What Are the Regulatory Benefits of an On-premises Solution?
Not enough emphasis can be placed on the importance of an on-premises (on-prem) Travel Rule solution. As explained in a previous blog: Software-as-a-service (Saas) solutions are a double-edged sword - offering users benefits like reduced costs and deployment times but coming with the risk of data breaches, human error, phishing attacks and so forth.
The core of the Travel Rule is the sharing of delicate customer information—information that cannot fall into nefarious hands. The most effective way to mitigate this risk is to use an on-prem Travel Rule solution. Below, we explain the benefits of choosing an on-prem solution from a regulatory perspective.
Enhanced Data Security and Privacy Compliance
On-premise solutions, like 21 Travel Rule, store sensitive customer data on the VASP's own databases. Unlike a SaaS option, there is no third-party data storage, reducing the risk of data breaches or unauthorised access and aligning with GDPR and DORA requirements.
By keeping the data on-prem, the licensed software user is responsible for the level of security and can, therefore, implement stringent security measures tailored to their needs. This means complete control over their customer data, allowing for easier compliance with jurisdiction-specific policies.
Additionally, the GDPR requires timely reporting — 72 hours — of data breaches, with DORA requiring an initial notification within 24 hours. On-prem solutions allow for easier detection, control, and resolution of these breaches, ensuring regulatory timelines are met.
Read: How VASPs Can Ensure Data Protection and Security
Control Over Data Retention Policies
Many regulations, such as the TFR and GDPR, require specific data retention and deletion practices. On-prem solutions allow organisations to fully control these processes without being tied to third-party policies.
By choosing an on-prem solution, VASPs can decide when data is physically deleted once data protection obligations are fulfilled, can be independent, not rely on the provider's availability and uptime to complete transactions, and can prevent additional risks and points of failure.
Audit Readiness and Transparency
With an on-prem solution, VASPs have complete control over infrastructure and access logs and can provide regulators with precise, real-time insights into their systems, ensuring easier compliance audits.
21 Travel Rule allows VASPs to download transaction data at any stage of the transaction flow. It also enables VASPs to download all internal actions within the software, improving the trail of work and transparency.
Mitigation of Cross-Border Data Transfer Risks
By hosting data locally, VASPs can avoid potential breaches of cross-border data transfer laws (e.g., the Schrems II ruling under GDPR) that may arise when using cloud services hosted in foreign jurisdictions.
On-prem setups can be customised to meet the specific compliance requirements of local jurisdictions. For instance, some laws require data to remain within the country’s borders—on-prem solutions ensure compliance without relying on external hosting providers.
Reduced Workload and Time Saved
As explained previously, an on-prem solution eliminates the need for a SaaS provider. This also reduces the legal team's workload as it eliminates the drafting, sharing, and enforcing of complex data-sharing agreements.
For example, according to DORA Chapter V, Articles 28-44, VASPs must ensure that they have implemented effective risk monitoring procedures, which include detailed contracts and specific contractual arrangements covering exit strategies, audits, and performance targets for accessibility, integrity, and security.
With the implementation of frameworks like DORA, it makes little sense to opt for a SaaS solution due to the excess workload to comply. Orchestrating these multi-layered agreements with a SaaS provider is not straightforward. On the other hand, when VASPs store their data on-premises, the planning, implementation and enforcing of such processes is straightforward, with no extra due diligence needed for the specific Travel Rule system.
Another benefit of on-prem is the record-keeping component. Various implementations of the Travel Rule and data protection policies require meticulous record-keeping for extensive periods. This task is inherently easier with an on-prem solution as the data resides within the VASP’s servers; with the data on hand, the retrieval, reporting, and audit processes become quicker and simpler.
Parting Thoughts
SaaS solutions do offer an element of convenience like swift deployment and decreased implementation costs. However, frameworks like DORA and the GDPR make on-prem Travel Rule solutions a more practical choice as data is immediately available and stored securely in-house.
Ensuring enhanced data security and privacy compliance, control over data retention policies, audit readiness and transparency, the mitigation of cross-border data transfer risks and a reduced workload with overall time saved.
Learn more about 21 Travel Rule and how your VASP can make use of our DORA Agreement - request a demo, today.
