Tokens and the Travel Rule 76 BANKING PERSPECTIVES QUARTER 4 2018 transfer systems and certain commercial payments sent through new payment systems such as The Clearing House’s RTP (Real-Time Payments) and other potential payment systems that may be developed are subject to the rule. 11 Hence, expanding tokenization to these payments requires that tokens be permissible under the travel rule. The question that arises for those payments subject to the travel rule is whether FinCEN will interpret or revise the rule to enable the payers involved in those transactions to benefit from the enhanced data security protections afforded by tokenization. 12 In addition to large-dollar business-to-business payments that are made over wire transfer systems, covered payments could include a consumer making a down payment on a home by wire or a small business getting paid by another business for services rendered (e.g., designing business cards) made over the RTP system. It would seem hard to justify an outcome where the benefits of the tokenization technology would not be available to consumers and small businesses when they send wires or businesses that pay each other over RTP. After all, cybercriminals do not make distinctions based on whether a particular payment is subject to the travel rule or not. Therefore, it’s important to consider the origins and purpose of the travel rule. The travel rule was developed specifically to help remedy difficulties encountered by law enforcement in the 1990s due to the absence of payer and payee names and other identifying information in many payment instructions. The decision to include the payer’s account number was made despite concerns even at that time that such information was sensitive information, the disclosure of which created heightened fraud risk. At the time, the Treasury Department concluded that the risk of fraud was low compared with the value that inclusion of the number would have for law enforcement efforts. In particular, the Federal Register notice adopting the final rule explained that a payer’s account number “will be particularly useful to law enforcement in cases in which delay occasioned by a search for account information would hinder the success of an investigation.” 13 The Treasury Department also concluded that the inclusion of account numbers “will present only a minor increase in the risk of fraudulent transfers” since banks “generally have security procedures that include passwords, codewords and, in the case of electronic transmissions, confirmation to ensure that only authorized parties issue payment orders.” 14 On balance, the Treasury Department found that the security procedures employed by banks “reduce the potential for fraud… to a level at which that risk does not outweigh the immediate and tangible benefit to law enforcement derived from the inclusion of account information in transmittal orders.” 15 But much has changed since 1995. At that time, the internet was in its infancy. And we did not have mobile apps, big data, or the associated threat of massive data breaches. Further, the last 20 years have seen an increasing intermediation of payments by non-bank service providers that may not employ – and are not regulated to ensure – the same level of security that banks provide to sensitive financial information. Additionally, the level of sophistication of today’s cybercriminals and the sponsorship of those criminals by nation-states is something that was not anticipated at the time the rule was implemented. Moreover, the risk of data breach is better understood today than it was in 1995. The risk of data compromise is not isolated to the payment system over which a payment instruction is sent but, rather, flows out of the payment system and into one or more back-office applications of the entities being paid (e.g., invoicing systems, sales support) and sometimes even to third parties that work with the payee or obtain data from the payee. It is because of these risks in the current environment that efforts are being made to tokenize sensitive information and to limit the flow of sensitive information across all payment channels. What reasonably may have been construed as a low risk in 1995 can no longer be analyzed the same way. But there is reason to be hopeful that with modern security technologies such as tokenization we can fulfill the needs of law enforcement while allowing all payers to The travel rule has not been an issue in current tokenization efforts for cards because of the rule’s narrowly tailored scope.