Inside the Standards Race for Implementing FATF’s Travel Rule

shutterstock_305873375-scaled
4 February 2020

The Takeaway:

  • Crypto businesses are figuring out how to comply with the Financial Action Task Force’s “Travel Rule,” where all crypto transactions above a certain amount must be accompanied by identifying information.
  • Competing visions for the technical implementation have emerged, though there appears to be general agreement on the need for messaging standards.
  • Legal and operational issues will be as challenging as putting technical solutions in place.
  • The FATF is set to kick the tires of a range of proposed tech solutions in June 2020.

Imagine SWIFT’s interbank messaging system but for crypto.

Hardcore blockchain libertarians would probably rather not. But firms that deal in cryptocurrency have been asked to abide by the so-called “Travel Rule,” and the clock is ticking.

Although it goes against the grain to shoehorn an identity layer onto a technology specifically designed to be pseudonymous, firms have no choice if they want to abide by the law. The shape and form this will take is something the industry must agree on, and fast.

In June 2019, the Financial Action Task Force (FATF), the global anti-money laundering (AML) watchdog, updated its guidance to explicitly state that virtual asset service providers, or VASPs, must share sender (originator) and receiver (beneficiary) information in cryptocurrency transactions above a certain threshold.

With the one-year mark fast approaching, the FATF will review progress on Travel Rule solutions at its June 2020 plenary meeting

Meanwhile, U.S. regulator FinCEN issued its version of the regulation pertaining to VASPs in May 2019, stating that firms had 180 days to get their houses in order. This means the Travel Rule now carries the weight of law regarding U.S.-based VASPs. (VASPs are businesses that conduct the exchange, transfer or safekeeping of virtual assets, as well as activities relating to issuing or underwriting virtual assets.)

There are differences of opinion over the best technical solution, with some favoring a blockchain-based approach and others not. Equally challenging are the operational and legal hurdles crypto exchanges face in rolling out a compliant system en masse.   

To DLT or not to DLT?

There are two parts to the problem. First, there needs to be some means of identifying VASPs. This could be broadly equivalent to the Bank Identifier Code (BIC) used by SWIFT or something like the International Bank Account Number (IBAN) system. 

The second part of the problem concerns data transmission. The ideal solution crypto businesses and industry groups are working towards would be a standards-based and interoperable message layer between VASPs, allowing identity, authentication and messaging to be pinned onto blockchain transactions.

There are some 20-plus solutions being built to tackle the problem. Some are relatively small-scale commercial endeavors, while others involve groups of participating firms and behave more like open protocols.

Some of the offerings mentioned in the working group arena include Bitcoin Suisse’s OpenVASP, CipherTrace’s TRISA, Sygna Bridge, Netki, Shyft and KYC Chain. Dedicated crypto-sleuthing firms including Elliptic, Coinfirm and Chainalysis have all been working on this as well. Indeed, Chainalysis recently hired former FinCEN staffer Mike Mosier to help build Travel Rule capabilities.

There are proposals that favor a more traditional battle-tested approach – such as having a centralized global registry of VASP addresses as a necessary trust anchor – and then there are the solutions taking a more decentralized approach, involving blockchains or DLT.

“The assumption that blockchain must have the solution to something that is a blockchain problem may not necessarily be true – as desirable as that may be for folks at an aspirational level, philosophically,” said Siân Jones, senior partner at XReg Consulting and convener of the Joint Working Group for InterVASP Messaging Standards (JWG-IVMS).

Malcolm Wright, head of the AML Working Group at trade group Global Digital Finance said his view (and the view of some regulators) is there needs to be more than one tech provider. 

“So it might be that Coinbase chooses Tech Provider A; Binance uses Provider B,” he said. “So we end up with a matrix, with smaller exchanges copying the larger ones they want to work with.”

Turning to ethereum

Switzerland’s OpenVASP project is what you might expect from a country that’s relatively advanced when it comes to meeting FATF recommendations, and has even gone beyond them in some respects.

The project is helmed by Bitcoin Suisse and also includes Lykke exchange and crypto banks Seba and Sygnum. The Swiss have taken a practical approach, building a solution the industry can start using as quickly as possible.

A key design principle for OpenVASP is decentralization, which means avoiding the mistakes of the past, say its developers, like having a single point of failure, central servers and directories. In order to achieve decentralization where it’s deemed desirable, OpenVASP is leveraging a selection of features from ethereum.

For instance, at its messaging layer, OpenVASP proposes using Whisper, ethereum’s off-chain peer-to-peer messaging system. (To be clear, the OpenVASP white paper points out other messaging systems can be used.)

Whisper employs so-called dark routing to obscure message content and sender and receiver details to observers, a bit like anonymous web browsing using Tor, making it a neat way to meet privacy requirements.

“This means that nobody would be able to understand that two VASPs are interacting with each other,” said David Riegelnig, head of risk management at Bitcoin Suisse. “With respect to competitiveness, it should be nobody’s business to know which VASPs interact, as long as the VASPs comply with their Travel Rule requirements and can do their sanctions checks screening and so forth.”

Who’s in charge?

The addressing and authentication parts of the OpenVASP solution use ethereum’s decentralized public key infrastructure, meaning the VASP must deploy a smart contract that represents identity on the blockchain. Using smart contracts on ethereum creates a blockchain public key directory for the VASP and an IBAN-like numbering format: the virtual asset account number (VAAN).

“The alternative could be a global directory of VASPs with their public keys, which sounds very simple,” said Riegelnig. “But then you have to ask, ‘In which country is this server going to stand? In which jurisdiction? Who controls it?’ And so on.”

Obviously there are going to be people who are concerned that OpenVASP is tied to ethereum, Riegelnig said. “They think it’s everything on the blockchain. But the only thing we actually use on ethereum is the smart contract where you store the public key,” he said. “Then these concerns tend to get much smaller.”

OpenVASP said it is in talks with all the big exchanges and named Binance, Kraken and Bitstamp as three that are looking at its solution. Having read the other white papers, Riegelnig said that, with the possible exception of very centralized commercial projects, they all involve some intangible parts that are basically high-level ideas.

Riegelnig said OpenVASP was “on the same page” as CipherTrace when it comes to exchanging end-to-end encrypted messages and not having a persistent blockchain data layer. But elsewhere there are shortcomings, he said.

“They [CipherTrace] somehow still rely on blockchain addresses as the identifier between VASPs. That is not very practical because public blockchain addresses change all the time,” said Riegelnig. “When you have a client and you want to transfer crypto to other VASPs, it’s much easier if you can refer to this client or their account by a client number, instead of an ever-changing blockchain address number.”

Disagreements

CipherTrace’s TRISA uses public key infrastructure (PKI) and certificate authorities. A “know-your-VASP” certificate would be sent from the exchange originating a transaction to the one receiving it. These certificates would be verified through a trusted third-party certificate authority.

CipherTrace Chief Financial Analyst John Jefferies pointed out that while a certificate authority might be controlled by a central entity, there are typically multiple distributed instances and therefore does not constitute a single point of failure.

“By avoiding global directories, OpenVASP is also avoiding known good security, and betting the whole thing on the ethereum blockchain,” said Jefferies.

“The thing about public key is that there are a lot of service providers and there can be numerous competing service providers. So while it’s not like the one grand VASP PKI in the sky, if one comes and another goes then people can change and they can adopt those certificates,” he said.

As far as interoperability is concerned, ethereum keys on OpenVASP can be supported by PKI, said Jefferies: PKI is extensible so the two approaches are not mutually exclusive. This speaks to a wider issue. 

“Switzerland has some strict rules, but they don’t have a lot of interoperability with the U.S., and so I think the interoperability in this case is an important component,” Jefferies said.

‘SWIFT for crypto’

While firms duke it out for the best technical solution, agreeing on a standard format to handle the message payloads will simplify things, at least on one level.

“The timeline could be dramatically reduced and the costs minimized if there was an open standard, like ISO or IEEE standards,” said Jones of the InterVASP group. This would be a common universal language for the transfer of data, regardless of any national legislation, and regardless of which technological solution the VASP plugs into, she said.

The InterVASP group has been joined by a coalition of trade bodies including Global Digital Finance, the Chamber of Digital Commerce and the International Digital Asset Exchange Association (IDAXA). The goal of the InterVASP group is to have a standard in place and ready for adoption by May 8, during New York Blockchain Week.

Standardizing the underlying messaging packet is a good path to follow, said Wright of Global Digital Finance. In situations like this, something as simple as date of birth, for example, might cause problems, Wright said. DOBs could be in U.K. format, U.S. format or long-form actual format.

“If every provider chose its own format, the cost of actually deciphering it on receipt and then making sure you have accurately transposed it is quite significant,” he said. “So having even the simplest of things like that in a format that makes sense goes a long way to standardize the industry.”

Wright acknowledged the stigma around the idea of a “SWIFT for crypto,” which instantly raises hackles. “If you’ve got the same order of fields and the same name of fields, and you know how to deal with transliteration and so forth, all agreed by the industry, then that part of SWIFT, in essence, is a reasonable thing,” he said.

Call the lawyers

Exchanging personal data between VASPs in different parts of the world could require detailed legal frameworks in order to not run afoul of regulations like GDPR, said Coinfirm CEO Pawel Kuskowski.

For this reason, Coinfirm, which has also formed a working group and claims to have government backing for that endeavor, has pulled in Gibraltar-based crypto lawyer Joey Garcia, partner at ISOLAS LLP, and London-based Dean Armstrong QC, head of chambers at the 36 Group.

Coinfirm is using a high-throughput permissioned blockchain for writing the “fingerprint” of a compliant transaction, built on the enterprise-grade DLT Hyperledger Fabric. The latter employs a private channel architecture, which has been compared to private message channels on Slack.

“There are two parts to consider when you are talking about the Travel Rule,” Kuskowski said. “One is part is technological and the other is regulatory. Really anyone who is touching this has to have someone from the legal space.”

Jefferies of CipherTrace said solving the technical challenge is not any greater than the operational hurdle, or “sunrise problem” of switching on the system for 500 VASPs at once.

As G20 countries gradually begin to roll this out, increased jurisdictional arbitrage seems likely, he added.

“People are going to lean towards the countries with either weak implementation or enforcement,” Jefferies said. “It will be interesting to see how this scenario plays out.”