Cryptocurrency Exchanges Pressured to Collect More Private User Information by FATF
New rules require exchanges to collect even more personally identifying information.
The FATF’s recent guidelines have widespread implications for what private information exchanges need to track and collect from customers. Here are some insights on the recent regulation from CipherTrace’s Nov. 5 Cryptocurrency Travel Rule Compliance Conference and Hackathon.
An event oriented around the integration of cryptocurrency into the modern financial infrastructure may be at odds with the cypherpunk ethos. However, next year the cryptocurrency Travel Rule is going into effect and will affect cryptocurrency holders and blockchain-based institutions.
CipherTrace, a blockchain tracing and security company, put the conference together to shed light on the impacts of the upcoming Financial Action Task Force guidelines that take effect in June 2020.
The event also featured a hackathon, a competition where software developers attempt to build solutions in a limited timeframe. The competition was focused on developing better industry-wide solutions for transferring sensitive customer information while maintaining user privacy. The solutions developed would be integrated into CipherTrace’s Travel Rule Information Sharing Architecture.
FATF Overview and Impact
In June 2019, the FATF issued its suggestions for the regulation of cryptocurrencies, which impact financial institutions that conduct cross-border transactions. FATF is an intergovernmental entity (composed of 37 countries and two regional entities) that aims to combat money laundering and disrupt terrorist financing.
The June 20 FATF guidelines outline new standards that virtual asset service providers must implement. Notably, the “Travel Rule,” a byproduct of the U.S. Bank Secrecy Act, requires financial institutions to share personal identifying information of their customers who transact with other users across platforms.
A virtual asset service provider includes a business that offers any of the following services:
- Exchange between digital assets and fiat currencies;
- Exchange between one or more forms of digital assets;
- Transfer of digital assets;
- Safekeeping and/or administration of digital assets or instruments enabling control over digital assets; and/or
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a digital asset.
Examples of entities expected to be impacted include cryptocurrency exchanges, custodial wallets, and non-custodial exchange operators.
Once the regulations go into effect, individuals conducting transactions between VASPs must provide the following information:
- Originator’s name,
- Originator’s account number,
- Originator’s physical (geographical) address, national identity number, or customer identification number,
- Beneficiary’s name,
- Beneficiary’s account.
Why does a new global regulation for an emerging technology resemble an outdated U.S.-based regulation? The answer lies within the leadership model of the FATF organization.
FATF Guidelines and U.S. Regulations
The FATF presidency runs for a term of one year and the senior official appointed to the position is chosen by the FATF’s decision-making body, the Plenary. From July 1st, 2018, through June 30th, 2019, the FATF President was Marshall Billingslea, the Assistant Secretary for Terrorist Financing of the U.S. Department of the Treasury.
Given a one-year term and a desire to enact policy surrounding the transfer of digital assets, Billingslea proposed a variety of ideas that closely mirrored the BSA’s existing anti-fraud legislation.
The BSA is a nearly 50-year-old piece of legislation, drafted to eliminate money fraud issues associated with wire transfer infrastructure. However, this legislation doesn’t account for the nuances associated with distributed ledger technology.
For this reason, CipherTrace hosted the conference to help VASPs and cryptocurrency users better understand a regulation that will be enforced in less than a year and is riddled with issues surrounding the loss of user privacy.
Voices at the Travel Rule Conference
Conference organizers invited a breadth of stakeholders who might be impacted by the new FATF guidelines, from regulators to privacy-oriented developers. Stakeholders in attendance included privacy coin advocates, developers, financial institutions, cryptocurrency exchanges, regulators, government entities, law enforcement, and money transmitters.
Eliahu Assif, the chief security officer at eToro, discussed how the centralized exchange aims to be compliance-friendly by offering a complete audit trail and reconciliation process. From the perspective of the exchange, the new FATF regulations mean they must be able to identify each customer, both the individual and their wallet.
Lee Brown, Department of Homeland Security investigator, discussed the first time he and his team came across Bitcoin and how criminal enterprises have used the cryptocurrency. While Brown explained the criminal activity conducted on the Bitcoin network, he didn’t demonize cryptocurrency. He stated:
“Bitcoin is a new way to exploit money, just like Western Union, and wire transfers,” while simultaneously acknowledging “cash is probably the most anonymous.”
On the other side of the coin, the conference hosts carved space for a panel comprised of privacy advocates and representatives from Dash, Zcash, and Monero, as well as a Bitcoin core dev. The panelists agreed that using money or cryptocurrency for illicit purposes is indeed a bad thing and must be mitigated. However, the panelists also urged that privacy coins should be seen for their spectrum of use-cases. Each cryptocurrency should be evaluated on a case-by-case basis rather than outright outlawing all privacy coins, the panel concluded.
To encapsulate the perspectives of all parties, offer cryptocurrency users the option of privacy, and give VASPs a working protocol, CipherTrace also hosted a hackathon. The goal was to design an industry-wide standard that meets the regulatory needs for VASPs while protecting the personally identifying information of users.
To address the needs of the FATF guidelines, CipherTrace took a proactive approach with the development of its open-source protocol, TRISA. TRISA is an open-source, peer-to-peer protocol that aims to comply with FATF guidelines at a minimal cost to participants while offering an entity high-performance transaction processing.
The hackathon encouraged developers to expand upon the TRISA protocol to include the ability to verify the originator and receiver of a transaction to ensure they are not blacklisted criminals (without sharing their private information among the sending and receiving parties).
Over the two days, five teams of developers dug into the TRISA whitepaper and designed solutions that comply with FATF guidelines while ensuring the privacy of the customer. Solutions included:
- Creating multiple wallets to send amounts less than the $1,000 threshold in the FATF guidelines
- Utilizing a token that can be sent with a transaction that verifies each user has provided the required KYC/AML information
- Integrating filters to identify fan-in / fan-out patterns, time-delays of large transactions, or non-VASP addresses that serve as a middleman
- A Chrome extension that integrates KYC/AML information in the transaction while also making the ledger more readable (i.e., domain names for addresses instead of alphanumeric hashes)
- The integration of cryptographic protocols – Bulletproofs and bit commitment – into the TRISA protocol
Of the five teams, two had integrated their projects with the TRISA source code.
Come June 2020, all 37 countries of the G20 need to comply with the regulations outlined in the FATF guidelines. While the enacted regulations were initially designed to address fraudulent activity conducted via wire transfers, the lack of a modernized solution will impinge on the privacy of users who use services on VASPs, such as exchanges.
CipherTrace intends for TRISA to deliver a privacy-preserving solution for the processes that FATF guidelines will soon mandate for all VASPs. Upon the conclusion of the Cryptocurrency Travel Rule Compliance Conference and Hackathon, one thing was apparent. The industry might not be ready to meet the requirements of the FATF guidelines by the Summer of 2020. However, a user’s personal information will be shared among VASPs, whether the user’s privacy is protected or not.
Cryptocurrency users must remain vigilant. Exchanges are in a tough position between satisfying regulators, protecting private information, and gaining business through fewer customer checks. Ultimately, it’s up to the user to protect themselves.