Published Dec 9, 2021
By Qredo Team
Travel Rule Compliance Made Simple
The growth of digital assets and decentralized finance (DeFi) has fuelled fears of dirty money and crypto-powered laundering, with regulators concerned they may be unable to intervene in a peer-to-peer financial system.
To the rescue, international money-laundering watchdog The Financial Action Task Force (FATF) updated recommendation 16 — also known as the Travel Rule — in June 2019 to bring the crypto ecosystem in line with traditional banking. This guidance was later expanded in October 2021.
Although FATF has no jurisdictional power, the Travel Rule is now gradually being transposed into local law around the world, and countries veering off course could ultimately be placed on the FATF Black or Grey list. On the other hand, fully-compliant jurisdictions — such as Switzerland and Singapore — are likely to find themselves at the forefront of institutional digital asset adoption.
As such, Travel Rule compliance is at the top of the agenda for almost every crypto business. But the infrastructure required to comply must reconcile regulatory needs with a diverse, decentralized ecosystem that is very different from the world of traditional finance.
What is the Travel Rule?
In a nutshell, the Travel Rule requires all Virtual Asset Service Providers (VASPs) to share identifying information — including names, physical addresses, and national ID numbers — for the originators and beneficiaries of digital asset transfers.
What is a VASP?
The updated guidance of October 2021 expands the definition of VASP to include not only entities such as banks and exchanges that deal in crypto assets, but also businesses providing safeguarding or administration such as licensed custodians.
Businesses undertaking any of the following activities on behalf of clients are captured by the guidance:
Exchange between virtual assets and fiat currencies;
Exchange between one or more forms of virtual assets;
Transfer of virtual assets;
Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
Regarding decentralized finance (DeFi), the guidance indicates that a truly decentralized software protocol would not be considered a VASP, though the "creators, owners and operators who maintain control or influence" may still come under this category.
The obligations of VASPs
Reflecting recent scrutiny of crypto, October's new guidance extends the obligations of VASPs beyond sharing transaction data to include several additional requirements:
Recordkeeping, requiring VASPs to "maintain all records of transactions and CDD measures for at least five years in such a way that individual transactions can be reconstructed and the relevant elements provided swiftly to competent authorities."
Registration, requiring countries to "register or license individuals and entities that provide virtual asset services and ensure compliance with the relevant AML/CFT requirements."
Reporting, requiring countries to ensure that VASPs " to obtain, hold, and submit required originator and beneficiary information associated with VA transfers in order to identify and report suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities. "
The transaction threshold at which the full set of obligations kicks in is 1,000 USD / EUR, and at least one jurisdiction has set this value to zero, meaning that every transaction of a certain type must be assessed and appropriate compliance measures put in place.
Yet despite willingness to comply, our conversations with VASPs reveal them to be held back by technical and legal challenges that cannot easily be addressed with existing infrastructure.
Unlike banks that can easily share data via SWIFT, the various VASPs of the diverse crypto ecosystem have no universal messaging system to share transaction data, nor systems for storing and retrieving data on request that would enable compliance.
Qredo for Travel Rule compliance
Qredo Network is a decentralized custody and settlement network that enables easy Travel Rule compliance. The Network consists of a MPC protocol working with a Layer 2 blockchain, topped with a Layer 3 messaging network based on decentralized communications protocol Matrix. In essence, Qredo is the universal messaging system to share transaction data when dealing in cryptoassets.
When VASPs on Qredo send digital assets over the Layer 2 blockchain, a cryptographically bound data packet is sent simultaneously on the Layer 3 network. This packet binds compliance data — including originator and beneficiary information — to digital asset transactions, linking otherwise pseudonymous activity to real-world identities.
Through this mechanism, registered VASPs are able to send digital assets to: Other approved registered VASPs on Qredo Network; newly registered VASPs that have been automatically reviewed to meet compliance standards; and external platforms not found on Qredo Network.
When receiving transactions, the packet data Travel Rule information can be used to accept, reject, or quarantine (for review) the incoming digital assets in a process that can be managed programmatically through Qredo's combined Python libraries.
This elegant solution enables VASPs seeking Travel Rule compliance to overcome key challenges around privacy, identifying other VASPs, and managing transaction flows.
Qredo has selected Matrix for its decentralized architecture and end-to-end encryption. These features provide unprecedented levels of privacy and security, making it popular with secret services worldwide.
Unlike Travel Rule compliance solutions based on a secondary email system or Transport Layer Security (TLS), Matrix messages enable the compliance data packet to be bound to the execution flow on Layer 2. This provides full non-repudiation, as no party can deny that it has sent or received a message.
The result is a single in-band experience that never leaves businesses struggling to reconcile transactions with separate compliance communications. Instead, reconciliations are abolished and data can be shared with regulators with confidence.
Qredo's Travel Rule compliance features:
As per the Travel Rule guidance, VASPs are required to check transaction data for sanctioned or suspicious persons or entities before releasing funds.
This challenges them to not only securely store the personal data of customers, but also the data of everyone who has ever sent them funds — massively increasing the amount of data that needs to be protected from breaches.
To protect personal data as it is being shared, Qredo binds the Travel Rule information exchanged between VASPs cryptographically with end-to-end encryption in Matrix.
Each VASP on Qredo then stores the encrypted data on their own communications server (a Matrix homeserver) within their own infrastructure. The information remains available in real-time, but can only be decrypted into plaintext for processing by cryptographically authorized parties for the purposes of auditing and filing suspicious activity reports.
Identifying other VASPs 📖
As the “sunrise problem" describes, the dawning of the new regulatory regime is slowly bringing countries around the world into line with the international guidance. Sunlit states such as Switzerland and Singapore have already translated the Travel Rule into local law, while others are lagging behind — creating a varied landscape of compliance obligations that can make it difficult for registered VASPs to recognize others and make informed decisions about who to trade with.
To address this issue, Qredo is building a decentralized directory that enables registered VASPs to directly connect with each other.
As each VASP joins the directory, the information submitted is cryptographically bound to their address on Qredo Network. This includes Travel Rule specifics such as compliance requirements, contact information and KYC and AML factors, enabling VASPs to determine if they can facilitate an asset transfer and still remain in compliance with their local regulations.
Enabling batch transaction processing 📜
Under the guidance, both sending and receiving VASPs are responsible for checking transactions for sanctioned or suspicious persons or entities.
This requirement can disrupt the transaction workflows of VASPs, particularly exchanges which can be accustomed to batching as many as 50-200 payments into a single transaction to reduce blockchain processing fees. Manually reconciling the batching process compliance requirements can create delays and the risk of data breaches, as customers are forced to wait before accessing their funds.
Through Qredo's near-real time transaction finality and Integration Libraries, any VASP can quickly achieve compliance with the guidance without disrupting their transaction flow, enabling them to become compliant without creating delays and increasing costs.
“As the regulatory landscape continues to shift, digital asset businesses will need flexible compliance solutions to accommodate changing obligations. Qredo's unique model of decentralized multi-party computation provides the futureproof foundation to enable the architects of the new digital economy to comply with the Travel Rule — and quickly adapt to new regulatory requirements."