TRUST (Travel Rule Universal Solution Technology) is a solution to identify transaction counterparties and securely transmit Travel Rule information between members. Formerly known as the US Travel Rule Working Group, a group of US-based virtual asset service providers founded TRUST to implement and comply with the US Travel Rule. It has recently been expanded to include non-US VASPs to solve the broader FATFTravel Rule.
This article covers factors to consider when choosing TRUST as a Travel Rule messaging protocol. The information within was provided to Notabene directly by Coinbase and other TRUST members.
How does TRUST work?
The TRUST solution incorporates two separate components to address the Travel Rule:
(1) a centralized bulletin board used to identify the correct counterparty, allowing an Originating VASP to identify a Beneficiary VASP; and
(2) an encrypted P2P channel to securely transfer the requisite Travel Rule data from the Originating VASP to the Beneficiary VASP.
The Beneficiary VASP provides a crypto deposit address to the receiving customer. The Beneficiary VASP hashes and registers the crypto deposit addresses on the TRUST bulletin board as one that they own, including proof of address ownership.
The Beneficiary Customer provides the deposit address to the Originating Customer.
The Originating Customer provides the beneficiary address to the Originator VASP.
If a transaction is over $3000, the originating VASP posts the beneficiary address to the US Travel Rule WG board.
The Beneficiary VASP replies privately to the Originating VASP, acknowledging that the address is theirs.
Send the underlying Bitcoin or Ethereum transaction.
The Originator VASP transmits PII and transaction hash to the Beneficiary VASP through a peer-to-peer method.
Each VASP using TRUST provides an API endpoint similar to TRP. Yet, TRUST adds a centralized bulletin board to solve the “discovery” problem, identifying which VASP is behind an address. The bulletin board shows a wallet address and the originating VASP trying to verify it. The Beneficiary VASP then replies privately to claim the transaction.
Note that TRUST does not currently offer a method for the beneficiary exchange to perform a name sanctions screen on the originating customer or reject a transfer based on wrong beneficiary names. These are both essential requirements when implementing the Travel Rule.
Is TRUST a Travel Rule solution or protocol?
TRUST is a centralized messaging bulletin board.
Is TRUST an open-sourced industry alliance network, a closed network, or a commercial solution?
TRUST is a closed network operated by Coinbase that comprises over 35 VASPs, including many of the largest global VASPs, such as Coinbase, Bitgo, Gemini, etc. To join TRUST, VASPSs must complete an onboarding due diligence assessment to ensure members meet objective security, privacy, and compliance standards and adequately safeguard Travel Rule data. Due to the complexity of implementation, we understand that a significant number of members are not actively using TRUST yet.
Is TRUST a fully integrated Travel Rule solution provider?
TRUST is an automated protocol to identify VASP counterparties and securely transmit Travel Rule data. VASPs complete a technical integration with TRUST to connect the solution to their internal systems.
Is TRUST complex to integrate?
There are two primary components to the TRUST integration that a VASP must complete: 1) integration with the TRUST solution (bulletin board and P2P channels); 2) internal integration with a VASP’s crypto payment rails and compliance systems/tools.
TRUST offers technical builds that VASPs can leverage to achieve integration. Members of TRUST can also participate in its Technical Committee, where they can collaborate and obtain assistance in building their technical integration.
Our customers have told us it takes a minimum of 3-6 months to integrate TRUST. In particular, we are told that it is complex to implement the wallet ownership proof aspect of TRUST if you rely on third-party wallet infrastructure.
How does VASP due diligence work on TRUST?
To our knowledge, VASPs must perform due diligence on each counterparty.
What is TRUST’s governance model?
TRUST has a central legal agreement between its members and committees that governs the solution. However, it appears that TRUST is primarily operated by Coinbase and runs on Coinbase infrastructure.
Does TRUST support non-custodial wallets?
TRUST is designed to allow VASPs to comply with the Travel Rule, which involves transmissions between VASPs, not between VASPs and self-hosted wallets. TRUST, therefore, does not support communication with non-custodial wallets. However, TRUST allows members to verify their ownership of a deposit address in the context of the Travel Rule to ensure Travel Rule information is sent to the correct party.
Is TRUST live?
TRUST launched in December 2021. Further information is available here.
Is there industry support for TRUST?
Yes. TRUST is supported by a group of prominent global exchanges: Coinbase, Fidelity, Gemini, Kraken, Bitgo, Binance US, Crypto.com, and others. As of May 2022, TRUST has over 35 members. More information is available here.
What is TRUST’s membership fee structure?
TRUST members are not required to pay a set membership fee. Instead, members are charged monthly to account for ongoing operating costs—with no party collecting fees beyond the actual costs. These costs are divided equally among the members, and fees are expected to decrease as new members join. Estimated costs per VASP for the first year will be approximately $15,000 or less.
How does TRUST compare to Notabene?
TRUST is a Travel Rule messaging system. Notabene, on the other hand, is an end-to-end Travel Rule compliance platform that helps you implement the Travel Rule through compliance, operations, technical infrastructure, and communication through multiple travel rule messaging protocols to ensure the broadest possible reachability. In addition, Notabene offers training and certification in Travel Rule compliance with our white glove service, ensuring your successful rollout.
TRUST, like all other travel rule messaging protocols, requires you to:
Build a manual process to perform due diligence on counterparty VASPs.
Make changes to UX to perform additional data collection.
Integrate sanctions name screening and other tools for managing counterparty risk.
Build a Travel Rule case management dashboard.
Compliance teams must work closely with the development team to implement compliance rules.
We hear from our customers that implementing TRUST can typically take 3-6 months for a fully operational system. Comparatively, Notabene has a relatively simple 5-point technical implementation plan that companies, depending on size, have been able to launch between one week and two months.
What are the benefits of using TRUST?
Strong coverage: TRUST is a solution that has extensive coverage of both US and international VASPs. More than 35 VASPs have joined TRUST, including members with a significant international presence, and TRUST is building international coalitions with additional VASPs worldwide.
Secure Travel Rule solution: TRUST prioritizes the security and privacy of sensitive customer and business information by:
Proving ownership: Requiring Beneficiary VASPs to prove ownership of their addresses to ensure Travel Rule data is shared with the right counterparty;
Conducting due diligence on prospective members to ensure they can adequately safeguard Travel Rule data; and
Partnering with an independent security vendor to conduct core security functions for the solution.
Legal and governance framework: TRUST has a multilateral agreement that governs a VASP’s membership in the solution. This eliminates the need for VASPs to establish bilateral agreements with each counterparty.
What are the drawbacks to using TRUST?
Closed network: TRUST enables members to exchange Travel Rule data with one another through the automated solution. If a VASP has counterparties that are not members of TRUST, that VASP can either join TRUST or will have to implement an alternative solution, such as Notabene, to exchange Travel Rule data with TRUST members.
Weak global coverage: While coverage within the US is strong, and there are some international exchanges in TRUST, coverage is still weak globally.
Likely non-compliant post-transaction flow: FATF’s guidance clarifies that Travel Rule must be carried out in such a way that beneficiary institutions can perform their own risk management procedures and block transactions. To do this correctly, the entire Travel Rule process has to happen in the pre-transaction flow. TRUST requires the originator to send the crypto transaction to the beneficiary before the Travel Rule message gets shared, so it appears not to be fully compliant with FATF and most national regulators’ requirements.
Limited support for blockchain assets: Due to the requirement of a cryptographic proof, TRUST only currently supports BTC and ETH.
Wallet ownership proofs: This is technically very difficult to implement for most exchanges. In particular, if they use an MPC or MultiSig approach to managing their wallets. It is also not a requirement as long as you perform proper due diligence on a counterparty exchange.
Is TRUST secure?
The underlying PII exchange method appears to be secure, and we expect the server infrastructure to be very secure, as Coinbase maintains it.
However, there are a few unknowns, due to the closed source nature, that we recommend members investigate before joining:
The encryption algorithms and methodology used to encrypt PII and IVMS101 data between VASPs are unknown.
There is a centrally hosted server for TRUST. There is no publicly available information about this server’s security audits and SLA guarantees.
The centrally hosted API server contains hashed blockchain addresses, which could be used to map to public blockchain data. Exchanges could consider this information sensitive from a business point of view.
Due to the centralized nature of TRUST and its importance from an infrastructure point of view, we recommend performing similar security evaluations as you would with any other centralized service before committing to integrating.
Has there been a testnet using TRUST?
VASPs integrating with TRUST have access to a testing environment to test their technical integration before they fully launch and begin transmitting Travel Rule data.
TRUST for Developers:
Requesting changes on TRUST
TRUST members can participate in the Technical Committee and request or suggest changes to the solution through proposals that members vote on.