TRP

What is TRP?

TRP is an open protocol managed by the OpenVASP foundation, designed to implement the FATF Travel Rule.

Pros:

  • Fully Open
  • Technically simple to implement
  • RESTful API
  • Pre-Transaction Authorization and Rejection
  • Exchange blockchain address after Authorization
  • Decentralized like the Web

Cons:

  • Requires change to both withdrawal and deposit UX flow
  • VASP Identification and Due Diligence must be handled out of band
  • No VASP identification handshake to ensure the privacy of the transaction
  • Customer PII is exchanged together with transaction metadata
  • No support for intermediary flow
  • Reliance on non-verified mTLS client-side authentication

What changes do you need to make to your withdrawal and deposit UX?

One of TRP's largest adoption issues is the requirement to make significant changes to deposit and withdrawal UX. Even in its home country of Switzerland, which has strict Travel Rule requirements, there has been limited success in implementing these changes:

TRP Transaction Workflow
  1. You must replace the blockchain address on deposit screens with a so-called Travel Address.
  2. You must replace the blockchain address with a Travel Address form field on withdrawal screens.

While you may be able to make this change yourself, it would also require that all of your transaction counterparties globally make the same change.

How does TRP work?

The Travel Rule Protocol (TRP) is a minimal RESTful API, but it requires creating a Travel Address, which encodes a URL to the beneficiary VASP's API endpoint.

  1. Once a Travel Address is received, the originator calls the API endpoint within the Address and provides an inquiry resolution webhook.
  2. This inquiry resolution webhook is called if the beneficiary approves or rejects the transaction and includes a transaction confirmation hook.
  3. If the originator approves the transaction and sends it to the blockchain, it calls the transaction confirmation hook.

How are VASPs identified?

VASPs are not explicitly identified, but the Travel Address includes an inquiry URL that may be used to identify the VASP. VASPs need to use this to verify who the other VASP is and tie it to their due diligence.

The originating VASP does identify itself to the beneficiary VASP. Still, there is no way to actively authenticate that either the originator or the beneficiary VASP is who it claims to be without manually figuring it out and ensuring that the endpoints are correct.

How are VASPs authenticated?

VASPs use mTLS pairs without requiring a certificate issued by a Certificate Authority. This makes it very difficult to ensure you communicate with the correct VASP, even if you have correctly identified them.

VASPs must perform considerable due diligence before accepting transactions from unknown VASPs. This includes verifying that the certificate belongs to them.

How do I perform due diligence on a VASP with TRP?

TRP is just a messaging protocol and is missing an identification function, meaning you must perform all due diligence manually. This can be a large lift unless you have a small number of transaction counterparties.

How is PII protected in TRP?

If you have correctly identified and authenticated a counterparty VASP, the PII is transmitted directly in the encrypted API call that contains the transaction metadata.

This may work if you trust the counterparty and have a Data Processing Agreement with them.

While the TRP protocol says it supports “Bilateral exchange of encrypted data (VASP-to-VASP),” VASPs need to do a lot of security work to actually be GDPR compliant using TRP: you need to make sure that you can correctly identify the VASP and be sure they are also handling your customer PII securely.

What is a Travel Address?

The Travel Address replaces a blockchain address. Unlike previous versions, it is a Base58Check-encoded, stripped URL of the TRP Inquiry endpoint.

For example, ta2W2HPKfHxgSgrzY178knqXHg1H3jfeQrwQ9JrKBs9wv decodes to beneficiary.com/x/12345?t=i

Since no blockchain address is included, the beneficiary should include a user or account identifier in the URL that can be used to credit funds to the correct account.

While we understand the reasoning behind the Travel Address as it identifies an API endpoint to send PII, it doesn’t ultimately identify the VASP, and expecting all your counterparties to support it is a big jump. 
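The following Python sketch ties together "How are VASPs authenticated?" and the Travel Address description above: it decodes an address, refuses any host that has no due-diligence record, and checks the peer's mTLS certificate against a fingerprint collected out of band. It is an added example, not code from the TRP specification or from Notabene. It assumes the leading `ta` in the page's sample is a fixed prefix, that "stripped" means the `https://` scheme was removed, and that the checksum is standard Base58Check with no version byte; the registry layout and function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Assumed: standard Base58Check checksum, first 4 bytes of double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def make_travel_address(url: str) -> str:
    """Strip the scheme, append the checksum, Base58-encode, prefix 'ta'."""
    raw = url.removeprefix("https://").encode("ascii")
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "ta" + "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def inquiry_url(travel_address: str) -> str:
    """Decode a Travel Address; raises ValueError on any malformed input."""
    if not travel_address.startswith("ta"):
        raise ValueError("missing 'ta' prefix")
    body, n = travel_address[2:], 0
    for ch in body:
        n = n * 58 + B58.index(ch)  # ValueError for characters outside the alphabet
    zeros = len(body) - len(body.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or not hmac.compare_digest(raw[-4:], _checksum(raw[:-4])):
        raise ValueError("checksum mismatch")
    return "https://" + raw[:-4].decode("ascii")

def resolve_counterparty(travel_address: str, registry: dict) -> dict:
    """Map the decoded endpoint to a due-diligence record, or refuse."""
    url = inquiry_url(travel_address)
    host = urlsplit(url).hostname  # exact host, so user@host tricks do not match
    if host not in registry:
        raise LookupError(f"no due diligence on file for {host!r}")
    return {"url": url, "host": host, **registry[host]}

def cert_is_pinned(record: dict, peer_cert_der: bytes) -> bool:
    """Compare the peer certificate's SHA-256 with the fingerprint on file."""
    seen = hashlib.sha256(peer_cert_der).hexdigest()
    return hmac.compare_digest(seen, record["cert_sha256"])

if __name__ == "__main__":
    # Sample address from the page; the registry entry is constructed.
    registry = {"beneficiary.com": {"cert_sha256": "0" * 64}}
    print(resolve_counterparty("ta2W2HPKfHxgSgrzY178knqXHg1H3jfeQrwQ9JrKBs9wv", registry))
```

The checksum only catches typos and truncation; the registry lookup and the fingerprint comparison are what stand in for the identification step that TRP leaves out of band.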

Does TRP support transaction intermediaries like custodial wallet services?

In short, no. It only supports transactions between originating and beneficiary VASPs, and there doesn’t seem to be any work to support it. 

See TAP instead, which fully supports complex payment chains, including multiple institutional intermediaries.

Is TRP complex to integrate?

Technically, it is simple to implement. However, the complexity lies in achieving critical mass around the Travel Address implementation. As such, coverage with counterparties and volumes on TRP will remain low.

As with any travel rule protocol, the technical implementation in your backend is only one part. You must tie it into your overall risk management process, UX, security infrastructure, and due diligence. 

History

The Travel Rule Working Group (TRP Working Group) was a global independent industry body of virtual asset service providers dedicated to creating standards that adhere to the Financial Action Task Force’s (FATF) R.16 Travel Rule recommendation. It created the Travel Rule Protocol (TRP), which later merged with OpenVASP.

What is TRP’s governance model?

TRP has an open governance model through the OpenVASP association. It hosts weekly meetings, chat rooms for more frequent collaboration, and emails for more infrequent formal announcements.

Does TRP support non-custodial wallets?

The TRP is intended to support transactions between custodial wallets, but there are discussions for future extensions to support non-custodial wallets.

Is TRP live?

Yes, TRP is live and has been in production since 2020. Several VASPs used to actively transact over TRP, but we are still determining if that remains true. If you use TRP, please join Notabene's network for free and mark that you are using TRP so your counterparts are aware.

Is there industry support for TRP?

There used to be a lot of interest in supporting TRP. Since it moved to require first the LNURL and then the Travel Address, this interest has waned. Most early members have left the association or are not actively integrating it.

What is TRP’s membership fee structure?

TRP is royalty- and license-free. However, any fees, licenses related to implementation, services of software providers, etc., are the implementing VASP’s responsibility. Further costs may include, but are not limited to, documenting the legal and contractual arrangement and ensuring that any information exchange is done in compliance with applicable laws, e.g., GDPR.

Does Notabene support TRP?

As a member of the OpenVASP Association, Notabene supported TRP early on. Notabene provides an easy-to-use, turn-key Travel Rule SaaS solution that supports TRP. Every Notabene customer has a live TRP 1.0 endpoint. However, a VASP needs to do some work to implement the Travel Address. If any VASPs are interested in supporting this, we can quickly add support for the latest version of TRP.

What other open alternatives are there to TAP?

Since none of the open protocols supported intermediary flows or policy-based PII exchange, Notabene took our learnings since 2020 and published TAP, which is entirely public domain and solves TRP’s core issues.

Specifications

Find the latest TRP specifications here.
