Transfer of Funds Regulation Amendments – CASP to retain information on originator and beneficiary
On the 31st of March 2022, the ECON-LIBE voting session of the EU Parliament voted in favour of a proposal to implement certain amendments to Reg. 2015/847 (Transfer of Funds Reg.). The proposal passed with a majority of the votes and now makes its way to the next phase: a Trilogue made up of a conciliation committee represented by the EU Comm. The proposal targets Virtual Assets (VAs) and Virtual Assets Service Providers (VASPs). Among the many amendments brought forward, some have caught the special attention of industry players: the rules to be imposed on “unhosted wallets”.
Amendment 15. Recital 27 b (new). This rule imposes on the CASP or any other obliged entity the obligation to collect and retain information from the originator and beneficiary when dealing with transactions that involve an “unhosted wallet” (from the beneficiary, when feasible). Moreover, the entities involved “should” reject or suspend the Tx if it seems to be “suspicious” when screened on a risk-sensitive basis.
Amendment 33 (Art. 3 – paragraph 1 – point 17a (new)). This rule defines an “unhosted wallet” as any crypto-asset wallet not held or managed by a CASP. According to the justification for the proposal, the definition aims to bring Txs from/to “unhosted wallets” under Reg. 2015/847 as soon as any obliged entity is involved (with ref. to the explanatory statements, point 2, at the end of the doc).
Amendment 52. Art 14 – paragraph 5a (new). This rule imposes a burden on the obliged entity to obtain and retain information related to the Txs from its Customers, where available. In addition, it extends the obligation to serve the authorities.
Amendment 59. Art 16 – paragraph 1a (new). This rule imposes on the beneficiary interacting with an “unhosted wallet” the obligation to provide the necessary information, and on CASPs the obligation to request such information.
Amendment 78. Art 30 a (new). This art. extends the request for a further report on the progress made. Point “b” requests that the report include an analysis of the need for, feasibility and proportionality of specific measures to mitigate the risks posed by “unhosted wallets”, including possible requirements to identify beneficial owners. Point “c” requests an analysis of trends in the use of “unhosted wallets” and the associated risks related to terrorism and money laundering, together with possible obligations on hardware and software providers and caps on Tx limits.
Amendment 16. Recital 28. All transfers of crypto-assets should be treated as cross-border wire transfers, with no simplified domestic wire transfer regime.
Explanatory statements (at the end of the doc). Point 2 establishes a lack of transmission of information to “unhosted wallets”.
Point 3 extends the disclosure of information established in Art 14 and subsequent to “know your transaction” requirements. This latter requirement involves the disclosure of the source and destination of the Crypto-Assets involved in a Tx.
The proposal aims to implement a modification (or, seemingly, an extension) of the “Travel Rule” developed by FATF and tailored for VAs and VASPs (the equivalent of CASPs in the EU under the governance of MICA). The history of the development of the “Travel Rule” can be traced back to the U.S. Bank Secrecy Act (BSA), when Capone and other historical figures gained their reputation as untouchables. Later on, the then “most developed countries” adopted the terms “terrorism” and “money laundering” as their new legal basis to justify rules on the disclosure of information in order to fight “the war” against them. This was exacerbated after the attacks on the World Trade Center, London and Paris, which served as catalysts for the further strengthening of such measures. KYC/AML requirements are part of the materialization of those rules. These rules on disclosure have changed the Banking Industry and the privacy of Citizens to this day.
Since the adoption of the BSA, the fight against “terrorism” and the prevention of money laundering have become legitimized and operative through the letter of the Law. This gives some States the physical capacity to request from Financial Institutions certain information about Citizens, in order to serve the purposes of “National Security”. This is where the FATF and the “Travel Rule” play an essential part in materializing such national policies. Within the scope of the proposal under analysis, the information necessary to honour the “Travel Rule” is found throughout amendments 42 and 57.
A priori, all the official texts mentioned above are centred on Terrorism and Money Laundering. That’s the legal basis for bringing this proposal forward, as is clearly written throughout the documents. Regardless of whether the DATA is gathered from a hosted or an “unhosted wallet”, this approach treats every user of VAs and CASPs as a potential terrorist or money launderer, either directly or indirectly. This places the users of VAs and CASPs in the highest-risk category for Compliance purposes. The higher the level of risk, the harsher the measures to apply. That’s an extreme approach to adopt considering the EU Digital Finance Package and the true valuation of Blockchain Technology as an ICT with the capacity to foster a DATA-driven society. The ramifications of such consequences shouldn’t be taken lightly.
As an inheritance, there is an issue with Legacy systems. Realistically, the DATA requested by the Travel Rule is gathered and processed within a centralized DATABASE, which requires human input to apply a discretionary risk-based assessment. Such systems aren’t resilient to human error. For example, if the information is unintentionally wrong or incomplete, the ongoing transfer can be “red-flagged” as “suspicious” under “presumptions” of terrorism or money laundering. The same may happen with unrecognized IP addresses, geolocation of IP addresses and countries under “grey lists”. Operationally, this might imply possible cancellation of the Txs and further investigation of the facts. In addition, the originator of the DATA could possibly be placed on a “Blacklist” stored in the DATABASE, triggering further complications for future transactions. The process for reversing these circumstances shifts onto the users involved the obligation to allocate their own resources to overcome the issues, sometimes by presenting independent evidence as requested by the Financial Institution and waiting until the Ledger is updated. Even then, the user has no certainty that her/his details have effectively been erased from that Blacklist.
I’ve crossed paths with more than one person who received a phone call from their bank after attempting to deposit or withdraw their funds to a crypto exchange, and who was requested to present themselves at the premises of that Bank with independent evidence because the transaction was under scrutiny for Money Laundering. From a legal perspective, they sound very confident accusing you of the facts without even one piece of independent evidence convincing enough to reach positive certainty. Nonetheless, we all still pay banking charges for putting our funds at the disposal of the Banking sector. Once again, within that Legacy system, that “red flag” triggers that categorization. Whatever the justification is, by this point the damage is already done. Business does not happen and people are charged with the burden of defending themselves against crimes that they never committed. Not to mention the remaining issues arising out of being placed on a Blacklist, like sustaining banking correspondence. Furthermore, the level of scrutiny applied to the DATA in order to detect terrorism and money laundering is far more intrusive and sensitive. Finally, there is no evidence supporting a clear link between the increase in terrorism and money laundering and the usage of “unhosted wallets”, or none beyond the hypothetical risk attached to the technical qualities of decentralization and speed endowed by Blockchain. Alas, it might be wiser to have a look at the current issues created by those Legacy systems before blaming a new technology on the basis of “unrealized damages”.
About Money Laundering. The process of Money Laundering consists of three phases: placement, layering and integration. As you may have read, for the process to be completed it requires one essential element: a Financial Institution. Without a Financial Institution willing and able to engage in the process, the funds will remain outside the accounting ledgers of the financial system. As a matter of fact, during this process the funds will be cleared within the accounting ledgers of more than one Financial Institution, and possibly more than once. This serves to prove that those transfers of funds were/are under the scrutiny of KYC/AML repeatedly. At this point, the “Travel Rule” has been implemented. That’s why those Financial Institutions are liable under the “Travel Rule”. That’s the way that the financing of Terrorism and Money Laundering has happened and is still happening, which serves to prove the partial efficiency of such rules to date.
“Unhosted wallets”, on the other hand, are nothing more than a communication layer between different protocols. Eventually, users of “unhosted wallets” already comply with KYC/AML. As a reference, before I am able to dispose of my funds within my Metamask wallet, I need to go through a Financial Institution where my FIAT funds are cleared (either a Bank, an Investment Firm or a regulated Institution offering Stablecoins); from there I need to convert my funds into the format of the token supported by the Protocol and then transfer them to Metamask. In other cases, before transferring to Metamask I need to use an extra Financial Institution to exchange FIAT into Crypto, namely a Crypto Exchange like Coinbase or Binance. This process works the same in both directions, for inflows as for outflows (deposits and withdrawals). As with FIAT transfers, the information needed to fulfil KYC/AML requirements under the “Travel Rule” is already collected by Financial Institutions dealing in Crypto, in addition to IP geolocation. Redundantly, at this point, the “Travel Rule” has been implemented more than once.
Cloning the same rule over “unhosted wallets” would imply a third or fourth layer of replicated enforcement. In practical terms, this decision might come at the expense of a misallocation of resources in Compliance programs and in software development and maintenance, offering nothing more than duplicated information. At the same time, it will overburden users with an unnecessary extra layer of identification, slowing adoption down while deterring their interaction with Blockchain Protocols and DeFi. This point should be taken seriously, considering that fulfilling KYC/AML requirements is an ongoing and repeated activity that never ends, to the point that it has become absolutely annoying for any user. Taken together, those measures may delay the development of other technologies like IoT and Web 3.0 (especially the Metaverse), which rely heavily upon Blockchain Technology and deep DATABASES for their development.
Regarding the DATA requested by the “Travel Rule”: what’s the methodology applied to the processing of such DATA (including the missing DATA)? Are we speaking of a deductive or an inductive methodology? What’s the rate of false positives? This is essential considering the facts at stake. For reference, we all may provide wallet addresses, dates of birth and details about the source and destination of the funds; however, those details in isolation do not suffice to reach certainty about terrorist activities or money laundering. Conversely, those details analyzed in combination with inductive methodologies might give some extra hints that allow whoever is analyzing the data to “theorize” about an individual and her/his activities, at the expense of implementing methodologies for DATA analysis that are not disclosed to the citizens. It is essential to deal with this aspect very delicately, considering the immutable and perpetual properties of Blockchain Technology in conjunction with the developments of AI in the field of behavioural recognition. Otherwise, the wrong approach may lead to a clash between the development of Blockchain and human freedom. More clarification is needed from the Legislator to understand the operative aspect of this point and, specifically, the risks involved in the processing of DATA for the purposes of pursuing “Public Policies” against “terrorism” and “money laundering”.
In tandem, by leveraging Blockchain technology the same level of scrutiny can be placed upon disclosure and transparency coming from the States and Institutions of certain dimensions. In correspondence, there is no need for a de-minimis threshold of USD 1000 to track the allocation of the funds collected from the taxpayers.
Furthermore, in terms of identity, it is worth mentioning the progress made by Decentralized Identifiers (DIDs), Self-sovereign Identities (SSIs), Data Monetization and Data Portability. Another example of progress in terms of privacy and scalability is “Whisper”. And there are many other projects currently ongoing. Most of these developments can be implemented in “unhosted wallets” without the need to expose DATA to centralized Legacy systems, while relaxing the burden of disclosure and protecting privacy. Perhaps a conversation between the FATF (or the EU Parliament) and the Blockchain industry may help to bring more useful tools in terms of privacy and DATA management, instead of imposing outdated solutions on novel technologies. The trade-off ought to be oriented towards decentralization, privacy, adoption and simplicity.
To date, FATF is not aware of any technically proven means for identifying the VASP that manages the “unhosted wallet” accurately, precisely and exhaustively; in all the circumstances and from the VA’s address alone. Read Footnote 30.
The amendments on “unhosted wallets” are only one piece of the puzzle. The real issue comes with the degree of surveillance over DeFi delegated to the EBA through Reg. 2018/847 and MICA. The consequences of this last topic may lead to a de-facto expropriation of the DeFi ecosystem through the imposition of formalities biased towards economic interests.