is an open protocol among VASPs for the exchange of information on the originator and beneficiary. It leverages secure peer-to-peer communication and capabilities of the Ethereum blockchain for authentication and is based on a set of principles, independently of the jurisdiction and the VA, without the need to be a member of or register with a centralized-party. The commercial approaches undertaken by companies use mostly own communication channels and a dedicated hardware; the OpenVASP utilizes Ethereum blockchain as an IT infrastructure.
Another approach is to use a “proof of wallet ownership signature” which was indirectly introduced by FINMA when stating that, where an institution is not able to send and receive the data prerequisite in a payment transaction, the transaction is permissible on the condition that the external wallet pertains to a customer of the institution and such ownership is proven via appropriate technical means.
A further idea is the automated (as opposed to manual) proof of wallet ownership achieved by linking the user’s extended public key with the user’s client-ID – namely the automatization of the process of proving the wallet ownership.
How EY may support?
EY can help financial institutions and VASPs manage their individual and corporate clients involved in the VA space, including cope with AML/CFT challenges.
EY has created the EY Blockchain Analyzer which supports VA related screening activities and provides the following functions: understanding wallets, understanding transactions, wallet verification, transaction verification, private key access verification and understanding relationships. When it comes to implementing the “travel rule”, especially in relation to the proof of wallet ownership, the private key access verification feature offers valuable assistance.
Find out in this brochure how to cope with the AML/CFT challenges ahead.
Contact us for further assistance. We will embrace your challenge as ours, we are eager to solve problems and help building a better working world.