Integration Overview
Under the Travel Rule, VASPs are required to exchange PII between the originator and beneficiary VASPs for crypto asset transfers.
However, this becomes challenging when your counterparty VASP has not yet integrated with the GTR Network. In such cases, standard API-based Travel Rule messaging is unavailable, creating a compliance gap for regulated VASPs.
To bridge this gap, GTR provides a secure, email-based mechanism that allows your organization to fulfill Travel Rule obligations with non-GTR counterparties.
This Out-of-Network (OON) Travel Rule solution ensures regulatory compliance and protects sensitive PII using encrypted communication channels, without requiring any additional system integration from the counterparty VASP.
Out-of-Network Travel Rule is usually for the Pre-transaction situation, so in this case:
| Your VASP | Your Counterparty VASP |
|---|---|
| - Originator VASP - GTR Member - Travel Rule Initiator VASP | - Beneficiary VASP - Not connected to GTR Network - Travel Rule Receiver VASP |
On GTR Website, there are three options for your VASP to configure the Out-of-Network Travel Rule message behaviour.
| Options | Email Content | Use Case | API Integration Required |
|---|---|---|---|
| Notification Only | 1. Transaction Summary 2. Your Contact Email | Used as an initial notification only. Upon receipt, counterparties will contact your VASP directly to coordinate PII sharing offline. | ❌ |
| Download Link | 1. Transaction Summary 2. Your Contact Email 3. Secure PII Retrieval Link | This provides your counterparty immediate, self-service access to encrypted PII data of your VASP. | ✅ |
| Disable | No Out-of-Network emails will be sent to this VASP | ❌ |
So this integration guide is purely for the VASP who selects "Download Link" as their Out-of-Network Travel Rule message behaviour.
- Before initiating the Out-of-Network Travel Rule request, you may need to get the Out-of-Network VASP name list by invoking Exchange List API.
- Your VASP, as the Originator VASP of this asset transfer, invoke the Originator API 1: Initiate OON Message endpoint to send this Out-of-Network message to GTR.
- If asset transfer is executed on the blockchain, update GTR with your
tx_idby calling Originator API 2: Update TX ID. - GTR sends out email notification with the PII Retrieval Link to your counterparty VASP.
- If your counterparty VASP accesses this PII Retrieval Link before expiration, they will implicitly provide a temporary Public Key to GTR, and GTR will forward the PII retrieval request to your service via the callback endpoint Originator Callback 1: Retrieve PII.
- Once your callback endpoint responds with encrypted PII, GTR forwards it to your counterparty VASP.
- PII will be decrypted implicitly on your counterparty side, and displayed as plain-text on their web page.
✍️ GTR will delay sending the email until you complete the TXID notification step via Originator API 2: Update TX ID.
Additionally, GTR cannot guarantee 100% email delivery. See Limitations.
Security Measures
- End-to-End Encryption: A temporary public/private key pair is generated for each PII Retrieval session to ensure data confidentiality and integrity throughout the transmission. This ensures that GTR, or any other intermediary, cannot decrypt the data or access the plaintext of PII.
- Limited Retrieval Attempts: The PII Retrieval Link can be accessed a maximum of 3 times and will automatically expire after 4 days.
Limitations
While GTR strives to maintain reliable communication, 100% successful delivery of Out-of-Network emails cannot be guaranteed due to the following factors:
- Email system delivery failure or spam filtering by your counterparty's recipient email mailbox.
- Your counterparty's compliance email address is not present in GTR or is invalid.