Dave Jevans, CEO of CipherTrace, and Siân Jones, Senior Partner at XReg Consulting, give the lowdown on the Financial Action Task Force’s travel rule and how it applies to businesses in the crypto space. They discuss:

  • their background and journey into crypto
  • what the travel rule is
  • the consequences for countries that are not compliant
  • whether the regulation will apply to staking providers in the future
  • the type of companies and transactions that will be covered under the travel rule
  • the type of information that has to be provided
  • how banks comply with the travel rule and whether crypto companies can use the same system
  • the different open standards available for sharing information
  • how the information will get shared between entities who use different travel rule solution providers
  • the “sunrise problem” in which different companies implement their compliance systems at different times
  • the security of user data being shared between different entities
  • how it applies to central bank digital currencies and centralized stablecoins
  • how the rule would affect privacy coins
  • the inherent contradiction between the cypherpunk philosophy and regulatory compliance
  • unintended consequences of the travel rule
  • how the travel rule may play out in the coming years

A glossary of terms discussed in the episode: 

FATF: Financial Action Task Force, an intergovernmental organization that develops policies to combat money laundering and terrorist financing

VASP: virtual asset service providers, who are custodial entities that run fiat-to-crypto or crypto-to-crypto exchanges, or run businesses related to transfer and safekeeping of virtual assets and financial services.

FinCEN: Financial Crimes Enforcement Network, the United States federal bureau that analyzes information about financial transactions in order to fight money laundering, terrorist financing, and other financial crimes

FCA: Financial Conduct Authority, the financial regulatory body of the UK

Thank you to our sponsors! 

Crypto.com: https://www.crypto.com 

Tezos: https://tquorum.com/

Episode links: 

Dave Jevans: https://twitter.com/davejevans

CipherTrace: https://ciphertrace.com/

Sian Jones: https://twitter.com/COINSULT

XReg Consulting: https://www.xreg.consulting/

Financial Action Task Force (FATF): https://www.fatf-gafi.org/

The Osaka conference where crypto got serious about FATF’s travel rule: https://www.coindesk.com/inside-the-osaka-conference-where-crypto-got-serious-about-fatfs-travel-rule

Will Osaka be crypto’s Bretton Woods moment? https://forkast.news/will-osaka-be-cryptos-bretton-woods-moment/

InterVASP Messaging Standard: https://intervasp.org

OpenVASP: https://openvasp.org

OpenVASP white paper: https://openvasp.org/wp-content/uploads/2019/11/OpenVasp_Whitepaper.pdf?cache=1

FATF report on “so-called stablecoins”: http://www.fatf-gafi.org/media/fatf/documents/recommendations/Virtual-Assets-FATF-Report-G20-So-Called-Stablecoins.pdf

OKEx’s Korea arm delisted privacy coins: https://www.theblockcrypto.com/post/39724/okex-korea-delisting-all-privacy-coins-including-monero-zcash-and-dash-as-these-violate-fatfs-travel-rule

Some of the potential FATF compliance solutions:

Travel Rule Information Sharing Alliance (TRISA): https://trisa.io/

Coinbase’s messaging board solution: https://www.theblockcrypto.com/daily/72293/coinbase-exchanges-fatf-travel-rule-solution

CoolBitX: https://www.theblockcrypto.com/post/56853/coolbitx-raises-16-75m-series-b-to-help-crypto-exchanges-comply-with-fatfs-travel-rule

Notabene: https://www.coindesk.com/crypto-identity-startup-notabene-launches-trust-framework-for-fatf-travel-rule

ING: https://www.coindesk.com/in-banking-first-ing-develops-fatf-friendly-protocol-for-tracking-crypto-transfers https://blog.chainalysis.com/reports/fatf-12-month-virtual-asset-review-2020

Recent travel rule meeting: https://www.coindesk.com/fatf-meets-wednesday-to-discuss-travel-rule-for-digital-assets

Bitcoin Improvement Proposal (BIP) 75: https://github.com/bitcoin/bips/blob/master/bip-0075.mediawiki

Transcript:

Laura Shin:

Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host, Laura Shin. Subscribe to Unchained on YouTube where you can watch the videos of me and my guests. Go to YouTube.com/C/UnchainedPodcast, and subscribe today.

Crypto.com

Crypto.com is waiving the 3.5% credit card fee for all crypto purchases until the end of September. Download the Crypto.com app today.

Tezos

TQuorum is a weekly virtual series about all things Tezos. Every Wednesday, join thought leaders, innovators, and blockchain enthusiasts for presentations about the latest advancements that help the ecosystem grow together. Sign up and learn more about the virtual series at TQuorum.com.

Laura Shin:

Today’s topic is the Travel Rule. Here to discuss are Dave Jevans, CEO of CipherTrace, and Siân Jones, Senior Partner at XReg Consulting. Welcome, Dave and Siân.

Siân Jones:

Hi, Laura. Hello, Dave.

Dave Jevans:

Hey, Laura. Great to be with you.

Laura Shin:

Before we start, disclosure that CipherTrace has been a sponsor of my shows. To begin, let’s have each of you explain what you do and how you came to work in crypto. Dave, do you want to start?

Dave Jevans:

Sure, be happy to. Laura, as you know, I’m CEO of CipherTrace. We are a company that helps make cryptocurrency safe and compliant. Our customers are banks. They’re cryptocurrency exchanges, and they’re government agencies, including regulators and law enforcement, and you know, I got into crypto, well, quite some time ago in the early days of bitcoin.

Laura Shin:

Well, actually, if I recall, I believe you kind of got into digital currency well before bitcoin even existed. Can you talk a little bit about that?

Dave Jevans:

I did. Yeah, I got interested in cryptocurrency in 1999, I would say, as the cypherpunk movement was kind of starting to trail off a little bit, and I got to go to the early financial cryptography conferences. So I was at the one in 2000 in Anguilla. I got to meet the early folks at DigiCash, David Chaum. I got to meet the E-gold guys who were building a gold-backed digital currency, Mondex, which, at the time, was being promoted by MasterCard, and also the zero-knowledge guys from Montreal who…eventually, that technology is now some of the foundational technology for zero-knowledge proofs that are used in Zcash.

Laura Shin:

Great, and so then can you just bring us up to how it is that you started CipherTrace?

Dave Jevans:

Sure. So I got interested in bitcoin in 2011, so a little late to the game, but I did start tracking and reporting how the price of bitcoin related to cryptocurrency crimes, primarily break-ins into exchanges, but there were some other ones, as well, and you could see a linear correlation between the price of bitcoin. It would drop 30, 40% the day after a major crypto theft, and I would report that every year at the Electronic Crime conference.

So I started back then. We were doing some early mining, as well, building custom mining rigs, liquid cooling, that kind of stuff. It was a hobby. You know, you make a few tens of bitcoins and you know, 100 bitcoin, that kind of thing back then. In 2015, I had sold a couple of security companies and FinTech companies, and I was presenting on bitcoin and bitcoin security, and effectively, I had a customer come up and say, hey, we would like you to build this, and we said well, okay, yeah, great. So we got into it in 2015 with an initial customer.

It was a government customer who wanted to help find criminals, effectively, but from there, we’ve really grown the company and the technology to help cryptocurrency exchanges with compliance, working with regulators on compliance, and more recently, working with financial institutions so that they can help validate cryptocurrency companies and help expand the banking relationships between crypto companies and the banks, because it’s clear these are merging, and they’re both I think very symbiotic worlds that are going to help drive crypto forward in a big way.

Laura Shin:

And Siân, what about you? Can you explain what you do and also your background and how you came to work in crypto?

Siân Jones:

Well, I’ve always thought of myself as the Methuselah of bitcoin, but I just realize, Dave, you beat me by two years. So my career is, what, 48, 49 years in IT. In fact, going back to the era of steam computing probably, and I have been largely involved in security and information security through my career until I finished my corporate career.

And I guess around 2012 / ’13, I started to get interested in this new use case for crypto, and pretty much, a bit like Dave, I started getting involved in meet-ups. This was where I was living, at the time, in the United Kingdom, and suddenly, before I knew it, because of my more recent, then recent experience in the regulated space, folks were asking me for advice, sort of one foot in the old regulated world, understanding that.

And a lot of startups who wanted to understand how they might be impacted going forward, but from there, I got involved in public policy work in the UK and Whitehall and Westminster and then in the European Parliament in Brussels, and from there, I was tempted away from being a poacher to becoming a gamekeeper. I was asked by the government of Gibraltar to architect what has then become the regulatory framework that I architected came into force in the beginning of 2018. So, at that time…

Laura Shin:

You mean for cryptocurrencies?

Siân Jones:

At the time, the idea was to do it just for virtual currencies, but during the period of architecting…we opened that up to cover a broader range of blockchain. So it became a DLT provider license, and I guess today, you would find analogies between the way we defined it then. A DLT provider is now known as a VASP in this current vat of the regulated world, and so that came into force. Other countries then started to follow suit, and in 2018, in August ’18…sorry, August ’19, my tenure as a public servant came to an end. I started to approach retirement.

With that, I picked up the mantle of being a poacher once more and came back into the private sector, and XReg is now working with governments, with public authorities, such as regulators and financial intelligence units in the public sector, but also working with VASPs in the private sector and really working around regulatory policy and the whole area of operationalizing regulation, and we’re a team of six, all former regulators, now all former poachers, who are now a band of merry…we started off being gamekeepers, but we’re now a merry band of poachers. Let’s put it that way.

Laura Shin:

So, at the beginning of this episode, I did talk about how the subject for today’s episode will be the Travel Rule, and I think this is one of those topics that is bringing into focus one of the main fears that the cryptocurrency industry or really community, maybe more, are having about how the space will develop, which is regulation, and this is kind of an on-the-ground implementation of a new regulation that I think will vastly change how people transact in cryptocurrency, or at least what happens on the back end when they do and probably also, frankly, will drive changes in behavior, or at least drive some of the evolution in the technology that is used to perform cryptocurrency transactions.

So, just to give people the lay of the land here, because we’re going to be using a lot of terms that some people will never have heard yet, including such as the Travel Rule, as I mentioned, but let’s maybe just give the high-level overview and define some terms. So you mentioned the FATF, Financial Action Task Force. We talked about the Travel Rule. You also, Siân, bring up the term already, virtual asset service provider, or VASP. So why don’t we just define these terms so people know what they are going forward, and then we’ll dive into more detail?

Siân Jones:

Sure. Well, let’s, first of all, look at the Financial Action Task Force, FATF. FATF is an intergovernmental body that has its origin, oh, more than 30 years ago. It was set up by what was then the G7 or G8, now the G20, and it was set up specifically at the behest of the few major nations that saw a problem with drug trafficking and felt that if they could address the source of funds…the flow of funds, I should say, the movement of funds, they could somehow beneficially impact this seemingly intractable problem of drug trafficking, and that’s the origins of this thing.

So it was set up as a body, as an international standards body, to set the rules for anti-money laundering. Those were its origins, and those rules have been updated a few times, and the remit of the organization has been expanded. So, now, after 9/11, that was expanded to include countering terrorist financing, and more recently, countering the financing of the proliferation of weapons of mass destruction, a very catchy sort of title, but a very clear objective there.

And of course, now it has an impact on money laundering that’s associated with not just drug trafficking and terrorist financing and so forth, but it also has an impact on those who are involved in human trafficking, on those who are involved in trafficking of animals, and so on. So the remit has widened over time. It should perhaps be seen as an organization that, although it’s got a title of its own, it has its own secretariat. It’s really made up of its members, and those members are countries, and there are 39 major countries of the world.

Well, 37 countries and 2 groupings of countries, such as the European Commission, and it’s involved in setting the rules, not just for those 39 members, but the anti-money-laundering rules, for some 205 countries around the world. This is through a kind of extended network of organizations. So, in effect, pretty much, every country in the world is required to follow those standards, and those standards, they may be called the FATF recommendations, but as I’ve called it before, they’re really recommendations with consequences.

So countries have to follow them, and you could think of it as kind of a quasi treaty organization setting those rules, and it sets those rules for banks, for financial institutions, for other kinds of industries, such as casinos, lawyers, or accounting firms, real estate firms, and so forth, but it also now has clarified…it did so in October 2018. Clarified that its rules, its standards also apply to virtual assets and virtual asset service providers.

Laura Shin:

And earlier, when you said there are consequences for countries that don’t enforce it, is it primarily financial or economic consequences that they face?

Siân Jones:

I mean, it used to run a system of country blacklists. In other words, those countries that didn’t comply with the standards…and that would make it difficult, for example, for banks in those countries to do business with banks in those countries that did comply with the standards. It enforces, if you’d like, its standards by a process of peer review. The countries periodically go and assess each other to do, really, two things. Firstly, whether they’ve got the technical means.

In other words, whether they follow the letter of the recommendations. That they’ve got the laws in place and the powers and so forth to enforce, and also how effective they are. In other words, you may have the laws, but do you actually, you know, make that stuff happen? And it carries out those assessments currently in a sort of 10-year cycle, and you can pretty much assume that every country is assessed once every 10 years on how it complies and how effective it is as complying with those rules.

Laura Shin:

Okay, and so now let’s talk about the Travel Rule, because this is what’s going to I think set in motion quite a bit of change across the industry. So what is the Travel Rule?

Siân Jones:

Well, let’s understand one thing. First of all, the Travel Rule is just one part of 1 of 40 recommendations. So it’s by no means the only thing that is affecting VASPs, and just to be clear about it, what is a VASP? That’s a pretty broad definition that’s been added, but in the main, think about exchanges. Think about custodians, custodial wallet providers, for example, but it does cover a range of other activities. Essentially, anyone who is intermediating in the virtual asset ecosystem. Virtual assets really go beyond just cryptocurrencies. Again, it’s another one of those wide definitions.

Laura Shin:

And would it apply to staking providers, because I believe staking is going to become a much bigger part of the industry in the coming years?

Siân Jones:

The short answer to that is maybe. They’re not defined specifically, but depending on their role and their function, they may well be considered a service provider, yeah.

Laura Shin:

And then what either types of companies or transactions would not be covered by the Travel Rule? I know with tax purposes, there was a question at a certain time about whether or not crypto-to-crypto transactions would be taxed in the same way that crypto-to-fiat. Is there any distinction for things like that or like, you know, what falls within the purview and what falls outside?

Siân Jones:

So there’s no distinction between fiat-crypto / crypto-fiat, on the one hand, and crypto-crypto on the other. All kinds of those intermediated functions are activities that come into scope of a broad set of recommendations. So, pretty much, all the 40 recommendations now apply to VASPs, and that includes things like having to be licensed or registered not only in one’s home jurisdiction, but also, potentially, jurisdictions in which one operates.

That’s I think something that’s not yet fully appreciated across the industry because different countries will apply this differently. Think of the FATF rules, the FATF recommendations as a baseline. So countries will, and already are, starting to put their own gold plating to those baseline rules, but looking just at your question around the Travel Rule, the Travel Rule is not unique to crypto. It’s not unique to virtual assets and VASPs.

This is the same rule that is applied to banking and financial institutions where, if you imagine transferring money across borders, your bank in one country is required to gather some information, hold that information, but also to transfer, for that information, if you’d like, or certain information, certain mandated information to travel with the transaction to the institution at the receiving end, the beneficiary end, and essentially, that base rule has simply been widened out to include transactions between VASPs.

Laura Shin:

And what is the information that has to be provided?

Siân Jones:

Well, there’s certain required information, such as identifying the originator of the transaction, and that has to be verified information. So that’s essentially KYC, the information from the originating VASP, the sending VASP, if you like, about its client, its customer, and also details…and that’s including things like name, potentially the national identifier, maybe a passport number, for example, maybe their address, and not necessarily all of those things, but enough to identify who that person might be.

And that has to be verified in relation to the sender, the originator, and also information about who the intended beneficiary is, although that doesn’t have to be verified by the originating VASP, and that information has to travel. Now, in the traditional world of bank transfers, messages are sent between banking institutions, and so it’s very easy for that additional information that’s required to travel with the instruction to make a payment, but in crypto, of course, it doesn’t work like that.

The transfer of value happens differently on a blockchain, and well, hey, there’s nowhere that you can just append that information, nor I suggest would it be wise to do so. So that’s presented, immediately, some very significant challenges for the industry, but those are challenges which maybe we’ll talk about later on, but the industry has certainly come together to start to resolve and in short order of time. It hasn’t been given a lot of time to do this.

Laura Shin:

Yeah, and what is the deadline, Dave? Do you know?

Dave Jevans:

Well, there’s no specific deadline. So every country sets its own regulations. So it’s going to be country by country, based on their timelines and how they interpret the regulatory guidance from the FATF. So, for example, the United States says that since 2015 or thereabouts, every cryptocurrency company should have been in compliance already.

So they would say that you’ve been given a grace period of 4 to 5 years where we haven’t come after you. It was mentioned in the Ripple issue several years ago, but it wasn’t the main focus of that investigation and order, but it was mentioned at the end, but if you talk to FinCEN in the United States, they would say that every cryptocurrency in the United States has been under this regulation for at least five years.

In Switzerland, it’s already in place, although it goes further than the requirements in the United States to include personal transfers in and out of exchanges and VASPs. Singapore is starting enforcement actions, as well. So they say we’ll look at…it takes effect now, and you have to do it. So there’s no specific global time frame. It’s really when countries start to adopt it, integrate it into their regulations. Another example is the United Kingdom. They intend to do it, but it is not regulated at this time with the FCA.

Laura Shin:

And just to understand a little bit more about which transactions will be covered by this rule, let’s say I’m a customer at one exchange, like Gemini. I send money to my friend, and they want it sent to their Kraken account, and also, FYI, disclosure, Kraken was a sponsor of my show. Then the exchanges will send the info, but let’s say that I’m a customer of Gemini, but I send it to my friend’s self-custodial wallet, then no information gets sent, and if so, how does Gemini know that one of them is going to, you know, this other custodial wallet, or in the case of the other transaction, that that’s not a custodial wallet?

Dave Jevans:

Yeah, so this is one of the large technical problems that need to be solved. So how do I know, across all virtual currencies, hundreds and hundreds and hundreds of virtual currencies and chains, how do I know whether it’s a personal wallet or a custodial wallet? So that’s the first one. Do I know I have to send it or not, and same on the inbound. So when I get the transaction, do I know that it came from a personal wallet, or do I have to wait for this information to arrive to me from some other VASP or exchange, what have you, to come in?

So that is one of the challenges. Another challenge…and you know, there’s a lot of technical detail around it. So how do you do it without creating a global list of every address that belongs to every exchange? So preserving privacy is a big issue that we’ve been working on. We believe privacy is of dramatic importance. You know, the simple idea is, well, we’ll just create a database or a blockchain of everybody. This is not, for various reasons, a good idea.

Then you have other problems around how do I know who’s a VASP, and how do I know who isn’t, and what country are they in, and how do I stop ones from spoofing each other so that I can reap all of the data, pretend to be a VASP who hasn’t signed up yet, get all the customer data from other people? So there’s quite a number of security and privacy issues that have to be dealt with, and of course, it has to be cross-chained. It has to be global, and so these are the technical challenges, and then combined with the regulatory, you know, we’ve been working on as an industry.

Laura Shin:

Okay, so I just want to make sure the audience has caught on. Essentially, any time there is a transaction between two custodians, meaning two exchanges or two wallets that are both custodial wallets, then this information will be sent, and if either for the sender or the recipient, that it’s someone transacting using their own private keys, managing their own keys, then the information will not be sent, but then I also want to make sure…so it sounds like, depending on the jurisdiction, that the types of information being sent will differ, and it sounds like, you know, your identity is a key piece of it and who you’re transacting with is also a key piece, but then in terms of other things…like, when you said, in Switzerland, that they also include your transaction history a little bit or something, that’s kind of…

Dave Jevans:

No, they don’t include your transaction history, but they’re extending it to self-custodial wallets where you have to make declarations about who you are. So they’ve taken it beyond VASP to VASP. They’re stretching the boundary to look at, you know, extending it to more self-custodial wallets, which is, you know, challenging and obviously not a great thing, in my opinion.

Laura Shin:

And actually, seemingly out of character of this…

Dave Jevans:

Exact opposite of Switzerland from 11 or 12 years ago, yes.

Laura Shin:

All right. Okay, but in terms of these six, it’s who you are, who you’re transacting with, and I’m presuming the amount of the transaction, the date, stuff like that?

Dave Jevans:

Correct, and a transaction ID so that you can correlate it to the blockchain transaction, right.

Siân Jones:

I will say one sort of addition to that. I think it goes beyond just custodial wallets, although that is the easiest way to think about it. If you’ve got some sort of intermediary function at the other end or one other end, then you’re effectively caught if there is an intermediary at both ends. So there’s got to be a VASP, broad definition of VASP. Think about every kind of financial intermediary in the traditional world, and you kind of got the analogy there. So it probably is more than just…well, it is more than just exchanges and custodial wallet providers, and there has to be a VASP at either end. That’s the baseline requirement. So if it’s VASP-to-user, individual or user to VASP or it’s peer-to-peer, user-to-user, then that’s outside the scope, if it’s an intermediary, it’s caught.

Laura Shin:

Is there any minimum transaction threshold, or is this for any transaction, even if it’s for a dollar or something?

Siân Jones:

Well, potentially, it could be, even if it’s a dollar. So the laws are that information has to be captured about a customer. So, essentially, a customer has to be KYC to some degree. There are degrees of how much KYC is, depending on value and risk and the whole set of factors, but that has to be done at the start of what’s known as a business relationship. Essentially, if you open an account, you sign up with someone. That could constitute the start of a business relationship.

And if you’ve started that business relationship, you’ve got to be KYC. You may never perform a transaction, subsequently. Clearly, of course, if you don’t perform a transaction, no information has to be transferred. There are provisions which say, well, if it’s a one-off…what’s known as an occasional transaction, if it’s a one-off, you haven’t signed up. You’re just performing a single transaction, then there is a threshold, which, interestingly, for crypto, is set by FATF, lower than it is for most other sectors.

Well, essentially, anything that’s below 1,000 dollars or 1,000 euros as a one-off transaction where there’s no sort of pre-signup, no commencement of a business relationship, then it would fall outside, but it’s up to countries. They can stipulate lower values or even a zero value. So it’s quite feasible that a particular country…and there clearly are some who are going beyond the baseline and saying, oh, we want it for everything.

Dave Jevans:

And then there’s also countries like the United States who go above and say it’s 3,000 US dollars. It’s not 1,000 euros. They’re setting their limit higher saying, you know, if it’s under 3,000 dollars, then you don’t have to do this.

Laura Shin:

Okay. Well, that’s a little bit more generous or comforting probably to a lot of people in the crypto community. So, in a moment, we’re going to talk about how all this information will be sent, because, as Dave did allude to, it brings up a lot of questions around security and privacy, but first, a quick word from the sponsors who make this show possible.

Tezos

Looking for a place to connect with thought leaders, innovators and blockchain enthusiasts of every level? Welcome to TQuorum—a weekly virtual series about all things Tezos.Each week will feature presentations about the latest advancements—from baking and staking and developer tooling to DeFI projects and community content—that help the ecosystem grow together. This year, TQuorum will be opening up its podium to you. If you’re interested in presenting, submit your ideas by July 15 and the Tezos community will vote on who they’d like to hear from next. Sign up and learn more about the virtual series at TQuorum.com.

Crypto.com
How much in fees are you paying for your crypto purchases crypto.com is waiving the 3.5% credit card fee for all crypto purchases which means you can buy crypto with a 0% fee apart from your crypto purchases you can also get a great deal on food and grocery shopping. You get up to 10% back on uber eats,  McDonald’s, Domino’s Pizza, Walmart, and many more when you pay with your MCO Visa card.On the Crypto.com app buy gift cards and get up to 20% back from merchants like Whole Foods, Safeway, Burger King, Papa John’s and Domino’s. Download the Crypto.com app today and enjoy these offers until the end of September

Laura Shin:

Back to my conversation with Dave Jevans and Siân Jones. So, as we discussed earlier, there’s a lot of sensitive information being sent, and it’s valuable information. So I’m curious to know, and as we talked about, this is basically replicating what the banking system already does. So what do banks use, and is that a system that crypto companies could use or you know, what options are they looking at?

Dave Jevans:

So banks today, typically for international funds transfer, use the SWIFT system. So that means, effectively, any kind of instruction, whether it’s payment instructions, but also stock clearing on an international basis, go through SWIFT. There are over 4,000 banks directly connected to it, but there are also corporations, as well. So you can join SWIFT as a private corporation. They have a whole set of messaging standards. In fact, you can even move check images and things if people are still using checks.

So they have all these messaging standards, and I feel like this approach is really trying to mimic that, although I think nobody in the crypto industry wants a centralized solution. Could you use SWIFT? I suppose so, but it will incur a lot of cost because every message is not free. It’s expensive. You still have to have directories, how to look people up. Does this address belong to this exchange or to a private custodial wallet? So all of that stuff would still be an issue.

I’m not sure everyone wants, you know, every crypto transaction to be routed through either Manassas, which is near Dulles Airport in the United States, or through La Hulpe in Belgium, because that’s where every message goes through if you’re on the SWIFT system. We think that a much more of a peer-to-peer type of model which will help contain privacy, contain breaches, make it more attack resilient, is a better model.

Laura Shin:

And so what are some of the different standards right now? When I was doing research for this, I came across so many. CipherTrace has your open-source solution TRISA. Coinbase is about to come out with a white paper for a peer-to-peer joint bulletin board maintained by exchanges which has participation from some of the other big exchanges, like Gemini, Bittrex, and Kraken, and I also saw BitGo has an API Travel Rule Solution. Notabene just launched to provide such a thing. CoolBitX also did so. ING is proposing something. Then there’s these other kind of like open standards that I found, interVASP and OpenVASP. Actually, why don’t we just do this? Dave, do you want to just tell us about TRISA, and then we can talk a little bit about some of these other solutions?

Dave Jevans:

Yeah, so I think that, in my view, there’s about four different, what I would call, open efforts that are going on. So there’s interVASP, which Siân can speak to quite a bit because she was on the leadership team of that, which is developing messaging format. So what do the messages actually look like that contain the information? And I think pretty much, I would say, most people in the industry have standardized around that as a standard for the message contents.

Then you have the overall message flow, which is how do you discover if it’s a private wallet? Is it a custodial wallet? Where are they? How do I communicate with them? And in my view, there’s pretty much two and maybe two and a half open efforts there. One is the TRISA, which is the Travel Rule Information Sharing Architecture. I mean, we’ve contributed to it, but you know, every time we have a call, there’s 36 companies every week working on it. So it’s not a CipherTrace product or anything. It’s an open initiative that, you know, we’re helping with. The other one is OpenVASP, which has been led primarily by Bitcoin Suisse.

So that is, again, looking at an open methodology for exchanging this information, for doing peer discovery, and having a directory, and we work very closely. So the TRISA working group, the OpenVASP working group working together, and we’re working on interoperability of the messaging standards and the directory and how those would integrate. I would say a third one is BIP 75. So that is being promoted by a private company called Netki, but it is an open standard definition that’s been around for some period of time, primarily…

Laura Shin:

And when you say BIP 75, you mean a Bitcoin Improvement Proposal?

Dave Jevans:

Correct. Yes. Yeah, so that’s been around for several years now. Was not designed to solve this problem, but the people have been working on it…Justin and others at Netki have been working on it to move it into this direction and to build that. Those, to me, are what I would consider, what I know of, the open efforts where you have multiple companies, and then there’s the Coinbase one, which is really US-centric exchanges. Does not deal with the global problem of discovery. Was initially a peer-to-peer mechanism but to try to get some prototype out, they’ve gone to a private bulletin board system to publish addresses. So I don’t think it’s a scalable global solution, and they would never say it is. They are saying we want a proof of concept to show US regulators that we’re doing something, that we can solve this problem in the United States. You know, it’s not designed, at this point, as a global solution.That may change, but that’s not where it is right now.

Everything else you mentioned, as far as I understand, are private companies who have built proprietary solutions that are closed. Many country-specific like CoolBitX is largely aimed at the Asian market, and they’ll…because they’ll tell you, they want to be the SWIFT of the space. They make no bones about it. They want to run every message through them.

Shift has another model, which is pretty cool, and they’re working on interoperability with some of these open standards, but again, you know, run by a private company, and many of these other ones that you mentioned are private company-specific things. So what I think the takeaway is, several really open efforts around standards, interoperability, and then private companies offering things in their own country, and therefore, there will not be one solution.

There will have to be interoperability. You know, it’s going to be a free market, which is great, because anyone who wants to build solutions can, but it does mean that, for the foreseeable future, there are going to be 5, 10, 15, who knows, solutions out there, which means interoperability is going to be critical. This thing is not going to start next year and suddenly be solved. We have other issues, which we call the sunrise problem. We’ll talk about that later if you wish.

Laura Shin:

Well, yeah, why don’t we just start with the first one about how there isn’t going to be one single solution and how, actually, some of these basically are more decentralized. Some of them seem more kind of crypto, and then some of them seem more, you know, traditional kind of VC startup-y, but just from a logistical standpoint, it seems like it would be pretty burdensome on countries if there were five or several different solutions that they had to use, right, and maybe it’s just that…well, you tell me. So let’s say that I’m Coinbase and one of my customers wants to send to their friend, who uses Kraken. Then Kraken maybe uses, let’s say, a different Travel Rule solution provider than Coinbase. So, then, how does that information get shared? Do they just have to both adopt the other’s solution, too, or what?

Siân Jones:

The reality is that a VASP, it’s not I think so much troublesome for countries. It’s probably not troublesome at all for countries. They’re agnostic on the question. It’s troublesome for VASPs because, you know, I think Dave is right. The moment I suddenly counted in excess of 15 projects out there with the different sort of broad categories that Dave has outlined, and some of them will make it to market. Some of them will not make it to market, but others may emerge.

In fact, we’ve seen, even over the last year, folks who weren’t in the running at the beginning, if you’d like, as this issue emerged, have joined the fray, and you’ve mentioned a couple of mainstream financial institutions that are involved in their solutions. Pretty much, though, across the board, there is no obvious single solution out there, and I would echo Dave’s comment. I don’t think will be a good thing, necessarily.

But having 15 is also not good because the costs of trying to connect up to 15 different solutions and the complexity involved in that and indeed, the discovery exercise…so you’ve got the challenge of figuring out whether you’re going to be involved in a transfer of value with a wallet at the other end that has a VASP associated with it. Then you’ve got the problem of discovering who that VASP is, and now you got the problem of also discovering which networks or which solutions they’re employing.

This is a whole cascade of issues. So when we started the interVASP project…it’s proper title is the interVASP Messaging Standards, and this was partly to short circuit some of the challenge associated with having many different systems. So we said, well, you know, the way the data will get from one VASP to another will be solved by different solutions, one or a few may emerge as the leading solution.

And then maybe in the open space. They may be in the very closed networks that some VASPs are building between one another, or they may be in the proprietary space or a combination, but any which way you cut it, at the end of the day, it’s the same amount of data, the same pieces of information that have to move from one VASP to another.

And it would save an awful lot of time if that data payload were defined in a standard way that a VASP at the sending end would know that, regardless of where in the world that value is being transferred to, the information that goes with it could be understood. Understood was intended, and the receiving VASP can get this information and understand, oh, this bit’s the name. This bit’s the city where they live. Oh, this is a passport number. This is a date of birth.

Just to be able to understand that, forgetting, for a moment, that not the whole world speaks the same language, yet alone uses the same character set. So there are a lot of things that a technical standard, which is what the interVASP Messaging Standard 101, IVMS-101, was about, was really to short circuit that and make it possible for the payload data, however that is transferred, to be understood as intended, and needless to say, most…

Laura Shin:
You’re saying interVASP will make it so that it doesn’t matter if Gemini and Kraken are using different kind of front-end solutions because the information in them will be standardized?

Siân Jones:

Absolutely. You’re right. It’s not a solution at all. It is simply a technical standard. It’s a document that’s published that says this is how the name is sent out. This is how to deal with a scenario where the original name is in Korean, but you have to communicate this to someone who’s in Switzerland, for example. This is what a date of birth looks like. In other words, you know, is it the year first, the month second, and the date third, or how is that constructed, so that everyone involved in that information sharing exercise can at least understand the data. They can send it knowing that it can be understood and it can be received knowing that it’s coming to you in a way that was intended.

Laura Shin:

Okay. So, actually, maybe it won’t be as burdensome if different custodians are using different software, but another major concern I imagine a lot of people in the crypto community will have is how this will be secured, especially if there does end up being redundancy where, for whatever reason, you know, we find that even for one transaction, you have two different solution providers having to send the information for various reasons. I mean, it just creates more places where people’s information can be compromised, and the other scenario is also not super comforting where perhaps maybe there will be one solution that tends to be the dominant one and sees almost all the transaction flow in it. Anybody who gains access to that will have access to extremely valuable information. So how is security being handled for these different systems?

Dave Jevans:

So we’ve put a lot of thought into security around systems architecture on the TRISA project. So CipherTrace has contributed to it, but MIT, a whole bunch of exchanges, and others have really thought about it quite a bit, and definitely a centralized data exchange model we believe is very dangerous. It’s counter to crypto. Not only, as you point out, Laura, is it something that, you know, if somebody were able to get into it and the information were not end-to-end encrypted and the middleman could look at it, absolutely could be a privacy disaster.

But also, it’s also availability. So let’s say the world went to a centralized system. Even if it was end-to-end encrypted and they couldn’t intercept the messages, it’s a potential DDoS attack for a nation state or anyone else who wants to take crypto offline. So if you have one centralized service that, if you want to transfer between VASPs, well, if you want to take crypto out, just kill that thing for a long period of time, and no one can send money between VASPs anymore. So there’s a lot of…

Laura Shin:

Either that, or they’ll just do it without complying with the FATF rules, but anyway.

Dave Jevans:

Well, sure. Absolutely. So that’s the thing. So we believe that it needs to be peer-to-peer exchange of the information. So what that does is it creates resilience because there’s no central place to take it out. It means that you’re only exchanging the information with the VASP counterpart that you have to send it to.

Now, then, the other benefit of this is if you have a directory service that you can look up these VASPs around the world and then understand what their information protection, at least, requirements are or profiles or what have you. Then you can start to make decisions about do I feel comfortable sending my customer’s information to this VASP? And some, you know, companies won’t.

So one of the things that we’ve been working on on the TRISA project as well as with OpenVASP is a direct and a GDF, the Global Digital Foundation, Digital Ecommerce Foundation, is we’ve been working on, one, a questionnaire and a verification process for who is a VASP. Where are they? What is their jurisdiction? What protocols do they support? So, as we’ve talked about, you’re going to have to support multiple, for some period of time, if not forever, and what are the end points of it? What is the security of it? What are the digital certificates around it? But also what is your basic information security policy?

So not how you do it, but information about how do you protect the customer’s data, and then I think that helps VASPs as we move into this world to determine I feel comfortable sending my data to this company that’s going to hopefully protect it or not. I don’t feel comfortable. Therefore, we’re not going to allow direct VASP-to-VASP transfers to XYZ company in some country that has no data protection.

Laura Shin:

And one other thing I wanted to ask about was here we’ve been talking about cryptocurrencies this whole time, but the FATF did release a long report all about what they kept calling so-called stablecoins. Throughout the report, they never just called it stablecoins, and in the title, they called it so-called stablecoins.

Dave Jevans:

You know what I call it, Laura? I call it a so-called report.

Laura Shin:

I don’t know why they didn’t just go with the term, but anyway, so, you know, I didn’t fully really understand in the report how this would affect…because, I mean, they did make the distinction between centralized and decentralized stablecoins, but even with decentralized stablecoins, they were saying, well, there generally is a team that you can identify that launch the coin, but even for a centralized stablecoin, it wasn’t totally clear to me what exactly those creators of those stablecoins would need to track.

Is it that every time somebody creates a tether, that the parent company, which I think is iFinex or it’s somehow related to…I’m just blanking on the company. That they would need to track who that is, and then do they need to track where they send their tethers initially, or you know, how does that all work? And then, as far as I can tell, I believe also these rules could even apply to central bank digital currencies, or do those get a pass because they represent fiat, or you know, how does all this apply outside of cryptocurrencies?

Siân Jones:

Taking the last point first, Central Bank digital currencies are outside of scope, so they’re expressly excluded from the definition of a virtual asset. Pretty much everything else that you mentioned, whether they’re considered to be stablecoin of limited scope or whether they’re so-called global stablecoins of global scale is really beside the point. They do fall within scope, and I think if you look at the direction of travel, you can assume that if you’re someone who makes a buck on the back of some transaction, you’re going to be the one, somehow along the line, that is going to be brought into scope.

So something that’s truly decentralized, where nobody’s making any money, nobody’s gaining from the process other than the users, the sender and the recipient, I think you’re going to assume that that definition, over time, is going to suck in more and more people. Processes are going to get more and more imaginative about how they decentralize stuff, but if you’re looking to make some money out of decentralized stuff, you’re going to be sucked back in, and there’s an inevitability to that I think.

Laura Shin:

But what about centralized stablecoins? You know, what do those creators have to do in terms of tracking information or sending information on?

Siân Jones:

Well, of course, if it’s within their ecosystem, they may be the VASP at both ends. So, of course, they’ve got the information on both customers, both holders, both stablecoin holders. If, however, it’s moving between VASPs or between the issuer and a VASP, the issuer is almost certainly going to be considered a VASP of some sort, and so you got a VASP-to-VASP transfer.

And you’re caught by the same requirements to capture certain information, to verify that information. In other words, to do the KYC and the due diligence stuff, and where there’s another VASP at the other end, you’re going to have to send the required information. That is the information about your verified customer is the sender and the intended recipient, and it’s then up to the VASP at the other end to do due diligence on this customer.

Laura Shin:

But only at the creation redemption points, right? It wouldn’t be, like, every tether is being tracked as it changes hands until it gets redeemed or nothing like that?

Siân Jones:

If it changes hands between one VASP and another, then that information moves. That travels if we’re looking at the Travel Rule implication, and if that chain is broken, in other words, there’s not a VASP at one end or the other, then subject to certain national variations, which I think Dave’s already mentioned Switzerland, which is a very clear variation on the baseline, but in broad terms, if it breaks the chain because there’s not a VASP at both ends, then you may only need to keep information about your customer, and you don’t have to send any of that information to anyone.

Laura Shin:

Right, but what I’m saying, is Tether itself, the company, does not have to do it for every step. They only do it at the creation or redemption points?

Dave Jevans:

Yeah, that’s my understanding. Now, effectively, you know, the recommendation doesn’t go into great detail. It basically says all that stuff we wrote about applies here. It’s really pretty simply what it says. So if you were to think to some extent around the nuances of it, I think, you know, right now, it’s not dealing with creation of cryptocurrency. It’s not dealing with mining of crypto. It’s not dealing with issuance. It’s really about when there’s an end user customer moving that information back and forth.

Now, so, for example, if you think about, like, stablecoins as a settlement mechanism between VASPs, maybe, maybe not. So it’s not really a per-customer thing. It’s an end-of-day type of settlement mechanism. You probably just say I’m the customer. I’m the VASP, and you’re the recipient. You’re the VASP, and you probably don’t have to bundle 500 people’s stuff into it, as far as we know, but I think it’s open for interpretation at this point in time.

Siân Jones:

I take a slightly different view on that. If you think about the traditional financial services world, there’s the communication of the payment instruction, yeah. Bank A telling Bank B, you know, make these funds available to someone. That’s quite separate from the settlement between the banks, but if you’re talking about the…so the information that has to flow in the traditional world goes with that payment instruction.

And I think every movement of value between two parties where there’s a VASP involved at either end, that information about sender and receiver has to move, regardless of whether there’s some kind of net settlement mechanism, but the placing of liquidity, say, between VASPs that isn’t about an underlying transaction, that probably won’t attract…there’s no information to transfer with it.

So I think you can always look to the banking sector to look for the analogies because, actually, that’s all they’ve done, is take the existing rules and say they also apply to virtual assets, to crypto, and hey, industry, you work it out, and countries, you work out how you regulate your VASPs to make sure they comply with your rules.

Laura Shin:

One other thing I wanted to ask about was how you thought that this rule would affect privacy coins, particularly on exchanges. I mean, obviously, if a privacy coin is on an exchange…well, yeah, I don’t know how this applies to something like Monero, but you know, with Zcash, there’s a public, and there’s a shielded transaction, but I did see that the Korean arm of OKEx delisted its privacy coins, most likely due to FATF rules last fall. So, in general, I wondered if you had any prognostication on what this would mean for privacy coins?

Dave Jevans:

Yeah, I mean, it applies. So, you know, I work with Zcash, I would say every week with the Electric Coin Company, you know, who’s one of the major players in the Zcash space? They would argue that Zcash natively supports the Travel Rule because you can, you know, attach information with a view key that could actually literally move with the transaction, but I mean, this would apply to every privacy coin, as well.

Remember, we’re talking about an out-of-band transactional information exchange before you do the actual blockchain transaction. So, to be compliant, whether it’s Monero, Zcash, Dash, or anything else that’s yet to be invented, you have to be able to identify it to a VASP or private wallet, and if it’s to a VASP, you have to send that information and correlate it with a transaction so that it can be correlated at the receiving end.

Siân Jones:

And the extension of that is that if you can’t do that, then you can’t affect that transfer of value. If you’re a VASP and you’re unable to meet that criteria, whatever the circumstances…obviously, there are very specific challenges in being able to do that with shielded transactions or with those enhanced privacy coins that shield, effectively, all movement, then somebody can’t support that transfer because you can’t comply with the law in your country.

Dave Jevans:

Yeah, you can certainly provide trading facilities. So, for example, as an exchange, you buy Monero from, you know, a known vendor or a miner. You can certainly support trading on your platform, the ability for people to buy and sell and make money, et cetera. It’s the transfer in and out by private individuals that would fall under this regulation.

Laura Shin:

So, you know, one thing that I’m sure you guys have been watching in recent months that I feel is really developing between the crypto community, or at least a certain segment within the crypto community and analytics companies, is a certain kind of antagonism because of the general cypherpunk philosophy and of this new world that we’re entering where cryptocurrency is going from the fringes to becoming adopted by the mainstream.

And here we’re just talking about basically applying some pretty basic tenets of the banking system to cryptocurrencies, and so I was wondering, especially Dave, I think for you, you were talking about how you have these roots in the cypherpunk world, and I wondered how you square this work that your company’s doing with the cypherpunk philosophy and if you have any opinion on that relationship that I talked about between the community and this new world that we’re entering? 

Dave Jevans:

Sure. So I don’t think anyone wanted, in our opinion…at least in my opinion in the crypto side, nobody wanted this move. I think there’s way better ways to deal with this, in my view, which are much more crypto-centric, which aren’t, you know, folks who spent 35 years regulating banks, but that’s the world that we’re in. I think there’s far better ways to solve this problem, to be honest, and maintain way better privacy and not spew people’s information all around the world to VASPs that you don’t know about, but this is the world we live in.

So I have two choices. I can either say I’m going to do nothing and let the regulators do whatever and not be technically informed, or I can step in as a technical person who understands the privacy constraints and be involved and create the bridge between the community and hopefully, you know, influence them to think about privacy, influence them to think about the implications and also the unintended consequences of what they’re proposing…

Because, let’s face it, there’s a lot of unintended consequences that are going to come out of this that are not what they intended. So it’s either stand back and let a train wreck happen or at least try to, like, help some way to represent the community, to bring it in, to help influence it, to bring the privacy community, to bring, you know, the privacy coin community into it, to work with them. That was my choice.

Laura Shin:

And what are some of those unintended consequences that you believe could happen?

Dave Jevans:

Well, I mean, the first one is you’re spraying people’s information all around the world. You’ve now made it highly valuable to break into smaller companies because you’re going to be able to identify people around the world. So I think that’s a big privacy problem. You’ve just basically taken protecting people’s data and made it, let’s say, 1,000 times more difficult because you’re going to have 1,000 VASPs out there that are going to have other people’s data that aren’t their customers.

That’s a big one. I think the second one is going to be, well, then everyone will just move everything to private wallets. Why would you do VASP-to-VASP transactions? Your transaction fee will be double or more, but you know, move everything to a private wallet, and then send it on, and then none of this makes any sense anyway. So there’s a lot of different implications out there.

I mean, we also are going to have the sunrise problem, which is that this regulation is going to be implemented country by country. It’s going to take years to get implemented. Different countries will implement it differently. So what does that mean if there’s enforcement in one country…let’s say Singapore or the United States decides to enforce strictly and like, actually start fining people. Then does that mean that if France hasn’t implemented it, you can’t send money there? So does that create a restriction in the market? You no longer have global liquidity?

So none of these, in my view, are positive. So these are all unintended consequences. There’s others, too, but there’s a lot that need to be thought through, and this is why I chose to get involved, and CipherTrace chose to get involved, because it’s either stand away and let people who don’t know anything about it, like, define it, or at least help the industry representative in the room literally and figuratively in the room with these people to try to show them here’s the problems.

There’s alternate solutions, and here’s the problems that you’re going to see and face, and you know, we were asked to list it. We worked with 50 different VASPs and others. You know, we worked closely with Coinbase and other VASPs, as well, around the world to try to get their issues with it and represent that out so that, hopefully, we can influence policy in a positive way that doesn’t, you know, destroy the fundamental value of crypto.

Laura Shin:

And speaking more about the unintended consequences, it did occur to me that this maybe would spur more developments in privacy technology or more usage of privacy technology, such as mixers, or it might drive certain groups of people who transact in cryptocurrency to simply cash out in less-compliant jurisdictions, or and broadly probably, there’s just going to be a lot more people…

Dave Jevans:

Oh, absolutely, without a doubt. There will be regulatory arbitrage, both among users and companies, who want to move to less regulated jurisdictions. Absolutely, and they should, but that’s just what’s going to happen. You know, it’s a balloon. You squeeze it in one place and it’ll grow in another, which can’t stop crypto and you shouldn’t. It should be available to everyone. You know, we just unfortunately have this world of financial controls that are out there that are only going to get more stringent they’re applying to crypto.

I would rather them take a view which is more enlightened, which is there’s ways to solve this problem that aren’t throwing people’s customer data all around the world, that aren’t assigning account numbers, that aren’t changing the way that we do crypto. You know, I’d rather see that emerge, but that’s not going to happen unless people like us are involved in that discussion, because, otherwise, they’re just going to slap all the banking regs on, and that’s what we’re going to have. This thing’s going to look like a glorified, you know, wire transfer system.

Laura Shin:

Yeah, and one other thing, I imagine, is that this will probably prompt a lot more people to manage their own keys.

Dave Jevans:

Oh, that’d be great.

Laura Shin:

So those kinds of…I don’t know, there’s probably both good and bad to that, but I did want to ask a little bit more about the sunset thing, or just in general, what do you think the next few years as this gets implemented, what will that look like, and are there any other major milestones that are on the horizon that people should be on the lookout for?

Siân Jones:

Well, I think you’ve got to look at this deadline question that you asked a wee while ago. That Dave is quite right. There was no sort of deadline. The deadline was back in October 2018 when the recommendations were changed, and countries became obliged to do something about it, okay? Took until the summer of ’19 before there was the guidance for countries that might explain what that could look like.

But as has already been said, those guidelines are pretty high level, and so countries…well, you’ve got advanced countries who have folks who understand this stuff. The US has a regime that always supports this, and the US at FinCEN says these rules will apply forever, and certainly since they clarified the position five years ago now, something like that. There are other countries that have absolutely nothing in place.

So the sunrise problem emerges because, in reality, you’ve got 200 deadlines as each country brings in its own laws and sets its own deadlines that VASPs now have to comply. Well, there are countries, probably around 30, 35 countries that’ve now done something to bring the recommendations, the global recommendations, into their national legislation, but quite a few of those have either not brought in anything yet for the Travel Rule because they know there are no solutions out there.

So they can’t, or they have brought them in, but have simply said, look, we’re not going to enforce them, or we’re giving some regulatory forbearance until a solution is available, and keep the pressure on the industry to actually solve all these many different challenges so that you end up with an end-to-end, a perfect solution, but you’re still going to have countries bringing them in. One this month, one next month, three the month after, and so on and so on.

And if you look at how the Travel Rule was brought into the banking sector, that was exactly the same problem. It applied in some countries very quickly. The majority of countries took another 2 or 3 years to bring in the legislation and then start to bring in the regulations to support it, and then you have the stragglers who took up to, what, I think 7, 8, 9 years before they ever will comply and this is not going to be any different than that.

Meanwhile, you’ve got VASPs all over the world who have this asymmetry in regulation. Not only the requirement to be licensed or registered in their own jurisdictions, the possibility that they may have to be licensed or registered in some other jurisdictions, because those countries then say, oh, well, if you got a customer in our country, even though you’re not based here, you still also have to be regulated in our country, and then you’ve got the mismatch of the Travel Rule.

Some countries will have the legislation in place, the rules in place. Other countries may not. So, you know, it takes two VASPs to tango, and yet one VASP is subject to rules, and the other one hasn’t got any rules yet to apply. I mean, this is going to be an ongoing story in itself, a challenge of uncertainty, a challenge of asymmetry enforcement, and to be honest, many of the solutions that are out there today are only part of them.

I think Dave has very eloquently made the point that some of the solutions are geographic. You know, those for the US and North America. On the one hand, those in Asia. On the other hand, different solutions are certainly not yet global in nature and not comprehensive in nature, not end to end, and meanwhile, amidst all that confusion, you’ve got data that’s being thrown around in an unregulated way, and that also is a huge challenge.

I couldn’t agree with Dave more. The privacy issues are massive. They are the same privacy issues that happened with banks. You know, your bank will send your information to, I don’t know, a bank in Brunei or in North Korea or…well, probably not North Korea, but certainly in some other part of the world, and your information about the fact that you sent this money to someone is held by that bank. You don’t know who that bank is.

You don’t necessarily know what’s going to be done with that information, but it’s certainly a much bigger problem when you think that this is going to apply to an unlimited range of virtual assets. So in the, you know, payments world, there are 200 and some currencies, or thereabouts. You’ve got thousands of virtual assets today. We could be talking, in 10 years time…there’s a part of me that kind of hopes it’ll happen, but you could be talking about 100 thousand different kinds of virtual assets, especially when you start to think about the supply not just to cryptocurrencies, but to a whole raft of digitized assets of one form or another.

They would still qualify as virtual assets, and you’ve got VASPs who are not yet regulated in the way the banking sector’s regulated globally, to global standards, and then you’ve got a raft of different privacy requirements. EU, obviously, with its GDPR, but you’re seeing other jurisdictions now with their own flavors of privacy rules, and they have to be mapped onto all of the same stuff. It’s going to keep me occupied right the way up to and probably beyond my retirement.

Laura Shin:

All right, and Dave, did you want to add anything?

Dave Jevans:

I mean, I think it’s important for the industry to get involved. So the more exchanges, more companies that are either doing analytics or anybody who’s doing currency swap services, this is going to affect all of those companies, and we’d like to see more engagement, more education. You wouldn’t believe the number of exchanges that I talk to on a weekly basis who’ve never heard of it, and it’s…

Laura Shin:

Oh, boy.

Dave Jevans:

Oh, yeah. No, it’s coming…

Laura Shin:

Okay. All right. Well, I think we’ll end on that note.

Dave Jevans:

…they represent privacy, right, and find ways that the end goal can be served without breaking crypto and without, you know, spreading people’s information all over the world, and I think the sunrise problem is a big one. I think we’re going to see five years of turmoil around this thing. The good news is I think many countries recognize they aren’t good solutions. We’ve educated them that the sunrise problem exists. It’s now in their vernacular. They talk about it every time there’s a meeting. So that’s good. They understand the…you know, this isn’t easy. It’s not trivial, and I think there will be forbearance, hopefully, on enforcement, and let the industry come up with better ideas, better solutions.

Siân Jones:

Yeah, I think, to its credit, this industry has mobilized super fast and super well. Yes, I agree that there are a lot of folks who still don’t really understand what the requirements are going to be. Even if they’d heard of it, they don’t understand all of the implications, and that itself is a challenge, but if you look across the industry, you’ve seen it get together very fast on various projects that we’ve talked about in this program and also on technical standards, such as the interVASP standards.

To get an international standard on messaging in the traditional world might take three years. It was done in 18, 19 weeks, and this industry has stepped up to the challenge, but let’s be absolutely clear. David’s 101% right on this one. This is going to go on for years, and it’s going to be in a state of flux, and how it settles in 5 to 10 years time will not necessarily be how it looks like today.

Laura Shin:

Yeah, if there’s anything I’ve learned covering crypto, it’s that this industry moves very fast. So we will have to see how this all plays out. It does sound like it will be a little bit messy, but hopefully, it will actually maybe not be as scary and I guess as transforming of the industry as people expect or hope. Okay, so where can people learn more about each of you and your companies and also about the Travel Rule?

Siân Jones:

Well, the information about the FATF recommendations in their entirety, which, of course, include the travel, can be found on the FATF website. You can Google that, FATF, virtual assets, guidance. It’ll come up in the top couple of search results. In terms of the technical standard, the interVASP messaging standard, IVMS 101 that we talked about, is free to download. Any VASP anywhere in the world, anyone with an interest can download it from intervasp.org, and anyone who wants to find out more from those of us who are in the industry helping folks, well, you can see the name xreg.consulting, and you can reach us that way.

Laura Shin:

Dave?

Dave Jevans:

Yeah, so, I mean, I think everybody who’s listening probably knows I’m at CipherTrace. So you can catch me over there, but on the open standard side of things, the working group, the governance model, look at TRISA.io. So that’s TRISA, so Travel Rule Information Sharing Alliance, dot I-O, and you can find GitHub over there to get open source. You can find various articles and white papers about security models, threat models, how these things work, and then also I would recommend interVASP, as Siân said, but also OpenVASP. So look up OpenVASP, and look up their standards, as well, and also the BIP 75 are all open standards, as well.

Laura Shin:

Great. Well, thank you both so much for coming on Unchained.

Siân Jones:

Thank you very much for having us, Laura.

Dave Jevans:

Thanks, Laura.

Laura Shin:

Thank you so much for joining us today. To learn more about Dave and Siân and CipherTrace and XReg as well as the Travel Rule, be sure to check out the show notes for this episode. Don’t forget, you can now watch video recordings of the shows on the Unchained YouTube channel. Go to YouTube.com/C/UnchainedPodcast and subscribe today. Unchained is produced by me Laura Shin with help from Anthony Yoon, Daniel Nuss, and the team at CLK Transcription. Thanks for listening!