Unchained - Why The Travel Rule Is One Of The Most Significant Regulations In Crypto - Ep.184

Dave Jevans, CEO of CipherTrace, and Siân Jones, Senior Partner at XReg Consulting, give the lowdown on the Financial Action Task Force’s travel rule and how it applies to businesses in the crypto space. They discuss: their background and journey into crypto what the travel rule is the consequences for countries that are not compliant whether the regulation will apply to staking providers in the future the type of companies and transactions that will be covered under the travel rule the type of

  • Play Speed:
Content Keywords: baseline requirement coin holders recipient
Youtube Link
00:00:00
WEBVTT Kind: captions Language: en [Music] hi everyone
welcome to unchained your no hype resource for all things crypto
i'm your host laura shin subscribe to unchained on youtube where you can watch
the videos of me and my guests go to youtube.com c unchained podcast
and subscribe today crypto.com is waiving the 3.5 credit
card fee for all crypto purchases until the end of september download the
crypto.com app today tcorum is a weekly virtual series about all things tazos
every wednesday join thought leaders innovators and blockchain enthusiasts
for presentations about the latest advancements that help the ecosystem
grow together sign up and learn more about the virtual series at tquorum.com
today's topic is the travel rule here to discuss are dave jevins ceo of
cyphertrace and sean jones senior partner at x-ray consulting
welcome dave and sean hi hi laura hello dave hey laura great to be with you
before we start disclosure that ciphertrace has been a sponsor of my shows
to begin let's have each of you explain what you do
and how you came to work in crypto dave do you want to start
sure be happy to um laura as you know i'm ceo of ciphertrace
we are a company that helps make cryptocurrency
safe and compliant our customers are banks their cryptocurrency exchanges and
their government agencies including regulators
and law enforcement and uh you know i got into crypto
well quite some time ago in the early days of bitcoin
well actually if i recall i believe you kind of got into digital currency well
before bitcoin even existed can you talk a little bit about that i did yeah
i got interested in cryptocurrency in 1999 i would say as sort of you know as
the cypher punk movement was kind of starting to trail off a little bit
and i got to go to the early uh financial uh cryptography conferences so
i was at the one in 2000 on anguilla i got to meet the early folks at digicash
uh david chalm i got to meet the e-gold guys who were building a gold-backed
digital currency mondex which at the time was was uh was being promoted by
mastercard and also the zero knowledge guys from montreal who eventually that
technology is now some of the foundational technology for
zero knowledge proofs that are used in c cash great and so then can you just
bring us up to how it is that you started cypher choice
sure so i got interested in bitcoin in 2011. so a little late to the game but i
did start tracking and reporting how the price of bitcoin related to
cryptocurrency crimes primarily break-ins into exchanges
um but there were some other ones as well and you could see a linear correlation
between the price of bitcoin it would drop 30 40 the day
after a major crypto theft and i would report that every year at the
electronic crime conference so i started back then
um we were doing some early mining as well building custom
mining rigs liquid cooling that kind of stuff as a hobby
you know you make a few tens of bitcoins you know 100 bitcoin that kind of thing
back then in 2015 i uh i had finished i sold a couple of security companies and
fintech companies and um i was presenting on bitcoin and bitcoin security and
effectively i had a customer come up and say hey we would like you to build this
we said well okay yep great so we got into it in 2015 with an initial customer
was a government customer who wanted to help find um criminals
effectively but from there we've really grown the company and the technology to
help cryptocurrency exchanges with compliance
um working with regulators on compliance and more recently
working with financial institutions so that
they can help validate cryptocurrency companies and help expand the banking
relationships between crypto companies and the banks because it's clear these
are merging and they're both i think very symbiotic worlds that are
going to help drive crypto forward in a big way
and sean what about you can you explain what you do and also your backgrounds
and how you came to work in crypto well i i've always thought of myself as
the methuselah of uh bitcoin but i just realized dave you
you beat me by two years so i i my career is 48 49 years in
i.t in fact going back to the era of steam computing probably
and i have been largely involved in security and information security through
my career until i finished my corporate career i guess around 2012-13 i
started to get interested in this new use case for
crypto pretty much a bit like dave i guess started getting involved in
in meetups this was uh where i was living at the time in the united kingdom
uh and suddenly before i knew it because
of my more recent then recent experience
in the regulated space folks were asking me for advice sort of
one foot in the old regulated world understanding that and a lot of startups
who wanted to understand how they might be impacted
um going forward but from there i got involved in
public policy work in the uk in whitehall and westminster and then
in the european uh parliament in brussels and from there i was
uh tempted away from being in the uh from being a poacher to becoming a game
keeper i was asked by the government of gibraltar to architect the
um what has then become the regulatory framework that i architected uh came into
force in the beginning of 2018 so the idea was to do it just for virtual
currencies but during the the period of architecting we opened that up
to to to cover a broader range blockchain so it became a dlt provider
license and i guess today you would find analogies between
the way we defined it then a dlt provider and what is now known as
a vasp in this current vat of regulated world
and so um that came into force other countries then
started to follow suit and in 2018 in august 18 i sorry august 19
i my tenure as a public servant came to an end i
started to approach retirement with that i
picked up the mantle of being a poacher once more
and came back into the private sector and uh x-ray
is now working uh with governments with public authorities such as regulators
and financial intelligence units in the public sector
but also working with vast in the in the
private sector and really working around regulatory policy and the whole
area of operationalizing regulation uh and we're a team of uh of six all
former regulators now uh uh all former poachers who are now
a merry band of poachers so at the beginning of this episode i did
talk about how the subject for today's episode will be the travel rule and i
think this is one of those topics that is bringing into focus one of the main
fears that the cryptocurrency industry or really community maybe more
have about how the space will develop which is regulation and this is kind of an
on-the-ground implementation of a new regulation that i think will
vastly change how people transact in cryptocurrency or at least what happens
on the back end when they do um and probably also frankly will drive changes
in behavior or at least um drive some of the evolution and and also
the technology that is used to uh to perform cryptocurrency transactions
so um just to give people the lay of the land here because we're
going to be using a lot of terms that some people will never have heard yet um
including such as the travel rule as i mentioned
um but let's maybe just give the high level overview and define some
terms so you mentioned uh the fitfatf financial action task force we talked
about the travel rule um you also sean did bring up the term already virtual
asset service provider or vasp so can why don't we just define
these terms so people know what they are going forward and then we'll
dive into more detail let's first of all look at the financial action test for
spatter fatigue is a an intergovernmental um body that has its origins uh
oh more than 30 years ago it was set up by what was then the
the g7 or g8 now the g20 and it was set up specifically
um at the behest of the few major nations that saw a problem
uh with uh drug trafficking and felt that if they could address the source of
funds the flow of funds i should say the movement of funds they could
um somehow beneficially uh impact this seemingly
intractable problem of drug trafficking and that's the origins of this thing so
it was set up as a body as an international standards body
to set the rules for anti-money laundering
that was it those were its origins and those rules have been updated a few times
and the remit of the organization has been expanded so
now that after 9 11 that was expanded to include
countering terrorist financing uh and more recently
uh countering the prolife the financing for the of the
proliferation of weapons of mass destruction a very
catchy sort of title but a very clear objective there
and of course now it has an impact on money laundering that's associated with
not just drug trafficking and uh terrorist financing and so forth but it
also has an impact on those who um are involved in human trafficking on
those who are involved in uh trafficking of of uh
animals and and and so on so the remit has has has widened over time it should
perhaps be seen as an organization that although it's um it's got a title
of its own it has its own secretariat it's really made up of its members
and those members are countries and they're the 39 major countries of
uh of the world were 37 countries and two groupings
of countries such as the european uh commission and it's involved in um
setting the rules not just for those 39 members but the anti-money laundering
rules for some 205 countries around the world this is through a kind of extended
network of organizations so in effect pretty much every country
in the world is required to follow those standards
those standards they may be called the fat of recommendations but
as i have called it before they're really recommendations with consequences so
countries have to follow them and you could think of it as a kind of
quasi-treaty organization setting those rules
and it sets those rules for for banks for financial institutions
for other kinds of industries such as casinos or
lawyers or accounting firms real estate firms and so forth but it also um now
has clarified it did so in october 2018 clarified that its rules its standards
also applied to virtual assets and virtual asset service providers
and earlier when you said there are consequences for countries that don't
enforce it is it primarily financial or economic consequences that they face
i mean it used to run a system of country blacklists in other words those
countries that didn't comply with the standards and that would make it difficult
for example for banks in those countries to do business with banks
in those countries that did comply with the standards
um it it enforces if you like its standards by a
process of peer review the countries um periodically go and assess each other
to really two two things firstly whether
they've got the technical means in other words whether they follow the letter of
the recommendations that they've got the laws in place
and the powers and so forth to um to enforce uh and also how effective
they are in other words you may have the laws but do
actually you know make that stuff happen and it carries out those assessments uh
currently in a sort of 10-year cycle and you can pretty much assume that
every country is assessed once every 10 years on its uh how it complies and how
effective it is at complying with those rules okay and so now let's talk to
let's talk about the travel rule because this is what's going to
i think set in motion quite a bit of change across the industry so what is
the travel rule well let's uh let let's understand one
thing first of all the travel rule is just one part of one of 40 recommendations
so it's by no means the the only thing that
is affecting vasps and just to be clear about it but it is a vast
that's a pretty broad definition that's been added but
in the main think about exchanges think about
custodians custodial wallet providers for example but it does cover a range of
other activities essentially anyone who is intermediating in
in the virtual asset ecosystem and virtual assets really go beyond just
cryptocurrencies again it's another wide one of those wide definitions and would
it apply to staking providers because i believe staking is going to become a
much bigger part of the industry in the coming years
the the short answer to that is maybe they're not defined specifically but
depending on their role and their function
it may well have that they may well be considered a
a service provider yeah and then what either types of companies or
transactions would not be covered by the travel rule like i know
for with tax purposes there was a question at a
certain time about whether or not crypto to crypto
transactions would be taxed in the same way that crypto fiat is
there any distinction for things like that or like you know what
what falls within the purview and what falls outside
so so there's no distinction between fiat crypto crypto fiat on the one hand
and cryptocrypto on the other um all kinds of those intermediate functions
uh are activities that come into scope of fatima's
broad set of recommendations so pretty much all the 40 recommendations
now apply to bass and that includes things like having to be licensed or
registered not only in one's home jurisdiction but also in potentially
in jurisdictions and which one operates that's i think something that's not yet
fully fully uh appreciated across the industry
because different countries will apply this differently
think of the fact of rules the fact of recommendations as a baseline so
countries will and already are starting to put their own gold plating to those
baseline rules but looking just at your question
around the travel rule the travel is is is not unique
to crypto it's not unique to virtual assets and bus
this is the same rule that is applied to
banking and financial institutions where
if you imagine transferring money across borders your bank in one country is
required to gather some information hold that information but also to
transfer for that information if you like or certain information certain
mandated information to travel with the transaction to the
institution at the receiving end the beneficiary yet
and essentially that is that base rule has simply been widened out to include
transactions between vasts and what is the information that has to be provided
well there's certain required information such as identifying the
originator of the transaction and that has to be verified information so that's
essentially kyc'd information from the originating vasp the sending bas
if you like about its client its customer uh and also details and and that's
including things like name potentially their national
identifier maybe a passport number for example maybe their address
and not necessarily all of those things but
enough to identify who that person might be and and that has to be verified in
relation to the sender the originator and also
information about who the intended beneficiary is although that doesn't
have to be verified by the originating vesp
and that information has to travel now in the
traditional world of bank transfers um messages are sent between banking
institutions and so it's very easy for that
additional information that's required to travel with the instruction to make a
payment but in crypto of course it doesn't work like that the
transfer of value happens differently on the blockchain
uh and well hey there's nowhere that you can just append that information nor
i suggest would it be wise to do so so that's presented immediately some very
significant challenges for the industry those are challenges which maybe we'll
talk about later on but the industry has certainly come together to
to start to resolve and in short order of time it hasn't been given a lot of
time to to do this yeah and what is the deadline dave do you know
well there's no specific deadline so every country
sets its own regulations so it's going to be country by country
based on their timelines and how they interpret the
regulatory guidance from the fatif so for example in the united states says
that since 2015 or thereabouts every cryptocurrency company
should have been in compliance already so they would say that they have
you've been given a grace period of four to five years
where we haven't come after you it was mentioned in the rippled
um issue back in several years ago but it wasn't the main focus of that
investigation and uh and order but it was mentioned at the end
but if you talk to finson in the united states they would say that every
cryptocurrency in the united states has been under this regulation
for at least five years in switzerland it's already in place although it goes
far further than um the requirements in the united states to include
personal transfers in and out of exchanges and vasps
singapore is starting enforcement actions as well so they say we'll look at it
it takes it back now and you have to do it
but so there's no specific global time frame it's really when countries start to
um adopt it integrated into their regulations
another example is the united kingdom they intend to do it but it is not
it is not regulated at this time with the fca
and just to understand a little bit more about which transactions
will be covered by this rule let's say i'm a customer
at one exchange like gemini i send money to my friend and they want
it sent to their kraken account and also fyi uh disclosure kraken was a
sponsor of my show then the exchanges will send the info
but if i let's say that i'm a customer gemini but i send it to my friend's
self-custodial wallet then no information gets sent and if so
how does gemiini know who the recipient how does gemini know
that one of them is going to you know this other custodial wallet and
that or in the case of the other transaction that that's not a custodial wallet
yes so the this is one of the large technical problems
that need to be solved so how do i know for across all virtual currencies
hundreds and hundreds and hundreds of virtual currencies and chains
how do i know um whether it's a personal wallet or uh or um a custodial wallet
so that's first one um do i know i have to send it or not
and um same on the inbound so when i get the transaction do i know that it came
from a personal wallet or do i have to wait for this
information to arrive to me from some other
vasp or exchange what have you to come in so that is one of the
challenges another challenge is and then you know there's a lot of technical
detail around it so how do you do it without creating a global list of every
address that belongs to every exchange so preserving privacy is a big issue
that we've been working on we believe privacy is is of a dramatic importance
you know this simple idea is well we'll just create a database or a blockchain
of everybody this is not in or for various reasons a good idea
and then you have other problems around how do i know who's of aspen how do i
know who isn't and what country are they in and how do i stop ones from spoofing
each other so that i can reap all of the data
pretend to be a vast who hasn't signed up yet
get all the customer data from other people so there's a quite a number of
security and privacy issues that have to be dealt with and of course
it has to be cross-chained it has to be global and so these are the
technical challenges that combined with the regulatory that
you know we've been working on as an industry okay so i just want to make
sure the audience has caught on essentially anytime there's a transaction
between two custodians meaning two exchanges or two wallets that are
both custodial wallets then this information will be sent and if
at you know either for the sender or the recipient that
it's someone transacting using their own private keys managing their own keys
then the information will not be sent but then i also want to make sure so it
sounds like depending on the jurisdiction that the
types of information being sent will differ and it sounds like you know your
identity is a key piece of it and who you're transacting with
is also a key piece but then in terms of other things like when you said in
switzerland that they also include your transaction
history a little bit or something uh that's no they don't include
transaction history but they're extending it to
um self-custodial wallets where you have to make declarations about who you are
so they've taken it beyond fast to vasp they're stretching the boundary
to look at you know extending it to more self-custodial wallets which is
you know challenging and obviously not a great not a great thing in my opinion
and and actually seemingly out of character for the
famous book of switzerland from uh 11 or 12 years ago yes all right
so okay but in but in terms of the basics it's who you are
who you're transacting with and i'm presuming the amount of the transaction
the date stuff like that correct and a transaction id so that you
can correlate it to the blockchain transaction
right one sort of addition to that i i think it goes beyond just custodial
wallets although that is the easiest way to think about it
if you've got some sort of intermediary function at the other end or one or
other end then you're you're effectively caught if
there is an intermediary at both ends so there's got to be a vast raw
definition of a vast think about every kind of financial intermediary in the
traditional world and you kind of got the analogy there so
it it probably is more than just exchange well it is more than just
exchanges and custodial wallet providers
um and uh and there has to be a vast but
at either end that's that's the baseline requirement so if it's
vast to user individual uh or user to er to vasp or or it's
a peer-to-peer user-to-user then that's outside the scope but if there's an
inventory there it's called is there any minimum
transaction threshold or is this for any transaction even it's for a dollar
or something well potentially it could be for even if it's a dollar
the rules are that information has to be captured
uh about a customer so essentially a customer has to be
kyc to some degree there are degrees of of of how much kyc is done depending on
on value and risk and a whole set of factors
but um that has to be done at the start of a what's known as a business
relationship essentially if you open the account you
sign up with someone that could be could constitute a the start of a
business relationship and if if you've started that business
relationship you've got to be kyc you may never perform a transaction
subsequently clearly of course if you don't perform a
transaction no information has to to be transferred there are provisions
which say well if it's a one-off and what's known as an occasional
transaction if it's a one-off you haven't signed up you're just
performing a single transaction um then there is a threshold which interestingly
for crypto is set by fat of lower than it is for most other sectors
but essentially anything that's below a thousand dollars or a thousand euros
has a one-off transaction where there's no
sort of pre-sign up no commencement of a business relationship
then then it would fall outside but it's up to countries they can
stipulate lower values or even a zero value so it's quite feasible that a
particular country and there clearly are some who are going beyond the baseline
and saying you know we want it for everything
well and then there's also countries like the united states who go above and say
it's 000 us dollars it's not a thousand euros we where they're setting their
limit higher saying you know if it's under 3 000 then
you don't have to do this okay well that's a little bit more um
generous or comforting probably to a lot of people in the crypto community
um so in a moment we're going to talk about how all this information will be
sent because as dave did allude to it brings up a lot of questions around
security and privacy but first a quick word from the sponsors who make this
show possible looking for a place to connect with thought leaders innovators and
blockchain enthusiasts of every level welcome to tquorum a weekly virtual
series about all things tazos each week will feature presentations
about the latest advancements from baking and staking and developer
tooling to d5 projects and community content that will help the ecosystem grow
together this year tcorum will be opening up its podium to you
if you're interested in presenting submit your ideas and the taisos
community will vote on who they'd like to hear from next
sign up and learn more about the virtual series at tcorum.com
how much in fees are you paying for your crypto purchases
crypto.com is waiving the 3.5 credit card fee for all crypto purchases
which means you can buy crypto with a zero percent fee
apart from your crypto purchases you can also get a great deal on food and
grocery shopping too get up to ten percent back on ubereats
mcdonald's domino's pizza walmart and many more when you pay with
your mco visa card no card on the crypto.com app buy gift cards
and get up to 20 back from merchants like whole foods
safeway burger king papa john's and domino's
download the crypto.com app today and enjoy these offers till the end of
september back to my conversation with dave jevins and sean jones
so as we discussed earlier there's a lot of sensitive information
being sent and it's a lot of valuable information
so i'm curious to know if and as we talked about this is basically
replicating what the banking system already does
so what do banks use and is that a system that crypto companies could use
or you know what options are they looking at so banks today typically for
international funds transfer use the swift system
so that means effectively any kind of instruction
whether it's payment instructions but also stock clearing on an international
basis uh go through swift there are over 4 000
banks directly connected to it but there
are also corporations as well so you can join swift
as a private corporation they have a whole set of messaging standards
in fact you can even move check images and things if people are still using
checks so they have all these messaging standards and i would i feel like
this um approach is really trying to mimic that although i think
nobody in the crypto industry wants a centralized
solution could you use swift i suppose so but it will incur a lot of cost um
because every message is not free it's expensive um you still have to have
directories how to look people up does this address belong to this
exchange or to a um a privately uh custodian wallet
so all of that stuff would still be an issue
um i'm not sure everyone wants all of you know every crypto transaction to be
routed through either um manassas which is near dulles airport in the united
states or through lahore in belgium because that's where
every message goes through if you're on the swift system we
think that a much more of a peer-to-peer type of model which will help
contain privacy contain breaches make it more attack resilient as a better model
and so what are some of the different standards right now
when i was doing research for this i came across so many uh safer trace has
your open source solution teresa coinbase
is about to come out with a white paper for a peer-to-peer joint bulletin board
maintained by exchanges which has participation from some of the other
big exchanges like gemini bittrex and kraken and the i also saw bitco has an api
travel rule solution no to bene i just launched to
to provide such a thing coolbitx also did so
ing is proposing something then there's these
other kind of like open standards that i found intervasp and openvasp
um why don't we actually why don't we just do this dave do you want to just
tell us about teresa and then we can talk a little bit about
some of these other exchanges or these other solutions yeah so i think
that in my view there's about four different
what i would call open efforts that are um that are going on so there's inter
bass which sean can speak to uh quite a bit because she was on the
leadership team of that which is um developing messaging formats so what
do the messages actually look like that contain the information
and i think pretty much i would say most
people in the industry have standardized around
that as a standard for the message contents
then you have the overall message flow which is how do you discover
is is it a private wallet is a is it a custodial wallet where
are they how do i communicate with them and there's
in my view there's there's pretty much two and maybe two and a half
open efforts there one is the trisa which is the travel information sharing
architecture it's i mean we've contributed to it but there's you know
every time we have a call there's 36 companies every week working on it
so there's it's it's not a cyber trace product or anything it's an open
initiative that you know we're helping with the other one is openvasp
which has been led primarily by bitcoin swiss um so that is again
looking at an open methodology for exchanging this information for doing
peer discovery and having a directory and um we work very closely so the truth
working group the open best working group work together and we're working on
interoperability of the messaging standards and the
directory and how those would integrate i would say a third one is bip 75 so
that is being promoted by a private company called netkey but it is an
open standard definition that's been around for some period of time
and when you say 75 you mean a bitcoin improvement proposal
correct oh yes yes so that's been around for several years now um
was not designed to solve this problem but has been the people have been
working on it justin and others at netkey have been working on it to
um to to move it into this direction and to build that those to me or the what i
would consider what i know of the open efforts where you have multiple
companies and then there's the coinbase one which is
i'm really u.s centric u.s centric exchanges does not deal with the global
problem of discovery was initially a peer-to-peer mechanism
but to try to get some prototype out they've gone to a
private bulletin board system to publish addresses so i don't think it's a
scalable global solution and they would never say it is they're
saying we want a proof of concept to show us regulators that we're doing
something that we can solve this problem in the united states
you know it's not designed at this point as a global solution
that may change but that's not where it is right now
everything else you mentioned as far as i understand are private companies
who have built proprietary solutions that are closed
um many countries specific like cool bit x's really larged it
largely aimed at the asian market and they'll if they'll tell you they want to
be the swift of the space they make no bones about it they want to run every
message through them um shift has another model which uh
is is pretty cool and they're working on
interoperability with some of these open standards but
again you know run by a private company and many of these other ones that you
mentioned are private company specific things so
what i think the takeaway is several really open efforts around standards
interoperability and then private companies
offering the things in their own country and therefore there will not be one
solution there will have to be interoperability
it's you know it's going to be a free market which is great because anyone who
wants to build solutions can but it does mean that for the foreseeable future
there are going to be 5 10 15 who knows solutions out there which means
interoperability is going to be critical this thing is not going to start next
year and suddenly be solved we have other issues which we call the
sunrise problem we'll talk about that later if you wish
well yeah why don't we just start with the first one about
how there isn't going to be one single solution
and how actually some of these um basically are more decentralized some of
them are seem more kind of crypto and then some of them see more you know
traditional kind of vc startupy just from a logistical standpoint it seems
like it would be pretty burdensome on countries if there were you know five or
several different solutions that they had to use right because
well you tell me so let's see so let's say that um you know
i'm coinbase and i'm sending to or that one of my customers wants to
send to their friend who uses kraken then uh kraken maybe uses
let's say a different travel role solution provider than coinbase so
then how how does that information get shared do they just have to both adopt
the other's solution to or or what the reality
is that a vast i mean it's not i think so much troublesome for countries it's
probably not troublesome at all for countries they they
they're agnostic on the question uh it's troublesome for vasps
because um you know i think dave is right at the moment
i've certainly counted uh in excess of 15 projects out there
the different broad categories that dave has outlined
and you know some of them will will make it to market some of them will not make
it tonight um but others may emerge and in fact we
we've seen even over the last year folks who weren't in the running at the
beginning if you like as this uh issue emerged have have joined the
fray and you've mentioned a couple of mainstream
uh financial institutions that are involved in in
in their solutions um pretty much though across the board
there isn't a si there is no obvious single solution out there and i would echo
dave's comment i don't think it would be a good thing necessarily but
having 15 is also not good because the costs of trying to connect
up to 15 different solutions and the complexity involved in that and
indeed the discovery exercise and you've got the challenge of figuring out
whether uh you're you're going to be involved in a transfer of value
with a wallet at the other end that has a vast associated with it
then you've got the problem of discovering who that vast is
and and now you've got the problem of also discovering
um which networks or which solutions they're employing these
this is a whole cascade of issues certainly when we started the
uh the intervas project this was uh its proper title was the uh
intervas messaging standards and this was partly to short-circuit
some of the challenge uh associated with having many different systems
so we said well you know the the way the data will get from one vast
to another will be solved by different solutions
one or a few may emerge as the leading solutions
and then maybe in the open space they may be in the
very closed networks that some uh vasps are building between one another
and or they may be in the proprietary space or combination
any which way you cut it at the end of the day it's the same amount of data the
same pieces of information that have to move from one vasp to another
and it would save an awful lot of time if that data payload were
defined in a standard way that a vast at the sending end would know that
regardless of where in the world that value is being transferred to
the information that goes with it can be understood understood as was intended
and the the receiving vast can can get this information and understand how this
bits the name this is the city where they live oh this is a passport number
this is a date of birth just to be able to understand that
forgetting for a moment that not the whole world speaks
the same language yet alone uses the same character set so there are a lot of
things that a technical standard which is what
the interval messaging standard 101 ibm s101 was about
was really to short-circuit that and make it possible
for the payload data whatever however that is transferred
to be understood as intended you're saying inter-vasp will make it so that
it doesn't matter if gemini and kraken are using different
um kind of front-end solutions because the information in them will be
standardized absolutely you're right it's not an it's not a solution at
all it is simply a technical standard you know it's a it's a document that's
published that says this is how the name is set out this is how to deal
with a scenario where uh than the original name is in korean
but you have to communicate this to someone who's in switzerland for example
this is what a date of birth looks like in other words
you know is it the year first the month second and the date third or
how how is that constructed so that everyone involved in that
information sharing exercise uh can at least understand the data they can send
it knowing that it can be understood and it can be received knowing that it's
coming to you in a way that was intended okay so actually maybe it
won't be as burdensome if different custodians are using different software
but another major concern i imagine a lot of people in the crypto community
will have is how this will be secured especially if
there does end up being redundancy where for whatever reason
you know we find that even for one transaction you have two different solution
providers having to send the information for
various reasons i mean it just creates more places where people's information
can be compromised and you know the other scenario is also not
super um comforting where perhaps maybe there will be one solution that
tends to be the dominant one and sees almost all the transaction flow in it
anybody who gains access to that will have access to extremely valuable
information so how is security being handled for
these uh different systems so we've put a lot of thought
into security around systems architecture
on the trisa project so ciphertrace has contributed to it but
mit a whole bunch of exchanges and others have really thought about it
quite a bit and definitely a centralized exchange
our centralized data exchange model uh we believe believe is very dangerous
it's counter to crypto i not only as you point out laura is it something that
you know if somebody were able to get into it and the information were not end
to end encrypted and the middleman could look at it
absolutely it could be a privacy disaster
um but also it's it's also availability so if let's say the world went to a
centralized system even if it wasn't and encrypted and they
couldn't intercept the messages it's a potential ddos attack for a
nation state or anyone else who wants to take crypto offline
so if you have one centralized service that if you want to transfer between
vasps well if you want to take crypto out just
kill that thing for a long period of time and no one can send money between
vasps anymore so there's either that or they'll just
do it without without complying with the fed of rules but anyway
well sure absolutely um so that's a thing so we believe that it needs to be
peer-to-peer exchange of the information so that create what
that does is it creates resilience because
there's no central place to take it out it means that you're only exchanging the
information with the person that you have
the vast the counterparty that you have to send it to
now then the other benefits of this is if you have a directory service that
you can look up these vasps around the world and then understand what their
information protection at least requirements are or profiles or
what have you then you can start to make decisions about do i
feel comfortable sending my customers information to this vast and some you know
companies won't and so one of the things that we've been working on on the trisa
project as well as with open basp is a direct and the gdf the global
digital foundation digital conference foundation is we've been working
on a one a questionnaire and a verification uh process for who is a vasp
where are they what is their jurisdiction what protocols do they
support so as we've talked about you're going to have to support multiple
for some period of time if not forever and and how what are the end points of it
what is the security of it what are the certificates digital certificates around
it but also what is your basic information security policy
so not how you do it but um information about how do you protect
the customer's data and then i think that helps that helps
vasps as we move into this world to determine
i feel comfortable sending my data to this company that's going to
hopefully protect it or not i don't feel
comfortable therefore we're not going to allow direct basketball
transfers to xyz company in some country that has no data protection
and one other thing i wanted to ask about was here we've been talking about
cryptocurrencies this whole time but the fat off did release a long report
all about what they kept calling so-called stable coins throughout the
report they never just they never just called it stable coins
um even in the title they called it so-called stable coins um anyway i call it a
so-called report i don't know why they didn't just go with the term but anyway
um so you know i didn't fully really understand in the report
how this would affect because i mean they did make the
distinction between centralized and decentralized stable coins um but even
with the centralized table coins they were saying well there generally is
a team that you can identify that launched the coin
um but even for like a centralized stable coin it wasn't totally clear to
me what exactly those creators of those stable coins would need to track
is it that every time somebody creates a tether that
uh the um the parent company which i think is
iphone x or it's somehow related i'm just blanking on the company
that they would need to track who that is and then do they need to track where
they send their tethers initially or you know how does that all work and then
as far as i can tell i believe also these rules could even imply to
central bank digital currencies or do those get a pass because they
represent fiat or you know how does all this apply outside of cryptocurrencies
so taking the last point first as central bank digital currencies are
outside of scope they're expressly excluded from the
definition of a virtual asset pretty much everything else that you've
mentioned whether whether they're considered to be stable coins of limited
scope or whether they're so-called global stable kinds of global scope
is really beside the point uh they they do fall within scope and i think if you
look at the direction of travel you can assume
that if you're someone who makes a buck on the back of some
transaction you're going to be the one somehow along the line that is going to
be brought in to into scope so true digi something that's truly
decentralized where nobody's making any money nobody's
gaining from the process uh other than the users
uh the sender and the recipient uh i think you're going to assume that that
that definition over time is going to suck in more and more people
we're also going to get more and more imaginative about how they decentralize
stuff and if you're looking to make some money out of decentralized stuff
you're going to be sucked back in and there's an inevitability to that i think
and but what about centralized stable coins
you know what do those creators have to do
uh in terms of tracking information or sending information on
well of course if it's within their ecosystem they may be the vast at both
end so of course they've got the information
on both both customers if when we're both holders both stable coin holders uh
if however it's moving between vasps or between the um between the issuer
and a vast the the issuer is almost certainly going to be considered a vast
of some sort so you've got a vast vast transfer and you
you're caught by the same requirements to capture certain information
to verify that information that was to do the kyc the
due diligence stuff uh and um uh where there's another vasp at the
other end you're to have to send the required information that is the
information about your verified customer as the sender and
the intended recipient and it's then up for the bus but the other end to do due
diligence on his customer but only at the creation redemption
points right it wouldn't be like every tether is being tracked you
know as it changes hands until it gets redeemed or nothing like that
if it changes hands between uh between uh one vasp and another
then that information moves that travels if we're looking at the travel rule
implication and if uh that chain is broken in other words
there's not a vast but one end or the other then
subject to certain national variations which i think dave's already mentioned
switzerland which is a very clear variation on the baseline but
in broad terms if it breaks the chain because there's not a vast at both ends
then you may only need to keep information about your customer
and you don't have to send any of that information right but
what i'm saying is tether itself the company does not
have to do it for every step they only do it at the creation or redemption
points yeah that's my understanding now what the the effectively the
you know the recommendation doesn't go into great detail it basically says
all that stuff we wrote about applies here
that's really pretty simply what it says okay so
it turns out to some extent around the nuances
of it i think you know right now it's not dealing
with creation of cryptocurrency it's not dealing with mining of crypto it's not
dealing with issuance it's really about when there's an end user customer moving
at information back and forth now so for example if you think about like
stable coins as a settlement mechanism between vasps
maybe maybe not so you probably don't you know it's not really a per customer
thing it's a settlement end-of-day type of settlement mechanism um
you probably don't have to probably just say i'm vast i'm the customer i'm the
best but you're the recipient you're the best but
you probably don't have to bundle 500 people's stuff into it
as far as we know but i think it's open for interpretation at this point in time
i i take a slightly different view on that i think that um the the settlement
if you think about the traditional financial services world there's the
the communication of the of the of the payment instruction you know
bank a telling bank b make these funds available to someone that's quite
separate from the settlement between the banks but if you're talking about
the the so the information that has to flow in the traditional world
goes with that payment instruction and i think every movement of value
between two parties where there's a vast body
involved at either end that information about sender and receiver has to
has to move regardless of whether there's some kind of net settlement mechanism
but the placing of um of liquidity say between vasps um
that isn't about uh an underlying transaction
that that probably won't attract there's no information to transfer with it
so i think you can always look to the banking sector to look for the analogies
because actually that's all they've done is take the existing rules and
say they also apply to virtual assets to crypto
and hey industry you work it out and countries you work out how you
regulate your vasps to make sure they comply with your rules
um one other thing i wanted to ask about was how you thought that
this rule would affect privacy coins particularly on
exchanges i mean obviously if a privacy coin is
on an exchange well yeah i don't know how this applies to
something like monero but you know with zcash there's a public and there's a
shielded transaction but i did see that the korean arm of
ok x d listed its privacy coins most likely due to fat f rules next
last fall so in general i wondered if you had any prognostication on what this
would mean for privacy coins yeah i mean it applies you know i work
with zcash i would say every week um with the electric coin
company you know is one of the you know major
players in the z cash space um you know they would argue that
zcash natively supports the travel rule because you can
you know attach information with a view key that could actually literally move
with the transaction but i mean this would apply to every
every privacy coin as well remember we're talking about an out-of-bound
transactional information exchange before you do the
actual blockchain transaction so to be compliant whether it's monero zcash dash
or anything else that's yet to be invented
if it's you have to be able to identify is it to a vast
or a private wallet and if it's to a vast you have to send that information
and correlate it with a transaction so that it can be correlated at the
receiving end and and the extension of that is that if you can't do that
then you can't affect that transfer of value
if you're a vasp and you you're unable to meet that criteria
whatever the circumstances but obviously there are very specific challenges in
being able to do that with shielded transactions or with those uh enhanced
privacy coins that simply don't that that shield effectively
all movement then you you simply can't support that
uh that transfer because you can't comply with the law in your country
it can certainly provide trading facility so for example you buy
as an exchange you buy monero from you know a known vendor or a miner you
can certainly support trading on your platform the ability for
people to buy and sell and make money etc it's the transfer in and
out by private individuals that would be uh would fall under this regulation
so you know one thing that i'm sure you guys have been watching in recent months
that i feel is really developing between the crypto community
or or at least a certain segment within the crypto community and analytics
companies is a certain kind of antagonism because
of the general cypherpunk philosophy and of this new world that we're
entering where cryptocurrency is going from the fringes
to becoming adopted by the mainstream and
here we're just talking about basically applying some
pretty basic tenants of the banking system to cryptocurrencies
and so i was wondering especially dave i think for you
you were talking about you how you have these roots in the cypherpunk world
and i wondered how you square this work that your company is doing
with the cypherpunk philosophy and if you have any opinion on that um
relationship that i talked about between the community and
and the this new world that we're entering i don't think anyone
wanted in our opinion at least in my opinion in the crypto side nobody wanted
this move i think there's way better ways to
deal with this in my view which are much more cryptocentric which aren't
you know folks who spent 35 years regulating banks
but that's the world that we're in i think there's far better
ways to to solve this problem to be honest
um and maintain way better privacy and not spew
people's information all around the world to
vasps that you don't know about i but this is the world
we live in so i have two choices i can either say
i'm gonna do nothing and let the regulators do whatever and not be
technically informed or i can step in as a technical person who
understands the privacy constraints and and be involved and create the bridge
between the community and hopefully and you know influence
them to think about privacy influence them to think about
um the implications and also the um unintended consequences of what they're
proposing because let's face it there's a lot of
unintended consequences that are come out going to come out of this that are not
what they intended so it's either stand back and let a
train wreck happen or at least try to like help some way to represent the
community to bring it in to help influence it to
bring the privacy community to bring the
you know the privacy coin community into it to work with them
that was my choice so what are some of those unintended consequences that you
believe could happen well i mean the first one is you're spraying people's
information all around the world you've now made it highly valuable to
break into smaller companies because you're going to be able to identify
people around the world so i think it's a big privacy
problem you've just basically taken protecting people's data and made it
let's say a thousand times more difficult because you're going to have a
thousand vasps out there that are going to have
other people's data that aren't their customers
that's a big one i think the second one is going to be
um well then everyone will just move everything to private wallets
why would you do vast past transactions your transaction fee will be doubled but
um or more but you know move everything to a private wallet and then send it on
and then none of this makes any sense anyway so there's a lot of different
implications out there i mean we also are going to have
um the sunrise problem which is that this regulation
is going to be implemented country by country it's going to take years to get
implemented different countries will implement it differently
so what does that mean if there's enforcement in one country
let's say singapore or the united states decides to enforce
strictly and like actually start binding people does that mean that if france
hasn't implemented it you can't send money there
so does that create a restriction in them in the market you know no longer
have global liquidity so none of these in my view are positive
so these are all unintended consequences there's others too but
yeah there's a lot that needs to be thought through and this is why
i chose to get involved and ciphertrace chose to get involved because it's
either stand away and let it let people who don't know anything about it like
define it or at least help be an industry representative
in the room literally and figuratively in the room with these people to try to
show them here's the problems here's alternate
solutions and here's the problems that you're going to see
and face and you know we were asked to list it we worked with
50 different vasps and others you know we work closely with coinbase and others
just to and other vasps as well around the world to try to get their
issues with it and represent that out so that hopefully we can influence
policy in a positive way that doesn't you know destroy the
fundamental value of crypto and speaking more about the unintended consequences
it did occur to me that this maybe would spur more developments in privacy
technology or more usage of privacy technology such as mixers or
um it might drive it might drive certain groups of people who transact in
cryptocurrency to simply cash out in less compliant jurisdictions
or and and broadly probably there's just going to be a lot more people
absolutely without a doubt there will be regulatory arbitrage both among users
and companies who want to move to less regulated jurisdictions
absolutely and they should but that's just going to happen it's just it you know
it's a balloon you squeeze it in one place and it'll grow
in another you can't stop you can't stop crypto what
and you shouldn't yeah it should be available
it should be available to everyone i you know we just unfortunately have this
you know this world of financial controls that are out there
that are only going to get more stringent they're applying to crypto i
would rather them take a view which is more more enlightened which is
there's ways to solve this problem that aren't throwing people's customer
data all around the world that aren't assigning account numbers that aren't
changing the way that we do crypto that you know i'd rather see that emerge but
that's not going to happen unless people like us are involved in that
that discussion because otherwise they're just going to slap all the
banking regs on and that's what we're going to have is this thing's going to
look like a glorified you know wire transfer system
yeah and one other thing i imagine is that this will probably prompt a lot
more people to manage their own keys so um there's there's kinds of uh
i don't know there's probably uh both good and bad uh
to that um but i did want to ask a little bit more about the sunset thing
because or or just in general like you know what do you think the next few years
as this gets implemented what will that look like and and are there any other
major milestones that are on the horizon that people should be
on the lookout for i think uh you've got to look at this deadline question
that you asked a wee while ago that dave is quite right there was no sort of
deadline the deadline was back in october 2018 when
the when the recommendations were changed and it became countries became obliged
to do something about it okay took till summer of 19 before
there was the guidance for countries that might explain what that could look
like but as has already been said those guidelines are pretty high level
and so countries well you've got advanced countries who have
folks who understand this stuff the us has a regime that already supports this
and and the u.s fincen says these rules have applied
forever and certainly since they clarified the position
five years ago now something like that but other countries that have absolutely
nothing in place and so the sunrise problem emerges because
in reality you've got 200 deadlines as each country
brings in its own laws and sets its own deadlines that
vasps now have to comply well there are countries
probably around 30 35 countries that have now done something to bring the
recommendations the global recommendations into their national legislation
but quite a few of those have either not brought in anything yet for the travel
rule because they know there are no solutions out there so they can't
or they have brought them in but have simply said look
we're not going to enforce them or we're giving some regulatory
forbearance until a solution is available
and keep the pressure on the industry to actually solve all these many different
challenges so that you end up with an end-to-end
a perfect solution but you're still going to have countries bringing them in
one this month one next month three the month after and so on and so on
and if you look at how the travel was brought into the
banking sector that was exactly the same problem it applied in in some countries
very quickly the majority of countries took another
two or three years to bring in the legislation and then start to uh bring in the
regulations to support it and then you had the stragglers who took
up to what i think seven eight nine years before they had all
complied and this is not going to be any different than that
meanwhile you've got vast all over the world who have this asymmetry in
regulation not only the requirement to be licensed
or registered in their own jurisdictions
the possibility that they may have to be licensed or registered in
some other jurisdictions because those countries then say
oh well if you're if you've got a customer in our country even though
you're not based here you still also have to be
regulated in our country and then you've got the
mismatch over the travel rules some countries will
have the legislation in place the rules in place
other countries may not so you know it takes two basks to tango and yet one
one verse be subject to rules and the other one hasn't got any rules yet to
apply and this is going to be an ongoing story and itself
a a challenge a challenge of uncertainty a challenge of uh asymmetry and
enforcement and um to be honest many of the
solutions that are out there today are only part of them i think dave has very
eloquently made the point that some of the solutions are
geographic you know those for the us and north america on the one hand
those in asia on the other hand different solutions that certainly not yet
um global in nature and not comprehensive in nature not end to end
and meanwhile amidst all that confusion you've got data that's being thrown
around in an unregulated way and that it also
is a huge challenge i couldn't agree with dave moore the
um the privacy issues are massive they are the same privacy issues that
happen with banks you know your bank will send your information to
a i don't know a bank in brunei or in uh or in north korea
or well probably not north korea but um certainly in some other part of the
world and your information about the fact you sent this money to someone is is
is held by that bank you don't know who that bank is you don't necessarily know
what's going to be done with that information
but it's certainly a much bigger problem when you think that this is going to
apply to an unlimited range of virtual assets so
in the payments world there are 200 and some currencies thereabouts you've got
thousands of virtual assets today we could be talking
in 10 years time there's a part of me that kind of hopes it'll happen but you
could be talking about a hundred thousand uh different kinds of
virtual assets especially when you start to think about
this applying not just to to cryptocurrencies but to a whole
raft of digitized assets of one form or another they would still qualify as
virtual assets and you've got vasps who are not
yet regulated in the way the banking sector is regulated
globally to global standards and then you've got a raft of different
privacy requirements uh eu obviously with gdpr but you're seeing
other jurisdictions now with their own flavors of of privacy rules
and they have to be mapped on to all of the same stuff it's
it's going to it's going to keep me occupied right the way up to
and probably beyond my retirement all right and dave did you want to add
anything uh i mean i think it's important for industry to get involved
so more exchanges more companies that are either doing analytics or anybody
who's doing currency swap services this is going to affect
all of those companies and we'd like to see more engagement
more education you wouldn't believe the number of exchanges that i talked to on
a weekly basis who've never heard of it and it's oh yeah
no it's coming and this can be the end goal can be served
without breaking krypton without you know spreading people's information
all over the world and i think this sunrise problem is a big one um
i think we're gonna see five years of turmoil around this thing
um the good news is i think many come countries recognize there aren't good
solutions we've educated them that the sunrise problem
exists it's now in their vernacular they talk about it every time there's a
meeting so that's good they understand that you know this isn't easy it's not
trivial and i think there will be forbearance on hopefully on
enforcement and let the industry come up with better ideas better solutions
yeah i think to its credit this industry has mobilized super fast and super well
um yes i agree that there are a lot of folks who still don't really
understand what the what the requirements are going to be
even if they've heard of it they don't understand all of the implications
and that itself is is a challenge but if you look across industry
you've seen it get together very fast on
various projects that we've talked about in this program and also on
technical standards such as the interval standards you know
to get an international standard on messaging in the
traditional world might take three years it was done in 18 19 weeks and this
industry has stepped up to the challenge but
let's be absolutely clear dave is 101 right on this one um this is going to go
on for years and it's going to be in a state of flux and how it settles in five
to ten years time will not necessarily be how it looks like today
yeah if there's anything i've learned covering crypto it's that this industry
moves very fast um so we will have to see how this all plays out it
does sound like it will be a little bit messy but hopefully
um it will actually maybe not be as scary and a transforming of the industry as
people expect or hope okay so where uh can people learn more about
each of you and your companies and also about the travel rule
well um the the information about the uh the flat of recommendations in their
entirety which include uh which of course include the travel
rule can be found on the fat of website you can google that that of uh
virtual assets guidance you'll it'll come up in the top top couple of
search results um in terms of the technical standard the interval
messaging standard ibm s101 that we talked about it's free to download
uh any vasp anywhere in the world anyone with an interest can download it from
intervasp.org and anyone who wants to find out
more from those of us who are in the industry helping folks
well you can see the uh the name there x-ray
x-ray dot consulting um and and and you can reach us uh reach us that way dave
yeah so i mean i think everybody who's listening probably knows i'm at cypher
trace so you can catch me over there um but on the open
standard side of things the working group the governance model
look at trisa.iaos so that's t-r-i-s-a so travel information sharing alliance
dot io and you can find github over there to get open source you can find
various articles and white papers about security models threat models
how these things work and then also i would recommend
intervasp sorry open vast investment as uh as sean said but also openvasp
so look up openvas and look up their standards as well and
um also the bip75 uh are all open uh standards as well great well thank
you both so much for coming on unchanged thank you so much for joining us today
to learn more about dave and sean and cypher trace and x-rag
as well as the travel rule be sure to check out the show notes for this
episode don't forget you can now watch video recordings of the shows on the
unchained youtube channel go to youtube.com c unchained podcast
and subscribe today unchained is produced by me laura shin
with help from anthony yoon daniel nuss and the team at clk
transcription thanks for listening you
Translate the current page