This deck is meant to help compliance officers and technical implementors at Virtual Asset Service Providers (VASPs) implement TRISA for travel rule compliance.
The goal of TRISA is to enable compliance with the FATF and FinCEN Travel Rules, as well as Travel Rules implemented by equivalent authorities, without: modifying the core blockchain protocols, incurring increased transaction costs, or modifying virtual currency peer-to-peer transaction flows.
2. “You never really understand a person until you consider things from his point of view.”
— HARPER LEE / TO KILL A MOCKINGBIRD
3. TRISA is an open peer-to-peer network that supports information sharing between members.
4. Getting Started with TRISA
1. What is TRISA?
2. Getting Certified: To join the network, register with your legal, business, and technical details.
3. Member Benefits: Members can request details about other members for Travel Rule compliance.
4. Member Responsibilities: Members must store shared details and operate an endpoint to respond to incoming requests.
5. About the Global Directory Service (GDS): The GDS grants certificates and serves as a decentralized store of member details.
6. Working with Secure Envelopes: Learn the fundamental data structures that enable secure information exchange.
5. This is Alice
● Alice wants to send digital assets in
the form of cryptocurrency
● Alice lives in the US and she wants to send the
equivalent of $3,500 in cryptocurrency to her
friend Bob, who lives abroad.
● She uses a Virtual Asset Service Provider
(VASP) to do this.
● Under the Travel Rule, Alice’s VASP has a legal
responsibility to keep a record of all the parties
involved – not just data about Alice, but also
about Bob and his VASP.
6. This is Bob
● Bob lives in Singapore.
● Bob also uses a Virtual Asset Service Provider
(VASP) to manage cryptocurrency
transactions.
● Depending on his local government
regulations, Bob’s VASP may also have a legal
responsibility to keep records about Bob, Alice,
and Alice’s VASP.
7. That’s a lot of records!
The recently enacted Travel Rule is
changing how VASPs use customer data,
as well as how much non-customer data
they store.
8. The “travel rule” refers to guidance published by the
Financial Action Task Force (FATF), an independent
inter-governmental body that develops policies to combat
money laundering and the financing of terrorism.
What is the Travel Rule?
9. The guidance requires Virtual Asset Service Providers “to
obtain, hold, and transmit required originator and beneficiary
information in order to identify and report suspicious
transactions, monitor the availability of information, take
freezing actions, and prohibit transactions with designated
persons and entities.”
What is the Travel Rule?
10. This raises many questions…
How can VASPs make sense of each other’s
data? How can they keep customer details
secure? How can they trust other VASPs to
keep their customer data secure?
11. The Travel Rule Information Sharing Architecture (TRISA)
was initiated in July 2019 as a response to emerging
regulations from the FATF and FinCEN around data
transfer for cryptocurrency transactions between Virtual
Asset Service Providers (VASPs).
Introducing TRISA
12. The goal of TRISA is to enable compliance with the FATF
and FinCEN Travel Rules, as well as Travel Rules
implemented by equivalent authorities, without:
● modifying the core blockchain protocols.
● incurring increased transaction costs.
● modifying virtual currency peer-to-peer transaction
flows.
Introducing TRISA
13. TRISA aims to do this on a global level while:
● Protecting user privacy
● Ensuring fast and inexpensive transactions
● Remaining open source and decentralized
● Having an open governance body
● Maintaining interoperability with other approaches
It helps VASPs demonstrate the technical capability to comply with
the Travel Rule, which may help with licensing, depending on the
jurisdiction.
Introducing TRISA
14. Why should you start meeting Travel Rule requirements
today?
● Signal to regulators that your business is taking
regulations seriously. Ensure your business receives its
licenses on time without disrupting go-to-market
strategy.
● Signal to counterparties that your compliance program is
up to par. Give your customers and partners the
confidence to keep working with you, open up new
opportunities, and gain an advantage in the market.
Introducing TRISA
15. TRISA is designed around the following six guiding principles:
● Open Architecture
● Open Source
● Secure
● Private
● Decentralized
● Reliable
Introducing TRISA
16. Who can join TRISA?
● Virtual Asset Service Providers (VASPs)
● Crypto Asset Service Providers (CASPs)
● Money Service Businesses (MSBs)
● Traditional financial services institutions
● Regulatory bodies
Introducing TRISA
17. A Peer-to-Peer Network
At its heart, TRISA is a peer-to-peer
network.
It’s a decentralized and secure
messaging layer.
No single person, organization, or
government controls it.
18. A Peer-to-Peer Network
Alice’s VASP Bob’s VASP
The “peers” in the TRISA network are
VASPs who are following their legal
recordkeeping responsibilities by
exchanging customer, business, and
legal data once an applicable
transaction occurs.
19. A Peer-to-Peer Network
Alice’s VASP Bob’s VASP
TRISA is a special kind of peer-to-peer
network — a trusted network.
This means that the communications
between peers are protected, unlike
those on ordinary p2p networks.
20. A Peer-to-Peer Network
Alice’s VASP Bob’s VASP
The protection comes in the form of
mutual authentication (mTLS).
When Alice’s VASP registers for TRISA,
it receives Identity Certificates, which
serve as proof to Bob’s VASP that
Alice’s VASP is who they say they are,
and vice versa.
21. A Peer-to-Peer Network
Alice’s VASP Bob’s VASP
TRISA’s messaging framework is based
on proven security technologies:
● Certificate Authority (CA):
TRISA employs the CA model,
commonly used in e-commerce
and gov’t communications, to
issue Identity Certificates to
Members.
● Public Key Cryptography (PKC):
TRISA uses PKC to encrypt Travel
Rule data packets.
22. A Peer-to-Peer Network
The TRISA Network includes
VASPs from all over the
world, including Singapore,
Germany, Taiwan, the
Philippines, the Czech
Republic, and the United
States.
23. What TRISA Is and What It Is Not
TRISA is… / TRISA is NOT…
● A peer-to-peer network of vetted Members / A centralized service
● A secure messaging protocol / A complete Travel Rule solution
● An open source initiative / A proprietary service
● Interoperable with other solutions / A closed framework
● A messaging layer on top of blockchains / A means for address confirmation
25. TRISA Certification Process
● TRISA acts as the root of trust. It is the Trusted VASP Certificate Authority
(TVCA) and issues Identity Certificates to Members.
● VASPs must complete a formal registration and due diligence process by
TRISA that includes physical and digital verification of the VASP.
● The verification process follows FATF’s Recommendations for VASP
licensing and registration.
● The process is designed to be thorough and rigorous, but not financially
burdensome for VASPs to complete on their own; it does not require a
third-party auditor or hefty fees.
● TRISA verifies all data submitted by VASPs and conducts sanctions checks.
26. Step 1: Get Certified
● The first step is to formally join the
TRISA network.
● To become a member, a VASP
must submit a registration.
● Once approved, the VASP will
receive digital certificates
(cryptographic key-pairs), which
can be used in secure TRISA
information exchanges with other
members.
27. What You’ll Need
● Your business details, e.g.
○ Your company name and website
○ What type of business/VASP you are
● Your legal details, e.g.
○ Legal name
○ Country and address
○ Government identification number
● Points of contact:
○ Technical and Legal/Compliance (required)
○ Administrative and/or Billing (optional)
● Endpoint details
● Jurisdiction details
28. Make sure you have
all your details ready
before you begin
registration!
29. Business Details
1. Company Name
2. Date of Incorporation/
Establishment
3. Company Website
4. Business Category
○ Private Organization
○ Business Entity
○ Government Entity
○ Non-Commercial Entity
5. VASP Category
○ Centralized Exchange
○ Decentralized Exchange
○ Person-to-Person Exchange
○ Kiosk/Crypto ATM Operator
○ Custody Provider
○ Over-The-Counter Trading Desk
○ Investment Fund
○ Token Project
○ Gambling or Gaming Site
○ Mining Pool
○ Mixing Service
○ Legal Person
○ Other
30. Legal Details
● The Legal Person is how TRISA defines your business entity.
● TRISA uses the IVMS 101 data standard to describe the business entity.
● IVMS 101 defines a Legal Person* as having:
1. One or more Name Identifiers (Legal Name, Short Name, Trading Name)
2. Zero or more Local and/or Phonetic Names (other spellings, translations, etc.)
3. One or more physical geographical addresses
4. The country where your business is headquartered
5. National Identification (e.g. LEIX)
*Depending on your business details, other fields may be required.
31. Key Points-of-Contact
1. Technical Contact (Required)
Primary contact for handling technical queries about the operation and status of your
service participating in the TRISA network. Can be a group or admin email.
2. Legal/Compliance Contact (Required)
Compliance officer or legal contact for requests about the compliance requirements and
legal status of your organization.
3. Administrative Contact (Optional)
Administrative or executive contact for your organization to field high-level requests or
queries.
4. Billing Contact (Optional)
Billing contact for your organization to handle account and invoice requests or queries
relating to the operation of the TRISA network.
32. Endpoint Details
Each VASP is required to establish a TRISA endpoint for inter-VASP communication.
To join TRISA and be issued a certificate, you must specify two details of your endpoint in
your registration:
1. TRISA Endpoint
○ The address and port of the TRISA endpoint for partner VASPs to connect on via gRPC.
○ Example: trisa.myvasp.com:4321
2. Certificate Common Name
○ The common name for the mTLS certificate.
○ This should match the TRISA endpoint, without the port, in most cases.
○ Example: trisa.myvasp.com
33. Jurisdiction Details
● aka “The TRIXO Questionnaire”
○ Primary National Jurisdiction
○ Name of Primary Regulator
○ Applicable Regulations
○ Currency Threshold
○ etc.
● This will help other Members understand the regulatory regime of your
organization.
● The information you provide will help ensure that required compliance
information exchanges are conducted correctly and safely.
● Where required, a counter-party or any VASP involved in the transaction will
have access to this information.
35. Why VASPs Choose TRISA
● Safeguards private customer data
● Counterparty lookups and verification
● Synchronous and asynchronous transfer
● Fully decentralized data layer
● Common technical messaging framework
● Standardized data formats
36. VASP Decision Point: DIY vs COTS
Upon verification, VASPs must integrate with TRISA to begin exchanging
Travel Rule data with other verified TRISA members. Since TRISA is open
source and interoperable, VASPs have two options.
Option 1. Do it Yourself (DIY)
Set Up Your Own TRISA Node
VASPs can set up and maintain their own
TRISA server to exchange encrypted
Travel Rule compliance data. TRISA
maintains a GitHub repository with
detailed documentation, a reference
implementation, and “robot” VASPs for
testing purposes.
Option 2. Commercial Off the Shelf (COTS)
Use a 3rd-party Solution
There are several Travel Rule solutions
providers available on the market that are
interoperable with TRISA. If you are a
customer, work with them to integrate
TRISA into your Travel Rule compliance
workflow.
37. Open Source Resources & Considerations
TRISA maintains open source
resources for building, testing, and
deploying a TRISA node.
● Github repository
○ Reference
implementation
○ “Robot” VASPs for test
transactions
● Documentation
● TRISA Slack
Open Source implementers must consider:
● Systems integration: How will your
TRISA node integrate with your
backend systems?
● Data storage: How will you store
encrypted secure envelopes?
● Key management: How will you
manage the keys for secure
envelopes?
38. 3rd Party Travel Rule Solutions
VASPs may choose to work with a COTS Travel Rule solution. VASPs should
evaluate the solutions, select the one that best fits their needs, and work with
the provider to integrate with TRISA.
A non-exhaustive list of commercial solutions includes:
● 21 Analytics
● CipherTrace Traveler
● CoinBase TRUST
● Sygna Bridge
● NotaBene
41. 3 Responsibilities of Members
Communication
It is your responsibility
to communicate and
interact directly with
your peer VASPs.
Operations
It is your responsibility
to deploy and maintain
your TRISA endpoint to
keep it operational.
Security
It is your responsibility to
protect the security of the
network, including data,
passwords and certificates.
42. Communication
● Because TRISA is a decentralized network, there is no
central body designated to facilitate communications
between VASPs.
● TRISA exchanges go in both directions: you must be
prepared to respond to other VASPs’ requests for
information as well as to send your own requests.
● It is your responsibility to coordinate directly with
your peer VASPs.
○ For secure information sharing, use the TRISA protocol.
○ For informal communications, use the TRISA Slack group.
43. Operations
● You must deploy a TRISA endpoint that enables you to
respond to requests from peer VASPs.
○ An endpoint is like a phone number or web address
where your peers can reach you.
○ It looks a bit like a URL, e.g. api.alice.vaspbot.net:443
● You must maintain your TRISA endpoint and ensure it
remains healthy and operational.
● If you do not have an engineering team capable of
deploying and maintaining your TRISA endpoint, there
are third party tools that offer support and hosting.
44. Security
● To connect to a peer’s TRISA endpoint, you must
authenticate with mTLS using the TRISA identity certificates
you were granted during registration.
● You are responsible for maintaining your own private keys
for your TRISA identity certificates.
● You are responsible for securely storing encrypted Travel
Rule data in compliance with local data retention regulations.
● If your TRISA certificates are compromised, you must revoke
them immediately so that new ones can be reissued.
46. The Global TRISA Directory Service (GDS) facilitates peer-to-peer exchanges
between TRISA members as follows:
● By issuing mTLS certificates to verify exchanges
● By providing discovery services for finding TRISA endpoints
● By providing VASP public certificate and KYCV (Know Your Counterparty
VASP) information for verification
Interactions with a Directory Service are specified by the TRISA protocol.
Currently, the TRISA organization hosts the GDS on behalf of the TRISA network.
The Global Directory Service (GDS)
47. The Global Directory Service (GDS)
The GDS serves as a
decentralized store of
member details.
It is replicated across
multiple continents.
48. The Global TRISA Directory Service issues
Identity Certificates for VASPs to verify
exchanges with peers.
Identity certificates:
- Are issued after extended validation
including business entity verification and a
phone interview.
- Prove that the VASP is a trusted member of
the TRISA network and are used to
establish mutually authenticated secure
communications between VASPs and the
Directory.
Issuing Identity Certificates
49. Discovery Services for Endpoints
The Global TRISA Directory Service
provides discovery services for finding
TRISA endpoints.
Only TRISA members have access to the
directory listing of other verified members
and can search and lookup counterparties
for information exchanges.
The Directory also manages the certificate
revocation list (CRL) to maintain the
network over time.
50. Certificate and KYC Information
The Global TRISA Directory Service
provides certificate and KYC information
for verification.
The Directory:
- Issues sealing keys and manages
revocation and reissuance of certificates.
- Provides public keys to facilitate sealing
key exchange and signature verification.
VASP LegalPerson records are available for
members to assist them in building
complete IVMS 101 records.
52. Secure Envelope
The diagram shows the same Secure Envelope structure on the Originator VASP and the Beneficiary VASP sides, exchanged over an mTLS encrypted channel. Each envelope carries:
● Payload: IVMS 101 Identities and Transaction Info
● Encryption Key and Encryption Algorithm
● HMAC Secret, HMAC Algorithm and HMAC Signature
● ID & Timestamp
● Sealing Key Info
53. Originator VASP Beneficiary VASP
Step 1: The Originator VASP
finds the TRISA endpoint
address and public identity
key of the Beneficiary
VASP.
api.bob.vaspbot.net
54. Originator VASP Beneficiary VASP
Step 2: The Originator
VASP encrypts the sender’s
data and the transaction
details using an encryption
key.
56. What’s being encrypted?
IVMS 101 Identities
This data should be expressed using the interVASP
Messaging Standard (IVMS101), an internationally
recognized standard that helps with:
- language encodings
- numeric identification systems
- phonetic name pronunciations
- standardized country codes (ISO 3166)
The Originator VASP needs to encrypt and send two pieces
of data in IVMS101 format:
- Originator customer data
- Originator VASP data
57. {
  "originator": {
    "originator_persons": [{
      "natural_person": {
        "name": {
          "name_identifiers": [{
            "primary_identifier": "Verte",
            "secondary_identifier": "Sinead",
            "name_identifier_type": 1
          }]
        },
        "geographic_addresses": [{
          "address_line": "456 Lime Blvd, Dublin",
          "country": "IRL",
          "address_type": 0
        }],
        "national_identification": {
          "national_identifier": "567567567",
          "national_identifier_type": 1,
          "country_of_issue": "IRL",
          "registration_authority": "RA000234"
        },
        "customer_identification": "12345",
        "date_and_place_of_birth": {
          "date_of_birth": "1984-08-01",
          "place_of_birth": "Dublin, Ireland"
        },
        "country_of_residence": "IRL"
      }
    }],
    "account_numbers": [
      "2sdffsfd93kjhbkjhj55554ggtrt"
    ]
  }
}
Natural Person
The first part of the Originator
details are the customer details.
TRISA defines the Originator as a
Natural Person using the
IVMS101 standard, shown in this
example.
58. {
  "originating_vasp": {
    "originating_vasp": {
      "legal_person": {
        "name": {
          "name_identifiers": [{
            "legal_person_name": "Kelly Green VASP, LLC",
            "legal_person_name_identifier_type": 0
          }, {
            "legal_person_name": "Kelly Green",
            "legal_person_name_identifier_type": 1
          }]
        },
        "geographic_addresses": [{
          "address_line": "987 Chartreuse Lane, Dublin",
          "country": "IRL",
          "address_type": 0
        }],
        "customer_number": "12345",
        "national_identification": {
          "national_identifier": "987987987",
          "national_identifier_type": 8,
          "country_of_issue": "IRL",
          "registration_authority": "RA000999"
        },
        "country_of_registration": "IRL"
      }
    }
  }
}
Legal Person
The second part of the Originator
details are the VASP details.
TRISA defines the Originator
VASP as a Legal Person using
the IVMS101 standard, shown in
this example.
59. What’s being encrypted?
Transaction Details
The transaction details specify:
- sender/originator
- intended recipient
- transaction amount
- other information used to identify the
transaction on the blockchain*
{
  "amount": 5,
  "originator": "3XhHDu1Ngh7x9fcBs5KuThbSzw",
  "beneficiary": "1ffXrcWge9Zi1ZngNia64u3Wd2v"
  …
}
*see protocol buffer for details
60. Secure Envelope
Originator VASP Beneficiary VASP
Step 3: The Originator VASP creates a
Secure Envelope containing the
encrypted payload, the encryption key
and HMAC secret, and a timestamp,
sealing it with the Beneficiary’s public
identity key.
61. Originator VASP Beneficiary VASP
Step 4: The Originator VASP
opens an mTLS connection to
the Beneficiary VASP’s TRISA
endpoint and transmits the
Secure Envelope via a TRISA
Transfer message.
62. Originator VASP Beneficiary VASP
Step 5: The Beneficiary VASP
receives the Secure Envelope via
the mTLS connection and opens
it using their private identity
certificate.
Secure Envelope
63. Originator VASP Beneficiary VASP
Step 6: The Beneficiary VASP
validates the encryption key with
the HMAC secret.
64. Originator VASP Beneficiary VASP
Step 7: The Beneficiary VASP
uses the key to decrypt the
identity payload.
65. Originator VASP Beneficiary VASP
Step 8: The Beneficiary VASP
stores the Originator VASP and
sender details in a secure
location for Travel Rule
compliance.
66. Originator VASP Beneficiary VASP
Step 9: The Beneficiary VASP
encrypts the recipient’s data and
Beneficiary VASP data and creates
a secure envelope to send back to
the Originator VASP.
67. Originator VASP Beneficiary VASP
Step 10: The Beneficiary VASP
opens an mTLS connection to the
Originator VASP’s TRISA endpoint
and transmits the Secure
Envelope via a TRISA Transfer
message.
Secure Envelope
68. Originator VASP Beneficiary VASP
Step 11: The Originator VASP
opens the Secure Envelope,
decrypts the payload, and stores
the receiver and Beneficiary VASP
details securely for Travel Rule
compliance.
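The envelope half of the eleven steps above (steps 2, 3 and 5 to 7, and the return trip in steps 9 to 11), as a runnable Go example added here; it is not TRISA's reference implementation. Seal builds the Secure Envelope and Open verifies and decrypts it. The algorithm choices (AES-256-GCM, HMAC-SHA256, RSA-OAEP with SHA-256) and the use of a bare RSA key pair in place of the identity certificate are this example's assumptions, and the ID, timestamp and algorithm-name fields of the real envelope are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SecureEnvelope holds the fields from the envelope slide (algorithms fixed here).
type SecureEnvelope struct {
	Payload       []byte // AES-256-GCM ciphertext, 12-byte nonce prepended
	EncryptionKey []byte // 32-byte AES key, sealed with RSA-OAEP for the recipient
	HMACSecret    []byte // 32-byte HMAC secret, sealed the same way
	HMAC          []byte // HMAC-SHA256 over Payload
}

// NewIdentityKey stands in for the key pair behind a TRISA identity certificate.
func NewIdentityKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal covers steps 2 and 3: encrypt under a fresh key, MAC the ciphertext, seal both secrets for the recipient.
func Seal(payload []byte, recipient *rsa.PublicKey) (*SecureEnvelope, error) {
	buf := make([]byte, 32+32+12) // key | HMAC secret | GCM nonce, all random
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, secret, nonce := buf[:32], buf[32:64], buf[64:]
	gcm, _ := newGCM(key) // cannot fail: key is exactly 32 bytes
	ciphertext := gcm.Seal(append([]byte{}, nonce...), nonce, payload, nil)
	mac := hmac.New(sha256.New, secret)
	mac.Write(ciphertext)
	sealedKey, errK := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	sealedSecret, errS := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, secret, nil)
	if errK != nil || errS != nil {
		return nil, errors.New("sealing with the recipient's public key failed")
	}
	return &SecureEnvelope{Payload: ciphertext, EncryptionKey: sealedKey, HMACSecret: sealedSecret, HMAC: mac.Sum(nil)}, nil
}

// Open covers steps 5 to 7: unseal with the private identity key, verify the HMAC
// before trusting the ciphertext, then decrypt. No private key, no payload (Erasure).
func Open(env *SecureEnvelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, errK := rsa.DecryptOAEP(sha256.New(), nil, priv, env.EncryptionKey, nil)
	secret, errS := rsa.DecryptOAEP(sha256.New(), nil, priv, env.HMACSecret, nil)
	if errK != nil || errS != nil {
		return nil, errors.New("cannot unseal envelope: wrong or missing private key")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(env.Payload)
	if !hmac.Equal(mac.Sum(nil), env.HMAC) {
		return nil, errors.New("HMAC mismatch: envelope rejected before decryption")
	}
	gcm, err := newGCM(key)
	if err != nil || len(env.Payload) < gcm.NonceSize() {
		return nil, errors.New("malformed envelope")
	}
	return gcm.Open(nil, env.Payload[:gcm.NonceSize()], env.Payload[gcm.NonceSize():], nil)
}
```

The Beneficiary's reply in steps 9 to 11 is the same Seal and Open with the roles swapped, and the stored envelope stays opaque once the private key from NewIdentityKey is destroyed, which is the Erasure property described on the next slides.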
69. Benefits of Secure Envelopes
● Non-Repudiation (Identity Certificates)
● Encryption in Flight and at Rest
● Convenient for Long-Term Compliance Storage
● “Erasure” by Deleting Sealing Certificates
70. Benefits of Secure Envelopes
1. Non-repudiation: Timestamps are digitally signed, meaning it is possible
to cryptographically prove that both parties have identical compliance
information exchanged at the time of the transaction.
2. Encryption In Flight and At Rest: Exchanges are encrypted both: (1) in
flight using mutually authenticated TLS (mTLS) version 1.3; and (2) at
rest through the use of multi-layer data cryptography.
3. Amenable to Long-term Storage: VASPs can retain encrypted
compliance data in accordance with jurisdictional data retention laws
(e.g. 5 or 7 years), though indexing and retrieval are more challenging.
4. Easy to Discard via "Erasure": Data can be erased when it no longer
needs to be maintained for compliance purposes simply by deleting the
private keys that decrypt the envelopes, making it impossible to open
the secure payload. This is called Erasure.