
How the TRP Travel Address Solves the FATF Travel Rule

08 Sept, 2021
Updated: 30 Oct, 2023

In the previous post, we talked about what problems the Travel Address solves. Here, we’ll have a better look at how it does that.

Similar to a Bitcoin address, a Travel Address looks like an opaque string of characters:

ta6MNBj2u4art71gN99C6xniYrNfDUF26QgZHdXwd6zzYsvk1S6M5A15K2REHRULnZHnJs88

It is not opaque, however. The Travel Address, inspired by the LNURL standard, is a base58check-encoded URL that helps the VASP make a Travel Rule compliant transaction. Our example Travel Address encodes this URL:

beneficiary.com/implementation/defined/path?t=i

It is now immediately evident that the beneficiary VASP is "beneficiary.com". The originating VASP now knows who the beneficiary VASP is.

Using the Travel Rule Protocol (TRP) standard, the VASP can now call the decoded URL. In essence, the response sent by the beneficiary VASP contains a cryptocurrency identifier and an address, encoded in a JSON document, for example:

{
    "approved": {
        "address": "some payment address",
        "callback": "https://beneficiary.com/implementation/defined/path/for/transferConfirmation"
    }
}

With both the beneficiary VASP and cryptocurrency address now available to the originating VASP, it can send the virtual asset (in the example above, Bitcoin) and the required FATF Travel Rule information under the condition that the remainder of the TRP endpoints reside on the same domain. A TRP compliant implementation will ensure this.

The base58 encoding does not prevent the user from tampering with the URL, which should not be changed because it holds the crucial Travel Rule information. In the worst case, the originator VASP can be tricked into calling an arbitrary URL. The originating VASP can prevent or mitigate this by creating a whitelist of domains or applying a set of heuristics, such as verifying a TLS certificate. Alternatively, the request can be parked for a compliance officer to check. Again, no assumptions are necessary for the Travel Address to work. The freedom to do business as the VASP sees fit is maintained.
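The domain check described above, sketched from the originating VASP's side as an added example (not code from the TRP specification or from this post's author). It assumes the layout is a literal "ta" prefix followed by the base58check of the URL without its scheme, with a double SHA-256 checksum and https as the scheme; the allowlist and helper names are constructed. The checksum only catches accidental corruption, so a re-encoded address with another host decodes cleanly and is stopped by the allowlist alone.

```python
import hashlib
from urllib.parse import urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ALLOWED_HOSTS = {"beneficiary.com"}  # constructed allowlist of known VASP domains

def _checksum(payload: bytes) -> bytes:
    # base58check: first 4 bytes of double SHA-256 over the payload
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad base58check checksum")
    return raw[:-4]

def make_travel_address(url_without_scheme: str) -> str:
    # Assumed layout: literal "ta" + base58check(URL without scheme)
    return "ta" + b58check_encode(url_without_scheme.encode("ascii"))

def resolve_travel_address(ta: str) -> str:
    """Decode, then refuse any host that is not allowlisted before calling it."""
    if not ta.startswith("ta"):
        raise ValueError("not a Travel Address")
    url = "https://" + b58check_decode(ta[2:]).decode("ascii")
    # Compare the parsed hostname, not a string prefix, so that
    # "beneficiary.com@other.example" and "beneficiary.com.other.example" fail.
    host = urlsplit(url).hostname
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"{host!r} not allowlisted; park for compliance review")
    return url
```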

Written by:
Harm Aarts
Senior Software Engineer