It has been one year since the Financial Action Task Force (FATF) released a global regulatory framework for the crypto industry. The Guidelines for Virtual Assets and Virtual Asset Service Providers (VASPs) was released in June 2019. One of its most notable requirements is Recommendation 16, the so-called Travel Rule. The guidelines also required that jurisdictions implement AML/CFT regimes in accordance with FATF’s guidelines, including the registration or licensing of VASPs. 

On July 7th 2020, FATF released a report containing a 12-month review and assessment, measuring implementation of these guidelines by jurisdictions and the private sector. The release of the report followed a virtual Plenary meeting held by the FATF on June 24th, 2020. In the review, the travel rule is highlighted as “the issue of most focus in terms of VASPs’ compliance with the revised FATF Standards.” What were the key findings of this review, and what does it mean for compliance teams in the crypto industry? 

Below is a short summary outlining high-level take-aways and what’s next from FATF, in addition to implications for your business.

Summary of the 12-month review

• The 12-month review was prepared by FATF to measure the implementation of the revised Standards that it introduced in 2019 by both jurisdictions and the private sector. It also covers any changes in risks, typologies and market structure of the virtual asset industry.
• FATF reports that there has been marked progress by jurisdictions in the implementation of a regulatory regime for virtual assets, with 35 out of 54 reporting jurisdictions having implemented the revised FATF standards. 32 of these jurisdictions introduced a regulatory framework for crypto businesses, with the majority by method of new legislation. A large number of these regulations apply to VASPs that operate in their jurisdictions but who may be domiciled in other jurisdictions. So far, 20 jurisdictions have reported a total of 1,133 registered or licensed VASPs.
• The FATF review highlights that there has been increased readiness by the private sector for travel rule compliance, with the emergence of multiple travel rule solutions as well as technical standards to facilitate interoperability. 
• Many issues were raised by jurisdictions and the private sector during the implementation of the regulatory framework. These include specific concerns with implementing the Travel Rule, like the identification and due diligence of VASPs in a timely manner, as well as broader concerns with how to deal with non-custodial wallets and stablecoins.
  

What’s next from FATF?

Going forward, FATF expects all of its members and its broader global network of FATF-Style Regional Bodies (FSRBs) to have fully implemented these guidelines by June 2021. While FATF has deemed that at this point there is no need to update its existing Standards, it will be providing additional Guidance to the industry by October 2020 (mainly in response to the concerns raised in the report). It will also continue its engagement with the private sector through its Virtual Assets Contact Group. 

Finally, the FATF will continue to closely monitor the risks posed by stablecoins and anonymous peer-to-peer transactions via non-custodial wallets. Should there be substantial changes in market trends, it may choose to revisit its guidelines.

What does this review mean for your business?

If your business is a VASP, it is recommended that your compliance team: 

• Assess which jurisdictions that you are incorporated in or operate in require that you are regulated. If you are not yet regulated, you need to determine how to become compliant and if there are licensing or registration requirements. If you are in doubt whether you need to be regulated, contact the local regulators for more information. Please note that requirements may change across jurisdictions, and you will have to keep up-to-date with the latest requirements. 
• Start early (if you haven’t already) implementing comprehensive AML/CFT policies in line with your regulating jurisdiction’s guidelines.
• Implement the travel rule as soon as possible. The travel rule requires changes to current compliance processes and flows. It is recommended that the compliance team start testing early and accommodate these changes into current processes, so that the impact of the travel rule on your daily operations is minimized.
• Perform an internal ML/TF risk assessment of existing and new products, in particular if they are of a cross-border nature or have been highlighted as sources of potential concern (eg stablecoins, non-custodial wallets). For new products, these risks are best addressed before their launch. 

On July 3rd 2020, Malcom Wright, Co-Lead of Global Digital Finance’s working group for the travel rule (“Joint Working Group for interVASP Messaging Standards”), wrote this article about the Travel Rule. In it, he describes the “Travel Rule Discovery” problem. Basically, how can an originator VASP know which Travel Rule protocol the beneficiary VASP is using? In the article, the proposed solution is to build a “Global List of VASP” (GLoV) which is a centralized registry that maps a “Common Shared VASP Code” (or GLoV VASP Code) to some VASP information, mainly which Travel Rule protocols they support. This solution, in our view, has the problem of being centralized, which could make it difficult for all VASPs to be part of.

Our founding team at Notabene comes from the Self-Sovereign Identity industry, and believe a simple decentralized solution can be built under those principles.‍

1. Notabene's protocol-agnostic solution

In the article, Notabene is named as an alternative solution to OpenVASP, TRP, Shyft and Sygna. In fact, we do not offer our own protocol but take a “protocol-agnostic” view. We support (or will support) many of the protocols named. VASPs who use Notabene will be able to send and receive Travel Rule information using any of the available protocols, starting with OpenVASP and TRP.

Regarding a solution to the Travel Rule deadlock problem, we propose a decentralized solution using a DID for every VASP. Every VASP can then describe in its DID Document which protocol they support and the particular parameters for it. We also propose to use Verifiable Credentials (VC) as a standardized way to manage trust and knowledge information (KYV) between VASPs.

This decentralized approach can lead to faster adoption by VASPs, since VASPs can “onboard” to the system by themselves, without asking permission from anyone, apply to anything or pay any fee.

2. VASP DID as common shared VASP identifier

Our proposal is to use VASP DIDs as a commonly shared identifier for VASPs. DID stands for “Decentralized Identifier”. It’s a standard that is being developed by the W3C, and is currently being used by many organizations and financial service companies around the world including Microsoft and MasterCard. As described in the W3C standards, 

DIDs are URLs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.

Every DID can be created independently by any VASP, without the need for coordination. There are many DID methods available so VASPs can choose which one fits best for them. All of them are interoperable by design. Some examples of VASP DIDs can be the following:

did:ethr:0xE6Fe788d8ca214A080b0f6aC7F48480b2AEfa9a6

did:sov:CYQLsccvwhMTowprMjGjQ6

did:web:exchange-b.com

3. Implemented travel rule protocols on DID Document

Every DID “resolves” to a DID Document. The information on the DID document is controlled by the DID subject (the VASP in this case), and the way to define it and update it is specific to the DID method. The DID documents can have many “service” endpoints which describe services on how to interact with the DID subject. We propose to use this mechanism to describe which protocols a VASP supports and how to access them.

An example DID Document can be the following:

‍
In this example, the VASP identified by the DID did:example:123456789abcdefghi has implemented the OpenVASP and TRP protocol. The DID also defines the end points used to interact with them. In the case of OpenVASP, it points to the OpenVASP’s VASP Code which can be used to get the keys and start a session. In the case of TRP, the endpoint is the base endpoint for the TRP /address-query and /transfer-notification. The public keys for TRP can also be published in the DID Document (there is a publicKeysection for it).

4. Proposed flow

The flow in Malcolm’s article would change to look something like this:

• Customer A of Exchange A wants to send Customer B of Exchange B 1 BTC
• Exchange A supports Sygna, OpenVASP, and TRP
• Exchange B supports Shyft, and OpenVASP
• Customer B provides their name and VASP DID to Customer A
• Customer A provides Exchange A with the VASP DID that resolves to a DID document to see which protocols Exchange B supports (and the parameters of the protocol, like encryption keys).
• Exchange A then asks Customer A to request any additional proprietary information from Customer B (such as an OpenVASP VAAN), or wallet address
• Customer B supplies the information to Customer A, who provides it to Exchange A
• Exchange A then uses the common protocol information (OpenVASP in this example) to transmit the required information on Customer A to Exchange B.

This flow does not require any central service or database. It still has the problem that Customer A needs to ask Customer B for information twice: first the VASP DID, then the proprietary protocol routing information. There are possible ways to solve this, but are out of the scope of this proposal.

5. Know your VASP (KYV)

The last point of Malcolm’s article is about the need for VASPs to trust each other. In the case that every VASP is identified by a VASP DID, then the W3C Verifiable Credential standard will help to create VASP Credentials that can be transmitted and shared to ease the bi-directional KYV process.

We will discuss this in the relevant GDF working groups.

Today we are launching Notabene, a new crypto compliance platform for the financial industry. Notabene combines our expertise in financial markets and privacy-preserving systems to enable the industry to solve its most pressing challenge - regulatory compliance.

Our platform enables businesses to comply with new financial reporting requirements more efficiently, broadly known as the Travel Rule. These critical requirements are part of the new worldwide regulatory framework for Virtual Assets Service Providers (VASPs) from FATF, the global anti-money laundering watchdog.

June 24th marks the deadline for national regulators to put in place this new regulation. For crypto businesses, this means increased regulatory scrutiny and a need to comply with rules at the risk of severe penalties that could include both steep fines or even the loss of operating licenses. Our new product enables businesses to more easily adhere to the Travel Rule without any interruption to existing business operations.

1. Why You Should Care About the Travel Rule

Put simply; the Travel Rule requires financial institutions participating in a transaction to exchange both relevant beneficiary and originator KYC (know-your-customer) information.

Also known as the Wire Transfer Rule, this regulation was initially created for banks transferring funds on behalf of their customers. While this worked well for traditional financial systems, modern blockchain solutions make it impossible to adequately implement this rule for three main reasons:

• The pseudonymous and permission-less nature of existing blockchains makes direct implementation impossible
• No standardized frameworks exist for establishing trusted relationships between industry players
• There are no existing technical solutions that can be easily adopted and scaled to meet the requirements of the Travel Rule

Over the past year, several industry groups and bottom-up initiatives have proposed a variety of  protocols for solving the Travel Rule. This proactivity was welcomed by regulators, but the diversity of solutions creates confusion for companies looking for the best fit.

If implemented correctly, we see the Travel Rule as a competitive advantage for companies. It would optimize their revenue generation by building better relationships with a variety of partners (including banks). In contrast, failure to implement could seriously damage business operations and increase regulatory risk.

2. A Turning Point for Crypto

Cryptocurrencies and their underlying blockchains are at a turning point and ready to become more mainstream. As the technology continues to mature, use-cases are also becoming more apparent.

Fintech companies and institutional players are already building with the technology and getting ready to reap its many benefits and opportunities.

Since its infancy, our industry has had regulation and compliance hanging over us. However, some companies, operating in proactive countries like the US where regulatory systems were developed early, have used compliance as a competitive edge, and are now market leaders.

The presence of this new global regulatory framework regardless of jurisdiction is a game-changer for the industry. This framework provides a framework for existing crypto companies to become regulated and work with traditional financial institutions. At the same time, it allows traditional financial institutions to safely work with cryptocurrencies and public blockchains.

The framework still has to be translated into local law in many places around the world. But at least national regulators now know how to start applying the rules locally, instead of having to understand the technology from scratch.

If you ask banks and regulators how crypto should be regulated, they have always said just like the traditional institutions. But, crypto is very different from traditional banking systems. The underlying blockchains are permission-less and public. Traditional core-banking software and customer due diligence processes are hard to fit on top of this new technology.

3. How Notabene Solves the Travel Rule

The Travel Rule affects how your customers send or receive funds from your service. We built this product to minimize the impact of the Travel Rule on day-to-day business operations.

The primary reason for the Travel Rule is that it finally allows compliance officers to take a risk-based approach for analyzing incoming transactions and accept or decline them.

We provide compliance officers with a simple dashboard allowing them to monitor incoming and outgoing transactions and set rules for approving them automatically.

The dashboard also allows compliance officers to:

• Set compliance rules
• Automate transfer request handling
• Manually accept/decline transfer requests

Notabene allows you to start integrating the Travel Rule into your compliance workflow while avoiding concerns about new protocols. We are protocol and blockchain agnostic and will support the major protocols and blockchains within the industry.

4. Notabene Helps Build Trust Between Crypto Businesses

A significant change to how you do business will be that you now need to work more closely with other crypto businesses.

When you receive an incoming transfer request from Mr. Smith at Exchange A, how do you know that Exchange A performed proper KYC on Mr. Smith? Is the exchange even a legitimate one? Are the operators on a government sanctions list?

When you send a transfer request from Mrs. Jones to Mr. Smith at Exchange A, do you trust them with your customer’s private data?

These questions are all new for an industry built on decentralized, trust-less payment systems. Traditional banks solve this through a combination of licensing and trust frameworks like within payment associations like SWIFT and Visa. To manually perform due-diligence on another institution can be an expensive, time-consuming process.

Notabene takes a decentralized identity approach to this. When you receive an incoming transfer request from an unknown business, we present you with up-to-date information about the business. Where are they incorporated, registered, and licensed?

Businesses create profiles for themselves with a mixture of self-reported information and company details verified by us and others. These profiles are continuously updated.

Notabene’s system allows compliance officers to rapidly perform due-diligence, monitor changes, and even directly ask the compliance officer on the other side for additional information required. This leads to a massive reduction in due diligence costs, making it easier to establish bilateral relationships with new business partners.

5. Simple API Based Integration for Back- and Front End Systems

We provide a straightforward REST and GraphQL API, allowing your developers to integrate it into your flow. Because your customer fronting interface might require some changes, we also provide a simple JavaScript API making implementation painless.

Most of the protocols require special nodes to be running for sending and receiving transfer requests. We manage these nodes, so you don’t have to set up and maintain them yourself.

At launch, we support the OpenVASP protocol and the InterVASP IVMS-101 messaging standard. OpenVASP is an industry-led open protocol for the transmission of transaction information between VASPs and other parties. Its founding members include Bitcoin Suisse, SEBA, Sygnum, and Lykke. OpenVASP already has a vibrant multi-vendor ecosystem, and Notabene has joined the OpenVASP Association as a technology partner

David Riegelnig, Head Risk Management of Bitcoin Suisse and President of the OpenVASP Association, says

‍ "We are excited that Notabene is joining OpenVASP as an implementation partner. The industry is in need of a turnkey hosted solution so companies can easily comply with the new rules. In addition, Notabene's trust framework seems a promising solution to help VASPs with due diligence efforts of their counterparties."

Based on demand and readiness, we will also support the following protocols shortly: TRP, PayID, TRISA, and BIP-75

6. What about non-custodial wallets?

When the FATF guidelines were released in 2019, there was fear that a 2 class blockchain world would be created - one for regulated entities and one for users managing their own keys.

Luckily, regulators have been clear that they don’t want this to happen. Businesses will, however, have to take an extra step that wasn’t necessary before. They must now be able to prove that any transaction going to a non-Travel Rule account belongs to their customer.

We offer our customers a way of integrating account ownership proofs for non-custodial wallets into your compliance flow.

We can also help non-custodial wallet developers add a Self-sovereign Identity Verification flow to their wallets, allowing their users to easily onboard with regulated businesses.

As the first official “Identity Issuer” for the Concordium blockchain, we are already providing this solution for its users. "Concordium is designed from the ground up for regulatory compliance," says Lone Fønss Schrøder, Concordium's CEO. "Notabene helps with identity verification at the protocol level. Using zero-knowledge proofs, our users are able to verify their identity using the blockchain without sharing any private information.”

7. Our Team

The Notabene founding team consists of Pelle Braendgaard as CEO, Alice Nawfal as COO, Ania Lipinska as CPO, and Andrés Junge as CTO. Based in New York, Zug, and Santiago, the team worked previously together at uPort, ConsenSys’ Ethereum-based, decentralized identity protocol.

Pelle and Andrés were uPort co-founders as well as founders of early bitcoin startups (Kipochi, Mondome, Yaykuy, and 37coins). Several of their early bitcoin companies were affected by the lack of a proper crypto regulatory framework.

As part of our work at uPort, we pioneered many of the core concepts of user-controlled data and self-sovereign identity currently being deployed. Recent examples are the European Union’s eIDAS SSI initiative, the Inter-American Development Bank's LACChain initiative in Latin America, and Alastria in Spain.

Notabene Is built on a deep commitment to data ownership, privacy, and security.

8. Work with Notabene for Travel Rule Compliance

Over the summer, we will expand early access within Notabene. If Travel Rule compliance is critical to your business, let’s connect.

Read more about the Travel Rule and its national implementations here.

Since day one, crypto and blockchain technology have been about enabling permissionless transactions between people and businesses. Many of us in the industry have built incredible products to make crypto accessible to the wider audience. However, the primary stumbling block for wider adoption always pointed back poor ties to the traditional financial industry, primarily due to the lack of a regulatory framework.

The industry is now at a turning point. FATF's new global framework and, in particular, the Travel Rule itself, is the biggest opportunity crypto has had for crossing the chasm into mass adoption.

Once your company implements the Travel Rule, it will make it much easier for you, as a virtual asset service provider (VASP), to do business with traditional financial institutions and by extension commerce with non-crypto businesses.

1. Regulatory clarity

Outside of a few major jurisdictions such as the US, Switzerland, and Singapore, most countries have not prioritized regulating or understanding the technology and its benefits.

This has been particularly problematic for exchanges outside of the main global financial centers, who have had problems both directly with regulators and indirectly through the loss of financial partners.

‍Notabene co-founders, Pelle and Andres, have both had to shut their early Bitcoin businesses down because of this exact problem in Kenya and Chile.

This also affects countries with strong regulation, where interacting with unregulated institutions has always been a risky grey area.

The new 2019 FATF guidelines for Virtual Assets forces local regulators to take a stance. They are required to either create a roadmap for a regulatory framework for VASPs or, unfortunately, outright ban them. Of course, the second option is problematic, but there are already well-thought-out legal frameworks from countries like the US, Switzerland, South Africa, South Korea, and Singapore. They will hopefully provide a good example to more risk-averse regulators.

2. Easier access to banking services

For several years, we have heard from traditional banks that the primary reason they would not open bank accounts for crypto businesses was the inability to prove a reliable source of client funds. It was simply too risky for them to engage with customers holding crypto.

The new Travel Rule specifically solves this problem. It enables crypto businesses to fully participate in the global financial system by bringing them to the same level of accountability that the traditional financial institutions already adhere to. This finally allows crypto businesses to be treated seriously by the financial industry as a whole.

The most successful crypto businesses have invested a lot of time and money in convincing their banking connections that they have very strict KYC and AML policies in places.

Solving the Travel Rule by performing strong due diligence on partner VASPs will help crypto businesses reduce this risk and become trusted partners for traditional financial companies. This is also a great opportunity to start implementing the Travel Rule before your jurisdiction requires you to do so.

3. Improved fiat on/off ramps globally

With better access to banking comes much better access to local payment systems around the world. This alone could really improve the adoption of cryptocurrencies as well as bring whole new classes of untapped users around the world to the innovations in the DeFi space.

4. Crypto and DeFi could become the rails for future FinTechs

Most FinTechs today differentiate themselves by improving UX and on-boarding and finding new use-cases for what is, in essence, the same products the traditional financial industry has offered for years.

As crypto products become regulated, with Travel Rule adoption and more thorough blockchain specific KYC/AML, fintech will look to adopt many of the new products coming out of the DeFi space. This will help them add new revenue opportunities and find better ways to differentiate themselves from incumbent financial services.

5. Lower regulatory risk means easier access for institutional investors

Institutional investors from around the world are actively looking at adding crypto as a new asset class. Lack of regulatory certainty has been one of the largest issues holding them back from wider investment in the space.

Blockchain analytics tools have already helped lower the risk of dealing with crypto assets, but through our conversations with institutional investors, we have learned that new regulations like the Travel Rule will really help open up the asset class to them.

We believe this will help increase the demand for cryptocurrencies. It will also improve liquidity and demand in the DeFi space.

6. Learn more

It is paramount for both new and existing businesses in the crypto space to understand more about how the Travel Rule affects your business.

Email-based Travel Rule solutions may seem like a simple fix for compliance challenges, but they come with major pitfalls. From manual processes that buckle under heavy transaction volumes to security vulnerabilities that put sensitive data at risk, and a poor user experience that creates friction for beneficiaries, these systems leave VASPs ill-equipped to meet growing regulatory demands.

Why do email-based solutions fail to deliver?

It really comes down to three critical considerations:

1️⃣ Operational Scalability – Manual workflows can’t handle the demands of high-volume transactions.

2️⃣ Security and Privacy Risks – Email lacks the robust encryption needed to keep sensitive information safe.

3️⃣ Poor User Experience – Cumbersome processes frustrate beneficiaries and delay compliance efforts.

It's obviously more nuanced than that, so let's dive in and explore when a check-the-box email-based Travel Rule solution will suffice, and when it may be smarter to invest in building a modern, scalable operation to future-proof your Travel Rule compliance needs as your business grows.

💡 Learn more about the pros and cons of an email-based Travel Rule solution in our full article here