Thursday, May 09, 2019

FATF and EU need to fundamentally rethink their approach to virtual assets/currencies...

Virtual currencies are on the radar of regulators for quite some time. Yet it is clear that they still struggle with definitions (which always happens when new technologies arise). The FATF is a key example now that they are seeking to harmonise international guidelines for applying FATF-rules to the crypto-world.

In this post I will look at some of the issues at stake and explain why the FATF-exercise requires a lot more time and thinking before the FATF (or EU) move forward. Do note that this is a longread, more geared to specialists in the field, than the general public.

For the public it boils down to this. The US is pushing all countries in the world to a situation where with each virtual or crypto transaction, your information needs to be distributed (by definition) to other players in the value chain.

But as the crypto definitions in countries diverge (and the FATF-definition is ill defined, potentially covering everything in the world), the only sensible thing to do is to stick with the local definitions of crypto-assets and to demand transaction information to be stored locally at the point of transaction. Any law enforcer wishing access to that information should thus approach the relevant local authority for that information.

Apart from this legal argument, we must acknowledge the recent regime changes in the world. It is by no means clear that countries that used to obey the law and follow the rule of law, will do so in the future. Thus, foreign law enforcers may become tools in the hands of local undemocratic rulers.

That is an additional argument that requires the EU (but also the FATF itself) to avoid the situation that a local law enforcer in an undemocratic country can get EU data by harvesting its home companies data for the EU-info, without having an appropriate legal warrant under EU-rules.

And now for the longread part of it...

Definitions: always tough
Back in 2012, the ECB had a hard time grasping the concept of cryptocurrencies. They used the fact whether or not virtual currencies were regulated as their guiding principle:
A virtual currency can be defined as a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community.

The US regulator (FINCEN) chose the following approach in 2013:
In contrast to real currency, “virtual” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, virtual currency does not have legal tender status in any jurisdiction. This guidance addresses “convertible” virtual currency. This type of virtual currency either has an equivalent value in real currency, or acts as a substitute for real currency. 

FINCEN then applied the money transmitter laws in an extensive way to bring exchanges of virtual currencies into their supervisory remit.

Later on, the ECB changed its definition to:
For the purpose of this report, it is defined as a digital representation of value, not issued by a central bank, credit institution or e-money institution, which in some circumstances can be used as an alternative to money. 
The EU stance remained that cryptocurrencies did not conform with definitions of funds and such in the EU legislation, hence their exchange and use was not regulated as such. Of course the integrity and consumer risks were identified and warned for.

In the FATF-context (2015) we read:
Virtual currency is a digital representation of value that can be digitally traded and functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value, but does not have legal tender status (i.e., when tendered to a creditor, is a valid and legal offer of payment)6 in any jurisdiction. It is not issued nor guaranteed by any jurisdiction, and fulfills the above functions only by agreement within the community of users of the virtual currency. 

While these definitions may seem to work at first sight, we still need some creativity to determine the boundaries of these virtual currencies. Essentially it is possible to bring any loyalty point scheme under these definitions, as they do not use a subject based qualification to determine what exactly virtual currencies are.

At that point in time, where the focus was mostly on payments and such, using the experience we had with e-money definitions, I suggested a framework based on objects of the digital values at hand:


User cannot buy tokens at all (loyalty-type)
User earns tokens and can buy additional (hybrid of loyalty/payment)
User buys and sells tokens
(payment-type)
Tokens used in digital issuer-domain only

World of Warcraft
World of Warcraft
Lynden Dollar
Tokens used in digital or physical issuer-domain only
Starbucks
Nintendo Points
-Digital Payment loyalty schemes for single retailers

Tokens used at other entities than the issuer
Frequent Flyer Programmes
Frequent Flyer Programmes
Bitcoin,
e-money on mobile phone's


I think it would be fair to say that, while we pretend to have solved the application of crypto-legislation to the payment-type currencies, we actually haven't truly done so. There are still classification issues pending, but they may have appeared to be too irrelevant to matter,

Enter: ICO's and token frameworks
The next stage however was the widening of the blockchain concept, the application of crypto to generic tokens and the use of tokens as a form of share, security or other representation of objects, value, cash flows. This leads to a big confusion all around the world whether or not to view some tokens as security tokens, utility tokens and such. So, while our first definition already had flaws, we chose a new wording to cover this brave new world: crypto-assets or virtual assets.

As ESMA noted in their warning on ICO's at the time:
Where ICOs qualify as financial instruments, it is likely that firms involved in ICOs conduct regulated investment activities, in which case they need to comply with the relevant legislation.
So the essential discussion of application of financial law was left to local supervisors interpretations and definition of financial instruments.

The definition-side remained quite weak, with crypto-assets being loosely described as:
Crypto-assets are a type of private asset that depends primarily on cryptography and Distributed Ledger Technology (DLT). There are a wide variety of crypto-assets. Examples of crypto-assets range from so-called cryptocurrencies or virtual currencies, like Bitcoin, to so-called digital tokens issued through Initial Coin Offerings (ICOs). Some crypto-assets have attached profit or governance rights while others provide some consumption value. Still others are meant to be used as a means of exchange. Many have hybrid features. 

ESMA noted then that there were many variations and that it was not necessary to regulate all forms of crypto-assets. In 2019 they published an updated analysis with still a very weak definition of crypto-assets:
Crypto-assets are a type of private asset that depend primarily on cryptography and distributed ledger technology as part of their perceived or inherent value. A wide range of crypto-assets exist, including payment/exchange-type tokens (for example, the so-called virtual currencies (VCs)), investment-type tokens, and tokens applied to access a good or service (so-called ‘utility’ tokens).

In their report they distinguish between payment, investment and utility token, to immediately outline that this distinction does not cover everything. So the definition issue remains as well as the question: which type of digital token falls under which type of regulation. Hence the EU is in need of more EU clarity on the subject.

On the other side of the ocean, the SEC has further fleshed out how to interpret generic financial sector rules to digital asset issuance/use. In a long awaited guidance note the answer ends up being: it depends on the way you structure the functionality of the token/asset and the use between investors and issuer. So depending on those features, it may well be a regular financial instrument and facilitating trading may constitute a regulated business of operating an exchange.

The FATF-approach: hammering financial services law into hardly defined virtual assets
In essence, the idea of the FATF is now to make sure all crypto-related business is covered in a layer of regulation that at the least ensures proper KYC and AML/CTF rules. As such, this can be appreciated and understood as a recognition of the fact that cryptocurrencies and crypto-assets are here to stay. If we bring the sale of high-value items such as diamonds or gold watches under the FATF-KYC/AML remit, it makes sense to also do so for digital goods/assets/cryptocurrencies (whichever legal status they have).

We do have a problem however, which is that the definition used by FATF, since October 2018, is still shaky:
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. 

This definition is so wide, that the FATF needs to explain:
The FATF emphasises that virtual assets are distinct from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the money of a country that is designated as its legal tender.

The further definitions of virtual asset service provider clarify the intent of the FATF-definition: they wish to cover both former virtual currencies and the ICO area and use a very broad definition to describe virtual asset service providers. These are companies that for a business conduct:
i. exchange between virtual assets and fiat currencies; 
ii. exchange between one or more forms of virtual assets; 
iii. transfer of virtual assets; 
iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; 
v. participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset

These definitions are very shaky grounds to use. One particular troublesome issue is that the virtual asset definition has a negative part: it does not cover currencies, securities and other financial assets that are already covered elsewhere in the FATF-recommendations. It is a catch all phrase that brings all loyalty points in the world under the FATF-remit. Now, the FATF will of course outline that that was not their intent, but as soon as you devise a crypto-based loyalty scheme, who is going to decide?

And taking it one step further: if I convert my multilevel marketing scheme into digitally represented agreements on a blockchain, do these new tokens qualify as a contract (not covered) or as their value and virtual assets? And how does this interpretation play out in the US vs the EU legislative context?

I am certain there is a host of applications/use cases where we will find the FATF definitions being not suitable for use. How about CO2-emission rights. World of Warcraft-tools. Shared ownership of my house or my bycicle. I would urge the FATF to do some more thinking in that respect. The negative catch-all in a definition (it is a virtual asset when all other definitions in our recommendations fail) is just not good enough.

I can only commend the FATF on one point however. The positive thing about the definition is that it speaks of representation of value. This implies a monetary or self-invented value/currency. It does not state that it is about the representation of physical assets or objects (such as real estate). Or that value can also be understood to consist of anything in the real world, to which value can be attributed (ie. everything).

Applying FATF-money transmission rules to crypto-assets: technicalities!
Right now the FATF has closed its public consultation on applying the money transmission rules to crypto-assets. They are hammering a payments-network idea onto cryptocurrencies and crypto-assets alike to not just demand identification and transaction monitoring. The idea is to also apply the addition of originator and beneficiary into crypto-transactions:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information2 on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16

Where the approach worked in 2001 in a world where a payment was a payment, funds are funds and wire transfers are wire transfers how can it work in a world where fundamentally the core definition of virtual asset or crypto-asset is as vague as it is in EU and the US?

The whole exercises strikes me as a hasty effort, given that the authors have not noticed that also the interpretative note for Recommendation 16 should be changed to include virtual assets (exempting intra-VASP payments and e-commerce virtual currency payments from the scope). And it is clear that the US is driving the FATF to adopt the above change hastily - and without solid analysis - by June 2019.

To me, there is only one logical conclusion: in the decentralised world of virtual assets, with jurisdictions each applying different boundaries to crypto-stuff, there is no sufficiently harmonised basis to enforce the attachment of data to each transaction. Requiring service providers to hold the info and make it available by request is not a problem, but sending it out as we did with the former FATF7-rules is impossible due to the patchwork of diverging definitions.

In my response to the FATF-consultation I have outlined this problem:

In addition I would like to note that the divergent legal status of virtual assets (considering its wide definition) in different countries may have the consequence that under some local laws the transfer is not financial in nature and will not be covered under the financial legislation and AML/TF frameworks. It is possible that a sufficient legal basis is lacking in some jurisdictions to apply the crossborder wire transfer regime to such non-financial transactions and that data protection regulations take prevalence. This could be solved by applying the domestic wire transfer regime to transfers of virtual assets, regardless of their potential cross-border nature. The further application of this regime on the domestic level can then be geared to the specific legal qualifications for virtual assets in that specific jurisdiction.

My proposal is to follow the most efficiĆ«nt way. Strike out the part that says: submit the above information to beneficiary VASPs and counterparts (if any).  It is simply not proportional and economically sensible to demand as the FATF to include privacy-sensitive information in crypto-transactions. Officers can can have access by asking and demonstrating lawfulness of the request via international channels. But the day and age of using local tricks and harvesting local companies for EU-data should be over.

The area of digital assets, virtual assets is so ill-defined that the FATF cannot claim a full competency, as the legal basis in a number of jurisdictions will not be there. We should also keep in mind that the catch all definition - not elsewhere regulated under these FATF-rules - is still written under from the FATF role of being Financial Action Task Force, focusing on financial industry and financial services as the main objective. So if my home country defines certain digital goods as digital goods and not in scope of crypto legislation, that to me would be the end of the remit for the FATF (and it would remain out of scope of the catch-all clause as well).

So much for the technicalities.

Applying FATF-money transmission rules to crypto-assets: geopolitics
We should recognize that we are in a different moment in time than in 2001, when the FATF-7 rules were introduced. At that point in time the US was a beacon for democracy and rule of law. But it isn't any more.

It's role became fuzzy when it turned out that US law enforcers had used US based servers of EU companies (Swift) to get hold of EU-data. And this made the EU sensitive to the protection of its citizens against unwarranted overly ambitious law enforcing in other countries.

We should again be sensitive. The EU, but also the FATF, also have an obligation to protect their citizens from unduly harassment and intrusion by law enforcement authorities. And creating tons of data outside the consent-scope of the citizen does not sound like a good protection at all.

Right now, we can witness around the world, an increase in countries with all kinds of 'strong leaders' that violate human rights agreements, do not obey the rule of law, that are involved in money laundering schemes, do not listen to lawful requests of their constituents and ignore climate agreements.

I think the EU has a duty to not cooperate with implementation of so-called FATF-requirements when it is clear they are increasingly unable to protect the privacy and guarantuee the lawfulness of the data exchange. Requesting other states to go get the data (and ensure that it is proportional) is a better way forward.

In sum: improve definitions and reconsider the worldwide distribution of transaction data for virtual assets/currencies
While I think that FATF should fully reconsider its definitions and redo its homework, this virtual-asset momentum and this train that is being pushed by the US may be rolling too fast to stop it. So as a stop-gap one could propose to eliminat 7b or at least strike out the distribution line:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information2 on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16
The FATF-proposal is disproportional, technically unsound and uneconomic. We'd better store the citizens data locally and ensure distribution on piecemeal basis, based on solid legal grounds, only when there is a true virtual asset under local definitions.

To the EU I ask to protect my reasonable concerns as a private citizen and not implement the proposal that comes out, until it ensures that my data stay local where they are and are not distributed at large to possibly evil states, dubious countries and their law enforcers.

The latter holds particularly true when we can observe that the chair of the FATF, the US Treasury Secretary, is not living up to his national constitutional obligations to comply with the US law himself.


PS. I noted that the interpretative note to recommendation actually also holds an additional new definition, apart from the main text:
1. For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).



Tuesday, January 08, 2019

So what's up with the Google-licenses

Last weeks, we hear all kinds of stories on the Google-license, so let's have a closer look.

Google already has a license since 2007
Most people forget this, but the earliest register entry for Google dates back to 2007 for E-money, and was handed out to Google Payment Limited in London. I blogged about it then, and since then we could see a Google Wallet in the works, Google bucks. The register of the FCA/FSA still has the entry here, demonstrating that it was effective until 19/5/2011. The brand name in the register is for Google-checkout.

Passporting
Then from 19/5/2011 onwards there is the next register entry (with the register later being handed over to FCA by 31st of March 2013). The register entry is still for e-money with passports to other countries. These passports date from 18-5-2011 as our Dutch e-money register shows and the firm is also licensed to perform payments under the PSD1 definition. Offering additional PSD2 services is not part of this license.

As for trading names the FCA entry shows Google Wallet is used from 4-1-2013 to 23-1-2018 and since 20-2-2018 it has the brand names: Google Pay and Google Pay balance in the register as well. So the sum entry of all brand names in the UK register is:

  • Google Pay,
  • Google Pay balance,
  • Google Checkout,
  • Google Payment Limited,
  • Google Wallet

Brexit coming: seek refuge
Now, with the Brexit coming up, there is of course the question how to manage future uncertainty. Many players have been trying to solve the puzzle and my assumption is that the recent moves towards Lithuania and Ireland are Brexit-related. Lithuania is quickly becoming a hot spot for e-money licenses and taking over the dominant role of London in this respect. The license there will allow Google to continue operating in the e-money and payments domain and also offer Payment Initiation and Payment account services.  This makes Google Brexit-proof and PSD2-proof.

Also, we should note that Lithuania does a nice job in offering a digital form of license as well. Have a look at it over here.

When checking the Dutch register, I noted that there is no passport for the Lithuanian entry, but still the UK one. I expect however that the new passporting will become effective in a couple of months, so Google can continue its operations in the EU, now under the Lithuanian passport rather then the UK passport.

As for Ireland, the license is limited to issuing payment instruments and accepting payment transactions, which would point to the fact that Ireland may be the corporate base that also has a role in shaping the future payments infrastructure for Google. It also suits the concept of PSD2 that one has to get the license in the country where it is also used.

Conclusion
Google is since many years in the payments domain and treading carefully, applying different concepts and such. They made themselves Brexit and PSD2-proof by moving to Lithuania (where they are still wating for the passport procedures to finalise) and created additional future business flexibility by applying for payments issuing/transaction acquiring in Ireland.