How Hubspot’s Data Breach Proves You Shouldn't Go for a SaaS Travel Rule Solution
Earlier this month, the news about a Hubspot data breach took over the discussions around data security. A leader in CRM, Hubspot offers a platform that helps companies organise their sales and marketing efforts, the areas that inherently process a lot of sensitive data such as full names, email addresses, phone numbers and more.
Hubspot is a Software-as-a-Service (SaaS), which means its clients do not need to install any software on their own infrastructure but access the information through the online platform. So, if you use their CRM, the data you have entered into Hubspot about your clients is stored by Hubspot and secured by Hubspot. You have access to it, but you do not own it. Your provider can see and manage all account information.
If you work in finance, you will know that this is a plausible scenario not exclusive to sales and marketing. With cryptocurrency going mainstream, we have seen the rise of regulation in the space, which made Know-Your-Customer (KYC) efforts - and consequently, KYC providers - a key part of a virtual asset service provider's (VASP) day-to-day compliance work. When KYC data is handled by a SaaS provider, a door to great privacy risks is opened. Add transaction information to this landscape, and crypto users are put at risk.
Privacy and The Travel Rule
The Travel Rule requires VASPs to exchange their clients' information when transacting crypto assets. The transferred data is highly sensitive, as each transfer has at least the full name and wallet addresses of the parties involved. Regulation already requires that two entities (the transfer-originating VASP and the transfer-receiving VASP) hold this data, doubling the risk of a leak. Hence, it is easy to see that using a SaaS provider to perform this communication makes the data accessible to a third party who is not directly involved in the transaction, creating an unnecessary security risk.
Compliance officers face the great challenge of deciding how to deal with this new requirement, securing their company's and clients' privacy while complying with that regulation. It can be solved in different ways: by developing an in-house solution, using a SaaS provider, or licensing an on-premise solution; each has its benefits and limitations, making the trade-offs highly relevant.
What Travel Rule Approaches Are There?
If you decide to develop your own Travel Rule solution in-house, it will most likely be tailored to your company's needs, and all the data transacted will be stored in-house. However, this topic is probably not the main expertise of your company's team, which means they will need to research and dedicate resources to the development of this solution.
On the other hand, a SaaS solution takes all the burden (and the data) off your hands. It allows you to kick the project off quickly, providing a simpler experience. But this does have its downsides: your company's and clients' data is stored and processed by the provider, which means your data is visible to them, adding third-party risk to the equation. While at first this may seem like the easiest way out, it might not be worth the risk, as seen with Hubspot and others like it.
A third option is an on-premise solution, such as 21 Travel Rule, which will need some initial setup work but prioritises your company's data privacy. Being on-premises means the VASP runs the product on its own infrastructure and does not share any data with the software provider, much like a calculator program on your computer.
When deciding on your company's approach to the Travel Rule, these aspects must be considered in order to avoid exposing sensitive data such as that required by the Financial Action Task Force (FATF). Since the Hubspot leak was not the first incident of this kind, privacy should be considered one of the main drivers of Travel Rule decisions. Make sure you own your data.