There was quite a bit of protest from the cryptocurrency industry when the Financial Action Task Force (FATF) announced Recommendation 16, a new set of compliance guidelines for cryptocurrency exchanges earlier this year.
In particular, a number of crypto industry insiders took issue with the FATF’s mandate to apply the so-called “travel rule” to cryptocurrency exchanges. In short, the travel rule requires that cryptocurrency exchanges must verify and keep records of users’ identities, and that they must pass customer information to each other when transferring funds–in other words, if an account on one cryptocurrency exchange sends cryptocurrency to an account on another cryptocurrency exchange, the identity information associated with the first account must also be sent along with the funds.
However, there are some major logistical challenges associated with applying this in the cryptocurrency world.
For example: when a transaction is sent from one bank to another–anywhere in the world–there is a certain amount of identity information that is naturally built into the transaction. In an IBAN code, there is information about the country where the transaction is being sent to, the bank’s identity code, information on the branch of the bank where the receiving account is based, and the account number itself.
However, there is no information associated with customer identity or location in a cryptocurrency transaction. For example, a Bitcoin address–which is necessary to send and receive BTC–is nothing more than a string of randomly generated characters. The only way that this string of characters can be tied to an identity is if the owner of the address chooses to publicly or privately share information that ties their identity to it.
London-based trade group Global Digital Finance (GDF) illustrated this point in a commentary letter to the FATF this April.
So, when the guidelines were published at the end of June with a compliance deadline of January 2020, cryptocurrency exchanges and other digital asset service providers were left with a heavy burden to bear.
However, where a number of service providers may have seen an onerous task, a number of other organizations have seen an opportunity–a chance to create a solution that could be adopted by cryptocurrency exchanges across the board, putting them on the map and money in their pockets.
But is it feasible to think that any single solution could serve the entire cryptocurrency industry? Is that a healthy way to solve this problem? And what are the challenges associated with creating a compliance solution that could fulfill the needs of all of the populations that are a part of this very global space?
The first solution, rather than the best solution, may become the industry standard
One concern that a number of analysts within the space have expressed is that, because digital asset service providers have a limited amount of time to comply with the FATF’s guidelines, the first finished solution–and not necessarily the best solution–could become the industry standard.
Imagine: there are several weeks until the FATF’s compliance deadline, and there are a handful of solutions on the market. These solutions are not interoperable with each other.
Solution A has a number of organizational problems and no governance structure, but they do have an aggressive marketing team and connections with some of the largest exchanges in the world; Solution B does have a governance structure and is organizationally sound, but does not have the connections to large exchanges that Solution A has.
So, Solution A is the solution that is adopted by the world’s largest exchanges. Because it is not interoperable with any other solution–including Solution B–the fact that it has been adopted by the biggest players in the space forces the smaller players also to adopt Solution A so that their users can continue to send and receive transactions from other exchanges.
This could potentially create a situation in which Solution A has a huge commercial advantage over other solutions, and in which Solution A has total control over the governance model behind the solution–the individuals that form Solution A are solely responsible for updating and making decisions about how cryptocurrency exchanges can stay compliant when the FATF.
Yana Afanasieva, who led compliance functions for Amazon and PayPal in Europe between 2012 and 2016, explained more about this particular problem in an email to Finance Magnates.
“[These] companies are mostly opportunistic and act against the interests of the end-users. They try to position themselves as an intermediary, who is going to set up some rules and principles of how information should be submitted to them, who will have access, how often it needs to be updated and other criteria,” she said.
“If [this] happens, we will reproduce all the inefficiencies of the banking system on the blockchain, where essentially you are nominally the owner of the funds, but if your bank does not work on Sunday, there is nothing you can do, and the bank, in reality, controls your funds.”
“Recommendation 16 is an opportunity for the digital asset community to come together.”
However, there is some effort within the industry to prevent this sort of involuntary, technocratic scenario from becoming a reality. For example, Global Digital Finance has established the FATF Steering Committee, a body that GDF says will work to “support a positive outcome for the wider digital asset industry.”
The committee, which is open to all digital asset service providers–regardless of whether or not they are members of GDF–has been formed to “collaborate to address an industry solution for FATF Recommendations 16 and effectively define data and operational standards and a governance mechanism to oversee compliance.”
“FATF’s mandate is to provide recommendations and measure the effectiveness of implementation,” said GDF’s executive director, Teana Baker-Taylor, in an official statement announcing the launch of the committee.
“Recommendation 16 is an opportunity for the digital asset community to come together to articulate global standards around data requirements and operational practices while simultaneously assessing technological solutions.”
Additionally, Malcolm Wright, Chief Compliance Officer of Diginex and Chair of the GDF FATF Working Group, said that “the industry agrees that governance and standards will underpin the success of technical solutions to Recommendation 16.”
“Implementing technical solutions without considering standards will lead to fragmentation, increased costs, and create market liquidity risk. GDF offers the ideal forum for VASPs to co-develop the most effective approach by drawing on its expertise in standards development.”
“Ahead of technology, we should first consider standards and governance of the technical solution(s).”
Wright has also created a non-technological solution that could help to establish standards that could support the development of multiple compliance solutions. Dubbed “VATIRS” (Virtual Asset Transfer Information Reporting System), it is a solution that does not identify any specific technological provider–Wright’s approach to the problem has not been technological at all.
Instead, Wright says that before any technological solutions for compliance are created, a number of logistical, non-technical standards need to be set into place.
“I noticed that there were many groups rushing to create a technical solution without first considering a number of key factors,” he told Finance Magnates. “I considered that ahead of technology, we should first consider standards and governance of the technical solution(s). As a basic example, what format should the ‘date of birth’ field be in”–should it be DD/MM/YY or MM/DD/YY? And what language–what alphabet–should dates be in?
“Within this, I created an overarching flow that I ran past several key regulators and exchanges to solicit feedback and refine. What I have now created is an overarching technology-neutral proposal that is peer-to-peer, protects personal information, minimizes sanction screening overhead, protects commercial interests, and requires no regulatory change (e.g., data privacy laws).”
“There are also important regulatory compliance benefits that currently, several technology solutions have not encompassed. The proposal recommends the establishment of standards first with a lightweight governance model in parallel into which multiple technologies could be introduced for the actual transmission of the required data.”
Wright believes that setting these standards will create an environment in which multiple technological solutions can function together to fit the specific needs of specific populations.
“I envisage multiple solutions, and in a nascent industry this is the correct approach to both allow solutions to mature and the industry to identify which ones are most optimal (i.e., security, performance, cost, etc.) as well as protect the infrastructure were one solution to suffer from a performance/security issue as it allows for immediate switching to other technologies.”
However, some of the technology providers that have created solutions for Recommendation 16 aren’t taking a totally technocratic approach.
Justin Newton, Founder & CEO of Netki, which created “TransactID,” told Finance Magnates that “there should only be one standard that everyone implements to, that standard should encourage competition between vendors. In this way, if any given vendor is not able to meet the entire ecosystem’s need, there should be ample choices and alternatives to suit the local markets.”
Additionally, Newton said that “while we designed the protocol (along with our co-authors) we don’t ‘own’ it. Just like TCP/IP or SSL, no one should ever own the communication protocol which is why we made this a BIP (Bitcoin Improvement Protocol).”
“It’s a public and open-source standard that can be extended by the community to meet future community needs. This can be done with us, or if for some really odd reason we didn’t agree with the change, it could still happen without us if that’s what the community wanted.”
But of course, Netki does stand to profit if TransactID is adopted: “our customers will have some initial set up fees for TransactID, as well as the cost per certificate charges, which would be on the order of $1 US. The solution is based on an open standard, so the costs are quite affordable, and would only be incurred by VASPs whose customers have successfully onboarded and funded their accounts, providing income offset.”
Additionally, “there will be no transaction fees associated with this service or platform, allowing network transactions to flow universally without breaking connectivity between VASPs and non-VASPs, or adding cost-based friction to the transaction.”
As for governance, Newton explained that the industry would need to establish a separate entity–“the industry would establish a global non-profit governance organization, similar to how SSL certificates are issued and overseen,” he said. “The non-profit would establish standards for the CA’s and audit them to ensure they are acting in compliance. This allows for sound self-governance rather than opening the door to more government intervention.”
Cybersecurity firm CipherTrace has also created TRISA, a solution that could be used interoperably across different service providers. “We have released the software as open-source, so VASPs and software providers can modify the TRISA code or extend the software to integrate with their platform management applications and changing needs,” John Jefferies, CipherTrace’s Chief Financial Analyst, told Finance Magnates.
TRISA does not have any specific costs associated with it. “There are no licensing expenses associated,” Jefferies explained.
“Each VASP will be responsible for operating the system on their own premise and integrating it with their platform. Operating the platform will require people to operate it 7×24 which can be expensive, especially for smaller VASPs,” he said. However, “the operational expense will probably be passed onto customers.”
Like Netki, CipherTrace agrees that the industry should make the decisions about FATF compliance standards, but it doesn’t have any specific plans to create a governance model itself.
“There are already communities of exchanges and other VASPs discussing and evaluating potential standards. Industry groups such as the Digital Chamber of Commerce and the Blockchain Alliance are providing venues and hosting meetings to present and discuss solution proposals,” Jefferies told Finance Magnates. “TRISA has invited VASPs to participate in interoperability testing so we can reach a consensus around messaging and standards.”
Ultimately, “the community will decide. The largest exchanges will influence the industry direction. A non-profit governance model would be ideal, and it should be governed by a mix of VASPs and technology providers like the APWG or MAAWG.”
CoolBitX: Beware of solutions claiming to be free
CoolBitX, a Taiwan-based crypto company, has also created a solution. Tom Maxon, head of the wallet’s US branch, told Finance Magnates that “it is a privacy secure tunnel that allows cryptocurrency exchanges to correspond with each other privately and securely to comply with their country’s version of the funds travel rule,” and that the solution does not “see, obtain, or analyze any private data. It’s a straightforward and inexpensive way for exchanges to implement and maintain.”
Maxon also believes that “there will always be discussions of more than one solution, and that is healthy for everyone. We want to see interoperability as a long term target. I certainly hope that exchanges do work within a common set of standards.”
“However, the best solutions will have a lot to prove that they are not over-engineered, expensive, or constraining virtual asset service provider (VASP) compliance standards by forcing clunky legacy standards onto new problems. As the number of proposals arise, it will take much more testing for them to actually be considered ‘solutions’ as many of the proposals are untested, cumbersome, and will make compliance difficult to scale.”
Even though there may be multiple different solutions, compliance must remain as the ultimate goal: “it’s important that despite diverse needs of the various VASP business models or platforms, the underlying single common goal for all VASPs is to comply with their country’s funds transfer requirements. Those requirements will begin to look more uniform over time as global regulators learn from variations of the FATF recommendations. If a single solution were to arise it should, first and foremost, reduce the risks of non-compliance (as that is the matter at hand).”
“After that has been achieved, it must be highly flexible to work with different software and business models, encrypt any type of data, and privately send that information along without the threat of data companies getting access to that information.”
As for governance, Maxon explained that many of the decisions made about the solution can only be made over time: “there’s probably no way to force a top-down solution for the entire crypto industry. It will be decided over time organically by a variety of stakeholders and broader industry activity such as by regulatory sandboxes, industry non-profits, RFP processes, and live testing out in ‘the wild.’”
Indeed, “a problem this complex cannot be solved by either tech or governance alone. I see a strong need for proper governance to ensure VASPs are operating on a similar compliance level, but at the same time, understand that governance alone will not actually solve the engineering problems presented by these new compliance requirements. Even if a governing body is formed, there will still be a period of testing out solutions and identifying the best practices.”
Maxon said that CoolBitX’s solution is low-cost, and warned against solutions claiming to be free: “our solution is very cost-effective, with minimal resources needed from a software integration level, FTEs, user experience, and future maintenance. Some solutions are marketing themselves as free, or low-cost per user, but these proposals have tremendous downstream costs arising from the complexity of building new protocol layers, servicing, or business arrangements with counterparty VASPs… When it comes to compliance, I’d say it is best practice to avoid any solution that is claiming to be ‘free’. Especially, if those companies have business models that profit off of data collection or KYC solutions.”
FATF: “We may well end up with a number of protocols.”
There are a number of other companies that are vying to create the solution that the industry will adopt, and it’s likely that even more will emerge as time marches on.
What does the FATF itself have to say about all of this?
“The FATF has established a Contact Group that monitors developments in this sector to understand how the industry is meeting the challenge, but it isn’t involved in developing the actual solution,” said Alexandra Wijmenga-Daniel, Communications Management Advisor for the FATF, to Finance Magnates.
“A number of potentially compliant proposals have emerged already. It is too early to predict which solution will end up getting adopted, or indeed how many. We may well end up with a number of protocols.”
In other words–only time will tell.