Shyft S.C.O.P.E

This section provides an overview of the Shyft Coalition Optimized Participant Exchange (SCOPE) system. SCOPE was designed as a smart-contract-mediated data coordination infrastructure, intended to provide a global discovery and validation ecosystem that addresses regulatory guidance issued by the Financial Action Task Force (FATF).

FATF Travel Rule

This past summer, the Financial Action Task Force issued guidance requiring Virtual Asset Service Providers (VASPs) to share Personally Identifiable Information (PII) and Know Your Customer (KYC) data for the sending and receiving users before executing transactions.

This guidance, called the Travel Rule, is enforced in the traditional finance space between counterparties such as banks who use SWIFT for both transaction settlement and identity data sharing.

Key Stakeholders

Financial Action Task Force: Intergovernmental organization that focuses on the development of policies to combat money laundering and terrorism financing. It monitors progress in implementing the FATF Recommendations through “peer reviews” (“mutual evaluations”) of member countries; it also maintains two lists of nations depending on their level of compliance or adherence to AML regulation and controls: FATF Blacklist and FATF Greylist.

VASPs: any entity engaged in digital asset custody

  • Cryptocurrency exchanges
  • Non-custodial wallets
  • OTC desks
  • Brokerage firms
  • Etc.

User Transactions To and From Exchanges Today

  1. Alice is a VASP1-Ex user. Alice wants to send 1 BTC to Bob. Bob is a TurkeyEx user. VASP1-Ex does not know that Bob is a TurkeyEx user, and TurkeyEx does not know that Alice is a VASP1-Ex user.
  2. Alice inputs Bob’s TurkeyEx BTC address in VASP1-Ex, and initiates a withdrawal request.
  3. VASP1-Ex processes the transaction on Alice’s behalf, and Bob receives BTC in his TurkeyEx BTC wallet.

Throughout this process, VASP1-Ex has no idea where Alice is sending BTC, and TurkeyEx has no idea where Bob is receiving BTC from.

Assuming TurkeyEx and VASP1-Ex are both using blockchain analytics services, such as Chainalysis, the two exchanges may be aware (read: able to identify) that their entities are exchanging BTC. But then again, maybe not: addresses are changed frequently, for example. The two exchanges are not required to collect destination/origination information prior to processing transactions on behalf of their users.

Example of the problem: User Transactions To and From Exchanges Under the FATF Travel Rule Guidance

  1. Alice is a VASP1-Ex user. Alice wants to send 1 BTC to Bob. Bob is a TurkeyEx user. VASP1-Ex does not know that Bob is a TurkeyEx user, and TurkeyEx does not know that Alice is a VASP1-Ex user.
  2. Alice inputs Bob’s TurkeyEx BTC address in VASP1-Ex, and initiates a withdrawal request.

VASP1-Ex is in a difficult situation as it’s now responsible for somehow discerning the following information:

Identifying the receiving VASP

  • Who is the receiving entity?
  • Is the receiving entity a VASP? How does VASP1-Ex validate that it is a real exchange?
  • If the receiving entity is a VASP, VASP1-Ex will be required to share and receive PII pertaining to users participating in this transaction. How can VASP1-Ex find out if the receiving entity is a VASP?

Establishing communications with the receiving VASP

Assuming VASP1-Ex identifies that the receiving address belongs to a TurkeyEx account, VASP1-Ex must now establish a connection with TurkeyEx. How?

Data sharing between VASPs

Assuming VASP1-Ex establishes a line of communication with TurkeyEx, the two exchanges will have to decide to share their users’ PII.

  • What channel will they use to share this data to ensure it isn’t vulnerable in the transfer process?
  • How does VASP1-Ex decide if TurkeyEx is trustworthy, and will take care to custody Alice’s PII securely? How does VASP1-Ex verify TurkeyEx’s compliance with international standards of AML, CDD, etc.?
  • Does Alice have any say in executing this transaction? Does she have a right to know how her data will be custodied, or to stop the transaction from occurring at this point?
  • Will VASP1-Ex be liable if TurkeyEx exposes Alice’s PII? Who will be liable?
  • Do VASP1-Ex and Alice have a say in how TurkeyEx uses Alice’s data? Is TurkeyEx allowed to reach out to Alice, attempting to onboard her as a user? Can TurkeyEx now sell Alice’s data to data markets?

The issues with coordination, user address discovery, VASP discovery, data security, and liability/risk presented by the FATF Travel Rule guidance are enough to put exchanges out of business.

The Shyft Network FATF Travel Rule Solution

Shyft Network acts as a coordination and discovery layer for global VASPs. Shyft Network is partnering with the most trusted VASPs in the crypto space who will act as the first set of data custodians on the network; these VASPs will work together to:

  • Form and manage semi-trusted VASP coalitions
  • Pre-validate each VASP’s compliance and custody procedures
  • Pre-determine rules of doing business, such as which external, encrypted channels will be used to share user PII
  • Authenticate their users onto Shyft Network, generating key-pair attestations against user PII, and giving users transparency into and consent over their PII flows
  • Whitelist exchange addresses and privacy-preserving individual PII data attestations on a shared registry internal to the coalition
  • Develop procedures for validating user compliance with KYC/AML standards
  • Leverage Shyft APIs to enable encrypted communication

Other, smaller exchanges that are not part of the initial Shyft Network group of partners can also set up coalitions with their semi-trusted partners to comply with the Travel Rule. Coalitions can all communicate with each other, and set up the same business rules and procedures interoperably across coalitions.

Importantly, Shyft infrastructure does not hold or facilitate send/receive of any private or regulated data.

Also, current transaction systems don’t give users the ability to see and control how their data moves after the required PII has been sent. Compliance with the FATF rule is one thing, but once that’s done, any further sharing, for example an exchange that has received your PII selling it to data market brokers (ad agencies, etc.), should require the user’s direct consent. Shyft Network is built with consent as a key pillar and the starting point of PII data transactions; users remain in control of who can access their data, and for how long.