aboutsummaryrefslogtreecommitdiff
path: root/doc/flows/main.tex
blob: be7b884ed5711dbe6f1b3d4e0a45ab855121e4c1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
\documentclass[10pt,a4paper,oneside]{book}
\usepackage[utf8]{inputenc}
\usepackage{url}
\usepackage{graphicx}
\usepackage{hyperref}
\usepackage{qrcode}
\usepackage{pgf-umlsd}
\usepackage{tikz}
\usetikzlibrary{shapes,arrows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usetikzlibrary{quotes}
\author{Christian Grothoff}
\title{Flows in the GNU Taler System}

\newcommand\CURRENCY{CHF}

\begin{document}

\maketitle
\tableofcontents

\chapter{Interactions} \label{chap:interactions}

This chapter introduces the main payment interactions in the GNU Taler payment
system. For each interaction, we introduce the parties involved and in which
order they interact and how.  In each interaction it is possible that the
Taler exchange needs to trigger a compliance process.  These regulatory
riggers are described in more detail in Chapter~\ref{chap:triggers}.

The main interactions of the system are:

\begin{description}
  \item[withdraw] a customer withdraws digital cash to their wallet
  \item[deposit] a customer returns digital cash into their bank account
  \item[pay] a customer pays into bank account of a merchant
  \item[refund] a merchant decides to return funds to a customer
  \item[push] a customer sends a payment to another wallet
  \item[pull] a customer requests a payment from another wallet (effectively sending an invoice)
  \item[shutdown] the Taler payment system operator informs the customers that the system is being shut down for good
\end{description}

In the analysis of the legal requirements, it is important to differenciate
between transactions between wallets (customer-to-customer) and transactions
where money flows from a wallet into a bank account (customer-to-merchant) as
these have different limits: When digital coins are deposited at a business in
Taler, the business never actually receives usable digital coins but instead
the amount is always directly credited to their bank account.  Depending on
the transacted amounts, the business will nevertheless be subject to KYB
(Section~\ref{sec:proc:kyb}) and AML checks.

{\bf Customers} begin their business relationship with us when they withdraw
digital cash.  Taler has no accounts (this is digital cash) and thus there is
no ``opening'' or ``closing'' of accounts for consumers.  Given digital cash,
the customers can either (1) deposit the funds explicitly into a bank account
(see Section~\ref{sec:deposit}), (2) pay a merchant (see
Section~\ref{sec:deposit}), (3) pay another customer using a peer-to-peer
transfer (see Sections~\ref{sec:push} and~\ref{sec:pull}), or (4) the coins
will expire if the wallet was lost (including offline for a long time or
uninstalled).  Finally, if a wallet remains (occasionally) online but a user
does simply not spend the coins will (5) diminish in value from the change
fees (see Section~\ref{sec:fees:coin}) that apply to prevent the coins from
expiring outright.

For customers, we will categorically limit of digital cash withdrawn per month
to less than CHF 5'000 per month and less than CHF 25'000 per year, thus
ensuring that consumers remain below the thresholds where most regulatory
processes become applicable.  Payments between users will be limited
to receiving less than CHF 1'000 per month and less than CHF 5'000 per year.
We will ensure that customers are Swiss
(see Section~\ref{sec:proc:domestic}) by requiring them to have a Swiss bank
account and/or Swiss phone number (+41-prefix).
%Furthermore, the wallet will
%impose an upper limit of CHF 5000 on its balance at any point in time.

For {\bf merchants}, the Taler equivalent of ``opening'' an account and thus
establishing an ongoing business relationship is for a business to receive
payments (see Section~\ref{sec:deposit}) exceeding CHF 5'000/month or CHF
25'000/year.  We will consider the account ``open'' (and require up-to-date KYB
information and check sanction lists) as long as the business has made any
transactions within the last 24 months.

As we will only transfer money into the existing bank accounts of the
merchants to compensate them for sales made using the Taler payment system, we
do not need to check the origin of funds for those merchants as they will only
receive funds from us.\footnote{Should businesses want to use Taler for
expenditures, they will need to withdraw digital coins from their bank account
just like customers, and the limits for customers will continue to apply.}

For individual {\bf transactions}, we will impose a limit of CHF
1'000/transaction (even though our reading of the regulations would permit
individual transactions up to CHF 15'000).

The following sections describe the respective processes for each of these
interactions.

\include{int-withdraw}
\include{int-deposit}
\include{int-pay}
\include{int-refund}
\include{int-push}
\include{int-pull}
\include{int-shutdown}


\chapter{Regulatory Triggers} \label{chap:triggers}

In this chapter we show decision diagrams for regulatory processes of the
various core operations of the GNU Taler payment system.  In each case, the
{\bf start} state refers to one of the interactions described in the previous
chapter.  The payment system will then use the process to arrive at an {\bf
  allow} decision which permits the transaction to go through, or at a {\bf
  deny} decision which ensures that the funds are not moved.

The specific {\em decisions} (in green) depend on the risk profile and the
regulatory environment. The tables in each section list the specific values
that are to be configured.

There are five types if interactions that can trigger regulatory processes:

\begin{description}
  \item[withdraw] a customer withdraws digital cash from their {\bf bank account}
  \item[deposit] a merchant's {\bf bank account} is designated to receive a payment in digital cash
  \item[push] a {\bf wallet} accepts a payment from another wallet
  \item[pull] a {\bf wallet} requests a payment from another wallet
%  \item[balance] a withdraw or P2P payment causes the balance of a {\bf wallet} to exceed a given threshold
\end{description}

We note in bold the {\bf anchor} for the regulator process. The anchor is used
to link the interaction to an identity.  Once an identity has been established
for a particular anchor, that link is considered established for all types of
activities involving that anchor.  A wallet is uniquely identified in the
system by its unique cryptographic key.  A bank account is uniquely identified
in the system by its (RFC 8905) bank routing data (usually including BIC, IBAN
and account owner name).

The KYC and AML processes themselves are described in
Chapter~\ref{chap:regproc}.

\include{kyc-withdraw}
\include{kyc-deposit}
\include{kyc-push}
\include{kyc-pull}
%\include{kyc-balance}

\chapter{Regulatory Processes} \label{chap:regproc}

This chapter describes the interactions between the customer, exchange and
organizations or staff assisting with regulatory processes designed to ensure
that customers are residents in the area of operation of the payment service
provider, are properly identified, and do not engage in money laundering.

The three main regulatory processes are:

\begin{description}
\item[domestic check] This process establishes that a user is generally
  eligible to use the payment system.  The process checks that the user has an
  eligible address, but stops short of establishing the user's identity.
\item[kyc] This process establishes a user's legal identity, possibly
  using external providers to review documents and check against blacklists.
\item[aml] The AML process reviews suspicious payment activities for
  money laundering. Here AML staff reviews all collected information.
\end{description}

\include{proc-domestic}
\include{proc-kyc}
\include{proc-kyb}
\include{proc-aml}

\chapter{Fees} \label{chap:fees}

The business model for operating a Taler exchange is to charge transaction
fees.  Fees are charged on certain operations by the exchange.  There are two
types of fees, {\bf wire fees} and {\bf coin fees}.  This chapter describes
the fee structure.

Fixed, amount-independent {\bf wire fees} are charged on wire transfers using
the core banking system.  Details on wire fees are described in
Section~\ref{sec:fees:wire}.

Coin fees are more complex, as they do not exactly follow neither the usual
percentage of volume model of other payment systems.  Instead, coin fees are
applied per coin, resulting in a {\em logarithmic} fee structure.  As a
result, the effective fee {\em percentage} for tiny transactions is high (for
example 50\% for transactions of 0.0025 CHF) while the effective fee
percentage for large transactions is nominal (for example $\approx$ 0.05\% for
transactions of $\approx$ 40 CHF). Details on coin fees are described in
Section~\ref{sec:fees:coin}.

Fees are configurable (and that fee types beyond those described here are
supported by the software). Thus, the specific fees may be adjusted in the
future based on business decisions.  However, changes to the fees are never
retroactively applied to coins already in circulation.  Wire fees that have
been publicly announced for a particular time period also cannot be changed.
Finally, any change to the terms of service must also be explicitly accepted
by the users before they withdraw additional funds.


\include{fees-wire}
\include{fees-coins}
%\include{fees-other}


\end{document}