For better or for worse, the cryptocurrency space is coming of age. Since Bitcoin’s rise to mainstream prominence in 2015, there has been increasing recognition of digital assets from government agencies around the world. In turn, new regulations are being imposed to control the way cryptocurrency companies operate and do business globally.
Most recently, the Financial Action Task Force issued new guidelines on how digital assets should be regulated. In order to raise awareness around these requirements, the blockchain security company CipherTrace hosted a conference and hackathon this week in San Francisco dedicated entirely to discussions on the FATF guidelines, also known as the “travel rule.”
The travel rule requires regulators and Virtual Asset Service Providers, such as exchanges from various countries worldwide, to collect and share personal data during transactions. Much like the guidelines followed by traditional banks under the United States Bank Secrecy Act, the travel rule being enforced for crypto firms follow the same requirements as money transmitters do to record identifying information on all parties in fund transfers made between financial institutions.
Yet, unlike traditional financial firms, many cryptocurrency exchanges do not capture personally identifiable information by default. Complying with the travel rule will therefore require significant shifts for businesses operating in the crypto space.
“The new regulations coming from FATF will ultimately change the way crypto companies operate, requiring them to track not only their own customers’ transactions, but also where their customers are sending money to,” Dave Jevans, CEO of CipherTrace, told CryptoX.
One of the main goals of the CipherTrace conference was to gather regulators, banks, crypto companies and programmers together to make sense of the new guidelines, and then build a solution that would allow organizations to easily comply with the FATF rules.
“There are broad implications around privacy, identification of customers, how data works across various blockchains and privacy coins,” said Jevans. “We need to come up with solutions to ensure that companies can easily comply with these regulations, which is what we aim to achieve here.”
Companies must act now
Prior to working on a compliance solution at the hackathon, a number of panels highlighted the themes and main challenges surrounding the FATF regulations. While these rules are not yet legally binding — as the FATF said in a public statement in June that countries have until June 2020 to adopt the guidelines — a broad theme at the CipherTrace conference was that action must be taken immediately. The G-20 stated that it already uses the recommendations for anti-money laundering regulation of cryptocurrencies, so crypto companies that fail to comply with the new regulations are likely to face penalties.
“The consequences for non-compliance could range from a slap on the wrist, to going to jail if a company violates the Bank Secrecy Act,” Carol Van Cleef, CEO of blockchain consulting firm Luminous Group, warned on stage during the legal requirements panel. “No matter how big or small a company is, each has obligations to fulfil under the law.”
Although this may be the case, John Jefferies, CipherTrace’s chief financial analyst, pointed out that many companies operating in the cryptocurrency sphere have yet to comply with the new regulations.
“Many U.S. exchanges may not yet be compliant, but they should be at this time,” Jefferies said. “Moving forward, when Binance or Coinbase completes a transaction for example, they need to send the sender recipient data at the same time with that transaction. Otherwise, they are not in compliance.”
While most crypto companies are not yet compliant with the FATF regulations, Jevans, the CEO of CipherTrace, stressed the importance of getting everyone on the same page.
“Education is the main challenge we have to tackle first,” he said. “We need to know what the FATF laws are, why we should care and what can happen if companies don’t comply.”
The U.S. Treasury Department’s Financial Crimes Enforcement Network emerging technology policy specialist, Carole House, explained the FATF guidelines during her keynote. She highlighted that the guidelines are designed to curb the use of cryptocurrencies for financial crimes by making crypto transactions more traceable, giving regulators increased visibility into both cross-border and domestic currency transfers.
“Crypto companies need to comply with the virtual currency recommendations by the end of June 2020. We’ve already been involved with a number of people from the Digital Commerce Association to provide commentary around accomplishing this,” House stated.
The regulations are clear — now what?
As the FATF regulations were brought to light, a number of challenges around ensuring compliance followed.
For instance, the question of how the FATF guidelines would relate to privacy coins was a pressing issue. One of the stated goals of privacy coins such as Monero and Zcash is to ensure that users have anonymized transactions, so it is questionable how these could be compliant with the new regulations.
During the privacy coin panel, Jack Gavigan, head of product and regulatory affairs at Zcash, asked, “Is compliance possible in relation to privacy coins?”
Answering his own question, Gavigan stated his belief that compliance is indeed possible, as a number of privacy coins are already listed in U.S. exchanges regulated by the Financial Crimes Enforcement Network.
Even though this may be the case, understanding how to abide by the FATF regulations in a way that focuses on privacy while maintaining the decentralized ethos of cryptocurrency and blockchain remains a challenge.
Jake Tarnow, a security software developer at CipherTrace, aimed to solve this problem during the hackathon. His team came up with an impressive solution that aims to keep data anonymous when information is being exchanged between Virtual Asset Service Providers.
“If VASP A is trying to send data to VASP B, we need to know how this can be done in a way that none of the information is in the clear,” Tarnow told CryptoX.
His solution entailed using a zk-SNARK — short for a “zero-knowledge succinct non-interactive argument of knowledge” — a form of cryptography that allows one party to securely reveal that it possesses a piece of information, without actually exposing the information itself.
“By using zk-SNARKs, VASPs can send this information in a bulletproof way, where no one else can pick that up and pull out their proprietary information,” explained Tarnow.
During the hackathon, developers also worked closely with security software gurus to integrate the Travel Rule Information Sharing Architecture into their systems. CipherTrace announced the release of TRISA in September as an open-source, peer-to-peer design for cryptocurrency companies and blockchain projects to comply with the FATF regulations.
TRISA is meant to provide secure, reliable delivery of personally identifiable information, or PII, to the correct VASP, eliminating a huge risk for exchanges. However, sharing PII is prone to spamming, a problem that developers at the CipherTrace hackathon aimed to solve.
“Various backend systems managing PII are vulnerable to spamming, as spammers can get into these systems and start asking people to send PII,” explained Jefferies.
Independent consultant Kenneth Kron and his team won first place in the hackathon for coming up with a solution that introduces PII tokens to prevent spamming in TRISA.
“We want to solve the problem of PII spamming in TRISA by introducing PII tokens and KYC providers who can generate enhanced KYC tokens. If spammers are trying to capture personal information and get a hit, all they get back is a token in this case,” Kron told CryptoX.
All the ingredients for a compliance recipe
Overall, the CipherTrace conference and hackathon gathered a unique mix of individuals to discuss the future of cryptocurrency regulations. The discussions throughout the event demonstrated that action must be taken now to ensure that crypto companies are compliant with the FATF regulations by June 2020.
“We gathered many tribes that do not typically interact, enabling experts from government, exchanges and privacy groups to understand each other’s diverse perspectives,” Jefferies told CryptoX after the conference. “The conversations instilled a sense of urgency in the community and TRISA, while creating an open-source path to meet these tight regulatory deadlines and defend privacy at the same time.”