
Travel Rule Integration

CRYMBO Connect natively supports Travel Rule compliance by enabling secure exchange of Personally Identifiable Information (PII) between Virtual Asset Service Providers (VASPs), without exposing data on-chain.

The architecture is built to meet FATF and MiCA requirements while preserving privacy, scalability, and decentralization.


🔐 How It Works

  1. Sender broadcasts transaction on-chain
  2. Oracle emits PIIRequested event
  3. Receiver submits encrypted PII off-chain
  4. Oracle emits PIIProvided and verifies the flow
  5. Compliance status is recorded and events are emitted

📤 Submitting Encrypted PII

Endpoint:
POST /deposits/pii

Payload:

{
  "network": "POLYGON",
  "hash": "0xf7a4...4762",
  "pii": "base64-encoded-encrypted-payload"
}

  • hash refers to the blockchain transaction
  • pii is an encrypted blob (AES, hybrid, or ZK format)

Only authorized receivers or Oracle validators can decrypt the content.


🔍 Receiving PII (for the Oracle)

Endpoint:
GET /deposits/:id/pii

This endpoint is only accessible to the destination VASP or authorized validator.


🧠 Compliance Events

You can listen for the following events to orchestrate your Travel Rule flows:

| Event | Description |
|---|---|
| PIIRequested | Oracle signals that PII is needed |
| PIIProvided | Receiver has submitted the encrypted PII |
| TransactionCompliant | Transaction passed validation checks |

✅ Policy Integration

Travel Rule checks can be enforced in business logic by evaluating:

  • Wallet metadata (e.g. IS_VASP = true)
  • Risk scores (e.g. RISK_SCORE > 80)
  • Transfer origin/destination (cross-border, high-risk countries)
  • PII delivery status (PIIProvided must occur before fundsAvailable = true)

🔐 Encryption Format

The payload may be protected with hybrid encryption or a ZK-wrapped format. A typical plaintext structure, before encryption, includes:

{
  "fullName": "John Doe",
  "idNumber": "XYZ12345",
  "address": "12 Chain St, Berlin, DE"
}

The above structure is encrypted off-chain before submission.
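
One way to turn the structure above into the pii field with hybrid encryption, shown as an added example that is not CRYMBO's own code. The envelope layout (wrappedKey, iv, tag, ct), the RSA-OAEP key wrap, and the use of network and hash as GCM associated data are assumptions, since the page does not define a format.

```javascript
// Added example: hybrid (RSA-OAEP + AES-256-GCM) envelope for the "pii" field.
// The envelope layout is an assumption; the page does not define one.
const nodeCrypto = require('crypto');

// Encrypt PII for the receiving VASP and build the POST /deposits/pii body.
function buildPiiSubmission(network, hash, piiObject, receiverPublicKey) {
  const dek = nodeCrypto.randomBytes(32);   // one-time AES-256 data key
  const iv = nodeCrypto.randomBytes(12);    // 96-bit GCM nonce, never reused with a key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dek, iv);
  // Bind the ciphertext to this transaction so it cannot be re-attached to another hash.
  cipher.setAAD(Buffer.from(`${network}:${hash}`, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(piiObject), 'utf8'), cipher.final()]);
  const envelope = {
    wrappedKey: nodeCrypto.publicEncrypt(
      { key: receiverPublicKey, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
      dek).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
  return { network, hash, pii: Buffer.from(JSON.stringify(envelope)).toString('base64') };
}

// Receiver side: unwrap the key, authenticate against network+hash, return the PII object.
function openPiiSubmission(body, receiverPrivateKey) {
  const env = JSON.parse(Buffer.from(body.pii, 'base64').toString('utf8'));
  const dek = nodeCrypto.privateDecrypt(
    { key: receiverPrivateKey, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    Buffer.from(env.wrappedKey, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(env.iv, 'base64'));
  decipher.setAAD(Buffer.from(`${body.network}:${body.hash}`, 'utf8'));
  decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(env.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed demo data: throwaway key pair plus the sample values shown on this page.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pii = { fullName: 'John Doe', idNumber: 'XYZ12345', address: '12 Chain St, Berlin, DE' };
  const body = buildPiiSubmission('POLYGON', '0xf7a4...4762', pii, publicKey);
  const opened = openPiiSubmission(body, privateKey);
  let replayRejected = false;
  try { openPiiSubmission({ ...body, hash: '0xdead...beef' }, privateKey); }  // constructed other hash
  catch (e) { replayRejected = true; }   // GCM tag check fails when the hash differs
  return { body, opened, replayRejected };
}
```

Because the transaction hash is authenticated as associated data, a receiver that decrypts with the hash from the request rejects a blob that was lifted from a different deposit.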


This design allows your system to comply with global regulatory expectations while maintaining a decentralized architecture and user privacy.