
TRUST - Travel Rule Universal Solution Technology

TRUST (Travel Rule Universal Solution Technology) is an opinionated solution for identifying transaction counterparties and securely transmitting Travel Rule information between members.

Formerly known as the US Travel Rule Working Group, TRUST is operated by Coinbase but is formally a non-profit consisting of a group of primarily US-based virtual asset service providers (VASPs).

Pros

  • Bulletin board-based address to VASP discovery
  • Does not require UX changes
  • The primary path for Travel Rule with Coinbase
  • End-to-end encrypted PII exchange directly between members
  • Requires wallet proofs between exchanges before exchanging PII
  • Operated on Coinbase infrastructure

Cons

  • No transaction authorization flow as PII is exchanged post-transaction
  • Limited blockchain support
  • Requires wallet proofs between exchanges, which can be difficult to implement using MPC wallet infrastructure
  • Limited network of active VASPs
  • Closed network with little public information
  • No support for transaction intermediaries
  • Access to the network is controlled by Coinbase

What makes TRUST different from Travel Rule Protocols

TRUST was founded to implement and comply with the US Travel Rule. It has recently been expanded to include non-US VASPs; however, questions remain about whether it solves the broader international adoption of the FATF Travel Rule.

A post-transaction information sharing solution

TRUST was designed to exchange customer PII between two exchanges after a transaction has been sent to the blockchain.

This means that while it may solve the record-keeping requirements behind the Travel Rule, it does not have a pre-transaction messaging flow and cannot be used to stop fraudulent transactions or transactions sent to sanctioned individuals. 

This puts the burden on compliance officers to manage risk around transactions and convince their regulators that they comply with the Travel Rule. 

How does TRUST work?

The TRUST solution incorporates two separate components to address the Travel Rule: 

  1. A centralized bulletin board used to identify the correct counterparty, allowing an Originating VASP to identify a Beneficiary VASP, and; 
  2. An encrypted P2P channel to securely transfer the requisite Travel Rule data from the Originating VASP to the Beneficiary VASP.

How TRUST works (Source: Notabene)

  1. The Beneficiary VASP provides a crypto deposit address to the receiving customer. 
  2. The Beneficiary VASP optionally hashes and registers the crypto deposit addresses on the TRUST bulletin board as their own, including proof of address ownership. 
  3. The Beneficiary Customer provides the deposit address to the Originating Customer.
  4. The Originating Customer provides the beneficiary address to the Originator VASP.
  5. The Originating VASP sends the underlying Bitcoin or Ethereum transaction.
  6. If the transaction is over the US transaction threshold of $3,000, the Beneficiary VASP posts the hash of the beneficiary address to the TRUST bulletin board, assuming they did not perform step 2.
  7. If a transaction is over $3,000, the originating VASP queries the beneficiary address on the US Travel Rule WG board. The Beneficiary VASP replies privately to the Originating VASP, acknowledging that the address is theirs.
  8. If a Beneficiary VASP does not reply within 48 hours, the transaction is assumed to be to an unhosted wallet.
  9. The Originator VASP transmits PII and transaction hash to the Beneficiary VASP through a peer-to-peer method.

Each VASP using TRUST provides an API endpoint similar to TRP. However, TRUST adds a centralized bulletin board to solve the “discovery” problem: identifying which VASP is behind an address. The bulletin board shows a wallet address that the Originating VASP is trying to verify. The Beneficiary VASP then replies privately to claim the transaction.
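The Originating VASP's side of steps 5 to 9, as an added sketch that is not TRUST's or Notabene's code. The SHA-256 address hash, the `board` dictionary and the function names are assumptions, since the page does not document TRUST's hashing or API; all addresses and VASP names are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

THRESHOLD_USD = 3000                 # US threshold from steps 6 and 7
REPLY_WINDOW = timedelta(hours=48)   # step 8

def address_hash(address: str) -> str:
    # Assumption: SHA-256 of the address string; the page only says "hashes".
    return hashlib.sha256(address.encode()).hexdigest()

def originator_step(amount_usd, address, board, queried_at, now):
    """Decide what the Originating VASP does after the transfer is on-chain.

    board maps address hash -> (claiming VASP, delay before its private reply);
    this dict is a constructed stand-in for the board plus the reply channel.
    """
    if amount_usd <= THRESHOLD_USD:
        return ("no_exchange", None)            # not over the threshold
    elapsed = now - queried_at
    claim = board.get(address_hash(address))
    if claim and claim[1] <= min(elapsed, REPLY_WINDOW):
        return ("send_pii", claim[0])           # step 9, peer to peer
    if elapsed > REPLY_WINDOW:
        return ("treat_as_unhosted", None)      # step 8, includes late replies
    return ("await_reply", None)                # step 7 still pending

# Constructed sample data: placeholder addresses and VASP names.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BOARD = {
    address_hash("addr-constructed-fast"): ("VASP-B", timedelta(hours=2)),
    address_hash("addr-constructed-late"): ("VASP-C", timedelta(hours=50)),
}

def demo():
    at = lambda h: T0 + timedelta(hours=h)
    return [
        originator_step(3000, "addr-constructed-fast", BOARD, T0, at(3)),
        originator_step(5000, "addr-constructed-fast", BOARD, T0, at(1)),
        originator_step(5000, "addr-constructed-fast", BOARD, T0, at(3)),
        originator_step(5000, "addr-constructed-late", BOARD, T0, at(60)),
        originator_step(5000, "addr-constructed-none", BOARD, T0, at(49)),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In every branch the funds have already moved, so the outcome only decides whether and where PII is sent.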

Post-transaction flow is not consistent with FATF guidance

FATF and most regulators require that the Travel Rule is implemented pre-transaction so that sending and receiving VASPs can perform sanctions name screening and use other tools to stop financial crime before the funds are sent. This is an essential difference between crypto transactions and fiat transactions due to the immediate and irreversible nature of crypto transactions.

Unless changes have happened recently, TRUST's post-transaction flow is not consistent with current FATF guidance (Updated Guidance on Virtual Assets and Virtual Asset Service Providers), which specifies that the data transfer must be done immediately.

This leaves receiving VASPs with the only option of freezing funds if there are any issues with information obtained through TRUST. Sending VASPs have already lost custody of funds, so they cannot do anything besides providing the information obtained in a Suspicious Activity Report.

TRUST does not require the collection of beneficiary information from the sender

The Travel Rule requires VASPs and other financial institutions to enter the beneficiary's details on the withdrawal screen.

It works by verifying that the ultimate beneficiary of the transaction is indeed who the sender believes it to be. This is a crucial step to preventing fraud and financial crimes, such as pig-butchering schemes, that are rampant in the industry. It also helps stop much of the significant loss of funds that happens by users erroneously sending funds to the wrong blockchain address.

VASPs can implement this step themselves, but it is not a requirement of the TRUST solution itself. See FATF’s note (Updated Guidance on Virtual Assets and Virtual Asset Service Providers), which specifies that the originating VASP must collect beneficiary names from their customer.

Is TRUST an open-sourced industry alliance network, a closed network, or a commercial solution?

TRUST is a closed network operated by Coinbase that comprises over 35 VASPs, including many of the largest global VASPs, such as Coinbase, Bitgo, and Gemini. To join TRUST, VASPs must complete an onboarding due diligence assessment to ensure members meet objective security, privacy, and compliance standards and adequately safeguard Travel Rule data. Due to the complexity of implementation, we understand that many members are not actively using TRUST yet.

Is TRUST a fully integrated Travel Rule solution provider?

TRUST is a bulletin board that identifies VASP counterparties and securely transmits Travel Rule data. VASPs complete a technical integration with TRUST to connect the solution to their internal systems.

Is TRUST complex to integrate? 

There are two primary components to the TRUST integration that a VASP must complete:

  1. Integration with the TRUST solution (bulletin board and P2P channels), and;
  2. Internal integration with VASP’s crypto payment rails and compliance systems/tools.

TRUST offers technical builds that VASPs can leverage to achieve integration. TRUST members can also participate in its Technical Committee, where they can collaborate and obtain assistance in building their technical integration.

Integrating TRUST apparently may take a minimum of 3-6 months. Implementing the wallet ownership proof aspect of TRUST may be complex if relying on third-party wallet infrastructure.

How does VASP due diligence work on TRUST?

It seems that VASPs must perform due diligence on each counterparty. 

What is TRUST’s governance model?

TRUST has a central legal agreement between its members and committees that governs the solution. However, TRUST is primarily operated by Coinbase and runs on Coinbase infrastructure.

Does TRUST support unhosted wallets?

TRUST is designed to allow VASPs to comply with the Travel Rule, which involves transmissions between VASPs, not between VASPs and self-hosted wallets. TRUST, therefore, does not support communication with unhosted wallets. However, TRUST allows members to verify their ownership of a deposit address in the context of the Travel Rule to ensure Travel Rule information is sent to the correct party.

Is TRUST live?

TRUST launched in December 2021. Further information is available here.

Is there industry support for TRUST?

Yes. TRUST is supported by prominent global exchanges primarily based in the US such as Coinbase, Fidelity, Gemini, Bitgo, and others. Most important global counterparties besides Coinbase are not available on TRUST. 

As of June 2022, TRUST had over 90 members. Based on information from TRUST members, fewer than 20 VASPs are actually live with TRUST today. More information is available here.

What is TRUST’s membership fee structure?

TRUST members are not required to pay a set membership fee. Instead, members are charged monthly to account for ongoing operating costs—with no party collecting fees beyond the actual costs. These costs are divided equally among the members, and fees are expected to decrease as new members join. Estimated costs per VASP for the first year will be approximately $50,000 or less. 

There is also a significant upfront Due Diligence fee, which TRUST members have told us is between $50,000 and $100,000 to join. We expect the price difference to depend on the complexity of the company applying.

Smaller members can now join at a free membership rate. It is uncertain whether that also waives the Due Diligence fee.

In addition to the membership fee, please note that integrating TRUST involves significant technical and operational costs. Expect 3-6 months of engineering time.

How does TRUST compare to Notabene?

TRUST is a Travel Rule messaging system. Notabene, on the other hand, is an end-to-end Travel Rule compliance platform that helps you implement the Travel Rule through compliance, operations, technical infrastructure, and communication through multiple Travel Rule messaging protocols to ensure the broadest possible reachability.

In addition, Notabene offers training and certification in Travel Rule compliance with white glove service to ensure a successful rollout.

TRUST, like all other travel rule messaging protocols, requires you to:

  • Build a manual process to perform due diligence on counterparty VASPs.
  • Make changes to UX to perform additional data collection.
  • Integrate sanctions name screening and other tools for managing counterparty risk.
  • Build a Travel Rule case management dashboard.
  • Work closely between compliance teams and development teams to implement compliance rules.

While implementing TRUST seems to take 3-6 months for a fully operational system, Notabene has a relatively simple 5-point technical implementation plan that companies, depending on size, have been able to launch in as little as one week.

Does Notabene support TRUST? 

Notabene is working with TRUST to hopefully support it. Since TRUST is a membership-only solution, our customers who want access must apply independently to become members.

Since Coinbase does not allow external vendors to interact directly with TRUST, Notabene cannot connect directly with it today.

We recommend that VASPs use Notabene to integrate the Travel Rule in your backend and follow our phased approach to first rolling out the Travel Rule. This allows you to do a single integration with your backend and get your compliance team working on the complex process of implementing a Travel Rule compliance program.

If you can see in your Notabene dashboard that significant counterparties are only available on TRUST, then you may want to consider signing up with TRUST. While TRUST requires you to run the connection in your systems, our solution engineers will gladly guide you on connecting your TRUST transactions to your Notabene node using our simple webhooks.

This allows you to be Travel Rule compliant with only a single backend integration and reach all counterparty exchanges, including those using TRUST. It also allows you to receive incoming transactions via the TRUST BBS.

Ongoing discussions are happening between TRUST members and Notabene to provide a TRUST Gateway so that they can easily use Notabene as their holistic pre-transaction decision-making platform.

Is TRUST secure?

The underlying PII exchange method is secure, and we expect the server infrastructure to be very safe, as Coinbase maintains it.

However, there are a few unknowns, due to the closed source nature, that we recommend members investigate before joining:

  • The encryption algorithms and methodology used to encrypt PII and IVMS101 data between VASPs are unknown.
  • There is a centrally hosted server for TRUST. No publicly available information about this server’s security audits and SLA guarantees exists.
  • The Coinbase-hosted API server contains hashed blockchain addresses, which could be used to map to public blockchain data. Exchanges could consider this information sensitive from a business point of view.

Due to TRUST's centralized nature and its importance from an infrastructure point of view, we recommend performing security evaluations similar to those of any other centralized service before committing to integrating.
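Why hashed addresses held on the central server still map to public blockchain data, as an added illustration that is not TRUST's code. It assumes an unsalted SHA-256 of the address string, which the page does not confirm, and that the store records which member posted each hash; all addresses and VASP names are constructed placeholders.

```python
import hashlib

def address_hash(address: str) -> str:
    # Assumption: unsalted SHA-256 of the address string; the real scheme is not public.
    return hashlib.sha256(address.encode()).hexdigest()

def linkable_entries(board_hashes, onchain_addresses):
    """Resolve board hashes to addresses that already appear in public chain data."""
    lookup = {address_hash(a): a for a in onchain_addresses}
    return {h: lookup[h] for h in board_hashes if h in lookup}

def exposure_report(board_by_vasp, onchain_addresses):
    """Per VASP: how many posted hashes anyone holding the store could resolve."""
    report = {}
    for vasp, hashes in board_by_vasp.items():
        hits = linkable_entries(hashes, onchain_addresses)
        report[vasp] = {
            "posted": len(hashes),
            "linkable": len(hits),
            "addresses": sorted(hits.values()),
        }
    return report

# Constructed sample data: placeholder addresses, not real ones.
ONCHAIN = ["addr-constructed-1", "addr-constructed-2", "addr-constructed-9"]
BOARD_BY_VASP = {
    # Posted after a transfer (step 6): the address is already on-chain.
    "VASP-A": {address_hash("addr-constructed-1"), address_hash("addr-constructed-2")},
    # Registered in advance (step 2): one address has not received funds yet.
    "VASP-B": {address_hash("addr-constructed-9"), address_hash("addr-constructed-unused")},
}

if __name__ == "__main__":
    for vasp, row in exposure_report(BOARD_BY_VASP, ONCHAIN).items():
        print(vasp, row)
```

Under this assumption a hash posted after the transfer always resolves, because its address is already on-chain, while a pre-registered address stays opaque only until its first deposit. Asking how the hash is salted or keyed belongs in the pre-integration security evaluation.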

Developers requesting changes on TRUST

TRUST members can participate in the Technical Committee and request or suggest changes to the solution through proposals that members vote on.

Relevant links:

Coinbase | The standard for Travel Rule compliance

Coinbase | Introducing the Travel Rule Universal Solution Technology (“TRUST”)

Coinbase | TRUST Expands its Global Footprint and is Now Live Internationally
