Vulnerability to theft of personal data
The barrier to setting up a TRP server is very low: all that is needed, in essence, is a domain name and a corresponding X.509 certificate (from any CA provider). I see this very much as a feature of TRP, but it also allows bad actors to participate.
I can imagine an attacker setting up a TRP server, and tricking a customer of a VASP into sending funds to a TRP address that resolves to that server. This gives the attacker access to the funds. So far, this is no different from tricking a user into sending funds to an attacker-controlled crypto address. However, with TRP, in addition to the funds, the attacker obtains the personal information sent by the originator VASP. This can then be abused for identity theft and other damaging actions.
A naive customer might not be aware of this. The customer might be aware of the risk of sending funds to a non-trusted address, but accept this risk if it involves only a small amount. The customer may not be aware of the fact that personal data is sent, and of the related risks.
If a VASP wants to offer some protection against this attack, what could we consider best practices? One could, for instance, maintain a white-list of trusted VASPs in trusted jurisdictions, with their TRP domain names, and issue a warning to the customer in case of a withdrawal to a TRP address that resolves to a different domain name.