‘Evil VASP’ Simulation Preps Crypto Exchanges for FATF Travel Rule

Getting crypto exchanges across the world to plug into each other and share sensitive customer data is proving to be a complex problem.

Nonetheless, firms have to show real progress on this by June of this year, according to new anti-money laundering (AML) rules from global AML watchdog the Financial Action Task Force (FATF).

Announced Thursday, the Travel Rule Information Sharing Alliance (TRISA), one of the better-known solutions being proposed, is launching a testnet that includes a directory of virtual asset service providers (VASPs) and scenario testing for inevitable contact with non-compliant firms.

The FATF rules require crypto companies to share personally identifiable information (PII) for transactions over a certain amount. While a global cohort of compliance-minded exchanges will begin implementing the new rules later this year, there will be many stragglers including smaller firms in far-flung jurisdictions. This is expected to create a so-called “sunrise problem,” as some parts of the crypto world become regulated ahead of others.

The TRISA testnet begins to address that looming challenge by including a dummy version of an “evil VASP” that will provide false authentication, attempt to steal data and so on.

There are two compliant VASPs as well as the non-compliant exchange on the testnet, explained John Jefferies, co-chairman of TRISA.

“The evil VASP isn't part of TRISA and it will try and trick people into sharing information,” said Jefferies. “So what we are building out gives firms the opportunity to test out domains and do interoperability testing from a security dimension and messaging dimension.”

Read more: Crypto Firms Establish Messaging Standard to Deal With FATF Travel Rule

TRISA is backed by blockchain analytics company CipherTrace and has support from the likes of Paxful’s Lana Schwartzman, Bradley Arant Boult Cummings LLP attorney Carol Van Cleef, and Thomas Hardjono of MIT Connection Science & Engineering.

The solution leverages battle-tested certificate authority infrastructure that allows VASPs to mutually authenticate one another, Jefferies explained. Post-testnet, TRISA will be issuing know-your-VASP certificates, validated by a registration authority.

“The cool thing about having a proper certificate authority is that it has the concept of revocation,” said Jefferies. “So if a VASP turns evil – say they pull some sort of exit or fraud or their licenses are revoked – that public key infrastructure that sets up the relationship can also take it back if the whole community has to stop communicating with a VASP, at least for a little while.”