Integration of Travel Rule Providers

1) Purpose of integration

• support the canonical IVMS101 model,
• have an Adapter layer agnostic to the provider,
• provide security (mTLS, signature, encryption) and SLAs,
• cover hosted↔hosted and policy for unhosted.

2) Choice of protocol/provider: models

2. 1 Protocols and trust networks

TRISA/TRP/OpenVASP - p2p/federation with PKI, VASP directories, delivery confirmation.
Commercial hubs/aggregators - abstract transport, give Discovery and routing.

2. 2 Selection criteria (summary)

Jurisdiction Coverage/VASP, Directory/Discovery Quality.
Compatible with IVMS101 and extensions.
Safety (PKI, mTLS, signature), latency/SLA, retreats/quorums.
Cost per message/volume, reporting and audit.
Unhosted policy support (address ownership validation), sandbox and certification.

3) Integration Reference Architecture

1. Payments Core → initiates crypto transfer.

2. Compliance Orchestrator → decides whether a Travel Rule (threshold/geo/counterparty type) is required.

3. Travel Rule Gateway (your service)

Canonical IVMS101 model;

Adapters to TRISA/TRP/OpenVASP/aggregator;

Signature/encryption, idempotency, retrays/quotas.
4. Directory/Discovery → counterparty search, certificate/policy validation.
5. KYT/Sanctions Engine → pre-check before exchange.
6. PII Vault → storage of personal fields, tokenization, RBAC/audit.

1. Creation of a request → 2) TAC/pre-check sanction → 3) Discovery VASP → 4) IVMS101 exchange (request/response) → 5) allow/hold/reject solution → 6) Online broadcast → 7) Logs/report.

4) Canonical data model (IVMS101)

• Originator: name, identifier, country/address or DOB, account/wallet id.
• Beneficiary: name (при VASP), account/wallet id.
• Transaction: asset, chain, amount, timestamp, internal transfer id.
• Compliance refs: KYT check id, sanctions screen id, Travel Rule message id.

Practice: store IVMS101 as a "canonical model" in your database; adapters make transformations to a specific protocol.

5) Security & Trust

mTLS with mutual authentication (PKI/Directory).
Message signing and end-to-end content encryption (PII).
RBAC/SoD: split roles for sending/approving/exporting data.
Logs/unchangeable logs: who/what/when sent, schema version.

6) Discovery/Directory

Search counterparty by VASP ID, domain, LEI/BIC (where available).
Record caching, certificate rotation, trusted CA list.
Folback channel: request for confirmation of details through an aggregator or "bridge" (if allowed by policy).

7) Flow control and SLA

• Discovery + exchange p95: ≤ 60–120 с.
• Pre-KYT p95: ≤ 5–15 с.
• Auto-case solution: ≤ 2-5 min, manual High-risk: ≤ 4 h.

• Exponential backoff + jitter; idempotency by 'travel _ rule _ message _ id'.
• Auto-switch to standby adapter/hub in case of degradation.
• Quorum of delivery/read confirmations (ACK/NACK).

8) Error handling (playbook)

9) Policy for unhosted wallets

Confirmation of address ownership (signature, "proof-microtransfer").
KYT before enrollment and before withdrawal; limits by segment.
Address book/whitelist with TTL and periodic reverification.
Document RBA exceptions (small amounts/low risk) - where legal.

10) PII Vault and Privacy

Separate PII from transaction logs and payment data.
Encryption (KMS/HSM), tokenization of identifiers, need-to-know access.
Retention by jurisdiction (often 5 + years), auto-expiration, DSR procedures.
Versioning of IVMS101 schemes and audit trail for each exchange.

11) Integration patterns

11. 1 Adapter layer

Interface: 'send (ivms_payload) -> ack '/' receive () -> ivms_payload'.
Transformations: IVMS101 ⇄ a specific format (TRISA/TRP/OpenVASP/hub).
API versioning, signed webhooks, deterministic resubmissions.

11. 2 Compliance Solutions

Матрица RBA: `allow` / `limit` / `hold` / `reject` / `escalate`.

Partial release if part of the funds is "clean."

Link with KYT: Do not send Travel Rule on apparently prohibited routes.

11. 3 Reliability

Two or more providers/protocols through a single Gateway.
Health-checks, circuit-breaker, real-time alerts.

12) Testing and commissioning

Sandbox provider + your counterparty simulator.
Case set: full/incomplete data, timeouts, mismatch, PKI mistrust.
Load tests (peak tournaments/promotions), measurement of p50/p95/losses.
Payments/Risk/Support training: scripts for communication with customers.

13) Metrics and dashboards

Coverage%: the share of VASP↔VASP transfers with a successful exchange.
SLA hit rate по Discovery/Exchange/Decision.
Retry/Failure rate, причины (timeout/mismatch/unsupported/trust).
Hold/Reject% and average unlock time.
Complaint/Ticket rate by Travel Rule, NPS output.
Cost per Exchange (all-in): provider + opera. time.

14) Anti-patterns

Onchain-dispatch to complete Travel Rule where "pre-transfer" is needed.
A tough tie for one provider without Adapter abstraction.
PII storage in common logs/analytics without tokenization.
Lack of idempotency → duplicate messages/solutions.
Ignore unhosted-policy and address verification.
There is no schema/directory versioning → "non-repeatable" solutions.

15) RFP/Implementation Checklist (short)

• Support for IVMS101 (mandatory/optional fields), validation.
• Protocol (s): TRISA/TRP/OpenVASP, aggregators; Discovery/Directory и PKI.
• Security: mTLS, signature/encryption, activity log, signed webhooks.
• SLA/retrai: goals p95, backoff + jitter, circuit-breaker, feilover.
• QT/sanction compatibility, pre-check API and case correlation.
• Unhosted-policy: address confirmation, whitelist with TTL, limits.
• PII Vault: encryption, RBAC/SoD, retention/DSR, auditing.
• Reporting: exchange artifacts, schema/tag versions, export for SAR/STR.
• Sandbox/simulators, load and fail-safe tests.
• Team training and customer communication templates.

16) Summary

Travel Rule Integration is a gateway architecture with IVMS101 as a canonical model, Discovery/PKI for trust, multi-provider adapters, and strict security/PII rules. Link it to KYT and RBA solutions, write a policy for unhosted, provide SLA/feilover and transparent UX - and your crypto payments/deposits will meet the requirements without compromising speed and conversion.