VerifyVASP is a closed, centralized Travel Rule messaging protocol for secure and immediate data sharing between verified VASPs. South Korean cryptocurrency exchange Upbit created VerifyVASP as a joint venture with Chainalysis. It provides Travel Rule compliant connectivity to Travel Rule obliged entities and non-obliged entities in compliance with Travel Rule and personal data protection requirements.
This article covers factors to consider when choosing VerifyVASP as a Travel Rule messaging protocol.
How does VerifyVASP work?
VerifyVASP requires each VASP to run a closed-source server component known as the enclave server within their infrastructure. This component manages encryption keys and customer personally identifiable information (PII) for the VASP.
The VASPs' own server back-end interacts with the enclave server, which in turn interacts with VerifyVASP’s Central API server, run by the VerifyVASP company.
Sending a Travel Rule transaction in VerifyVASP takes the following steps:
- Modify withdrawal UX for originator VASP to collect information from the customer, including specifying the beneficiary VASP and beneficiary details according to local regulations. An API is provided for the list of verified VASPs in VerifyVASP for user selection.
- Ask Beneficiary VASP if the Beneficiary Customer’s blockchain address belongs to them through the User Account Verification API on the Central API server, and await confirmation.
- Transmit required Travel Rule Originator Customer and Beneficiary Customer PII in encrypted form through the User Verification API on the Central API server and await confirmation.
- Transmit transaction hash to the Central API server using Transaction Status API.
What information is held in VerifyVASP’s central database?
While encrypted PII passes through the central API, it is not held on the server. However, the transaction metadata is stored, including:
- Originator and Beneficiary VASP identifiers
- Transaction hash
- Blockchain addresses
Is VerifyVASP an open-sourced industry alliance network, a closed network, or a commercial solution?
VerifyVASP is a closed-network commercial solution that conducts stringent due diligence upon onboarding. The due diligence standard adopted by VerifyVASP is consistent with FATF guidance.
Who can join VerifyVASP?
VerifyVASP allows any VASP to register as long as you complete their due-diligence process. If you do not have a license yet or your regulator does not yet require you to implement the travel rule, you will not be able to use VerifyVASP to implement the Travel Rule. However, you will be able to use VerifyVASP for enhanced risk mitigation measures through the VerifyNAME API.
Can VerifyVASP reach exchanges that are not part of VerifyVASP?
No. There is no way of sending transactions to non-members.
Can VerifyVASP reach member exchanges that have not yet implemented VerifyVASP in their back-end?
No. There is no dashboard to respond to transactions manually, so sending transactions to companies that are members but have yet to perform the technical integration is not possible.
Does implementing VerifyVASP guarantee that you can transact with a VerifyVASP member?
No. According to FATF guidance, each VASP has to perform their own due diligence on counterparties, which VerifyVASP facilitates by sharing the due-diligence documentation, subject to the written consent of the VASP, with counterparties through its extensive alliance network.
How does VASP due diligence work on VerifyVASP?
Upon signing as an alliance member of VerifyVASP, the VASP will be subject to the VerifyVASP onboarding process and will receive an email requesting KYC documentation necessary to satisfy its onboarding requirements and mitigate against AML and CFT risk. VerifyVASP will check/verify the licensing status of the relevant VASP and conduct connected person (directors, UBOs, authorized persons, etc.) name and wallet screening. Unlicensed or unregulated VASPs, including those in the middle of an application, will be subject to a more stringent due-diligence process based on Wolfsberg CBDDQ. Once the documents submitted are verified and onboarding requirements are satisfied and approved by VerifyVASP’s management, the particular VASP can commence the technical integration process as the new alliance member.
What is VerifyVASP’s governance model?
VerifyVASP Pte.Ltd runs VerifyVASP, a Singapore-based company which was started as a joint venture between UpBit and Chainalysis. It has an independent board of directors.
Does VerifyVASP support identifying non-custodial wallets?
No. VerifyVASP does not support transactions to/from non-custodial wallets.
What is the flow of personally identifiable information (PII) on VerifyVASP?
- The Originator VASP back-end sends their end customers’ PII together with beneficiary PII collected from the end customer to the enclave server hosted in their local network environment.
- The Beneficiary VASP’s public key is retrieved from the VerifyVASP Central API server and is used to encrypt the PII.
- The encrypted PII is passed through the central API server to the beneficiary VASP’s enclave server.
- It is then decrypted using the corresponding private key that was generated as part of an asynchronous key-pair specifically for each transfer.
Is VerifyVASP live?
Yes, VerifyVASP is live.
Is there industry support for VerifyVASP?
VerifyVASP is still relatively early, and multiple VASPs have joined as members. UpBit and others are transacting in production on VerifyVASP. Still, it is uncertain how many of the listed members are integrated and able to send and receive transactions at this time.
What is VerifyVASP’s membership fee structure?
Companies may become alliance members at no cost.
How does VerifyVASP compare to Notabene?
VerifyVASP is a messaging protocol that allows members to share transaction data immediately. As told by our customers, implementing VerifyVASP can typically take 3-6 months for a fully operational system.
VerifyVASP, like all other travel rule messaging protocols, requires you to:
- Build a manual process to perform due diligence on counterparty VASPs.
- Make changes to UX to perform additional data collection.
- Integrate sanctions name screening and other tools for managing counterparty risk.
- Build a Travel Rule case management dashboard.
- Compliance teams must work closely with the development team to implement compliance rules.
Conversely, Notabene is an end-to-end Travel Rule compliance platform that helps you implement compliance, operations, technical infrastructure, and communication through multiple travel rule messaging protocols to ensure the broadest possible reachability. Along with our "white glove" service, Notabene also offers training and certification in Travel Rule compliance to ensure a successful rollout.
Does Notabene support VerifyVASP?
Notabene is looking to add support for VerifyVASP to our travel rule messaging switch pending a security review of the VerifyVASP API server and enclave server source code.
Is VerifyVASP secure?
The protocol appears to be secure. However, there are a few unknowns due to the closed source nature. Notabene has requested this information from VerifyVASP, which they are unwilling to share:
- The encryption algorithms and methodology used to encrypt PII and IVMS101 data between enclave servers are unknown.
- The secure enclave server, which handles encryption keys and is designed to be held in VASP’s own infrastructure, is closed source. Security audits or access to source code have been requested.
- There is a centrally hosted API server for VerifyVASP. There is no publicly available information about this server’s security audits and SLA guarantees.
- You must trust the VerifyVASP servers to correctly handle the exchange of encryption public keys to ensure the safety of the PII encryption.
- The centrally hosted API server contains mappings of all transactions and participant VASPs. This information should be considered sensitive from a business point of view by exchanges.
Due to the centralized nature of VerifyVASP and its importance from an infrastructure point of view, we recommend performing similar security evaluations as you would with any other centralized service before committing to integrating.
We recommend a thorough evaluation of the enclave server since it handles very sensitive data on behalf of VASPs.
What are the benefits of using VerifyVASP?
- Comprehensive, independent due-diligence process, ensuring only credible and reputable members are in the alliance. Due diligence, in turn, is also used to facilitate counterparty vetting.
- Instantaneous and scalable API-based transfers and verifications that are easily integrated.
- Solutions are live and road-tested in various jurisdictions, with more coming on board.
- Close industry and regulator engagement ensures industry needs shape its solutions.
- Designed for compliance with major data protection and privacy laws that have been shaped by industry and regulatory engagements.
- Send Travel Rule transactions to, in particular, South Korea’s major exchanges.
What are the drawbacks to using VerifyVASP?
- For many companies, it will not be enough to only integrate VerifyVASP. With all travel rule protocols we recommend reaching out to your main counterparties, to verify if and when they have fully implemented the travel rule using VerifyVASP.
- Due to its stringent onboarding due diligence, some may be unable to join its membership.
- Implementing VerifyVASP may not guarantee that you can send transactions to UpBit or other member VASPs, due to the manual due-diligence process
- The development team must build its own compliance dashboards and implement compliance rules.
Has there been a testnet using VerifyVASP?
VerifyVASP has been live since 2021. It features a sandbox complete with roboVASPs for VASPs to test the protocol.
Verify VASP for Developers
VerifyVASP Alliance Members are invited to connect to the Value Transfer Protocol Solution via API connectivity. Each Alliance Member must integrate with VerifyVASP’s servers by downloading a Docker image and using it to host their enclave server in their own environment.
The API key allows interaction between the enclave server hosted by the individual Alliance Member and VerifyVASP’s Central API Server. Each Alliance Member must implement the User Validation API to access VerifyVASP’s enclave server hosted in their environment.