#21.- Open letter to the EU Parliament and Council

A reflexive proposal on the Transfer of Funds Regulation & regulating tech.

What is the Transfer of Funds Regulation?

It’s a proposal of regulation that sets out rules on the information on payers and payees (originators and beneficiaries for crypto transactions), accompanying transfers of funds and crypto assets, in order to help prevent, detect and investigate money laundering and terrorist financing.

Origins: the Travel Rule.

The FATF first introduced this rule in 2019 as a recommendation, and since, many countries have worked on its implementation (not doing so means the inclusion of the country on the grey or black list of the FATF & consequent sanctions).

Essentially, it requires the extension of AML/CFT obligations to Virtual Asset Service Providers, better know as VASPs, but in its last guidance publication, FATF suggested the extension of the rule to “unhosted wallets”, or personal wallets, which are wallets that are not issued nor controlled or hosted by a third party (exchanges..etc).

This suggestion has now, or it seems, been welcomed by the EU. The proposal for a regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain types of crypto assets was subject to several amendments during the 31st of March, that being approved, have heavy implications and are also far away from the recommendations of the FATF.

As I use to say, regulatory analysis always require a previous context situation. In this case, the EU is not the first jurisdiction implementing the Travel Rule, as Canada, Japan and Singapur already enforce it (see picture below).

For instance, in the US, FinCEN tried to pass by a “crypto wallet rule” led by Munchin (former Treasury Secretary) that required VASPs to store names and adresses of customers transferring over US3,000 to private crypto wallets (UW), and for customers transferring over US10,000, VASPs would be required to report FinCEN both the sender and the recipient’s information. This initiative was finally and successfully halted by the US crypto ecosystem.

Of course, as a regulatory lawyer I do understand that money laundering is an issue and a legitimate goal to fight against. Criminal activity not only damages administrations, but each and every one of us, and it shall be prosecuted. But this can not mean the automatic DEMONISATION of an asset or an activity, nor the systematic exposure of privacy from users. Proportionality does matter when Governments approve enforceable rules, and thus, regulators must listen and consider the affected the players, in this case, VASPs.

As it can be seen, VASPs are required to collect certain data on the recipient (in the European text “beneficiary”) when transactions exceed a certain amount (1.000 CAD). Therefore, Travel Rule is not new, nor a burden that the biggest players in the space are complaining much about. Moreover, Coinbase is spearheading a new SWIFT-ish protocol called TRUST (Travel Rule Universal Solution Technology).

So…why have the amendments introduced by the EP caused so much reaction, then?

Here’s the last version of this regulatory proposal, dated on February 2022, drafted by the Committee. After being published, the EP has introduced several amendments, some of them being a threat to the current European position as a potential crypto hub. Therefore, some of us are willing to not only spread the word but also makes ourselves available for any conversations that can help regulators understand the deep impact of approving this version of the text. The crypto industry is just starting to boost in the EU, and other jurisdictions are already setting themselves as a crypto friendly space. We should not close the door to this next revolution.

I have done a deep analysis on the text, and highlighted the most relevant amendments that were voted and passed by.

Before deep diving in them, lets first understand how the regulatory process of approving a legislative proposal works at this level:

https://www.europarl.europa.eu/doceo/document/CJ12-PR-704888_EN.pdf

Blue shaded icons represent steps already fulfilled by the proposal, whilst the last one, is still ongoing. This should make a guess of how relevant it is for European crypto users and asset providers to make their voices heard.

Once understood how close we’re to having this text passed by, as a lawyer, I always put emphasis when analyzing a Law on the explanatory statement, a piece of text that is very much ignored but that contains the spirit and expectations of every single regulatory text and that can be used in this case to push forward (or actually push back) several amendments that have been just introduced in it. As I say “it is in the spirit and no in the form of the Law that keeps justice together”. A lack of understanding and ignorance of how complicated it would be to turn the words into enforcing rules is quite obvious if one reads this extract, something that suggests me that it is very necessary to keep pushing through education from the ecosystem, to the political members.

MAIN AMENDMENTS that exceed the basic recommendations of FATF and imply a regulatory detriment for VASPs in Europe.

1️⃣ 5b. In the case of a transfer of crypto-assets made to an unhosted wallet, the provider of crypto-asset transfers of the originator shall collect and retain the information referred to paragraphs 1 and 2, including from its customer, verify the accuracy of that information in accordance with paragraph 5 of this Article and Article 16(2), make such information available to competent authorities upon request, and ensure that the transfer of crypto-assets can be individually identified. For transfers to unhosted wallets which are already verified and have a known beneficiary, providers of crypto-asset transfers shall not be required to verify the information of the originator accompanying each transfer of crypto-assets. Such information shall be made available to competent authorities upon request in accordance with Article 33 of Directive (EU) 2015/849.

Where does this come from?

From copy-pasting regulation applicable to transfers of funds in fiat, this is, from money service provider’s regulation where incoming funds (beneficiary accounts) can be easily verified from a AML perspective, as every single account must be issued and approved by a bank or similar institution, and of course, they’re all regulated parties.

Nevertheless, this is something that does not happen in the crypto space, where we have the so called “unhosted wallets”. These wallets do not require a previous KYC and therefore ensure the user’s privacy. A privacy that may be challenged when relying on a VASP for a determinate transaction. We must not forget this regulation applies only to VASPs, and no to P2P transactions, but still, it must be highlighted since the implementation of such a rule outlines a heavy burden on VASPs.

It is not clear HOW are VASPs going to to execute this verification in order for it to be complaint, BUT one can really not expect it to be nor easy, nor efficient. Specially given the literature of the next paragraph:

Providers of crypto-asset transfers shall adopt effective measures to ensure that the verification of the ownership information in relation to unhosted wallets does not cause undue delay to the execution of the intended transfers.

Of course, the dangers of having such information stored digitally poses a huge cyberattack risk for VASPs and it should be weighted by the regulators before turning it into Law.

Following on, and one of the other amendments that deserves a mention, is in article 16:

2️⃣ 4 a. Where there is a transfer of crypto-assets from an unhosted wallet, the provider of crypto-asset transfers of the beneficiary shall collect and retain the information referred to in Article 14(1) and (2) from its customer, verify the accuracy of that information in accordance with paragraph 2 of this Article and Article 14(5), make such information available to competent authorities upon request, and ensure that the transfer of crypto-assets can be individually identified. For transfers of crypto-assets from unhosted wallets which are already verified and have a known originator, providers of crypto-asset transfers shall not be required to verify the information of the originator accompanying each transfer of crypto-assets.

 The provider of crypto-asset transfers shall maintain a record of all transfers of crypto-assets from unhosted wallets and notify the competent authority of any customer having received an amount of EUR 1 000 or more from unhosted wallets.

Providers of crypto-asset transfers shall adopt effective measures to ensure that the intended transfers are not unduly delayed by verification of the ownership information in relation to unhosted wallets and by reporting procedures.

The fact that VASPs are forced to report all transfers coming from UW that amount 1.000 euros or more, is not only excessive but naive. As with fiat, in crypto anyone can chop up transactions, use different mixing tools or bypass the limit.

The third controversial amendment is in Article 17:

3️⃣ 1. The provider of crypto-asset transfers of the beneficiary shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849,  including procedures to detect the origin or destination of the transferred crypto-assets, for determining whether to execute or reject a transfer of crypto-assets lacking the required complete originator and beneficiary information or a transfer that is detected as suspicious and for taking the appropriate follow-up action.

Where the provider of crypto-asset transfers of the beneficiary becomes aware, before making the transfers of crypto-assets available to the beneficiary, that the information referred to in Article 14(1) or (2) or Article 15 is missing or incomplete, or a transfer that is suspicious, the provider of crypto-asset transfers shall on a risk-sensitive basis:

a) immediately reject the transfer or return the transferred crypto-assets to the originator’s crypto-asset account or wallet address; or

b) ask for the required information on the originator and the beneficiary as soon as possible before  making the crypto-assets available to the beneficiary;

c) report to the competent authority responsible for monitoring compliance with anti-money laundering and counter terrorist financing provisions and hold the transferred crypto-assets without making them available to the beneficiary, pending review by the competent authority, which shall provide specific instructions as soon as possible.

4️⃣ And the last one, in article 18aa, says:

Prohibition of transfers to or from non-compliant providers

1. Providers of crypto-asset transfers and intermediary providers of crypto-asset transfers shall not facilitate any transfer of crypto-assets to or from non-compliant providers of crypto-asset transfers.

The following shall be deemed to be non-compliant providers of crypto-asset transfers:

a) providers of crypto-asset transfers that are not established, or do not have any central contact point or substantive management presence, in any jurisdiction and that are unaffiliated with a regulated entity;

This point intends to bring the crypto industry amongst only identified corporations, in order to make potential enforcement easier. Attitudes like the one certain exchanges used to have, with no disclosure of HQ, nor offices, represent a serious hurdle for regulators when trying to enforce their laws, and something they must have learnt about.

b) providers of crypto-asset transfers operating in the Union without authorisation under Regulation [Regulation on Markets in Crypto-assets].

Following the previous provision, Europe intends to create a closed circuit of crypto asset service operators. Not one of my favourite approaches, must I say, since this sort of authorisations do not exist for other types of businesses.

The condition referred to in point (b) shall apply from ... [date of application of the Regulation on Markets in Crypto-assets], without prejudice to any transitional measures set out in that Regulation. 

Final thoughts - specific actions and demands:

🟣 A de minimis threshold should be again introduced in the proposal, since the absence of it does not ensure the elimination of criminal activity through money laundering.

🟣 Verification of information from unhosted wallets is not only disproportionate but possibly useless, since users may just EU infrastructure and use non-EU providers.

🟣 Privacy IS a fundamental right and an important value for the EU, as its track record proves. It is therefore vital to understand that exposing data may not be effective to prevent money laundering when there are many decentralized tools that would fall out of the scope of this regulation.

🟣 Centralized VASPs are not the main tool for criminals (decentralized protocols are), thus, imposing such a burden on them may not only not accomplish the EP goal, but expel them from the EU, to another jurisdiction.

🟣 Statement from Crypto Council for Innovation on the topic can be found here

🟣 Coinbase has also issued a statement that can be read here

🟣 If you’re in Europe, you can reach out to your MEPs and either resend them this post, or please just be courteous and informative. This is dialogue that we must manage from education and wisdom.

From the crypto ecosystem we hope that the dialogue that is still ongoing represents an opportunity to move forward in a tech neutral and innovation-friendly manner. We look forward and are open to continuing the conversation with policymakers to discuss the benefits of crypto and the challenges these new measures would pose if adopted.