How VASPs Can Ensure Data Protection and Security

15 Jan, 2025

Due to the nature of the Travel Rule - the exchange of data in digital asset transactions - VASPs cannot overlook the importance of having the appropriate channels to ensure data protection and security for their customers. Moreover, with DORA, these aspects are further highlighted. 

A comparison between data protection and security will be provided below, along with tactics VASPs can apply to safeguard themselves, the company, and their customers. 

What Is Data Protection? 

Data protection focuses on how an entity collects, shares, and uses data. One key aspect of data protection is ensuring data is handled according to regulations, such as the GDPR in the EU. 

The GDPR governs how entities are to protect and manage collected personal data. This includes general rules, principles, data rights of individuals, the responsibilities of data controllers and processors, how this data is to be shared with countries outside of the EU, cooperation between EU countries, supervisory authorities, solutions, penalties for rights violations, and other final provisions.  

What Is Data Security? 

Data security entails safeguarding data from leaks, cyber threats, unauthorised usage, and other similar risks. It requires implementing technical measures to prevent these risks. Data security is driven by frameworks like DORA.

DORA has 5 pillars designed to aid financial institutions in mitigating risks. These include information and communication technology (ICT) risk management, ICT-related incident reporting, digital operational resilience testing, the management of ICT third-party risks, and information sharing. 

| | Data Protection | Data Security |
|---|---|---|
| Focus | The correct handling, sharing and storing of data. | Protecting data from cyber-attacks and leaks. |
| Regulatory Basis | Examples include GDPR and FADP. | Driven by frameworks like ISO 27001 and DORA. |
| Scope | User rights and data governance. | Examples include firewalls, data encryption, and operational resilience testing. |

How VASPs Can Ensure Data Protection and Security 

Choose An On-premises Solution 

Choosing an on-premises (on-prem) Travel Rule solution is already a step towards safeguarding customer data. Moreover, it shields your company from potential reputational damage: As repeatedly shown in the media, when a data leak occurs, it is not the SaaS provider who takes the blame but the company that used its services.

A Travel Rule solution has to be on-prem. These solutions are less susceptible to breaches because no data is shared with providers or third parties without the VASP's explicit consent. With everything handled in-house, only the transacting parties have knowledge of the executed transactions, ensuring maximum protection and control.

Additionally, unlike SaaS solutions, which often store vast amounts of client data in centralised databases that are shared across hundreds of VASPs—making them prime targets for cybercriminals—on-prem solutions keep all data separated securely on the VASP’s own servers, making it a less lucrative target for attackers.

Ensure Robust Data Protection Practices 

VASPs handle highly sensitive information, including personally identifiable information (PII) of the transaction originator and beneficiary. This data becomes vulnerable to breaches, theft, and misuse if improperly managed. Ensuring robust data protection protocols helps prevent these attacks. 

As cybercrimes become more prevalent in the crypto ecosystem, advanced security measures, such as encryption, secure data storage, and multi-factor authentication, must be implemented correctly. 

21 Travel Rule Ensures Data Protection and Security

21 Travel Rule Is Run On-Premises. 

As 21 Travel Rule is an on-prem solution, data breaches are minimised and VASPs are guaranteed complete control of their stored customer data, ensuring compliance with jurisdiction-specific data protection policies. 

By enabling direct VASP-to-VASP transfers, intermediaries are eliminated, facilitating secure, direct communication. This approach enhances transaction speed and reliability while significantly reducing the potential attack surface for cyber threats.

21 Travel Rule Ensures Robust Data Protection Practices 

21 Travel Rule allows transactions only with vetted VASPs. This vetting mechanism ensures that sensitive information is shared only with trusted, verified entities, mitigating data leaks or unauthorised access risks.

When receiving a transaction from an unknown VASP, the software automatically identifies and adds it to the counterparty VASP list. The newly added VASP is classified as “untrusted,” allowing the compliance team time to complete their due diligence processes before transacting with that counterparty, as required by regulations. 

Furthermore, 21 Travel Rule allows VASPs to exchange transaction information with counterparties that are not yet Travel Rule ready via encrypted emails.

Learn how 21 Travel Rule can ensure data protection and security for your VASP.  

Written by: Nicole, Content & Social Media Manager