An Update on the Implementation of the New FATF Travel Rule Requirements

March 04, 2020

By Gregory Bilecki

In September, we touched on probably one of the biggest developments in the crypto community to date: the FATF’s implementation of the new “travel rules”. These are new requirements for the provision of personally identifiable information (PII) about users involved in crypto transactions totaling more than $1000 USD/EUR in each of the FATF’s 39 member countries. Virtual Asset Service Providers (VASPs, for example Coinbase) are also now required by the governing body to keep this information on record. This is a hot-button issue in the crypto realm today, because PII that was not actively available before due to technology limitations is now being harvested and shared between VASPs.

It’s become apparent that many exchanges are now facing serious hurdles in meeting the initial compliance date of June 2020. This has led some exchanges in member countries to delist some coins already due to non-compliance. FinCEN has also been shown to be more of a force as the new regulations begin to take shape, and is quietly pushing harder for compliance with the new measures in America. One reason for this was the Q3 2019 Anti-Money Laundering (AML) report published by CipherTrace, which disclosed that the U.S. alone currently processes almost $2 billion in crypto transactions unknowingly every year. Thus, the implications for money laundering within the U.S. banking system are already huge. Since the blockchain itself can’t be modified without a lot of heavy re-engineering, the solutions currently being offered are what are seen as augmented layers, or, in layman’s terms, “plug-in” solutions, with all exchanges involved needing to come to terms on mutual implementation in order for them to be effective.

One possible solution currently in the works is TransactID, developed by Netki. This is a digital currency identification solution that’s actually been around since 2016, but has undergone recent upgrades to further integrate the PII data needed within transactions to foster compliance with the new FATF requirements. Moving forward, each wallet would feature its own trusted connection to the TransactID service, which would never be a part of the actual blockchain itself. The way it works is simple in theory: after an initial transfer request is made (via an external URL instead of a wallet address), the recipient VASP verifies via the TransactID protocol that the PII data is in fact stored on the originating exchange and is accurate. This is done via a digital certificate pertaining to the wallet initiating the transfer, as well as a certificate related to the initiating VASP. TransactID itself never stores any PII data, but makes sure that the VASPs do, that the data is correct, and that it is able to be accepted. This is accomplished by utilizing a modified SSL protocol that allows for the transmission of PII data between exchanges, thus providing the information needed between the exchanges while mitigating security risks. TransactID would also impose minor user fees onto exchanges at around $1 per wallet in addition to other setup and licensing costs, since the protocol it uses is proprietary.

A more recent, open-source solution, designed by CipherTrace in conjunction with Shyft, is a new protocol called the Travel Rule Information Sharing Architecture, or TRISA. TRISA works a bit differently. It would utilize a decentralized Certificate Authority (CA) registry, which all VASPs would have to universally agree to use (and which would also foster more self-governance within the blockchain). This doesn’t exist in TransactID’s implementation, because the protocol it uses is based on an existing Bitcoin standard, BIP 75 (which Netki also helped design). The CA would store public key information from the VASPs, which would then allow them to communicate with each other. It is not known yet if transactions will be initiated via a unique URL as with TransactID, since the technology is so new, but considering it uses TLS 1.3 (a more current and secure successor to SSL), it could be assumed. Furthermore, the PII data transmittal process is somewhat pared down. The data would only be proven to exist by the CA issuing a signature request from the other VASP in an exchange, with the hashes of user identities between both VASPs then being swapped. With TRISA being open-source, there are no initial setup costs involved. In this case, each VASP would be required to take care of all initial implementation and ongoing maintenance themselves. The presumably minor overhead costs that would be incurred would most likely be funded from active user investments.
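The hash swap described above can be sketched as follows. This is an added example, not code from TRISA, CipherTrace or Shyft: the record fields, the JSON canonicalization and the salted HMAC-SHA-256 digest are assumptions made for illustration, and the CA signature step and TLS transport are left out.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records; field names are assumptions, not a TRISA schema.
ORIGINATOR = {"name": "Alice Example", "account": "ACCT-0001", "country": "US"}
BENEFICIARY = {"name": "Bob Example", "account": "ACCT-0002", "country": "DE"}


def canonical(record):
    """Serialize deterministically so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(record, salt=None):
    """Return (salt, digest). A random per-transfer salt stops anyone who only
    sees the digest from confirming a guessed identity or linking two transfers."""
    salt = salt if salt is not None else secrets.token_bytes(32)
    digest = hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()
    return salt, digest


def verify(record, salt, digest):
    """Check a later-disclosed record against the digest received in the swap."""
    _, expected = commit(record, salt)
    return hmac.compare_digest(expected, digest)


def swap(originator_record, beneficiary_record):
    """Each VASP keeps its record and salt; only the digests are exchanged."""
    o_salt, o_digest = commit(originator_record)
    b_salt, b_digest = commit(beneficiary_record)
    return {
        "originating_vasp": {"salt": o_salt, "received": b_digest},
        "beneficiary_vasp": {"salt": b_salt, "received": o_digest},
    }


if __name__ == "__main__":
    state = swap(ORIGINATOR, BENEFICIARY)
    # The originating VASP later discloses its record and salt to the beneficiary VASP.
    salt = state["originating_vasp"]["salt"]
    digest = state["beneficiary_vasp"]["received"]
    print("genuine record verifies:", verify(ORIGINATOR, salt, digest))
    print("altered record verifies:", verify(dict(ORIGINATOR, name="Mallory"), salt, digest))
```

A bare, unsalted hash of a name and account number is a weak protection for PII, since such low-entropy values can be confirmed by hashing guesses; the per-transfer salt is what keeps the swapped digest from leaking identity on its own.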

It’s all a lot to digest at this point for sure, but now the arms race is real between coins and exchanges to make this work while maintaining the integrity of digital assets and the blockchain itself during the process. Time will soon tell if the wild-west era that crypto seems to be currently reveling in will come to a close, with transactions becoming less anonymous due to these new measures.

EisnerAmper LLP does not endorse any app, product or service or warrant that these apps, products or services are appropriate for any particular business.
