Table of Contents
- Introduction
- What is expected of an ideal Travel Rule solution?
- What is required of an ideal Travel Rule solution?
- The 3 types of Travel Rule solutions
- How do Alliance Networks, Certificate Authorities and Blockchain-based Protocols differ?
- Conclusion
1. Introduction
In June 2019, the Financial Action Task Force (FATF) issued the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
To comply with the updated Recommendation 16 on Wire Transfers, its 200+ associated member countries now need to ensure that domestic virtual asset service providers (VASPs) like exchanges share beneficiary (recipient) and originator (sender) transmittal information with each other, much like in traditional finance. The deadline? June 2021.
These disruptive changes delivered a devastating surprise to a cryptocurrency industry largely unprepared for such a strong regulatory response.
Up until this point, VASPs hoped that the Know-Your-Customer (KYC) and Know-Your-Transaction (KYT) measures they were taking to identify clients and transaction origins, respectively, would be enough to stave off the authorities a bit longer.
Yet, a 2019 report stated that two-thirds of the world’s top 120 VASPs had inadequate AML/KYC systems in place, likely due to the cost and time associated with managing this vital compliance process.
With no existing technology or protocol in place (by design) to counter the pseudonymous nature of virtual assets, and the industry severely lacking global standards and strong industry bodies, the race began for innovative enterprises to come up with cost-effective solutions that could connect exchanges and other financial institutions to help them avoid the future wrath of authorities.
2. What does the FATF expect from Travel Rule Solutions?
The newly updated Recommendation 16 states that countries should make sure that local VASPs collect required beneficiary and originator information during virtual asset transfers and share it with counterparts and authorities when required.
In its June guidance, the FATF made it clear that it was technology-agnostic and had no preference for whether the industry implemented existing or new technologies to help VASPs comply with the new requirements. According to Tom Neylan, senior FATF policy analyst, the task force wanted to establish a level playing field that avoided “regulatory arbitrage” and pushed member countries to improve their cryptocurrency policies.
The FATF even name-dropped current technologies that could be utilized in Travel Rule solutions, such as:
- Application Program Interface (API)
- Transport Layer Security/Secure Sockets Layer (TLS/SSL)
- X.509 certification
- Public Key Infrastructure (PKI)
The FATF further maintained that it was aware of the compliance difficulties facing both countries and VASPs. Countries have to understand cryptocurrency technology, a still radically new concept, while VASPs need to understand and adhere to the financial rules in their sector. Ultimately, it is up to the industry to create technology that can meet the FATF’s information-sharing requirements.
3. What is required of an ideal Travel Rule solution?
While the crypto industry and the FATF have been at loggerheads all year about the new regulations, there are certain things all parties and observers can agree on in regards to any Recommendation 16 solution.
Here are 10 industry requirements for an R.16 Travel Rule solution.
An R.16 solution should:
- be quick to implement
- be easy for VASPs to manage
- be affordable or free
- be compatible with all virtual assets and VASPs
- be fully scalable
- protect user data privacy rights
- be secure against threats like DDoS attacks
- be flexible enough to absorb future regulations
- share accurate data with the right party
- be able to identify suspicious transmittals and dissuade illicit behavior
4. What types of R.16 Travel Rule Solutions are currently in the market?
Since June 2019 there has been a robust debate on what an ideal solution should look and behave like. Self-regulated organizations (SROs) worldwide have been convening regularly with regulators and other stakeholders and weighing their options.
A handful of companies, most of them experts in their areas, have raised their hands to help the VASP industry with unique solutions. As this is new ground for virtual assets, the technology underlying these pioneering compliance tools differs tremendously and can be very hard to compare, let alone understand.
The leading Travel Rule solutions can broadly be split into one of 3 categories:
- Alliance Network
- Certificate Authority
- Blockchain-based Protocol
Solution Type 1: Alliance Network (Sygna Bridge)
To ensure that the same rules apply to all VASPs and that a standardized format is used to identify VASPs and share transaction information, Sygna Bridge has been developed as a messaging platform that will allow VASPs to share encrypted transmittal information with each other securely and privately.
An alliance network requires a degree of centralization to verify that all members are above board, have the necessary KYC systems in place and in essence, that they are who they say they are and are “safe” to do business with.
This type of alliance network is already well-established in the traditional banking industry thanks in part to SWIFT requirements for cross-border payments.
While a centralized solution like Sygna Bridge might initially raise data security and privacy concerns, the reality is in fact quite the opposite.
The Sygna Bridge messaging platform is highly resistant to DDoS attacks, has no access to decrypted private user data, and best of all, each VASP who wants to use Bridge needs to only integrate with its API once, in order to connect with other VASP members in a private and privacy-secure channel.
Solution Type 2: Certificate Authority (Netki, CipherTrace)
Certificate Authority (CA) solutions are open-source frameworks that exchange transaction identity information between counterparties via encrypted peer-to-peer (P2P) technology.
Netki’s TransactID, X.509 and BIP75 explained
The blockchain identity company Netki’s Travel Rule compliance solution TransactID is built on its Bitcoin Improvement Protocol (BIP) 75, a P2P protocol it developed in 2016 for custodial and non-custodial wallets. In response to the Travel Rule, Netki recently tweaked its offering to also issue X.509 certificates.
The X.509 certificate format, first used in 1988, is an old cryptographic standard that is essential to several Internet protocols, most notably Transport Layer Security and Secure Sockets Layer (better known as TLS/SSL), where it is used to issue the security certificates for the HTTPS protocol, currently a near-mandatory requirement for any website.
In Netki’s Travel Rule solution, the certificates are used to identify a crypto transaction’s originator and beneficiary parties, without the need for either party to connect with the other. The X.509 certificate holds each party’s Personally Identifiable Information (PII) as well as a public key which is signed by the Certificate Authority and validates the authenticity of the party’s identity to its counterparty.
CipherTrace and Shyft launch PKI-based TRISA
Blockchain analytics company CipherTrace, better known for its KYT investigations, has also proposed a Certificate Authority solution to help VASPs comply with the Travel Rule.
Its open-source Travel Rule Information Sharing Architecture (TRISA) framework, developed in partnership with the virtual identity company Shyft Network, aims to help VASPs comply with the FATF R.16 without altering the underlying blockchain protocol or adding additional costs for VASPs to absorb.
TRISA is a reference implementation that demonstrates the protocol’s capabilities and its scalability. According to the company, TRISA helps VASPs to share transaction information privately and thanks to its high scalability, the standard is resistant to security threats such as DDoS attacks.
The TRISA standard is free for exchanges to use as open-source software; however, enhanced services such as validation, security and revocation services offered by CipherTrace come with a price tag. Thanks to its vendor-neutral governance model, any third party can theoretically offer these services.
TRISA’s Public Key Infrastructure (PKI)
TRISA uses the Public Key Infrastructure (PKI) framework, a combination of symmetric and asymmetric (private and public key) encryption, to allow VASPs to first verify their counterpart’s target identity and then transfer the required transmittal data confidentially.
Its P2P-based VASP Address Confirmation Protocol uses a pair of private and public keys to minimize the risk of sending the required PII data to the wrong party, by checking that the recipient public address is owned by the claimed beneficiary party.
Once it has validated the recipient’s identity, it approves the sending of the PII over a peer-to-peer API connection.
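The two-step check described for the certificate-based solutions above (trust the counterparty's CA-signed X.509 certificate, then require proof that it controls the certified key before any PII is sent) can be sketched as follows. This is an added example, not Netki's or TRISA's code or wire protocol; the function names, the Ed25519 keys, the challenge format and the sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Illustrative helper (hypothetical name): issue returns a certificate for pub; a self-signed CA when parent is nil.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// ReleasePII returns pii only if cert chains to root, names the claimed beneficiary, and its key signed this challenge.
func ReleasePII(root, cert *x509.Certificate, claimed string, challenge, sig []byte, pii string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if cert.Subject.CommonName != claimed || !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", fmt.Errorf("counterparty did not prove it is %q", claimed)
	}
	return pii, nil
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	root, msg := issue("Example CA", caPub, nil, caKey), []byte("nonce-7f3a|constructed-address") // constructed sample
	fmt.Println(ReleasePII(root, issue("Beneficiary VASP", pub, root, caKey), "Beneficiary VASP", msg, ed25519.Sign(key, msg), "originator PII"))
}
```

Binding the challenge to a fresh nonce and the destination address means a signature captured from one transfer cannot be replayed to unlock PII for another.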
Solution Type 3: Blockchain-based Protocols (OpenVASP)
Blockchain-based protocols aim to solve the Travel Rule “in-house”, by utilizing blockchain features such as decentralization, privacy, cost-effectiveness, and scalability.
The most well-known current example is the OpenVASP protocol, launched in late 2019 by a working group of blockchain organizations from around the world.
OpenVASP is, as its name implies, an open-source protocol that intends to facilitate “robust compliance for VASPs, solely based on a set of principles, regardless of jurisdiction or virtual asset and without membership or registration with a centralized third-party.”
The OpenVASP alliance is however open to any technical R.16 solution that can meet their manifesto’s requirements. At present, OpenVASP is encouraging companies to develop a solution based on Ethereum’s Whisper protocol, which allows users to exchange messages on the same network that the blockchain runs on.
What differences should be considered between the Travel Rule technical solutions?
Comparing the aforementioned solutions with each other can at times be as effective as comparing apples and oranges. Almost every solution offers significant regulatory fixes to VASPs, but also carries perceived weak points. However, a few points of distinction stand out.
| | Alliance Network | Certificate Authority | Blockchain-based protocol |
| Core Tech | Cloud-based messaging platform with back-end services | Open-source certificate frameworks (X.509) | Blockchain-based protocol |
| Architecture | Centralized messaging service | Decentralized peer-to-peer connection | Decentralized P2P connection |
| Comm Channel | DDoS-proof API; single endpoint connects all VASPs to share PII in private | P2P-based: VASPs exchange PII 1-to-1 over a public API | P2P database; open to any solution (such as Whisper) |
Centralization vs Decentralization
The majority of cryptocurrency supporters cite the decentralized nature of digital assets as a major strength. Centralization is viewed as an outdated business practice that is inefficient, expensive and usually leads to exploitation. Does the same apply to the ideal Travel Rule solution though?
First off, let’s take a step back and acknowledge that importantly, VASPs themselves are centralized businesses. Exchanges onboard customers and require custody of their trading funds, which they protect in their own offline or online (“hot”) wallets.
Therefore, one could argue that VASPs, in turn, require a solution that is similarly centralized. Though much-maligned, centralized solutions, if done right, present a host of benefits such as better security and support, and are also pliant enough to respond to market needs quickly as they arise, as there’s no need for mass consensus to push through changes.
Decentralized solutions, on the other hand, can be difficult and slow to adapt to change, as Bitcoin and Ethereum hard forks have shown in recent times. Just because a decentralized Travel Rule solution fits the narrative, it doesn’t automatically make it a correct option. For example, a certificate authority also needs to keep its certificate authentication data on a server.
As long as a centralized Travel Rule solution such as an alliance network adheres to the necessary requirements, such as protecting data privacy, it shouldn’t matter. The best solution should be used.
Free vs Affordable
Some Travel Rule solutions offer their technology for free, likely in the hope of gaining quick traction and winning over smaller VASPs on a budget. However, there’s no such thing as a free lunch, as economists will tell you. VASPs will have to develop the software, integrate the API with their platforms, and then find a way to connect with trustworthy VASP counterparties after they’ve verified their identities and track records, all of which will add up in cost.
Profit provides the bedrock of capitalism. It incentivizes innovation and ensures continuous improvement and adaptation in the fight for survival. With the industry and regulators so often at odds with each other, an impartial mediator without any skin in the game might be the middle way to fast-track regulatory changes and minimize their impact on VASPs.
Implementation: All-for-One vs One-by-One
The Travel Rule places the onus on compliant VASPs to make sure that they are only dealing with other compliant counterparties. They need to demonstrably be able to verify that a counterparty’s identity is real and that its funds haven’t consciously been tainted by crime.
With thousands of VASPs operating worldwide, many in near obscurity, this will be incredibly difficult to achieve with decentralized options like Certificate Authority. Here’s why: A P2P connection requires VASPs to create a public API and integrate one-by-one with other VASPs to exchange API keys or authentication information. This means that VASPs will have to invest a lot of money, time and resources into completing AML/KYC and setting up arrangements with other VASPs on an individual basis.
Compare this for example with an alliance network option like Sygna Bridge, which only requires a single and DDoS-proof private API endpoint to connect all VASPs with each other, of course after they’ve been verified through enhanced KYC and due diligence checks.
Not only this, but decentralized solutions are unlikely to offer integration support free of charge, and there might be a recurring issue of poor customer support for VASPs having technical issues, which could very well sink any exchange with a reasonable following on social media for example.
Conclusion
The 2008 financial crisis provided the genesis for blockchain and cryptocurrency, two paradigm-shifting technologies that promised a better financial future for the world. Disruptive change is never simply linear but requires consistent and frequent iterations to reach its desired destination.
In 2020, the young virtual asset industry has had the opportunity to start the journey towards establishing a trustworthy alternative asset class for mainstream finance. With the type of initiative shown by the solutions discussed in this article, regulations need not be the death knell for the industry.
In fact, considering the massive changes that virtual asset ownership and adoption will undergo in the coming decade, and the increasing favor that compliant cryptocurrencies will find with institutional investors, they mark a new beginning.
Written by Werner Vermaak
(updated in August 2020)
About CoolBitX and Sygna Bridge
CoolBitX’s Sygna Bridge is a first-to-market travel rule solution and alliance network that is live and being used by our VASP partners to share compliant originator and beneficiary transmittal information.
Sygna Bridge completed a successful production test report (Big 4 audited) earlier this year, which was presented to the FATF Contact Group in May 2020. Sygna Bridge now also supports the IVMS101 messaging standard.
CoolBitX has signed MoUs with 18 VASPs worldwide and recently joined forces with Elliptic in a combined quest to help crypto companies comply with the FATF Standards.