Recent European Union proposals requiring custodial wallet providers and centralized crypto exchanges to verify and collect personal information on holders of self-custodial wallets show the dangers of recycling traditional finance (TradFi) rules and applying them to cryptocurrency without understanding the conceptual differences. As countries implement the Financial Action Task Force (FATF) Travel Rule, originally designed for wire transfers, we can expect to see more.
The missing link between identity, control, and self-custody
Proposed EU rules aim to “ensure crypto-assets are traceable in the same manner as traditional money transfers.” This assumption is incorrect.
In TradFi, a bank account is linked to your verified identity, and that identity gives you control of the account. Your partner can’t share your online banking information with you, but it doesn’t make them the account holder. You can still regain control if your partner changes your login details. Your identity is your ultimate control, which can’t be lost or stolen forever. In exchange for bank custody protections, your self-sovereignty will be lost.
Different rules apply to self-custody for crypto assets. The private keys to the wallet are what give control (i.e. the ability to transact) to the self-custodial account. The control is not tied to any person’s identity, and you don’t have to prove your identity. You only need to download software and store your private keys. You will be responsible for your own self-sovereignty.
Implementing the rules
Let’s take a look at how a custodial wallet provider would comply with the EU proposal. Let’s say Alice wishes to transfer 0.3 Ether (ETH) from her custodial account to Bob’s self-custodial wallet to pay for Bob’s consulting services. The custodial wallet provider will need to 1) get Bob’s name and wallet address, residential address, personal ID number, date and place of birth, and 2) verify these details. The same information would be needed for a transfer from Bob’s wallet to Alice’s custodial account. Alice would need to ask Bob for his details. Alice would then give them to the custodial wallet provider, as was recently recommended by a custodial provider in a similar context.
Even the smallest transactions would be covered by these rules. There is no minimum transaction threshold. If verification fails, custodial wallet providers might also be required to withhold any incoming transfers. This would increase custody risks and make it more difficult to return the funds to their self-custodial wallet.
Compliance is impossible because identity does not mean control.
Although collecting data and possibly withholding incoming transfer payments is a cumbersome operation, verification obligations can be difficult to meet. The purpose of identity verification in TradFi is to verify that the person who controls a bank account is the same person as the one claiming to control it. How can the custodial wallet provider fulfill its verification obligation if Bob’s control over the wallet is not dependent on his identity?
Even if the custodial wallet provider confirmed that Bob is the person he claims to be, it doesn’t necessarily mean that he has control of the wallet. It could be managed by a decentralized autonomous organization that redistributes money to members such as Bob, or by a criminal group for which Bob is merely a money mule. Bob cannot be identified by any third party in order to transact. The “bank” controls the private keys.
Exposing legitimate users to disproportionate security risk
Let’s say that a custodial wallet provider manages to follow the proposed rules or a more stringent version that doesn’t require verification. Custodial wallet providers will need to maintain large databases of self-custodial wallet users. This could expose users to data breaches. This risk is far more severe for legitimate users (i.e., those who are honest about their identity and have control of the self-custodial wallet).
In TradFi, if criminals compromise someone’s bank accounts or cards, the bank can then block the account. This feature is not available in self-custodial wallets. Tens of millions of people worldwide see self-sovereign ownership as a benefit. It is secured by cryptography and the user’s own vigilance. Self-sovereignty does not mean that you will be able to keep your identity private.
Users are exposed to a higher level of risk than in TradFi if their privacy is compromised, such as by a hack of the custodial provider’s database of users who have self-custodial accounts. Criminals could use a person’s address and date of birth, along with their on-chain activity, to launch highly targeted phishing attacks against users’ devices in order to steal private keys, or to blackmail them. This would include threats to physical safety. The user irreversibly loses control of their wallet if private keys are stolen.
Criminals will find ways to circumvent the rules, such as running their own nodes to interact with the blockchain so that they do not have to rely upon custodial software or custodial wallet providers. Only legitimate users will have to take on these security risks.
Inconsistencies in EU’s policy framework
The proposal raises privacy concerns beyond security. This would violate the General Data Protection Regulation (GDPR), which stipulates that data collected must be adequate, relevant, and only used for their intended purpose. Forget about the argument that data collection is useless. Given the absence of a link between self-custodial control and identity, it’s difficult to see, even using TradFi’s standards, how someone’s address and date of birth are relevant or necessary for making a transaction. Although banks keep this information about account holders regularly, they don’t have to ask. These details are needed to send money or pay for services.
It is not clear how long custodial wallet service providers would have to keep the data. GDPR states that personal data should only be retained for the purposes of collection. It is not clear how users’ individual rights under GDPR, such as the “right to be forgotten” or the “right to rectification”, could be protected if their personal data are tied to their on-chain history. This cannot be altered.
EU policy principles are also not in line with the absence of any risk-based assessment and of a minimum threshold (unlike for fiat transfers, where it is 1,000 euros). All crypto transfers will be treated with suspicion simply because they involve crypto assets.
This is the right time to get in touch with policymakers
EU-based custodial wallet providers may choose to limit transfers to and from self-custodial accounts altogether, in order to avoid costly compliance processes. They might also begin to service EU users from outside of the EU. This could send negative signals to the crypto sector and may discourage tech talent and capital from the EU. It is similar to the departure of crypto operators from the United Kingdom.
Peer-to-peer transactions may be more popular than decentralized players and decentralized players, which will allow users to bypass the burdensome rules. This could be beneficial to some users but the EU needs to encourage seamless interconnectivity between central and decentralized players. It should also allow users to make their own decisions about how to transact.
Now, the proposal is moving to negotiations between the EU legislative bodies starting April 28. The final text should be ready by June. The rule can still be reviewed within 12 months if it is passed in its current form. We can’t trust this, however. Now is the right time for the European cryptocurrency industry to collaborate with policymakers. Instead of imposing TradFi rules on a developing technology, we should encourage outcome-based policies that promote the development of new compliance solutions that respect crypto’s workings.
These views, thoughts, and opinions are solely the author’s and do not necessarily reflect the views or opinions of Cointelegraph.
ConsenSys’ legal counsel Natalie Linhart advises on products such as MetaMask and NFT experiences, as well as institutional staking. She is also interested in European regulatory issues that affect the crypto industry. She was previously a Clifford Chance London financial regulatory and derivatives attorney, where she advised clients on accessing new markets, launching financial products and mitigating regulatory risk. She was also involved in derivatives and capital markets transactions, including at a global investment bank.