FATF Travel Rule Solution — the 2020’s Vision

Shyft Network
Jan 7, 2020
Source: https://news.bitcoin.com/us-to-strictly-enforce-crypto-rules-similar-to-fatf-guidelines/

Intro

This summer, the Financial Action Task Force issued guidance requiring Virtual Asset Service Providers (VASPs) to share Personally Identifiable Information (PII) and Know-Your-Customer (KYC) data on the transacting sender and receiver before executing transactions. This guidance, called the Travel Rule, is already enforced in the traditional finance space between counterparties such as banks, which use SWIFT for both transaction settlement and identity data sharing.

In this post, we break down the complexity and risks presented by this guidance for cryptocurrency exchanges and their users, as well as the broader risk of allowing traditional compliance standards applicable to today’s centralized financial system to be enforced in the public blockchain ecosystem.

The Key Stakeholders

Financial Action Task Force: Intergovernmental organization that focuses on the development of policies to combat money laundering and terrorism financing. It monitors progress in implementing the FATF Recommendations through “peer reviews” (“mutual evaluations”) of member countries; it also maintains two lists of nations depending on their level of compliance or adherence to AML regulation and controls: FATF Blacklist and FATF Greylist.

VASPs: Any entity engaged in digital asset custody, including:

  • Cryptocurrency exchanges
  • Non-custodial wallets
  • OTC desks
  • Brokerage firms
  • Etc.

Blockchain Solves for Simplified Transaction Settlement, But Not PII Sharing

In the traditional financial system, a multitude of independent counterparties are required to achieve the same transaction settlement that blockchain achieves in mere minutes.

The SWIFT network is the central authority that is responsible for the transmission of information across financial institutions globally, acting as a global coordination and accounting system. Only financial institutions that are regulated by the Federal Deposit Insurance Corporation (FDIC), or the equivalent in respective countries, can be members of SWIFT. SWIFT is designed as a non-profit cooperative society, relies on funding from its members, and is regulated by several intergovernmental regulatory bodies globally.

The same coordination layer that handles transaction settlement is also responsible for account reconciliation, KYC validation, and sharing of PII associated with user transactions. Accordingly, the framework that enables transaction settlement also enables compliance with the Travel Rule.

Today’s blockchain networks are effective transaction settlement layers. Every day, billions of dollars of value are transferred across public blockchain networks. Settlement is achieved by global consensus of participating network nodes and miners.

In blockchain ecosystems, transaction settlement is decoupled from KYC validation processes and from any associated PII transfer requirements. There is no platform today that enables VASPs (read: cryptocurrency exchanges and other custodians) to comply with the Travel Rule.

User Transactions To and From Exchanges Today

  1. Alice is a Bitfinex user. Alice wants to send 1 BTC to Bob. Bob is a TurkeyEx user. Bitfinex does not know that Bob is a TurkeyEx user, and TurkeyEx does not know that Alice is a Bitfinex user.
  2. Alice inputs Bob’s TurkeyEx BTC address in Bitfinex, and initiates a withdrawal request.
  3. Bitfinex processes the transaction on Alice’s behalf, and Bob receives BTC in his TurkeyEx BTC wallet.

Throughout this process, Bitfinex has no idea where Alice is sending BTC, and TurkeyEx has no idea where Bob is receiving BTC from.

Assuming TurkeyEx and Bitfinex are both using blockchain analytics services, such as Chainalysis, the two exchanges may be aware (read: able to identify) that their entities are exchanging BTC. But then again, maybe not — addresses are changed frequently, for example. The two exchanges are not required to collect destination/origination prior to processing transactions on behalf of their users.

User Transactions To and From Exchanges Under the FATF Travel Rule Guidance

  1. Alice is a Bitfinex user. Alice wants to send 1 BTC to Bob. Bob is a TurkeyEx user. Bitfinex does not know that Bob is a TurkeyEx user, and TurkeyEx does not know that Alice is a Bitfinex user.
  2. Alice inputs Bob’s TurkeyEx BTC address in Bitfinex, and initiates a withdrawal request.

Bitfinex is in a difficult situation as it’s now responsible for somehow discerning the following information:

Identifying the receiving VASP

  • Who is the receiving entity?
  • Is the receiving entity a VASP? How does Bitfinex validate that it is a real exchange?
  • If the receiving entity is a VASP, Bitfinex will be required to share and receive PII pertaining to users participating in this transaction. How can Bitfinex find out if the receiving entity is a VASP?

Establishing communications with the receiving VASP

Assuming Bitfinex identifies that the receiving address belongs to a TurkeyEx account, Bitfinex must now establish a connection with TurkeyEx. How?

Data sharing between VASPs

Assuming Bitfinex establishes a line of communication with TurkeyEx, the two exchanges will have to decide to share their users’ PII.

  • What channel will they use to share this data to ensure it isn’t vulnerable in the transfer process?
  • How does Bitfinex decide if TurkeyEx is trustworthy, and will take care to custody Alice’s PII securely? How does Bitfinex verify TurkeyEx’s compliance with international standards of AML, CDD, etc.?
  • Does Alice have any say in executing this transaction? Does she have a right to know how her data will be custodied, or to stop the transaction from occurring at this point?
  • Will Bitfinex be liable if TurkeyEx exposes Alice’s PII? Who will be liable?
  • Do Bitfinex and Alice have a say in how TurkeyEx uses Alice’s data? Is TurkeyEx allowed to reach out to Alice, attempting to onboard her as a user? Can TurkeyEx now sell Alice’s data to data markets?

The issues with coordination, user address discovery, VASP discovery, data security, and liability/risk presented by the FATF Travel Rule guidance are enough to put exchanges out of business.

The Shyft Network FATF Travel Rule Solution

Shyft Network acts as a coordination and discovery layer for global VASPs. Shyft Network is partnering with the most trusted VASPs in the crypto space who will act as the first set of data custodians on the network; these VASPs will work together to:

  • Form and manage semi-trusted VASP coalitions
  • Pre-validate each VASP’s compliance and custody procedures
  • Pre-determine rules of doing business, such as which external, encrypted channels will be used to share user PII
  • Authenticate their users onto Shyft Network, generating key-pair attestations against user PII, and giving users transparency into and consent over their PII flows
  • Whitelist exchange addresses and privacy-preserving individual PII data attestations on a shared registry internal to the coalition
  • Develop procedures for validating user compliance with KYC/AML standards
  • Leverage Shyft APIs to enable encrypted communication

Other, smaller exchanges that are not part of the initial Shyft Network group of partners can also set up coalitions with their semi-trusted partners to comply with the Travel Rule. Coalitions can all communicate with each other, and set up the same business rules and procedures interoperably across coalitions.

Importantly, Shyft infrastructure does not hold or facilitate send/receive of any private or regulated data.

Also, current transaction systems don’t give users the ability to see and control how their data moves after the required PII has been sent. Compliance with the FATF rule is one thing, but once that’s done, any further sharing, for example an exchange that has received your PII selling it to data market brokers (ad agencies, etc.), should require the user’s direct consent. Shyft Network is built with consent as a key pillar and the starting point of PII data transactions; users remain in control of who can access their data, and for how long.

Conclusion

Using Shyft Network, exchanges that transact frequently and are comfortable with each other’s compliance and custody procedures will leverage semi-trusted SWIFT-like infrastructure powered by a public PoW blockchain network.

Shyft Network is purpose-built to allow for compliance with impending regulation pertaining to the FATF Travel Rule and Identity guidance (the latter to be discussed in a future post). The network was designed as a federated, permissionless, and global KYC and identity network based on learnings from:

  • Bitcoin
  • Existing open-banking procedures
  • Private identity systems like Secure Key
  • Regulated KYC procedures inherent in everyday financial transactions

We’ve also designed our technology to be flexible and customizable to adapt to the needs of future FATF guidelines as well as nuanced local jurisdictional regulations. We believe our enterprise integration suite will aid global institutions in quickly adhering to incoming compliance requirements, thereby accelerating digital identity development.

In the future, as FATF guidelines and regulatory approaches need to apply not just to exchanges but also to other custodial and potential non-custodial intermediaries (including user wallets), Shyft Network’s flexible solution will evolve to meet these requirements with minimal friction, maintaining the standards of transaction timeliness that users of public blockchains experience today and standards of privacy that users experience in traditional financial markets.

As we build this architecture and its open-source structures, we look for and openly welcome partners to co-create an ecosystem of exchanges, blockchain analytics providers, and identity verification providers. Ours is an ambitious project; however, we are confident that through merging traditional and open-source ecosystems to allow for optimal compliance, privacy, and user experience, the roadmap for crypto users into the 2020s will be best-in-class.

This piece was written by the Shyft Network team.

Shyft Network aggregates trust and contextualizes data to build an authentic reputation, identity, and creditability framework for individuals and enterprises.
