Thursday, October 12, 2023

Long story short: Dutch judge finds DNB (Dutch AML-supervisor for crypto) did overstep its mandate in registration verifications and invalidates parts of AML law

Over the past five years, we have seen a debate unfold in the Netherlands where the Dutch central bank forced the Ministry of Finance to adopt rules that go beyond the AMLD5 directive. And finally, the judge brings clarity: regulators and supervisor overstepped their mandate. 

Registration or licensing of crypto players here in Netherlands?

Where the AMLD5 directive says: you must register crypto companies with a check on management capability and UBO reputation, the Dutch central bank went way beyond that. It wrote a letter to the Ministry of Finance that it wanted a license regime and kept on asking for all components of a license regime. And they got it in the end with the Ministry of Finance denying to press and parliament that they upgraded the law. This was well beyond the advice of the Council of State, which outlined the impossibility of doing this, well in advance.

I wrote a range of articles about that (this one), was the driving force in the law suit on the improper verification requirements asked to be allowed to register and helped out prepare the next law suit on illegal acts of the supervisor, meaning that all the cost borne for those illegal acts cannot be charged to companies. 

One and a half years ago I penned the experience down in this blog when I started out a sabbatical. For me, there is no use in doing compliance work if supervisors don't stick to the law themselves. So I wanted to reflect on that and meanwhile the law suit against DNB was being prepared and unfolded.

Now finally after 5 years of banging the drum on the topic, the Rotterdam Court fully agreed and acknowledged that the Dutch supervisor, DNB, has acted illegally by imposing and requiring more information than necessary for the prescribed registration regime under AMLD5. It effectively turned it into a licensing regime and that was not the idea/intention. 

Court judgment: Dutch law declared invalid where it turns registration into licensing regime

Their verdict translated (h/t Chat GPT) tells it loud and clear. All parts of the Wwft and lower level rules that are in conflict with the registration regime as defined in AMLD5 are declared invalid as being in violation of higher EU-law.  

3.6 While the processing of registration requests in this manner by DNB involves a task assigned to it by or under the Wwft, and the resulting activities, there is no basis for this in the AMLD5. As noted by the Advisory Division of the Council of State in its advice of June 3, 2019 (no. W06.19.0080/III and TK, 2018-2019, 35245, no. 4) on the Implementation Law amending the fourth anti-money laundering directive, the directive does not allow the prescribed registration obligation to be structured as an (additional) licensing obligation, where a prior assessment takes place to determine whether an institution can comply with its Wwft obligations. However, the legally prescribed method of processing registration requests has given the registration obligation that form. For example, in the case of a registration request under Article 3, paragraph 1, subparagraph n, of the Implementation Regulation, data must be provided on the organization of business operations with regard to the integrity and controlled business conduct referred to in Article 23j of the Wwft, which provision aims to ensure that a provider of services related to virtual currency organizes its business operations in such a way that it can comply with the requirements set by the Wwft (EK, 2019-2020, 35245, C, p. 8). The explanation on the registration form used by DNB indicates that DNB wishes to obtain detailed data from the submitter of a registration request, indicating a thorough prior assessment of whether this provider can meet its Wwft obligations.

3.7. The conclusion is that Article 23d, paragraph 1, of the Wwft and Article 23c, paragraph 1, of the Wwft, read in conjunction with Article 1a of the Implementation Decree and Article 3 of the Implementation Regulation, to the extent that these articles go beyond obtaining and assessing the data needed to register a provider under Article 23f of the Wwft in the public register of providers and to test the suitability and reliability of the policymaker(s) and ultimate beneficial owner(s) of the provider, are invalid due to conflict with the scope of the registration obligation laid down in Article 47 of the AMLD5.

3.8. This invalidity means that the way in which DNB assesses registration requests cannot be partially seen as falling under a task assigned to it by or under the Wwft and the resulting activities."

What's next?

1. DNB will have to refund the invoices for supervision over 2021 as a result of the fact that a large part of the cost pertained to activities without legal mandate which cannot be recovered. So the Ministry of Finance will have to pay this as it doesn't make sense to charge any private entity for the legal wrongdoings and supervisors overstepping their mandate.

2. DNB will have to revise the registration regime and make it a true registration regime. They can no longer apply the 10-step approach (copy paste licensing) and extensive list of questions and must remain with a small list. Effectively the main focus of registrations will have to be on evaluating quality of management and reputation of UBO. Registrations must be done in 2 months instead of the current 6-12 months evaluation period.

3. If DNB wants to add specific demands and requests it will have to send out specific requests immediately after registration and should do so on the basis of a prior risk assessment as to nature of company and business positioning/management (they will have sufficient information on that as a result of the management evaluation procedure in the registration).

4. DNB needs to ask an independent accountant to separate the forbidden registration costs which included checking wallet verification requirements, doing extensive study of documentation from the practical application process prescribed under AMLD5. This will mean that 75% of the costs of crypto supervision in 2021, 2022 and 2023 will have to be dropped. 

5. DNB will most likely also appeal against the verdict although ideally they would make excuses for having gone beyond their mandate both as a supervisor and in their role as 'advisor' of the Ministry of Finance. This excuse can be made without cost given that it is DNB's vision that even when they make a fault they are not legally liable for it. This is also in Dutch law (a good from post financial crisis).

A 'told you so' with mixed feelings

Well. I told you so. For 5 years I've been telling regulators and DNB that their policy decision to do more than the EU directive was at odds with our institutional frameworks. But hey, who listens to crypto players: those casinos, those money launderers. It was fairly easy for the central bank and ministry of Finance to frame their way out of the debate. They also misrepresented the facts.

Appeals to higher ethics and the institutional boundaries did not work. Not formally, not informally. And I've really pushed every button I could find. Because you don't want to end up resolving things in court. And if you do, you want to prove that you tried your best to prevent coming there. Which means the stuff had to go to court. The powers that be thought they were right and they could ignore the EU rules and the advice/knowledge of State of Council of incompatibility of their plans with those rules.

Usually that works, by the way. Because companies and industry organisation usually aren't that well documented and don't come prepared. But this time was different. DNB and Ministry of Finance had just pulled an identical trick in the payment sector, so this was a second time around for the legal and compliance industry involved. And that made a difference. The supporting legal industry did not fall for the easy crypto-money laundering frame. The legal industry recognised the DNB-overstepping-mandate reality.

Still this is all mixed feelings. Why don't we just respect EU rules, whether in government or in companies. That would have made our life a fair bit more pleasant. Why did we have to go at length to do this battle? Do we really need to go on and start a third law suit now (when DNB doesn't come round to acknowledging their errors of judgment)?

So yes, this is a told you so moment. But I mostly hope this legal verdict is where things will change so that there is no need to write about a third told you so moment in the future.

Monday, August 14, 2023

Annulment procedure for the EU version of the FATF Travel rule: Q&A


Ok, so you may have been reading a complex thread on social media about the European travel rule for crypto companies and the impact it has on fundamental rights to privacy and freedom to provide services. And you may be wondering. What is it? What's happening. How can I contribute? 

Well, it's a long story with quite some history (see this blog here, here and here) but I will try to summarize the situation as of mid August 2023. Blog may be adapted over time by the way.

What is this annulment procedure all about?
Simply put, the European legislator decided upon promulgating a regulation that obliges future virtual asset providers to broadcast personal data for all transactions along in the international value chain for reasons of preventing money laundering and terrorist finance. 

This is in spite of abundant repetitive case verdicts of the Court of Justice that annuls Directives and amends legislation which violates the proportionality principles and forgets the test of strict necessity of such measures (see also a detailed analysis in the dissertation of Carolin Kaiser, outlining incompatibility of AML-rules with Court of Justice rulings and EU Treaty rules on human rights). 

Where can I find the disputed requirement(s) in the EU regulation?
You will find it in the articles 14-23 of the regulation which outline a bunch of information to be added to crypto-asset transfers (or being sent along via separate communication channel). Senders should add the information, receivers should check whether it is there and notify/remind the sender when it is incomplete. All in all it is an elaborate set of instructions for all crypto asset players.

What personal data is involved?

Well, first of all, the fact that you as a customer (or receiver) own virtual assets (a fact that, see the ledger hack, has proven to be very private and sensitive information). It regards the following information about the sender/originator: 

(a) the name of the originator;

(b) the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;

(c) the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;

(d) the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth; and

(e) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.

And it also covers data of the person/entity that you are sending information to:

(a)  the name of the beneficiary, 

(b) the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;

(c) the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology; and

(d) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the beneficiary.

Why is the requirement challenged as disproportional?
Article 24 of the same regulation says that, when police show their badge, all relevant information of suspected customers must be handed over without delay. So law enforcement and governments can get all the info when they want it, as long as they demonstrate authority. This will mean due process is guaranteed and only individual customer data is handed over when an actual suspicion or involvement for money laundering and terrorist finance is at stake.  
Article 24
Provision of information
Payment service providers and crypto-asset service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established or have their registered office, as applicable, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation.
So this begs the question. If local and European police/law enforcement can get all the information they need at their fingertips for all cases related to money laundering and terrorist finance, why would we broadcast full transaction details to all the players in the value chain around the world? 
The practical, and constitutional question under the EU treaties on fundamental rights is: is it truly strictly necessary, proportional and in line with the risk based nature of anti money laundering regulation to send out and broadcast/disseminate all data for all transactions/originators/beneficiaries of all crypto asset transfers (of which the high majority have nothing to do with money laundering or terrorist finance) to all other virtual asset players in the world, including those in non-EU territories? 
What are the timelines for the annulment action?
As the regulation was published on June 9, 2023, there is until August 23, 2023 to file an annulment action under the rules of procedure of the EU. This is a request to the General Court to strike out a regulation or parts of a regulation which are deemed unconstitutional and where claimants have a direct interest to have the regulation being annulled.
Who will be filing the annulment action?
Right now the process of finding funders is well underway. There is a clear perspective on funding but the other challenge is to find the proper claimants and legal angle for this action. At present, Simon Lelieveldt is coordinating and executing the efforts to create the right setting for this annulment action. 
The main idea, at present, is to use the information, experiences and court case findings of the Dutch crypto community to align the claimants with a direct interest. These will be primarily virtual asset providers, their industry organisation and possibly individual clients who find their privacy violated/breached. 
The legal/compliance experts doing the action will be myself and the litigation law firm with whom we  have previously been successful in litigating against the abuse of premature non risk based prescription of FATF-recommendations as a part of the registration process for crypto providers. 
What would motivate claimants, what are the interests at stake?
As a basic principle it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that are inherently present in the current rulesets on anti money laundering and fundamental rights of privacy and freedom of services delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of fines for transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands (see case law) and cost a lot of money. 
What are the chances of success?
While to the outsider it is evident that virtual asset providers and their industry organisation as well as NGOs such as Privacy First have a legitimate concern, the technical details of EU court proceedings may be more complex. So there are some hurdles and the challenge is to present the case with the proper angles/arguments as well.
In practice, the range of legal arguments is a bit wider than outlined above and it should be possible to find the right legal angle. The current first phase of the action is however still to validate the approach, risks and chances of success. If these appear too slim, the action may not start. 
How can I contribute?
No crypto funding is possible. This will trigger a range of detailed questions and such as well as possible blocking of my bank account under the current policies of my bank. Unfortunately my bank is doing this but that is another regulatory topic (and perhaps a later case in court). 
So, should you wish to support the annulment action you can donate only in fiat, using the following details: S. Lelieveldt at KNAB Bank, international bank account number: NL86 KNAB 0615 8954 92 (BIC: KNABNLH2, Amsterdam, the  Netherlands). International payments need to be done via intermediary bank ABN AMRO (BIC:  ABNANL2A, Amsterdam, the Netherlands). 
Legal disclaimer: please understand that this is not a service agreement of some form but a donation allowing me to direct my energy/time or the resources towards achieving this goal in any way I see fit. This could be setting up a foundation, contributing to other relevant regulatory consultations or helping out other initiatives with achieving the same objective.

=====================
Further Q&A's and background.

So are the articles 14-23 in the regulation proportional ?
Previously the European Data Protection Board already advised strongly to limit anti money laundering regulations to stuff that is strictly necessary. See their letter of April 2021:
Pursuant to Article 52 of the Charter, any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. This means that legislative measures that limit the right to privacy and data protection have to be specific in order to correspond to objectives of general interest pursued and should not constitute disproportionate and unreasonable interference undermining the substance of those rights.
Now. Let's do our own research.
If a well targeted article 24 for a limited set of citizens involved with money laundering and terrorist finance is in place, don't the articles 14-23, that apply to all citizens, all transactions regardless of their involvement in money laundering and terrorist finance appear to be somewhat excessive ? 
Implementing the systems and changing them is very costly to implement. It does not add any informational value but rather significantly increases the risk of data breaches for parties to the transactions. It is a disproportionate nice-to-have requirement for government which violates the main principles of data minimization. 
As such individual virtual asset providers may be fined by data protection authorities, sued by their customers or beneficiaries for infringing their fundamental rights or for damages due to data breaches. All these risks do not exist when only article 24 is in place as the formal legal nature/context of the policy request creates further safeguards.

Hey, is that also third party privacy issue popping up?

Yes indeed. This regulation is not only an infringement to customers of VASPs, but to all receivers of virtual asset transfers from the European Union. Those recipients will be unable to know where and which data on them has been submitted, stored and retained by the sending VASP as they have no legal relation with that entity. Yet the sending VASP processes their personal information and distributes it regardless of the existence of any provable relation to money laundering or terrorist finance. 

The consequence of this construct is similar as that for the Second Payment Services Directive and the European Data Protection Board has in 2020 stipulated in its guideline that for these uninvolved third party data, called  'silent party' data, controllers need to take serious precautions. 

In this respect, the controller (AISP or PISP) has to establish the necessary safeguards for the processing in order to protect the rights of data subjects. This includes technical measures to ensure that silent party data are not processed for a purpose other than the purpose for which the personal data were originally collected by PISPs and AISPs. If feasible, also encryption or other techniques should be applied to achieve an appropriate level of security and data minimisation.

Also the EDPB outlines that no other processing of data is allowed outside the scope of the regulation: 

With regard to further processing of silent party data on the basis of legitimate interest, the EDPB is of the opinion that these data cannot be used for a purpose other than that for which the personal data have been collected, other on the basis of EU or Member State law. 

How about the international data transfer and privacy issues?

Yes, good point. The regulation is a one size fits all for crypto-transfers, whereas for fiat-transactions differences are made between in EU and EU/non-EU countries. This leads to the question how non EU countries deal with data that EU companies are forced to distribute all over the world.

In the immediate post 9/11 political discussion in Europe it became clear that European citizens and politicians were being cheated upon by the US government (that was harvesting EU data immediately after the 9/11 attack). A range of measures, discussions etc followed after the illegal snooping of the US on EU customer data was found out. This is also described by Mara Wesseling. In today's terms we can see a repeat of the topic during the Max Schrems discussions on Facebook data, which also has a serious bearing on financial transactions and financial transaction information exchange.

In essence, those discussions on legitimacy and data protection for international data transfer have not really been resolved. And the current EU regulation does not change it, as it obliges companies to distribute data to entities without proper assurance that the receiving companies/countries protect the data of customers sufficiently. Which means that all VASPs that fully follow this regulation can be held liable by data protection supervisors or citizens that face damages from data breaches and insufficient data protection measures of those VASPs. 

So why still this requirement, does it work in practice?

Well, all law enforcers/governments in essence just land grab each tool in the toolbox to claim it is useful. And for this regulation they say: 'this is an obligation for banks too, so crypto must follow'. However, the bank regulation is in operation for almost 2 decades now and no formal evaluations of the effectivity and usefulness have been done. 

The fact that other players have the same obligation does not mean it is therefore suddenly proportional. Rather, it is disproportional to the other players as well, but those are unwilling to challenge the rule as over the years they are being fined into submission.

Where does this idea/requirement come from?

Way back from 1995 onwards, the world was less digital and we had little big data floating all around the world. Intelligence and law enforcement community were however keen to introduce far reaching KYC and data transfer requirements. The first efforts in the US were unsuccessful but the 9/11 attacks completely changed the momentum, as documented by Mara Wesseling in her dissertation:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism (p.90-91).

The story for financial institutions after 9/11/2001 was simple. A whole bunch of intrusive regulations were forced upon them with the following explanation: "If we need to get to a terrorist, we need to be aware of their transactions fast and early and the current structure of paperwork and international law enforcement is too complex and timely. So rather than file proper paperwork based on due diligence we request financial institutions to broadcast the data all over the world so any local police officer can investigate the two legs of a financial transaction by requesting access to the transaction data at the local end."

Politically banks couldn't resist cooperating for fear of being branded cooperative with terrorists. And mind you, the terrorist approach was in essence an upgrade of previous efforts to get banks on board to do KYC to prevent money laundering. But that political frame got a bit outdated so the 9/11 attacks were a welcome present to the law enforcement/intelligence community as a momentum to change the scenery in a fundamental way.

What is the risk of this regulation?

In essence, the broadcasting requirement as it was implemented after 9/11 in banking, was a shortcut for local law enforcement (or other national security offices) that would provide easy access to EU data in the US for example. And make no mistake: local governments weren't waiting for the law to be in place, they just got what they wanted and started downloading swift transactions within 2 weeks of the 9/11 attack. This became known only five years later, Wesseling explains:

The main risk involved in this data harvesting/broadcasting regulation is that it is used for other purposes in a way that is not specifically and officially set out in law. The application of the rule would then lead to data processing of citizens data without legal title. And it is exactly this challenge that one Dutch VASP, Bitonic, faced in 2020. Either violate the AVG or AML-laws. 

Bitonic succeeded in challenging supervisors' requirements related to this rule and then deleted all customer data that were unduly harvested/collected. But in order to remain in business and keep their license to operate they were first of all forced by financial supervisors to consciously violate the AVG. But close readers of the regulation will now understand what is meant with the article 23. Supervisors will use this regulation to force payment service providers and crypto-asset service providers to restrict transfers of assets that are not to the liking of the supervisor and that are beyond the scope of the regulation itself.

23. Payment service providers and crypto-asset service providers shall have in place internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets under this Regulation.

Wasn't the constitutionality of this rule checked in the impact assessment of the EU?
Brief answer: Hardly. The political dynamics are: we copied the idea from the bank regulation and it's an obligation of the FATF and we're going to implement it. And then there is a page or three with a bunch of lip service to Data Protection Framework and privacy. Yes, we should limit to what is necessary and we will consult the European Data Protection Supervisor and perhaps also the European Data Protection Board. 

Have a look yourself. The impact assessment for this regulation lists the implementation of the requirement as one of several measures and does not evaluate possible alternate operational methods or proportionality. It does not contain the strictly necessary test for the requirements. It simply says: the Financial Action Task Force tells us to do it, and we expand the existing regulation towards crypto. Hence, the existing illegitimacy and disproportionality of banking rules on this topic are copied onto the crypto world. 
What would motivate claimants coming from the Dutch sector?
As a basic principle it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that are inherently present in the current rulesets on anti money laundering and fundamental rights of privacy and freedom of services delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands and the assumption that a financial supervisor will operate within the boundaries and limitations of case verdicts of the Court of Justice on privacy is theoretic. 
See the blog here: when registering for their registration as virtual asset service providers, the Dutch central bank forced providers to violate the GDPR by imposing an unconstitutional and unlawful requirement, based on the FATF-requirements. This has resulted in very considerable additional cost to the business and violations of the privacy of customers. Virtual asset providers were facing the choice to either violate the GDPR or the AML-rules, with a solution only coming via the intervention of a judge. This turned out to be very costly and - in hindsight - unnecessary. 

Rather than waiting for these constitutional accidents to happen again during the licensing process for Mica-r, the market players may wish to address them in advance to ensure legal clarity and compatibility with fundamental rights. 

Wednesday, August 09, 2023

Annulment procedure for the EU version of the FATF Travel rule

Ok, so you may have been reading a complex thread on social media about the European travel rule for crypto companies and the impact it has on fundamental rights to privacy and freedom to provide services. And you may be wondering. What is it? What's happening. How can I contribute? 

Well, it's a long story with quite some history (see this blog here, here and here) but I will try to summarize the situation as of mid August 2023. Blog may be adapted over time by the way.

What is this annulment procedure all about?
Simply put, the European legislator decided upon promulgating a regulation that obliges future virtual asset providers to broadcast personal data for all transactions along in the international value chain for reasons of preventing money laundering and terrorist finance (while simultaneously requiring it to be handed over without undue delay if a policy officer asks for it).

This broadcasting requirement is in spite of abundant repetitive case verdicts of the Court of Justice that annuls Directives and amends legislation which violates the proportionality principles and forgets the test of strict necessity of such measures (see also a detailed analysis in the dissertation of Carolin Kaiser, outlining incompatibility of AML-rules with Court of Justice rulings and EU Treaty rules on human rights).

Where can I find the disputed requirement(s) in the EU regulation?
You will find it in articles 14-23 of the regulation, which outline a bunch of information to be added to crypto-asset transfers (or to be sent along via a separate communication channel). Senders should add the information, receivers should check whether it is there and notify/remind the sender when it is incomplete. All in all it is an elaborate set of instructions for all crypto asset players.

What personal data is involved?

Well, first of all, the fact that you as a customer (or receiver) own virtual assets (a fact that, see the ledger hack, has proven to be very private and sensitive information). It regards the following information about the sender/originator: 

(a) the name of the originator;

(b) the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;

(c) the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;

(d) the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth; and

(e) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.

And it also covers data of the person/entity that you are sending information to:

(a) the name of the beneficiary;

(b) the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;

(c) the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology; and

(d) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the beneficiary.

Why is the requirement challenged as disproportional?
Article 24 of the same regulation says that, when police show their badge, all relevant information of suspected customers must be handed over without delay. So law enforcement and governments can get all the info when they want it, as long as they demonstrate authority. This means due process is guaranteed and individual customer data is only handed over when an actual suspicion of, or involvement in, money laundering and terrorist finance is at stake.
Article 24
Provision of information
Payment service providers and crypto-asset service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established or have their registered office, as applicable, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation.
So this begs the question. If local and European police/law enforcement can get all the information they need at their fingertips for all cases related to money laundering and terrorist finance, why would we broadcast full transaction details to all the players in the value chain around the world? 
The practical and constitutional question under the EU treaties on fundamental rights is: is it truly strictly necessary, proportional and in line with the risk-based nature of anti money laundering regulation to send out and broadcast/disseminate all data for all transactions/originators/beneficiaries of all crypto asset transfers (of which the vast majority have nothing to do with money laundering or terrorist finance) to all other virtual asset players in the world, including those in non-EU territories?
What are the timelines for the annulment action?
As the regulation was published on June 9, 2023, there is until August 23, 2023 to file an annulment action under the rules of procedure of the EU. This is a request to the General Court to strike out a regulation or parts of a regulation which are deemed unconstitutional and where claimants have a direct interest in having the regulation annulled.
Who will be filing the annulment action?
Right now the process of finding funders is well underway. There is a clear perspective on funding but the other challenge is to find the proper claimants and legal angle for this action. At present, Simon Lelieveldt is coordinating and executing the efforts to create the right setting for this annulment action.
The main idea, at present, is to use the information, experiences and court case findings of the Dutch crypto community to align the claimants with a direct interest. These will be primarily virtual asset providers, their industry association and possibly individual clients who find their privacy breached.
The legal/compliance experts doing the action will be myself and the litigation law firm with whom we have previously been successful in litigating against the abuse of premature non-risk-based prescription of FATF-recommendations as a part of the registration process for crypto providers.
What would motivate claimants, what are the interests at stake?
As a basic principle it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that are inherently present in the current rulesets on anti money laundering and fundamental rights of privacy and freedom of services delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of fines for transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands (see case law) and cost a lot of money. 
What are the chances of success?
While to the outsider it is evident that virtual asset providers and their industry association as well as NGOs such as Privacy First have a legitimate concern, the technical details of EU court proceedings may be more complex. So there are some hurdles and the challenge is to present the case with the proper angles/arguments as well.
In practice, the range of legal arguments is a bit wider than outlined above and it should be possible to find the right legal angle. The current first phase of the action is however still to validate the approach, risks and chances of success. If these appear too slim, the action may not start.
How can I contribute?
No crypto funding is possible. This would trigger a range of detailed questions and the like, as well as possible blocking of my bank account under the current policies of my bank. Unfortunately my bank is doing this but that is another regulatory topic (and perhaps a later case in court).
So, should you wish to support the annulment action you can fund only in fiat, using the following details: S. Lelieveldt at KNAB Bank, international bank account number: NL86 KNAB 0615 8954 92 (BIC: KNABNLH2, Amsterdam, the Netherlands). International payments need to be done via intermediary bank ABN AMRO (BIC: ABNANL2A, Amsterdam, the Netherlands).
Legal clarification: please understand that this is not a service agreement of some form but a donation allowing me to direct my energy/time or the resources towards achieving this goal in any way I see fit. This could be setting up a foundation, contributing to other relevant regulatory consultations or helping out other initiatives with achieving the same objective.

=====================
Further Q&As and background.

So are the articles 14-23 in the regulation proportional?
Previously the European Data Protection Board already strongly advised limiting anti money laundering regulations to what is strictly necessary. See their letter of April 2021:
Pursuant to Article 52 of the Charter, any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. This means that legislative measures that limit the right to privacy and data protection have to be specific in order to correspond to objectives of general interest pursued and should not constitute disproportionate and unreasonable interference undermining the substance of those rights.
Now. Let's do our own research.
If a well-targeted article 24 for a limited set of citizens involved with money laundering and terrorist finance is in place, don't the articles 14-23, which apply to all citizens and all transactions regardless of their involvement in money laundering and terrorist finance, appear to be somewhat excessive?
Implementing and changing the systems is very costly. It does not add any informational value but rather significantly increases the risk of data breaches for parties to the transactions. It is a disproportionate nice-to-have requirement for government which violates the main principles of data minimisation.
As such individual virtual asset providers may be fined by data protection authorities, sued by their customers or beneficiaries for infringing their fundamental rights or for damages due to data breaches. All these risks do not exist when only article 24 is in place as the formal legal nature/context of the police request creates further safeguards.

Hey, is there also a third-party privacy issue popping up?

Yes indeed. This regulation infringes not only on the rights of customers of VASPs, but on those of all receivers of virtual asset transfers from the European Union. Those recipients will be unable to know where and which data on them has been submitted, stored and retained by the sending VASP as they have no legal relation with that entity. Yet the sending VASP processes their personal information and distributes it regardless of the existence of any provable relation to money laundering or terrorist finance.

The consequence of this construct is similar to that for the Second Payment Services Directive, and the European Data Protection Board stipulated in its 2020 guideline that for these uninvolved third party data, called 'silent party' data, controllers need to take serious precautions.

In this respect, the controller (AISP or PISP) has to establish the necessary safeguards for the processing in order to protect the rights of data subjects. This includes technical measures to ensure that silent party data are not processed for a purpose other than the purpose for which the personal data were originally collected by PISPs and AISPs. If feasible, also encryption or other techniques should be applied to achieve an appropriate level of security and data minimisation.

Also the EDPB outlines that no other processing of data is allowed outside the scope of the regulation: 

With regard to further processing of silent party data on the basis of legitimate interest, the EDPB is of the opinion that these data cannot be used for a purpose other than that for which the personal data have been collected, other than on the basis of EU or Member State law.

How about the international data transfer and privacy issues?

Yes, good point. The regulation is a one-size-fits-all for crypto-transfers, whereas for fiat-transactions a distinction is made between in-EU and EU/non-EU countries. This leads to the question of how non-EU countries deal with data that EU companies are forced to distribute all over the world.

In the immediate post 9/11 political discussion in Europe it became clear that European citizens and politicians were being cheated by the US government (that was harvesting EU data immediately after the 9/11 attack). A range of measures, discussions etc. followed after the illegal snooping of the US on EU customer data was found out. This is also described by Mara Wesseling. In today's terms we can see a repeat of the topic during the Max Schrems discussions on Facebook data, which also has a serious bearing on financial transactions and financial transaction information exchange.

In essence, those discussions on legitimacy and data protection for international data transfer have not really been resolved. And the current EU regulation does not change it, as it obliges companies to distribute data to entities without proper assurance that the receiving companies/countries protect the data of customers sufficiently. Which means that all VASPs that fully follow this regulation can be held liable by data protection supervisors or citizens that face damages from data breaches and insufficient data protection measures of those VASPs. 

So why still this requirement, does it work in practice?

Well, all law enforcers/governments in essence just land grab each tool in the toolbox to claim it is useful. And for this regulation they say: 'this is an obligation for banks too, so crypto must follow'. However, the bank regulation has been in operation for almost 2 decades now and no formal evaluations of its effectiveness and usefulness have been done.

The fact that other players have the same obligation does not mean it is therefore suddenly proportional. Rather, it is disproportional to the other players as well, but those are unwilling to challenge the rule as over the years they are being fined into submission.

Where does this idea/requirement come from?

Way back from 1995 onwards, the world was less digital and we had little big data floating all around the world. The intelligence and law enforcement communities were however keen to introduce far-reaching KYC and data transfer requirements. The first efforts in the US were unsuccessful but the 9/11 attacks completely changed the momentum, as documented by Mara Wesseling in her dissertation:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism (p.90-91).

The story for financial institutions after 9/11/2001 was simple. A whole bunch of intrusive regulations were forced upon them with the following explanation: "If we need to get to a terrorist, we need to be aware of their transactions fast and early and the current structure of paperwork and international law enforcement is too complex and time-consuming. So rather than file proper paperwork based on due diligence we request financial institutions to broadcast the data all over the world so any local police officer can investigate the two legs of a financial transaction by requesting access to the transaction data at the local end."

Politically banks couldn't resist cooperating for fear of being branded cooperative with terrorists. And mind you, the terrorist approach was in essence an upgrade of previous efforts to get banks on board to do KYC to prevent money laundering. But that political frame got a bit outdated so the 9/11 attacks were a welcome present to the law enforcement/intelligence community as a momentum to change the scenery in a fundamental way.

What is the risk of this regulation?

In essence, the broadcasting requirement as it was implemented after 9/11 in banking was a shortcut for local law enforcement (or other national security offices) that would provide easy access to EU data in the US, for example. And make no mistake: local governments weren't waiting for the law to be in place, they just got what they wanted and started downloading SWIFT transactions within 2 weeks of the 9/11 attack. This became known only five years later, Wesseling explains:

The main risk involved in this data harvesting/broadcasting regulation is that it is used for other purposes in a way that is not specifically and officially set out in law. The application of the rule would then lead to processing of citizens' data without legal title. And it is exactly this challenge that one Dutch VASP, Bitonic, faced in 2020. Either violate the AVG or AML-laws.

Bitonic succeeded in challenging the supervisor's requirements related to this rule and then deleted all customer data that were unduly harvested/collected. But in order to remain in business and keep their license to operate they were first of all forced by financial supervisors to consciously violate the AVG. But close readers of the regulation will now understand what is meant by the article 23. Supervisors will use this regulation to force payment service providers and crypto-asset service providers to restrict transfers of assets that are not to the liking of the supervisor and that are beyond the scope of the regulation itself.

23. Payment service providers and crypto-asset service providers shall have in place internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets under this Regulation.

Wasn't the constitutionality of this rule checked in the impact assessment of the EU?
Brief answer: Hardly. The political dynamics are: we copied the idea from the bank regulation and it's an obligation of the FATF and we're going to implement it. And then there is a page or three with a bunch of lip service to the Data Protection Framework and privacy. Yes, we should limit to what is necessary and we will consult the European Data Protection Supervisor and perhaps also the European Data Protection Board.

Have a look yourself. The impact assessment for this regulation lists the implementation of the requirement as one of several measures and does not evaluate possible alternate operational methods or proportionality. It does not contain the strictly necessary test for the requirements. It simply says: the Financial Action Task Force tells us to do it, and we expand the existing regulation towards crypto. Hence, the existing illegitimacy and disproportionality of banking rules on this topic are copied onto the crypto world. 
What would motivate claimants coming from the Dutch sector?
As a basic principle it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that are inherently present in the current rulesets on anti money laundering and fundamental rights of privacy and freedom of services delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands and the assumption that a financial supervisor will operate within the boundaries and limitations of case verdicts of the Court of Justice on privacy is theoretical.
See the blog here: when they applied for registration as virtual asset service providers, the Dutch central bank forced providers to violate the GDPR by imposing an unconstitutional and unlawful requirement, based on the FATF-requirements. This has resulted in very considerable additional cost to the business and violations of the privacy of customers. Virtual asset providers were facing the choice to either violate the GDPR or the AML-rules, with a solution only coming via the intervention of a judge. This turned out to be very costly and - in hindsight - unnecessary.
Rather than waiting for these constitutional accidents to happen again during the licensing process for Mica-r, the market players may wish to address them in advance to ensure legal clarity and compatibility with fundamental rights.


Wednesday, June 22, 2022

Open Letter to European regulators on the migration path to a future EU crypto-market with licensed and trustworthy companies

In this blog post, I will share the letter below, which I just sent off to an EU Commission Official from FISMA. I hope the letter speaks for itself as I don't have the time to elaborate/explain. Do note that I did redact the letter slightly by the way, to make the blog post more readable.

=== 

It has been a while since we had contact on the infringement of the Dutch government with respect to the AMLD5. I would like to notify you that, based on the evaluation  after two years as well as the outcome of a number of legislative procedures and consultations, it seems to me that the infringement complaint might deserve some new attention.

New infringement complaint due to recent legal developments

In particular the human rights/privacy infringement that the current AMLD might already constitute may not have been sufficiently paid attention to, which I view as an omission, given that we know the EU Court of Justice position with respect to the Data Retention Directive (2014) and most recently, with respect to the PNR Directive (verdict of this week).

In addition the European Data Protection Board has made its concerns on the legitimacy and proportionality of the AML regulations very clear. Also, the Dutch Council of State issued an advice on proposed Dutch legislation, which in essence lays out a no to mass surveillance and transaction monitoring in the financial sector.

Considering the legal clarity that has now arisen, I may re-iterate my previous infringement complaint on the Dutch implementation of the AMLD5. I hope that the recent verdict of the EU Court of Justice as well as the additional documentation and information on the Dutch situation will provide a new evidence base which allows the Commission to assess the complaint with an open mind and considering the new evidence provided after two years of the law having entered into force here in the Netherlands.

New local evidence on lack of enforcement in Netherlands
As new evidence I would like to point out that formal statements by the Dutch Ministry of Finance clarify that large international players that should comply with the AMLD5 are not sufficiently being held to the law by the Dutch Central Bank, despite the sector vehemently requesting the central bank to do so (as of November 2020) in its role of a supervisor. As such DNB is bound to ensure a level playing field and fair competition in the EU, but the failure to supervise/enforce the law distorts the market terribly.

What we can thus now see here in the Netherlands is that large international players are willingly ducking the national legislation with the Dutch central bank being unable to enforce the law and only issuing a mere warning (which in itself does not constitute enforcement action under the supervision law). It is pretty clear that some large nonEU players are biding their time until the MICAR and AMLR arrive and hope to use the EU passport regime while taking the explicit risk to be fined for past wrongdoings and actively deciding to steer clear from registration (using all their means/efforts/lawyers to stall the discussion).

Strategic objective of the EU: don't give away the crypto-market to big tech as you did with the payments market
What the European Commission may be facilitating unwillingly constitutes the giving away of the EU crypto market to international non-EU players, that can be seen to be successful in their strategy (see the registration of Binance in France, while under investigation and enforcement action in the Netherlands, UK and a host of other countries). We have seen millions in consumer fraud shift among non-regulated players in the Netherlands while these companies use opaque structures to service the Dutch market and channel funds to their systems. Recent articles in the Dutch Financieele Dagblad reiterate the lack of enforcement and the damage this does to the existing industry.

Just as the EU regulator gave away the PSD2 market to big tech companies by allowing them to misuse their monopoly position on the 3rd authentication factor (biometrics) and platform dominance to force in the Google/Apple pay type of revenue skimming new payments, the EU regulator may also unintentionally invite non EU crypto players to take over the EU market, if the current infringements of governments (that allow their supervisors to let illegal/unlawful actors to play a waiting game for EU legislation instead of enforcing those players with a strict regime) are not addressed properly.

It is time for the EU Commission to show its true colours and understand the geopolitical relevance of having a strong EU bloc of cryptocompanies rather than an invited and facilitated monopoly of non-EU big platform players. Even if you decide to lay my fourth infringement complaint aside, please take note of the strategic damage that you might be doing if you accept that companies that did not honour EU laws when they were based on AMLD5, deserve preferential treatment by taking their applications for license in a first come first serve order.

A need for clear rules / incentive structure upon the shift to licensing regimes for crypto
The EU Commission should be a proponent of a migration regime for new AML and MICA-r regulations where EU companies and non-EU companies that have fully implemented all EU regulations of the EU states since AMLD5 get a preferred fast track treatment for their applications. Those that have not done so should not be able to gain any commercial or legal advantage based on the standard financial supervisor reasoning: let's start with the crypto companies first. Such a procedure would constitute a perverse incentive structure where disobeying EU law pays off.

Instead, those big international crypto companies that have in one or more EU states not complied with the current rules can be clearly considered of insufficient reputation/standing due to this fact. They should pay off their open non-compliance debt by both paying the fines applicable to ducking the rules so far and by being the last in line to receive a license under the new rules. In particular for legislation that seeks to avoid the risks of money laundering / illicit profit making, I fail to see why major actors in the market might be condoned by EU authorities or supervisors for previous, visible transgressions of EU-based local legislation.

I hope the Commission appreciates my point of view and its relevance for a future thriving crypto-market with properly regulated companies of good standing and willingness to comply with EU rules.

with kind regards
Simon Lelieveldt

Saturday, May 29, 2021

Crypto-episode as a part of the Dutch financial history timeline

Over the past two years a historic sequence of events unfolded in the Netherlands with respect to the introduction of a crypto registration regime for providers of crypto wallet and crypto exchange services. It is a very interesting episode historically as it bears resemblance to a number of previous/similar episodes where the Dutch central bank hits the brakes and stifles innovation.

What is happening is that the Dutch central bank (DNB) is pushing very strict rules onto newcomers in the payments/crypto market, without having a proper mandate to do so. There is an age-old example of halting the introduction of the credit-card, as well as a 20-years old intervention with DNB stopping mobile innovators with e-money that I will not flesh out right now. 

What I will do is describe how over the past couple of years new payment institutions were forced into getting a licence instead of a registration as prescribed under the upgraded PSD2 (EU) directive. This is the relevant backdrop against which it is easier to understand why the crypto-industry faced a similar treatment in 2020. 

There was one difference however: this time, one company came prepared and successfully pushed DNB back (disclosure: I am consulting that company on regulatory/compliance issues).

PSD2-service: access to the account (8) requires a license in NL rather than registration

The brief version of the events that played out in the Netherlands for payment service institutions is the following. The European Commission added 2 new company activities to the list of activities that require further regulation. Service number 7 involved initiating payment transactions on behalf of the customer at another company: this required a full-on registration. Companies offering only access to the account of customers at other banks or payments companies were subject to a less elaborate registration regime, as outlined in article 33 of the PSD2.

However in the Netherlands, despite a policy existing to not do topping up of Brussels rules, the Ministry of Finance and DNB have a tendency to ignore that policy. So the companies that only required a registration for providing access to the account under the PSD2 were made subject to a licensing regime. The consequence was not just an increase in burdens but also illogical duties being applied to those players, for example the duty to do transaction monitoring themselves (while they did not initiate or execute any transaction).

In an effort to be the first on the market many companies in the Netherlands tried to convince DNB that the license regime and subsequent market entry rules were illegitimate, but no one dared to take DNB to court. So as we say in the Netherlands, quite some companies had to swallow a melon and make serious extra costs. Still, the episode did quite some harm as to the legitimacy of the DNB supervisor as many legal counsels agreed DNB was evidently overstepping its legal mandate. 

The PSD2 registration process for payment institutions in the Netherlands is therefore to be taken into account in the evaluation of what happened to the crypto-industry. As it may have signalled to DNB itself that it could easily ignore European rules with no one in the market complaining, it signalled to the legal/regulatory market that rationally it could not be assumed that DNB would by definition operate within its legal mandate.

Crypto-services: require a registration in the EU but turned into de facto license regime in NL

By end of 2017 and mid 2018, the Dutch Ministry of Finance and DNB were in agreement that a fast transposition of the AMLD5-directive would be needed to bring crypto-companies under the remit of the appropriate supervisory regime. The EU directive and its previous impact assessment was very clear; a license regime would lead to too much credibility/legitimacy of the cryptocompanies, so only a registration regime was to be implemented, with possible license regimes following in a next stage of EU regulation (known as MICA-r). 


However, on advice of DNB, the Dutch Ministry of Finance started transposing the directive and consulted a licensing regime with the market in December 2018. As the actual rules of the license still bore resemblance to the registration regime mentioned in the Directive, the industry's comments focused on unworkable technicalities and explanations by the Ministry. The formal legal advice of the Council of State however, was quite explicit and it advised against the introduction of the law as long as a supervisory license mechanism and supervisory rules would be part of it. It stated that the transposition of this EU Directive is not the place for such rules.

In response the Dutch Ministry of Finance changed the law and made a new version. In this new version, the label of the license regime was changed to registration, but the essence became more of a supervisory regime. As a new set of rules the Ministry included further inspections and checks of business plan, organisation, risk management etc originating from the Act on Supervision of the Financial Sector. The actual legal construct includes a detailed evaluation of the company, a revocation of registration when a company is no longer compliant with the rules and a prohibition to operate on the market without a registration. This is a supervisory regime in disguise, which is beyond the necessities of the AMLD5 and goes against the advice of the Council of State.

For further details on the development of the law you can read this article, then see an update of January 2020 because something interesting happened. By mid-December the government websites by accident displayed this letter of the central bank that fully confirmed its intentions to push for a license regime and license access conditions for crypto companies. FTM, the investigative journalists, published a full article on it by end 2019 that details the wording games used by regulator and supervisor to hide a license regime behind the wording 'registration'. An English version of events can be found in this article.

The article raised quite some concerns in the Senate where the Ministry of Finance very explicitly and repeatedly explained: no no, it's not a license regime, but a registration regime. There is a huge difference between the two, a registration is being done while a license is being granted. So with this assurance the market hoped that supervisor DNB would change its course. The market assumed that the supervisor would take note of parliamentary discussions and guidance/explanation of the regulator.

DNB applied de facto license regime/application process leading to court case / market pushback

In practice De Nederlandsche Bank did not alter its previous course or any of its intentions and applied the full-on registration procedure for payment institutions to crypto companies. It forgot about its obligation to register companies in 2 months, forced the application of risk frameworks that were used in the trust office market and came up with a self-invented interpretation of the Sanctions law that was beyond the rules. This latter requirement meant that crypto companies, in order to be registered, had to fulfil an ex-ante requirement of asking for screenshots/videos of customers' software wallets for each transaction to be made.

Grudgingly the market complied with the illegitimate requirement, with one crypto company, Bitonic, taking the measure to court. The interesting fact was that they filed a complaint against a positive decision of granting the registration, with the request to the judge to kick out the illegitimate registration requirement on those screenshots.

Now to cut a long story short: the court case attracted an online viewing of many thousands and led to the judge ordering DNB to redo its homework. Finding out that it was impossible to explain how a square could have the form of a circle, DNB had to withdraw its requirement but only did so for this single company (although that was half a year ago, the market is still waiting on clarification whether the requirement will also be lifted for them).

What actually happened in the Netherlands is that DNB was already anticipating stringent FATF rules that suggest that product introduction or licensing moments are the moment in time to exert pressure onto crypto companies to make them do what supervisors want. In this case, the FATF rules are not yet adopted in Europe, so the central bank figured it could use an age-old Sanctions law to the same effect.

The market, however, had already witnessed DNB overstepping its boundaries, turning EU registrations into Dutch licenses with undue requirements, so Bitonic, as one of the players, came prepared and called DNB's bluff. And next up will be a discussion on supervisory costs for crypto companies where the whole market will do so again.

Historic pattern

The historic pattern at play here is the interplay between regulators and market, fuelled by media incidents and publications. When in the 1970s credit cards appeared in the EU market and markets were mainly national, it only took national consensus between market players and central banks to keep one of the players (Visa) out of the market. 

Later on, when EU rules dictated that all cards had to be allowed and fair competition would need to be in place, the central bank mainly stuck to its legal remit. For some time in the 1990s the central bank also assisted in analysing the market and promoting innovation, opening up the closed EFTPOS structure in the Netherlands in the process. Still, when instructed by the European powers that be, it succumbed to the request to exempt European mobile operators from the application of e-money rules in 2002/2003, to the detriment of small innovators in the market.

Other than that, the legality regimes were most prominent as the basis for DNB's action (or inaction). Supervision was done so prudently that during crises the central bank didn't act convincingly and fast enough. Under media and political pressure, the course of the central bank became more politically inspired. It had to be seen as interventionist and proactive, and whether or not this was fully based on legal rules was a consideration that moved to the background.

Even the European Banking Authority noticed this and very politely didn't mention the offenders FINMA and DNB by name, while this remark was directed at them:

164. The EBA has since observed that, in the absence of an EU‐wide approach, there are indications that Member States, in anticipation of a forthcoming FATF Mutual Evaluation or to attract VASP business, have adopted their own VASP AML/CFT and wider regulatory regimes. As these regimes are not consistent, this creates confusion for consumers and market participants, undermines the level playing field and may lead to regulatory arbitrage. This exposes the EU’s financial sector to ML/TF risk.

If history is any guide, however, it may require more than one lawsuit to make DNB change course, so keep a close watch on the Netherlands because it appears as if, as in the Muppet lab, the future of tomorrow's crypto regulation is being made here today.