Two key regulatory bodies recently rocked the foundation of the crypto economy with new guidance that will have major impacts on exchanges and other virtual asset service providers (VASPs). The global anti-money laundering watchdog, the Financial Action Task Force (FATF), recently updated guidance that includes a “Funds Travel Rule.” In short, the new rule requires virtual asset service providers (VASPs) to share and store sender (originator) and receiver (beneficiary) information related to A cryptocurrency (or crypto currency) is a digital asset des... More transactions. Also, in May 2019 the US Treasury’s Financial Crimes Enforcement Network (FinCEN) clarified its guidance to categorize VASPs as money service business (MSBs), which means they must now comply with the long-standing Funds Travel Rule under the Bank Secrecy Act (BSA).
G20 Makes Implementation of FATF’s Virtual Asset Guidelines a Virtual Certainty
At the close of their summit held in Osaka, Japan on June 29, finance ministers and central bankers of the G20 economic bloc formally announced their support for FATF’s updated virtual guidelines, including the Travel Rule. Subsequently, a number of major voices in the crypto economy have complained that the new rule is not only impractical given current A blockchain—the technology underlying bitcoin and other c... More technology but also antithetical to the pseudo-anonymous nature of cryptocurrencies.
At the end of their annual summit held in Osaka, Japan in June 2019, G20 finance ministers and central bank governors declared: “We reaffirm our commitment to applying the recently amended FATF Standards to virtual assets and related providers for AML and CFT.
A Compliance Conundrum
As regulators around the globe begin implementing the clarified FATF guidelines into local laws, VASPs face a huge technical challenge—how to comply with the Travel Rule in a trusted and reliable manner. According to the FATF, “… it is vital that countries ensure that providers of VA transfers—whether VASPs or other obliged entities—transmit the required originator and beneficiary information immediately and securely, particularly given the rapid and cross-border nature of VA transfers…”
Modify Blockchains or Add an Overlay Layer?
Developing a solution that will help VASPs to overcome this compliance challenge presents major technical obstacles. For example, trying to modify the existing blockchain protocols is bound to fail, as there are many different protocols, and forcing hard forks is simply not feasible.
Enforcement of a FATF Travel Rule had long been expected since February 22, 2019, when the Interpretive Note on virtual currencies was issued. IT set out implementation requirements for effective regulation, supervision, and monitoring of (“VASPs”), which is why CipherTrace has already architected a solution that enables securely sharing and storing transaction identity information without modifying the core blockchain and cryptocurrency protocols. Rather than modify existing blockchains, reference architecture creates a separate out-of-band mechanism to augment existing blockchains and cryptocurrencies for compliance purposes.
This Travel Rule Information Sharing Architecture (TRISA) applies the trusted Public Key Infrastructure to identify and verify VASPs reliably. It is similar to the way clients and servers establish trusted communication on the web and other internet applications.
A Solution Based on Proven Cryptographic Controls
The CA is the cornerstone trust for public key infrastructure (PKI), by issuing trusted digital certificates and managing, distributing, and revoking these certificates. The CA issues digital certificates that identify the entity associated with a given pubic key to ensure users are confidently working with the said entity and not a fraudster posing as the entity. PKI is the key to trusted information sharing.
VASP Address Confirmation Protocol Prevents Leakage
The FATF recognizes that unlike traditional fiat wire transfers, not every virtual asset transfer may involve two obliged entities. VASPs, when originating a VA transfer, do not have to submit the required information to individual users who are not obliged entities. However, the FATF does not address the difficulty VASPs now face in determining whether a transfer is coming or going to an obliged entity or not, or the security risks that could arise in sending private information to the wrong entity.
TRISA promotes the VASP Address Confirmation Protocol, which mitigates the risk associated with sending private information to the wrong VASP by verifying that the receiving address is actually controlled by the declared beneficiary VASP. This protocol requires a high-speed lookup whereby the sending VASP can query the beneficiary VASP about the address and confirm that the receiving address actually belongs to that VASP. A CipherTrace TRI white paper describes this VASP Address Confirmation Protocol in more detail.
Furthermore, FATF guidelines require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities. The VASP Address Confirmation Protocol also offers a solution for this through Enhanced Validation Know Your VASP (EV KYV). Receiving VASPs should return receipts, ideally digitally signed, to sending VASPs to confirm that the transaction identity information has been received. It may be desirable to be able to reject a transaction in a receipt, for example if the sender’s identity or purported beneficiary’s identity data fails sanctions or other blocking tests by the receiving VASP. In such cases, the sending VASP should not proceed with the blockchain transaction and should notify the originator of a failed transaction.
To learn more about the architecture laid out by the Travel Rule Information Sharing Architecture, read the whitepaper here.