Saturday, May 29, 2021

Crypto-episode as a part of the Dutch financial history timeline

Over the past two years a historic sequence of events unfolded in the Netherlands with respect to the introduction of a crypto registration regime for providers of crypto wallet and crypto exchange services. It is a very interesting episode historically as it bears resemblance to a number of previous/similar episodes where the Dutch central bank hits the brakes and stifles innovation.

What is happening is that the Dutch central bank (DNB) is pushing very strict rules onto newcomers in the payments/crypto market, without having a proper mandate to do so. There is an age-old example of halting the introduction of the credit card, as well as a 20-year-old intervention with DNB stopping mobile innovators with e-money that I will not flesh out right now.

What I will do is describe how over the past couple of years new payment institutions were forced into getting a licence instead of a registration as prescribed under the upgraded PSD2 (EU) directive. This is the relevant backdrop against which it is easier to understand why the crypto-industry faced a similar treatment in 2020. 

There was one difference however: this time, one company came prepared and successfully pushed DNB back (disclosure: I am consulting that company on regulatory/compliance issues).

PSD2-service: access to the account (8) requires a license in NL rather than registration

The brief version of the events that played out in the Netherlands for payment service institutions is the following. The European Commission added 2 new company activities to the list of activities that require further regulation. Service number 7 involved initiating payment transactions on behalf of the customer at another company: this required a full-on registration. Companies offering only access to the account of customers at other banks or payments companies were subject to a less elaborate registration regime, as outlined in article 33 of the PSD2.

However in the Netherlands, despite a policy existing not to top up Brussels rules, the Ministry of Finance and DNB have a tendency to ignore that policy. So the companies that only required a registration for providing access to the account under the PSD2 were made subject to a licensing regime. The consequence was not just an increase in burdens but also illogical duties being applied to those players, for example the duty to do transaction monitoring themselves (while they did not initiate or execute any transaction).

In an effort to be the first on the market many companies in the Netherlands tried to convince DNB that the license regime and subsequent market entry rules were illegitimate, but no one dared to take DNB to court. So as we say in the Netherlands, quite some companies had to swallow a melon and make serious extra costs. Still, the episode did quite some harm as to the legitimacy of the DNB supervisor as many legal counsels agreed DNB was evidently overstepping its legal mandate. 

The PSD2 registration process for payment institutions in the Netherlands is therefore to be taken into account in the evaluation of what happened to the crypto-industry. As it may have signalled to DNB itself that it could easily ignore European rules with no one in the market complaining, it signalled to the legal/regulatory market that rationally it could not be assumed that DNB would by definition operate within its legal mandate.

Crypto-services: require a registration in the EU but turned into de facto license regime in NL

By end of 2017 and mid 2018, the Dutch Ministry of Finance and DNB were in agreement that a fast transposition of the AMLD5-directive would be needed to bring crypto-companies under the remit of the appropriate supervisory regime. The EU directive and its previous impact assessment was very clear; a license regime would lead to too much credibility/legitimacy of the cryptocompanies, so only a registration regime was to be implemented, with possible license regimes following in a next stage of EU regulation (known as MICA-r). 


However, on advice of DNB, the Dutch Ministry of Finance started transposing the directive and consulted a licensing regime with the market in December 2018. As the actual rules of the license still bore resemblance to the registration regime mentioned in the Directive, the industry's comments focused on unworkable technicalities and explanations by the Ministry. The formal legal advice of the Council of State however, was quite explicit and it advised against the introduction of the law as long as a supervisory license mechanism and supervisory rules would be part of it. It stated that the transposition of this EU Directive is not the place for such rules.

In response the Dutch Ministry of Finance changed the law and made a new version. In this new version, the label of the license regime was changed to registration, but the essence became more of a supervisory regime. As a new set of rules the Ministry included further inspections and checks of business plan, organisation, risk management etc originating from the Act on Supervision of the Financial Sector. The actual legal construct includes a detailed evaluation of the company, a revocation of registration when a company is no longer compliant with the rules and a prohibition to operate on the market without a registration. This is a supervisory regime in disguise, which is beyond the necessities of the AMLD5 and goes against the advice of the Council of State.

For further details on the development of the law you can read this article, then see an update of January 2020 because something interesting happened. By mid-December the government websites by accident displayed this letter of the central bank that fully confirmed its intentions to push for a license regime and license access conditions for crypto companies. FTM, the investigative journalists, published a full article on it by end 2019 that details the wording games used by regulator and supervisor to hide a license regime behind the wording: 'registration'. An English version of events can be found in this article.

The article raised quite some concerns in the Senate where the Ministry of Finance very explicitly and repeatedly explained: no no, it's not a license regime, but a registration regime. There is a huge difference between the two, a registration is being done while a license is being granted. So with this assurance the market hoped that supervisor DNB would change its course. The market assumed that the supervisor would take note of parliamentary discussions and guidance/explanation of the regulator.

DNB applied de facto license regime/application process leading to court case / market pushback

In practice De Nederlandsche Bank did not alter its previous course or any of its intentions and applied the full-on registration procedure for payment institutions to crypto companies. It forgot about its obligation to register companies in 2 months, forced the application of risk frameworks that were used in the trust office market and came up with a self-invented interpretation of the Sanctions law that was beyond the rules. This latter requirement meant that crypto companies, in order to be registered, had to fulfil an ex-ante requirement of asking screenshots/videos of customers' software wallets for each transaction to be made.

Grudgingly the market complied with the illegitimate requirement, with one crypto company, Bitonic, taking the measure to court. The interesting fact was that they filed a complaint against a positive decision granting the registration, with the request to the judge to kick out the illegitimate registration requirement on those screenshots.


Now to cut a long story short: the court case attracted an online audience of many thousands and led to the judge ordering DNB to redo its homework. Finding out that it was impossible to explain how a square could have the form of a circle, DNB had to withdraw its requirement but only did so for this single company (although this was half a year ago, the market is still waiting for clarification on whether the requirement will also be lifted for them).

What actually happened in the Netherlands is that DNB was already anticipating stringent FATF rules that suggest that product introduction or licensing moments are the moment in time to exert pressure onto crypto-companies to make them do what supervisors want. In this case, the FATF rules are not yet adopted in Europe, so the central bank figured it could use an age-old Sanctions law to the same effect.

The market however had already witnessed DNB overstepping its boundaries, turning EU registrations into Dutch licenses with undue requirements so Bitonic as one of the players came prepared and called DNB's bluff. And next up will be a discussion on supervisory costs for crypto-companies where the whole market will do so again. 

Historic pattern

The historic pattern at play here is the interplay between regulators and market, fuelled by media incidents and publications. When in the 1970s credit cards appeared in the EU market and markets were mainly national, it only took national consensus between market players and central banks to keep one of the players (Visa) out of the market. 

Later on, when EU rules dictated that all cards had to be allowed and fair competition would need to be in place, the central bank mainly stuck to its legal remit. For some time in the 1990s the central bank also assisted in analysing the market and promoting innovation, opening up the closed EFTPOS structure in the Netherlands in the process. Still, when instructed by European powers that be, it succumbed to the request to exempt European mobile operators from the application of e-money rules in 2002/2003, to the detriment of small innovators in the market.

Other than that, the legality regimes were most prominent as the basis for DNB's action (or inaction). Supervision was done so prudently that during crises the central bank didn't act convincingly and fast enough. Under media and political pressure, the course of the central bank became more politically inspired. It had to be seen as interventionist and proactive and whether or not this was fully based on legal rules was a consideration that moved to the background.

Even the European Banking Authority noticed this and very politely didn't mention the offenders FINMA and DNB by name, while this remark was directed at them:

164. The EBA has since observed that, in the absence of an EU‐wide approach, there are indications that Member States, in anticipation of a forthcoming FATF Mutual Evaluation or to attract VASP business, have adopted their own VASP AML/CFT and wider regulatory regimes. As these regimes are not consistent, this creates confusion for consumers and market participants, undermines the level playing field and may lead to regulatory arbitrage. This exposes the EU’s financial sector to ML/TF risk.

If history is any guide however, it may require more than one lawsuit to make DNB change course, so keep a close watch on the Netherlands because it appears as if, as in the Muppet lab, the future of tomorrow's crypto regulation is being made here today.

Tuesday, January 05, 2021

Response by Simon Lelieveldt to FINCEN consultation on crypto, travel rules and such

This blogpost/longread (below) contains the content of reflections, as sent to the FINCEN as a response to the consultation on the travel rule for crypto (Docket No. FINCEN-2020-0020; RIN No. 1506-AB47). It is written from the Dutch and European perspective and what makes it relevant for the US is that the Dutch supervisor has already imposed an even harsher rule (verification of beneficiary wallet holder for self-operated wallets regardless of amounts involved) as an undue (and legally disputed) market entrance rule.

The blog is written from a personal perspective, based on my market and regulatory experience with 25 plus years of banking, e-money, crypto and e-payments. In essence I recommend the FINCEN to steer away from behaviour that qualifies as a human rights treaties violation and not force the private sector to disobey the human rights obligations that they independently have under those treaties. Regulators should align legal requirements into a coherent framework and not place the burden of incompatible requirements at the doorstep of the private sector. 

Of particular interest in this respect is the recent announcement of the European Data Protection Board (of late December 2020) which outlines their commitment to step up their game and ensure that no AML/KYC measure infringes on human rights principles of privacy and the presumption of innocence:

The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union.

The brief version of my comments / summary is provided here, which is then followed by the detailed submission to the FINCEN, with hyperlinks replacing the footnotes of the original document.

======

Agency: Financial Crimes Enforcement Network (FINCEN)
Document Type: Rulemaking
Title: Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets
Document ID: FINCEN-2020-0020-0001

Comment:
Please find my contribution attached. Some highlights.

1. What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide by the relevant UN/EU Charters on human rights.

2. Why the FINCEN proposal is not justified: it continues the abuse of deliberate post 9/11 legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.

3. Do also note that the European Data Protection Board has issued a clear statement outlining the limits of surveillance by states and under administrative law. In this respect do also take note of the dissertation by C. Kaiser of 2018, outlining that the EU KYC rules may be annulled if challenged in European courts. From an analytical perspective this would also hold true for the US rules and their compatibility with the UN charter on human rights.

4. Practically speaking: the FINCEN is being sloppy with data. Data breaches of FINCEN have a huge impact which is not catered for in terms of risk analysis and side effects. These side effects, when quantified, outweigh the benefits to a huge extent and less intrusive solutions will be available. But history shows that you are not seeking less intrusive powers but seek to increase your information position out of an organisational drive to remain in the game and grow bigger.

5. Finally, don't kid yourselves as to the relevance of picking up these bread crumbs on the table. You are punishing the citizens of the world, while leaving all big money launderers unchallenged. Most relevant example is that you have been unable to really do your job properly. How come that a well known money launderer was even able to become president of the US? I think you may want to reflect on your own organisation and functioning first.

I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others.

Uploaded File(s):

  • FINCEN-response-Lelieveldt-2020-01-04.pdf
  • FINCENFiles-thread-Annex 1.pdf
  • Annex-2-Lelieveldt submission FINCEN.pdf

=====


Policy Division
Financial Crimes Enforcement Network
PO Box 39 Vienna, VA 22183
United States of America


Dear Secretary Mnuchin,                         January 4, 2021


I would like to share some reflections on Docket Number FINCEN-2020-0020, RIN number 1506-AB47, and the proposed changes outlined in FinCEN, Notice of Proposed Rulemaking, “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.”

Although you limit the timeline of submission to 2 weeks, I am pleased to be able to still contribute to the debate, as the situation in the Netherlands is even worse. Without advance notice, the Dutch financial supervisor, DNB, has used its powers as a supervisor of a simple EU registration regime for crypto players to force upon the industry an even more intrusive obligation for all crypto-players in the Netherlands to verify beneficiaries of cryptowallets, regardless of the amount. The requirements imposed during the registration process will be challenged in court and you may wish to monitor those developments.

What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide by the relevant UN/EU Charters on human rights.

So who is writing this? 

Now let me introduce myself further. I am writing in my professional/personal capacity and driven by a personal motivation that is reflected in the seal/logo and motto in the right upper corner: the NOW is the PAST is the PRESENT is the FUTURE. The motto is imprinted, using an old coin press, upon a wooden coin, made out of a 130-year-old tree that stood on the Amsterdam exchange square. The tree, an Elm, witnessed time passing by and the development of society and financial markets. It symbolises the value I attach to cherishing history, learning lessons and using those learnings for today's developments. I hope you may appreciate my reflections from this perspective and rest assured, I’ll get to the actualities of FATF and European privacy discussions in due time.

Professionally, I started out my career as an industrial engineer in the financial sector by documenting and publishing a study on electronic payments (EFTPOS) regulation in 1989. In my research I revealed that the US Intelligence agencies had been pushing DES to become an international standard. At the time I did not have the ability however to put this finding into a broader perspective. However, more recently it became clear from the Crypto AG case that it was part of a long-standing practice in which the US was actively pushing backdoors in technology, to ensure continued surveillance of all citizens and governments of the world. I think it is fair to say this is indeed the ‘Intelligence coup of the century’.

Since then I embarked on a professional career starting out at ING/Postbank, moving on to become a policy analyst at the central bank, charged with developing supervisory frameworks for electronic money in the 1990s. By the time that I contributed to European legislation and supervision for electronic money issuers, your organisation, FINCEN, seemed to have made a strategic decision to position itself as the go-to supervisor for all kinds of modern payments and e-money. Although I think such a move may be analytically unsound and undesirable, I also view this as a natural reality of institutional power politics. It is up to citizens, politicians, courts and private sector organisations to push back and hence my reflections in this letter.

Next up in my career, I worked extensively in the payments policy department of the Dutch bankers association. As such I was quite involved in the international rulemaking for banks and actually wrote the Dutch implementation guideline for the FATF7-rule (the origin of the travel rule). I was also a close witness to the SWIFT privacy incident and subsequent discussions on the EU privacy shield. Later on I moved towards a role as head of the department on financial markets and bank supervision of the Dutch Bankers Association.

What struck me in those days was the very anecdotal evidence and political framing arguments in discussions on money laundering and prevention of terrorist financing. It seems that 15 years later the situation hasn’t changed and I would suggest the FINCEN to disclose and evaluate more precisely whether its role has been effective and whether this proposed rule actually adds any value when doing a broad analysis of costs/benefits. I’ll get to that issue later.

Since 2011 I have been active as an independent regulatory consultant and interim compliance manager for both government agencies and private sector entities. In this work, which mostly covers payment institutions, e-money and crypto, I try to reconcile justified regulatory requirements with business constraints/demands. And yes, the important wording is: justified.

Let me try and explain why the FINCEN proposal is not justified: it continues the abuse of legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.

Sidestep: what use are consultations if you don’t want to listen? 

The Dutch scientist Dr. M. Wesseling has written an extensive and worthwhile dissertation on the international and European fight against terrorist financing and money laundering. The dissertation outlines that the US intelligence agencies have smartly used the momentum of the 9/11 attacks to get something they wanted: spying possibilities via the front door of financial transactions, bypassing formal legal and penal law safeguards, by pushing bank regulation and administrative rules. So what happened before 9/11?

A third important discourse concerned civil liberties. In 1999, the US Treasury proposed strengthened Know Your Customer (KYC) regulations. These proposals faced stiff opposition in the US Congress for anti-regulatory reasons, but the main issue at stake was concerns over privacy (Eckert, 2008, p. 213, Napoleoni, 2004, p. 219). The US Treasury received more than 200,000 negative responses to its proposal from all political backgrounds objecting to the proposed requirements for banks to obtain extensive private information (Donohue, 2006, p. 359). The KYC proposal was also criticized for being a potential source of mistrust and resentment of government, particularly among immigrants and minority groups, as well as an undesirable form of generalized spying and reporting on citizens (Cato Institute, 1999).

What FINCEN has seen in these 2 weeks of consultation will analytically not be very different from the responses that the US Treasury received more than 20 years ago. I would suggest that you include a review of those responses into your work, as they will undoubtedly be just as relevant.

Wesseling outlines how the 9/11 attacks changed the regulatory picture completely with civil liberties and human rights being:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism. 

Although the 9/11 Commission would estimate in 2004 that the total costs of the attacks was between $400,000 and 500,000 and concluded that the costs of the attacks were relatively low compared to the amounts of daily financial transactions worldwide (2004, pp. 186-189), a radically different conclusion was drawn in the immediate aftermath of the 9/11 attacks. 

Starving terrorists of their money had become a key objective within global governance. Likewise, financial regulation, such as Know Your Customer requirements, had been strengthened with little opposition from politicians, civil society or the financial and banking sector. Their current scope exceeds by far any previous initiative, making the contentious proposals of the 1990s look soft. Civil liberties, it was now widely accepted, had to be traded in if they constituted an opportunity for terrorists to ‘hide’. 

What I am saying here is that since 9/11 your organization is in a group think tunnel which has the effect of a religion or a cult. There is a dangerous liaison between intelligence agencies, tax authorities and financial supervisors which impose all kinds of intrusive rules under the FATF-umbrella as so-called: recommendations. Instead of revisiting the post 9/11 approach as a regulatory overshoot, the groupthink has remained intact as it comes in handy.

Or to put it differently. The US have since 2001 moved the angle of their intelligence attack from hardware based intelligence and surveillance to the informational front door that lies in financial transaction data. And this move is so useful and successful that US authorities are now even able to pull it off in broad daylight. Generations of bank personnel have become used to KYC/AML procedures that infringe on human rights. Now, from this perspective, it is clear that there is no way FINCEN will actually read or take on board any of the remarks in this consultation. As an institution the FINCEN has by now also brainwashed itself into believing its approach is valid and legitimate. 

The big design flaw is that instead of penal law, the whole construct of administrative law and bank supervision law is misused to ensure unbridled and unchecked data flow of innocent citizens to authorities all around the world. So it is fair to say that the FINCEN has successfully contributed to maintaining a climate in which a legal design flaw is used in combination with a cultural ideology to hypnotise/brainwash financial professionals in acting in violation of clear human rights such as privacy and the right to be viewed as innocent until proven guilty.

Please see also Annex 1 to this letter (threadreader page - twitter feed) for a further explanation of the idiocy of still using administrative law when fine penal law structures exist and can be enforced to catch money launderers and terrorists on a spearfishing pull-request basis without the extensive data broadcasting and datamining requirements stemming from the pre-platform pre-big data age 2001. Then again, you could also read the 1999 consultation responses. All answers are in the public domain already. The real question is: FINCEN, are you listening. Really?

FINCEN violates human rights as a business model and should not force companies to join them 

Under UN Resolution 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportional and no sufficient safeguards are in place.

In this respect I can recommend the dissertation by Dr. Carolin Kaiser from 2018, outlining that, under today's case law and interpretations, the current EU regulation of KYC/AML may well be annulled by the EU Court of Justice. I am pretty confident that by analogy the same will hold true for US KYC/AML legislation when read against the UN Charter of Human Rights. But let us focus on the EU situation more closely.

Last month the European Data Protection Board issued an important statement outlining the importance they attach to protecting the human right to privacy in particular given the intrusive money laundering procedures that have arisen all over the world.

The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union. 

The EDPB therefore calls on the European Commission to be associated to the drafting process of any new anti-money laundering legislation in its early stages, with a view to provide legal advice on some key points from a data protection perspective, without prejudice to the consultation by the European Commission in line with Article 42 of Regulation 2018/1725 at a later stage. 

The EDPB is also ready to contribute to discussions within the Council of the EU and the European Parliament during the legislative process. Going forward, the EDPB stands ready to be involved and consulted in a timely manner by any European or international regulatory bodies or standard-setters, such as the Financial Action Task Force, currently chaired by an EU Member state, before issuance of the revision of their recommendations.

Coming back to the details of your proposed regulation. Human rights treaties require that intrusive surveillance requires serious crime under human rights charters. It can hardly be argued that just the sheer use of unhosted wallets for higher amounts is a demonstration of this serious crime. The suspicion should come from formal police officers doing their job, not from private sector players which are obliged to snitch upon their customers and broadcast their data into all kinds of databases without reasonable suspicion being present.

Next up, you are also overlooking the fact that businesses are by themselves obliged to honour the human rights under the "Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework", which were developed by the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises. The Human Rights Council endorsed the Guiding Principles in its resolution 17/4 of 16 June 2011.

It should not be up to companies to reconcile conflicting legislative objectives. It is up to regulators to steer clear from conflicts of law and not impose undue human rights violations onto companies.

FATF: continuation of the ill-footed surveillance model

FINCEN is engaged in a regulatory experiment that has been agreed upon by the FATF in the summer of 2019 or 2020. Confronted with the new blockchain / virtual asset technology, the choice has been made to push the travel rule into the blockchain world. The US has used its leadership position of the FATF to push this agenda item through. Which essentially sums up 20 years of anti-money laundering policies worldwide. 

In Annex 2 I have listed the blogpost with which I tried to warn the FATF/public in spring 2019 on the fact that pushing through a travel rule for crypto is just as useless as it was for banks back in the days. There is no sufficient quantitative evidence that any of those rules has really benefited finding criminals and preventing terrorist attacks (see the dissertation of M. Wesseling). It is a cost burden to all professionals in the financial sector and the resources spent could be better allocated directly to police forces or Ministries of Justice instead, as this warrants better protection of suspect individuals.

The recent evaluation of the FATF virtual asset travel rule clearly outlines the 2-step approach that is being taken. First force the travel rule upon registered/licensed players, then as phase 2 force them to verify the beneficiary of wallet transactions. This is a requirement which even goes beyond the R15 and R16 regulations for banks!!

If I read the FATF document correctly the FATF-members have agreed to not follow a similar policy line but to use the year 2020/2021 as an experimentation year. The 12-month review of the revised FATF Standards on virtual assets and virtual asset service providers is clear that there is no real risk present:

53. However, jurisdictions did not consider that there was sufficient evidence to warrant changing the revised FATF Standards at this point at time. There was insufficient evidence demonstrating that the number and value of anonymous peer-to-peer transactions has changed enough since June 2019 to present a materially different ML/TF risk. Further research could be undertaken with the VASP sector, academics and software experts and engineers to better understand the scope of the unregulated peer-to-peer sector.

Yet, the document also gives a path to further experimentation per jurisdiction. If government authorities put the risk levels on high, they may start to experiment with additional regulations:

54. The launch of new virtual assets however could materially change the ML/TF risks, particularly if there is mass-adoption of a virtual asset that enables anonymous peer-to-peer transactions. There are a range of tools that are available at a national level to mitigate, to some extent, the risks posed by anonymous peer-to-peer transactions if national authorities consider the ML/TF risk to be unacceptably high. This includes banning or denying licensing of platforms if they allow unhosted wallet transfers, introducing transactional or volume limits on peer-to-peer transactions or mandating that transactions occur with the use of a VASP or financial institutions. As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools. Accordingly, there should be further work undertaken on the extent to which anonymous peer-to-peer transactions via unhosted wallets is occurring, the approach jurisdictions can take to mitigate the ML/TF risks, the extent to which the revised Standards enable jurisdictions to mitigate these risks and to continue to improve international co-operation and coordination.

Right now we have seen the FINMA issuing regulations beyond the informational travel rule, coming down to verifying the beneficiary of transactions. And the Dutch Central bank has also made this requirement a (disputed) prerequisite in their registration process for crypto companies. I view the FINCEN rules as a part of the same process.

What FINCEN is thus doing as a regulator/contributor to FATF discussion is something which could be called agile regulation. Where usually companies may seek to roll out products in not yet definitive form, I would qualify the current worldwide regulatory approach on crypto assets and the travel rule as an agile form of experimentation, at the cost of the private sector.

Government agencies do not only have a duty to not write or impose conflicting requirements upon their constituents but also to ensure their actions are coordinated. But as the FATF intermediary paper says: "As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools."

What you are proposing as FINCEN (and will be rolling out, as I fail to see any true intention of finding an optimal regulatory solution) is an uncoordinated regulatory measure which will lead to increased cost in a number of different jurisdictions for an industry that is worldwide by nature.

The side effect of the approach is that FINCEN and other regulators are making sure that only larger, well-capitalised companies in the crypto space can survive (as they are faced with different costs in different jurisdictions). Both by nature and their effect, the proposed rule impedes innovation and leads to undesirable market structures.

FINCEN operational risk and failures 

Now let’s turn to the track record of FINCEN itself. I will be blunt in a Dutch way here. You fail to keep your records safe. For this rule it means that basically we can envisage that at some point in time hackers will be in possession of the names/addresses of owners of bitcoin addresses. This is an impact beyond the Ledger hack (which was already scary). It is the equivalent of throwing all people's bank account statements in the streets. Which cannot be undone and I don’t see any appreciation of the operational/privacy risks that you create in this way.

The FINCEN-files leak shows that you will be unable to keep this data safe. It also shows that FINCEN is unable to do its job properly. You are going after the crumbs on the table and leave the big money laundering industries and players untouched. Case in point: at present the US still has a President that may better be labelled the money launderer in chief. No FINCEN authority, no AML/KYC rules have been able to prevent this from happening.

US from inspiration to dystopian example?

Each moment in life encompasses all its previous moments as well as its future moments. That is the meaning of NOW is the PAST is the PRESENT is the FUTURE. 

The FINCEN proposal is clearly born out of a tradition of illegitimate government action, spurred by overactive intelligence desires of the US. It is the second biggest intelligence coup in progress which may deter a whole innovative open source blockchain technology from maturing into beneficial society solutions. Because with these rules you are making virtual assets, distributed ledgers and digital tokens into data drones, to be automatically sent to government. 

I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired in others.

Ir. S.L. Lelieveldt, CCP