Sri Lanka -- Travel Rule Implementation Regulatory Overview

Sri Lanka has taken significant steps to implement the FATF Travel Rule, primarily through directives issued by its Financial Intelligence Unit (FIU).

Here's a detailed breakdown of the status:

1. Whether Adopted: Yes, Sri Lanka has officially adopted measures to implement the FATF Travel Rule. This was achieved through a specific directive issued by the FIU of Sri Lanka.

2. Effective Date: The primary directive, FIU Directive No. 01 of 2023 on Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Obligations for Virtual Asset Service Providers (VASPs), was issued in July 2023 and came into effect from that date.

3. Threshold Amounts: The directive mandates the collection and transmission of originator and beneficiary information for virtual asset transfers under specific conditions:

• For domestic transfers between VASPs: Information must be collected and transmitted for transactions equal to or exceeding LKR 150,000 (approximately USD 470-500, depending on the current exchange rate).
• For cross-border transfers between VASPs: Information must be collected and transmitted for all transactions, with no de minimis threshold.
• For transfers to/from unhosted wallets (private wallets): VASPs must also conduct due diligence and risk assessments, regardless of the amount, and collect relevant information to the extent possible, especially for higher-risk transactions.

4. Which VASPs are Covered: The FIU Directive No. 01 of 2023 defines a Virtual Asset Service Provider (VASP) broadly, in line with FATF recommendations. It covers any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

• Exchange between virtual assets and fiat currencies.
• Exchange between one or more forms of virtual assets.
• Transfer of virtual assets.
• Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.
• Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

This effectively covers entities such as cryptocurrency exchanges, custodian wallet providers, and certain brokers operating in Sri Lanka.

5. Technical Implementation Requirements: The directive requires VASPs to:

• Collect and maintain specific information on both the originator and beneficiary of a virtual asset transfer.
  • Originator Information: Name, Virtual Asset Account Number (or wallet address), physical address (or national identity number/passport number/customer identification number), and the specific virtual asset (e.g., Bitcoin, Ethereum) and amount.
  • Beneficiary Information: Name, Virtual Asset Account Number (or wallet address), and the specific virtual asset and amount.
• Transmit this information to the beneficiary VASP (or to the originator VASP in the case of an incoming transaction) immediately and securely with the transaction.
• Verify the accuracy of the collected information.
• Implement robust record-keeping systems to store transaction data and originator/beneficiary information for at least five years.
• Monitor transactions for suspicious activity and report such activities to the FIU.
• Conduct due diligence on customers (KYC) and implement risk-based AML/CFT controls.

While the directive does not prescribe a specific technical solution (like TRISA, TRAVELER, etc.), it mandates the secure and immediate transmission of the required data. VASPs are expected to adopt interoperable solutions that enable this.

6. Penalties for Non-Compliance: Non-compliance with AML/CFT obligations, including those related to the Travel Rule, can lead to severe penalties under Sri Lankan law. These penalties are typically covered under the broader Financial Transactions Reporting Act No. 6 of 2006 and the Prevention of Money Laundering Act No. 5 of 2006, as amended.

Penalties can include:

• Fines: Significant monetary penalties for institutions and individuals.
• Imprisonment: For individuals found guilty of serious offenses.
• Suspension or Revocation of Licenses/Registrations: The FIU or other regulatory bodies may suspend or revoke the operating license or registration of a non-compliant VASP.
• Reputational Damage: Public disclosure of non-compliance can severely damage a VASP's reputation.

Relevant Legislation/Guidance with URLs:

• FIU Directive No. 01 of 2023 on AML/CFT Obligations for Virtual Asset Service Providers (VASPs):

  • https://www.fiusrilanka.gov.lk/docs/directives/DIR-01-2023-VA-VASPs.pdf (Direct PDF link)
  • You can often find it linked from the main FIU Sri Lanka website: https://www.fiusrilanka.gov.lk/ (Navigate to "Directives")

• Financial Transactions Reporting Act No. 6 of 2006:

  • While a direct government gazette link might be hard to find without specific legislative databases, it's the foundational act. You can find references on the FIU site.

• Prevention of Money Laundering Act No. 5 of 2006:

  • Similar to the FTRA, this is a foundational act.

In summary, Sri Lanka has a clear regulatory framework for the FATF Travel Rule for VASPs, with specific requirements for data collection, transmission, and record-keeping, backed by existing AML/CFT penal provisions.