Integrity Insights

Travel Rule for crypto-asset service providers goes live in the EU

The Berlin Risk Podcast Season 1 Episode 10

In this episode of Integrity Insights, our host Filip Brokes engages in a deep dive with Lana Schwartzman, Head of Regulatory and Compliance at Notabene, into the evolving landscape of cryptocurrency regulation. With over two decades in compliance, including 13 years specializing in crypto, Lana shares her expertise on the implications of the EU's Transfer of Funds Regulation (TFR), the travel rule, and the challenges of compliance in the crypto space. Whether you're in financial services, compliance, or crypto, this episode is packed with insights you should not miss.

Show Notes

Introduction

  • Lana Schwartzman’s background and journey into crypto compliance.
  • Overview of Notabene and its role in crypto transaction compliance.

Crypto and Money Laundering

  • Debunking myths: less than 1% of crypto transactions are illicit.
  • Comparisons between crypto and fiat in laundering activities.

Techniques Used for Crypto Money Laundering

  • Mixers, tumblers, and chain hopping.
  • Privacy coins like Monero.
  • Regulatory challenges and enforcement efforts.

The Travel Rule

  • Origin and purpose of the Financial Action Task Force’s (FATF) travel rule.
  • How the rule prevents illicit transactions before they occur.
  • Key milestones: U.S. implementation since 1999 and EU's December 30 deadline.

EU’s Transfer of Funds Regulation (TFR)

  • Comprehensive requirements for Crypto Asset Service Providers (CASPs).
  • Verification of unhosted wallets and self-declaration methods.
  • Role of the European Banking Authority (EBA) in shaping guidelines.

Global Landscape of Crypto Regulation

  • FATF report: 89% of jurisdictions implementing travel rule compliance.
  • Closing regulatory loopholes across regions.
  • Industry-driven pressure for travel rule adoption.

Effectiveness and Future Trends

  • Indicators of success: SAR filings and increased enforcement actions.
  • Predictions for harmonization of global crypto standards.
  • Anticipated regulatory scrutiny and cross-border collaboration.

Connect with Us:

  • LinkedIn: https://www.linkedin.com/showcase/integrity-insights/?viewAsMember=true
  • Berlin Risk LinkedIn: https://www.linkedin.com/company/berlinrisk/?viewAsMember=true
  • Website: https://berlinrisk.com/

Hi Lana. Welcome on the podcast.

Hi, I am so excited to be here. Thank you for having me.

Well, thank you for coming. Uh, can you, uh, first, uh, tell our listeners a little bit about yourself, like, about your background and what you do at the moment?

Sure. Um, so, uh, my name is Lana Schwartzman. I am head of regulatory and compliance at a company called Notabene, and, uh, Notabene specializes, um, in, uh, travel rule, but essentially is a crypto pre-transaction authorization and decision making company, um, for transactions. Um, and as mentioned, the heart of it is essentially travel rule compliance. Um, personally I've been in compliance for 20 years. 13 of it has been in crypto compliance and, um, I've been a chief compliance officer for two different crypto companies by now.

Um, so I'm one of the OGs in the space, I would say for sure. And I got to do some cool things back in the day, um, such as mining my own Bitcoin back when you could still do it with a, a supercomputer at home. So that was fun.

That's, that's really interesting. And do you actually, do you actually still use crypto, like in your daily life?

Uh, no. In my daily life right now, um, I'm just HODLing, I'm using it as an investment.

Understood. And you mentioned the travel rule regulation, which we will discuss in detail (yeah) in this podcast. But before we do that, I, I just wanted to ask you a general question, like how widespread would you say the use of, uh, crypto, uh, is for, for money laundering?

Uh, yeah. The, the age-old question. Um, so while crypto is often portrayed as a haven for criminals, studies from, uh, Chainalysis, TRM and Elliptic all showed that illicit activity accounts for less than 1% of the overall crypto transactions. Um, Chainalysis recently pointed out that in, uh, 2023 illicit cryptocurrency addresses sent approximately 22 billion worth of digital assets to various services, which, um, is a decrease from, I think it was 31 billion, uh, record that they had in 2022. Um, and by the way, if wondering about fiat, traditional fiat currencies are more commonly used in illicit financial activities. Uh, the United Nations estimates that annually between two and 5% of the global GDP, which is approximately 80 billion to 2 trillion, is laundered through fiat currencies. So I know we're all quick to point fingers at crypto, but when you look at the grand scheme of things, uh, I think fiat is still preferred.

No, that's really, that's really interesting statistics. Um, but we will still stick to, uh, crypto, uh, in this conversation.

And, uh, I mean, even if you say that there is less money laundering actually taking place, like the, the money laundering that, that is actually happening in this, in this space, how does it, how does it actually, you know, work in, in simple terms? How do the criminals use cryptocurrency to, to launder funds?

Uh, yeah, that's a good question. And, um, you know, I would certainly leave this question to my friends at the various blockchain analytics companies, but I can tell you from my experience as a former chief compliance officer, as mentioned, that I think criminals use a variety of techniques to obfuscate the origin of funds.

Um, of course, I would hope, you know, that that is obvious. But most common would be, uh, mixers and tumblers where they, they basically blend funds from multiple sources to hide their origin. Then there's chain hopping, which would move funds between different blockchains, and then you have privacy coins where using cryptocurrencies like Monero that are specifically designed to hide transaction detail. And then you may have the typical layering through VASPs where you are, uh, simply depositing and withdrawing through virtual asset service providers to obscure, um, the source of funds basically.

And, and is it then, if you do one of, if you use one of those techniques or, or even like all of them, is it then still possible for investigators to actually track back the, the original source, or is it then completely impossible?

I don't think it's impossible because if it was impossible, we wouldn't have such success with some of the cases that have been solved. Um, I think, you know, criminals, they get smart and, uh, you know, they try to figure out the next best way to do this.

But, um, I have faith in our friends at blockchain analytics companies. I think, uh, the, the sophistication, um, of what they do behind the scenes and then, I guess, whatever their secret sauce is, um, it works quite well and I think, you know, that's the beauty of, of crypto and blockchain is that everything is transparent.

So it's just a way of figuring out how we can get to the source.

Mm. But let's say those groups or, or those criminals that actually manage to somehow obfuscate the, the, the source of this crypto and, and then, um, want to actually use the money. We had the, on a recent podcast episode, we talked about, um, like Russian, uh, ransomware groups that, uh, accept payments with crypto and then obviously want to use this to, you know, buy whatever assets they're interested in. Then, you know, I guess these individuals, once they use these sophistication techniques, they'll still need to convert the crypto to, to fiat, right?

Yeah. At some point. Yeah. Um, I think simply put, in, in most cases, you're right, they do need to convert crypto into fiat to fully kind of integrate into the traditional financial system.

However, this is getting harder as banks and other financial institutions are enhancing their AML controls. And then plus you have, um, you know, one of my favorite regulations, travel regulations, in place, uh, as well, which is something that we're gonna talk about as well, which I think helps with this.

Hmm. And before we get into the travel rule itself, I was wondering, is there some sort of a global regulatory framework, uh, that the travel rule is a, is a, is just a part of, or is, is the travel rule really like the only regulation in the space?

No, of course not. There are all sorts of kind of regulations depending on the various jurisdictions, but generally you are looking at regulations around your AML and CFT and, and sanctions, uh, which kind of govern, you know, the anti-money laundering risk that can happen with crypto, with fiat, with, with anything. It's, it's, it's across the board, I would say. Um, travel rule happens to be one of the newer regulations within the scope of, of, of AML, uh, essentially.

And, and so, so what, what is it?

So my favorite topic now.

Okay, so the crypto travel rule is a regulatory framework that was initiated by the Financial Action Task Force, known as FATF, in 2019, and that requires virtual asset service providers to share specific transaction information between the originator and the beneficiary of the transaction to enhance anti-money laundering and counter-terrorist financing efforts.

It's essentially an adaptation of the wire transfer rule, which has been a cornerstone in preventing money laundering and illicit activity in traditional finance for decades, um, and ensuring the secure and compliant transfers of funds globally. Now, before travel rule, the issue has been that little to no checks were performed when a VASP's customer would send a transaction to a counterparty, and therefore the originating VASP had very little to no visibility on who they were transacting with on the other side. This always increased that inherent counterparty risk when it comes to sanctions, illicit transactions, and high risk activity. Now, when implemented correctly, this regulation is revolutionary because for the first time in crypto history, we have the ability to prevent potential illicit and sanctioned transactions from reaching the VASP before they're even created on the blockchain.

And this gives VASPs the power to reject such transactions, thereby reducing the overall risk exposure to sanctions. Brilliant, right? I mean, let me (beautiful) repeat that, that we have the ability to stop potential illicit transfers before they are created on the blockchain. And by the way, the main goal of travel rule is not just to transmit this information, but to do something with it, meaning file a suspicious, suspicious activity report if there is a suspicious transaction.

And the, the travel rule, as far as I understand, it was first kind of put forward by the Financial Action Task Force in 2019, which is not, this is not a binding, uh, sort of regulation. It was then up to the individual, I don't know, countries or (correct), uh, entities such as European Union to implement it.

Correct. And that, and the 2019 mark was more so for the crypto community, um, the concept of, uh, travel rule. Um, some call it the transfer of funds regulation, um, transmittal of funds regulation, depending on the jurisdiction, and has different names. So it's been around for quite some time. In the US, for example, this goes back to 1999 as a matter of fact.

Um, so it really depends, but it, it wasn't for crypto, right? What FATF did was they put it for, um, crypto, basically.

Mm-hmm. And since obviously we are, uh, particularly interested in, in Europe, uh, how has the rule been implemented in, in, in the European Union?

Yeah, so this for sure has been fully entrenched in the EU, um, especially this year, given the upcoming deadline to comply with the transfer of funds regulation, uh, also known as the TFR, that goes into force on December 30th.

And this will be applicable to all 27 member states in the EU and EEA and it sets uniform travel rule regulation for all. And then, aside from the transfer of funds regulation, you also have the accompanying, uh, European Banking Authority travel rule guidelines as well to follow. And if, like my team, you've, uh, delved into these regulations in exhaustive detail, you'll find that they're highly prescriptive as they provide CASPs with clear and specific instructions on how to achieve full compliance with travel rule.

You have already mentioned, uh, you just mentioned CASPs, I think you mentioned before VASPs. (Yeah.) Can you, can you explain the, the difference?

Yeah. It's, it's a, it's a minor difference. So FATF term, the FATF term is VASP, which stands for virtual asset service providers. In the EU, it's CASP, which stands for, uh, crypto asset service providers.

Um, I don't recall the def, the, the nauseating details in the definition off the top of my head, to be honest with you, but it surely is, uh, quickly available online. It's, it's a minor, minor differences in what constitutes a CASP versus a, a VASP, and other jurisdictions also, they'll have, you know, some call it DSPs, digital asset service providers.

I've heard that one as well. Uh, essentially it, it, it's, uh, a broader definition of what would constitute as a, a player in the industry. Uh, essentially it comes down to differences in if you're custodying or not, and if you're transmitting a transaction or not. Those are the general kind of, um...

And so with the, the, the new amendments to the travel rule taking effect, uh, you said, uh, the end of December this year in the European Union, what, what are, what are the VASPs actually oblig, uh, you know, obliged to do by the end of the year?

Yeah. So there, there's a lot in the TFR and the EBA guidelines, but thankfully, Notabene breaks it all down on our website with different guides. And we also have launched an EU deep dive course, um, in addition to our existing travel rule certification.

But when we think about the elements, I tend to break them down into requirements for, around the scope of information, and then requirements around how to handle missing information, where in the EU you have three working days to provide this information and five working days if outside of the EU. Then requirements for reporting of non-compliance, and this is like your tattletaling on CASPs that do not basically respond to you and provide missing information.

And lastly, requirements around self-hosted wallets, where the obligations vary based on the transaction amount, so if it's over or below 1000 euros, and whether the wallet owner is a customer of the CASP or not. Also, I want to point out that with the requirements for providing missing information and the reporting of non-compliance, that is all because CASPs should be fully responding to travel rule transactions. Regulators want to see the effectiveness of travel rule, which in essence means it is no longer okay to just send the transaction and say, hey, I as a CASP am now travel rule compliant because I just sent the transaction. This needs to be two-way.

We need to be responding. We need to be effective at using, um, travel rule for its intended purpose.

So if, if I understand this correctly, the, the main kind of, the key, the key element is that the, the VASPs are, uh, they, they always have to identify the ultimate, uh, or the, the, the beneficiary of the, of the transactions on both, on both ends, is that correct?

So the, the originator and the beneficiary of the transactions? Yes. And this is also the case when it comes to unhosted wallets? Yeah. So under 1000.

Yes, so great question. So, to understand the obligation requirements for an unhosted wallet, one really has to look at the TFR language and the EBA travel rule guidelines, and also the money laundering terrorist financing guidelines by the EBA, holistically, all three of these. So specifically for transactions, um, above a thousand euro where the wallet owner is a CASP customer, the TFR requires CASP to verify that the customer truly owns or controls the wallet. The EBA outlines various verification methods, mandating the use of one primary method and additional methods if the primary one is unreliable. So we at Notabene support four different methods.

You have a cryptographic signature proof, and this is where the CASP customers, they can seamlessly and securely sign a message using their private keys, enabling verification of wallet ownership via their blockchain address. So think of the analogy of when you buy something and you have like a checkout with PayPal button, for example, right?

And you click that PayPal button, you log into your PayPal. But in this case, let's say it would be your MetaMask wallet, right? You choose your account and then you complete the transaction. So similarly, a CASP customer would go to, let's say, a withdrawal screen. They would select the asset, enter the address, and the amount. They would, uh, check that this wallet belongs to them.

They connected MetaMask, and, and again, MetaMask is one of the many, but I'm using that as an example. And they signed for verification and it's done. It sounds longer than it is, but I promise you the whole process takes seconds when you actually do it. Um, and then you have micro, uh, micro transactions, uh, AKA like Satoshi test, basically, where CASP customers confirm wallet control by sending a specified amount of cryptocurrency within a set timeframe.

Then you have screenshots, which is less robust than, uh, the other ones that I've, uh, mentioned. Uh, and this is the option for ownership proof, but it is not accepted in certain EU states. Um, and as you guys are actually in Germany, BaFin was one of the ones in their guidelines that said, we do not accept screenshot method, um, for unhosted wallets. It's, they don't consider it, um, as ownership proof. Uh, I, I commend them for being bold and coming out and saying that. I fully agree with it. And the last and fourth, uh, method that we support is a checkbox attestation, which is like a self-declaration basically. And this is where a CASP customer would self-declare the ownership of the wallet address, um, as a last resort.

Now, personally, um, as a former chief compliance officer, I would, I don't like the screenshot method and I don't like the checkbox attestation. I think those are weak. They're weak controls for the industry, and that's why I commend BaFin for standing up for this. However, from an industry perspective, that is something that the industry has been requiring and asking for, so we fully support it.

So we basically support all EVM compatible blockchains, including Ethereum and others, such as Polygon and Binance Smart Chain. And while Bitcoin and Solana are not EVM compatible, they're also supported in our platform. Um, oh, and if anyone doesn't know, EVM compatible blockchains are blockchain platforms that support and are compatible with the Ethereum Virtual Machine.

That's what that stands for.

And, and Lana, since you already mentioned BaFin, the German financial regulator, everything concerning BaFin is always an interesting discussion. But, uh, uh, so which one of these four verification methods they actually approve of if they don't like the screenshot?

They didn't, I did not see what they approved.

They just said what they do not like.

Okay.

I think most regulators tend to be as neutral as possible when it comes to, generally speaking, to technology. So I haven't seen what they would prefer. Uh, I personally think, again, this is not me answering on behalf of BaFin, this is my personal opinion, I think the most secure and the easiest is the cryptographic signature proofs.

Mm. It's really, I find, it's really fascinating how many ways there are to identify, uh, that you own a, a crypto account. But what I, what I, what I really wonder, uh, as I listen to you is, uh, obviously all these cyber criminals who, uh, want to launder funds through cryptocurrency, they don't want their, uh, names to be identified and, uh, is it maybe possible then to, uh, to just simply, uh, use, uh, the infrastructure outside of the European Union, uh, where the regulation is perhaps not, not as strict to, uh, uh, kind of, uh, maintain your anonymity?

Um, so interesting fact actually. Um, so kind of what you're alluding to, I think, um, sometimes is known as the sunrise issue, and that's when different regulations come on in different jurisdictions, right?

They're not all on like at the same time, you could say. Um, and it, it's, it's a common challenge and an issue. And this was more so a challenge and an issue back in, let's say, 2019 when in the crypto space we didn't exactly know how we were going to be, uh, doing travel rule compliance technically, how this would have to be figured out and, and how to think about this.

And similarly, regulators, um, as well, they didn't all have their, um, ducks in a row to put out guidance for travel rule compliance within the crypto industry. Um, however, now we're five years later and this, uh, sunrise, uh, issue and challenge, in my opinion, is no longer one. I like to talk about that as we're now at the dawn of travel rule. It's no longer sunrise. Um, and the reason behind this is, for example, as early as this year in March, I believe it was, uh, FATF came out with a report and they basically stated that 89% of material jurisdictions already have travel rule regulation either in place or in the process of having it in place.

And then since that report, um, there are so many more jurisdictions that are coming on. Of course, the biggest one being EU, that, that's a huge chunk of it. Uh, most recently, I think it was maybe a, a month ago or so, don't quote me on that, uh, South Africa, for example, had their travel regulation come, come online, Seychelles, I mean, the list goes on and on and on.

Uh, New Zealand, Australia, um, again, of either having it in place or it will be in place by the end of the year or in process. So this loophole is really closing in, and then aside from the regulatory angle of having this regulatory pressure, right, of different jurisdictions having travel regulations in place, you're also starting to have counterparty pressure where, um, counterparties want to see travel rule compliant transactions and they will not allow the transfers through otherwise. We actually saw this in our last, uh, um, State of Crypto Travel Rule report. It's a report that we do annually, and in there we had huge numbers where, uh, 66% of the surveyed VASPs were not allowing transactions, um, uh, that were not travel rule compliant.

Interesting. I have to, I have to say that is a bit of a surprise for me. I didn't realize that this, uh, this regulation was so widespread globally. Um, I wonder, is there also a way to, or maybe something you've developed internally, to measure the effectiveness of, uh, of this regulation, you know, in terms of combating money laundering through crypto?

Yeah, so internally we're able to kind of figure out, um, from our population, um, what effectiveness looks like. Um, but I'm curious to actually have this, um, qualified, and maybe quantified, from FATF, from regulators, to have a common definition of what effectiveness looks like. Some of the regulators that I've spoken to in NCAs, uh, they are already going onsite.

They're already examining for travel rule. Um, they are starting enforcements. Some are just, you know, kind of doing a light touch approach. Um, fines are gonna come a little bit later on. Um, others that I know, they're already starting to look if there have been, um, SARs, suspicious activity reports, that have been filed, right? So again, if you are seeing this, that the transaction is potentially suspicious, you should be doing something with it. And I think that's a strong indication of the effectiveness, um, of travel rule.

And, um, just one last question. I understand obviously that you don't have any crystal ball, but, uh, you know, this, uh, this regulation has been in place for, for a while and now the, the EU has started these amendments.

What do you, and you have been in this field for such a, for such a long time, how do you see, you know, the evolution of the, of the travel rule in the, in the next years to come?

I can only predict so far. Um, if I had a crystal ball and I'd be right all the time, I'd be, uh, a lot richer and own a lot more Bitcoin probably.

No. But, um, my hunch would be that there will be increased, uh, regulatory scrutiny and enforcement, um, specifically on travel rule as national regulators are starting to get more pressure from FATF and stressing the importance of this regulation. Enforcement actions around non-compliance will likely rise.

Also, I think we may start to see a global harmonization of standards as more and more different jurisdictions have been rolling out travel rule regs and guidelines. As I said before, there will most likely be an increased effort towards harmonizing regulations, and this includes cross-border collaboration to streamline the flow of information between virtual asset service providers, I think, in, in different countries.

Alright, well, Lana, thank you so much for your time. This is, uh, especially now before Christmas, uh, it's, uh, it's a, it's a challenging topic, uh, but, uh, it's very, it's very relevant, especially for us in the European Union. So thank you again for taking, uh, taking the time and, uh, yeah, I wish you, uh, happy, Merry Christmas.

Thank you so much and happy holidays everybody.