How regulators got it wrong


The recent European Union proposal requiring centralized cryptocurrency exchanges and custodial wallet providers to collect and verify personal information about self-custody wallet holders shows the dangers of recycling the rules of traditional finance (TradFi) and applying them to cryptocurrencies without appreciating the conceptual differences. We can expect to see more of this as countries look to implement the Financial Action Task Force (FATF) Travel Rule, initially designed for wire transfers, for transfers of crypto assets.

The (missing) link between self-custody, control and identity

The goal of the EU’s proposed rules is to “ensure that crypto assets can be traced in the same way as traditional money transfers.” This assumes that each self-custody wallet can be linked to someone’s verifiable identity and that this person necessarily controls the wallet. This assumption is wrong.


In TradFi, a bank account is linked to the verified identity of its owner, giving them control over that account. For example, sharing your online banking details with your partner does not make them the account holder. Even if your partner changes your login details, you can regain control by proving your identity to the bank and having them reset the details. Your identity gives you ultimate control that cannot be permanently lost or stolen. Of course, in exchange for the bank’s custody protections, you lose sovereignty over your assets.

Self-custody of crypto assets is different. Control (i.e. the ability to transact) over a self-custody wallet is in the hands of whoever holds the private keys for that wallet. That control is not linked to anyone’s identity, and there is no one to prove your identity to. All you need is to download a piece of software and securely store your private keys. In exchange for this responsibility, you retain self-sovereign ownership of your assets.

Application of the proposed rules

Let’s see how a custodial wallet provider would comply with the EU proposal. Suppose Alice wants to send 0.3 Ether (ETH) from her custodial wallet account to Bob’s self-custody wallet to pay for Bob’s consulting services. Before the transfer takes place, the custodial wallet provider would need to 1) collect Bob’s name, wallet address, residential address, personal identification number, and date and place of birth; and 2) verify the accuracy of these details. Generally speaking, the same details would be required for a transfer from Bob’s wallet to Alice’s custodial wallet account. Alice would likely need to ask Bob to send her his data, and Alice would then provide it to the custodial wallet provider, as was recently recommended by a custodial wallet provider in a similar context.

The rules would apply even to the smallest transactions: there is no minimum threshold. Custodial wallet providers may also need to hold incoming transfers (which creates higher custody risks) and return them to the self-custody wallet if verification is unsuccessful.


Identity does not equal control, making compliance impossible

While the data collection and possible holding of incoming transfers is cumbersome from an operational standpoint, the verification obligation may be impossible to meet at all. In TradFi, the point of identity verification is to ensure that the person who claims to control a bank account is in fact the person who controls it. But how could the custodial wallet provider fulfill the verification obligation if control over Bob’s self-custody wallet does not depend on his identity?

Even if the custodial wallet provider were able to confirm that Bob is the person he claims to be, this does not mean that he controls the wallet. The wallet could be controlled by a decentralized autonomous organization that redistributes payments to members like Bob, or by a criminal group, with Bob simply being their money mule. There is no third party to prove Bob’s identity to in order to transact: whoever controls the private keys is the “bank”.

Exposing legitimate users to disproportionate security risks

Let’s assume that custodial wallet providers manage to comply with the proposed rules, or with a less stringent version of them that does not require verification. Custodial wallet providers would need to maintain large databases of self-custody wallet users, exposing those users to the risk of data breaches. For legitimate users, i.e. those who declare their true identity and also control the related self-custody wallet, this risk has far greater consequences than TradFi data collection (e.g. the FATF Travel Rule for wire transfers).

In TradFi, if a criminal compromises someone’s bank account or card, they won’t get very far because the bank can block the account. By definition, self-custodial wallets lack this feature. Tens of millions of users around the world see self-sovereign ownership, secured through cryptography and user self-monitoring, as an advantage, including those who are excluded from the banking system. However, self-sovereignty presupposes personal privacy.

Once privacy is compromised, for example by a breach of the custodial wallet provider’s database of self-custody wallet users, users are exposed to an unfair level of risk compared to TradFi. Knowing someone’s name, address, date of birth and ID number, along with their on-chain activity, would make it easier for criminals to launch highly targeted phishing attacks, compromise users’ devices to retrieve private keys, or blackmail them, including with threats to their physical safety. Once the private keys are compromised, the user irreversibly loses control of their wallet.


Since criminals will find ways to circumvent the rules, for example by running their own nodes to interact with the blockchain without having to rely on custodial wallet providers or self-custody wallet software, only legitimate users will have to bear these security risks.

Inconsistencies with the EU’s own policy framework

Aside from security, the proposal raises broader privacy concerns. The disclosure obligation would clash with the principles of the General Data Protection Regulation (GDPR), such as data minimization, which requires that the data collected be adequate, relevant and limited to what is necessary for the purpose of collection. Setting aside for a moment the argument that the data collection is of little use, given the missing link between self-custody control and identity, it is difficult to see, even by TradFi standards, how someone’s residential address, date of birth and identification number are relevant or necessary for making a transfer. While banks routinely store such data about their account holders, you as the account holder do not need to ask for (or know!) these details when sending money or paying for a service.

It’s also unclear how long custodial wallet providers would need to store the data; under the GDPR, personal data should be kept only for as long as necessary to fulfill the purpose of the collection. It is also unclear how individual users’ rights under the GDPR, such as the “right to be forgotten” and the “right to rectification”, can be respected if their personal data is linked to their on-chain history, which cannot be modified.


The lack of a risk-based assessment or a minimum threshold (as opposed to the €1,000 threshold for fiat transfers) is also not in line with EU policy principles. The proposal appears to treat all cryptocurrency transfers with suspicion simply because they involve crypto assets.

Now is the time to engage with policymakers

Faced with the prospect of developing costly compliance processes that are unlikely to be effective, and risking penalties for non-compliance and potential data breaches, EU-based custodial wallet providers may decide to restrict transfers to and from self-custody wallets entirely. They may also start providing services to EU users from outside the EU. This sends bad signals to the crypto industry and risks driving tech talent and capital away from the EU, similar to the recent exit of some UK crypto operators.


More users may also switch to peer-to-peer transactions and decentralized players to avoid the onerous rules. While this might be beneficial for some users, the EU should foster seamless interconnectivity between centralized and decentralized actors and promote users’ freedom to choose how they want to transact.

The proposal moved on to negotiations between the EU legislative bodies on April 28, with the final text expected to be ready by the end of June. If the rule is approved in its current form, there will still be a chance to review it within 12 months after it comes into effect. However, we cannot rely on this: now is the time for the European crypto industry to coordinate and engage with policymakers. Instead of forcing the rules of TradFi onto a developing technology, we must promote results-based policies that allow for the emergence of novel compliance solutions that respect the way cryptocurrencies work.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should do their own research when making a decision.

The views, thoughts, and opinions expressed here are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.