iComply on FATF Travel Rule: Cryptocurrency is Meant to be Trustless, Not Anonymous
In June of 2019, one of the most authoritative regulatory organizations worldwide, the Financial Action Task Force (FATF), issued new guidelines on how digital assets should be regulated.
A point that caused great concern and confusion for exchanges was the “travel rule,”: which refers to section 7(b) in the Interpretative Note to Recommendation 15 in the FATF Guideline, which requires Virtual Asset Service Providers (VASPs) to collect and transfer customer information during transactions. While FATF recommendations are not legally binding, the G-20 stated that it uses them to regulate cryptocurrencies for Anti-Money Laundering.
So what do these recommendations really mean, and how should exchanges or VASPs observe them? We decided to gather some of the questions being posed by those in the exchange and cryptocurrency sector and put them to an expert, Matthew Unger, CEO, iComply.
Matthew Unger is the CEO and co-founder of iComply Investor Services. At 22, he became one of the youngest executive financial advisors in Investors Group Financial Services’ history, building a $42-Million business in under five years. He has a decade of technology management consulting experience, driving innovation for companies ranging from high-growth startups seeking to scale into enterprise markets to major multinationals, including Virgin Group, Investors Group Financial Services, BDC, Bank of Canada, and has held Secret-Level clearance with CSIS (a.k.a. Canada’s CIA).
His previous FinTech experience includes leading the systems architecture on an end-to-end digital workflow solution for a wealth management firm in Canada. Unger previously led a proof of concept at MIT to use Ethereum to automate the matching and fulfillment of interest rate swaps over LIBOR.
iComply Investor Services (iComply) is a regulatory technology (Regtech) company focused on making financial markets more robust, secure, and efficient. Its mission is to improve the user experience of compliance for all counterparties in every transaction.
Does the travel rule spell the end of cryptocurrency anonymity?
No, it does not. The travel rule only applies to people who are trading or facilitating trades for others; it doesn’t impact peer-to-peer transactions.
The subset of digital assets dubbed privacy coins, which have long delighted libertarians and frustrated law enforcement, are feeling the pinch of a step up in regulation—what would you tell advocates of the technology who believe in the autonomy of personal finance and operating free of state surveillance?
A few points here:
The top two privacy coins are Monero and Zcash. Both are able to fully comply with the travel rule, depending on privacy settings that the user has enabled in their wallet. One of these is set to be private by default; the other is transparent by default. These coins will allow the user to give audit access (say, to a regulator) to view transaction details…and software can be created to enable these coins to be compliant at scale, without giving away transaction history to surveillance firms such as ChainAnalysis.
There is a larger conversation embedded in this question regarding state surveillance. While we want to be free, money has a direct impact on people’s lives. The reality is that crypto is often used in the child sex trade, to launder massive amounts of money, and to undermine the free democratic process in favor of corruption and foreign influence, such as was the case in the 2016 U.S. election (re: the Mueller report). We’ve seen even more extreme values on privacy in the last few years. While some people say privacy is more important, these people limit the current and potential uses of crypto in the financial system.
The original objective of this technology is not to be anonymous—it’s to be trustless.
You don’t need to know anything about an individual to know that you can trade with them and that their money is real. What the tech can’t do is tell you if the crypto is stolen, was used to harm someone, or was used to facilitate acts of terrorism, crime, or other illicit or harmful activities. In order to use crypto in good conscience, it’s prudent that users deal with people that they have vetted...although it’s not possible to know all their details (that eliminates the whole concept of trustlessness). You need policies to be managed at large institutions, so you know that you can actually use cryptocurrency properly.
The reality of the FATF travel rule is that it’s just a method of data standardization. Once you standardize that data format (i.e.: FIX for stock exchanges and SWIFT for banks and bank wires), and if you are an advocate of crypto adoption, having an open-source global data standard is the gateway to mainstream adoption.
Would a technology like Zero-Knowledge Proof be an acceptable way around the declaration of personal data required by FATF?
Again, the people who are required to report and use the FATF travel rule are already legally compelled to do KYC. There is no additional requirement. All this does is make sure that, for example, if someone takes all the money out of Quadriga and starts washing that money, at least people will know where the money went. This is not about the user of crypto making declarations; it’s about VASPs being held accountable for transparency and protection both of their users and the integrity of their platforms.
Zero-Knowledge Proof is a very broad term that could be implemented in many ways, but it’s not really a useful tool for this application. This is because you are not asking for authentication of info (such as, is this person’s name, date of birth, address, etc.). Instead, you’re required to actually pass that data forward from the sending VASP to the receiving VASP.
A much better framework than Zero-Knowledge Proof would be to use blockchain to ensure that users consent to their info being shared, which can be done off-chain using standard encryption and APIs, or other means.
Ryan Taylor, CEO of Dash Core Group said: “Exchanges are struggling to understand the specific requirements because the FATF regulation must be implemented in local jurisdictions, which will undoubtedly act on the guidance differently. For now, it is a guessing game.” —Will this mean that the travel rule is likely to be implemented unequally?
There is already a global standard emerging for adhering to the FATF travel rule. iComply, among other reputable companies from all around the world, have worked together to establish a best practice for how the travel rule data can be shared through a common standard (similar to FIX or SWIFT) while using blockchain to protect identities, privacy, and decentralization. This new standard will be a key discussion point at the FATF plenary in May 2020.
Again, we are merely talking about a standardized way to share data between VASPs. If a VASP wants to adopt its own standard for data, such as the format of the date of birth, it will be on them to maintain their data and the “translation” of that data with other VASPs. Adopting a public and open standard saves everyone time and money.
What advantages do you personally see for the crypto industry by the introduction of the travel rule?
First and foremost, there’s the mainstream adoption—because this is the last piece of compliance needed for crypto assets to be held to the same standard as the rest of the financial industry.
Secondly, without the FATF travel rule or something similar to the travel rule, the security token industry will never survive because every platform is creating its own protocol, which is causing massive fragmentation.
Finally, without the travel rule, institutional money cannot trade cryptocurrencies at scale and must rely on more intermediaries that charge high costs in order to maintain their existing compliance requirements, all while giving their clients adequate exposure to cryptoassets.
Bitpanda CEO Eric DeMuth has been urging the FATF for legal clarity—“Compliance must be possible from a technical level, and there is no clear way to achieve that.”—Are the legalities unclear, what advice would you offer DeMuth?
At a technical level, compliance has been possible from day one. The biggest barriers to compliance right now are the unwillingness of platforms to adopt a common standard and knowledge of VASP management teams. FATF is not a regulatory or enforcement body—they will not prescribe how things need to be done, but instead they will provide insights into the risks (the ‘why’) and what needs to be done. How you choose to do this is up to you—whether relying on some centralized data repository such as Equifax or Verisign, using solutions such as Madana, the MME and Crypto Valley Association proposal), or solutions that go much further to protect the privacy of users and promote the long-term growth of the crypto industry.
What key observations and understanding have you taken away from the travel rule?
The travel rule has in some ways divided the crypto industry against itself. Some that subscribe to ultra-libertarianism at all costs (ie: John McAfee) are directly pitted against those in the industry who want to see this technology used broadly and for positive, transparent change across the financial industry, governments, and societies.
The reality is that regulation in finance has been increasing steadily over the last century. And just because you happen to use a blockchain doesn’t make you immune to regulations that apply to some that used a different database structure. The FATF travel rule has caused a lot of fear, uncertainty, and dread in the crypto market, but this is completely unnecessary. It is a fairly straightforward regulatory requirement, and many platforms are already in full compliance. Those that are uncertain on how the travel rule impacts them should speak with an experienced legal or compliance advisor to help guide them through the process.
In the long run, we believe that once the industry has implemented a common standard for the FATF travel rule, it will unlock the ability to massively lower costs for KYC, transactions, and the business operations of running a VASP.