GDPR and Privacy within the FATF Travel Rule
The General Data Protection Regulation (GDPR) and its siblings in other jurisdictions are now an integral part of doing business. Compliance is not a luxury, and the attention paid to it keeps growing, not only from governments but also from companies and consumers.
Not too long ago, a German company was found to be violating GDPR through its use of Google Analytics. Google Analytics is used everywhere, and in this case a misconfiguration led to the breach. Complying with GDPR and similar laws is becoming ever more important, and that has clear consequences for how a company approaches the Travel Rule.
Personally Identifiable Information
The lawsuit above concerned nothing more than an IP address. With the Travel Rule, the stakes are much higher: complete Personally Identifiable Information (PII) is shared between the parties. Two further factors make this data even more sensitive:
First, the data describes a financial transaction. While the Travel Rule does not mandate that the amount be included, many, if not all, Travel Rule solutions choose to send it as well (which makes sense given the day-to-day work of a compliance officer).
Second, not one but two sets of PII are shared, and together they describe a real-life financial transaction between the two parties. Few things are more sensitive than that.
Travel Rule solutions need to take special care when exchanging and storing this information, and the security decisions behind it must be deliberate. All too often, people are lulled into a false sense of security. Transport encryption, for example, has to actually protect the data in transit, not just tick a mental box. The same goes for data at rest: don't roll your own crypto.
At 21 Analytics we refer to this Travel Rule data as toxic data, and handling it well is of the utmost importance. For example, we apply the principle of least privilege (PoLP) to database access: the TRP module of our application has no business accessing the email module's database. Each database has its own password.
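One concrete way to set up the per-module, per-database least privilege described above, shown here as an added example rather than 21 Analytics' own configuration. It assumes PostgreSQL run through psql as a superuser; the role, database and table names and the passwords are placeholders chosen for this illustration.

```sql
-- Added example (not 21 Analytics' code): one login role and one database per
-- module, so the TRP module cannot reach the email module's data at all.
-- Run with psql as a superuser. Names and passwords below are placeholders.

-- Separate login roles, each with its own password (no shared credential).
CREATE ROLE trp_module   LOGIN PASSWORD '<trp-module-password>'   CONNECTION LIMIT 20;
CREATE ROLE email_module LOGIN PASSWORD '<email-module-password>' CONNECTION LIMIT 20;

-- One database per module, owned by an administrative role rather than by the
-- module itself, so a compromised module cannot drop or alter its own schema.
CREATE ROLE app_admin NOLOGIN;
CREATE DATABASE trp_db  OWNER app_admin;
CREATE DATABASE mail_db OWNER app_admin;

-- By default every role may CONNECT to every database; take that away first,
-- then hand back exactly one database to each module.
REVOKE CONNECT ON DATABASE trp_db, mail_db FROM PUBLIC;
GRANT CONNECT ON DATABASE trp_db  TO trp_module;
GRANT CONNECT ON DATABASE mail_db TO email_module;

-- Inside the TRP database: the module gets only the table access it needs.
\connect trp_db
REVOKE ALL ON SCHEMA public FROM PUBLIC;
CREATE TABLE transfers (
    id               bigserial PRIMARY KEY,
    originator_name  text NOT NULL,
    beneficiary_name text NOT NULL,
    amount           numeric(20, 8)
);
ALTER TABLE transfers OWNER TO app_admin;
GRANT USAGE ON SCHEMA public TO trp_module;
GRANT SELECT, INSERT ON transfers TO trp_module;
GRANT USAGE, SELECT ON SEQUENCE transfers_id_seq TO trp_module;

-- Inside the mail database: likewise, for the email module only.
\connect mail_db
REVOKE ALL ON SCHEMA public FROM PUBLIC;
CREATE TABLE outbox (
    id        bigserial PRIMARY KEY,
    recipient text NOT NULL,
    body      text NOT NULL
);
ALTER TABLE outbox OWNER TO app_admin;
GRANT USAGE ON SCHEMA public TO email_module;
GRANT SELECT, INSERT, DELETE ON outbox TO email_module;
GRANT USAGE, SELECT ON SEQUENCE outbox_id_seq TO email_module;

-- Check: "psql -U trp_module -d mail_db" must now be refused with
-- "permission denied for database mail_db", and vice versa for email_module.
```

The final check is the part worth automating: a connection from each module role to the other module's database should be attempted in CI and expected to fail.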
PoLP is also the reason why our software runs on-premise. As a VASP you are dealing with this kind of data from the get-go, and we are happy to see that all our clients take this responsibility very seriously. On-premise software puts our clients in the driver's seat: they have total control over the system, and inbound and outbound connections can be explicitly allow-listed. 21 Travel Rule makes no spurious outbound connections. Furthermore, our clients have total control over the stored customer data and do not need to ask anyone's permission to delete it if they so wish.
Different Jurisdictions and the Travel Rule
If we have learned anything in this field, it is that each jurisdiction has its own quirks. The same goes for data protection laws: the EU differs from the US, and both differ from the UK, Singapore, Hong Kong, and so on. Running 21 Travel Rule in your own data centre lets you apply the rules appropriate to your jurisdiction. Risk is reduced because you know for certain that your data is handled correctly, instead of having to trust yet another supplier.
Reach out to learn more about how 21 Travel Rule keeps your PII data secure and private.