Race for the Travel Rule: What will be the FATF Compliance Decision?

By Kluma | InterestingCrypto | 30 Jun 2020


Since June of this year, crypto companies must comply with the “Travel Rule” prescribed by the FATF: they have to pass each other the data of users who have made transactions. This is not an easy task for cryptocurrency market players: they need to develop common standards and choose among several competing solutions intended to ensure compliance with FATF requirements. DeCenter looked into the technical difficulties of developing such a solution and the main approaches to it.

What Travel Rule requires

In June 2019, the FATF, an international organization engaged in the fight against money laundering and the financing of terrorism, issued guidance on regulating the circulation of cryptocurrencies. The document requires crypto platforms to exchange the data (names, addresses and wallet numbers of the sender and recipient) of users who have made transactions of 1,000 dollars or euros and above. These requirements apply to all Virtual Asset Service Providers (VASPs): cryptocurrency exchanges, hedge funds, and crypto services providers.

The 39 FATF member countries were supposed to implement the organization’s rules in their legislation by June of this year, otherwise they would be added to the “FATF black list”. In May 2019 a similar requirement to control user data was also put forward by the United States Financial Crimes Unit (FinCEN), but American companies had a deadline of November last year. This spring, FinCEN began to fine crypto companies that do not comply with the Travel Rule.

The requirements of the Travel Rule created a unique problem for VASPs: to comply with regulatory requirements and at the same time try to maintain user confidentiality, adhering to the core values introduced by Satoshi Nakamoto in 2008.

What should be the Travel Rule solution for crypto companies

For a year now, crypto companies have been working on a technical solution that will allow crypto platforms to comply with the requirements of the FATF and, above all, the Travel Rule. This is not an easy task: the industry had no infrastructure for complying with the requirements of FATF and FinCEN. Everything had to be created from scratch in a short time.

First of all, these solutions involve technological difficulties. Identifying the users of crypto platforms is not difficult: it is enough to introduce a KYC check. But most often it is unclear what kind of wallet the funds are going to, an exchange wallet or a personal one. It was also unclear how the platforms should exchange data about users while maintaining their confidentiality. The rush caused by the tight deadline did not help: in a short time, the design of the solution had to be thought through, its code written and tested, and an audit for compliance with FATF regulations carried out.

The FATF itself did not put forward specific requirements for the Travel Rule solution, but there was an active discussion in the industry about how it should be: centralized or decentralized, paid or not, uniform and unified, or it would be better to provide the market with several competing solutions.

In response, in June 2019 the 20 largest VASPs gathered for the V20 conference, with the participation of FATF representatives, and developed criteria that an ideal solution should meet. It should be:

Fast, easy to integrate and manage;

Inexpensive or free;

The global standard for the transfer of user data between platforms;

Compatible with all digital assets and VASPs;

Fully scalable;

Confidential regarding user data;

Protected against cyber threats;

Able to detect suspicious transactions and criminal behavior.

It should also minimize the impact of the regulator while complying with all FATF regulations and national laws, and be flexible enough to accommodate new rules.

Key Approaches to Travel Rule

About 20 solutions based on competing concepts appeared on the market over the year. Let us consider the main approaches to the problem and the resulting products.

Crypto-analogue of SWIFT. This approach involves creating a centralized data exchange service with a single API-based access point, applying the same rules to all VASPs, and using a standardized format for identifying them and exchanging information about transactions. This solution resembles SWIFT, the system for interbank information transfer and payments. It protects information from unauthorized interference, archives copies of all transmitted messages and is responsible for technical failures.

One example of this approach is the Sygna Bridge messaging platform, developed by the Taiwanese company CoolBitX. Its centralized solution allows crypto exchanges to transmit the identifiers of the sender and recipient of each transaction. The main advantage of this solution for a VASP is that the crypto platform only needs to integrate with its API once, after which it receives a unique identification code and communicates with other VASPs via a secure channel. Exchanges can identify each other when making transactions, check their origin and choose whether to accept or reject them. Sygna Bridge itself, however, does not have access to this data. CoolBitX is now testing the solution with several Japanese platforms, and is also creating a consortium, the Sygna Alliance, whose goal is to build all the necessary infrastructure.

In June, the Netherlands-based ING Bank announced the development of a protocol for Travel Rule compliance, the Travel Rule Protocol (TRP). The solution is based on REST (“representational state transfer”) and also resembles the SWIFT architecture. ING Bank currently does not consider transactions with cryptocurrencies, but will focus on security tokens and similar products. This is the first case of a bank developing a solution in this area. The solution was supported by the British bank Standard Chartered Bank, Fidelity Digital Assets, BitGo, Crypto Broker AG, Metaco, 21 Analytics and several other crypto companies.

Solutions with a certification authority. This approach also involves a common standard and the use of an open API, but through a decentralized peer-to-peer connection without a central authority. This system is similar to how websites work, and the overall architecture is the same as that of the SSL protocol.

For identification, a public key infrastructure and a system of certificates are used. Certificates are structures containing information about the owner of the public key, which allow the parties to exchange data without connecting to each other. In essence, this is a digital signature confirming the identity of the sender and containing basic data about it. After issuance, the certificate can no longer be changed, otherwise it will become invalid. Certificates are managed and exchanged through a Certification Authority (also known as a Certificate Authority). The sender VASP creates a transaction certificate that contains information about the transaction. The certification authority checks it and passes it on to the recipient VASP, which in turn must confirm that it really received the transaction. To simplify the work, a catalog of trusted VASPs is also formed.

One example of this approach is Netki's open source solution, TransactID. It has existed as a digital identity service since 2016, but has been updated to meet FATF requirements. TransactID is based on the most common form of certificate, X.509, which is used to verify ownership of a website or to exchange identification information; in this case, it is responsible for identifying the sender and recipient in the transaction. The X.509 certificate contains personal information of each party, as well as a public key, which is signed by the Certification Authority and confirms the authenticity of the party’s identity for its counterparty. X.509 has been in use since 1988 and is widely recognized by government and regulatory authorities as a legally valid form of identification. According to the developers, this simplifies its adoption. For companies that use Netki certificates, the solution is paid: about $1 per user, in addition to other setup and licensing costs, and there are no transaction fees. To manage the solution, it is expected that some kind of global non-profit structure will need to be created, similar to the one that manages SSL certificates.

The analytics provider CipherTrace, in partnership with the Shyft Network, has created a coalition of crypto companies to develop a Travel Rule compliance solution: the Travel Rule Information Sharing Alliance (TRISA). The solution of the same name helps VASPs comply with FATF requirements without changing the underlying blockchain protocol, exchanging transaction data privately. The test network was launched in January 2020. TRISA allows VASPs to agree on rules, share data and meet the requirements of several jurisdictions and data protection regulations, including the EU General Data Protection Regulation (GDPR). Due to its high scalability, the standard is resistant to security threats, such as DDoS attacks.

TRISA uses a public key infrastructure (PKI), a combination of symmetric and asymmetric encryption (private and public keys). PKI allows a VASP to first verify the recipient of the data and only then transmit it. Special “know your VASP” certificates were developed for the solution.
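The check described in the two passages on certificates above (a certificate changed after issuance becomes invalid, and the recipient is verified before any data is transmitted), shown as an added Go example that is not code from TRISA, Netki or the original article. The CA name, the VASP name and the functions issue, mayRelease and scenario are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and certificate for cn; a nil parent yields a self-signed CA root.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der, key
}

// mayRelease returns nil only if the certificate chains to a CA in the trusted directory.
func mayRelease(directory *x509.CertPool, der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: directory, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// scenario (constructed names): genuine certificate, a copy edited after issuance, an impostor.
func scenario() (genuine, edited, impostor error) {
	caDER, caKey := issue("Constructed VASP Directory CA", nil, nil)
	ca, _ := x509.ParseCertificate(caDER)
	directory := x509.NewCertPool()
	directory.AddCert(ca)
	good, _ := issue("beneficiary-vasp.example", ca, caKey)
	changed := bytes.Replace(good, []byte("beneficiary"), []byte("beneficiarx"), 1)
	fake, _ := issue("beneficiary-vasp.example", nil, nil) // self-signed, not issued by the CA
	return mayRelease(directory, good), mayRelease(directory, changed), mayRelease(directory, fake)
}
func main() { fmt.Println(scenario()) }
```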

TRISA is an open source platform. Software vendors can modify its code or extend software to integrate with their applications. The basic use of TRISA as open source software is free, the company only charges for advanced services: configuration, security and maintenance. Since the project is open, TRISA also does not monopolize this right.

Back in March, TRISA was announced by Binance. At the end of June this year, TRISA announced cooperation with more than fifty crypto companies, as well as integration with the recently launched Ripple PayID payment service.

Blockchain solutions. This approach assumes compliance with the “Travel Rule” based on blockchain protocols.

The most famous example is the Swiss OpenVASP, launched at the end of 2019 by Bitcoin Suisse in collaboration with the Lykke exchange and the crypto banks Seba and Sygnum. OpenVASP is an open source decentralized protocol. According to the developers, decentralization will allow the project to avoid the vulnerability of a single point of failure, central servers and directories. The OpenVASP team is now encouraging companies to build a solution on Whisper, the Ethereum protocol that allows users to exchange messages on the same network as the blockchain. But the team does not insist on this choice and notes that other messaging systems that meet the necessary requirements can be used.

User identification in OpenVASP occurs through smart contracts with public keys. Whisper uses so-called "dark routing" to hide the contents of messages and information about the sender and recipient from third-party observers (this is similar to anonymous browsing using Tor). As a result, an outside observer cannot tell how two VASPs interact with each other.

OpenVASP developers are currently negotiating with many major exchanges, including Binance, Kraken and Bitstamp.

Unified data exchange standard already developed

One of the problems in developing a solution to comply with the Travel Rule was the need to establish a uniform standard for the entire industry, so that any VASP could work with any other VASP without violating the requirements of regulators.

The United States Digital Chamber of Commerce (CDC), the World Digital Finance Organization (GDF) and the International Association of Digital Asset Exchanges (IDAXA) have created a joint working group to develop it. In May of this year, it introduced a single standard for the data that VASPs should share with each other: InterVASP 101 (IVMS101). It makes it possible to identify anonymous senders and recipients of cryptocurrencies by automatically attaching data about them to each transaction.

This makes it possible not only to comply with the requirements of the regulators, but also to significantly reduce the number of possible errors and the costs. IVMS101 received support from Sygna Bridge, TRISA, Notabene, Securrency, and OpenVASP.

Finally

So far, the choice of a specific solution depends on the VASP, its jurisdiction, registration and existing partnerships. Regulators have not yet spoken out in favor of any one of the solutions.

For example, the head of the EXMO crypto exchange, Sergey Zhdanov, said that his exchange had previously used the CipherTrace solution to verify transactions and has now switched to TRISA. “If FCA [the British regulator] arranges this service, I think we will most likely use it because we like the partnership with CipherTrace,” Zhdanov said.

After a year of actively searching for solutions, the industry has not come to a unified approach. Most likely, at first there will be competition on the market between several standards for a Travel Rule solution. But in the end, the main players will come to a common standard, and the competition will move to the suppliers of this solution.

Sergey Zhdanov illustrated the convenience of, and even the need for, a common standard with an example from practice: “Like any large cryptocurrency company, we often encounter fraud. For example, when Bithumb was hacked, most of the stolen $18 million flowed onto EXMO. We blocked absolutely all funds thanks to a very strong compliance team and only then received a message in a closed “exchange” chat in Telegram, in which there are representatives of absolutely all major exchanges, with a request to block funds on wallets. The market absolutely definitely needs a certain unified standard, which will allow us to identify and block fraudsters much more successfully and faster than in correspondence on Telegram.”
