Bitcoin Forum

CipherTrace has published their final white paper and open source software for wallet providers and crypto exchanges to comply with the FATF travel rule.

This means that their Travel Rule Information Sharing Architecture (TRISA) would allow exchanges and wallet providers to share payment details and exchange KYC info.

Exchanges adopting TRISA are essentially creating a 'extended validation know-your-VASP certificate' which would be verified through a third-party trusted certificate authority.

FinCEN released guidance on May 9th that gave exchanges 180 days to comply with the travel rule. I am really interested to see what everyone's thoughts are regarding the travel rule, how exchanges are meant to comply and what your thoughts are with the government making their first step into crypto.



https://www.coindesk.com/ciphertrace-enters-race-to-solve-cryptos-fatf-compliance-headache

I would rather have a cybersecurity firm like Ciphertrace try to step in and offer something that is working to preserve crypto than the government implementing their own form of regulated tracking.

wow, this was news to me. the new FinCEN requirements (https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf) are really far-reaching and burdensome. they even plan to designate mixers as financial institutions regulated under the bank secrecy act:


that means by this coming november, they are expecting mixers to register with FinCEN, perform KYC, and start filing currency transaction and suspicious activity reports! ::)

fortunately, this new guidance doesn't appear to reflect the FATF travel rule exactly. there don't seem to be any $1000 reporting thresholds. under the BSA, institutions are required to file a CTR at $10k, and they begin filing SARs at $5k.

I agree I didn't realize that FinCen released guidance until reading this post. Same with the mixers I had no idea. I mean it makes sense to see ciphertrace work to step in and try to help exchanges since they focus on compliance

They're just the "good cop" in a good cop/bad cop scenario. It's easy to think Ciphertrace is here to help you, but their primary role is convincing you to swallow these incredibly invasive AML requirements. At best, they're profiting from government overreach. At worst, they're literally just an arm of governments like the US.

Well from the sounds of it exchanges are going to have to abide by the travel rule regardless. Meaning either they are going to have to come up with their own technology to deal with AML or they're going to have to find a reputable source or technology like ciphertrace's.

That's not set in stone. Nothing the FATF does is binding. They just pressure individual governments to implement their standards -- it often doesn't actually happen. None of the FATF member countries have even passed complying legislation yet, let alone the rest of the world. Anything that exchanges do to comply at this point is completely voluntary, not required. And then, once laws are actually passed, enforcement is another question entirely.

Does what they propose somehow become a regulation or law overtime? What would an ideal timeline be like for something to be set into place?

Purpose of the Travel Rule:
" The Rule was created to help law enforcement agencies detect, investigate and prosecute money laundering and other financial crimes by preserving an information trail about persons sending and receiving funds through funds transfer systems." Source : https://medium.com/@sashahodler/the-fincen-travel-rule-d9e6e2cd8b28

My take on this is a little bit different, because I think it was created to have full control over people's financial data and to use this as a tool to collect more income tax for the government.

The Money laundering and terrorism funding nonsense is just used as a scare tactic to influence people to give up control over their financial privacy.  ::)

The FATF has set a June 2020 deadline (one year) for countries to codify the Travel Rule into national law. At that time, they'll issue a statement flagging countries that are non-compliant or not working towards implementing the rules.

They have no real power to enforce anything of course, but there is an element of "soft power" as governments pressure each other into compliance. My guess is that some/most of the 36 member countries will have passed complying laws by that time. It might take a while longer than that before laws take effect and compliance is widespread.

Which kinda defeats the main purpose of mixers IMO. One person mixes his coins because he feels the need to, and so the solution is to go to a service which tumbles and turns coins and ensuring that no one, not even the mixing service themselves, know who he is and why he's doing it. They are really closing in on the privacy that some of these services offer, and that's not good in any way.

@figmentofmyass - I think FATF just made a recommendation about sharing informations across all exchanges. FINCEN is in charge of "enforcing" Travel Rule. BSA (Bank Secrecy Act) of 1996 was amended in 2012 to include all electronic funds transfer. I'm assuming it includes crypto and the threshold is $$3k or more.

I think crypto mixers falls under the definition of VASP (Virtual Asset Service Provider) and also includes exchanges. So I don't know if they are going to comply with this new rules or take the risk of being shutdown.

I guess there will be no privacy here, as the guidelines states that originator and receiver should exchange information. And the thing is, there will be a something to validate everything, a certificate authority (CA) to protect the communications between VASP.

https://i.ibb.co/M7GKTnR/Screen-Shot-2019-09-12-at-9-06-33-PM.png (https://ibb.co/9WVBXnq)
https://ciphertrace.com/wp-content/uploads/2019/08/TRISA-Enabling-FATF-Travel-Rule-V4.pdf

I think to some extent this is just an extension of KYC right? Their technology will only be flagged for movements greater than 3k

Can't say I'm surprised by that in the slightest.

What I would be interested to know is how an exchange or other service that has to yield to this would treat coins that come either from mixers that ignore this or are mixed crowd style a la Coinjoin. Would they be automatically obligated to reject them? Will there be a point where you need a completely unbroken trail to go anywhere near a centralised service?

It's same old fungibility question. Where does it begin and where does it end? I can see it becoming an impossible mess unless everyone's sensible.

the travel rule is not part of american law, so FinCEN does not enforce it.


the $3k threshold is only for "cash purchases of monetary instruments such as money orders, cashier's checks, and traveler's checks". it doesn't apply to cryptocurrency. FinCEN asserting that virtual currency falls under the BSA means that CTR and SAR do apply though. https://en.wikipedia.org/wiki/Bank_Secrecy_Act#Reports


as the DOJ and FinCEN discovered in 2017 when they came after BTC-E, they can't seize cryptocurrency. fiat exchanges are exposed to banking risks, but if the american government targets crypto-only businesses, they can remain as hidden services and/or spin up new clearnet domains, wallets fully intact. coming after mixers this way could be a game of cat and mouse they know they can't win. and three letter agencies hate looking powerless.

i think the american government is more likely to indirectly target mixers by implementing "know your customer's customer" standards like those seen in the FATF travel rule. basically, they'll pressure services to blacklist non-complying services like mixers. anyone who doesn't fall in line is at risk of adverse government action. the exchanges police themselves.

That's the million dollar question. For now, nobody really knows. To my knowledge, Gemini is the only service that specifically prohibits interfacing with mixers in their user agreement. I don't think they'll be the last, though.

Exchanges will likely take a risk-based approach, with a spectrum of different policies. The worst of them will do as Bitstamp already does -- demanding proof of source of funds for every satoshi deposited. Others may only flag accounts that deposit specifically dubious coins that are sent directly from DNMs and things like that.


Well, what's sensible?

Dunno. I was hoping you could help me out with that.

Stuff like the story about Coinmama shutting someone down for having a gambling transaction about 10-15 txs back is the type of thing that's worrying. I can get 1-2 tx away stuff that breaks terms and conditions, but if it was months and many wallets ago that's going to wind up nightmarish.

IMHO I think the technology will be able to track those 1x movements but won't really be alarmed until reoccurances of movements sets it off showing signs of money laundering. I think that's the entire premise behind what Ciphertrace is trying to create. A privacy preserving compliance tool

It sure is. I won't lie, this is probably going to end with lots of disgruntled exchange customers, frozen money, closed accounts, unexpected law enforcement investigations, etc. I've always been extremely careful to ensure that anything touching my Coinbase account is unimpeachable. Unfortunately with the way things are headed, we'll need to employ that sort of caution to most services -- maybe even lower tier exchanges registered in random island nations. You just never know.

Right, they going to like "flex" their muscle again, maybe ala BTC-E seizure most likely in the future. Interpol/EUROPOL also have this sort of mentality as in the case of Bestmixer.io last May.

I suggest everyone to brace yourself next year about this new regulations and policies. Maybe some exchanges will stay in their ground and try to protect themselves, but which pressures coming at all angle, just a matter of time before they succumb. And it will create a lot of mess, maybe exchanges will run to a supposedly safe haven countries, who knows.

I don't think the BTC-e seizure went at all like the US government was hoping. In many ways, it was an embarrassment. They weren't able to seize any funds up front, arresting Vinnik netted absolutely nothing, and BTC-e reemerged a month or so later. That experience probably showed the DOJ how difficult it is to target crypto services who are scattered across many borders, and who employ proper operational security. I believe the US government has wanted to take down Bitfinex for years -- the DOJ and CFTC have been investigating them since at least 2017 and probably earlier. That they haven't suggests that they can't, at least not yet.

Targeting mixers (who don't even touch fiat money) is even more problematic for governments. An honest mixer can easily recover from authorities shutting down clearnet domains or seizing servers. New infrastructure can be built within days and proper encryption would protect all customer funds in the meantime.

But the Bestmixer case -- and subsequent disappearance of BitBlender -- highlights the biggest problem for us: Law enforcement temporarily shutting down a mixer creates an opportunity for them to exit scam.

It sounds more like Ciphertrace's proposed TRISA is in place for exchanges to align with their KYC?

I am almost positive Ciphertrace's technology can still trace movements of transactions even after they've gone through a mixer

That's possible to an extent, particularly mixers that are using outdated and broken algorithms (https://bitcointalk.org/index.php?topic=5117328.0). However, if companies like Ciphertrace could conclusively break all mixers, governments would simply surveil mixers rather than trying to shut them down (https://cointelegraph.com/news/europol-shuts-down-200-million-crypto-mixing-service-bestmixer).

Either way, this is irrelevant to the larger point, which is: Governments can't shut down mixers. They can only shut down domains and seize servers. These are small, temporary setbacks.

Of course, nobody was arrested in the Bestmixer case. They just disappeared with everyone's money. Same with Bitblender. These were exit scams.

So people are going to self-police themselves even without legal pressure? :-\


I am not. It most likely depends on the mixer used and on each individual case.

After what Bitstamp, HitBTC, Changelly, Freewallet and others have done it's only common sense. Lots of services already employ selective KYC scams under the guise of similar AML regulations. We can only expect things to get worse as the regulatory burdens pile on.

In this environment, people should obviously avoid third parties wherever possible. Otherwise, they should at least be aware that every satoshi they've deposited might be put under a microscope, with proof of source of funds demanded for every bit.

I've long fucked off Bitstamp and not for one second did I ever entertain those other services mentioned.

I plan on only two routes back to fiat should I ever require it.

The first is OTC for significant amounts. Why anyone would use a bog standard exchange for a decent sum is beyond me. I do not intend to wind up as a ticket number with no way of accessing money. A competent OTC deal will sort any question marks before the exchange proceeds. That's the way ALL crypto to fiat services should operate with no exceptions.

For the day to day fripperies I'll stick with crypto debit cards. They may cost a little more but if they croak it's no big deal, they never go anywhere near my bank and nothing more than piddling sums is placed on them.

I find it weird that exchanges dominate everyone's thinking when they're the shittest and most dangerous option by a country mile.

Even I've never went through these services except HitBTC that wanted me to do KYC for no freaking reasons and being the shittiest of all exchanges, but I needed to give out my details just to get my money moved.



The best advantage in our hands here - I try to find reliable traders with broader background in the field of trading Bitcoins and trade with them only (directly) rather than transferring my coins to an exchange, waiting for the deposit to confirm, waiting for a trader to buy my coins (and that takes a lot of time because it's all done partially and not in one shot) and finally, the hassle of releasing them, all with the so-called KYC regulations to be abide by as there's "No KYC, No Trading allowed" policy here.


I'm afraid I can't get a debit card to use in my country knowing that the heat to stopping crypto here has taken an enormous form, but all I do for nominal things like buying groceries online to doing recharges and even paying my bills, I simply sell my BTC to the trader, give the bill details and/or number to recharge upon and get it done almost immediately without any issues.


Exchanges are dominating because they've got volumes (whether real or fake) and that's why they've taken over the OTC deals at a higher pace these days. I wouldn't prefer giving my details to any shady exchange (even the most reputed one) just because they won't let me withdraw my money, but would rather prefer going out of the box and remain private (not so safe if the trader turns out bad).

Yeah, it's nice that someone is trying to make it possible to comply with the requirements using cryptocurrencies. I think it what CipherTrace does can be very useful to exchanges and other businesses that don't won't troubles with the authorities. If we look at it from the user's standpoint, however, this is not a good thing, because there aren't many sponsors of terrorists or financial scammers among us, but we are required to give away so much data about us nevertheless. This is just not fair and also impractical to fight crimes. It would make more sense to come up with certain requirements, based on the analysis of the known cases of crimes, under which the travel rule should apply. Otherwise the investigators will just drown is data and be too tempted to use it for other purposes.

I know a few companies are working to aid in compliance. Although I find Ciphertrace's to make the most sense in regards to privacy