Back to All Blog Posts

CipherTrace tackles impending FATF crypto ‘travel rule’ obligations with ‘Travel Rule Information Sharing Architecture’ whitepaper

Bitcoin graphics covering the world

Several powerful regulatory and economic bodies have issued guidelines, guidance and statements in recent months that could fundamentally change the nature of crypto transactions and how virtual currency exchanges and other related entities share information on users with each other in a bid to counter financial crime.

But these initiatives, while laudable with the eventual aim to graft the kind of transparency and transaction tracking capabilities as wire transfers through brick-and-mortar banks, also come with a host of technical, operational and systems challenges – critical issues addressed in a CipherTrace whitepaper reviewing the trials and tribulations of the impending “travel rule.”

At the forefront of this change is global anti-money laundering (AML) watchdog, the Paris-based Financial Action Task Force (FATF), which in June updated guidance that includes a “Funds Travel Rule,” for crypto exchanges, which it calls virtual asset service providers (VASPs).

To foster compliance with the upcoming obligations tied to the travel rule, CipherTrace has issued a whitepaper offering a potential solution in the form of a Travel Rule Information Sharing Architecture, or TRISA. To read the full CipherTrace TRISA whitepaper, click here.

The ultimate goal of the TRISA is to “enable compliance with the FATF and FinCEN Travel Rules for transaction identity information without modifying the core blockchain and cryptocurrency protocols,” according to the whitepaper.

“Trying to modify the protocols is bound to fail, as there are many different protocols, and forcing hard forks is simply not feasible,” the whitepaper stated. “A better option involves creating a separate out-of-band mechanism to augment existing blockchains and cryptocurrencies for compliance purposes.”

This whitepaper describes a “peer-to-peer mechanism for VASPs to comply with the respective Funds Travel Rule for transaction identification exchange between originators and beneficiaries,” according to the document.

The new FATF requirement mimics so-called Travel Rules that have for years required financial institutions to share sender and beneficiary information when executing bank wire transfers and SWIFT electronic funds transfers, but come with technical tethers aplenty when attempting to implement the same dynamic for crypto transactions.

Sharing, storing in real, virtual worlds

In short, the new rule requires VASPs to share and store sender (originator) and receiver (beneficiary) information related to cryptocurrency transactions.

Just a month prior to FATF’s seminal June crypto guidance, in May 2019, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) further clarified its guidance to categorize certain VASPs as money service business (MSBs), which means they must now comply with the long-standing Funds Travel Rule under the Bank Secrecy Act (BSA).

The recent FinCEN guidance detailed some of the more arcane areas of crypto compliance, including person-to-person, or P2P, exchanges and what actions and scenarios trip AML rules. In short, if a person exchanges crypto funds to fiat and bank for others and as a business, they are a crypto exchanger and thus must craft a full AML program.

The FinCEN crypto guidance was an update to its historic March 2013 guidance that provided clarity and regulatory certainty for businesses and individuals in the cryptocurrency space.

In its 2013 guidance, FinCEN created and identified three classifications for those engaged in creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies: “users,” “exchangers,” and “administrators.”

Users typically are not subject to AML rules, while exchangers are, with administrators being caught depending on their structures, actions and ability to move value geographically.

As a point of context, the moves by FATF, FinCEN and other watchdog groups come as crypto crime soars into the billions of dollars and global investigators identify and cripple the major money laundering hubs at the nexus of the real and virtual worlds.

In recent years federal law enforcement agencies in the U.S. and other countries have taken down the world’s largest darknet markets, the related exchanges and more recently, crypto tumbling services – operations that attempt to anonymize crypto transactions for a price.

Further cementing that crypto travel information travails are on the horizon is that at the close of their summit held in Osaka, Japan on June 29, finance ministers and central bankers of the G20 economic bloc formally announced their support for FATF’s updated virtual guidelines, including the Travel Rule.

But that requirement comes with inherent technical, privacy and cost challenges.

New rule is ‘impractical, antithetical’

Subsequently, a “number of major voices in the crypto economy have complained that the new rule is not only impractical given current blockchain technology but also antithetical to the pseudo-anonymous nature of cryptocurrencies,” according to CipherTrace.

“Developing a solution that will help VASPs to overcome this compliance challenge presents major technical obstacles,” according to CipherTrace. “For example, trying to modify the existing blockchain protocols is bound to fail, as there are many different protocols, and forcing hard forks is simply not feasible.”

TRISA applies, according to CipherTrace, the “trusted Public Key Infrastructure (PKI) to identify and verify VASPs reliably. It is similar to the way clients and servers establish trusted communication on the web and other internet applications.”

The certificate authority (CA) is the “cornerstone” of trust for PKI, by “issuing trusted digital certificates and managing, distributing, and revoking these certificates,” CipherTrace stated.

“The CA issues digital certificates that identify the entity associated with a given pubic key to ensure users are confidently working with the said entity and not a fraudster posing as the entity,” according to the paper. “PKI is the key to trusted information sharing.”

An uncertain future?

Many pundits, prognosticators and soothsayers have said the end of the Wild West period for crypto coins is nigh, with the compliance sheriff coming to town, which may or may not be a bad thing.

The rollicking sector, as has been shown in recent years, can be abused by criminals of all stripes, just as it opens the door to moving value around the world quickly, cheaply and securely.

Regardless of where you stand on the issue – for or against crypto, the wave of the future of value or merely Monopoly money – there are two very large trains on a collision course.

Fincrime compliance is coming to crypto in a big way and it appears the sector is going to have to come together to figure it out – or see some countries cracking down on crypto exchanges that don’t, can’t or aren’t falling in line with where FATF believes they need to be.

See What Certified Financial Crime Specialists Are Saying

"The CFCS tests the skills necessary to fight financial crime. It's comprehensive. Passing it should be considered a mark of high achievement, distinguishing qualified experts in this growing specialty area."


(JD, Washington)

"It's a vigorous exam. Anyone passing it should have a great sense of achievement."


(CFCS, Official Superior

de Cumplimiento Cidel

Bank & Trust Inc. Nueva York)

"The exam tests one's ability to apply concepts in practical scenarios. Passing it can be a great asset for professionals in the converging disciplines of financial crime."


(CFCS, Royal Band of

Canada, Montreal)

"The Exam is far-reaching. I love that the questions are scenario based. I recommend it to anyone in the financial crime detection and prevention profession."


(CFCS, CAMS Lead Compliance

Trainer, FINRA, Member Regulation

Training, Washington, DC)

"This certification comes at a very ripe time. Professionals can no longer get away with having siloed knowledge. Compliance is all-encompassing and enterprise-driven."

Director, Global Risk
& Investigation Practice
FTI Consulting, Los Angeles