Navigating the Compliance Maze: How Crypto Businesses Can Master the Travel Rule Under MLR 2019

The rise of cryptocurrencies and blockchain technology has revolutionised financial services, offering decentralised and efficient ways to transfer value globally. However, the same benefits that make crypto attractive—anonymity, speed, and cross-border reach—also pose risks of misuse for money laundering and terrorist financing.

To mitigate these risks, on 10 January 2020, the UK implemented the

Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLR 2019). This regulation aligns with the EU’s Fifth Anti-Money Laundering Directive (5AMLD) and incorporates the FATF Recommendation 16 or 'Travel Rule', requiring cryptocurrency businesses to adhere to robust AML standards.

This blog post explores how the Travel Rule applies to UK crypto businesses, the compliance requirements, and the best practices for implementing these regulations effectively.

What is the Travel Rule?

The Travel Rule, as outlined by the Financial Action Task Force (FATF), requires financial institutions, including cryptocurrency businesses, to collect and share specific information about the originator (sender) and beneficiary (receiver) of transactions. Initially designed for traditional banking, the Travel Rule has been extended to virtual asset service providers (VASPs) to mitigate the risks of money laundering and terrorist financing in the cryptocurrency sector.

Under the Travel Rule, certain information must "travel" with the transaction, ensuring that all parties involved in processing the payment have access to the necessary details to monitor and report suspicious activity.

How Does the Travel Rule Apply Under MLR 2019?

The MLR 2019 amendments incorporated the FATF’s recommendations and brought crypto businesses firmly within the scope of AML and CTF regulations. As a result, crypto businesses operating in the UK are required to comply with the Travel Rule by collecting and sharing information about their customers and transactions.

Key Compliance Requirements

Identify the Originator & Beneficiary

Crypto businesses must collect and verify information about both the sender (originator) and the receiver (beneficiary) of cryptocurrency transactions. This requirement applies to transactions exceeding a threshold of €1,000 (or its cryptocurrency equivalent). The required information includes:

• The originator’s full name.

• The originator’s account number or unique identifier, such as a wallet address.

• The originator’s residential address, national identification number, or date and place of birth.

• The beneficiary’s name and account number or wallet address.

Transmit Information

The collected information must be transmitted to the receiving VASP or financial institution along with the transaction. This ensures that the recipient entity has the necessary data to monitor and assess the transaction for compliance purposes.

Screen & Monitor Transactions

Crypto businesses must screen transactions and counterparties against relevant sanctions lists, such as those maintained by the Office of Financial Sanctions Implementation (OFSI) in the UK. Suspicious activity must be flagged and reported to the appropriate authorities, such as the National Crime Agency (NCA), through the Suspicious Activity Reports (SARs) process.

Retain Records

All information related to transactions, including customer identification and transaction data, must be securely stored for a minimum of five years. This ensures that regulatory authorities can access the data if needed for audits or investigations.

Apply Enhanced Due Diligence (EDD)

For higher-risk transactions, such as those involving jurisdictions with weak AML controls, crypto businesses must perform enhanced due diligence to assess the origin and purpose of the funds in greater detail.

Challenges of Implementing the Travel Rule in Crypto

Complying with the Travel Rule presents unique challenges for the cryptocurrency sector due to its decentralised nature and the technical complexity of blockchain transactions. Some of the key challenges include:

1. Lack of Built-In Customer Information: Blockchain transactions are pseudonymous by design and do not natively include customer information. Crypto businesses must develop off-chain mechanisms to collect and share this data.

2. Interoperability Issues: Ensuring seamless communication and information sharing between VASPs is challenging, as there is no universally adopted standard for compliance with the Travel Rule.

3. Cost and Technical Barriers: Smaller crypto businesses may face financial and technical constraints when implementing the systems and tools necessary for compliance.

4. Regulatory Uncertainty: The regulatory landscape for crypto is still evolving, and businesses must remain agile to adapt to new and updated requirements across jurisdictions.

Best Practices for Compliance with the Travel Rule

To overcome these challenges and ensure compliance, crypto businesses can adopt the following best practices:

Invest in Technology

Businesses should deploy advanced compliance tools to automate data collection, verification, and transmission processes. Solutions like the Travel Rule Information Sharing Architecture (TRISA) and OpenVASP provide frameworks for secure and interoperable information sharing between VASPs.

Use Blockchain Analytics Tools

Tools such as Chainalysis, Elliptic, and CipherTrace can help monitor transactions in real time, identify suspicious activities, and assess the risk of exposure to illicit funds.

Standardise Information Sharing

Participating in industry consortia and working groups can help crypto businesses establish common standards and practices for complying with the Travel Rule.

Strengthen KYC & CDD Processes

Crypto businesses must implement robust Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures to collect accurate and reliable customer information.

Train Compliance Staff

Regular training ensures that compliance teams stay up to date on regulatory requirements and best practices for Travel Rule implementation.

Engage with Regulators

Maintaining open communication with regulators, such as the Financial Conduct Authority (FCA) in the UK, can help businesses ensure that their compliance frameworks meet regulatory expectations.

Monitor Regulatory Developments

Crypto businesses should stay informed about changes to the FATF guidance and updates to local implementation of the Travel Rule, as compliance requirements can vary across jurisdictions.

Consequences of Non-Compliance

Failure to comply with the Travel Rule under MLR 2019 can have serious consequences for crypto businesses, including:

• Substantial financial penalties imposed by regulatory authorities.

• Loss of operating licenses and registration with the FCA.

• Reputational damage, which could lead to a loss of customer trust and market share.

Conclusion

The Travel Rule is a critical component of global efforts to combat financial crime in the cryptocurrency sector. By complying with the Travel Rule, crypto businesses in the UK can help enhance transparency, build trust, and mitigate the risks of money laundering and terrorist financing. Whilst implementing these requirements may pose challenges, adopting advanced technology, collaborating with industry peers, and maintaining open communication with regulators can help businesses navigate compliance effectively.

If you need further guidance on implementing the Travel Rule or help in strengthening your compliance framework, download our free white paper on UK Funds Transfer Regulation.