Virtual asset service providers (VASPs) want more ownership, control, and security around their users’ data while complying with the FATF’s Crypto Travel Rule. With the Travel Rule regulation, VASPs must send personally identifiable information (PII) about the user sending the transaction to the receiving VASP. Currently, most VASPs use software or services like Notabene to comply with the regulation, which implies sending end-user data back and forth via third-party providers.

Suppose this information falls into the wrong hands, which has happened in the past via crypto exchange hacks and data leaks. In that case, malicious actors could use this data to target these persons of interest–either in the real world or virtually.

‍

Our approach to secure PII transmission

At Notabene, we've always believed that PII must be delivered securely. We were the first solution provider to elect to only release PII when the receiving VASP confirmed ownership of a blockchain address and after risk-based requirements defined by the Originating VASP were met. This was the cornerstone of our first-generation SafePII capability, which has been in production for more than a year.

With end-user data security being one of our fundamental values, we’ve added three encrypted escrowed PII transmission methods to our advanced security infrastructure. The protocol-agnostic SafePII service leverages state-of-the-art cryptography to secure PII–every piece of PII data is individually encrypted and stored in a secure, limited-access datastore.

‍

Introducing Notabene’s SafePII

Notabene adds a new PII service to our Travel Rule nodes. This industry-first feature allows VASPs to manage the secure exchange of encrypted PII to counterparties while simultaneously managing their own encryption keys.

As a separate first-class service run on behalf of our clients, SafePII is next to but complementary to our existing Travel Rule Service API. Separating this critical part of our API will allow VASPs to take a risk-based approach to better implement the Travel Rule from a data protection point of view. The escrow aspect of our service will enable us to perform address ownership and proprietary Notabene rule-based checks before encrypted PII is exchanged with the beneficiary VASP.

Encryption keys are, by default, managed by VASPs themselves. Still, VASPs can elect to utilize our key management infrastructure for some or all aspects of their service, similarly to how VASPs use a combination of local hot wallets and custodial wallet API services today. Unlike wallet API services, we explicitly designed our SafePII service around data encryption.

Regardless of how VASPs choose to use our SafePII service in the future, it is a considerable step up in data security over building your own service to integrate with an existing Travel Rule protocol. It also signals to counterparty exchanges that you take the data protection duties of implementing the Travel Rule very seriously.

How does Notabene’s SafePII service work?

‍

Based on their needs, VASPs can choose between three different options:

1. End-to-End 

End-to-End SafePII brings the most security, as the Originating VASP encrypts PII data so that only they and the Beneficiary VASP can decrypt it. 

In this flow, PII data traveling across the ether will be encrypted, meaning Notabene will never have access to the contents. Even in a hacking case or a leak, the attackers will not be able to decrypt the PII data because it’s simply cryptographically “impossible” – unless they can figure out the decryption key, which is only known by either of the VASPs.

‍

‍

2. Hosted 

During the Hosted SafePII flow, Notabene encrypts all raw Travel Rule transaction data created through our easy-to-use restful API without worrying about local key management. Each VASP has a dedicated encryption key managed by Notabene’s PII service and can be rotated on-demand. 

Our current API customers will automatically be migrated to the Hosted Escrow PII flow without any manual changes. The Hosted flow is beneficial for VASPs using hosted/white-label exchange software and/or VASPs that don’t feel comfortable managing encryption keys by themselves.

‍

3. Hybrid

The Hybrid SafePII mode extends the End-to-End flow, where the Originator VASP further encrypts the PII data selectively using their dedicated Notabene-managed encryption key, allowing Notabene to decrypt the PII (or parts of the PII data) for in-flow pre-transaction name sanction screening.

‍

‍

How to access this feature:

All customers have access to the Hosted SafePII flow. To encrypt/decrypt customer PII, login to the Notabene App -> Transactions -> Select the Transaction (i) -> Select “Conceal” at the top right hand corner. 

‍

‍
Built on best-in-class open crypto native standards

At its core, our new SafePII service is built entirely using open standards and libraries. We believe it is important not to reinvent the wheel, particularly regarding encryption. Our goal is to push some of the learnings we have made here into Travel Rule protocol groups and provide our core encryption libraries as open source.

The Notabene Travel Rule Network is built on top of the W3C standard of Decentralized Identifiers (DIDs), co-authored by two of our Notabene co-founders. Our new SafePII service utilizes the DID-Comm standard for securely exchanging encrypted and authenticated messages between entities such as VASPs.

Click here to learn how Decentralized Identifiers (DIDs) are shaping the Crypto Travel Rule infrastructure.

This set-up, in turn, is based on long-time industry standards for encryption JSON Web Encryption. We use the EdDSA encryption algorithm by default, which is currently recognized as the most secure public key encryption algorithm. We can easily upgrade to newer, better protocols in the future.

When encrypting a data item, an entirely new key is generated and encrypted to VASP’s public keys, encrypts the data, and is discarded. This ensures that even if bad actors could decrypt a single data item using massive national government-grade computing power, they will only be able to crack that specific data item–nothing more.

All data is additionally hashed and only identifiable by a content addressable identifier (CID) which stems from the InterPlanetary File System (IPFS) ecosystem. Knowing a CID is not enough to access the data; the client must be authorized and authenticated by the owner(s) to gain access. Typically the owners are the Originator & Beneficiary VASPs, but it could also be an intermediary such as Notabene. 

CIDs are useful as VASPs can use them as consistent internal identifiers of PII without exposing the risk of actual PII within their own services.

Additional Security considerations: 

• In the End-to-End and Hybrid SafePII flows, VASPs encrypt PII data to each other using their self-managed keys.

• VASPs publish their respective public keys on the Notabene VASP Network for key discovery.

• VASPs can rotate their self-managed keys by generating a new cryptographic key pair and publishing the public key on the Notabene VASP Network.
• PII service-managed keys (during hosted & hybrid flows) can constantly be rotated on-demand.
• Used encryption keys must comply with the new W3C “did:key” spec https://w3c-ccg.github.io/did-method-key/. 

‍

If a client requires more sophisticated encryption, they must utilize our SDK. Learn how to upgrade to End-to-End or Hybrid encryption here.

‍‍Hi there!

We’re excited to share our most recent product release with you. This release brings a mobile version of the wallet identification widget, Merkle Science integration, updating missing originator VASP information, and much more. 

1. Integrate Notabene’s beneficiary identification widget into mobile apps

Notabene’s widget allows you to dynamically collect beneficiary customer information, based upon the particular requirements of your jurisdiction. This ensures the creation of valid travel rule transactions. This update brings the widget to mobile devices.

To access this feature: Download and install the Notabene SDK, then render the widget. Click here for a developer deep-dive.

2. Know when your counterparty’s jurisdictional requirements call for a Travel Rule data transfer

Get notified when a transaction classified as “below threshold” in your jurisdiction is actually above the threshold in your counterparty’s jurisdiction. 

Different jurisdictions have varying “de-minimis” thresholds that trigger Travel Rule compliance. For example, Canadian VASPs must follow the Travel Rule for transactions above CAD 1000 while Estonian VASPs have to send and receive data transfers for all transactions over EUR 0.

From now on, Compliance Officers get alerted when a transaction is “below threshold” in their jurisdiction but “above threshold” in their beneficiary’s jurisdiction. This helps them to decide whether they wish to send additional data to assure that their transaction gets accepted by their counterparty VASP.  

3. Set Rules to send Travel Rule transfers to manual review 

Customers can now set up rules in the dashboard that sends transactions to their inbox for manual review. 

Get more sophisticated with your compliance rules. Specify criteria under which transactions are sent for manual review. 

Access this feature by heading to your Dashboard > VASP Name > Rules > Advanced.

‍

‍

4. Update missing originator VASP information

Customers (Beneficiary VASPs) can now update incoming transactions with Travel Rule data  

When receiving a Travel Rule transaction, Beneficiary VASP might request Travel Rule information about the Originator VASP and customer from their own customer, the Beneficiary. This feature gives them the ability to update the information accordingly within the dashboard.

Access this feature from your Travel Rule Dashboard > Transactions.

‍

‍

5. Merkle Science integration

Customers can now set up rules based on Merkle Science risk scores.

We've added Merkle Science to our marketplace to integrate blockchain cryptocurrency risk and intelligence platforms that our customers request.

This feature assists VASPs in two ways:

• Automatically Determine VASPs based on the blockchain addresses of the counterparty.
• Establish rules to approve or reject transactions based on the risk scores of blockchain addresses.
  
  

Access this feature by navigating to your Notabene Dashboard > Company Profile > Marketplace.

In July, we saw a 7.6% increase in VASPs signed up in the directory to 966 VASPs. The number of in-network VASPs, actively managing their accounts increased by 7% to a total of 240 VASPs. SuperVASPs increased by 13.25% to a total of 94. Activity window: June 25-July 25. 

A few months ago, the Estonian regulator, the Ministry of Finance’s Financial Intelligence Unit (FIU), enacted the Travel Rule on March 15, 2022, soon after the start of the Russian-Ukrainian War, with enforcement three months later, on June 15, 2022, the shortest turnaround in history. In order to help our customers navigate sanctions and for better visibility, we’ve added 30+ Russian VASPs so our customers can automatically restrict transactions with them using our rules engine.

VASP Directory Activity 

Notabene’s global VASP directory aggregates verified business profiles where clients perform counterparty due diligence to establish trusted bilateral relationships. Directory data is available to any VASP that signs up for Notabene as a paid customer or as part of the free Sunrise Plan. 

Below, we share some highlights from July.

1. 966 VASPs are in the directory, and 240 have earned in-network badges

The number of VASPs actively managing their profiles has grown 7.14% since June to 240 VASPs. VASPs with “In-Network” badges have an active administrator and are able to send or receive travel rule transfers.

‍

2. Originator VASPs have sent transactions to 140 Beneficiary VASPs in July

This month, Originator VASPs have sent Travel Rule data transfers to a record number of 148 Beneficiary VASPs. As Originator VASPs ramp up transfers to their counterparties, Beneficiary VASPs can now subscribe to Notabene’s Sunrise Plan and respond to unlimited incoming transfers for free.

‍

‍

3. We’ve added 30+ Russian VASPs to help with VASP identification

With the onset of global sanctions against certain businesses in Russia, we’ve added a list of over 30 Russian VASPs to help our customers with VASP identification and possible blocking of transactions. Russian VASPs exhibit “Russian Federation” as their jurisdiction. From there, Notabene users could set rules in their Rules Engine to automatically review or block transactions going to certain VASPs

‍

Learn how Notabene customers can block transactions to sanctioned individuals today.

4. Ninety-four companies have received a SuperVASP badge.

Since June, the number of SuperVASPs has increased by 13.25% to 94 companies. A "SuperVASP" badge indicates company profiles that are:
✅verified
✅claimed
✅in-network 

‍

Notable new SuperVASPs:

• Zipmex Indonesia 
• Bizonex
• Bit4you
• Luxolo financial
• HAYVN
• HKVAX

Three years after The Financial Action Task Force (FATF) released its original guidance on virtual assets, it published a ‘Targeted Update on Implementation of FATF’s Standards on Virtual Assets (VAs) and Virtual Assets Service Providers (VASPs).’ The new report includes an overview of areas in which countries and the sector have progressed and ongoing implementation concerns. Check out our four key findings from the FATF’s Targeted Update on Implementation. 

At the end of the report, the FATF published a non-exhaustive list of questions that two leading jurisdictions reported useful in dialogue to foster the functional improvement of solutions (page 26, Box 1.) We answer these questions below. 

Interoperability with other Travel Rule solution tools

1. Is the tool/solution interoperable with other tools?

Yes. Notabene is a protocol-agnostic Travel Rule solution. One of the differences between what we do and what a protocol does is that we primarily provide a software as a service (SaaS) solution to VASPs and Financial Institutions (FI) for implementing and operationalizing the Travel Rule. 

We believe that ultimately the industry needs a Travel Rule messaging protocol open to all VASPs or interoperability between a few that allows VASPs maximum reachability. In the absence of that today, we have built a universal Travel Rule protocol gateway. 

As we work on integrating with every live Travel Rule protocol, our protocol gateway ensures that our customers can reach the most expansive network of counterparty VASPs through our platform. In addition, Notabene offers an interoperability model for VASPs that are: 

• Not yet live with any Travel Rule solution, or 
• Using a protocol that is not yet integrated with Notabene. 

Our free Sunrise plan allows VASPs to receive and manage Travel Rule transfers from Notabene customers using our all-in-one dashboard. 

2. What kind of interoperability is embedded within your tool, and when will interoperability testing be conducted?

E.g. pilot test, functional test, capacity stress test, live data test, tested data scope, and tested VASPs. 

At Notabene, we aim to provide a solution that enables our customers to reach any VASP using any Travel Rule solution worldwide. This starts by using industry standards like IVMS101 for the messaging structure and a willingness to integrate with other solutions/protocols that go live. Additionally, we support various encryption standards, which are imperative to being protocol agnostic.

Our agile development team ensures that our back-end can communicate with other solutions in a way that requires the least amount of development work by our customers. Our customers deploy the enclave servers, set up end-points and certificates, etc. On the other hand, Notabene securely handles the data collection, VASP identification, and sending of the Travel Rule data transfer through those means.

3. What kind of interoperability testing has been conducted? E.g., pilot test, functional test, capacity stress test, live data test, tested data scope, and tested VASPs. 

Currently, we support TRP and OpenVASP and are in late discussion with providers like VerifyVASP, TRUST, and others about adding support. We are active in various technical and standards working groups where protocol interoperability is evaluated and will soon be conducted. 

‍

Timing and scope of Travel Rule data submission 

4. Could the tool/solution enable VASPs to submit Travel Rule data for small value VA transfers (i.e., below USD1,000/EUR 1,000) to accommodate varying threshold requirements across jurisdictions? 

Yes. Notabene reflects the requirements implemented across jurisdictions in terms of applicable thresholds and scope of required Originator and Beneficiary information in Travel Rule transaction flows. Also, per FATF requirements, the Notabene tool allows VASPs to collect counterparty information for every transaction, regardless of the threshold, and store it for data-collection purposes.

Notabene customers can:

• Collect the required information about the Beneficiary.
• Transmit all required Originator and Beneficiary information to the Counterparty VASP, considering the transaction amount and applicable threshold.
• Optionally transmit further Originator and Beneficiary information if the Counterparty VASP’s jurisdiction requires it.
  
  

5. Does the tool/solution cover all VA types?

Yes. Notabene covers all virtual asset types, as long as it is possible to convert the VA value to FIAT value to enable the threshold validation. Our CoinGecko integration instantly verifies the exchange rate when a user begins a withdrawal request.

6. Does it enable receiving VASPs to obtain and handle a reasonably large volume of transactions from multiple destinations in a secure and stable manner?

Yes. Processing Travel Rule transfers at scale is only possible through automation.

Notabene’s Rules Engine allows our customers to process outgoing/incoming Travel Rule transactions automatically based on several criteria, most relevantly:

• Sanction screening results on Beneficiary/Originator counterparty.
• The risk score of counterparty destination/origin wallet address according to blockchain analytics.
• Trusted/non-trusted jurisdictions.
• Trusted/non-trusted VASPs.

Notabene’s customers can also automate the beneficiary name matching process, i.e., cross-checking the beneficiary information received in a Travel Rule transfer and made available via webhook against internal know-your-customer (KYC) records. Our customers can also automate the wallet ownership check when transacting with unhosted wallets.

7. Does the tool/solution provide a function that allows an originator VASP to choose not to send Travel Rule data to a counterparty VASP?

Possible scenarios include the originator VASP needs to avoid providing financial services to certain sanctioned jurisdictions, high TF/PF risk areas, or lower levels of DPP regulation jurisdiction.

Yes. Our Rules Engine allows our customers to automatically cancel/reject any transactions going to/coming from non-trusted VASPs (e.g., due to sanctions or deficient data protection frameworks) or VASPs located in high-risk jurisdictions. Compliance Teams can also make an ad-hoc assessment to determine whether or not a Travel Rule data transfer should go through. In addition, the funds can then be automatically blocked from being sent to the Beneficiary. 

Click here to read what Notabene customers can do today to block transactions to sanctioned individuals.

Recordkeeping and transaction monitoring

8. What function does the tool/solution provide to facilitate recordkeeping and transaction monitoring (retaining data for 5 years/ allow user VASPs to download data)?

An overview of Notabene’s approach to recordkeeping and transaction monitoring:

• Our customers receive a copy of the entire Travel Rule payload when it is created and with every status update through a webhook. Additionally, we retain a copy of the records for as long as they are a customer or as long as their jurisdiction allows. If our solution is no longer required to retain a copy, customers can download a full copy of their Travel Rule payload into CSV. 
• The Notabene dashboard also includes Travel Rule performance metrics, allowing the VASP to track several key data points (such as the rate of non-custodial transactions, rate of accepted and rejected transactions, time to response, etc.). We will roll out additional data analytics tools in the coming months to support further reporting.
• VASPs can import Travel Rule data into transaction monitoring and market surveillance systems. The reverse also applies: transaction risk data can be imported to Notabene to support better Travel Rule data flows.

‍
Want to learn more? Book a demo to speak to sales.

The Travel Rule, like the sun, rises at different times around the world. Navigating the “sunrise issue” - the period where Travel Rule enforcement is staggered globally - presents unique challenges for Virtual Asset Service Providers (VASPs).

Given the borderless nature of crypto transactions, achieving full compliance becomes a complex task for VASPs, particularly those operating in jurisdictions where the Travel Rule is already enforced. They may face hurdles in executing or receiving responses to Travel Rule transfers from counterparts in locations where enforcement is still pending.

VASPs often grapple with premature requests for Travel Rule data transfers before implementing compliance measures. Those in early-enforcing countries may also find maintaining business relationships with counterparts in late-enforcing nations challenging. As FATF guidelines allow VASPs to require Travel Rule compliance even from jurisdictions where the rule is yet to be enforced, a proactive approach to compliance is crucial for all involved parties.

How is the sunrise period currently affecting VASPs?

The sunrise period remains one of the top three hindrances to complying with the Travel Rule, as reported by our survey respondents. 

As demonstrated in Chapter 2 of Notabene’s 2023 State of Crypto Travel Rule Compliance Report, many VASPs claim to be compliant but are not fulfilling the required pre-transaction obligations”; VASPs are in different stages of compliance: a substantial percentage (34.8%) are not yet complying at all. 

Those that are complying are in different phases - some comply pre-transaction (20.3%), others post-transaction (11.6%), and some currently respond to Travel Rule transfers but are not yet sending (18.8%). 

The above data shows that during the sunrise period, VASPs take a phased approach to compliance with Travel Rule obligations. Rather than jumping from not complying to being fully compliant, VASPs go through different stages, making a smoother and more successful rollout. 

What are the main challenges that compliant VASPs face when transacting with non-compliant VASPs?

Three main challenges that compliant VASPs face when transacting with non-compliant VASPs are as follows:

‍

1. Complying with the obligation to send a Travel Rule data transfer: 

If a Beneficiary VASP is unprepared for Travel Rule transfers, Originator VASPs may struggle to meet the core obligation of sending the required originator and beneficiary information with each transaction. Depending on a VASP's policies and local regulations, they might not process a transaction in these scenarios. 

However, most VASPs remain flexible, with 41.2% taking a risk-based approach to transactions if a Travel Rule message can't be sent, 37.3% allowing transactions regardless, and 7.8% disallowing transactions to proceed unless a Travel Rule message can be sent to the beneficiary VASP.

2. Identifying the counterparty VASP and managing counterparty risk: Without a confirmation of correct counterparty identification, the initiating VASP may need to rely on third-party data, like blockchain analytics, to decide whether to proceed with the transaction, potentially risking interaction with sanctioned VASPs.
   
   
3. Effective sanction screening/risk management on counterparty customer: Without a response or a Travel Rule message from a non-compliant VASP, the compliant VASP lacks verified information about the counterparty customer. This significantly impedes effective sanction screening and risk management processes.

As previously mentioned, most VASPs today still transact even without receiving a response from the beneficiary VASP confirming that they correctly identified the counterparty to that transaction and verifying the identity of the counterparty end customer. 

12% of VASPs only allow a transaction if they receive a response from the beneficiary VASP. The rest either do not wait for a response (22%), proceed in case they have not received a response within a specific timeframe (14%), or do not connect Travel Rule and transaction flows at all (52%) (see key finding 8 in chapter 2).

Ultimately, these challenges may result in the compliant VASP not being able to transact with counterparties that do not engage in Travel Rule flows. This is already the case for a minority of VASPs, as mentioned above. 

To learn more about how the sunrise period affects VASPs, download Notabene’s 2023 State of Crypto Travel Rule Compliance Report.

What is the FATF’s stance on the Crypto Travel Rule’s “sunrise issue”?

To mitigate risks during this period, the FATF suggests several measures that VASPs can implement to comply with Travel Rule requirements regardless of the stages of compliance at which their counterparties operate. 

Regardless of the regulation in a certain country, a VASP may implement robust control measures to comply with the travel rule requirements. Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions. (Emphasis added) [1] 

In its Targeted Update published in June 2022,  FATF recognizes the compliance hindrances of the sunrise period and highlights how different jurisdictions have been approaching those issues. [2]

However, FATF now pushes for a broad and rapid introduction of Travel Rule requirements as the ultimate solution to the sunrise issue: 

Going forward, broad and rapid introduction of the Travel Rule can reduce the scale of the sunrise issues and provide additional incentives for industry to accelerate compliance. [3] 

‍

What is the business impact of the Crypto Travel Rule’s “sunrise issue?”

Ultimately, the phenomenon of compliant VASPs restricting transactions with noncompliant VASPs carries a negative business impact for both sides. This impact is already being felt by 7.8% of the respondent VASPs, who have reported that they only allow transactions if they can send a Travel Rule message to the beneficiary VASP. It also impacts another 12% of VASPs that only allow a transaction if they receive a response from the beneficiary VASP  (see key finding 4). 

To mitigate the negative business impact on the industry and sustain the international nature of the crypto, VASPs could take a proactive approach and start complying as soon as possible, regardless of the stage of adoption of the Travel Rule in the jurisdiction where they are based. 

The survey responses show that VASPs are currently in very different implementation stages. However, the majority aim to be fully compliant in 2023 (see key finding 1). 

From the policymaker's perspective, it is essential to provide regulated VASPs with a clear framework for compliance with the Travel Rule, [4] VASPs in jurisdictions that do not provide a clear path toward Travel Rule compliance will ultimately face difficulties in interacting with compliant VASPs, which, in turn, will result in the jurisdictions becoming less competitive venues for crypto businesses. 

How does Notabene solve the Crypto Travel Rule’s “sunrise issue?”

Notabene has introduced a phased approach for Travel Rule implementation to assist VASPs seeking to simplify compliance and manage the "sunrise issue."

SAFE Implementation phases minimize operational risk and provide analytics to guide users through the Travel Rule rollout. This strategy allows customers to meet regulatory guidelines while tailoring their risk-based approach over time. 

Notabene's SafeTransact platform provides industry-unique support for multiple legal entities, facilitating seamless expansion into multiple jurisdictions without the headache of legal and compliance issues.
‍

‍

Notably, the first phase requires minimal technical integration and can be completed within a week. 

To assist businesses in navigating Travel Rule compliance, Notabene offers a free SafeTransact-Rise plan. This plan requires no integration, enabling users to immediately benefit from advanced compliance features.

SAFE Implementation phases are part of Notabene's broader efforts to support customers with regulatory compliance, recognizing the complexity and dynamic nature of regulatory compliance. We are dedicated to providing our customers with the necessary tools and expertise, constantly updating our solutions to meet the latest regulatory requirements, with a team of experts ready to answer any questions.

‍

{{cta-learnmore13="/cta-components"}}

‍

Navigating the intricate challenges of the Travel Rule’s “sunrise issue” is a dynamic journey. As shown, the disparate stages of compliance among VASPs have significant business implications and impact on maintaining the international nature of crypto. A proactive stance towards compliance is the key to mitigating this effect, a strategy exemplified by Notabene’s phased approach to Travel Rule implementation. A harmonized global adoption of the Travel Rule will minimize the sunrise issue and provide a firm foundation for the continued growth and maturation of the crypto industry. 

In the data requirements for Originator and Beneficiary VASPs in the crypto Travel Rule, VASPs must legally identify each other and route the required transaction information to the appropriate VASP. Many VASPs have entities in more than one jurisdiction, and customers or blockchain analytics services likely won’t be able to determine which entity should receive the transaction. As crypto transactions are inherently cross-jurisdictional, using a unified, secure method of VASP name-matching supports seamless Travel Rule data transfers. Decentralized Identifiers (DIDs) present an answer to this problem.

This article dives into DIDs and how Notabene’s market-leading Travel Rule compliance solution uses this innovative technology to identify VASPs.

What are DIDs?

Globally, individuals and companies use unique identifiers in various contexts: phone numbers, email addresses, social media usernames, ID numbers (for passports, driver’s licenses, tax IDs, health insurance), and product identifiers (serial numbers, barcodes, RFIDs). Additionally, each website has a globally unique URL.

External agencies control most globally unique identifiers; they decide what they refer to and when to cancel them. They're only valuable in specific contexts and by unelected bodies. Traditional unique identifiers may reveal private info and can be fraudulently copied and used by a third party, resulting in "identity theft."

DIDs are a component of a more extensive system — the Verifiable Credentials ecosystem — and are defined in this specification as a novel type of cryptographically verifiable globally unique identifier. DIDs are designed to enable individuals and organizations to generate their own trusted identifiers and prove control over them through authentication using cryptographic proofs, such as digital signatures. The World Wide Web Consortium defines a DID as: “A globally unique persistent identifier that does not require a centralized registration authority because it is generated and/or registered cryptographically.”

DIDs are entity-controlled, and each entity can have as many DIDs as it needs to keep its identities, personas, and interactions separate as desired. These identifiers can be used in a way that makes sense for each situation. They make it possible for entities to interact with other people, institutions, or systems that need them to identify themselves or the objects under their control. DIDs also allow entities to decide how much personal or private information should be shared without depending on a central authority to guarantee the continued existence of the identifier. 

How do DIDs work?

A DID is a simple text string consisting of three parts:

1. the DID URI scheme identifier,
2. the identifier for the DID method, and
3. the DID method-specific identifier.

Building an Ethereum DID is equal to making an asymmetric key pair. As a mathematical relation between the DID hash and its public key exists, the hash can be derived from a public key and vice versa.

• DID ~= public key

‍

‍

DIDs are resolvable to DID documents. A DID URL extends the syntax of a basic DID to include other standard URI parts like path, query, and fragment in order to find a specific resource, like a cryptographic public key inside a DID document or a resource outside of the DID document. DIDs create an ecosystem/protocol for cryptographically secure data exchange, verification, and more. Anyone can create a DID because they are self-managed, open-sourced, and decentralized. Learn more on the W3 website.

‍

How are DIDs used in relation to Travel Rule/VASP communication?

When Alice sends a transaction to Bob, she likely doesn’t know if his account is with Bitstamp Singapore, Bitstamp USA, or any other Bitstamp entity. She simply inputs his alphanumeric address and sends the transaction. A normal crypto transaction flow puts the onus on providers to determine which entity controls Bob’s address.

Leveraging DIDs, Bitstamp would create separate DIDs for each entity, which removes the VASP name-matching operational friction without asking the end user to submit unknown information.

‍

‍

DIDs allow for the following in relation to Travel Rule compliance:

• Matching a blockchain address to the correct VASP entity.
  Blockchain analytics services only return the VASP name. Having a separate DID for each entity solves difficult counterparty identification by returning Bitstamp EU, Bitstamp DE, or Bitstamp USA, etc.
• Using DIDs to define a standard market practice for including legal entity identifiers (LEIs) in payment messages as recommended by the FATF.
  FATF notes that LEIs could be used as additional information in payment messages without changing the current message structure. (FATF 2021b, p. 60, para 189)
  
• Creating a decentralized SWIFT code network.
  The traditional banking world uses SWIFT codes to identify companies. Keeping in line with the ethos of the industry, DIDs can be used as a standardized decentralized way to identify VASP entities.

‍

How does Notabene use DIDs?

We use DIDs as LEIs for every crypto company or financial institution in our Notabene VASP Network. DIDs allow companies to create separate identities for each entity, meaning that if there are 10 Bitstamp entities, each one would have its own DID. DIDs cut out the painstaking process of name-matching during regulated data transfers. 

In the Travel Rule context, DIDs resolve into a document that specifies:

• VASP website
• VASP’s public key
• Which protocol a VASP supports, etc.

‍

Who provides DIDs for Notabene?

We work closely with Veramo to encrypt the personally identifiable information (PII) data flow for VASP-to-VASP communication. Veramo is a JavaScript framework that simplifies the use of cryptographically verifiable data in software applications.

How the PII Escrow flow works:

• Veramo securely encrypts PII data flow when sending Travel Rule data transfers from VASP A to VASP B.
• Only the Beneficiary VASP can decrypt the data.
• This supplies security and comfort because, in any event of a data leak, no one can decrypt it but the recipient.

Hybrid PII Encryption flow:

• The Originator VASP sends two versions of the Travel Rule data transfer, one for us to decrypt and one for the Beneficiary VASP.
• Notabene accesses the version intended for us to perform sanction screening.
• As a SOC2-compliant company, we use unique keys per customer to minimize potential hacking cases, leaks, etc.

End-user data security and privacy are a part of our fundamental values at Notabene. Our SafePII service presents a unique data escrow system for safely transmitting encrypted customer information only when a beneficiary institution confirms ownership of a blockchain address and fulfills specific rules. Currently, Notabene securely stores PII during the hybrid PII encryption flow. However, customers are open to running their own PII service. Learn more about Notabene’s commitment to security.

June’s VASP Directory Report is filled with exciting updates. Before you hop in, be sure to check out our mission and vision and learn more about Notabene. 

At Notabene, we’re on a mission to make crypto transactions a part of the everyday economy. Our market-leading solution allows financial institutions to manage regulatory and counterparty risk in crypto transactions—creating the last needed connection between the traditional financial industry and the crypto industry. Financial institutions and crypto exchanges use our first-to-market FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage regulatory and counterparty risks from one holistic dashboard.

In June, we saw a 12% increase in VASPs signed up in the directory to a total of 898 VASPs. The number of in-network VASPs, actively managing their accounts increased by another 12%. SuperVASPs increased by 8.8% in June. Activity window: May 25-June 25. Find more details below. 

Click here to view Notabene's VASP Directory Activity | May 2022.

Continued activity through the industry downturn

Although the total value of all cryptocurrencies on the market has recently dropped below $1 trillion, down from $3 trillion in November 2021, taking transaction volume down with it, we’re noticing very little impact on growth and activity in Notabene’s directory. Industry players are taking this downtime to ramp up their compliance journeys and strengthen their compliance stack.

Additionally, Estonia’s enforcement date recently passed on June 15th, prompting a record number of Estonian VASPs to sign up to the directory, and become SuperVASPs (verified profile, claimed, and in-network) in record time. This region-specific uptake shows that VASPs will turn to the most accessible place to comply when the pressure is on.

VASP Directory Activity 

Notabene provides its customers and crypto companies widely with a directory to build verified business profiles, share metrics around Travel Rule adoption, and perform counterparty due diligence to establish trusted bilateral relationships.

Directory data is available to any VASP that signs up for Notabene as a paid customer or as part of the free Sunrise Plan. Below, we share some highlights.

1. 898 VASPs are in the directory, and 224 have earned in-network badges

The number of VASPs who actively manage their profiles has grown by 12% since May to 224 VASPs indicating that even during a downturn in the market, companies continue to invest in their compliance stack and focus on Travel Rule adoption. VASPs with “In-Network,” badges have an active administrator and will be responsive to incoming Travel Rule data transactions.

‍

2. Originator VASPs have sent transactions to 138 Beneficiary VASPs in June

This month, Originator VASPs have sent Travel Rule data transfers to a record number of 138 Beneficiary VASPs. As Originator VASPs ramp up transfers to their counterparties, Beneficiary VASPs can now subscribe to Notabene’s Sunrise Plan and respond to incoming transfers for free.

‍

‍

3. Both retail and institutional VASPs have joined the Notabene directory in the last 30 days.

Notable new VASP profiles include:

• Bitstamp Europe S.A.
• Coinmetro
• Orbital
• Cross River Bank
• Crypto2cash
• Hash Blockchain Limited
• Eurogroup technologies OU
• CoinField
• The Merkle Group
• PureFi
• Great South Gate Asset Management
• Kriptomat
• Paus
• SpectroCoin

‍

4. Eighty-three companies have received a SuperVASP badge.

Since May, the number of SuperVASPs has increased by 8.8% to 83 companies. A "SuperVASP" badge indicates company profiles that are:
✅verified
✅claimed
✅in-network 

‍

‍

Join in on the action! Sign up for a VASP Directory profile today.

As Notabene continues to grow at rocket speed, we continue to add features to help our clients roll out their Travel Rule compliance plans. This release allows you and your team to stay on track with your Travel Rule rollout, adds a new blockchain analytics provider–Coinfirm–to our marketplace to ease VASP discoverability, and allows easier management of transactions in your dashboard.

1. Coinfirm Analytics

Joint customers can now link their Coinfirm blockchain analytics account to Notabene. This feature helps VASPs with two things:

• Automatically Identify VASPs based on the counterparty's blockchain addresses
• Set up rules to automatically accept or decline transactions based on blockchain addresses' risk scores

Access this feature on your Notabene Dashboard > Company Profile Name > Marketplace.

‍

2. Filter transactions by status

Clients can now filter transactions by the current Travel Rule status on the dashboard. This feature allows Compliance Teams to determine which transactions are actionable quickly. 

Available statuses:

• Sent
• New
• Canceled
• Acknowledge
• Incomplete
• Missing Beneficiary Data
• Accepted
• Rejected
• Declined

Access this feature in the Transactions dashboard > ‘Filter by.’ 

‍

3. Confirm previous transactions in one click

Are you overwhelmed with the amount of pending incoming transactions? Clean up your transaction dashboard with one click!

When a customer provides a list of blockchain addresses to Notabene, every receiving blockchain address of an incoming transaction is checked against that list. This feature lets customers auto-confirm that their incoming transactions are intended for them.

Ways to upload a list of blockchain addresses to our Travel Rule compliance platform:

• Uploading an address book
• Adding an address webhook
• Manually registering a blockchain address

To Manually register blockchain addresses:

1. Go to the Notabene dashboard
2. Click your company logo in the top right corner
3. Select ‘Uploads’
4. Follow the instructions

It has now been three years since the Financial Action Task Force (FATF) extended its anti-money laundering and counter-terrorist financing (AML/CTF) Standards to financial activities involving Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) to respond to the threat of criminal and terrorist misuse.

FATF's recently released ‘Targeted Update on Implementation of FATF’s Standards on VAs and VASPs, provides an overview of areas of progress that countries and the industry have made and continued implementation gaps and concerns.

Travel Rule Highlights:

• The FATF reflects on the progression of the private sector in a positive light. The document highlights the progress on developing and implementing Travel Rule solutions, and the final conclusion is that both countries and the industry need to move faster to ensure global application of the Travel Rule.
• The FATF reports that only 29 countries have implemented the Travel Rule requirement, and even fewer are actively enforcing it.
• The FATF urges countries to implement and enforce the Travel Rule to resolve the sunrise issue that slows the industry adoption rate of solutions.
• The report also calls on the private sector to accelerate the interoperability of Travel Rule solutions.

Below, we share our 4 key takeaways.

1. The FATF acknowledges the progress of VASPs in implementing the Travel Rule, sometimes ahead of legislators

The FATF notes that since June 2021, jurisdictions have made limited progress in implementing and enforcing the Travel Rule. 

Notabene’s commentary:

Conversely, especially in the second quarter of 2022, Notabene has seen a peak increase in Travel Rule adoption by VASPs. This willingness to comply is also explicitly acknowledged by the FATF. In many cases, this increase was directly attributable to regulatory urgency, with Travel Rule requirements coming into force in different jurisdictions (most notably, Estonia, where Travel Rule came into force on June 15th, and Japan’s April 2022 enforcement date. However, we understand that Japan’s Financial Services Agency allows softer, tiered enforcement). 

We have seen that VASPs are also primarily motivated by counterparty urgency. VASPs are looking to become compliant with Travel Rule to continue transacting with their counterparties based in jurisdictions where Travel Rule is already in force. Complying with the Travel Rule is increasingly being perceived as a competitive advantage.

2. Effective Travel Rule compliance requires global, interoperable, and nuanced Travel Rule solutions rather than regional and closed networks

The FATF stresses that global implementation and full compliance with FATF Standards require interoperability between Travel Rule solutions. A closed network approach where transmission of Travel Rule information is dependent on the approval of the network members or a third party hampers a global and effective approach to Travel Rule compliance.

Notabene’s commentary: 

Notabene is an open network. We do not act as gatekeepers and believe each VASP should be able to decide who to transact with and share Travel Rule information. Additionally, Notabene is a protocol-agnostic solution. To ensure that our customers can reach the most expansive network of counterparty VASPs through Notabene, we work on integrating with any live Travel Rule messaging protocols. Acknowledging the importance of interoperability, integrating with existing Travel Rule protocols is Notabene’s main priority in the product roadmap. 

The FATF recognizes that Travel Rule needs to be implemented at a global level, despite the differences in how each jurisdiction handles different Travel Rule components - the FATF highlights, in particular, the differences in how each jurisdiction approaches:

• Whether a de minimis threshold applies and the transaction amount that triggers Travel Rule requirements;
• The compatibilization between Travel Rule obligations and data protection frameworks; 
• Transactions with unhosted wallets;
• The scope of information that must be transmitted.

Notabene’s global Travel Rule solution accounts for jurisdictional nuances:

Crypto enables a global and borderless financial industry, and the design of crypto compliance solutions should help preserve this characteristic while accounting for the specificities that might exist in different jurisdictions.

Our solution achieves this by reflecting the requirements of different jurisdictions (in terms of the de minimis threshold that applies, if any, the scope of the required information about the originator and beneficiary customers and requirements applicable to transactions with unhosted wallets) in our systems and product offerings. A validation mechanism ensures that any Travel Rule transfer includes all the needed information according to the jurisdiction of the Originator VASP and issues warnings in case the requirements applicable to the Beneficiary VASP are more comprehensive. 

3. The FATF reports that most jurisdictions choose not to exclude unregulated VASPs from legal transaction flows

19.a‍

“22 out of 32 jurisdictions have decided to allow domestic VASPs to transact with any foreign VASP, whether they are licenced/registered or not,”

and

19.b

“most jurisdictions have decided to require domestic VASPs to apply the Travel Rule with all foreign VASPs, whether or not they are registered/licensed or have similar Travel Rule requirements .”

Notabene’s commentary: 

We are pleased to see this trend, as measures restricting transactions or Travel Rule flows with unregulated VASPs might have unintended consequences. On the one hand, this can result in excluding VASPs located in jurisdictions that do not yet offer robust frameworks to regulate the crypto industry and register/license crypto firms, regardless of how robust the VASP’s compliance program is. 

According to the FATF, “only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15 [i.e., with the AML/CTF Standards for VAs and VASPs]”, which implies that this could potentially affect a large number of VASPs. 

The private sector, under close monitoring of the competent supervisory authorities, is better positioned to determine whether or not to transact with certain counterparties following a risk-based approach that takes into consideration the specificities of their businesses, the due diligence performed on these counterparties, and the risks associated with a particular transaction. 

This is, in fact, one of the advantages of the Travel Rule - it allows VASPs to manage risk at the transaction level and adopt a more targeted approach when enforcing restrictions, and avoid blanket exclusions that can be disproportionate depending on the context. 

On the other hand, restricting Travel Rule flows with unregulated VASPs is counterproductive. Presumably, managing counterparty risk is particularly relevant when transacting with unregulated VASPs, and that is better achieved by engaging in Travel Rule flows with those VASPs. Of course, performing appropriate counterparty VASP due diligence on the counterparty VASP before transacting and sharing Travel Rule information is a central element of the process. 

4. Rapid and broad enforcement of Travel Rule requirements across jurisdictions is key to overcoming the sunrise issue.

The Travel Rule was first introduced in the FATF Standards in June 2019. Since then, Travel Rule requirements have been transposed to national frameworks at different speeds across jurisdictions. This poses a challenge for VASPs that are already required to comply when interacting with counterparties based in jurisdictions where regulators might not even have passed Travel Rule into law. In these cases, counterparties are often unprepared to send, receive and process Travel Rule transfers. Even if their compliance teams are willing to collaborate, finding resources to engage in compliance processes that are not yet mandatory in their jurisdiction is a difficult sell internally.

To account for this, VASPs are often granted generous grace periods to comply in full, take a phased approach to compliance, or apply alternative risk mitigation measures in cases where Travel Rule flows cannot be completed successfully. 

The private sector has expressed that, although this flexibility is helpful, the industry can only overcome the sunrise issue with rapid and broad enforcement of the Travel Rule across jurisdictions.

At Notabene, one of our core product design principles is to ensure our customers are  able to achieve phased compliance even if a transaction’s counterparty had no Travel Rule compliance solution in place. Hence, we have launched a free plan (Sunrise Plan) for companies to securely and privately respond to pending Travel Rule data transfers. This plan grants access to our powerful Travel Rule compliance dashboard, allowing Compliance Officers to set up secure automated compliance workflows and benefit from our award-winning integrations with blockchain analytics and sanctions screening providers–even if they are not yet ready to integrate a Travel Rule solution.

In July 2021, the European Commission submitted a legislative proposal for a regulation on information accompanying transfers of funds and certain crypto-assets - the “Transfer of Funds Regulation.”

Subsequently, the EU Parliament reviewed the proposal and, in April 2022, adopted a Report expressing its first reading position. The Report introduced quite a few changes to the text initially proposed by the Commission. The Commission, the Council, and the Parliament then initiated trilogues–informal meetings between representatives of the three bodies to reach a provisional agreement acceptable to both the Parliament and the Council. The Commission acts as a mediator of the discussion.

All parties finally reached a consensus on June 29th, 2022, which leads us to the final step of the legislative process: the formal approval of the Regulation by the Parliament and Council.

Below we summarize key points:

*Please note that where the Financial Action Task Force (FATF) uses VASPs (virtual asset service providers), the European Parliament uses CASPs (crypto asset service providers.)

1. The Travel Rule will not apply to peer-to-peer transactions.

The EU Parliament states:

The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoins trading platforms, or among providers acting on their own behalf.

‍
The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules. This is in line with the regulatory paradigm of placing obligations on intermediaries rather than on individuals themselves.

The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today. The time for such a shift is not now, as:

• The available data on the P2P market is not reliable enough to make an informed policy decision.
• The intermediated transactions are still relevant enough to allow for effective implementation of the standards.
• P2P transactions that are visible on public ledgers enable financial analysis and law enforcement investigations.

2. Transfers between CASPs and unhosted wallets of third parties will be subject to enhanced due diligence measures. As a result of the trilogue negotiations, verifying the identity of a third-party beneficial owner is no longer mandatory. 

In its first reading of the Report, the EU Parliament proposed that CASPs should be required to verify the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent. Due to the trilogue negotiations, we welcome that this is no longer proposed as a mandatory requirement.
‍
Although this is technically possible to do this with existing technology, it is unlikely that, with today’s adoption, CASPs will manage to implement these processes while ensuring that this does not cause undue delay to the execution of the transfers - a stated goal in the TFR. Until portable digital identities are widely adopted - which is an effort that the EU is leading with initiatives such as the eIDAS - verifying the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent is a process that introduces significant friction in the transaction flow.

At least in the short/medium term, such a requirement would push CASPs only to allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers).

3. Transfers of over 1000 euros between CASPs and unhosted wallets of their customers will trigger the obligation to verify whether the CASP’s customer effectively owns or controls the unhosted wallet.

Instead of relying on the self-declaration that a wallet belongs to the end customer, CASPs should verify beneficial ownership. This can be done by triggering the customer to perform a wallet ownership proof while in an authenticated session (therefore establishing a link between the identity and the wallet.)

The requirement to verify first-party ownership of the wallet is most helpful when there is also a requirement to verify the identity of a third-party beneficial owner (which, as said below, is not the approach of the EU). In those cases, the CASP must verify beneficial ownership. This ensures that the customer does not bypass the third-party verification requirement by falsely declaring they are transacting with their own wallet.

Nevertheless, this measure makes transaction risk management more robust by the following:

• CASPs can take a risk-based approach that facilitates transaction flows with unhosted wallets of their own customers and apply enhanced due diligence measures when transacting with third-party wallets;
• This will also bring additional data points that CASPs can rely on to evaluate and monitor customer risk. 

It’s also worth noting that different methods for wallet ownership verification will have additional integration costs and impact the user journey and drop-off rates. Some practices with a lower economic burden of implementation, like the Satoshi Test, have a more significant impact/friction on the user journey, which could lead to higher attrition and overall higher economic loss (this method requires users to perform a transaction and entails dead-end scenarios such as no funds being available on the wallet, etc.)

How Notabene verifies beneficial owners of unhosted wallets:

Notabene uses cryptographic signatures as proof. There is a considerable technical burden in integrating with private wallets for these purposes due to the variety of private wallets. If CASPs want to ensure wide coverage to allow their users to perform proof regardless of the private wallet provider they are using, then the CASP would need to integrate with several different providers. 

However, some aggregators, such as WalletConnect, can lower the effort significantly. Notabene integrates only with Metamask and WalletConnect, for instance. Using cryptographic signature aggregators should allow the proof process to scale fairly seamlessly, thus allowing smaller and larger CASPs to roll it out. 

4. Negotiators agreed that the set-up of a public register for non-compliant and non-supervised CASPs would be covered in the Markets in Crypto-assets rules (MiCA), currently being negotiated.

From our perspective, the public register list should be used to support CASPs’ counterparty due diligence processes rather than as a list that CASPs are required to enforce blindly. 

The European private sector, under close monitoring of the competent supervisory authorities, is better positioned to determine whether or not to transact with certain counterparties following a risk-based approach that takes into consideration the specificities of their businesses, the due diligence performed on these counterparties, and the risks associated with a particular transaction. 

This is, in fact, one of the advantages of the Travel Rule - it allows CASPs to manage risk at the transaction level and adopt a more targeted approach when enforcing restrictions, and avoid blanket exclusions that can be disproportionate depending on the context. 

Another question is what is meant by non-compliant and non-supervised CASPs. Recital 34a and Article 18aa of the Transfer of Funds Regulation (in the version proposed by the EU Parliament’s first reading Report) prevent CASPs from transacting with counterparties that are not established in any jurisdiction and are unaffiliated with a regulated entity. Our reading of the criteria is that it is cumulative - i.e., a CASP that is correctly established in a particular jurisdiction but is not regulated (e.g., due to the lack of a regulatory framework applicable to CASPs in that jurisdiction) would not be deemed a non-compliant CASP. 

We hope the reading of the MiCA text that is finally approved clarifies this aspect and avoids the exclusion of CASPs located in jurisdictions that do not yet offer robust frameworks to regulate the crypto industry and register/license crypto firms. According to the FATF, “only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15 [i.e., with the AML/CTF Standards for VAs and CASPs]”, which implies that this could potentially affect a large number of CASPs.

Finally, it is of paramount importance (i) that the process to include CASPs in this list is adversarial and involves the CASPs at issue and that (ii) CASPs can request to be taken out of the list in light of implemented improvements.

Since our inception, Notabene’s mission has been to enable safe, secure, and private crypto transactions. From day one, we’ve prioritized a pragmatic approach to Travel Rule compliance and were the first to introduce a solution that solves the Sunrise issue. TR:Now is part of our proprietary protocol switch that connects our clients to the broadest number of counterparties. 

Implementing the Travel Rule brings novel complexity, and it requires ongoing assistance to set up new compliance and operational processes. One of our core principles was that if a VASP’s counterparty was not ready to be fully compliant, they could at least respond to transactions using our universal protocol switch. If a transaction’s counterparty had no compliance solution in place to respond, our customers should still be able to achieve phased compliance by sending the mandated Travel Rule data transfer. 

Today, major crypto exchanges and financial institutions worldwide use our end-to-end solution to send and receive Travel Rule data transfers across 210+ exchanges. We’ve achieved a high level of success, we have a response rate of over 50%, and we have maximum reachability in the market. 

With hundreds of exchanges using our VASP Directory to send and receive compliant transfers, and more coming live daily, we’ve gleaned two significant takeaways:

• There is a willingness to comply. Many companies are willing to respond to Travel Rule transactions before their prospective enforcement date. But they need easy tools to do so.
• Reachability is key. Initiating and sending transfers to an expansive list of VASPs is crucial to Travel Rule compliance.

These learnings have led us to launch a free and secure plan that solves the Sunrise issue. 

Introducing SafeTransact-Rise

Our customers’ success is critical — and they cannot succeed if their counterparties don’t have the tools readily available to respond to them. Hence, we have launched a free plan for companies to securely and privately respond to pending Travel Rule data transfers. This plan grants access to our powerful Travel Rule compliance dashboard, allowing Compliance Officers to set up secure automated compliance workflows, and benefit from our award-winning integrations with blockchain analytics and sanctions screening providers. 

How to sign up:

Any VASP can sign up. After going through the Notabene verification process, new VASPs can either claim their profile from our Directory or set up a new one:

1. Create your company profile
   Login to the VASP & Crypto Company Directory and follow the verification steps. Once verified, share your profile with your counterparties to alert them that you are ready to receive Travel Rule data transfers.
2. Access the Travel Rule dashboard
3. Manage transfer flow using the rules engine and bulk action functionalities.
4. Store data transfers from your compliant counterparties. Review, store and respond to transfers from your counterparties. 

SafeTransact-Rise users will be able to:

• Perform mandated VASP due diligence

We’ve partnered with VASPnet to provide comprehensive regulatory information and incorporation information on 800+ VASPs. Additionally, Compliance Officers can request the industry-standard due diligence questionnaire from counterparties and automate or block transactions accordingly using the Rules Engine.

• Respond to unlimited Travel Rule data transfers

We want our customers to win. To gain their operational licenses in their registered jurisdictions and maintain global transactions to worldwide counterparties. When their counterparties sign up for sunrise, they can respond to unlimited Travel Rule data transfers, as well as….

• Send transfers up to 10k USD.

To extend the sunrise benefit to the entire market, we added the capability to send transfers up to 10k USD. 

What does the Sunrise Plan mean for the crypto market?

Notabene’s Sunrise Plan addresses one of the top issues keeping VASPs from adhering to the mandated regulation. In our 2023 State of Crypto Travel Rule Compliance Report, respondents pointed to the Sunrise Period as one of the top two hindrances to Travel Rule adoption. 

Additionally, the FATF acknowledged the Sunrise issue in section 201of its Updated Guidance [OCT 2021] while also stating that the sunrise period should not preclude VASPs from implementing “robust control measures to comply with the Travel Rule requirements.” This research led us to launch the Sunrise plan. Enrolled VASPs can respond to and send a limited number of Travel Rule data transfers today.

Notabene’s client Luno receives its in-principle approval to provide crypto services in Singapore.

What happens next?

Notabene’s SafeTransact-Rise facilitating Travel Rule compliance for our customers is just the beginning. Once successfully onboarded, new members benefit from our ancillary services, including compliance webinars and access to our Travel Rule certification program that help our clients learn how to scale responses, kickstart transaction flows, and introduce proper compliance flows. 

Once ready, Sunrise users can choose to upgrade their subscription to a paid plan and start integrating the Travel Rule for more fully automated transfers.

{{cta-bookademo="/cta-components"}}

In a previous webinar, FATF’s Final Guidance for Virtual Assets and VASPs. What now?, Bitso’s Chief Compliance Officer, Patricia Risso, shared her personal experience with Travel Rule implementation. Bitso is a global crypto platform with operations in Latin America, operating in the Gibraltar jurisdiction. Bitso is a client of Notabene.

How does the Travel Rule impact your business?

From a business perspective, it will be challenging in terms of time, how you can deliver, and how long it will take to sign-up. From a business perspective, one of our primary concerns is the Travel Rule data transfers that we will be receiving. Bitso’s regulators are in Gibraltar; we have to adhere by June 2022. We must ensure that we align ourselves with the data requirements for our home jurisdiction and counterparty jurisdictions as well. 

Right now, the FATF requires the collection of an ID, address, or account number, which represents a challenge to transacting with a counterparty jurisdiction that might require the assembly of data points from the beneficiary. That could create inconsistencies and friction.

From a VASP perspective, we’re focused on the practicalities of implementing various requirements from jurisdictions and dealing with that friction within the codebase.

Dealing with incoming transfers from VASPs that have not implemented the Travel Rule

As incoming transactions from VASPs that have not implemented the Travel Rule will automatically be routed to our high-risk and monitoring systems, our queuing system will increase exponentially, which means more manual interaction. 

Receiving these transfers prompts many questions:

• What do we do in these cases?
• Do we have the risk appetite to accept these transactions? 
• What is the Travel Rule enforcement mandate date of the jurisdiction of each transaction? 

The sunrise issue brings forth implementation concerns:

• When do we go live? 

Implementing a staged approach to Travel Rule compliance for our end users

We need to understand how Travel Rule compliance impacts our clients; this is our key priority. I think the FATF is great, and I can understand what it’s trying to achieve in terms of transparency in AML, CTF, proliferation financing, etc. That’s the positive side. 

Conversely, like any other company, we also have day-to-day challenges with users sending assets to unhosted wallets and getting the address wrong. Adding beneficiary details to the mixture will increase user friction. We are concerned that our average user might not understand the implications of the Travel Rule. There will be teething issues during the education phase, which will impact our users to a certain extent, as happened with SWIFT.

As we advance, this pushes the implication to the content and marketing teams, who now have to educate our users about what is needed to send a transaction. Their knowledge will be critical when dealing with a retail mass market of VASPs such as FinCEN. 

Travel Rule compliance ensures VASPs’ future

Travel Rule requirements will give our users confidence in what we’re trying to achieve as an ecosystem. Our goal in the crypto space is for the last one to be financially included. As an industry, we must ensure that we are aligned and not just criticized by the rest of the financial services sector in terms of how we’re going forward to mitigate money laundering risks and terrorist financing risks, and proliferation financing. And that is why we decided to have our Gibraltar license to operate as well, to comply with the industry’s highest standards while giving confidence to the users and the financial ecosystem. 

When FATF first rolled out the Travel Rule, the industry waited for the other shoe to drop. Yet now, it’s becoming very evident: the FATF and the Travel Rule will be here to stay. Either you embrace it, or you don’t, and if you don’t embrace it, you won’t have a place within the VASP ecosystem. Per FATF, VASPs are recommended to stop interacting with VASPs that do not comply. They will essentially be phased out.

Challenges with rolling out Travel Rule compliance

Operational: It’s always challenging when something gets rolled out initially because you’ve got the key stakeholders of the business saying, Okay, now we’re going to do this? How is this going to affect our users? From a compliance perspective? 

Compliance Team: Most of our compliance team at Bitso comes from either a banking or an e-money background. The Travel Rule just made sense to us; we were very used to it as a department. Now, the challenges of rolling it out are another thing. Compliance teams are not formed of techies or engineers. They’re composed of compliance officers, analysts, and people who may not necessarily have a technical skill set. We needed a user-friendly solution that allowed us to be efficient as an organization. 

Choosing a Travel Rule solution: Bitso’s journey 

Bitso has a long history of leveraging adherence to international requirements and standards. Now, Travel Rule implementation changes will impact our operational capability.  We spent 18 months talking to different (Travel Rule solution) providers. I’ve been in some meetings learning about membership-based protocols that were not agnostic.

We want, and what the industry is craving for, is that agnostic solution that allows all of us to interact. Crypto is not about exclusion; it is about inclusion. That is the point of the ecosystem. Inclusion is at the forefront of the minds of Bitso founders, especially our CTO. The crypto ecosystem is supposed to interact and help, by all means, meet the requirements — but let’s do this intelligently. Let’s shift the organization and the industry from going down a “SWIFT” path. 

There are elements in different jurisdictions still being developed, and not many products reflect those elements. So that presented another challenge: going to many meetings where no one had a beta version, just a wire chart. When choosing a solution, we wanted to know if the solution was:

• An open-sourced industry alliance network, a closed network, or a commercial solution.
• Interoperable with various protocols and Travel Rule solutions.
• Live and in production.

When we first met with Notabene, we realized that their Travel Rule compliance solution ticked every single box. We’ve made the correct decision with onboarding to Notabene, and to be quite honest, it was a massive relief for all of us. It’s a very public record; we’ve signed up with Notabene, and I’m very thankful for that. 

Going forward, I think that we’ll be testing for a while. We will spend a lot of time testing to ensure that we don’t burden the ultimate user. We want to ensure that our users get used to the new requirements, so we’re making the transmission of beneficiary data optional until they are used to it. So this is kind of the trajectory that we want to follow, which also tracks us to meet our local regulatory redline in June 2022.

‍

‍