
Envoy FAQ for Compliance & Product Teams

This FAQ is designed for compliance, legal, and product teams. Technical documentation is available at trisa.dev.

THE BASICS 

What is Envoy?

Envoy is a secure messaging tool designed for travel rule data exchanges, ensuring compliance using the TRISA (Travel Rule Information Sharing Architecture) and TRP (Travel Rule Protocol) protocols.

What is the Travel Rule?

The Travel Rule is a regulation from the Financial Action Task Force (FATF) that mandates Virtual Asset Service Providers (VASPs) to collect and share specific customer information for cross-border transactions to prevent money laundering and terrorist financing.

What are TRISA and TRP protocols?

  • TRISA (Travel Rule Information Sharing Architecture): A peer-to-peer protocol that enables VASPs to securely share Travel Rule information, providing a standardized approach to data exchange and verification, through the use of a certificate authority and public-key encryption.
  • TRP (Travel Rule Protocol): A peer-to-peer protocol designed to facilitate the technical implementation of the Travel Rule in a decentralized manner, ensuring secure and compliant information exchange, through the use of unique travel addresses.

TRISA and TRP developed a “bridge” that allows for seamless travel rule data exchanges between the protocols, demonstrating commitment to interoperability. TRISA and TRP seek to provide a common “language” VASPs use to transmit confidential travel rule information to their counterparts. 

Who is Rotational Labs?

Rotational is the technical implementation partner for TRISA. Rotational has been working with the TRISA Working Group since 2020 to translate the TRISA protocol and white paper into code. Rotational publishes open source code to TRISA’s GitHub repository. Rotational has built, deployed, and maintained TRISA’s Global Directory Service (GDS) and Envoy.

Who can use Envoy?

Envoy is intended for VASPs, including cryptocurrency exchanges, wallet providers, payment service providers (PSPs), money service businesses (MSBs), and other entities involved in the transfer of digital assets.

How does Envoy ensure compliance with the Travel Rule?

Envoy ensures compliance by:

  • Utilizing TRISA and TRP protocols for secure data exchange of PII
  • Encrypting data end-to-end
  • Verifying the identity of involved VASPs
  • Maintaining an audit trail of all transactions
  • Long-term secure storage of PII for compliance audits

DATA SECURITY & PRIVACY

What is a secure envelope?

A secure envelope is an encrypted message containing the identity and transaction data required to comply with the travel rule. Secure envelopes have multiple layers of encryption to protect PII. Secure envelopes rely on public key infrastructure, i.e. the use of public and private keys.

What kind of data is exchanged using Envoy?

Envoy allows counterparties to send and receive secure envelopes. Secure envelopes contain required customer information (PII) for travel rule compliance, including:

  • Identity information using the IVMS101 standard (depends on jurisdiction)
    • Originator’s name, account number, date of birth, physical address, national identity number
    • Beneficiary’s name and account number
  • Transaction information such as asset type, amount, network, etc. 

How does Envoy ensure data security?

Envoy ensures data security through:

  • End-to-end encryption of all exchanged data
  • Use of secure envelopes that have multiple layers of encryption 
  • Verification processes for the authenticity of VASPs
  • Secure transmission channels to prevent unauthorized access and data breaches
  • Encrypted long-term data storage 
  • User managed keys

How many secure envelopes are involved in a typical transaction?

The minimum number of secure envelopes is two, but that almost never happens. Typically, you will see a sequence of six secure envelopes in a normal flow. This includes an initial message, pending review, additional detail request, pending reply, and final acceptance to complete the transaction. 

The goal of a Travel Rule information exchange is for both the originator and beneficiary counterparties to have exactly the same PII data for an on-chain transaction, cryptographically signed to mathematically verify that the data has not been tampered with by either party.

The number of secure envelopes can vary depending on jurisdictional requirements but will always be an even number. For example, if the beneficiary VASP operates in a jurisdiction that requires date of birth (DOB), but the originator VASP did not include DOB in the original envelope, the beneficiary VASP can request a repair to the original secure envelope, which generates a new secure envelope. The more repairs needed in a transfer, the more secure envelopes will be exchanged.

In the event a regulator requests data about a transfer, what do I show them? 

You present the last secure envelope. This ensures both parties have the same exact data, digitally signed for non-repudiation, proving cryptographically that the data has not been tampered with.
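The round-trip behaviour described in the two answers above (every repair adds a pair of envelopes, so the count stays even, and the last envelope is the record both sides hold) can be illustrated with a small simulation. This is an added example, not Envoy's or TRISA's code: the jurisdiction field requirements, the use of the FAQ's status names for each step, and the SHA-256 digest used to compare what each side holds are all assumptions made for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample table: originator identity fields each jurisdiction
# demands. Real requirements come from the regulator, not from this table.
REQUIRED_FIELDS = {
    "A": {"name", "account_number"},
    "B": {"name", "account_number", "date_of_birth", "address"},
}

# Constructed sample data, not real PII.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "account_number": "ACC-0001",
    "date_of_birth": "1990-01-01",
    "address": "1 Sample Street",
}
SAMPLE_TRANSACTION = {"asset": "BTC", "amount": "0.5", "network": "bitcoin"}


@dataclass
class Envelope:
    seq: int        # position in the exchange, 1-based
    sender: str     # "originator" or "beneficiary"
    status: str     # illustrative use of the statuses listed in the FAQ
    payload: dict   # identity and transaction data, or a repair request


def digest(payload: dict) -> str:
    """SHA-256 over a canonical JSON form, so the two sides can compare
    what they hold without comparing field by field."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_payload(record: dict, fields: set, transaction: dict) -> dict:
    """The originator includes only the identity fields it currently knows
    to be required; everything else stays in its own systems."""
    return {
        "originator": {k: record[k] for k in sorted(fields) if k in record},
        "transaction": transaction,
    }


def run_exchange(record, transaction, orig_jurisdiction, benef_jurisdiction):
    """Simulate one transfer. Each round trip adds exactly two envelopes,
    one from each side, so the total is always even."""
    envelopes = []
    fields = set(REQUIRED_FIELDS[orig_jurisdiction])
    first = True
    while True:  # terminates: a repair either adds the missing fields or is refused
        payload = build_payload(record, fields, transaction)
        envelopes.append(Envelope(len(envelopes) + 1, "originator",
                                  "started" if first else "pending", payload))
        first = False
        missing = sorted(REQUIRED_FIELDS[benef_jurisdiction] - set(payload["originator"]))
        if not missing:
            # Beneficiary accepts by returning the identical payload.
            envelopes.append(Envelope(len(envelopes) + 1, "beneficiary", "accepted", payload))
            return envelopes
        if any(f not in record for f in missing):
            # Originator cannot supply the data, so no repair is possible.
            envelopes.append(Envelope(len(envelopes) + 1, "beneficiary", "reject",
                                      {"missing": missing}))
            return envelopes
        # Repair request: names the fields the beneficiary's jurisdiction needs.
        envelopes.append(Envelope(len(envelopes) + 1, "beneficiary", "repair",
                                  {"missing": missing}))
        fields |= set(missing)


def final_digests(envelopes):
    """Digest of the last envelope each side sent. They match only when the
    exchange ended in acceptance, which is the record shown to a regulator."""
    return {env.sender: digest(env.payload) for env in envelopes}


if __name__ == "__main__":
    envs = run_exchange(SAMPLE_RECORD, SAMPLE_TRANSACTION, "A", "B")
    for env in envs:
        print(env.seq, env.sender, env.status)
    print("envelopes:", len(envs), "final digests:", final_digests(envs))
```

In the sample run the beneficiary's jurisdiction requires two fields the originator's does not, so the exchange takes four envelopes; when the originator simply lacks a required field it ends after two with a rejection.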

What are the different status types for secure envelopes? What will be the status of a transaction if I select “reject and repair”?

The transaction status for reject and repair will indicate that action is needed on the envelope. Statuses for secure envelopes include: unspecified, started, pending, reject, repair, accepted, completed, or errored.

How can I be sure that a secure envelope that I receive has not been tampered with?

Each secure envelope has its own encryption key and HMAC secret, ensuring high security and non-repudiation. HMAC stands for Hash-based Message Authentication Code. It’s a type of security mechanism that combines a cryptographic hash function with a secret key to ensure the integrity and authenticity of a message. In simpler terms, it’s like a digital fingerprint that helps verify that the message hasn’t been tampered with and comes from a trusted source.

Envoy performs HMAC verification on your behalf. TRP messages are encrypted as secure envelopes by the TRISA bridge. 

What happens if an HMAC is not valid?

If an HMAC (a security code) is not valid, the system automatically rejects the transfer. When this happens, the system does not include an HMAC in the error or rejection messages.

If you come across a transaction with an invalid HMAC, first check if it’s an error message. If you’re unsure, you should reach out to support for help.
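The HMAC check described in the last three answers, as an added illustration that is not Envoy's code: a fresh HMAC-SHA256 secret per envelope, constant-time verification, automatic rejection of a tampered envelope, and a rejection message that carries no HMAC, so a missing tag on an error message is not by itself a sign of tampering. The message layout and the `triage` function are assumptions for the example. The encryption layer is not modelled: in a real secure envelope the HMAC secret is sealed to the recipient's public key, so a party altering the ciphertext cannot recompute a valid tag; here the receiving side is simply handed the secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    body: bytes               # payload as it travels (ciphertext in a real envelope)
    tag: Optional[bytes]      # HMAC-SHA256 over body; None on error/rejection messages
    is_error: bool = False


def new_hmac_secret() -> bytes:
    """A fresh secret for every envelope, so nothing learned about one
    envelope's secret helps with any other."""
    return secrets.token_bytes(32)


def seal(body: bytes, secret: bytes) -> Message:
    """Sender side: attach the HMAC-SHA256 tag computed over the body."""
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return Message(body, tag)


def error_message(reason: str) -> Message:
    """Errors and rejections carry no HMAC, as the FAQ describes."""
    return Message(reason.encode(), None, is_error=True)


def verify(message: Message, secret: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    A plain == comparison would leak how many leading bytes matched."""
    if message.tag is None:
        return False
    expected = hmac.new(secret, message.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, message.tag)


def triage(message: Message, secret: bytes) -> tuple[str, Optional[Message]]:
    """Decision the receiving node makes for an incoming message.
    Returns the outcome and, on rejection, the reply to send back."""
    if message.is_error and message.tag is None:
        return "error_message", None          # legitimate error: no HMAC expected
    if verify(message, secret):
        return "accepted", None
    # Invalid tag: reject automatically. The reply contains no HMAC.
    return "rejected", error_message("hmac verification failed")


if __name__ == "__main__":
    secret = new_hmac_secret()
    genuine = seal(b'{"originator":"Alice Example"}', secret)   # constructed sample body
    print(triage(genuine, secret))
    # Same tag, altered body: the recomputed tag no longer matches.
    tampered = Message(b'{"originator":"Mallory Sample"}', genuine.tag)
    print(triage(tampered, secret))
    print(triage(error_message("counterparty timeout"), secret))
```

The `triage` function follows the order the FAQ gives a compliance officer: first decide whether the message is an error message (which legitimately has no HMAC), and only then treat a failed verification as grounds for rejection.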

Does the TRP protocol also have the same form of security that the TRISA network has?

TRP uses TLS v1.3 for encryption in transport and can require mTLS for mutual authentication. However, TRP does not guarantee the same level of security as TRISA. Envoy stores all messages as secure envelopes regardless of the protocol.

IMPLEMENTATION

How long does it take to implement Envoy?

Time to implementation depends on the implementation option selected by a VASP and on whether the VASP is a current member of TRISA.

Open Source: If a VASP elects for the open source self-hosted node, then the VASP can download the source code and begin configuring Envoy for its backend and use cases immediately. In addition, the VASP will have to register with TRISA’s Global Directory Service (GDS) to receive X.509 identity certificates. X.509 identity certificates are tied to the endpoints provided by the VASP, ensure data is encrypted in flight, and prevent errant data transfers. We estimate it takes 2-4 sprints (4-8 weeks) to configure, integrate, test and deploy Envoy.

Managed Service: If a VASP elects for the managed service and is a TRISA member, Rotational will host the VASP’s Envoy instance and we estimate it takes 2-3 days to be operational. If the VASP is not a TRISA member, then we estimate it will take an additional 2-3 days to complete the VASP validation and verification process to become a TRISA member.  

What is the relationship between TRISA’s Global Directory Service (GDS) and Envoy?

TRISA’s GDS is a network of trusted VASPs verified by the TRISA VASP Certificate Authority (TVCA). The GDS consists of two separate networks: TestNet and MainNet. Upon completing the verification process, TRISA issues X.509 identity certificates for the endpoints provided for each network. It’s important to note that the networks are separate and require separate identity certificates. Currently, there is no cost to register for TestNet and MainNet certificates.   

Envoy requires TRISA identity certificates for implementation. The identity certificates enable encryption in flight and protect against errant data transfers. In the event a data transfer is sent to the wrong counterparty, it is not possible for the counterparty to read the data.

What do I have to do and what is my responsibility if I elect for the Envoy open source self-hosted node?

If a VASP elects for the open source self-hosted node, at a minimum the VASP will have to:

  • Download the source code and docker image
  • Review the documentation to set up the service and endpoints
  • Register with TRISA’s GDS to obtain identity certificates 
  • Integrate it into backend compute and storage systems
  • Test and deploy the node
  • Support and maintain the node
  • Manage and rotate encryption keys
  • Manage storage to comply with local data retention laws

What do I have to do and what is my responsibility if I elect for the Envoy managed service?

If a VASP elects for the managed service, it will have to sign a standard managed service agreement (MSA) and a data protection agreement (DPA) with Rotational Labs. Rotational will then obtain identity certificates, set up secure endpoints, and deploy the Envoy service for your VASP. Rotational will also provide secure data storage, key management, and continuous support.

It is possible to start with the managed service and transition to the open source self-hosted node at a future point in time.      

How does Envoy handle DeFi exchanges or exchanges with self-hosted/unhosted wallets?

Envoy is designed and built for VASP-to-VASP data transfers. For DeFi or self-hosted wallets, the approach is different from traditional VASP exchanges. Typically, VASPs require the owner of the wallet to prove control over the wallet. Common methods include depositing small amounts of crypto into their wallet and verifying those amounts, or sending an encrypted token with the wallet’s public key and having it decrypted to prove control over the private key. While Envoy does not provide KYC services, it works with providers like iComply, Ospree, and Chainalysis, who are considering creating plugins for Envoy. This means for self-hosted wallets, you will need to follow these verification methods and inform regulators accordingly.

Does Envoy solve the “sunrise” issue, i.e. the case where a counterparty VASP has not yet implemented the travel rule?

Currently, there is no “sunrise” functionality in Envoy. However, an upcoming release will include the ability to send an email to a counterparty requesting information to complete the data transfer. At that point, the counterparty will have to decide whether to respond.

USER EXPERIENCE

How do I handle transactions with non-responsive VASPs?

For non-responsive VASPs, the common practice is for compliance officers to review transactions periodically, typically once or twice a week. If a VASP on the TRISA network is not behaving correctly, TRISA can take action to remove them from the network.

How long does it take to accept a transfer? Is there a wait time?

The wait time to accept a transfer depends on the policies implemented by a VASP using Envoy. With Envoy, VASPs can implement auto-acceptance policies if they transact frequently with a counterparty or have a legal agreement in place. In such instances, transfers are “real-time”. Other VASPs may prefer to manually approve data transfers, in which case there will be a self-imposed wait time.    

What if I receive a transfer from a VASP outside of TRISA? Can I see it or accept it? 

If the counterparty uses TRP, it is possible to receive a transfer from a VASP outside of TRISA. VASPs can accept it, though the VASP will have to accept the risk of receiving transfers from non-TRISA counterparties. If the counterparty does not use TRISA or TRP, then it is not possible to receive or accept a travel rule data transfer. 

Both TRISA and TRP are open to interoperability with other travel rule protocols and solutions. TRISA is interoperable with proprietary travel rule solutions provided by Ospree and Sygna. TRISA is in discussions with other proprietary travel rule solutions about interoperability. 

What happens if the transfer is with a counterparty that is not in the TRISA network?

If the counterparty is not in the TRISA network, but is in the TRP network, you can select the TRP protocol. TRP VASPs require a travel address for transactions. If the counterparty does not support either TRISA or TRP, then it’s not possible to complete a data transfer using Envoy. As stated previously, TRISA and TRP are both open protocols and are open to interoperability with other solutions. 

What feedback is going to come back to my VASP if the counterparty has not implemented the travel rule?

This refers to the “sunrise” issue. Envoy does not currently provide specific feedback for counterparties that have not implemented the travel rule. However, an email functionality for transactions with non-compliant counterparties is planned for a future release.

Does Envoy generate travel addresses for pre-screening?

Yes, your node will generate travel addresses. The travel address is a URL used globally across TRISA and TRP networks. The travel address utility in Envoy can decode these addresses to identify counterparties.

Do we need to keep sending requests to get a new envelope for verification each time, even if we’ve already done it before, or can we use a whitelist instead?

Envoy is working on auto-accept and auto-reject policies to streamline repeat transactions. You can create whitelists and blacklists on a per VASP and per customer basis to avoid redundancy.

Can we cache wallet information locally if we receive transfers for the same wallet address that has been previously KYC’d?

Yes, caching this data locally is feasible. Envoy will support auto-accept policies for repeat transactions with known counterparties. This ensures the same data does not need to be resent if previously verified.

Can the auto-send feature work for situations where it’s the same person sending money between their own wallets within the same country?

The travel rule does not apply to transactions within the same country. However, for international transfers, the auto-send feature can work if the counterparty has auto-accept policies enabled.

How do other VASPs deal with situations where a VASP might not respond?

Other VASPs often review transactions once or twice a week in batches. Non-responsive VASPs can be contacted directly via email. TRISA can take action against non-compliant VASPs on the network.

Does every transaction that comes back from the counterparty get populated in the dashboard?

Yes, every transaction, whether sent through the API or received via TRP or TRISA nodes, will appear on the dashboard. This ensures that all transactions are visible and manageable through the user interface.

Is the API going to handle exceptions that are going to be in the dashboard for the compliance officer to look at and manually approve and reject? Or does everything that is sent appear on the dashboard?

Everything that goes through Envoy will show up on the dashboard. This includes transactions handled via API and those received through the nodes. Both manual and automated handling of transactions will be visible.

Where will it show us the difference between transactions that have gone via the TRP protocol or the TRISA protocol?

Currently, the user interface does not distinguish between TRP and TRISA protocol transactions, but this metadata is available in the API. Future updates will include this distinction in the user interface.

Is there an independent way of validating if exchanges or wallets are within the same country?

Envoy does not interact with chains or perform chain analysis. Moreover, the travel rule does not apply to in-country transfers. Other services provided by KYV providers such as iComply, Ospree, and Chainalysis are recommended for such validation, as they can provide information on node processing locations and other relevant data.

Can an external party get a transaction ID on the TRISA network and validate or verify if it was screened or not?

No, the TRISA network does not store travel rule checks on-chain. Validation and verification are handled internally within the VASP’s system, not accessible to external parties.

What happens to all of your ledger transfers within a trusted network or within your own vault structure because there’s no on-chain data passing through that?

Envoy provides an audit trail for all transactions. Even if data is not stored on-chain, secure envelopes in Envoy create a detailed record that can be presented to regulators.

Can we show the regulator the data even if it’s not on-chain?

Yes, you can show regulators the data stored in Envoy’s secure envelopes. This audit trail will include all necessary details, even if not stored on-chain.

What is the difference between the travel rule checks being stored on-chain versus off-chain?

Travel rule checks are not stored on-chain in the TRISA network. They are stored within the VASP’s system in secure envelopes. On-chain storage would expose private information, which Envoy avoids.

Can auto-send work for transactions from a local wallet to an international wallet within the same person’s account?

If the transaction crosses borders, it may trigger the travel rule. Envoy supports auto-send for transactions with recognized counterparties, but compliance with travel rules will depend on jurisdiction.

Does Envoy have a webhook notification feature when I get incoming requests so that I can use it internally to route it to the compliance team member that will attend to a transfer?

Yes, Envoy has a webhook feature that enables a callback to your API system so you are immediately notified of incoming requests.
