
Amendments of Transfer of Funds Regulation

On 31 March 2022, the ECON-LIBE voting session of the EU Parliament voted for the proposal, which aims to implement certain amendments to Reg. 2015/847 (Transfer of Funds Reg.). The proposal was passed with a majority of votes, making its way to the next phase. The next phase will be a trilogue made up of a conciliation committee represented by the EU Committee.

The proposal targets Virtual Assets (VAs) and Virtual Assets Service Providers (VASPs).

Among the many amendments brought forward, some have caught the special attention of industry players. These are the rules to be imposed on “unhosted wallets”.

The play

Amendment 15. Recital 27 b (new). According to this amendment, the new rule is to impose on the Crypto Asset Providers (“CASP”) or any other obliged entity the obligation to collect and retain information from the originator and beneficiary when dealing with transactions that involve an “unhosted wallet”. The intention is for it to be obtained from the beneficiary, when feasible. Moreover, the entities involved “should” reject or suspend the Tx if such Tx seems to be “suspicious” when screened on a risk-sensitive basis.

Amendment 33 (Art. 3 - paragraph 1 - point 17a (new)). According to this amendment, the new rule defines an “unhosted wallet” as any crypto-asset wallet not held or managed by a CASP. Under the justification for the proposal, the definition aims to include Txs from/to “unhosted wallets” under Reg. 2015/847, as soon as any obliged entity is involved (with reference to the explanatory statements, point 2, at the end of the document).

Amendment 52. Art 14 - paragraph 5a (new). This rule intends to impose a burden on the obliged entity to obtain and retain information related to the Txs from its Customers, where available. In addition, it extends the obligation to serve the authorities.

Amendment 59. Art 16 - paragraph 1a (new). This rule shall also impose on the beneficiary interacting with an “unhosted wallet” the obligation to provide the necessary information, and on CASPs the obligation to request such information.

Amendment 78. Art 30 a (new). This article extends the request for a further report on the progress made. Point “b” requests from such a report an analysis of the needs, feasibility and proportionality of specific measures to mitigate risks posed by “unhosted wallets”, including possible requirements to identify beneficial owners. Point “c” requests an analysis of trends involving the use of “unhosted wallets” and associated risks related to terrorism and money laundering, together with possible obligations towards hardware and software providers and caps on Tx limits.

Amendment 16. Recital 28. All transfers of crypto-assets should be treated as cross-border wire transfers, with no simplified domestic wire transfer regime.

Explanatory statements (at the end of the document). Point 2 establishes a lack of transmission of information to “unhosted wallets”.

Point 3. Extending the disclosure of information established within Art 14 and subsequent articles to “know your transaction” requirements. This latter requirement involves the disclosure of the source and destination of Crypto-Assets involved in Txs.

The parts

The proposal aims to implement a modification (or seemingly an extension) of the “Travel Rule” developed by FATF and tailored for VAs and VASPs (the equivalent to CASPs in the EU under the governance of MICA). The history of the development of the “Travel Rule” can be traced back to the U.S. Banking Secrecy Act (BSA), when Capone and other characters of the history gained their reputation as untouchables. Later on, the “most developed countries” of the time adopted the terms “terrorism” and “Money Laundering” as their new legal basis to justify rules on disclosure of information to fight “the war” against these issues. This was exacerbated after the attacks on the World Trade Centre, London and Paris, which served as catalysts for the further strengthening of such measures. Part of the materialization of those rules are KYC/AML requirements. These rules on disclosure changed the banking industry and the privacy of citizens, and have evolved and continue to evolve to this day.

Since the adoption of the BSA, the fight against “terrorism” and the prevention of money laundering have become legitimized and operative through the letter of the Law. This gives some States the physical capacity to request from Financial Institutions certain information about their citizens, in order to serve the purposes of “National Security”. This is where the FATF and the “Travel Rule” play an essential part in materializing such national policies. Within the scope of the proposal under analysis, the information necessary to honour the “Travel Rule” is found throughout amendments 42 and 57.

A priori, all the official texts mentioned above are centred around Terrorism and Money Laundering. That is the legal basis to bring forward this proposal, as it is clearly written throughout the documents. Regardless of whether the DATA is gathered from a hosted or “unhosted wallet”, this approach holds every user of VAs and CASPs as a potential terrorist or money launderer; either directly or indirectly. This places the users of VAs and CASPs under the highest-risk category for compliance purposes. The higher the level of risk, the harder the measures to apply. That is an extreme approach to adopt considering the EU Digital Finance Package and the true valuation of Blockchain Technology as ICT with the capacity to foster a DATA-driven society. The ramifications of such consequences should not be taken lightly.

There is also an inherited problem with legacy systems. Realistically, the DATA requested by the Travel Rule is gathered and processed within a centralized DATABASE, which requires human input to apply a discretionary risk-based assessment. Such systems are not resilient to human error. For example, if the information is unintentionally wrong or incomplete, the ongoing transfer can be “red-flagged” as “suspicious” under “presumptions” of terrorism or money laundering. The same may happen with unrecognized IP addresses, geolocation of IP addresses and countries under “grey lists”. Operationally, this might imply possible cancellation of the Txs and further investigation of the facts. In addition, the originator of the DATA could possibly be placed on a “Blacklist” stored in the DATABASE, triggering further complications for future transactions. The process for reversing these circumstances transfers to users the obligation to allocate their own resources to overcome the issues. Sometimes, this involves presenting independent evidence as requested by the relevant financial institution and waiting until the ledger is updated. Even then, the user has no certainty about her/his details being effectively erased from that Blacklist.

I have crossed paths with more than one person who received a phone call from his bank after attempting to deposit or withdraw his funds to a crypto exchange, being requested to present himself at the premises of such a bank or financial institution in possession of independent evidence because the transaction is under scrutiny for money laundering. Most of the time, banks may sound very confident in accusing their clients or alleging money laundering without even one piece of independent evidence convincing enough to reach positive certainty. Nonetheless, everyone is still paying banking charges for putting all our funds at the disposal of the banking sector.

Once again, within that legacy system a “red flag” may trigger that categorization. Whatever the justification is, by this point the damage is already done. Business does not happen and people are charged with the burden of defending themselves from crimes that they never committed. Not to mention the remaining issues that result from being placed on a blacklist, like losing banking correspondence. Furthermore, the level of scrutiny applied to the DATA in order to detect and prevent terrorism and money laundering is far more intrusive and sensitive. Finally, there is no evidence supporting a clear link between the increase of terrorism and money laundering and the usage of “unhosted wallets”, or none beyond the hypothetical risk attached to the technical qualities of decentralization and speed endowed by blockchain. Alas, it might be wiser to have a look at the current issues created by those legacy systems before blaming a new technology on the basis of “unrealized damages”.

About Money Laundering. The process for Money Laundering consists of three phases: placement, layering and integration. For the process to be completed it requires one essential element: a financial institution. Without a financial institution willing and able to engage in the process, the funds will remain outside of the accounting ledgers of the financial system. As a matter of fact, during this process, the funds will be cleared within the accounting ledgers of more than one financial institution and possibly more than once, which serves to prove that those transfers of funds were/are under the scrutiny of KYC/AML repeatedly. At this point, the “Travel Rule” has been implemented. That is why those financial institutions are liable under the “Travel Rule”. That is also the way that the financing of terrorism and money laundering has happened and is still happening, which serves to prove the partial efficiency of such rules to date.

“Unhosted wallets”, on the other hand, are nothing more than a communication layer between different protocols. Eventually, users of “unhosted wallets” already comply with KYC/AML. For example, before a user is able to dispose of funds from their MetaMask wallet, they would need to go through a financial institution where the FIAT funds are cleared: a bank, an investment firm or a regulated institution offering stablecoins. From there, the user will need to convert their funds into the format of the token supported by the protocol and then transfer them to MetaMask. In other cases, before transferring to MetaMask, they will need to use an additional financial institution to exchange FIAT into Crypto, namely Crypto Exchanges like Coinbase or Binance. This process works the same in both directions, for inflows and outflows alike (deposits and withdrawals). Similar to FIAT transfers, information to fulfil KYC/AML requirements under the “Travel Rule” is already collected by financial institutions dealing in Crypto, in addition to IP geolocation. At this point, the “Travel Rule” would have already been applied to the user’s detriment more than once.

Cloning the same rule over “unhosted wallets” would imply a third or fourth layer of replicated enforcement of the same rules and checks. In practical terms, this decision might come at the expense of a misallocation of resources in compliance programs and in software development and maintenance, offering nothing more than duplicated information. At the same time, it will overburden users with an unnecessary extra layer of identification, slowing adoption down while deterring their interaction with Blockchain Protocols and DeFi. This point should be taken seriously, considering that fulfilling KYC/AML requirements is an ongoing and repeated activity that never ends, to the point that it has become absolutely annoying for any user. Taken together, those measures may delay the development of other technologies like IoT and Web 3.0 (especially the Metaverse), which rely heavily upon Blockchain Technology and deep DATABASES for development.

Regarding the DATA requested by the “Travel Rule”: what is the methodology applied to the processing of such DATA (including the missing DATA)? Are we speaking of a deductive or inductive methodology? What is the rate of false positives? This is essential considering the facts at stake. For reference, we all may provide wallet addresses, dates of birth and details about the source and destination of the funds; however, those details in isolation do not suffice to reach certainty about terrorist activities or money laundering. Conversely, those details analyzed in combination with inductive methodologies might give some extra hints that allow whoever is analyzing the data to “theorize” about an individual and her/his activities, at the expense of implementing methodologies for DATA analysis not disclosed to the citizens. It is essential to deal with this aspect very delicately, considering the immutable and perpetual properties of Blockchain Technology in conjunction with the developments of AI in the field of behavioural recognition. Otherwise, the wrong approach may lead to a clash between the development of Blockchain and human freedom. More clarification is needed from the Legislator to understand the operative aspect of this point and the risks involved in the processing of DATA for the purposes of pursuing “Public Policies” against “terrorism” and “money laundering” specifically.

In tandem, by leveraging Blockchain technology the same level of scrutiny can be placed upon disclosure and transparency coming from the States and Institutions of a certain size. Correspondingly, there is no need for a de-minimis threshold of USD 1000 to track the allocation of the funds collected from the taxpayers.

Furthermore, in terms of identity, it is worth mentioning the progress made by Decentralized Identifiers (DIDs), Self-sovereign Identities (SSIs), Data Monetization and Data Portability. Another example of progress in terms of privacy and scalability is “Whisper”. And there are many other projects currently ongoing. Most of these developments can be implemented in “unhosted wallets” without the need to expose DATA to centralized legacy systems, while relaxing the burden of disclosure and protecting privacy. Perhaps a conversation between the FATF (or the EU Parliament) and the Blockchain industry may help to bring more useful tools in terms of privacy and DATA management, instead of imposing outdated solutions for novel technologies. The trade-off ought to be oriented towards decentralization, privacy, adoption and simplicity.

To date, FATF is not aware of any technically proven means for identifying the VASP that manages the “unhosted wallet” accurately, precisely and exhaustively; in all the circumstances and from the VA’s address alone.

The amendments towards “unhosted wallets” are only one piece of the puzzle. The real issue comes with the degree of surveillance delegated to the EBA towards DeFi through Reg. 2018/847 and MICA. The consequences of this last topic may lead to a de facto expropriation of the DeFi ecosystem through the imposition of formalities biased towards economic interests.

The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact infomalta@kyprianou.com or telephone +356 2016 1010.