Why Travel Rule and Counterparty Risk Management is Required to Get Your VARA License

A recent webinar organized by Notabene discussed Dubai’s implementation of the Financial Action Task Force’s (FATF) Travel Rule requirements and the importance of counterparty risk management for Virtual Asset Service Providers (VASP) seeking Dubai Virtual Assets Regulatory Authority (VARA) licensure. The webinar was hosted by Lana Schwartzman, Notabene’s Head of Regulatory & Compliance, and included a panel of industry compliance experts.

The participating panelists included: 

• Amardeep Thandi, Compliance and Regulation EMEA at Chainanalysis
• Tracy Ellen Angulo, J.D., CFE, CAMS, Director at Guidehouse
• Laurent Girouille, General Manager at Komainu

Background

In June 2019, FATF extended Recommendation 16, commonly known as the Travel Rule, to crypto-transactions through the publication of guidance for VASPs and virtual assets (VAs). The recommendation was updated in October 2021, and since then, several countries have been developing legislation in line with the recommendation. 

VARA was established on February 28, 2022, under Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai. As the world’s first independent regulator for virtual assets and VASPs, VARA seeks to facilitate collaborative engagement between global VASPs and industry thought leaders. 

On February 7, 2023, VARA issued its Virtual Assets and Related Activities Regulation of 2023, setting out a comprehensive framework for governing VAs and all related activities in Dubai. The guidance includes various rulebooks, such as the Compliance and Risk Management Rulebook, which details the framework for Travel Rule compliance.

Highlights from Dubai’s Implementation of Travel Rule Requirements

1. Prior to entering into any transaction with a counterparty VASP, VASPs must complete risk-based due diligence on the counterparty to mitigate AML/CFT risks.
2. Travel rule policies should address:
   a. Transactions with non-obliged entities (e.g., unhosted VA wallets).
   b. Anonymity-enhanced transactions.
3. The “sunrise issue,” which is defined as transactions with VASPs in jurisdictions that are not yet subject to travel rule requirements. must be addressed in VASPs’ policies.

Panel Discussion

Schwartzman then brought the conversation to the panelists to gather additional insight on some of the implications VARA’s implementation of the Travel Rule has in relation to their respective areas of expertise. 

Relationship Between Travel Rule and Blockchain Analytics

Thandi discussed the complementary relationship between Travel Rule and Blockchain Analytics. Thandi stated that the often pseudonymous and ubiquitous nature of virtual assets often creates challenges for VASPs in identifying illicit transfers. Prior to the extension of the Travel Rule to VASPs, many VASPs across the world have been using blockchain analysis to gather intelligence on illicit on-chain activity to comply with regulations, which does not include any Personal Identifiable Information (PII) on individuals. As Travel Rule requirements are strengthened across jurisdictions, VASPs will be required to provide PII of the sender and recipient of transactions. This additional information helps to close the loop when it comes to ambiguity with transactions and can provide the clarity that VASPs need to understand and manage the risk.

Counterparty Due Diligence and Risk Management in VARA Rulebooks

Angulo discussed the role of counterparty due diligence and risk management as set forth in VARA rulebooks. She highlighted VARA’s explicit approach to outlining risk management requirements. The Compliance and Risk Management Rulebook sets forth the requirement that VASPs establish and maintain an effective risk management function, policies and procedures, and risk measurement and reporting methodologies. The guidance identifies key types of risks that VASPs are required to manage, and specifically lists outsourcing and counterparty risks. This aligns with the Travel Rule requirement that VASPs complete risk-based due diligence on counterparties prior to engaging in any transaction. VARA guidance is straightforward in highlighting the need for VASPs to fully address their counterparty due diligence processes. VASPs have an independent obligation to assess and manage this counterparty risk.

Challenges for VASPs seeking VARA Licensing

Girouille discussed his experience through Komainu with the VARA MVP licensing process. He found VARA’s approach to be atypical from his experiences with other regulators. The process included open dialogues and Girouille felt VARA was receptive to the challenges that Komainu faced. Girouille expressed that the main challenges have been on the operational aspects of Travel Rule compliance; specifically, exchanging information with counterparties. For example, Girouille highlighted the challenges of communicating with VASPs across different systems, ensuring compliance with data protection laws across VASPs in different jurisdictions, and data retention.

Following the insight from the panel, Schwartzman opened the floor to questions. The group discussed additional challenges faced by VASPs, including cybersecurity risk concerns and General Data Protection Regulation requirements. Schwartzman concluded the discussion by emphasizing the importance of sound counterparty due diligence and counterparty risk management for VASPs seeking VARA licensure.

This webinar was organized by Notabene and was held on March 7, 2023.

Watch Webinar Recording