Summary: In FATF’s latest guidance, it broadly defines DeFi operators as VASPs that have to deal with AML/CFT obligations. On the Travel Rule, the big news is that FATF expands these requirements to include all financial institutions (FIs) who deal with virtual assets. FATF also clarified many outstanding questions by adding new requirements such as sanction-screening of counterparties and collection of beneficiary names, even with unhosted wallets. VASPs will need to move quickly on the Travel Rule or risk not receiving licenses for operation and being outcompeted by FIs entering the market today with strong compliance expertise.

On March 19th, 2021, the Financial Action Task Force (FATF) released its updated guidance on the risk-based approach for virtual assets (VAs) and virtual asset service providers (VASPs). 

The original guidance was published in June 2019, placing anti-money laundering and countering the financing of terrorism (AML/CFT) obligations on VAs and VASPs. It also extended Recommendation 16 to VASPs, commonly known as the “travel rule”. 

Following the publication of this revised guidance, there is a 4 week public consultation period in which private sector participants will provide feedback and commentary. Notabene will be providing input directly to FATF as part of the FATF Virtual Asset Contact Group (VACG) and indirectly through its participation in various forums like the Global Digital Finance (GDF) and the Chamber of Digital Commerce.

With this revised guidance, FATF aims to achieve two goals:

• Level the playing field for VASPs in line with existing standards applicable to financial institutions and other AML/CFT-obligated entities
• Minimize the opportunity for regulatory arbitrage across financial sectors and jurisdictions
  

We describe below FATF's general approach as well as summarize the main takeaways. We supplement the sections with our assessment of how this may impact the crypto industry.

1. Virtual assets is not higher risk than other financial service sectors, but some aspects of it are deemed riskier 

FATF maintains a technology neutral approach to virtual assets. 

FATF states that VASPs should be regulated similarly to financial institutions (FIs) that provide functionally similar services with similar ML/TF risks. In addition, FATF requirements should apply to all VAs and VASPs regardless of the underlying technology.

“The FATF Standards are intended to be technology neutral. As such, the FATF does not seek to regulate the technology that underlies VAs or VASP activities, but rather the natural or legal persons behind such technology or software applications that facilitate financial activity or conduct as a business the aforementioned VA activities on behalf of another natural or legal person.” (Section 68, Page 26)

Our assessment: FATF would like to maintain its view on technology neutrality and that VAs are not treated differently from other financial sectors of similar risk. However, they also apply this argument within the crypto sector - with what some may consider as direct jabs at ‘decentralized’ projects who may not be completely decentralized and for all intents and purposes would be considered VASPs. 

FATF provides recommendations to local regulators to treat certain aspects of VAs as higher risk.

FATF recommends that jurisdictions manage rather than avoid risk, and thus should not ban VAs completely. They should assess the risk introduced by VA activity and whether they can manage that risk. If they cannot manage it effectively, then they can take actions to limit or restrict certain activities.‍

“The FATF recommendations do not prejudge any sector as higher risk. … however the overall risk at a national level should be determined by individual jurisdictions through an assessment of the sector - in this case, the VASP sector.”  (Section 28, Page 12)
‍

Our assessment: FATF is giving the green light to local jurisdictions to implement stricter rules. We expect some regulators over the next year will deem certain activities such as transactions with unhosted wallets as higher risk.‍

VASPs are expected to "build compliance into their product".‍

FATF recommends that VASPs build sufficient AML/CFT controls into the design of their product before they launch it.‍

"Authorities may also require that appropriate AML/CFT mitigations must be built into products and services before they are brought to market, as it is much more difficult to do so later. (...) Once licensing and registration has taken place, AML/CFT mitigations which are built into products and services should be maintained and be the subject of active supervision." (Section 119, Page 43)‍

Our assessment: Regulators will increasingly expect products to have built-in compliance. This should not be an after-thought, and VASPs need to make compliance an integral part of their product design and development.

2. FATF plans to regulate certain Defi protocols, stablecoin platforms and multi-signature providers

No financial asset should ever fall outside of FATF standards.

FATF broadens both the VA and VASP definitions. It would like to ensure that every financial asset is either a VA or a traditional financial asset. 

It defines VAs as the following:

“ VAs must be digital, and must themselves be digitally traded or transferred and be capable of being used for payment or investment purposes.” (Section 38, Page 18)

This excludes digital representations of fiat currencies such as central bank issued digital currencies (CBDCs). 

With regards to VASPs, FATF did not update the definition from its 2019 guidance, but instead provided more examples as to what is considered a VASP and guidelines for regulators. 

Our assessment: FATF is looking to close the loop here on what is considered under its purview and who should be regulated. Previously unregulated segments of the crypto industry will find themselves under additional scrutiny. 

FATF believes that in the majority of crypto protocols a VASP is involved at some stage. 

In a direct jab at the decentralized community, FATF cautions regulators from buying into the “marketing terms and innovative business models”, and instead separating the function of a VASP from the underlying technologies. 

The VASP definition is expanded to potentially include multisig and MPC service providers:

“Where custodians need keys held by others to carry out transactions, these custodians still have control of the asset. A user, for example, who owns a VA, but cannot send it without the participation of others in a multisignature transaction, likely still controls it for the purposes of this definition. Service providers who cannot complete transactions without a key held by another party are not disqualified from falling under the definition of a VASP, regardless of the numbers, controlling power and any other properties of the involved.” (Section 55, Page 22)

FATF’s standards do not apply to underlying software (e.g. a DApp or software program), but the owner/operator of a DApp or a person conducting business development for a DApp are considered VASPs. (Section 57, Page 23)

Likewise, in stablecoin issuance, the developers building the platform are not VASPs unless they use it to engage as a business in conducting financial activities. Persons forming the governance body could also be considered VASPs, depending on the amount of influence and control they have. (Section 72, Page 27)

Non-custodial wallet providers are excluded from being VASPs. So are network participants and service providers solely engaging in the operation of a VA network (e.g. miners and validators). (Section 69, Page 26)

A company launching a business that could fall under VASP definition and then gives up control after launching it may still qualify as a VASP. 

“The FATF takes an expansive view of the definitions of VA and VASP and considers most arrangements currently in operation, even if they self-categorize as P2P platforms, may have at least some party involved at some stage of the product’s development and launch that constitutes a VASP.” (Section 75, Page 29)

“The use of an automated process such as a smart contract to carry out VASP functions does not relieve the controlling party of responsibility for VASP obligations. For purposes of determining VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.” (Section 79, Page 30)

Our assessment: FATF is clearly taking a more rigid stance at projects in the crypto space who may market themselves as decentralized but in fact maintain power or control over financial activities (and are profiting from them). We expect lots of pushback from the industry here, but also projects to go one way or another: either launch fully decentralized or get regulated.

 3. Regulators will introduce stricter crypto rules in their jurisdictions

FATF leaves regulators to take a risk-based approach with regards to P2P transactions.

If a jurisdiction deems the risks associated with P2P transactions too high, then it needs to limit its exposure to them. FATF provides examples of measures it can take for VASPs who transact with unhosted wallets, including introducing reporting requirements similar to currency transaction reports (CTRs), enhanced recordkeeping and due diligence requirements, guiding VASPs in applying a risk-based approach, or even denying them licensing. (Section 91, Page 37)

Virtual Assets in non-compliant jurisdictions or with decentralized governance structures are also considered at higher risk. 

Our assessment: We expect that multiple jurisdictions will take this as a green light to pass more stringent rules on unhosted wallets. We caution regulators to take the time to learn about why unhosted wallets do not pose necessarily more risk, and also recommend that the industry educate regulators so they do not take the easy way out and ban them.‍

Regulators are responsible for introducing a regulatory regime, but have flexibility in picking the approach.

FATF is not prescriptive, but recommends that countries do not outright ban virtual assets as that can lead to higher ML/TF risks (e.g. crypto users move to offshore exchanges). Instead, they should introduce registration and licensing regimes. Regulators can ask VASPs to introduce enhanced due diligence measures and devote more resources to AML/CFT compliance.

They should require VASPs to conduct CDD for transactions above USD/EUR 1000 and perform the travel rule. The rest of the recommendations more or less apply similarly as they do with FIs.‍

Our assessment: This is consistent with FATF’s general approach. Many jurisdictions who have not allocated resources as yet to regulating VAs may find it difficult over the next few years as they look to close the gap.

4. FATF adds additional clarity and requirements to the Travel Rule

VASPs must now perform sanctions screening on originators and beneficiaries.

We summarize the new requirements for VASPs:

Originating VASP must:

• Verify originator information (e.g. their own KYC process)
• Collect beneficiary information but not verify it
• Perform sanctions screen
• Be prepared to freeze and prohibit transactions
  

Beneficiary VASP must:

• Not verify originator information provided
• Detect if the required originator or beneficiary data is missing
• Verify provided beneficiary information with their own KYC’d information
• Perform sanctions screen
• Be prepared to freeze and prohibit transactions
  

Our assessment: Adding a sanction screening requirement is not a surprise, but in this case it could lead to many false positives. There is a lot of gray area here that can lead to a big burden on compliance teams today as they manually need to address issues that come up in transactions.

Originator VASPs must collect beneficiary names for all transactions.

It does not matter if a transaction is under the travel rule threshold  (Section 167, Page 56) or going to an unhosted wallet (Section 180, Page 60). In fact, FATF calls out that the travel rule applies to transfers between a VASP and an unhosted wallet, and that unhosted wallets could be treated as higher risk.

Our assessment: We expect pushback from the industry regarding end-user privacy and treating unhosted wallets as higher risk. 

Travel Rule data transfers must be immediate and secure.

They should be done at the same time (or presumably before) performing the underlying VA transaction. It does not have to be attached to the blockchain transaction itself. Batching is allowed as long as it is submitted immediately.

Our assessment: We expect the implementation to be a challenge in the sunrise period for some VASPs as they grapple with insufficient data, timely identification of counterparty VASP, and determining what travel rule solution they support.‍

Intermediaries have record-keeping and sanction-screening requirements.

Intermediaries only pass information along, so they aren’t required to verify originating or beneficiary customer information. However, they are required to perform record keeping and sanctions checks.

Our assessment: We expect a standard travel rule compliance flow for intermediaries to emerge in the industry in the next 6 months. Today, there have been some individual efforts, but industry cooperation will be important here to implement a standard flow across the industry.

5. VASP due diligence is a core requirement of the Travel Rule

VASPs are required to conduct counterparty VASP diligence before initiating a transfer.

A VASP should consider treating a counterparty VASP as a correspondent banking relationship and conduct thorough due diligence on the counterparty VASP. (Section 146, Page 50)

It can collect information directly from the VASP, but it must be verified. Beyond that, the VASP should assess the level of risk in the jurisdiction (e..g. AML/CFT laws of the jurisdiction, country assessment reports) as well as the counterparty VASP’s AML/CFT controls. After an initial due diligence, the VASP should periodically refresh it or have mechanisms in place to identify if a new risk emerges. 

FATF recognizes due diligence is a challenge and summarizes it in a 3 phase approach:

Our assessment: Conducting thorough due diligence at scale can be a challenge. Platforms like Notabene will provide solutions to help streamline the data collection and verification, as well as facilitate the relationship between the VASPs. However, regulators will also have to provide databases of verified information about VASPs.

Sunrise period is a challenge but not an excuse.

VASPs who want to interact with counterparty VASPs in a jurisdiction where the travel rule is not yet implemented could require them to implement it. 

“This can be a challenge for VASPs regarding what approach they should take in dealing with VASPs located in jurisdictions where the travel rule is not yet in force. Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.“ (Section 176, Page 59)

VASPs who want to be compliant can consider taking additional robust control measures:

“Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions. The absence of relevant regulations in one country does not necessarily preclude the effectiveness of measures introduced by a VASP on its own.”  (Section 177, Page 59)

Our assessment: In the latter part of 2021, many VASPs will adopt the travel rule for business reasons - mainly that their counterparty VASPs already require it. 

Are you interested in learning more about how we can help you comply with the latest crypto compliance rules? Reach out to us at hello@notabene.id.‍

View the original article

Cryptocurrency businesses are working hard to meet new regulatory requirements regarding counterparty risk. Perhaps the most notable of these requirements is the Travel Rule, which is relevant to nearly all cryptocurrency businesses operating in FATF jurisdictions. The Travel Rule dictates that Virtual Asset Service Providers (VASPs), such as exchanges, must identify the originators and beneficiaries of cryptocurrency transactions initiated by their users above a certain size. In cases where the counterparty of those transactions is also a VASP, the original VASP must then transmit that user information to the second VASP.

In order to comply, VASPs need simple tools that allow them to identify transactions that meet the rule’s requirements, pull users’ KYC information, and send it to VASP counterparties as the transactions are completed. All of this needs to happen instantly to avoid compromising user experience, which is no easy task for cryptocurrency businesses processing thousands of transactions per day.

Today, we’re excited to announce that we’ve partnered with Notabene to provide a frictionless, scalable tool that does exactly that. With our integrated solution, cryptocurrency businesses can automate transactions with trusted counterparties, while providing them with the data they need to detect suspicious activity and meet their regulatory requirements. By adopting now, cryptocurrency businesses can start complying with the Travel Rule immediately, put themselves in a better position with regulators, and gain a market advantage.

Additionally, Notabene's partnership with Chainalysis has been named one of Fast Company's top 10 most innovative joint ventures of 2022! Click here to learn more.

‍

1. The Travel Rule’s requirements and challenges

The Travel Rule is meant to help cryptocurrency businesses mitigate counterparty risk and establish a source of funds for cryptocurrency received by their users. While some jurisdictions have implemented the rule differently, the version recommended by FATF says that VASPs must exchange counterparty information with one another on cryptocurrency transactions valued above $1,000 or €1,000. Specifically, the originator and beneficiary VASPs must provide each other the following:

At first glance, the Travel Rule appears to be a simple matter of transmitting counterparty information between two VASPs. But in reality, the Travel Rule requires end-to-end changes to existing compliance processes, as VASPs must identify and take action on all transactions that meet the rule’s threshold in real time. This presents significant technical challenges, especially to implement at scale, as blockchain analysis shows that roughly 12% of all VASP transactions in February 2021 — roughly 2 million transfers overall — would qualify under the current FATF recommended threshold of $1000. We lay out the technical challenges introduced by the Travel Rule below.

- Challenge 1: Identifying a Travel Rule transaction

When a customer initiates a transaction, the originating VASP needs to automatically determine whether or not the transaction meets Travel Rule requirements. That means they must:

• Determine if the transaction amount meets the Travel Rule threshold in the relevant jurisdiction(s)
• Identify whether the counterparty wallet is hosted by another VASP
• Collect any missing counterparty information
  

All of this needs to happen instantaneously.

- Challenge 2: Performing due diligence on the counterparty VASP

Once the originating VASP has determined that a transaction meets Travel Rule requirements, it must then:

• Identify the counterparty VASP
• Assess the counterparty VASP’s risk level to determine whether it’s safe to share users’ personally identifiable information (PII)
  

In assessing counterparty risk, the originating VASP must take into account the counterparty VASP’s reputation, compliance program quality, security practices, and exposure to risky entities.

- Challenge 3: Initiating and completing the travel rule transfer

Finally, the originating VASP must have an appropriate communication channel to conduct a secure data transfer with the counterparty VASP. Both VASPs must have a secure means of storing the data they each receive in order to protect customers’ privacy and prevent internal misuse of that data.  

That leaves us with two questions: Can all of these challenges be met at scale with minimal impact on transaction flow? And how can VASPs comply without introducing unnecessary friction for users?

2. With Chainalysis data and Notabene’s compliance platform, cryptocurrency businesses can follow the Travel Rule frictionlessly and at scale

Notabene and Chainalysis have partnered to help VASPs meet the challenges outlined above and comply with the Travel Rule at scale.

Here’s what we each bring to the table.

Notabene provides an end-to-end travel rule platform that allows VASPs to manage regulatory and counterparty risks at scale. With its rule-setting tools, compliance officers can automate the exchange of Travel Rule data across the cryptocurrency business’s preferred communication protocols.

Chainalysis is the blockchain analysis platform trusted by investigators and compliance teams around the world. Our platform allows cryptocurrency businesses to identify Travel Rule transactions in real time, analyze counterparty wallets, and perform instant due diligence on counterparty VASPs so that they can get the information they need to stay compliant.  

Through this partnership, Notabene customers can now use Chainalysis’s powerful blockchain analytics data to make smart decisions and set rules based on their own risk-based approach.

“Notabene’s platform provides a comprehensive, seamless, accessible offering that meets and exceeds the unique requirements of VASPs around the world,” said Chainalysis Chief Government Affairs Officer Jesse Spiro. “Through this integration, VASPs will have an additional tool for regulatory compliance, risk mitigation and data-driven decisioning.”

Users can view counterparty blockchain addresses identified by Chainalysis — including wallet type, hosting VASP, and risk score — directly on the Notabene dashboard. In addition, with Notabene’s API integration, they can automatically send or receive Travel Rule transfers based on data supplied by Chainalysis, allowing them to be Travel Rule-compliant at scale.

The Chainalysis-Notabene integration enables VASPs to meet all of the challenges necessary for Travel Rule compliance.

3. Why you should start meeting Travel Rule requirements today

Getting an early start on Travel Rule compliance signals to regulators that your cryptocurrency business is taking regulations seriously. That helps ensure your business receives its licenses on time without disrupting go-to-market strategy.

Further, as other VASPs become Travel Rule compliant, they may be forced to stop doing business with you if your compliance program isn’t up to par. By meeting Travel Rule requirements now, you can give your customers and partners the confidence to keep working with you, open up new opportunities, and gain an advantage in the market.

"In a fast-growing and increasingly competitive industry, we are seeing that crypto companies who view regulatory compliance as a market advantage are performing better. By taking action on requirements like the Travel Rule on time, they are able to unlock new opportunities: build the next suite of regulatory compliant financial products, receive licenses to operate in the biggest financial hubs, and expand their reach into new customer segments”, said Pelle Braendgaard, CEO of Notabene. “We are excited to play a pivotal role in helping companies achieve their growth plans. Through our partnership with Chainalysis, we provide crypto companies with a full solution to do compliance at scale."

Want to learn more about the Notabene-Chainalysis Travel Rule integration? Join us Monday, March 29 at 11am ET for a webinar in which we’ll explain in-depth how the integration works and show a live demo.

Want to start using the integration right away? Contact the Notabene team at hello@notabene.id.

Over the past year, the crypto Travel Rule has become a critical issue for many crypto businesses. Throughout 2020, companies focused on finding a solution that would allow them to transmit their customers’ data to other crypto businesses in a secure and privacy-preserving way. 

However, when you take a closer look at the Travel Rule and how its implementation impacts day-to-day business processes, being compliant requires a lot more than just data transmission.

A complete compliance solution seamlessly integrated into your product

To help crypto companies fully comply with the Travel Rule, we’re launching today a set of new tools for data collection and wallet identification. This enables businesses to integrate the Travel Rule solution seamlessly into their products.

Rather than introducing standalone, disjointed compliance measures, we offer a comprehensive tool, that allows you to comply automatically and at scale. When compliance stops being an afterthought and catch-up game and becomes an inherent part of your product, it turns into a business asset.

‍

Immediately identify which transactions fall under the Travel Rule

The Travel Rule is required only for transactions between custodial wallets. However, it’s impossible to determine the account type and owner just from a blockchain address. 

Existing blockchain analytics services can identify some of this information. Unfortunately, their research-based approach is probabilistic and can sometimes take weeks before identifying address types. This is time that compliance teams don’t have when assessing transactions, leaving room for many Travel Rule transactions to fall through the cracks.

With Notabene’s pre-built user interface components, you can collect the missing data from your users, as they initiate a payment. This lets you instantly identify the wallet type and counterparties involved in the transaction and apply necessary regulatory requirements. 

Easily collect and store data without adding friction to user experience

Until recently, most crypto businesses didn’t need to collect and store beneficiary data. The Travel Rule has changed that. This brings up many user experience, security, and data privacy concerns.

Companies must now run a complex process of analyzing every transaction that goes through their system. Then they have to ensure they gather from their customers only the minimum personally identifiable data required to satisfy regulatory rules. 

With our dynamic, data collection form, you request only the information required by relevant regulations, based on the jurisdiction, transaction threshold, and wallet type that cannot be retrieved from other sources (blockchain analytics services, etc). This not only minimizes the amount of PII businesses collect, store, and share but also helps you become compliant without sacrificing user experience.

Generate Travel Rule transfers automatically and comply at scale

After identifying relevant transactions and collecting the necessary data, Notabene creates Travel Rule transfers and automatically sends them to intended counterparty institutions. This way, most of the data transfers are generated seamlessly and in the background, freeing up your compliance officers to focus only on edge cases (which are also flagged by Notabene’s system, but that’s a different topic for another blog post :)). 

Save valuable time and resources 

New compliance requirements often create additional resource burdens on product and dev teams. For this reason, we built our data collection and wallet verification tool with developers in mind! An easy integration that’s also fully customizable gives dev teams time back, which would otherwise go towards designing, building, and testing an in-house compliance solution.

If you still want to build your own UI components (we get it!), our API allows for seamless integration directly into your front-end. 

Interested in learning more?

Book a demo today!

Participating virtual asset service providers (VASPs) are preparing to roll-out compliance with the Travel Rule for the Singapore market as early as April 2021.

Notabene is excited to announce the launch of our Singapore Testnet, a testing environment created for a select group of our customers to perform Travel Rule transfers using the Notabene service. The participating companies consist of Crypto.com, Luno, Xfers, Onchain Custodian and Sparrow Tech Pte Ltd.

New anti-money laundering (AML) rules, commonly known as the “Travel Rule”, require crypto companies to share personal customer information with each other as part of a transaction. Jurisdictions around the world are implementing these rules as a prerequisite to granting operating licenses. Singapore’s MAS has been at the forefront of this. As companies rush to comply, they are faced with some practical challenges on how to trust counterparty exchanges and perform these data transfers securely and at scale. With an end-to-end Travel Rule platform, Notabene can help. With our rule-setting tools and VASP diligence service, compliance officers can now automate the exchange of Travel Rule data with trusted counterparties. 

The Testnet is running for 6 weeks, starting the beginning of March 2021. Participant VASPs have already successfully completed a first phase of testing on March 5th, 2021.

Pelle Braendgaard, CEO of Notabene, says:

‍Through this Testnet, participating VASPs are paving the path for the broader crypto industry. We are very happy to be working closely with their teams. They are setting a great example for companies faced with questions on how to best implement these new requirements while minimizing impact on day-to-day business. Their learnings will have a big impact ultimately on how the Travel Rule gets rolled out more widely.

The Testnet consists of simulations that mimic real-time scenarios between the participants, as well as with companies that are not part of this network. This allows VASPs to assess what new processes they need to introduce and how to deal with more complex scenarios. 

As a trusted derivatives platform and member of the FinTech community, Sparrow aims to ensure we meet regulatory compliance standards. Notabene's Testnet has given us valuable insights into implementing the Travel Rule while helping us design robust internal processes to meet regulatory requirements,

affirms Kenneth Yeo, the CEO of Sparrow.

The Testnet allows participants to perform rigorous testing of different cases. This includes performing diligence on new VASPs and setting rules to automate secure transfers between trusted parties. The goal by the end of the Testnet is for companies to be ready to roll out the Travel Rule to their Singapore operations.

Antonio Alvarez, Chief Compliance Officer at Crypto.com said:

We are thrilled to be a part of testing and implementing cutting edge compliance technology that will resonate globally. We look forward to testing how this can be scaled up in our systems with fellow VASPs.

For many companies including those participating in our Testnet, the Travel Rule extends beyond the compliance department. They recognize that the Travel Rule adds a new layer of trust to crypto transactions by lowering counterparty risk. This presents an opportunity to launch new regulatory compliant products to their customers. 

Aymeric Salley, Head of StraitsX at Xfers, says:

At Xfers and with our group of Singapore based partners, we are excited to take global leadership in providing the world's first Travel Rule compliant settlement network for Digital Assets, starting with our native token, the digital Singapore Dollar XSGD.

Apart from the established custody solution that we provide to our clients, Onchain Custodian is also actively working with the industry participants to fulfil Travel Rule requirements. As the industry grows rapidly, a secure, interoperable and efficient Travel Rule solution is vital for every participant including custodians,

comments El Lee, Chief Operating Officer of Onchain Custodian.

For the participating VASPs, Singapore is a great market to roll-out the Travel Rule first. MAS’s clear guidance and exemption periods have provided a safe environment for companies to make a head start on compliance before global roll-out. 

Sherry Goh, Country Manager of Singapore at Luno, says,

Operating in a well-regulated financial centre like Singapore has given us the opportunity to be forerunners in Travel Rule compliance. Industry cooperation is critical to its successful roll out here, and we are glad to have found like-minded partners to embark on this journey together. We look forward to seeing how the key learnings of this exercise could pave the way for an effective and consistent regulatory landscape for crypto players globally.

If you are interested in learning more about the Testnet or would like to implement the Travel Rule, please reach out to us at hello@notabene.id. 

TL;DR - To comply with new AML/CTF requirements, crypto companies in Singapore are partnering with compliance companies like Notabene. We are deeply committed to data security and privacy, and as such, we have taken significant steps to meet MAS’s new requirements for technology service providers. We have also successfully completed an Independent Assessment from ACCESS and are working on a SOC2 Audit. Our efforts will help companies streamline the vendor assessment process and allow them to start implementing the Travel Rule quicker.

Singapore’s financial regulator, the Monetary Authority of Singapore (MAS), has been at the forefront globally in implementing a regulatory framework for crypto companies operating in the country. In short, crypto companies will need to follow similar AML/CTF requirements to traditional financial institutions. They also have to apply for a Payment Service Provider Licence (activity type: digital payment token service) under the Payment Services Act (PSA) to continue operations.

Once the first licenses are issued, it will be a boon for these businesses as it allows them to expand services to the traditional financial world. We are seeing many international crypto companies applying for licenses in Singapore to take advantage of these benefits.

Most of the focus has been on the new AML/CTF processes that licensees will have to implement such as the Travel Rule and non-custodial wallet identification. We are working closely with many Singaporean PSA license applicants to solve these issues.

There is a lot more to it than AML though. Data security, privacy, and customer protection are equally important. 

In particular, MAS requires licensees to implement the following:

• Personal Data Protection
• Outsourcing Guidelines
• Technology Risk Management

Most of these requirements are about protecting customers’ data and financial transactions. The Outsourcing Guidelines specifically deal with how regulated financial institutions in Singapore have to deal with service providers like Notabene. 

The Technology Risk Management Guidelines are a new set of guidelines issued on January 18th, 2021, and require financial institutions to assess whether third party vendors employ a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.

Financial institutions need to assess whether technology vendors can fulfill their security obligations, and then ensure that this is reflected in legal agreements with them. During a time when companies are looking to quickly adopt new AML/CTF tools quickly, we understand that this can be a challenge and delay the procurement process.

To make this process more seamless for our Singaporean customers, we have taken the following steps:

First, ACCESS completed an Independent Assessment of our service

The report contains an assessment of various aspects of our business as required by the outsourcing guidelines, including data security and business continuity processes. Per their assessment of both the Notabene product as well as these guidelines, we satisfy the requirements put forth by MAS. 

ACCESS also engaged an external vendor  to  conduct a rigorous cybersecurity assessment of the Notabene product using the Gray Box Testing Method and then benchmarked against Open  Web Applications Security Project (OWASP) standards. The objective was to uncover vulnerabilities in our API by setting up a rogue VASP with malicious intent. No vulnerabilities were identified.

The report has been shared with MAS, FATF and IDAXA. If you are an ACCESS member, you can purchase the report here. We are able to provide a limited amount of codes that will allow you to download it at no cost. Please reach out to us for a code.

Second, we are fully SOC 2 certified

Notabene has achieved a clean SOC 2 Type II report, underscoring our adherence to top-tier security standards through robust information security measures. This accolade, coupled with AICPA's three-month evaluation affirming our compliance with key service and system standards, highlights our commitment to security and privacy. Supported by Vanta's compliance platform and our dedicated team, we ensure our product's integrity, with our SOC 2 audit report available to customers upon request.

Finally, we are one of the first third-party vendors to meet the new Technology Risk Management guidelines put forth by MAS

‍This is now reflected in a special version of our commercial agreement, which includes specific addendums surrounding personal data protection, outsourcing guidelines, and technology risk management. We are offering this as an option to Singaporean companies.

Has your company applied for the Digital Payment Token Service License in Singapore, or are you considering it? With our end-to-end Travel Rule solution, we can help you meet the latest requirements. You can reach out to us at hello@notabene.id.

In the light of our recent fundraising round, I wanted to share some thoughts on Notabene today and on our future to help mark this important milestone for our team.

1. Our mission is to give everyone the confidence to perform crypto transactions

My co-founders and I are all big believers in the underlying mission of cryptocurrencies, DeFi, and their underlying blockchain protocols. The permissionless nature of these protocols is a requirement for them to function correctly. It also allows developers and startups to create groundbreaking new innovative products that just would not be possible in a permissioned world.

However, it is easy to forget that behind each transaction flowing through these protocols are real people and businesses. They do need to be able to make educated decisions if they want to perform a transaction or not.

I firmly believe that one of the biggest problems affecting the adoption of crypto is that most people and businesses are still finding it difficult to trust the counterparties to a transaction:

• Who sent me this BTC?
• How do I know I’m sending my ETH to the correct DeFi address?
• Is my customer who is withdrawing funds sending it to themselves, or am I inadvertently interacting with someone from a sanctions list?
• Who do I reach out to if I sent the funds to the wrong address?

For some, such as end-users, it is primarily about the risk of losing funds. Will I lose money sending a transaction to the wrong address or a fraudulent business? As someone who sent his first Bitcoin transaction in 2010, I am still worried every time I send a crypto transaction.

Regulated companies like banks and crypto exchanges also have a regulatory requirement to know with whom they are transacting, which increases the risk of doing business. This risk is present regardless of whether they send funds to their customer’s Ledger Nano or send funds to another exchange.

Sending or receiving funds to another exchange adds multiple parties to the transaction, thus substantially raising the risk. Not managing these risks can have very extreme consequences for a regulated company like an exchange. There may be fines involved, but you could also lose your license or go to jail in some severe cases.

We started Notabene specifically to help regulated companies have the confidence to send and receive more transactions on behalf of their customers. I believe this will ultimately allow broader adoption of crypto and DeFi by everybody and push the technology into mainstream usage.

This year we have seen a remarkable resurgence in Bitcoin and an incredible amount of innovation in DeFi. These two technologies, together with stablecoins, are now no longer just the talk of crypto Twitter. They have reached the top of mind for central bankers, regulators, investors, and bankers. The main reason is that the value proposition of these protocols has become so much clearer to them.

There has never been a more important time to grow the amount of value transferred through these decentralized protocols. Not just by 2x or 10x. Let’s shoot higher to 100x and 1000x.

As an early Bitcoiner, I have never felt more confident in us reaching the broad and inclusive adoption goals that we have been speaking about at conferences and on podcasts for the last ten years.

2. New global regulations are challenging for the crypto industry

Last year the global Anti Money Laundering watchdog FATF laid down a new global framework for regulating crypto businesses based on applying their existing recommendations to crypto businesses. In 2013 the US was the first country to apply its existing regulatory framework to crypto businesses. Now regulators from most major economies are figuring out how to implement this framework.

Unfortunately, in many jurisdictions, such as Singapore and the Netherlands, established companies struggle to fulfill the new licensing requirements required to continue operating.

Since its start, the crypto industry has had a problem with regulation. Regulation seems antithetical to the technology’s permissionless aspect. Also, when it comes to a decentralized protocol like Bitcoin, whom do you regulate? I, like many others, joined the space because of this promise of permissionless innovation.

3. Lack of access to financial institutions

Lacking access to the traditional financial system ended up being one of the most significant issues for many startups working with crypto. After all, how can I sell Bitcoin if my customers can’t pay for it?

Our CTO Andrés Junge launched the first Bitcoin brokerage, Yaykuy, in Chile back in 2012. The banks shut off access to Yaykuy one by one since they did not know how to manage the risk of having an unlicensed crypto exchange as a customer. They finally had to shut down. I went through something similar in Kenya with my old startup Kipochi when mPesa shut down our operational account within a week of our press launch.

In both of these cases, it wasn’t the regulators closing these startups down. It was traditional financial institutions shutting them out since they had no clear path towards regulation. More importantly, they couldn’t prove the source of funds for our customers’ transactions.

“Derisking” is the term usually used for this process of banks shutting off access. Without access to the correct tools, there is a real risk that well-regulated exchanges start derisking away transactions to less well-regulated ones.

When the last significant change in regulation happened in the US in 2013, it became a competitive advantage to actively seek out and manage relationships with both regulators and banking connections.

4. The Travel Rule gives companies the tools to manage risk

The most controversial part of the FATF framework for crypto regulation has to be the “Travel Rule,” which many saw as impossible to implement for blockchain applications.

The Travel Rule comes into effect when a regulated financial institution sends funds on behalf of a customer to an account at another regulated institution. The rule requires the sending institution to transmit information about its customer to the receiving institution, who have to take this information into account when managing the risk of the transaction.

One of the main reasons regulators require companies to implement the Travel Rule is to perform better sanctions list checking. Governments, the EU, the UN, and others create sanctions lists to list known terrorists, corrupt politicians, and organized crime members. In some cases, they include known blockchain addresses of sanctioned people, but checking only for sanctioned addresses is insufficient for compliance.

If an institution accidentally facilitates a transaction with someone on one of these lists, it can lead to fines. A lawyer friend who has advised companies accused of this calls it an extinction-level event for many unprepared companies. Defending it becomes a case of proving you have set up correct processes to avoid it.

Sanctions list checking is a requirement for both the sending and the receiving institution. Doing so based solely on public data from blockchains is impossible, so the Travel Rule sets up a new layer on top of the underlying blockchains enabling them to do so correctly.

In reality, the Travel Rule is not new, and most traditional payment systems such as SWIFT have implemented it since the 90s. When banks say they can’t trust the source of funds for crypto companies, they are typically referring to the lack of the Travel Rule.

5. How are we helping crypto businesses today?

Notabene takes a very holistic view of managing the regulatory risk of crypto transactions. Our current offering consists of a unified API and dashboard helping compliance officers within crypto businesses manage risk for both Travel Rule and regular non-custodial transactions in a single place.

While the Travel Rule is used to help regulated institutions manage risk, we also see it as an excellent way to give their end-users the confidence to transact more. We provide innovative companies with the tools to help use the travel rule to increase their transaction volume and, ultimately, revenue.

There are currently many protocols for solving the Travel Rule today. All of them help businesses involved in a particular transaction to exchange information about their customers. They also require every transacting party to be on the same protocol. This lack of a clear winner amongst all of the protocols has made it even more difficult for crypto businesses to pick just a single protocol.

From talking with leadership and compliance staff at countless crypto companies, I believe this has only caused confusion and slowed the industry’s overall implementation. Notabene provides a switch on top of them and even allows our customers to continue transacting with exchanges that aren’t yet actively implementing the Travel Rule. Our Travel Rule switch gives our customers access to by far the broadest amount of crypto businesses.

Since we launched in August, over a dozen companies, have started using Notabene for Travel Rule compliance. Ania Lipinska, our head of product, has personally had deep dives with compliance teams at over 100 different crypto businesses this year. Our team’s strong focus on their needs has made us the default choice for most exchanges looking to implement the Travel Rule. By the end of 2021, I expect the majority of exchange to exchange transactions globally to have their risk managed at least partially through Notabene.

6. Privacy concerns

Data privacy and surveillance are always subjects that rightly come up when thinking about KYC and AML. There is also a fundamental paradox between the transparent public aspects of blockchains and the goals of privacy.

Notabene helps our customers manage sensitive data about their internal business operations, including identity data about their customers. Being part of this process is a big responsibility that we take very seriously.

We designed our core architecture around privacy-preserving identity data to ensure the privacy and integrity of our customers’ data and the privacy of their end-users. We do not and will not ever maintain a global identity graph as Facebook or Google do around financial data.

My entire team is very passionate about this data privacy. We all worked together to build the framework for privacy-preserving user-centric identity at ConsenSys’ uPort project. Many of the architectural decisions we have made were specifically to ensure privacy also made our platform much more difficult to develop. We will share more about our approach to data privacy in future posts.

7. A unique international family

My incredible co-founders Alice Nawfal, Ania Lipinska, Andrés Junge, and I worked together before at ConsenSys. There we built the foundational decentralized identity platform, uPort. The technology and ideas that we pioneered at uPort now form the basis for many sizable regional identity initiatives such as the EU’s eIDAS SSI bridge, Spain’s Alastria, and the Inter-American Development Bank’s groundbreaking LACChain project.

Early this year, right before COVID-19 hit the world, the four of us decided we wanted to use our unique experience and knowledge to solve fundamental problems the crypto industry has been facing pretty much since its inception. With its seven nationalities (several dual), our five-member team is global, just like our customers. We are based in New York, Santiago de Chile, Switzerland, and Zoom.

8. We only just started on our mission

The crypto industry is continually changing. DeFi and stablecoins have shown regulators and the financial world that the basic building blocks are soon ready to replace traditional financial products.

Regulators are anxious about money laundering and fraud in these platforms and are already discussing how to apply existing rules to this technology. At the recent V20 event, FATF agreed that they have to work closely with the industry. I spend a lot of time with regulators and industry groups to help solve their concerns in ways that don’t halt innovation.

There is a lot to do if we want to enable everybody to perform crypto transactions with confidence, particularly in an industry as innovative and fast-moving as ours. We are looking for new team members who share our mission to help us get there. In particular, we are looking for technical and operational roles.

Thank you so much to our customers and investors for placing their trust in us and our mission.

We are thrilled to announce a significant milestone for Notabene — we have raised $1.765 million in venture capital led by Castle Island Ventures, joined by Green Visor Capital, Lynett Capital, Dialectic, Pardon Makumbe, and more. 

This seed round brings our total funding to date to $2.3 million with some of our early supporters including Y Combinator, Signature Ventures, Joachim Sonne, and others.

We are also excited to welcome Matt Walsh of Castle Island Ventures to the Notabene Board of Directors. Matt explains why they invested in us:

Regulatory compliance has been a barrier to entry to public blockchain assets for most financial services firms. The Notabene team has built a best in class solution that is the safest and most convenient way to immediately address these compliance requirements.

Lou Forster from Green Visor Capital adds:

Green Visor believes that compliance in the entire cryptocurrency ecosystem will be a growth area. As cryptocurrency and blockchain solutions are developed for more and more use cases, regulatory authorities will focus keenly on the sector and will demand guardrails, disclosure and oversight. Notabene is well-positioned to develop tools to address the regulatory concerns whilst influencing the regulatory process itself.

We are incredibly excited to work with these great investors and have already benefited from the great insight and experience they bring.

1. The promise of regulatory clarity is opening crypto to the world

This year, we have seen a remarkable resurgence of interest in virtual assets by central bankers, regulators, and institutional investors. Despite that interest, adoption is still only just starting to happen more broadly. Traditional-finance actors have most often noted a lack of regulatory clarity and trust in transactions preventing broader and faster adoption.  

The global Anti-Money Laundering watchdog, FATF, recently started to change this by introducing the first global regulatory framework for crypto assets. It consists of extending existing rules for financial service firms to the crypto industry. Major economies are currently implementing these rules locally by introducing new licensing regimes for crypto businesses. 

One of the most challenging requirements is the “Travel Rule”, which requires businesses to exchange customer information when performing transfers between an originator and beneficiary customer. 

The Travel Rule is not new and has been a foundation of most traditional payment systems such as SWIFT since the 90s. Implementing it will not only allow crypto businesses to receive operating licenses but will also open up banking relations with traditional financial service firms. This can have a serious positive business impact.  

Complying with these new rules is quickly becoming a major competitive advantage. One of our clients, Wirex, is the first crypto native platform to have received MasterCard principal member status. Wirex CEO Pavel Matveev says: 

One of Wirex's key value propositions to customers is remaining secure and compliant with any regulatory changes, including the Travel Rule. The simple fact is that Travel Rule compliance will be a must for companies like Wirex going forward. In Singapore, it's already a requirement and we are working with local providers to integrate Travel Rule compliance there. Likewise in the US, Wirex is regulated as a Money Service Business with Fincen, and we are exploring solutions to ensure compliance with Fincen rules. Regulatory compliance is a top priority for us, as ultimately it ensures we can continue to provide quality services to our customers.

2. How we are helping crypto businesses today

We started Notabene with a mission to give people and businesses more confidence in crypto transactions. Our CEO, Pelle Braendgaard, explores our mission and product vision in this blog post. 

We take a holistic view of managing the regulatory risk of crypto transactions. Our current offering consists of a unified API and dashboard helping compliance officers within crypto businesses to manage risk for both Travel Rule and non-custodial transactions. We provide our customers with access to the widest reach of crypto businesses for them to interact with. Notabene does more than simplify compliance for them. We also bring more confidence to transactions on their platforms - ultimately helping them grow the number of their transactions and, thus, revenue. 

We believe in the importance of data privacy and are deeply committed to it, just like our customers. Our founding team has worked together before at uPort (ConsenSys) to build the framework for privacy-preserving, user-centric identity. We started Notabene bringing this prior knowledge and expertise to help the crypto industry solve these new regulatory burdens the right way - without compromising privacy. We have built our core architecture around privacy-preserving identity data, and customer data is always segregated and encrypted.

Since we launched our product in August, over a dozen companies have started using Notabene for Travel Rule compliance. We have had deep dives with compliance teams at over 100 crypto businesses. This strong focus on their needs is quickly making us the default choice for exchanges looking to implement the Travel Rule. By the end of 2021, we expect a significant portion of exchange-to-exchange transactions to be managed through Notabene.

3. What is next for Notabene

The crypto industry is rapidly evolving, and innovation must be allowed to continue as it already has. However, we need to channel this innovation into safe products that can be used by everyone. 

With our current momentum and this new funding, we’re excited to continue simplifying compliance for the crypto industry. The new investment will help us grow our traction among crypto businesses and extend our market to meet the needs of traditional financial institutions. We will also introduce an offering for service providers operating with Defi and layer 2 technologies, as they develop increasingly acute risk management needs.

As we continue to build out our platform, we will be growing our team. 

Thank you to our investors, customers and partners for joining us on this journey. It is only the beginning!

Merkle Science, a leading provider of blockchain transaction monitoring and intelligence solutions, has partnered with Notabene to help companies dealing with cryptocurrencies comply with the Travel Rule. Notabene is a compliance platform designed to bridge crypto markets with traditional financial systems. The company helps financial service companies comply with new crypto regulations coming into effect such as the Financial Action Task Force’s (FATF) Travel Rule for virtual asset service providers (VASPs). 

What’s the Travel Rule

FATF, a global intergovernmental organization to combat money laundering and terrorism financing, announced in June 2019 that its Recommendation 16 — which relates to the inclusion of sender and beneficiary information during wire transfers — would also apply to Virtual Asset Service Providers on cryptocurrency transactions. This guideline is commonly referred to as the crypto Travel Rule and is currently being implemented and enforced locally by the FATF’s members in their jurisdictions. For instance, the Monetary Authority of Singapore (MAS) has enacted this rule as part of its Payment Services Act, which went into effect on January 28, 2020. VASPs are required to be compliant with this new rule or face consequences including not receiving a license for continued operations in a jurisdiction, receiving fines, or being shut down. To comply, VASPs need to solve for multiple technical and operational challenges:

• Identifying who’s behind a blockchain address, and assessing the risk associated with the transaction.
• If it is a custodial address, performing due diligence on the counterparty VASP.
• Sharing customer information with the counterparty in a secure way.

Why the Merkle Science and Notabene Partnership is Crucial for VASPs

Merkle Science and Notabene have partnered to help VASPs comply with the Travel Rule and local anti-money laundering regulation. Notabene provides a comprehensive travel rule solution for VAPSs, allowing them to easily perform due diligence on counterparties and securely share customer information. Through a product integration with Merkle Science, compliance officers at VASPs who use both services will be able to better assess the risks of counterparty VASPs and blockchain wallets. They would be able to view risk scores in the Notabene platform and set rules to manage these transactions accordingly.

“Complying with local as well as international crypto crime prevention regulations is now a mandatory criterion for VASPs. Our partnership with Notabene is aimed at making regulatory compliance seamless for VASPs and financial institutions. The joint platform will enable organizations to effectively manage high-risk transactions, customize transaction monitoring rules according to local laws, seamlessly download and file STR/SAR reports, and comply with stringent regulatory requirements,” said Mriganka Pattnaik, Co-founder and CEO of Merkle Science, on the occasion.

“Juggling regulatory compliance while enabling growth into new markets is quickly becoming a competitive advantage among VASPs. The new global regulatory framework from FATF is becoming not only a requirement to do business, but also opens up a wider segment of retail and institutional customers. We believe that holistically managing risk around crypto transactions will end up enabling businesses to increase their transaction volume. We are excited to work together with Merkle Science on helping our customers manage regulatory requirements and transaction risk,” explained Pelle Braendgaard, Co-founder and CEO of Notabene, about the potentials of the partnership.‍

About Merkle Science ‍

Merkle Science provides blockchain transaction monitoring and intelligence solutions for cryptoasset service providers, financial institutions and government agencies to detect, investigate and prevent the use of cryptocurrency for money laundering, terrorist financing, and other criminal activities. Merkle Science is headquartered in Singapore with offices in Bengaluru, Seoul, and Tokyo and backed by Digital Currency Group, Kenetic, SGInnovate, and LuneX.‍

About Notabene‍

Notabene helps crypto asset service providers and other financial institutions manage risks around transactions by intelligently combining identity data around their customers and financial counterparties. This allows their customers to implement the new requirements of the FATF Virtual Assets guidelines including the Travel Rule and ownership proofs of blockchain accounts. Notabene is a Y Combinator company and has offices in New York, Zürich, and Santiago de Chile.

FATF's Recommendation 16, informally called the Travel Rule, requires VASPs (Virtual Asset Service Providers) that transact with each other to exchange relevant customer information. However, before they can even begin transferring data and funds, they first have to identify and perform due diligence on each other.

In response to the new regulations, multiple industry groups are building different protocols that focus on secure VASP-to-VASP information-sharing. While much needed, these protocols work under the assumption that all companies will be using the same protocol. We can already see that this single-protocol future is still a long way off, if at all ever possible. 

1. Companies are forced to implement multiple protocols to operate in a truly global fashion and interact with any VASP. 

Even then, the lack of an overreaching cross-protocol framework still poses critical challenges:

Let’s suppose an Originator VASP wants to send customer information to a Beneficiary VASP.

• ‍How does the Originator know which protocol(s) the Beneficiary supports?

To exchange customer information, the Originator VASP must first figure out if they and the Beneficiary VASP support any common protocols. If they do, then they have to determine each others’ unique VASP identifiers. These are created to enable VASP-to-VASP discovery and establish a secure communication channel. The challenge is that there is not a universal VASP identifier, and protocol-specific identifiers work only within their particular network. 

• ‍How does the Originator verify a Beneficiary? 

Even when the VASPs find a common protocol and identify each other within that network, to fully comply with the Travel Rule, they’re still required to due diligence each other. Such business-to-business verification often results in a burdensome back and forth between compliance officers that can take up to 6 weeks.  

2. Notabene created a free, public-data network for all VASPs, regardless of which Travel Rule protocol they support. 

The Notabene Network allows companies to search for counterparties and easily determine which, if any, Travel Rule protocol they are using. It also provides access to relevant business information, helping counterparties build trusted relationships and take first steps towards Travel Rule compliance.

Using Notabene's VASP Network, companies can:

• Create their VASP profile, so it's easily discovered by counterparties 
• Search for other VASPs and view their incorporation, licensing and registration information 
• Determine which Travel Rule solutions counterparties are using  
  

3. First steps towards Travel Rule compliance with VASP verification

Many businesses worry (and rightfully so!) that complying with the Travel Rule will significantly slow down both incoming and outgoing transactions. 

Currently, it takes time and resources to identify and get in touch with a Beneficiary VASP. And after that, compliance officers on both sides are still wrapped up in an endless back and forth to gather the necessary information for accurate risk assessment.

With Notabene's public network, a compliance officer can simply look up a business and quickly access verified information about them. To help perform due diligence even faster, we introduced three verification levels:

• Verified by Notabene: Every VASP that creates or claims their profile has their business details vetted by the Notabene team. After ensuring data accuracy, the VASP receives a "Verified by Notabene" badge. Remember though, while we can verify information about a VASP, it is always up to a VASP to make the decision if they want to do business with them.
  

We will be adding third-party providers specializing in business identity verification. Contact us if you're interested in this type of partnership. 

• Pending Verification: After a VASP creates or claims their profile, we confirm its accuracy. During this time, the VASP has a "Pending Verification" status. If there are any questions or issues, they must be resolved before we provide the "Verified by Notabene" badge.
  

• Not Verified: This designates a VASP profile that we created based on publicly available data. Because this profile is unclaimed and Notabene cannot fully verify its accuracy, "Not Verified" provides some information but is not at the same level as a fully vetted profile with the "Verified by Notabene" badge.
  

4. Travel Rule protocols directory

When VASPs create or claim a profile, we also ask them to provide a list of Travel Rule protocols they use and relevant VASP identifiers. This way, an Originator VASP can easily determine which protocol they should use to transfer customer data to a Beneficiary VASP securely.

5. The goal of the free and open VASP directory is to address the challenges of multiple Travel Rule protocols and to build a trusted network of verified crypto businesses. 

We hope to bring the community together in efforts of making compliance easier, regardless of the technical solutions each individual company supports.  

As the extension of that mission, Notabene’s Travel Rule compliance platform enables a seamless cross-protocol data exchange between VASPs by supporting all major protocols. This allows our customers to not be limited by any one protocol, and send / receive transfer requests with all their counterparties. In addition, companies using Notabene can streamline their counterparty due diligence process even further, beyond the public business information available in the directory. Our platform allows VASPs to securely share private data with each other for further diligence and quickly establish bilateral relationships for Travel Rule transactions.

6. Notabene’s directory is a community-driven initiative. 

As you create your profile, contact us with any input or suggestions you may have. We’re looking forward to hearing how we can make it better for you and your business partners.

We invite organizations from the space to partner with us to build a truly global network of crypto companies. Interested? Contact us. 

We're excited to announce that Notabene is a part of Y Combinator's Summer 2020 batch! 🎉

At Notabene, we help financial companies comply with the latest crypto regulations that came into effect in June. The urgency in the market and participation at YC made the last three months quite a ride! 

Y Combinator is a Silicon Valley-based,  globally-known fund that invests twice a year in early-stage startups. Besides financial support, YC offers its portfolio companies advice and resources to help them go from "great idea" to "market-leading business." It's a recipe that's worked well for alumni like Stripe, AirBnB and Dropbox.  

These last three months at YC have been invaluable and highly rewarding. We learned first-hand from the founders of top companies like Stripe and Brex, as well as leading investors, marketers, and YC partners. We're beyond grateful for the opportunity and will remember this as a time full of incredible lessons and advice from our group partners: Tim Brady, Aaron Epstein, and Kevin Lin.

During our time at YC, we launched our first commercial product and onboarded key customers - compliance officers at crypto companies. Thanks to our unique technology solution, users are able to comply with the most pressing regulation in the space, the Travel Rule, from day one. Notabene enables digital asset providers to save time and money on complex technical integrations and multi-protocol interoperability challenges. The financial sector spends today $180B on compliance costs. As crypto building blocks continue to gain adoption in the financial sector, we aim to serve the market's compliance needs.

We’ve received great initial feedback from our users and are excited to continue building a platform that helps companies transfer crypto assets in a compliant way. We believe this will fuel the growth of the industry and bring crypto to the world's financial markets.   

YC has been a special experience and with a clear roadmap ahead, we’re excited to see what the future brings 💚.

It’s been a year since the FATF (Financial Action Task Force) released comprehensive guidelines for crypto companies to implement anti money-laundering processes for virtual asset transactions. In July 2020, FATF recognized in its annual review (we summarized it for you here) that many companies have demonstrated willingness and effort to implement the Travel Rule into their day-to-day business.

1. Travel Rule brings many challenges into the crypto world.

While the crypto industry has made significant stride toward proposing technical solutions for the Travel Rule, crypto companies still face many challenges when it comes to implementation of the guidelines:

• ‍Lack of interoperability between protocols: Multiple Travel Rule protocols lead to interoperability issues where one VASP (Virtual Asset Service Provider) cannot transact with another because they’re supporting different protocols.‍
• Time spent on integration: Companies need to spare weeks of development effort to integrate with a protocol and maintain it over time. As a consequence of the issue mentioned above, many companies might be forced to implement more than one protocol. This leads to a lot of development resources spent on compliance, which otherwise could have been spent building the core business product.‍
• Change of internal processes and user flows: In many cases, Travel Rule implementation forces companies to introduce significant changes to their user flows. Until there are Travel Rule solutions broadly adopted, it’s difficult to predict at this point how seriously those changes will impact businesses’ internal processes and user experience. ‍
• Waiting on the sidelines: High implementation costs lead to a situation where VASPs are waiting on the sidelines to see which solution other VASPs will choose. Obviously, no one wants to invest in implementing a protocol that no one else uses. This is an issue because it delays compliance with the Travel Rule.‍
• Pressure from local regulators: The challenges above are causing delays in adoption. Local regulators in multiple jurisdictions are starting to pressure companies to move forward with integrations and prove that they are working towards Travel Rule compliance.
  

2. Notabene’s TR:Now as a jumpstart towards compliance

To help companies overcome challenges related to implementation of the Travel Rule, Notabene built TR:Now, a lightweight email-based solution that helps VASPs comply from day one.

TR:Now consists of sending Travel Rule requests to any VASP via email, regardless if they have implemented the Travel Rule or not. The counterparty VASP can then access IVMS-101 Originating Customer information via a secure dashboard. We built TR:Now based on demand from compliance teams to start testing Travel Rule flows within their systems and to show regulators that they are taking steps toward compliance.

This lightweight solution has the following benefits:                

• ‍No need to decide on a protocol yet‍

TR:Now does not require companies to be on a protocol yet, so it solves the chicken/egg problem of implementing the Travel Rule. VASPs can start securely exchanging data between each other regardless of which protocol they use or if they don’t use any protocol.          

• ‍Easy jumpstart to future protocol integrations 

The originating and beneficiary customer data is stored in IVMS101 format (industry technical standard), and securely saved on the dashboard. This solution acts as a bridge to the TRP protocol and OpenVASP.

• ‍Fast onboarding, no technical work required 

To use TR:Now, compliance officers just need to create their VASP’s profile and they're ready to go. There is no need to involve developers to implement APIs into the backend or make changes to existing user flows.

• ‍First step towards compliance

TR:Now allows compliance officers to test and learn about the potential impact of the Travel Rule on their daily operations and user flows. It already comes with built-in counterparty verification, helping compliance teams perform due diligence on other VASPs. By using TR:Light, they familiarize themselves with these new processes and can start planning ahead how to create more seamless flows for their business. In addition, this could serve as proof to local regulators that a VASP is taking its first steps towards Travel Rule compliance.    

If the challenges above sound familiar, contact us to learn more about TR:Now.

It has been one year since the Financial Action Task Force (FATF) released a global regulatory framework for the crypto industry. The Guidelines for Virtual Assets and Virtual Asset Service Providers (VASPs) was released in June 2019. One of its most notable requirements is Recommendation 16, the so-called Travel Rule. The guidelines also required that jurisdictions implement AML/CFT regimes in accordance with FATF’s guidelines, including the registration or licensing of VASPs. 

On July 7th 2020, FATF released a report containing a 12-month review and assessment, measuring implementation of these guidelines by jurisdictions and the private sector. The release of the report followed a virtual Plenary meeting held by the FATF on June 24th, 2020. In the review, the travel rule is highlighted as “the issue of most focus in terms of VASPs’ compliance with the revised FATF Standards.” What were the key findings of this review, and what does it mean for compliance teams in the crypto industry? 

Below is a short summary outlining high-level take-aways and what’s next from FATF, in addition to implications for your business.

Summary of the 12-month review

• The 12-month review was prepared by FATF to measure the implementation of the revised Standards that it introduced in 2019 by both jurisdictions and the private sector. It also covers any changes in risks, typologies and market structure of the virtual asset industry.
• FATF reports that there has been marked progress by jurisdictions in the implementation of a regulatory regime for virtual assets, with 35 out of 54 reporting jurisdictions having implemented the revised FATF standards. 32 of these jurisdictions introduced a regulatory framework for crypto businesses, with the majority by method of new legislation. A large number of these regulations apply to VASPs that operate in their jurisdictions but who may be domiciled in other jurisdictions. So far, 20 jurisdictions have reported a total of 1,133 registered or licensed VASPs.
• The FATF review highlights that there has been increased readiness by the private sector for travel rule compliance, with the emergence of multiple travel rule solutions as well as technical standards to facilitate interoperability. 
• Many issues were raised by jurisdictions and the private sector during the implementation of the regulatory framework. These include specific concerns with implementing the Travel Rule, like the identification and due diligence of VASPs in a timely manner, as well as broader concerns with how to deal with non-custodial wallets and stablecoins.
  

What’s next from FATF?

Going forward, FATF expects all of its members and its broader global network of FATF-Style Regional Bodies (FSRBs) to have fully implemented these guidelines by June 2021. While FATF has deemed that at this point there is no need to update its existing Standards, it will be providing additional Guidance to the industry by October 2020 (mainly in response to the concerns raised in the report). It will also continue its engagement with the private sector through its Virtual Assets Contact Group. 

Finally, the FATF will continue to closely monitor the risks posed by stablecoins and anonymous peer-to-peer transactions via non-custodial wallets. Should there be substantial changes in market trends, it may choose to revisit its guidelines.

What does this review mean for your business?

If your business is a VASP, it is recommended that your compliance team: 

• Assess which jurisdictions that you are incorporated in or operate in require that you are regulated. If you are not yet regulated, you need to determine how to become compliant and if there are licensing or registration requirements. If you are in doubt whether you need to be regulated, contact the local regulators for more information. Please note that requirements may change across jurisdictions, and you will have to keep up-to-date with the latest requirements. 
• Start early (if you haven’t already) implementing comprehensive AML/CFT policies in line with your regulating jurisdiction’s guidelines.
• Implement the travel rule as soon as possible. The travel rule requires changes to current compliance processes and flows. It is recommended that the compliance team start testing early and accommodate these changes into current processes, so that the impact of the travel rule on your daily operations is minimized.
• Perform an internal ML/TF risk assessment of existing and new products, in particular if they are of a cross-border nature or have been highlighted as sources of potential concern (eg stablecoins, non-custodial wallets). For new products, these risks are best addressed before their launch.