Recipient Policy

Explains options for reducing risk when integrating with other VASPs.

VASPs set their deposit and withdrawal policies according to global regulatory trends and internal risk assessment criteria. In doing so, they often decide whether to integrate with a specific VASP in a binary manner. However, a more flexible approach can be considered. One way to reduce risks from a compliance perspective while still seeking scalability from a business perspective is to allow transactions only to and from the user's own wallet.

Let's compare two policy options based on transaction restrictions.

1. Travel Rule: Transactions involving third parties

CODE's Travel Rule requires verifying transaction information for both personal and others' transactions. VASPs provide an environment where users can freely transfer assets, which not only enhances market accessibility but also can contribute to increased revenue.

2. Travel Rule: Transactions restricted to first parties

Even if a VASP does not meet all the due diligence conditions, a policy can be established to allow transactions only to and from the user's own wallet.

No significant additional development is required; however, the following modifications to the deposit and withdrawal processes may be necessary to ensure a smooth user experience (UX).

2-1. To Withdraw

One approach is to auto-fill the recipient's information with the sender's details on the withdrawal screen and prevent editing

2-2. To Deposit

During deposits, verify that the 'nameIdentifier' information of the originator and beneficiary matches in the 'Asset Transfer Authorization' API data('payload'). Then, confirm that the originator's name corresponds with the name of the receiving wallet's owner's one.

This requires that the Originator and Beneficiary information sent by the originating VASP aligns exactly with the KYC information held by beneficiary VASP. The deposit shall be processed when details correspond, or a 'denied' response should be returned.

Please Set the reasonType as 'INPUT_NAME_MISMATCHED' and reasonMsg as 'Only self-transfer allowed from the originator'.

{  
  "result": "denied",
  "reasonType": "INPUT_NAME_MISMATCHED",
  "reasonMsg": "Only self-transfer allowed from the originator"
}