In the data requirements for Originator and Beneficiary VASPs in the Travel Rule, VASPs must legally identify each other and route the required transaction information to the appropriate VASP. Many VASPs have entities in more than one jurisdiction, and customers or blockchain analytics services likely won’t be able to determine which entity should receive the transaction. As crypto transactions are inherently cross-jurisdictional, using a unified, secure method of VASP name-matching supports seamless Travel Rule data transfers.
This article dives into Decentralized Identifiers (DIDs) and how Notabene’s market-leading Travel Rule compliance solution uses cutting-edge technology to identify VASPs.
What are DIDs?
Globally, individuals and companies use unique identifiers in a wide variety of contexts: phone numbers, email addresses, social media usernames, ID numbers (for passports, driver’s licenses, tax IDs, health insurance), and product identifiers (serial numbers, barcodes, RFIDs). Additionally, each website in a browser has a globally unique URL (Uniform Resource Locator).
External agencies control most globally unique identifiers; they decide what they refer to and when to cancel them. They're only valuable in specific contexts and are recognized only by unelected bodies. Traditional unique identifiers may reveal private info, and they can be fraudulently copied and used by a third party, resulting in "identity theft."
DIDs are a component of a more extensive system, the Verifiable Credentials ecosystem, and are defined in the W3C DID specification as a novel type of cryptographically verifiable globally unique identifier. DIDs are designed to enable individuals and organizations to generate their own trusted identifiers and prove control over them through authentication using cryptographic proofs such as digital signatures.
The World Wide Web Consortium (W3C) defines a DID as:
“A globally unique persistent identifier that does not require a centralized registration authority because it is generated and/or registered cryptographically.”
DIDs are entity-controlled, and each entity can have as many DIDs as it needs to keep its identities, personas, and interactions separate as desired. These identifiers can be used in a way that makes sense for each situation. They make it possible for entities to interact with other people, institutions, or systems that need them to identify themselves or the objects under their control. DIDs also allow entities to decide how much personal or private information should be shared without depending on a central authority to guarantee the continued existence of the identifier.
How do DIDs work?
A DID is a simple text string consisting of three parts:
1) the DID URI scheme identifier,
2) the identifier for the DID method, and
3) the DID method-specific identifier.
Building an Ethereum DID is equivalent to generating an asymmetric key pair. Because a mathematical relation exists between the DID hash and its public key, the hash can be derived from a public key, and vice versa.
- DID ~= public key
DIDs are resolvable to DID documents. A DID URL extends the syntax of a basic DID to include other standard URI parts like path, query, and fragment in order to find a specific resource, like a cryptographic public key inside a DID document or a resource outside of the DID document. DIDs create an ecosystem/protocol for cryptographically secure data exchange & verification, and more. Anyone can create a DID as they are self-managed, open-sourced, and decentralized. Learn more on the W3 website.
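The three-part DID syntax and the DID URL dereferencing described above, as an added example (not Notabene's or Veramo's code). It validates a DID against the W3C DID Core grammar, splits a DID URL into path, query, and fragment, and uses the fragment to find a public key in a DID document. The `did:example:` identifiers, the document contents, and the key values are constructed for illustration.

```python
import re
from typing import NamedTuple

# Grammar from W3C DID Core: did = "did:" method-name ":" method-specific-id
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"did:([a-z0-9]+):((?:{_IDCHAR}*:)*{_IDCHAR}+)")

class DidUrl(NamedTuple):
    did: str        # the bare DID, e.g. did:example:vasp-sg
    method: str     # part 2: DID method
    method_id: str  # part 3: method-specific identifier
    path: str
    query: str
    fragment: str

def parse_did_url(text: str) -> DidUrl:
    """Split a DID URL into its parts; raise ValueError on a malformed DID."""
    rest, _, fragment = text.partition("#")
    rest, _, query = rest.partition("?")
    did, slash, path = rest.partition("/")
    match = _DID_RE.fullmatch(did)
    if match is None:
        raise ValueError(f"not a valid DID: {did!r}")
    return DidUrl(did, match.group(1), match.group(2), slash + path, query, fragment)

def dereference_key(url: str, documents: dict) -> dict:
    """Return the verification method that a DID URL fragment points at."""
    parsed = parse_did_url(url)
    if not parsed.fragment:
        raise ValueError("DID URL has no fragment naming a key")
    doc = documents.get(parsed.did)
    if doc is None or doc.get("id") != parsed.did:
        raise LookupError(f"no DID document for {parsed.did}")
    wanted = f"{parsed.did}#{parsed.fragment}"
    for method in doc.get("verificationMethod", []):
        if method.get("id") == wanted:
            return method
    raise LookupError(f"{wanted} not found in DID document")

# Constructed sample data: two entities of one hypothetical VASP, one DID each.
SAMPLE_DOCS = {
    did: {"id": did, "verificationMethod": [
        {"id": f"{did}#key-1", "type": "JsonWebKey2020", "controller": did,
         "publicKeyJwk": {"kty": "OKP", "crv": "X25519", "x": f"CONSTRUCTED-{tag}"}}]}
    for did, tag in [("did:example:vasp-sg", "SG"), ("did:example:vasp-us", "US")]
}

if __name__ == "__main__":
    print(parse_did_url("did:example:vasp-sg?service=travel-rule#key-1"))
    print(dereference_key("did:example:vasp-us#key-1", SAMPLE_DOCS)["publicKeyJwk"])
```

Rejecting a malformed DID before any lookup keeps an attacker-supplied string from being treated as a routing key, and matching the full `did#fragment` ensures a key from one entity's document is never returned for another entity's DID.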
How are DIDs used in relation to Travel Rule/VASP communication?
When Alice sends a transaction to Bob, she likely doesn’t know if his account is with Coinbase Singapore, Coinbase USA, or any other Coinbase entity. She simply inputs his alphanumeric address and sends the transaction. A normal crypto transaction flow puts the onus on providers to determine which entity controls Bob’s address.
Leveraging DIDs, Coinbase would create separate DIDs for each entity, which removes the VASP name-matching operational friction without asking the end user to submit unknown information.
DIDs allow for the following in relation to the Travel Rule:
- Matching a blockchain address to the correct VASP entity.
Blockchain analytics services only return the VASP name. Having a separate DID for each entity solves difficult counterparty identification by returning Coinbase EU, Coinbase DE, Coinbase US, etc.
- DIDs define a standard market practice for including Legal Entity Identifiers (LEIs) in payment messages as recommended by the Financial Action Task Force (FATF).
In paragraph 189, the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs notes that LEIs could be used as additional information in payment messages without changing the current message structure.
- Creating a decentralized SWIFT code network.
The traditional banking world uses SWIFT codes to identify companies. Keeping in line with the ethos of the space, DIDs can be used as a standardized decentralized way to identify VASP entities.
How does Notabene use DIDs?
We use DIDs as Legal Entity Identifiers (LEIs) for our clients. Every crypto company or financial institution in our VASP Directory. DIDs allow companies to create separate identities for each entity, meaning that if there are ten Coinbase entities, each one will have its own DID. DIDs cut out painstaking name matching during regulated data transfers.
In the Travel Rule context, DIDs resolve into a document that specifies:
- VASP website
- VASP’s public key
- Which protocol a VASP supports, etc.
Who provides DIDs for Notabene?
We work closely with Veramo to carry out one of our two PII flows.
PII Escrow flow:
- Veramo securely encrypts PII data flow when sending Travel Rule data transfers from VASP A to VASP B.
- Only the Beneficiary VASP can decrypt the data.
- This supplies security and comfort because, in the event of a data leak, no one can decrypt it but the recipient.
Hybrid PII Encryption flow:
- The Originator VASP sends two versions of the Travel Rule data transfer, one for us to decrypt and one for the Beneficiary VASP.
- Notabene accesses the version intended for us to perform sanction screening.
- As a SOC2 compliant company, we use unique keys per customer to minimize potential hacking cases, leaks, etc.
Currently, Notabene securely stores PII during the hybrid PII encryption flow. However, if customers want to run their own PII service, they can. Learn more about Notabene’s commitment to security.