On-Prem Solutions Trump SaaS for Sensitive Travel Rule Data
If you work for a company that offers crypto services, you have probably heard of the Travel Rule. That is a new recommendation from the global financial watchdog, the FATF, that requires the exchange of personal information between virtual asset service providers (VASPs).
With new requirements, new solutions are needed: is your company building one in-house, subscribing to a Software-as-a-Service (SaaS) offering, or deploying an On-Premise (On-Prem) solution? If you are not building your own solution, your choices are either On-Prem or SaaS.
Let’s have a look and see which is the best solution for the hottest compliance challenge in crypto right now: the FATF Travel Rule.
It is clear that the distinct approaches have their pros and cons depending on the use of the products. However, for the exchange of very delicate information, which is the exact case when it comes to the Travel Rule, a SaaS isn’t the ideal solution. Here’s why:
Why You Need an On-Premises Travel Rule Solution
The idea of a SaaS offering is that the VASP does not need to install or run any programs. Instead, the SaaS provider takes care of everything, while allowing the VASP's team to access and manage it through the web. This obviously makes the data shared with such a solution visible to the SaaS provider: they own the database and run the program, while the VASP only uses it, so using it means sharing information with them. This is why SaaS offerings can have a price per transaction: they know how many transactions your company has made over a certain period, since they can see everything you have entered into their Travel Rule solution.
While different jurisdictions have different levels of severity in their crypto regulations, the general requirements are similar - in accordance with the Travel Rule, sensitive information about the Beneficiary and Originator needs to be exchanged between VASPs when virtual assets (VAs) are transacted.
Sensitive is the keyword here - this information is private and delicate. It is the kind of information you, a crypto holder, don’t want floating around in somebody else's systems; it is your full name, your home address, the amount of funds you sent or received, with whom you transacted, your date of birth, and more. Furthermore, it is the type of information you, a compliance officer, should be extra careful about sharing with a third-party provider if you value your company's and your customers' privacy.
If this is your case, then on-premise is the only way. Last month, we saw further proof as to why SaaS isn’t the way to go for VASPs: whenever data is shared with a third party, the leakage risk is amplified. This needs to be balanced: an on-premise solution may take a bit more time to set up in the beginning, and it may also need to be discussed with your IT team. But it definitely gives you the safety of keeping your data visible only to the essential parties involved.
Apart from the risk of breaches, with enough data, a software provider is able to generate intelligence and maybe even profit off your information. Hence, giving up your company's and your customers' privacy can have business impacts, as well as affect your legal efforts related to GDPR.
21 Travel Rule is an On-Prem solution that has everything you need under one roof. Not only will you be able to review all transactions in one place, but you will also be able to send transaction notifications, verify self-hosted wallets (unhosted wallets), and manage counterparty VASPs.
If you are a VASP who is concerned about privacy, contact us today to discuss how to implement 21 Travel Rule.