CipherTrace has unveiled its answer to one of the thorniest questions now facing the cryptocurrency industry: how to securely share information about customers under new global regulatory guidelines.

On Tuesday, the blockchain security firm published its final white paper and open source software for wallet providers and crypto exchanges to comply with the Financial Action Task Force (FATF)’s “travel rule.”

The intergovernmental body dedicated to fighting money laundering and terrorism financing recommended in June that countries require exchanges and wallet providers to pass each other information about customers when transferring cryptocurrency.

This means that “virtual asset service providers” (VASPs) worldwide will have to hold sensitive personal information not only about their customers, but who their customers are transacting with.

Opponents of the recommendation had claimed implementing such a rule would be “onerous” at best, but failed to sway FATF. Now, tech vendors are jockeying to offer solutions.

“The industry itself has said it’s virtually impossible to adhere to the travel rule,” CipherTrace chief marketing officer John Jefferies told CoinDesk. “The reality is it can be done.”

CiperTrace’s Travel Rule Information Sharing Architecture (TRISA) would allow exchanges and wallet providers to share payment details and confidentially exchange customer know-your-customer (KYC) information, Jefferies said.

The reference implementation, a basic version of the software that others can modify, “isn’t even that heavy,” he said, meaning it won’t require much in the way of processing power. Much of the requirements are met once the exchanges establish they’re “talking” to the right counterparty.

“While this rule may cause some consternation with respect to privacy because these exchanges are exchanging their data, they’re going to have to do that” confidentially, Jefferies said. “Assuming VASP A and VASP B need to share data, confidentiality is the most important” part.

CipherTrace’s announcement comes a day after Netki announced it was updating its own digital identity service, to help firms comply with the FATF travel rule.

How it works

Exchanges adopting TRISA would essentially create an “extended validation know-your-VASP” certificate, which would be sent from the exchange originating a transaction to the one receiving it. These certificates would be verified through a third-party trusted certificate authority.

The exchanges receiving a transaction should in turn confirm that they did actually receive a transaction with a receipt (or otherwise send a receipt saying the exchange would reject the transaction, should a party be on a sanction or other black list).

According to the white paper, exchanges should also ensure they have secure and reliable communications set up between each other.

“It’s much like websites, right? The whole architecture is identical to SSL,” said Jefferies, referring to the secure sockets layer (SSL) protocol. “It’s not prohibitively expensive because half the sites use SSL.”

The company plans to let exchanges test the implementation for “a little while” to ensure it works as advertised. Any issues would be fixed by updating the open-source code, he explained.

Binance, currently the world’s largest crypto exchange by volume, is examining CipherTrace’s code (though the exchange hasn’t yet committed to implementing it). A few other exchanges are supposedly also considering whether to implement the code, though Jefferies said he could not disclose the names.

FATF’s recommendations have yet to be formally adopted by most countries, so any exchange implementing travel rule compliance would be doing so proactively. Jefferies predicted that exchanges would either add the code as a possible boost over other exchanges or otherwise wait until “it’s forced upon them.”

“What we’re starting to see is compliance used as a competitive advantage,” he said.

FinCEN stepping up?

While the ink is barely dry on the FATF recommendations, the U.S. Financial Crimes Enforcement Network (FinCEN) may be forcing exchanges to comply with the travel rule already.

FinCEN, a bureau of the U.S. Department of the Treasury, published guidance in May imposing its own version of the travel rule.

The guidance, released May 9, gave exchanges 180 days to do so (meaning until Nov. 27).

Unlike FATF’s recommendations, exchanges are expected to immediately comply with FinCEN guidance, Jefferies said, adding:

“The difference between FinCEN and FATF is FinCEN is a law, right? They have no choice.”

He told CoinDesk that FinCEN has already begun enforcement actions, though he did not provide any names. “FinCEN is from my understanding actively taking action against people and VASPs in the U.S. who are not complying with the travel rule so we expect to see some disclosure of that in the not-so-distant future,” according to Jefferies.

His comments echo Netki, which said in its announcement Monday that “the U.S. FinCEN agency has begun enforcement actions against VASPs who are not in compliance.”

FinCEN has not announced any new enforcement actions in the crypto space since April. The agency did not reply to a request for comment.

Keys and cash image via Shutterstock