Our industry response to FATF Travel Rule’s requirements will determine the future of Digital Currency

The new requirements from global regulatory body Financial Action Task Force (FATF) around Travel Rule present a serious challenge to the digital currency ecosystem today.

Justin Newton
November 1, 2019
Last updated:
May 26, 2022

[Editors note: This is the first of a 4 part series on Travel Rule solutions for the cryptocurrency ecosystems. Joe Ciccolo of BitAML’s post can be found here: https://medium.com/@joeciccolo/crypto-cant-ignore-the-fatf-travel-rule-6da43667436d ]

The new requirements from global regulatory body Financial Action Task Force (FATF) around Travel Rule present a serious challenge to the digital currency ecosystem today. Exchanges and service providers alike are scrambling to come up with adequate solutions to these emerging and expanding requirements. The tl;dr on the Travel Rule is that for transactions over a certain value <think along the lines of $1000 in many cases, but it can vary by jurisdiction>, if both ends of the transaction are an exchange or other regulated service, they are required to exchange and store identity information about the transacting parties. The easy way to solve for this problem is to simply re-create the SWIFT network, or something like it, but that isn’t the right way to solve this problem, not now, and definitely not for the future.At Netki we were first alerted to this problem in 2015, when Ripple had a consent decree with FinCEN. In it FinCEN cited and Ripple agreed, that as an MSB they needed to comply with Travel Rule and would need to do so going forward. With no available solutions in the marketplace, Ripple had to vastly limit the number of companies they directly interacted with, and built a very manual solution to address the requirement. Netki viewed this as an existential threat to the cryptocurrency ecosystem as a whole and immediately started working on a solution that would keep the community’s ethos in place and still meet regulatory requirements. We launched our first implementation of the solution in 2016. We were maybe a little ahead of things, having a solution long before the regulatory requirements showed up in force.

We used that time to collect feedback from both the industry and regulators, and have arrived at what we believe should be the guiding principles for any solution the industry adopts. These principles will ensure that solutions will satisfy the interests of both regulators and digital currency proponents.

In this article I am going to primarily focus on two of those areas:

  1. the importance of any solution to support both custodial <regulated> and non-custodial platforms <where users control their own keys>.
  2. How this regulation has already negatively impacted privacy coins and how we can fix that.

Custodial and Non Custodial Wallets

What differentiates networks like bitcoin and ethereum from the existing global financial systems is that they are:

  • Open and permissionless to use and
  • Open and permissionless to innovate on

The existing financial systems, like SWIFT and ACH, are still very closed and permissioned. Taking away the open and permissionless aspect of digital currency networks, or breaking the smooth flow of transactions between regulated entities and Dapps or DeFi projects takes away the reason that many of us joined the ecosystem to begin with.

There are two groups within the cryptocurrency ecosystem that enjoy a symbiotic relationship. The first group is the regulated Virtual Asset Service Providers (VASPs). Effectively, these are the exchanges, custodial wallets, OTC desks, payment processors, and others who hold or manage digital currency or assets on behalf of others. The other group consists of the unregulated Dapps, wallets where users control their keys, and defi apps that run on the chain itself. Each of the groups needs the other. The unregulated side needs the regulated side to provide the on and off ramps, as well as to provide custodial and other services that mass market and mainstream adoption needs to transition to this new environment more smoothly.

Similarly, the Dapps and other non custodial services are essential to the ecosystem as a whole because, for lack of a better way to put it, this is where the magic happens. The primary reason that digital currency is an exciting new platform and asset is because it is both the same, as well as different, than traditional financial networks. The main difference between older networks and newer decentralized ones is that anyone can build or use an application on top of the network, without getting anyone else’s permission first.

Unless these two parts of the ecosystem can continue to transact, we don’t have an adequate solution. Any solution that is dependant on a company being registered or listed on a centrally controlled list of “approved” participants not only risks breaking that connection, but irreversibly shattering it.

Why This Will Matter Later, and Why It Already Matters Now

Today, regulators are focused on Travel Rule. Next, it is clear, they are going to be focused on sanctions. Iran, Venezuela, Russia, and North Korea have all been publicly connected to using cryptocurrency as a way to make an end run around sanctions regimes, and they are planning to expand those operations. Regulators are watching this and are certain to respond. This is important because sanctions requirements apply to ALL TRANSACTIONS, not just those where both parties in the transaction are VASPs/regulated entities.

So, hypothetically, if you wanted to send digital assets from your Coinbase account to your friend’s BRD wallet, Coinbase would need to know the validated identity of your friend in order to complete the transaction. Any solution that tries to re-create a SWIFT style network of trusted entities, or otherwise relies on both ends of the transaction being a regulated entity will instantly cause a schism, breaking the network in two. Exchanges won’t be able to send to apps, and apps won’t be able to send to exchanges <or, more specifically, the exchanges will have to quarantine the funds that come from apps>. This is nearly the worst thing that can happen.

We don’t have to wait for the future to see this happening. Switzerland’s FINMA has issued very strict guidance in this area already:

“FINMA-supervised institutions are thus not permitted to receive tokens from customers of other institutions or to send tokens to such customers. This practice applies as long as information about the sender and recipient cannot be transmitted reliably in the respective payment system. Unlike the FATF standard, this established practice applies in Switzerland without the exception for unregulated wallets and is therefore one of the most stringent in the world.”

They, today, require all transactions involving a regulated entity on either end to exchange identity as a part of the transaction flow and protocol, exactly the same outcome that the implementations of sanctions for digital currency will require globally. “Our protocol doesn’t support this,” only leads to the response “Well then you can’t do the transaction.” Game over. We need to do better than that.

The incredible disappearing privacy coins

One of Netki’s key tenets when designing our solution for Travel Rule was that it had to support “any coin or token on any public or private chain”. Yes, that even includes privacy coins. Today, privacy coins such as Zcash, Dash, and Monero, are being delisted at exchanges in Asia and Europe, reportedly because of the new guidance around Travel Rule.

Privacy coins are a particularly tricky case to handle because the blockchain itself may hide information about the sender, receiver and amounts being transacted. All of these things are mandatory parts of Travel Rule reporting and record keeping, along with the identity information discussed above. Solutions based primarily on only blockchain analytics or monitoring the blockchain will have challenges tracking transactions in the same way they do with bitcoin or other blockchains that today leave all transactions more public.

In response, exchanges in Korea, Europe and other jurisdictions have begun de-listing of privacy coins in an attempt to keep themselves safely within the law, as regulators are starting to ramp up their Travel Rule guidance and enforcement. On the other side, Bitcoin and other major cryptocurrency networks are looking at ways to enhance their privacy-related features for the benefit of their end users.

The current trajectories put compliance and the right to privacy on a collision course, and we can’t afford to compromise in either area if our industry is going to be successful long term. Any solution to Travel Rule needs to acknowledge this and take it into account.

Avoiding reverse alchemy

It’s clear that our industry is at a crossroads, one where the decisions that we make today will reverberate long into the future. These decisions will not only impact the platforms on which we build, but whether we can actually realize the incredible potential blockchain has to make lasting, positive change in the world.

There is magic in what we all have created here. Our community created digital gold out of thin air by creating something that is open and permissionless, invites all kinds of innovation, and respects the privacy of the users of the platform. Let us take this moment to ensure that the decisions we are making now, in response to the new regulatory reality, support and enhance that magic.

If we respond to regulation by recreating the traditional banking world — a locked down system where only “trusted providers” can interact then we have broken the magic, destroyed the alchemy, and turned digital gold into digital lead.