Dash Complies with the Financial Action Task Force (FATF) Guidelines Including the ‘Travel Rule’
If an exchange can be compliant with FATF guidelines for the Bitcoin network, then by definition it can be compliant with the Dash network. This is because for regulatory and compliance purposes, the Bitcoin Network and the Dash network are completely identical.
In what ways are they identical?
1) As a fork from Bitcoin code, the Dash network operates with the exact same transaction ruleset as the Bitcoin network. Dash incorporates most Bitcoin backports to maintain a high degree of similarity with the current Bitcoin implementation.
2) Both networks are public blockchains that are completely transparent. Every transaction on each network identifies the sending and receiving addresses as well as the amount of the transaction. There is no way to obscure any of those data points due to the transparent nature of the blockchain.
3) Both networks offer wallets that utilize some form of CoinJoin to provide users with optional privacy enhancements. Because of the transparent nature of Bitcoin and Dash transactions, CoinJoin merely improves a user’s privacy profile, but falls short of providing user anonymity. On Bitcoin, such wallets include both mobile and desktop versions, such as Wasabi, Joinmarket, and Samourai, while on Dash the feature is called PrivateSend and is only available in the desktop wallet. CoinJoin is a privacy technique that requires no changes to the transparent nature of Bitcoin transactions. In fact, because it is merely a technique, CoinJoin can be used in conjunction with any cryptocurrency network that utilizes a transparent blockchain. The analytic techniques that are currently utilized to analyze Bitcoin transactions for money laundering prevention are equally applicable to Dash.
In short, there is absolutely no distinguishing feature between Bitcoin and Dash that would enable one to comply with regulatory guidelines while excluding the other.
Background and context
The Financial Action Task Force (FATF) issued on June 21, 2019, the “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers”, a series of recommendations with the goal of strengthening Anti Money Laundering (AML)/Countering the Financing of Terrorism (CFT) within the global and respective national cryptocurrency industries. These recommendations define those entities that would be covered under these guidelines and provide a number of recommendations for Virtual Asset Service Providers (VASPs) to follow that will mitigate the risk of illegal financial activity occurring through their services. Many of these recommendations include processes and best practices applied to the traditional financial industry, however, some recommendations directly address the Virtual Assets (VA) these VASPs carry, including Anonymity Enhanced Currencies (AEC).
As a result of this guidance, several exchanges have decided to delist Dash to ensure full compliance. However, the decision to delist Dash was based merely on the media’s portrayal of Dash as a “privacy coin” and not rooted in actual analysis regarding the nature of Dash’s blockchain. In this document, we conclusively demonstrate that Dash is erroneously labeled as an AEC or colloquially a “privacy coin”. Dash is no different than Bitcoin, and in fact carries a lower risk of regulatory non-compliance than Bitcoin for both technical and non-technical reasons. We will further cover optimal ways an exchange can approach compliance, policies, procedures, technology and KYC/ AML services to remain compliant. Finally, this document addresses and clarifies the reasons for the widespread misconception of Dash and its optional privacy feature.
Summary of Guidelines for exchanges as it relates to VAs/AECs
Within the guidelines, the VASP must ultimately be able to prove that the VASP can understand, manage, and mitigate the risks presented in all VAs offered by the VASP, including: AECs, mixers, tumblers, and other technology that hide the identity of the sender, recipient, holder or beneficial owner of a VA.
The Travel rule stipulates that VASPs require their customers provide information about the originator or beneficiary of a VA transfer deposits into customer accounts or withdrawals from customer accounts. For withdrawals, they must also indicate whether the originator or beneficiary address is custodied at another VASP, and if so which VASP. The originating VASP must provide and verify accuracy of the required originating transaction information, while the beneficiary VASP must do the same for the beneficiary side of the transaction. This helps ensure accurate information and an equal division of requirements between the two parties. In short, the Travel Rule seeks to replicate the regulatory requirements placed on traditional fiat wire transfers.
The Travel Rule that specifically addresses this point mandates that the VASP must be able to collect “Required Information” which includes:
• Originator’s name (i.e., the sending customer);
• Originator’s account number where such an account is used to process the transaction (e.g., the VA wallet address);
• Originator’s physical (geographical) address, national identity number or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth;
• Beneficiary’s name
• Beneficiary’s account number where such an account is used to process the transaction (e.g., the VA wallet address).
As the FATF Guidelines mention throughout the publication, there are several risk factors that increase the risk of non-compliance with the guidelines such as: decentralized exchanges, AEC features, fiat on/off ramps, business model of VASP (peer-to-peer, in-person vs. virtual, decentralized vs. centralized), or exposure to IP anonymizers. VASP includes not only exchanges but custodial solutions, wallets, and other businesses that are traditionally less regulated than exchanges and have taken more privacy-centric business strategies that now place these companies in a difficult situation. Exchanges are fortunate in that, unlike many wallet solutions, KYC/AML processes are already a standard part of the onboarding process for all reputable centralized exchanges. Information collected by exchanges are by default thorough. To open an account one is required to include a photo of the individual holding their passport open to the main page, a photo of the passport alone or other national Identifier of the individual, country of residence, address, and other information that together ensures that:
• Outgoing transfers (withdrawals) come from an individual the VASP is able to report to regulators including originator’s name, originator’s account number, originator’s physical (geographical) address, national identity number, and beneficiary’s account number as one cannot send an anonymous/obfuscated transaction from centralized exchanges. Dash’s optional privacy solution (“PrivateSend”) can only be activated by the sender, so there is zero risk for an exchange for outgoing transfers because they maintain complete control of the processing of customer withdrawal requests. In all Dash transactions, the output address is always fully transparent, including the outputs of PrivateSend transactions. With the implementation of the Travel Rule, exchanges and other VASPs will require frequent communication to gather beneficiary information such as their name tied to the recipient’s account/address on the other VASP.
• Incoming transfers (deposits) — A deposit to an exchange that has utilized CoinJoin is easily identifiable by a VASP due to a VASP’s use of KYC/AML service platforms. Due to the transparency of the Bitcoin network, there are many service platforms that can perform this function. Dash, which also has a transparent blockchain, with identical rulesets to Bitcoin is also covered by many service platforms performing this function. Utilizing these services a VASP can detect these transactions, filter them and report on them to regulators in an easy and efficient manner.
◦ Note: As will be shown in the next section, Dash’s privacy technology is built upon CoinJoin, a technique built for increasing the privacy of Bitcoin and is used on many Bitcoin wallets. Similar to how an exchange would treat Bitcoin transactions that undergo a CoinJoin mixing process, the same treatment and process can and should be applied to Dash transactions.
◦ Note 2: Cross-border transfers below the USD/EUR 1,000 threshold must include the above information as well, however, it does not need to be verified for accuracy unless there is some suspicion of terrorist financing or money laundering.
Dash has fewer privacy features available than Bitcoin
Since Dash is commonly labeled as “privacy centric” in the media, it is sometimes included in proposed “ban lists”. This is an incorrect treatment of Dash from both regulatory and legal stances. Dash’s transaction rulesets are in fact identical to Bitcoin, and therefore for regulatory and compliance purposes Dash can and should be treated identically to Bitcoin. Privacy and anonymity features are not binary, but rather a spectrum. This spectrum includes complete shielding of transactions (in which addresses or amounts are completely obscured from third-party observers), optional shielding of transactions, and completely transparent transactions. It can also include “off-chain” transactions and other enhancements that prevent third-parties from observing transactions at all.
For example, with ZCash, when shielding is switched on, shielded addresses are not visible and transactions between shielded addresses do not reveal either address, the transaction amount or the contents of an encrypted memo field. In contrast, Dash transactions are all completely transparent and auditable by any third party, identical to Bitcoin (upon which Dash is based), including the amounts, input addresses, and output addresses of each transaction. Dash’s optional privacy features — as we will demonstrate — are nearly identical in nature to the privacy technologies currently available to Bitcoin users. However, Bitcoin users have an “off-chain” option called the Lightning Network, which is completely anonymous. Even the nodes (e.g., servers) relaying transactions on the Lightning Network are unable to determine the origin or destination node of the payments it routes.
Properly categorized, Dash is not a “privacy-centric coin”, rather it is a payments-focused digital currency that is based on Bitcoin. It is a public blockchain with added privacy functionality in its desktop wallet only. Dash is not explicitly optimized for maximum privacy, which would involve technologies requiring substantial compromises to scalability, speed, transaction cost, and user experience.
Many cryptocurrencies that optimize for maximum privacy utilize technologies that prevent them from being used on mobile devices due to extensive data storage and processing requirements. Dash balances user needs for many attributes beyond privacy, including speed, reliability, scalability, security, and cost. Dash also ensures transactions are transparent by default and that privacy wallet utilization is easily detectable by any third-party observer to the transaction. From a legal and compliance standpoint, Dash should not be treated any differently than other networks with similar attributes, regardless of how the media portrays it.
Dash utilizes CoinJoin for its optional privacy feature. CoinJoin is a technique for combining multiple payments from multiple spenders into a single transaction or a series of transactions to make it more difficult for outside parties to determine which spender paid which recipient or recipients. Unlike many other privacy solutions, CoinJoin transactions do not require any modification to the bitcoin protocol. In fact, because CoinJoin is simply a technique, it can be performed on literally any transparent blockchain. All transactions remain transparent on the Dash blockchain, including all sources of funds used in the transaction, the destination address(es), and the amounts. Therefore, these transactions can easily be identified as such by any observer – including third party observers – and analyzed by compliance software.
Bitcoin and other leading projects have enhanced their own privacy features using approaches that are nearly identical to Dash’s PrivateSend implementation, utilizing their own versions of CoinJoin. Note that this is the same technology Dash utilized in 2014 to enhance user privacy. While Dash’s implementation of CoinJoin is faster, easier, and less expensive than similar options available through Bitcoin wallets, there are no legally definable differences in the resulting transactions. The main improvements compared to Bitcoin (e.g., ease-of-use, speed, security, and cost) are attributes shared by all Dash transactions compared to Bitcoin, and are in no way attributable to Dash’s implementation of CoinJoin.
CoinJoin has been implemented in a number of wallets, tools, and protocols within Bitcoin or other Bitcoin-forked projects, including those in Figure 1 below.
Bitcoin and Dash transaction rulesets are mutually inclusive.’ This means that a valid Bitcoin transaction would be valid on the Dash network and vice versa. It also means that an invalid Bitcoin transaction would be invalid on the Dash network and vice versa. Dash addresses and transactions between them are publicly viewable on the Dash blockchain, in the exact same manner that Bitcoin addresses are publicly viewable. In short, the rules that determine a valid user transaction are completely identical. Therefore, there is no logical argument for why Dash should be treated any differently than Bitcoin for compliance or regulatory purposes. In addition, Dash maintains upstream Bitcoin compatibility, as improvements are made to Bitcoin’s code base. The result is that there are no substantial differences between Dash and Bitcoin transactions on the blockchain. In fact, PrivateSend transactions can be performed on any fully transparent transaction ledger, including Bitcoin. We do not simply assert this is the case’ — we provide proof. The following two transactions (Shown in Figure 2) were conducted on the Dash and Bitcoin networks respectively. They both feature 20 inputs and 20 outputs of 0.0100001 units each. As is plainly apparent, the Bitcoin transaction is not similar … it is completely identical.
Why Dash has been mislabeled as a privacy-centric coin
Dash was launched in 2014 as “Xcoin” by developer Evan Duffield. One of the first enhancements Duffield pursued was the implementation of CoinJoin into Dash’s desktop wallet. Incorporating CoinJoin into a user wallet had already been formally proposed by Bitcoin’s developers, but was not yet programmed into a wallet. Therefore, Dash was simply the first of many currencies to formally offer an easy-to-use wallet that automated the CoinJoin technique. It is worth noting that by early 2014, service providers were already offering similar mixing services for Bitcoin users, but they required users to transfer their funds to the service operator.
Dash’s reputation is undoubtedly impacted by the decision of the founding team to capitalize on the differentiation of its PrivateSend feature by rebranding Xcoin to “Darkcoin” in early 2014. As the project continued to grow and introduce new features, such as instant transactions, the Darkcoin branding was hindering adoption because of negative connotations evoked by dark markets. Although the network name was changed to “Dash” in early 2015, the stigma from naming the coin Darkcoin has proved to be persistent, especially with journalists seeking edginess or mystique for their stories in the cryptocurrency press. This history is undoubtedly one of the key reasons Dash continues to be labeled as “privacy centric”. However, brand history is no rationale for legal treatment today.
As mentioned earlier in this document, Coinjoin has been implemented in a number of wallets, tools, and protocols within Bitcoin or other Bitcoin-forked projects (see Figure 1). Many of these options have been available since 2015, only one year after Dash’s PrivateSend became operational. In addition, there are a number of third-party Bitcoin services that charge users a fee for providing coins that have undergone CoinJoin mixing. These options operated even prior to Dash’s PrivateSend feature, which was introduced in 2014. Finally, there are a number of similar technologies such as TumbleBit and CoinSwap that offer similar privacy benefits, but are not CoinJoin-based.
New technologies continue to improve privacy as well. There have been notable improvements in CoinJoin implementations on Bitcoin, such as Chaumian CoinJoin, that prevents the server that is coordinating the transaction from seeing which addresses belong to which transaction participant. In this way, even the server coordinating the transaction obtains no identifiable information. In addition, new off-chain transaction methods have been implemented on Bitcoin’s network, which include the Lightning Network (LN). Individual LN transactions are not recorded on the Bitcoin blockchain at all, and only the participants to the transactions have any visibility to them. Even within the LN, routing servers (a.k.a., “nodes”) have no visibility to the starting and ending points of a transaction.
Despite the advances in sophistication, accessibility, and user experience, the use of privacy tools remains quite low. In fact, CoinJoin transactions currently constitute less than 1% of all transactions on both Bitcoin and Dash, and LN adoption has been slow to develop. Even if usage rates were higher on Dash than Bitcoin, drawing a legal distinction between Bitcoin and Dash is increasingly unjustified given the multitude of similar implementations that now exist in the market. PrivateSend is simply a brand name for the specific CoinJoin implementation found in Dash’s desktop wallet.
How to remain compliant with the Travel Rule with Dash
We have demonstrated with undeniable evidence that Bitcoin and Dash, with the exception of speed, security, and cost of transactions, are equivalent in all legal respects, including when it comes to privacy. As such, the solution to remaining compliant with the Travel Rule and Dash is no different as well.
The mechanisms and protections that are currently utilized in the Bitcoin ecosystem for money laundering prevention are equally applicable to Dash. PrivateSend transactions can be readily distinguished as such on the blockchain (just as with Bitcoin CoinJoin transactions), and all transactions can be risk scored based on behavioral patterns, proximity to problematic addresses, country of origin or receipt of transaction, and any other value, or other criteria defined by the exchange.
The FATF Guidelines place a great deal of responsibility for additional reporting on the exchange to remain compliant. To continue to be able to provide a positive user experience as well as to remain capable of dealing with the scale of transactions while remaining compliant with more stringent rules, a VASP would require a tool to automate as much of the detection and reporting of suspicious transactions as possible without compromising accuracy of information. These tools are provided by KYC/AML providers, many of these providers work extensively with law enforcement, traditional financial institutions, and VASPs. Dash is partnered with some of the largest companies in this space, and these service partners continue to grow.
These services are available to support both Bitcoin and Dash. Our compliance partners can help you meet the Travel Rule and other global and national compliance requirements in a number of ways such as:
• Transaction monitoring
• Identifying and blocking transactions that utilized mixing, or are in close proximity of known bad actors or sanctioned wallet addresses.
• Track anonymity enhanced convertible virtual currencies and wallet addresses sending more private transactions.
◦ This means that the VASP can choose to identify, block, and report on all transactions sent with Dash PrivateSend and can track and report on all the components of a mixed transaction.
• Reporting on your users’ blockchain transactions
• Establish an automated record keeping system for suspicious activity
• Activity reporting, customer due diligence, and currency transaction reporting.
• Track anonymity enhanced convertible virtual currencies and wallet addresses sending more private transactions.
• Customizable risk scoring
With these tools, any VA (including Dash and Bitcoin) transactions that are privacy enhanced are identified, blocked, and reported to the VASP.
We are happy to introduce any of our partner exchanges to these companies to explore their services and help ensure they remain compliant with the Travel Rule and Dash (as well as multiple other VAs).
A major European Exchange delists, then relists Dash as a result of Dash Core Group support.
In May of 2019, a Gibraltar-regulated cryptocurrency exchange had announced that it had delisted Dash due to regulator concerns over Dash’s optional privacy feature, only a month after this exchange’s launch. The exchange’s executives quickly reached out to Dash Core Group (DCG) to discuss the listing and explore whether DCG was aware of the rule and how Dash can remain compliant of U.K. AML/CTF requirements with the privacy feature.
In a meeting with both DCG and the exchange, DCG executives collected all the relevant information regarding the reasons for delisting, and other requirements. Regulators in the U.K. required the exchange to be able to identify, filter, and report on all anonymized Dash transactions to remain compliant. DCG had partnered with a close KYC/AML service provider to help address these exact situations, which were long anticipated by many in the cryptocurrency industry. The DCG team introduced and facilitated discussions between the exchange and Dash’s KYC/AML compliance service provider partner, who was able to demonstrate that they can help the exchange collect, analyze, and report all the information regulators require and ultimately keep Dash listed while remaining compliant. This provider also covered many other VAs the exchange offers on their platforms. The exchange adopted the compliance provider’s platform and services, and relisted Dash on their platform. These systems and tools are continuously evolving as regulation does, to ensure VASPs always remain in compliance. In most cases where DCG was invited to assist with a delisting, the team has been successful in proving their case and keeping Dash listed on partners’ platforms.
Dash Core Group is happy to provide this level of assistance to any of our partners meeting similar challenges. Please contact us to speak with a DCG representative about your regulatory concerns.
How We Can Help
Regardless of the type of VASP your business may be, if you are facing regulatory concerns about offering Dash on your platform, please let us help you. As mentioned, we have been successful in reversing delisting decisions caused by regulatory purposes. In addition to finding the right solutions for you, the Dash Core Team is available to speak with your compliance team, regulators, banking partners, and any others to help you resolve these concerns.
Author: Omar Hamwi
Original link: https://blog.dash.org/dash-complies-with-the-financial-action-task-force-fatf-guidelines-including-the-travel-rule-a4c658efc89d