1 of 40

Using Decentralized Identity for Regulatory Compliance in crypto

Pelle Braendgaard CEO @PelleB

notabene.id

2 of 40

Objectives

  • About Notabene
  • State of Crypto Compliance today
  • A global framework for regulating crypto companies
  • Travel Rule and Identity
  • Travel Rule standards
  • The Notabene solution
  • Non-custodial wallets and SSI
  • Questions

3 of 40

About Notabene

WHO WE ARE

OUR RELATIONSHIPS

Live since August 2020. Used by leading crypto businesses globally

US corporation with offices in New York, Zug, and Santiago de Chile

Active contributor to AML / CFT industry working groups and travel rule protocols

Crypto veterans and digital identity experts

We help companies manage regulatory and counterparty risks around crypto transactions.

With our software, tools, and data, their customers can transact in crypto with confidence and ease.

4 of 40

Current state of Identity in Crypto Compliance

5 of 40

Direct Bitcoin Transaction

6 of 40

Custodial Bitcoin Transaction today

7 of 40

What has been missing for institutional adoption?

Missing Counterparty Information

No regulatory clarity

8 of 40

Current blockchain exchanges perform KYC

They are missing information about the counterparties to a transaction

9 of 40

Global Regulatory Framework for Crypto

FATF

10 of 40

Who is FATF?

11 of 40

FATF released its updated guidance for virtual assets this March

WHAT IS IT?

June 2019: FATF releases guidance that requires crypto businesses (a.k.a. virtual asset service providers or VASPs) to be regulated for AML purposes. This means they need to be licensed, do proper KYC and perform the travel rule.

March 2021: FATF releases updated guidance to the original doc, with additional clarifications and requirements outlined.

April 2021: Public consultation period

June 2021: The updated guidance comes into effect.

WHY IS THIS IMPORTANT?

  • FATF, the global anti-money laundering watchdog, is responsible for setting AML / CFT guidelines that local jurisdictions implement locally.
  • This is indicative of the minimum requirements that regulators will implement for crypto assets across jurisdictions over the next 1-2 years.
  • As of Oct 2019, 35 jurisdictions implemented FATF’s guidelines for crypto. 30 introduced registration or licensing regimes.

Check out Notabene’s summary of the FATF guidance

12 of 40

Recap of original FATF 2019 guidelines: Defining VAs and VASPs

WHAT IS A VA?

A digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.

Virtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations.

WHAT IS A VASP?

Any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i. Exchange between virtual assets and fiat currencies;

ii. Exchange between one or more forms of virtual assets;

iii. Transfer of virtual assets;

iv. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

v. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

13 of 40

Recap of original FATF 2019 guidelines: Defining travel rule

EXCHANGE A

Originator

Beneficiary

EXCHANGE B

1. Originator’s name

2. Originator’s account #

3. Originator’s physical address, or national identity number, or customer identification number or date and place of birth

4. Beneficiary’s name

5. Beneficiary account #

FATF MANDATES RECOMMENDATION 16, THE TRAVEL RULE

  • VASPs are required to exchange customer information when performing transfers above $1000 (or Euro 1000) between an originator and beneficiary customer.
  • Originator VASP must collect and verify originator info (usually as part of KYC process), as well as collect beneficiary info (from the originator)
  • Originator VASP passes on this info as part of a data transfer to the Beneficiary VASP, while the transaction is happening

14 of 40

FATF Revised Guidance 2021

Notabene summary

15 of 40

(1) Some aspects of virtual assets are deemed higher risk

FATF maintains a technology neutral approach to virtual assets.

  • Should be regulated similarly to FIs
  • Apply to all VASPs and VAs regardless of underlying technology

Allows local regulators to treat certain aspects of VAs as riskier.

  • No one size fits all. If a jurisdiction cannot manage risks of VAs or certain aspects of it like non-custodials, then it can deem it higher risk

VASPs are expected to "build compliance into their product".

“Authorities may also require that appropriate AML/CFT mitigations must be built into products and services before they are brought to market, as it is much more difficult to do so later.” (Section 119, Page 43)

Our assessment: FATF applies its tech-neutral approach to ‘decentralized’ projects that are not so decentralized

Our assessment: Local jurisdictions will see this as green light to implement stricter rules such as ones for non-custodials.

Our assessment: Regulators will expect that VASPs make compliance an integral part of their product development.

16 of 40

(2) Definition of VASPs to include DeFi and stablecoins

No financial asset should ever fall outside of FATF standards.

  • Every financial asset is either a VA or a traditional financial asset.
  • VASP definition stays the same, but should be more ‘broadly’ applied

A VASP is included in the majority of crypto protocols.

  • Warns regulators not to buy into the ‘marketing’ terms and separate the function of a VASP from its underlying technologies
  • VASPs may include: DeFi protocols, multisig and MPC providers, stablecoin issuers or those with enough governance control
  • Does not include non-custodial wallet providers, or software developers who only develop the software and don't stand to benefit from its wider adoption

Our assessment: Previously unregulated segments of the crypto industry will find themselves under scrutiny.

Our assessment: There will be push back from the industry, and DeFi projects will either launch fully decentralized or will get regulated.

17 of 40

(3) Regulators may introduce stricter rules in their jurisdictions

Leaves regulators to take a risk-based approach with regards to P2P transactions.

  • Examples of measures they can take to limit exposure to P2P txs: reporting reqs similar to CTRs, enhanced recordkeeping and due diligence reqs, denying them licensing

Regulators have flexibility in picking an appropriate regulatory regime.

  • Recommends that countries do not outright ban virtual assets as that can lead to higher ML/TF risks (e.g. crypto users move to offshore exchanges)
  • They should introduce registration and licensing regimes

Our assessment: Industry needs to act fast to educate local regulators or risk them passing rules on non-custodial wallets.

Our assessment: Many jurisdictions who have not allocated resources as yet to VAs will find it difficult as they look to close the gap.

18 of 40

(4) FATF adds additional clarity and new reqs to the Travel Rule

New req

Originating VASP must:

  • Verify originator information (e.g. their own KYC process)
  • Collect beneficiary information but not verify it
  • Perform sanctions screen
  • Be prepared to freeze and prohibit transactions

Beneficiary VASP must:

  • Not verify originator information provided
  • Detect if the required originator or beneficiary data is missing
  • Verify provided beneficiary information with their own KYC’d information
  • Perform sanctions screen

Our assessment: No surprises, FATF shows they are serious about real implementation and not vanity data transfers. Sanctions screening may lead to many false positives.

19 of 40

(4) FATF adds additional clarity and new reqs to the Travel Rule

Originator VASPs must collect beneficiary names for all txs.

  • Under threshold or going to unhosted wallet
  • TR applies to transfers between a VASP and an unhosted wallet, and they could be treated as higher risk.

Travel Rule data transfers must be immediate and secure.

  • Performed same time or before a transaction
  • It does not have to be attached to the blockchain transaction itself
  • Batching is allowed

Intermediaries need to record-keep and perform sanction-screening.

  • They aren’t required to verify originating or beneficiary customer information.

Our assessment: We expect many VASPs to allow their customers to send transfers only to their own unhosted wallets.

Our assessment: This will be a challenge in the sunrise period as VASPs grapple with insufficient data and counterparties who are not yet supporting the travel rule.

Our assessment: We expect a standard travel rule compliance flow for intermediaries to emerge in the industry in the next 6 months.

Soon integrations with custodials and MPC providers!
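
An added example, not Notabene's code: the beneficiary-side check for missing required data, using the five items from the Recommendation 16 recap and the rule that beneficiary names are collected for all transfers. The flat message layout and field names are assumptions made for this example (they are not the IVMS-101 schema), and amount_fiat is assumed to be already converted to USD or EUR.

```python
from decimal import Decimal, InvalidOperation

# Assumed, simplified message layout for this example. It is NOT the IVMS-101
# schema; only the list of required items is taken from the slides.
THRESHOLD = Decimal("1000")  # full data set applies above $1000 / Euro 1000

# Originator item 3: any ONE of these alternatives is sufficient.
ORIGINATOR_ID_ALTERNATIVES = ("physical_address", "national_identity_number",
                              "customer_identification_number",
                              "date_and_place_of_birth")


def _present(msg, section, key):
    """True if msg[section][key] is a non-blank string."""
    part = msg.get(section)
    value = part.get(key) if isinstance(part, dict) else None
    return isinstance(value, str) and value.strip() != ""


def above_threshold(msg):
    """Fail closed: a missing or unparseable amount counts as above threshold."""
    try:
        amount = Decimal(str(msg["amount_fiat"]))
    except (KeyError, InvalidOperation):
        return True
    return not amount.is_finite() or amount > THRESHOLD


def missing_travel_rule_fields(msg):
    """Return the required items that are absent from a transfer message."""
    missing = []
    # Beneficiary name is collected for all transfers, even under threshold.
    if not _present(msg, "beneficiary", "name"):
        missing.append("beneficiary.name")
    if not above_threshold(msg):
        return missing
    for section, key in (("originator", "name"), ("originator", "account_number"),
                         ("beneficiary", "account_number")):
        if not _present(msg, section, key):
            missing.append(f"{section}.{key}")
    if not any(_present(msg, "originator", k) for k in ORIGINATOR_ID_ALTERNATIVES):
        missing.append("originator.identification")
    return missing


# Constructed sample message (no real customer data).
COMPLETE = {"amount_fiat": "2500.00",
            "originator": {"name": "Alice Example", "account_number": "acct-001",
                           "date_and_place_of_birth": "1990-01-01, Exampleville"},
            "beneficiary": {"name": "Bob Example", "account_number": "acct-002"}}
```

A non-empty result is the signal to request the missing data from the counterparty VASP before the transfer is treated as compliant.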

20 of 40

(5) VASP due diligence is a core requirement of the Travel Rule

VASPs are required to conduct counterparty VASP diligence before initiating a transfer.

  • Treating a counterparty VASP as a correspondent banking relationship
  • Collect information directly from the VASP, and verify OR collect from public data
  • Should assess jurisdiction risk (e.g. AML/CFT laws) as well as the counterparty VASP’s AML/CFT controls (see slide 12)
  • Should periodically refresh diligence or have mechanisms in place to identify if a new risk emerges.

Sunrise period is a challenge but not an excuse.

  • VASPs should be compliant. They can request travel rule from their counterparty VASPs or take other measures to demonstrate compliance

“Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.” (Section 176, Page 59)

“The absence of relevant regulations in one country does not necessarily preclude the effectiveness of measures introduced by a VASP on its own.” (Section 177, Page 59)

Our assessment: At scale will still be a challenge. Jurisdictions will help create public databases, and platforms like Notabene will help streamline it.

Our assessment: In late 2021, many VASPs will adopt the travel rule for business reasons - mainly that their counterparty VASPs already require it.

21 of 40

(5) VASP due diligence is a core requirement of the Travel Rule

FATF’s recommended steps for VASP due diligence

22 of 40

(6) Technical solutions must be scalable, secure and protect data privacy

FATF expects tight compliance with travel rule from VASPs; technical solutions must deliver.

  • VASPs perform the due diligence, but technical solutions can help collect the data or provide communication channels
  • VASPs should request missing data, but solution providers can make it easy for VASPs to do so

“These technological solutions should enable VASPs to comply with the travel rule in an effective and efficient manner if they enable a VASP to carry out the following main actions:

  1. enable a VASP to locate counterparty VASPs for VA transfers;
  2. enable the submission of required and accurate originator and required beneficiary information immediately when a VA transfer is conducted on a DLT platform;
  3. enable VASPs to submit a reasonably large volume of transactions to multiple destinations in an effectively stable manner;
  4. enable a VASP to securely transmit data, i.e. protect the integrity and availability of the required information to facilitate record-keeping;
  5. protect the use of such information by receiving VASPs or other obliged entities as well as to protect it from unauthorized disclosure in line with national privacy and data protection laws;
  6. provide a VASP with a communication channel to support further follow-up with a counterparty VASP for the purpose of:
    1. due diligence against counterparty VASP; and
    2. requesting information on a certain transaction to determine if the transaction is involving high risk or prohibited activities.”

(Section 258, Page 77)

Our assessment: Availability of technical solutions will not be a problem. Notabene already helps you comply fully with these requirements.

23 of 40

Travel Rule has several Identity Related challenges

24 of 40

Sharing customer’s Personal Identifying Information (PII) with beneficiary institution

25 of 40

26 of 40

Know Your VASP

Originating VASP

  • Is my counterparty regulated?
  • Do they have proper AML/KYC policies?
  • Who are they?
  • Can I trust them with my customer’s PII?

Beneficiary VASP

  • Is my counterparty regulated?
  • Do they have proper AML/KYC policies?
  • Who are they?
  • Did they properly KYC the Originating Customer?

27 of 40

OpenVASP

28 of 40

Open protocol to implement FATF’s travel rule for virtual assets

  • Functionally similar to SWIFT
  • Strong decentralized design
  • Blockchain agnostic
  • Based on Decentralized Identity
  • OVIPS (OpenVASP Improvement Proposals)

https://openvasp.org

29 of 40

Identifying a VASP using a VASP Code

30 of 40

Identifying a customer using a VAAN

  • Similar to IBAN Code
  • Used instead of Blockchain Address
  • Issued by VASP and tied to a VASP https://github.com/OpenVASP/ovips/blob/master/ovip-0002.md
  • Not really SSI as issued by VASP
  • Better Privacy than Blockchain Address
  • Maybe VAAN DID method?

t = VASP Code Type

r = Reserved bits

v = VASP Code

c = Internal Identifier

x = Check Digits

tt | rr | vvvvvvvv | cccccccccc | xx

10 | 00 | bb528777 | e33b078520 | 9e
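
An added example (not from the slides or the OpenVASP project): a strict Python parser for the VAAN layout shown above, so a malformed identifier is rejected before it is used for routing. The function and type names are hypothetical, and the check digits are carried through unverified because the slide does not give the algorithm.

```python
import re
from typing import NamedTuple

# Field widths in hex characters, from the slide's layout line:
# tt | rr | vvvvvvvv | cccccccccc | xx
FIELDS = (("code_type", 2), ("reserved", 2), ("vasp_code", 8),
          ("internal_id", 10), ("check_digits", 2))
VAAN_LEN = sum(width for _, width in FIELDS)  # 24 hex characters


class Vaan(NamedTuple):
    code_type: str
    reserved: str
    vasp_code: str
    internal_id: str
    check_digits: str


def parse_vaan(text):
    """Split a VAAN into its fields; raise ValueError on malformed input.

    The check digits are returned as given and NOT verified, because the
    algorithm is not on the slide.
    """
    if not isinstance(text, str):
        raise ValueError("VAAN must be a string")
    # Accept the slide's display grouping ("10 | 00 | ...") as well as the
    # compact form, but nothing else: no 0x prefix, no other punctuation.
    compact = re.sub(r"[ |]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % VAAN_LEN, compact):
        raise ValueError("VAAN must be exactly %d hex characters" % VAAN_LEN)
    compact = compact.lower()
    parts, pos = [], 0
    for _, width in FIELDS:
        parts.append(compact[pos:pos + width])
        pos += width
    return Vaan(*parts)


def format_vaan(vaan):
    """Render a parsed VAAN in the slide's grouped display form."""
    return " | ".join(vaan)


# The example value shown on the slide.
SLIDE_EXAMPLE = "10 | 00 | bb528777 | e33b078520 | 9e"
```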

31 of 40

IVMS-101

32 of 40

InterVASP IVMS-101

Universal common language for communication of required originator and beneficiary information between virtual asset service providers

  • Originating customers PII
  • Just data model
  • Could be wrapped in VCs

33 of 40

Transact in crypto with confidence and ease

About Notabene

34 of 40

Notabene adds a private counterparty layer on top of blockchains

Allows institutions to manage counterparty and AML risk regarding blockchain transactions

35 of 40

Our product: An all-in-one platform for the Travel Rule

Ready-to-use, minimum integration required

Automated identification of business counterparties

Seamless data exchange, regardless of the protocol

36 of 40

DIDs in Notabene today

37 of 40

The Travel Rule and Non-Custodial Wallets

38 of 40

Non-Custodial Wallets do not need to implement travel rule

  • VASPs will be required to prove ownership of addresses to support Non-Custodial Wallets
  • Ideally SSI functionality can be built in
  • Notabene allows VC-like Ownership Proofs to be issued by the majority of wallets

39 of 40

Concordium - Identity Verified blockchain

40 of 40

Please reach out

Future work in SSI

  • Would like to support all SSI wallets
  • Consume credentials from 3rd party credential issuers
  • Help Blockchain wallets to add basic SSI functionality

Pelle Braendgaard CEO @PelleB

pelle@notabene.id

notabene.id