Look ... up in the sky ... it's a bird, it's a plane ... it's ... it's ... the FATF "Travel Rule"!

It's rather perplexing to see so much interest in the Financial Action Task Force's (FATF) travel rule, which was a topic of the latest guidance from the intergovernmental organization. In the last couple of months, dozens of companies have flooded the internet with ways to solve this "new problem".

Although ... it's not new by any stretch, nor is it a problem; US service providers have had to deal with this since the beginning of bitcoin time.

This went into effect in 1996 in the United States, over 10 years before bitcoin ever graced the land, and was most recently reinforced by the Financial Crimes Enforcement Network (FinCEN) with its May release of the virtual currency guidance document FIN_2019_G001.

However, that doesn't make it legal.

The Illegal Travel Rule

Under the "travel rule", which derives from the United States BSA (Bank Secrecy Act) 31 CFR 103.33(g), service providers are required to send specific identifying information about themselves and their customer along with the transaction. In other words, the expectation is to write data to the blockchain containing the identity of the exchange or service provider, name of the customer sending the bitcoin, and the account number of the customer.

Here's the problem.

This is about as silly as the flood of efforts to store PII (personal identifying information) and/or identification document attributes and information on the blockchain. The problem with this thinking is that it may be secure today, but it will not be secure tomorrow.

Sure, currently nothing can realistically crack SHA256 encryption given the fact that with current technology ... that would take about 6.4 quadrillion years.

However, it can and will be cracked. It's just a matter of time.

When it happens, bitcoin will adjust and implement the next 6.4 quadrillion year algorithm and that's fine. Nothing will be lost and no harm will be done, bitcoin will continue to chug along as it has for the past decade. At least that's the theory anyway, but then again, look at the block-size debate and the length of that fiasco.

Point being, it's something already being worked on today and there will be a solution.

This doesn't solve the problem of storing personal data on the blockchain, encrypted or not. There are plenty of copies and backups of old blockchain data-stores all over the planet, and that's all a fraudster need do: back up a copy and wait.

Once the encryption is broken, they merely need pull out the old copy and start cracking. Any personal or sensitive data, including that required by the... wait for it ... TRAVEL RULE is spread eagle and open to the world.

Every single transaction that complies with the travel rule would be exposed, 100% visible to the entire planet along with first name, last name, account number, transaction details, etc...

This violates GDPR, this violates US privacy laws, and this violates the regulations of half the countries in the world, if not more. These regulations clearly state, in some form or fashion, that no person shall knowingly put data in a position that could lead to any kind of disclosure.

If you know the above can happen and you follow the travel rule, it sounds rather illegal to follow this rule, yet it will soon be illegal not to. If that's not bad enough, given the immutable nature of bitcoin's blockchain, once the data is there, you can't remove it ... ever.

FATF is essentially asking service providers to break the law because it's simply not possible to do this without risking disclosure and every solution that's floating around the internet shares this same dilemma.

Legal in the USA?

Now there's the trillion dollar question and the answer is, most likely, sort of, maybe not. Just to be crystal clear.

Privacy laws protect the people from the man (government), requiring warrants and red tape under specific guidelines to access just about anything when it comes to private data. In fact, this is a common defense that often works when police grab more than they were supposed to under a court order. This very defense was used in the Silk Road case, although it didn't work too well for the defense.

Privacy laws are very strict regarding the illegal use of private data and anyone holding data they are not entitled to. Identity theft, for example, can land one in prison for up to 20 years for just a 1st offence, and aggravated identity theft has a mandatory term of no less than 2 years in prison.

However ... a business, and certainly a financial services company or bank, operates under regulations that in most jurisdictions require a whopping "reasonable effort" to secure private data. That's it. Just a "reasonable effort" that is often not well defined, if defined at all.

Just think about all of the Western Union and Money Gram wires sent over the last 20 years under this law.

The protection of personal data at these organizations is about as secure as a billboard, complete with the uber-secure method of maintaining records on paper, face-up, and well hidden in plain view under the maximum security of a giant thumbtack operated by a clerk who hates their job.

How's that for a "warm fuzzy"?

Notably, these "reasonable efforts" refer to internal networks secured by the company, or a 3rd party company, and not to data slapped out on the blockchain for the world to start hacking at. Given that, the legality is not so clear.

The government may well elect to provide a "pass" or not charge anyone following federal regulations, but this doesn't stop a customer from filing a civil lawsuit or a class action against anyone who follows the travel rule. Short of a suspicious transaction accompanied by a SAR, there's also no safe harbor.

Next Steps

Regulators and FATF need to revisit the travel rule. These rules need to be updated for modern times as do all ancient regulations. Trying to stuff blockchain into the same carton that holds private networks is ridiculous. They are completely different and this is not going to go well.

In the meantime, there are plenty of ways to comply with the travel rule, just as companies have been doing, and nothing against all of these companies coming out of the woodwork with "solutions" to the travel rule, but ... the justification for spending a single dollar on anything right now is flat out unrealistic.

This is because the more likely scenario is that this backfires and nobody ever sends bitcoin, or any virtual currency, between service providers anymore. The "travel rule" will just completely defeat the entire purpose of its existence.

Which pretty much puts this article right up there with FATF's travel rule guidance ... a complete waste of time.

Article by dinbits
