On Wednesday, I covered the misleading messaging around Europe’s proposed new anti-money laundering law, which was advertised as “banning anonymous crypto wallets.” That wasn’t really true – the law affects only third-party custodians, not software or hardware wallets.
However, it turns out the rules, while not banning self-hosted anonymous wallets, could indirectly strangle them.
The provisions, and the larger strategy behind them, point to genuinely scary encroachments on financial freedom and should be opposed.
On the other hand, these pernicious portions of the European Union rules could be narrowed or removed before they are slated to be implemented in 2024. According to members of Europe’s Data Protection Authority, they may violate Europe’s recently implemented "General Data-Protection Rules," or GDPR.
The poison pill is in article 58 of the proposed rules (full PDF here):
“Owners and beneficiaries of existing anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes or crypto asset wallets shall be subject to customer due diligence measures before those accounts, passbooks, deposit boxes or crypto-asset wallets are used in any way.”
According to Simon Lelieveldt, compliance adviser for the Dutch crypto exchange Bitonic, this language would require that both the owners of hosted crypto wallets and the owner of any crypto wallet they transact with, including self-hosted wallets, be subject to know-your-customer procedures under the new rules. (At least in the U.S. we tend to use “beneficiary” to mean the recipient of assets after the owner’s death, but in this context, it just means transaction recipients.)
This, Lelieveldt argues, is part of a larger strategy to kill anonymous crypto wallets.
“In sum, the travel rule is used as a wedge to push decentralized [wallets] into a legitimate custody world, making all else illegitimate and criminalized,” he told CoinDesk. “And it will be used to ban anonymous wallets from existing in the regulated world. Hence the expressed intentions of the (European) Commission are correct.”
It’s hard to say whether European authorities fully comprehend how draconian, malicious and outright absurd this measure is. At the highest level, it could be seen as making it illegal for any custodial crypto account holder to withdraw their holdings as cash. It sets a European agenda fundamentally hostile to the right to transact privately on the internet.
It’s also very hard to imagine how it would work. The Financial Action Task Force (FATF), which broadly sets the agenda for international anti-money-laundering (AML) measures, itself says it “is not aware of any technically proven means of identifying the person that manages or owns an unhosted wallet, precisely and accurately in all circumstances.” Any system for linking identities to on-chain wallets would be subject to errors and abuse, for deep technological reasons.
But even more disturbing is the indirect nature of the initiative. As I wrote Wednesday, the proposed rules do nothing to directly “ban” self-hosted wallets. But they would create a huge moat between third-party hosted wallets and self-hosted wallets, significantly undermining the utility of cryptocurrencies. Like residents of urban neighborhoods bifurcated by U.S. expressways in the mid-20th century, crypto users would be cut off from each other, undermining the technology’s promise of peer-to-peer transactions.
Shockingly, this is an explicit enforcement strategy floated by the FATF in a March guidance document on virtual assets, (thanks again to Lelieveldt for the tip here). The document includes a list of “options to mitigate risks posed by P2P [peer-to-peer] transactions at a national level if the ML/TF (money laundering/terrorism financing) risks are unacceptably high. This includes measures that seek to bring greater visibility to P2P transactions, as well as to limit jurisdiction’s exposure to P2P transactions.”
(Remind yourself here that “jurisdictions’ exposure to P2P transactions” is a synonym for “citizens’ rights to transact freely.”)
The FATF’s third recommendation for controlling peer-to-peer transactions is “denying licensing of VASPs (virtual asset service providers) if they allow transactions to/from non-obliged entities (i.e., private or unhosted wallets).
The GDPR problem
Now, there is some good (and fairly funny) news here. Before the draft AML rules were circulated publicly, the European Financial Commission received a fairly stern letter from the European Data Protection Board (EDPR), which oversees the enforcement of Europe’s General Data Protection Rule. When it was implemented, GDPR was largely seen in the context of social media and advertising, coming as it did in the wake of the Cambridge Analytica data scandal.
But the Data Protection Board is making it crystal clear that it regards financial data as subject to GDPR, too. And though the letter tiptoes around the issue, it hints that the board may regard the proposed new AML framework as flawed.
“The EDPB ... has repeatedly noted the privacy and data protection challenges related to the AML framework … a fair balance has to be struck between the interest to prevent money laundering and terrorist financing, on the one hand, and the interests underlying the fundamental rights to data protection and privacy, on the other,” the letter said.
The board points to principles including “data minimization” and “necessity and proportionality” as key to crafting AML regulations that don’t violate GDPR. Digging into these is a task for another day. But suffice it to say that requiring transactors’ detailed personal information be sent with every large financial transaction, as current AML rules often do, does not mesh easily with those principles.
“Why broadcast 99.8% of redundant data of innocent citizens via the payment channels to capture 0.2% of the people [committing crimes],” Lelieveldt asks, “in a day and age where other surveillance technologies are better suited? Data breaches [of financial services] are just around the corner.” Rules requiring on-demand delivery of data about suspicious transactions to police, he says, would be just as effective while preserving privacy.
The new AML rules, moreover, could create a perverse incentive for companies whose data-centric business models are being threatened by rising privacy standards such as GDPR and Apple’s recent opt-in tracking feature.
Companies like “Cambridge Analytica (or Facebook itself) will jump at the opportunity to use the FATF-crypto travel rule to push all the customer data along to all business partners under the pretense of complying with FATF rules,” Lelieveldt warns.
It would be great if cooler heads prevail and Europe’s AML rules are revised before they’re implemented. But whatever the letter of the law, it seems unlikely that the Data Protection Board has the heft to go up against the Finance Commission, which can just start talking about “terrorist financing” and use fear to push through pretty much whatever it wants.
Fighting back is going to require broad resistance. It’s time for loud voices from around the world to make themselves heard.