In June 2019, the Financial Action Task Force (FATF) released a global regulatory framework for the crypto industry. One year later, on July 7th 2020, FATF released a report containing a 12-month review and assessment that measures implementation of these guidelines by jurisdictions and the private sector.

To read a summary of the report, check our blog post: “Time is running out to implement the travel rule, says FATF in its 12-month review”.

In this review, FATF found that there has been substantial progress made by jurisdictions in implementing the revised FATF standards. It is important to note that these assessments are based on members’ self-assessment and not any official FATF assessment. It also found that the private sector has made progress in working on the travel rule, but will need to focus on implementation and interoperability going forward.

Marked progress by jurisdictions 

35 out of 54 reporting jurisdictions have now implemented the revised FATF standards. Of these, 3 jurisdictions have prohibited VASP operations altogether. Meanwhile, 19 jurisdictions have not yet implemented a regime, and wide variation exists in terms of progress. 2 out of the 19 plan to prohibit VASP operations, and 4 are still undecided. The below chart outlines the state of implementation across jurisdictions.

Among the 32 jurisdictions who decided to regulate VASPs, it is noteworthy to point out that implementations vary across:

• A majority introduced new legislation for virtual assets. However, a smaller number of jurisdictions decided to extend current existing AML/CFT guidance to cover VASPs. 
• No common terminology exists for virtual assets and VASPs among these jurisdictions, with at least 11 different terms reported for VASPs. 
• 18 jurisdictions have introduced registration requirements, and 12 have introduced licensing regimes. These requirements generally apply to VASPs who are incorporated in their countries, but also apply in many cases to VASPs selling products/services in their jurisdictions even if incorporated overseas (18 VASPs) or VASPs operating from their jurisdiction (20 VASPs). So far, 20 jurisdictions have reported a total of 1,133 registered or licensed VASPs.
• 15 jurisdictions have started conducting on- and/or off-site inspections of VASPs and 8 reported that they have already imposed sanctions on VASPs for noncompliance with existing guidelines. 
  

These emerging complex and non-uniform regulatory landscapes present challenges for VASPs looking to be regulated. 

Increased readiness by the private sector for Travel Rule compliance

The FATF acknowledges progress by the private sector in developing comprehensive technological solutions for the Travel Rule, but notes that none is yet widely adopted. This has delayed the introduction of travel rule guidance by jurisdictions, with only 15 jurisdictions having implemented the travel rule. However, FATF believes that jurisdictions should not wait any longer to fully implement AML/CFT obligations for VASPs, including the travel rule, and calls on the industry to “redouble its efforts towards the swift development of holistic technological solutions encompassing all aspects of the travel rule”.

FATF is technology-neutral, and is supportive of industry efforts to develop technical standards like messaging standards that allow interoperability among the different solutions.

What happens next?

Going forward, FATF expects all of its members and its broader global network of FATF-Style Regional Bodies (FSRBs) to have fully implemented these guidelines by June 2021. It also expects the virtual asset industry to be compliant with the travel rule. FATF will be releasing additional guidance by October 2020 to shed light on any issues that have arisen in implementation.

In June 2019, the Financial Action Task Force (FATF) released a global regulatory framework for the crypto industry. One year later, on July 7th 2020, FATF released a report containing a 12-month review and assessment that measures implementation of these guidelines by jurisdictions and the private sector.

This report highlights a number of issues that regulators and representatives from the private sector have raised during implementation and asked for greater clarity and guidance on them. We have summarized these issues below. To shed more light on these issues and how to resolve, FATF is likely to introduce additional guidance by October 2020. 

1. Definitions in the FATF guidelines

• Increased guidance on the definition of virtual assets - For example, stablecoins can be categorized as traditional financial assets but built with virtual asset technologies. Under which AML/CFT regime should they be regulated? 
• Clarification on the scope of VASP activities (eg safekeeping and/or administration of virtual assets) - This can help increase consistency across jurisdictions in terms of which companies are regulated as VASPs.

2. Transacting with non-custodial wallets

• Gap in tracing illicit flows of crypto - Some jurisdictions raised concerns that if non-custodial wallets remain unregulated, they may represent “a leak in tracing illicit flows of virtual assets”. However, FATF has reported that currently there isn’t sufficient evidence that they present a lot of risk and will continue to not cover them for the time-being.
• Anonymous P2P transactions are a concern - If a ‘privacy coin’ gains wide mass adoption, then FATF will study the prevalence of non-custodial wallets associated with it and reassess whether this constitutes a threat to existing ML/TF regimes.

3. Identifying VASPs for registration and licensing

• Many jurisdictions are requiring the regulation of VASPs not only incorporated in their countries but also operating there or selling services to their citizens. Some jurisdictions have reported challenges identifying which VASPs should be regulated and by whom. 
• In particular, they are interested in what approach they should take with VASPs operating from overseas but selling to their citizens. They are interested in identifying who the ‘right’ regulatory authority is for these VASPs, especially if they were decentralized and had no home country. 

4. Travel rule implementation

• Identifying counterparty VASPs and performing due diligence in a timely manner remains a challenge. In particular, concern has been raised about difficulty in identifying if a VASP is registered / licensed by a jurisdiction with adequate AML/CFT regimes. A proposed way forward is a ‘global list of VASPs’, but in theory is difficult to implement due to a number of reasons, including maintaining accurate and secure information and who governs and supervises this list.
• Concerns with how to deal with transactions with non-custodial wallets - There are challenges identifying whether a wallet is non-custodial. VASPs would like more clarity on whether they are allowed to transact with non-custodials, and what AML/CFT requirements they should put in place to mitigate risks.
• Guidance on frequency and timeliness of travel rule information sharing - Some VASPs requested whether they can do batch data submission of transfers, submit travel rule data at a later time (end of day, in 5-6 days) instead of immediately, and whether they have to do travel rule for past transfers.
• Interoperability of travel rule solutions - Common messaging standards will need to have built-in flexibility to accommodate for changes in privacy or AML/CFT standards across jurisdictions
• Sunrise issue - VASPs are not sure yet how to deal with VASPs in jurisdictions that do not yet mandate travel rule guidelines.

On July 3rd 2020, Malcom Wright, Co-Lead of Global Digital Finance’s working group for the travel rule (“Joint Working Group for interVASP Messaging Standards”), wrote this article about the Travel Rule. In it, he describes the “Travel Rule Discovery” problem. Basically, how can an originator VASP know which Travel Rule protocol the beneficiary VASP is using? In the article, the proposed solution is to build a “Global List of VASP” (GLoV) which is a centralized registry that maps a “Common Shared VASP Code” (or GLoV VASP Code) to some VASP information, mainly which Travel Rule protocols they support. This solution, in our view, has the problem of being centralized, which could make it difficult for all VASPs to be part of.

Our founding team at Notabene comes from the Self-Sovereign Identity industry, and believe a simple decentralized solution can be built under those principles.‍

1. Notabene's protocol-agnostic solution

In the article, Notabene is named as an alternative solution to OpenVASP, TRP, Shyft and Sygna. In fact, we do not offer our own protocol but take a “protocol-agnostic” view. We support (or will support) many of the protocols named. VASPs who use Notabene will be able to send and receive Travel Rule information using any of the available protocols, starting with OpenVASP and TRP.

Regarding a solution to the Travel Rule deadlock problem, we propose a decentralized solution using a DID for every VASP. Every VASP can then describe in its DID Document which protocol they support and the particular parameters for it. We also propose to use Verifiable Credentials (VC) as a standardized way to manage trust and knowledge information (KYV) between VASPs.

This decentralized approach can lead to faster adoption by VASPs, since VASPs can “onboard” to the system by themselves, without asking permission from anyone, apply to anything or pay any fee.

2. VASP DID as common shared VASP identifier

Our proposal is to use VASP DIDs as a commonly shared identifier for VASPs. DID stands for “Decentralized Identifier”. It’s a standard that is being developed by the W3C, and is currently being used by many organizations and financial service companies around the world including Microsoft and MasterCard. As described in the W3C standards, 

DIDs are URLs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.

Every DID can be created independently by any VASP, without the need for coordination. There are many DID methods available so VASPs can choose which one fits best for them. All of them are interoperable by design. Some examples of VASP DIDs can be the following:

did:ethr:0xE6Fe788d8ca214A080b0f6aC7F48480b2AEfa9a6

did:sov:CYQLsccvwhMTowprMjGjQ6

did:web:exchange-b.com

3. Implemented travel rule protocols on DID Document

Every DID “resolves” to a DID Document. The information on the DID document is controlled by the DID subject (the VASP in this case), and the way to define it and update it is specific to the DID method. The DID documents can have many “service” endpoints which describe services on how to interact with the DID subject. We propose to use this mechanism to describe which protocols a VASP supports and how to access them.

An example DID Document can be the following:

‍
In this example, the VASP identified by the DID did:example:123456789abcdefghi has implemented the OpenVASP and TRP protocol. The DID also defines the end points used to interact with them. In the case of OpenVASP, it points to the OpenVASP’s VASP Code which can be used to get the keys and start a session. In the case of TRP, the endpoint is the base endpoint for the TRP /address-query and /transfer-notification. The public keys for TRP can also be published in the DID Document (there is a publicKeysection for it).

4. Proposed flow

The flow in Malcolm’s article would change to look something like this:

• Customer A of Exchange A wants to send Customer B of Exchange B 1 BTC
• Exchange A supports Sygna, OpenVASP, and TRP
• Exchange B supports Shyft, and OpenVASP
• Customer B provides their name and VASP DID to Customer A
• Customer A provides Exchange A with the VASP DID that resolves to a DID document to see which protocols Exchange B supports (and the parameters of the protocol, like encryption keys).
• Exchange A then asks Customer A to request any additional proprietary information from Customer B (such as an OpenVASP VAAN), or wallet address
• Customer B supplies the information to Customer A, who provides it to Exchange A
• Exchange A then uses the common protocol information (OpenVASP in this example) to transmit the required information on Customer A to Exchange B.

This flow does not require any central service or database. It still has the problem that Customer A needs to ask Customer B for information twice: first the VASP DID, then the proprietary protocol routing information. There are possible ways to solve this, but are out of the scope of this proposal.

5. Know your VASP (KYV)

The last point of Malcolm’s article is about the need for VASPs to trust each other. In the case that every VASP is identified by a VASP DID, then the W3C Verifiable Credential standard will help to create VASP Credentials that can be transmitted and shared to ease the bi-directional KYV process.

We will discuss this in the relevant GDF working groups.

Today we are launching Notabene, a new crypto compliance platform for the financial industry. Notabene combines our expertise in financial markets and privacy-preserving systems to enable the industry to solve its most pressing challenge - regulatory compliance.

Our platform enables businesses to comply with new financial reporting requirements more efficiently, broadly known as the Travel Rule. These critical requirements are part of the new worldwide regulatory framework for Virtual Assets Service Providers (VASPs) from FATF, the global anti-money laundering watchdog.

June 24th marks the deadline for national regulators to put in place this new regulation. For crypto businesses, this means increased regulatory scrutiny and a need to comply with rules at the risk of severe penalties that could include both steep fines or even the loss of operating licenses. Our new product enables businesses to more easily adhere to the Travel Rule without any interruption to existing business operations.

1. Why You Should Care About the Travel Rule

Put simply; the Travel Rule requires financial institutions participating in a transaction to exchange both relevant beneficiary and originator KYC (know-your-customer) information.

Also known as the Wire Transfer Rule, this regulation was initially created for banks transferring funds on behalf of their customers. While this worked well for traditional financial systems, modern blockchain solutions make it impossible to adequately implement this rule for three main reasons:

• The pseudonymous and permission-less nature of existing blockchains makes direct implementation impossible
• No standardized frameworks exist for establishing trusted relationships between industry players
• There are no existing technical solutions that can be easily adopted and scaled to meet the requirements of the Travel Rule

Over the past year, several industry groups and bottom-up initiatives have proposed a variety of  protocols for solving the Travel Rule. This proactivity was welcomed by regulators, but the diversity of solutions creates confusion for companies looking for the best fit.

If implemented correctly, we see the Travel Rule as a competitive advantage for companies. It would optimize their revenue generation by building better relationships with a variety of partners (including banks). In contrast, failure to implement could seriously damage business operations and increase regulatory risk.

2. A Turning Point for Crypto

Cryptocurrencies and their underlying blockchains are at a turning point and ready to become more mainstream. As the technology continues to mature, use-cases are also becoming more apparent.

Fintech companies and institutional players are already building with the technology and getting ready to reap its many benefits and opportunities.

Since its infancy, our industry has had regulation and compliance hanging over us. However, some companies, operating in proactive countries like the US where regulatory systems were developed early, have used compliance as a competitive edge, and are now market leaders.

The presence of this new global regulatory framework regardless of jurisdiction is a game-changer for the industry. This framework provides a framework for existing crypto companies to become regulated and work with traditional financial institutions. At the same time, it allows traditional financial institutions to safely work with cryptocurrencies and public blockchains.

The framework still has to be translated into local law in many places around the world. But at least national regulators now know how to start applying the rules locally, instead of having to understand the technology from scratch.

If you ask banks and regulators how crypto should be regulated, they have always said just like the traditional institutions. But, crypto is very different from traditional banking systems. The underlying blockchains are permission-less and public. Traditional core-banking software and customer due diligence processes are hard to fit on top of this new technology.

3. How Notabene Solves the Travel Rule

The Travel Rule affects how your customers send or receive funds from your service. We built this product to minimize the impact of the Travel Rule on day-to-day business operations.

The primary reason for the Travel Rule is that it finally allows compliance officers to take a risk-based approach for analyzing incoming transactions and accept or decline them.

We provide compliance officers with a simple dashboard allowing them to monitor incoming and outgoing transactions and set rules for approving them automatically.

The dashboard also allows compliance officers to:

• Set compliance rules
• Automate transfer request handling
• Manually accept/decline transfer requests

Notabene allows you to start integrating the Travel Rule into your compliance workflow while avoiding concerns about new protocols. We are protocol and blockchain agnostic and will support the major protocols and blockchains within the industry.

4. Notabene Helps Build Trust Between Crypto Businesses

A significant change to how you do business will be that you now need to work more closely with other crypto businesses.

When you receive an incoming transfer request from Mr. Smith at Exchange A, how do you know that Exchange A performed proper KYC on Mr. Smith? Is the exchange even a legitimate one? Are the operators on a government sanctions list?

When you send a transfer request from Mrs. Jones to Mr. Smith at Exchange A, do you trust them with your customer’s private data?

These questions are all new for an industry built on decentralized, trust-less payment systems. Traditional banks solve this through a combination of licensing and trust frameworks like within payment associations like SWIFT and Visa. To manually perform due-diligence on another institution can be an expensive, time-consuming process.

Notabene takes a decentralized identity approach to this. When you receive an incoming transfer request from an unknown business, we present you with up-to-date information about the business. Where are they incorporated, registered, and licensed?

Businesses create profiles for themselves with a mixture of self-reported information and company details verified by us and others. These profiles are continuously updated.

Notabene’s system allows compliance officers to rapidly perform due-diligence, monitor changes, and even directly ask the compliance officer on the other side for additional information required. This leads to a massive reduction in due diligence costs, making it easier to establish bilateral relationships with new business partners.

5. Simple API Based Integration for Back- and Front End Systems

We provide a straightforward REST and GraphQL API, allowing your developers to integrate it into your flow. Because your customer fronting interface might require some changes, we also provide a simple JavaScript API making implementation painless.

Most of the protocols require special nodes to be running for sending and receiving transfer requests. We manage these nodes, so you don’t have to set up and maintain them yourself.

At launch, we support the OpenVASP protocol and the InterVASP IVMS-101 messaging standard. OpenVASP is an industry-led open protocol for the transmission of transaction information between VASPs and other parties. Its founding members include Bitcoin Suisse, SEBA, Sygnum, and Lykke. OpenVASP already has a vibrant multi-vendor ecosystem, and Notabene has joined the OpenVASP Association as a technology partner

David Riegelnig, Head Risk Management of Bitcoin Suisse and President of the OpenVASP Association, says

‍ "We are excited that Notabene is joining OpenVASP as an implementation partner. The industry is in need of a turnkey hosted solution so companies can easily comply with the new rules. In addition, Notabene's trust framework seems a promising solution to help VASPs with due diligence efforts of their counterparties."

Based on demand and readiness, we will also support the following protocols shortly: TRP, PayID, TRISA, and BIP-75

6. What about non-custodial wallets?

When the FATF guidelines were released in 2019, there was fear that a 2 class blockchain world would be created - one for regulated entities and one for users managing their own keys.

Luckily, regulators have been clear that they don’t want this to happen. Businesses will, however, have to take an extra step that wasn’t necessary before. They must now be able to prove that any transaction going to a non-Travel Rule account belongs to their customer.

We offer our customers a way of integrating account ownership proofs for non-custodial wallets into your compliance flow.

We can also help non-custodial wallet developers add a Self-sovereign Identity Verification flow to their wallets, allowing their users to easily onboard with regulated businesses.

As the first official “Identity Issuer” for the Concordium blockchain, we are already providing this solution for its users. "Concordium is designed from the ground up for regulatory compliance," says Lone Fønss Schrøder, Concordium's CEO. "Notabene helps with identity verification at the protocol level. Using zero-knowledge proofs, our users are able to verify their identity using the blockchain without sharing any private information.”

7. Our Team

The Notabene founding team consists of Pelle Braendgaard as CEO, Alice Nawfal as COO, Ania Lipinska as CPO, and Andrés Junge as CTO. Based in New York, Zug, and Santiago, the team worked previously together at uPort, ConsenSys’ Ethereum-based, decentralized identity protocol.

Pelle and Andrés were uPort co-founders as well as founders of early bitcoin startups (Kipochi, Mondome, Yaykuy, and 37coins). Several of their early bitcoin companies were affected by the lack of a proper crypto regulatory framework.

As part of our work at uPort, we pioneered many of the core concepts of user-controlled data and self-sovereign identity currently being deployed. Recent examples are the European Union’s eIDAS SSI initiative, the Inter-American Development Bank's LACChain initiative in Latin America, and Alastria in Spain.

Notabene Is built on a deep commitment to data ownership, privacy, and security.

8. Work with Notabene for Travel Rule Compliance

Over the summer, we will expand early access within Notabene. If Travel Rule compliance is critical to your business, let’s connect.

Read more about the Travel Rule and its national implementations here.

Since day one, crypto and blockchain technology have been about enabling permissionless transactions between people and businesses. Many of us in the industry have built incredible products to make crypto accessible to the wider audience. However, the primary stumbling block for wider adoption always pointed back poor ties to the traditional financial industry, primarily due to the lack of a regulatory framework.

The industry is now at a turning point. FATF's new global framework and, in particular, the Travel Rule itself, is the biggest opportunity crypto has had for crossing the chasm into mass adoption.

Once your company implements the Travel Rule, it will make it much easier for you, as a virtual asset service provider (VASP), to do business with traditional financial institutions and by extension commerce with non-crypto businesses.

1. Regulatory clarity

Outside of a few major jurisdictions such as the US, Switzerland, and Singapore, most countries have not prioritized regulating or understanding the technology and its benefits.

This has been particularly problematic for exchanges outside of the main global financial centers, who have had problems both directly with regulators and indirectly through the loss of financial partners.

‍Notabene co-founders, Pelle and Andres, have both had to shut their early Bitcoin businesses down because of this exact problem in Kenya and Chile.

This also affects countries with strong regulation, where interacting with unregulated institutions has always been a risky grey area.

The new 2019 FATF guidelines for Virtual Assets forces local regulators to take a stance. They are required to either create a roadmap for a regulatory framework for VASPs or, unfortunately, outright ban them. Of course, the second option is problematic, but there are already well-thought-out legal frameworks from countries like the US, Switzerland, South Africa, South Korea, and Singapore. They will hopefully provide a good example to more risk-averse regulators.

2. Easier access to banking services

For several years, we have heard from traditional banks that the primary reason they would not open bank accounts for crypto businesses was the inability to prove a reliable source of client funds. It was simply too risky for them to engage with customers holding crypto.

The new Travel Rule specifically solves this problem. It enables crypto businesses to fully participate in the global financial system by bringing them to the same level of accountability that the traditional financial institutions already adhere to. This finally allows crypto businesses to be treated seriously by the financial industry as a whole.

The most successful crypto businesses have invested a lot of time and money in convincing their banking connections that they have very strict KYC and AML policies in places.

Solving the Travel Rule by performing strong due diligence on partner VASPs will help crypto businesses reduce this risk and become trusted partners for traditional financial companies. This is also a great opportunity to start implementing the Travel Rule before your jurisdiction requires you to do so.

3. Improved fiat on/off ramps globally

With better access to banking comes much better access to local payment systems around the world. This alone could really improve the adoption of cryptocurrencies as well as bring whole new classes of untapped users around the world to the innovations in the DeFi space.

4. Crypto and DeFi could become the rails for future FinTechs

Most FinTechs today differentiate themselves by improving UX and on-boarding and finding new use-cases for what is, in essence, the same products the traditional financial industry has offered for years.

As crypto products become regulated, with Travel Rule adoption and more thorough blockchain specific KYC/AML, fintech will look to adopt many of the new products coming out of the DeFi space. This will help them add new revenue opportunities and find better ways to differentiate themselves from incumbent financial services.

5. Lower regulatory risk means easier access for institutional investors

Institutional investors from around the world are actively looking at adding crypto as a new asset class. Lack of regulatory certainty has been one of the largest issues holding them back from wider investment in the space.

Blockchain analytics tools have already helped lower the risk of dealing with crypto assets, but through our conversations with institutional investors, we have learned that new regulations like the Travel Rule will really help open up the asset class to them.

We believe this will help increase the demand for cryptocurrencies. It will also improve liquidity and demand in the DeFi space.

6. Learn more

It is paramount for both new and existing businesses in the crypto space to understand more about how the Travel Rule affects your business.