What FATF R.16 Crypto Travel Rule Solutions are Currently in the Market?

  1. Introduction
  2. What is expected of an ideal Travel Rule solution?
  3. What is required of an ideal Travel Rule solution?
  4. The 3 types of Travel Rule solutions
  5. How do Alliance Networks, Certificate Authorities and Blockchain-based Protocols differ?
  6. Conclusion

1. Introduction

In June 2019, the Financial Action Task Force (FATF) issued the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

To comply with the updated Recommendation 16 on Wire Transfers, their 200+ associated member countries now need to ensure that domestic virtual asset service providers (VASPs) like exchange share beneficiary (recipient) and originator (sender) transmittal information with each other, much like in traditional finance. The deadline? June 2020. 

The FATF's R.16 expectations of countries and VASP

These disruptive changes delivered a devastating surprise to a cryptocurrency industry largely unprepared for such a strong regulatory response.

Up until this point, VASPs hoped that the Know-Your-Customer (KYC) and Know-Your Transaction (KYT) measures they were taking to respectively identify clients and transaction origins would be enough to stave off the authorities a bit longer.

Yet, a recent report stated that two-thirds of the world’s top 120 VASPs had inadequate AML/KYC systems in place, likely due to the cost and time associated with managing this vital compliance process.

With no existing technology or protocol in place (by design) to counter the pseudonymous nature of virtual assets, and the industry severely lacking global standards and strong industry bodies, the race began for innovative enterprises to come up with cost-effective solutions that could connect exchanges and other financial institutions to help them avoid the wrath of authorities by June 2020. 

2. What does the FATF expect from Travel Rule Solutions?

The newly updated Recommendation 16 states that countries should make sure that local VASPs collect required beneficiary and originator information during virtual asset transfers and share it with counterparts and authorities when required. 

In its June guidance, the FATF made it clear that it was technology-agnostic and had no preference for whether the industry implemented existing or new technologies to help VASPs comply with the new requirements. According to Tom Neylan, senior FATF policy analyst, the task force wanted to establish a level playing field that avoided “regulatory arbitrage” and pushed member countries to improve their cryptocurrency policies. 

FATF's R.16 expectations of countries (link to Sygna.io)

The FATF even name-dropped current technologies that could be utilized in Travel Rule solutions, such as:

  • Application Program Interface (API)
  • Transport Layer Security/ Secure Sockets Layer (TLS/SSL)
  • X.509 certification
  • Public Key Infrastructure (PKI)

The FATF further maintained that it was aware of the compliance difficulties facing both countries and VASPs. Countries have to understand cryptocurrency technology, a still radically new concept, while VASPs need to understand and adhere to the financial rules in their sector. Ultimately, It is up to the industry to create technology that can meet FATF’s information-sharing requirements. 

3. What is required of an ideal Travel Rule solution?

While the crypto industry and the FATF have been at loggerheads all year about the new regulations, there are certain things all parties and observers can agree on in regards to any Recommendation 16 solution. 

Here are 10 industry requirements for an R.16 Travel Rule solution

An R.16 Solution should be:

  • quick to implement (before June 2020).
  • easy for VASPs to manage.
  • affordable or free.
  • compatible with all virtual assets and VASPs. 
  • fully scalable.
  • protect user data privacy rights
  • secure against threats like DDoS attacks. 
  • flexible enough to absorb future regulations
  • share accurate data with the right party
  • able to identify suspicious transmittals and dissuade illicit behavior

4. What types of R.16 Travel Rule Solutions are currently in the market?

Since June 2019 there has been a robust debate on what an ideal solution should look and behave like. Self-regulated organizations (SRO’s) worldwide have been convening regularly around the world with regulators and other stakeholders and weighing their options.

A handful of companies, most of them experts in their areas, have raised their hands to help the VASP industry with unique solutions. As this is new ground for virtual assets, the technology underlying these pioneering compliance tools differ tremendously and can be very hard to compare, let alone understand.

The leading Travel Rule solutions can broadly be split into one of 3 categories:

  1. Alliance Network
  2. Certificate Authority
  3. Blockchain-based Protocol
types of FATF R.16 Travel Rule solutions
FATF Recommendation 16 Travel Rule solutions

Solution 1: Alliance Network (Sygna Bridge)

To ensure that the same rules apply to all VASPs and that a standardized format is used to identify VASPs and share transaction information, Sygna Bridge has been developed as a messaging platform that will allow VASPs to share encrypted transmittal information with each other securely and privately. 

An alliance network requires a degree of centralization to verify that all members are above board, have the necessary KYC systems in place and in essence, that they are who they say they are and are “safe” to do business with. 

This type of alliance network is already well-established in the traditional banking industry thanks in part to SWIFT requirements for cross-border payments. 

Sygna Bridge messaging API

While a centralized solution like Sygna Bridge might initially raise data security and privacy concerns, the reality is in fact quite the opposite.

The Sygna Bridge messaging platform is highly resistant to DDoS attacks, has no access to decrypted private user data, and best of all, each VASP who wants to use Bridge needs to only integrate with its API once, in order to connect with other VASP members in a private and privacy-secure channel. 

Solution 2: Certificate Authority (Netki, CipherTrace)

Certificate Authority (CA) solutions are open-source frameworks that exchange transaction identity information between counterparties via encrypted peer-to-peer (P2P) technology.

Netki’s TransactID, X.509 and BIP75 explained

The blockchain identity company Netki’s Travel Rule compliance solution TransactID is built on its Bitcoin Improvement Protocol (BIP) 75, a P2P protocol it developed in 2016 for custodial and non-custodial wallets. In response to the Travel Rule, Netki recently tweaked its offering to also issue X.509 certificates. 

The X.509 certification format, first used in 1988, is an old cryptographic standard that is essential to several Internet protocols, most notably Transport Layer Security and Secure Sockets Layer, better known as TLS/SSL, to issue security certificates for the HTTPS protocol, currently a near-mandatory requirement for any website. 

In Netki’s Travel Rule solution, the certificates are used to identify a crypto transaction’s originator and beneficiary parties, without the need for either party to connect with the other. The X.509 certificate holds each party’s Personally Identifiable Information (PII) as well as a public key which is signed by the Certificate Authority and validates the authenticity of the party’s identity to its counterparty. 

Ciphertrace and Shyft launches PKI-based TRISA

Blockchain analytics company CipherTrace, better known for its KYT investigations, has also proposed a Certificate Authority solution to help VASPs comply with the Travel Rule. 

Its open-source Travel Rule Information Sharing Architecture (TRISA) framework, developed in partnership with the virtual identity company Shyft Network, aims to help VASPs comply with the FATF R.16 without altering the underlying blockchain protocol or adding additional costs for VASPs to absorb. 

 TRISA is a reference implementation that demonstrates the protocol’s capabilities and its scalability. According to the company, TRISA helps VASPs to share transaction information privately and thanks to its high scalability, the standard is resistant to security threats such as DDoS attacks.

The TRISA standard is free for exchanges to use as open-source software, however, enhanced services such as validation, security and revocation services offered by CipherTrace come with a price tag. Thanks to its vendor-neutral governance model, any third party can theoretically offer these services. 

TRISA’s Public Key Infrastructure (PKI)

TRISA uses the Public Key Infrastructure (PKI) framework, a combination of symmetric and asymmetric (private and public key) encryption, to allow VASPs to first verify their counterpart’s target identity and then transfer the required transmittal data confidentially.

Its P2P-based VASP Address Confirmation Protocol uses a pair of private and public keys to minimize the risk of sending the required PII data to the wrong party, by checking that the recipient public address is owned by the claimed beneficiary party.

Once it has validated the recipient’s identity, it approves the sending of the PII over a peer-to-peer API connection. 

CipherTrace’s Enhanced Validation protocol ( Source: Ciphertrace.com)

Solution 3: Blockchain-based Protocols (OpenVASP)

Blockchain-based protocols aim to solve the Travel Rule “in-house”, by utilizing blockchain features such as decentralization, privacy, cost-effectiveness, and scalability. 

The most well-known current example is the OpenVASP protocol, launched in late 2019 by a working group of blockchain organizations from around the world.

OpenVASP is as its name implies, an open-source protocol, which intends to facilitate “robust compliance for VASPs, solely based on a set of principles, regardless of jurisdiction or virtual asset and without membership or registration with a centralized third-party.”

The OpenVASP alliance is however open to any technical R.16 solution that can meet their manifesto’s requirements. At present, OpenVASP is encouraging companies to develop a solution based on Ethereum’s Whisper protocol, which allows users to exchange messages on the same network that the blockchain runs on.

What differences should be considered between the Travel Rule Solutions?

Comparing the aforementioned solutions with each other can at times be as effective as comparing apples and oranges. Almost every solution offers significant regulatory fixes to VASPs, but also carry perceived weak points. However, a few points of distinction stand out. 

Alliance NetworkCertificate AuthorityBlockchain-based protocol
Core
Tech
Cloud-based messaging
platform with back-end services
Open-source
certificate
frameworks
(X.509)
Blockchain-based protocol
ArchitectureCentralized messaging serviceDecentralized
peer-to-peer connection
Decentralized
P2P connection
Comm
Channel
DDoS-proof API Single endpoint connects all VASPs to share PII in private
P2P-based:
VASPs exchange
PII 1-to-1 over a public API
P2P Database
Open to any solution (such as Whisper)

Centralization vs Decentralization

The majority of cryptocurrency supporters cite the decentralized nature of digital assets as a major strength. Centralization is viewed as an outdated business practice that is inefficient, expensive and usually leads to exploitation. Does the same apply to the ideal Travel Rule solution though?

centralized vs decentralized solutions (link to sygna.io to use)

First off, let’s take a step back and acknowledge that importantly, VASPs themselves are centralized businesses. Exchanges onboard customers and require custody of their trading funds, which they protect in their own offline or online (“hot”) wallets. 

Therefore, one could argue that VASPs, in turn, requires a solution that is similarly centralized. Though much-maligned, centralized solutions, if done right, present a host of benefits such as better security, support and are also pliant enough to respond to market needs quickly as they arise, as there’s no need for mass consensus to push through changes. 

Decentralized solutions, on the other hand, can be difficult and slow to adapt to change, as Bitcoin and Ethereum hard forks have shown in recent times. Just because a decentralized Travel Rule solution fits the narrative, it doesn’t automatically make it a correct option. For example, a certificate authority also needs to keep its certificate authentication data in a server.

As long as a centralized Travel Rule solution such as an alliance network adheres to the necessary requirements, such as protecting data privacy, it shouldn’t matter. The best solution should be used. 

Free vs Affordable

Some Travel Rule solutions offer their technology for free, likely in the hopes to get quick traction and win over smaller VASPs on a budget. However, there’s no such thing as a free lunch, as economists will tell you. VASPs will have to develop the software, integrate the API with their platforms, and then find a way to connect with trustworthy VASP counterparties after they’ve verified their identities and track records, all of which will add up in cost. 

iceberg half exposed
Free solutions often come with hidden costs

Profit provides the bedrock of capitalism. It incentivizes innovation and ensures continuous improvement and adaptation in the fight for survival. With the industry and regulators so often at odds with each other, an impartial mediator without any skin in the game might be the middle way to fast-track regulatory changes and minimize their impact on VASPs. 

Implementation: All-for-One vs One-by-One 

The Travel Rule places the onus on compliant VASPs to make sure that they are only dealing with other compliant counterparties. They need to demonstrably be able to verify that a counterparty’s identity is real and that its funds haven’t consciously been tainted by crime. 

Network vs blockchain-based Recommendation 16 Travel Rule solutions (link to sygna.io to use)
Network vs blockchain-based Recommendation 16 Travel Rule solutions

With thousands of VASPs operating worldwide, many in near obscurity, this will be incredibly difficult to achieve with decentralized options like Certificate Authority. Here’s why: A P2P connection requires VASPs to create a public API and integrate one-by-one with other VASPs to exchange API keys or authentication information. This means that VASPs will have to invest a lot of money, time and resources into completing AML/KYC and setting up arrangements with other VASPs on an individual basis.

Compare this for example with an alliance network option like Sygna Bridge, which only requires a single and DDoS-proof private API endpoint to connect all VASPs with each other, of course after they’ve been verified through enhanced KYC and due diligence checks. 

Not only this, but decentralized solutions are unlikely to offer integration support free of charge, and there might be a recurring issue of poor customer support for VASPs having technical issues, which could very well sink any exchange with a reasonable following on social media for example. 

Conclusion:

The 2008 financial crisis provided the genesis for blockchain and cryptocurrency, two paradigm-shifting technologies that promised a better financial future for the world. Disruptive change is never simply linear but requires consistent and frequent iterations to reach its desired destination.

In 2020, the young virtual asset industry has the opportunity to start the journey towards establishing a trustworthy alternative asset class for mainstream finance, if it can figure out a way to play by the rules of regulators (such as R.16) and remain compliant. With the type of initiative shown by the solutions discussed in this article, regulations need not be the death knell for the industry.

In fact, considering the massive changes that virtual asset ownership and adoption will undergo in the coming decade, and the increasing favor that compliant cryptocurrencies will find with institutional investors, they mark a new beginning. 

What is the Crypto-Currency Act of 2020? (March Update)

What are the FATF’s 40+9 Recommendations and Standards?