Why 21 Travel Rule Is Safer for Your Customer's PII
This July, the EBA published the spring edition of its risk assessment report (RAR), noting that European banks face their biggest operational risks in cyber and data security. Over half of EU-assessed banks stated they had been victims of at least one cyber-attack in the second half of 2023.
But EU banks are not alone; VASPs are vulnerable to the same risks, especially in the context of the Travel Rule. Because a person's activities are visible on the blockchain, the sensitive data collected and exchanged can reveal more financial detail than the VASP itself holds. Therefore, it is essential that VASPs employ robust cyber and data security measures.
Opting for an on-premises (on-prem) Travel Rule solution is a step in the right direction towards protecting your customer’s data and saving your company from a potential reputational nightmare. As the media repeatedly shows, when a data leak occurs, it is not the SaaS provider that takes the blame but the company that enlisted its services.
However, the EBA’s remarks are not the only factor VASPs need to weigh when considering an on-prem option. The recent CrowdStrike debacle and similar events further underscore the importance of such a solution.
Keep PII within Your Own Data Servers with an On-Premises Solution
The biggest advantage of an on-prem Travel Rule solution is the control it provides over your data. With SaaS solutions, personally identifiable information (PII) is stored outside the VASP’s (your) environment. Hosting the solution on your own servers will ensure that all customer PII remains within your organisation's infrastructure, minimising the risk of data breaches associated with third-party service providers and cloud-based solutions.
With complete control over the environment, you can implement stringent security measures tailored to your needs, ensuring your customer's PII is always protected.
At a 2024 FATF VACG meeting, the EU Commission even voiced its concern over cloud storage. It cautioned users of SaaS Travel Rule solutions to set up data protection contracts with great care. Therefore, it makes sense to opt for an on-premises solution, like 21 Travel Rule.
With 21 Travel Rule, VASPs retain complete control over stored customer data and can more effectively comply with jurisdiction-specific data protection policies. Data is not shared with the Travel Rule provider and remains as secure as the VASP's own handling practices.
Read: Evidence Shows You Shouldn't Go for a SaaS Travel Rule Solution
Eliminate the Middleman with Peer-to-Peer Transfers
Any external transfer of data increases the risk of interception or unauthorised access. In contrast, 21 Travel Rule minimises these risks by keeping all data transfers within the VASP's own secure infrastructure.
21 Travel Rule employs VASP-to-VASP transfers, eliminating the need for a middleman. By facilitating direct communication between VASPs, PII is transmitted securely and efficiently. This enhances the speed and reliability of transactions and significantly reduces the attack surface for potential cyber threats.
Only Transact with Trusted VASPs
To further strengthen the security of PII transfers, 21 Travel Rule supports transactions only with vetted VASPs. This vetting mechanism ensures that PII is shared exclusively with entities that have been vetted and approved. By maintaining a list of trusted (and verified) VASPs, you can mitigate the risk of data leaks and unauthorised access, ensuring that sensitive information is only exchanged in a secure and controlled manner.
Moreover, risks related to customers’ transactions received from or sent to jurisdictions subject to international sanctions remain the most relevant financial crime risks for financial institutions. The Travel Rule aims to solve this exact need for VASPs.
Although most firms focus on collecting data from their customers and rely on VASP networks for vetting counterparties, the key for compliance teams to mitigate financial crime risks is knowing their counterparties through proper due diligence. Transacting only with vetted, whitelisted and trusted firms lets them act on that due diligence.
Why Choose 21 Travel Rule
Banks, mining companies, and VASPs who take data protection seriously opt for an on-prem Travel Rule solution, like 21 Travel Rule.
Choosing an on-prem solution allows you to:
decide when data is physically deleted and data protection obligations are fulfilled;
be independent and not rely on the provider's availability and uptime to complete transactions;
prevent additional risks and points of failure.
An on-prem Travel Rule solution offers a robust framework for protecting your customer's PII while complying with regulatory requirements. By keeping data within your own servers, facilitating VASP-to-VASP transfers, leveraging inspectable technology, and restricting transfers to trusted VASPs, you can significantly enhance the security and privacy of sensitive information.
Data breaches are increasingly common; investing in a secure and transparent Travel Rule solution therefore makes sense. It is not just a regulatory necessity but a strategic imperative to safeguard your customer's PII and your organisation's reputation.
If you are concerned about the data risks Travel Rule compliance adds to your operations, talk to us and learn why we differ from the alternatives.