In June 2020, the Financial Action Task Force (FATF) reviewed the FATF Travel Rule and made updates for cross-border and domestic wire transfers to address the increasing use of cryptocurrency and combat money laundering. With the Travel Rule, Virtual Asset Service Providers (VASPs), such as cryptocurrency exchanges and wallet providers, are now required to collect personal data on whoever participates in transactions. In short, that means that the rule removes the option to transfer cryptocurrencies anonymously. Companies who fail to comply risk sanctions. The recent investigations into the crypto exchange Binance for regulatory compliance issues in the US can be seen as a sign that regulators are placing particular scrutiny on a formerly largely unregulated industry.
While implementing the Travel Rule in member states has been uneven, now is the time for crypto businesses to implement identity verification ahead of regulation. Becoming compliant with the Travel Rule and other AML/CTF compliance regulations will also require navigating other regulations such as GDPR in the EU and the California Consumer Privacy Act (CCPA). In this post, we outline how crypto companies can incorporate features into their product to cover the Travel Rule requirements.
What is the FATF Travel Rule?
The Travel Rule is an update to the FATF’s Recommendation #16, one of a list of recommendations against money laundering for countries to follow as best practices for AML/CFT efforts. The rule as such does not have an effect for companies until countries make laws in accordance with it. Countries that are moving to create laws to align with the Travel Rule so far include the US, countries within the EU in accordance with the 6AMLD, Canada, Singapore, and South Korea.
Crypto companies that fit the FATF’s definition of a VASP fall under the Travel Rule, which means they need to perform Know Your Customer (KYC) checks for every transaction, removing the possibility for anonymous transactions in cryptocurrencies like Bitcoin or new altcoins. The Travel Rule requires originators of virtual asset transfers to submit the following information to beneficiaries:
- Originator name
- Account or virtual wallet number
- Physical address
- National identity number, customer identification number or another unique identity number
- Date and place of birth
Beneficiaries must also submit the following information to originators:
- Beneficiary name
- Account number or virtual wallet number
Who counts as a Virtual Asset Service Provider (VASP)?
A VASP as defined by the FATF is a company that facilitates transfers of virtual assets, such as crypto exchanges, OTC Desks, Bitcoin ATMs, and more. Countries might diverge from terminology used by the FATF in their local regulations, such as the EU using cryptocurrency asset service providers. The basic principles of how to perform KYC checks and become compliant, however, are usually consistent across markets.
What do crypto companies need to do to comply with the FATF Travel Rule?
Even though regulations for the crypto industry are still developing and rollout is uneven, it is expected that they will eventually align with regulations for traditional financial institutions. For VASPs who want to future-proof their businesses, it is therefore a good idea to follow AML/CFT requirements for the financial industry and not just the KYC check required for a transaction in the Travel Rule.
In the US, implementing a Customer Identification Program (CIP) that includes name, date of birth, address, and identification number covers basic AML requirements. Digital identity verification, then, supports a company’s CIP program by gathering and verifying this information during user onboarding or to authorize transactions online. An identity verification process typically includes:
- Verification of a government-issued ID or passport: usually includes necessary details such as name, date of birth, address, and identification number
- Biometric authentication: Facial matching of a selfie with the ID document to verify that the person sitting in front of the screen is who they say they are. If a video selfie is used, the technology can also perform liveness detection during this step.
- Proof of address: usually an additional document to confirm the address provided, such as a utility bill.
The information submitted for identity verification online then supports customer due diligence (CDD) as part of AML/CTF requirements. For example, an end user’s submitted information is screened against global watchlists to ensure the individual is not on a sanctions list and also to assess the risk profile if they are a politically exposed person (PEP).
How can product teams integrate identity verification?
One of the reasons crypto services may be hesitant to adopt identity verification is to preserve user privacy. While adopting identity verification removes anonymity, steps can, and should, be taken to preserve privacy in accordance with other regulations such as GDPR and CCPA.
There are, however, ways to conduct identity verification that are secure and transparent. By choosing a third-party provider, for example, a company does not store sensitive user information on its own platform and thus keeps it out of reach of hackers in the event of a security breach of that platform. As crypto grows more mainstream, companies will need ways to convert new users who are more concerned about securing their account than the anonymity of their transaction information.
Companies can take steps to build trust when integrating identity verification into their transactions. We have outlined some of them below.
Provide transparency and education
Use every opportunity to educate your end users about how identity verification works, why it might be necessary to meet regulatory requirements, and how it helps secure accounts against theft, fraud, or money laundering. For example, Gemini has created a Cryptopedia to help potential and existing customers understand everything from terms such as stablecoin to Anti-Money Laundering. To address concerns and increase adoption, include FAQs and explainers about identity verification and how you handle your users’ personal information and digital identity. Also give end users a heads-up with custom text when they are about to perform identity verification, such as by listing out the steps and necessary documents and including a link to an information page.
Weave identity verification into your brand experience
If you are considering third-party KYC and identity verification providers like Passbase, look for a solution that can integrate smoothly into your product, whether it is for iOS, Android, or web. Identity verification or KYC checks can be designed with the same attention to user experience as other product features. Creating a consistent user experience across your platform will give your end users more confidence in your service than being redirected to a third-party platform. For example, ask if a provider offers you an easy way to insert custom logos, colors, and copywriting.
Give incentives to opt-in
While financial institutions are required to perform customer due diligence even for account opening, some crypto services may not have the same stringent requirements in certain markets if virtual assets are not considered to be currencies, securities, or another financial instrument. Take advantage of this to introduce identity verification to customers. Instead of forcing customers to go through identity verification at the very beginning, incentivize them to complete the step later, such as when they are ready to make a transaction. Another opportunity could be encouraging them to perform identity verification so that they can enjoy biometric authentication for future logins, transaction authorizations, and accelerated document submissions as a verified user.
Serve global customers from day one
When companies incorporate KYC checks that meet global AML/CFT standards, they can be more confident about serving global customers from day one. For example, Passbase client Ramp is available in over 170 countries providing infrastructure for cryptocurrency to fiat exchanges. Crypto companies are in a strategic position to make use of this global market opportunity to introduce industry-leading user experiences for identity verification.
When you’re comparing providers, pay attention to their localization options. Working with a provider that has supported documents in your operating markets, offers multilanguage support, and translation interfaces helps you focus on business development and scale rapidly into new markets.
Crypto regulations might still be confusing and uneven across markets, but companies that invest in compliance now ensure they stay part of the crypto boom in the long term and differentiate themselves from competitors.