This blogpost/longread (below) contains the content of reflections, as sent to the FINCEN as a response to the consultation on travel rule for crypto (Docket No. FINCEN-2020–0020; RIN №1506-AB47). It is written from the Dutch and European perspective and what makes it relevant for the US is that the Dutch supervisor has already imposed an even harsher rule (verification of beneficairy wallet holder for self-operated wallets regardless of amounts involved) as an undue (and legally disputed) market entrance rule.
The blog is written from a personal perspective, based on my market and regulatory experience with 25 plus years of banking, e-money, crypto and e-payments. In essence I recommend the FINCEN to steer away from behaviour that qualifies as a human rights treaties violation and not force the private sector to disobey the human rights obligations that they independently have under those treaties. Regulators should align legal requirements into a coherent framework and not place the burden of incompatible requirements at the doorstep of the private sector.
Of particular interest in this respect is the recent announcement of the European Data Protection Board (of late december 2020) which outlines their committment to step up their game and ensure that no AML/KYC measure infringes on human rights principles of privacy and innocense presumption:
The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures
are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the
Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in
a democratic society and their proportionality, and the case law of the Court of Justice of the European
Union.
The brief version of my comments / summary is provided here, which is then followed by the detailed submission to the FINCEN, with hyperlinks replacing the footnotes of the original document.
======
Agency: Financial Crimes Enforcement Network (FINCEN)
Document Type: Rulemaking
Title: Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets
Document ID: FINCEN-2020-0020-0001
Comment:
Please find my contribution attached. Some highlights.
1. What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect the human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide with the relevant UN/EU Charters on human rights.
2. Why the FINCEN proposal is not justified: it continues the abuse of deliberate post 9/11 legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.
3. Do also note that the European Data Protection Board has issued a clear statement outlining the limits of surveillance by states and under administrative law. In this respect do also take note of the dissertation by C. Kaiser of 2018, outlining that the EU KYC rules may be anulled if challenged in European courts. From an analytical perspective this would also hold true for the US rules and their compatibility with the UN charter on human rights.
4. Practically speaking: the FINCEN is being sloppy with data. Data breaches of FINCEN have a huge impact which is not catered for in terms of risk analysis and side effects. These side-effects, when quantified, outweight the benefits to a huge extend and less intrusive solutions will be available. But history shows that you are not seeking less intrusive powers but seek to increase your information position out of an organisational drive to remain in the game and grow bigger.
5. Finally, don't kid yourselves as to the relevance of picking up these bread crumbs on the table. You are punishing the citizens of the world, while leaving all big money launderers unchallenged. Most relevant example is that you have been unable to really do your job properly, How come that a well known money launderer was even able to become president of the US? I think you may want to reflect on your own organisation and functioning first,
I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others.
Uploaded File(s):
- FINCEN-response-Lelieveldt-2020-01-04.pdf
- FINCENFiles-thread-Annex 1.pdf
- Annex-2-Lelieveldt submission FINCEN.pdf
=====
Policy Division
Financial Crimes Enforcement Network
PO Box 39 Vienna, VA 22183
United States of America
Dear Secretary Mnuchin, January 4, 2021
I would like to share some reflections on Docket Number FINCEN-2020-0020, RIN number 1506-
AB47, and the proposed changes outlined in, FinCEN, Notice of Proposed Rulemaking, “Requirements
for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.”
Although you limit the timeline of submission to 2 weeks, I am pleased to be able to still contribute
to the debate, as the situation in the Netherlands is even worse. Without advance notice, the Dutch
financial supervisor, DNB, has used its powers as a supervisor of a simple EU registration regime for
crypto players to force upon the industry an even more intrusive obligation for all crypto-players in
the Netherlands to verify beneficiaries of cryptowallets, regardless of the amount. The requirements
imposed during the registration process will be challenged in court and you may wish to monitor
those developments.
What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the
technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for
crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not
only a violation of human rights treaties in itself, but you are also forcing this violation upon the
private sector, which has an independent duty under the same treaties to respect the human
rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age
and respectfully suggest you consult and abide with the relevant UN/EU Charters on human rights.
So who is writing this?
Now let me introduce myself further. I am writing in my professional/personal capacity and driven by
a personal motivation that is reflected in the seal/logo and motto in the right upper corner: the NOW
is the PAST is the PRESENT is the FUTURE. The moto is imprinted, using an old coin press, upon a
wooden coin, made out of a 130 year old tree that stood on the Amsterdam exchange square. The
tree, an Elm, witnessed time passing by and the development of society and financial markets. It
symbolises the value I attach to cherishing history, learn lessons and use those learnings for todays
developments. I hope you may appreciate my reflections from this perspective and rest assured, I’ll
get to the actualities of FATF and European privacy discussions in due time.
Professionally, I started out my career In as an industrial engineer in the financial sector by
documenting and publishing a study on electronic payments (EFTPOS) regulation in 1989. In my
research I revealed that the US Intelligence agencies had been pushing DES to become aninternational standard. At the time I did not have the ability however to put this finding into a
broader perspective. However, more recently it became clear from the Crypto AG case that it was
part of a long standing practice in which the US was actively pushing backdoors in technology, to
ensure continued surveillance of all citizens and governments of the world. I think it is fair to say this
is indeed the ‘Intelligence coup of the century’.
Since then I embarked on a professional career starting out at ING/Postbank, moving on to become a
policy analist at the central bank, charged with developing supervisory frameworks for electronicmoney in the 1990s. By the time that I contributed to European legislation and supervision for
electronic money issuers, your organisation, FINCEN seemed to have made a strategic decision toposition itself as the go-to supervisor for all kind of modern payments and e-money. Although I think
such a move may be analytically unsound and undesirable, I also view this as a natural reality ofinstitutional power politics. It is up to citizens, politicians, courts and private sector organisations to
push back and hence my reflections in this letter.
Next up in my career, I worked extensively in the payments policy department of the Dutch bankers
association. As such I was quite involved in the international rulemaking for banks and actually wrote
the Dutch implementation guideline for the FATF7-rule (the origin of the travel rule). I was also a
close witness to the SWIFT privacy incident and subsequent discussions on the EU privacy shield.
Later on I moved towards a role as head of the department on financial markets and bank
supervision of the Dutch Bankers Association.
What struck me in those days was the very anecdotal evidence and political framing arguments in
discussions on money laundering and prevention of terrorist financing. It seems that 15 years later
the situation hasn’t changed and I would suggest the FINCEN to disclose and evaluate more precisely
whether its role has been effective and whether this proposed rule actually adds any value when
doing a broad analysis of costs/benefits. I’ll get to that issue later.
Since 2011 I am active as an independent regulatory consultant and interim compliance manager for
both government agencies and private sector entities. In this work, which mostly covers payment
instritutions, e-money and crypto, I try to reconcile justified regulatory requirements with business
constraints/demands. And yes, the important wording is: justified.
Let me try and explain why the
FINCEN proposal is not justified: it continues the abuse of legal design flaws/choices that
undermine human rights by misusing administrative law, financial supervision law instead of
following penal law procedures which have proper safeguards for human rights.
Sidestep: what use are consultations if you don’t want to listen?
The Dutch scientist Dr. M. Wesseling has written an extensive and worthwhile dissertation on theinternational and European fight against terrorist financing and money laundering. The dissertation
outlines that the US intelligence agencies have smartly used the momentum of the 9/11 attacks to
get something they wanted: spying possibilities via the front door of financial transactions, bypassing
formal legal and penal law safeguards, by pushing bank regulation and administrative rules. So what
happened before 9/11?
A third important discourse concerned civil liberties. In 1999, the US Treasury proposed
strengthened Know Your Customer (KYC) regulations. These proposals faced stiff opposition in
the US Congress for anti-regulatory reasons, but the main issue at stake was concerns over
privacy (Eckert, 2008, p. 213, Napoleoni, 2004, p. 219). The US Treasury received more than
200,000 negative responses to its proposal from all political backgrounds objecting to the
proposed requirements for banks to obtain extensive private information (Donohue, 2006, p.
359). The KYC proposal was also criticized for being a potential source of mistrust and
resentment of government, particularly among immigrants and minority groups, as well as an
undesirable form of generalized spying and reporting on citizens (Cato Institute, 1999).
What FINCEN has seen in these 2 weeks of consultation will analytically not be very different from
the responses that the US Treasury received more than 20 years ago. I would suggest that you
include a review of those responses into your work, as they will undoubtedly be just as relevant.
Wesseling outlines how the 9/11 attacks changed the regulatory picture completely with civil
liberties and human rights being:
The attacks of 11 September 2001 substantially changed the urgency and importance
assigned to these different debates. The relative insignificance of the amounts of money
involved in terrorism, the burden on the financial sector, the civil liberties implications of
strengthened regulation, and the doubts about the use of UN economic sanctions, all became
subordinate to the increased urgency of terrorism.
Although the 9/11 Commission would estimate in 2004 that the total costs of the attacks was
between $400,000 and 500,000 and concluded that the costs of the attacks were relatively
low compared to the amounts of daily financial transactions worldwide (2004, pp. 186-189), a
radically different conclusion was drawn in the immediate aftermath of the 9/11 attacks.
Starving terrorists of their money had become a key objective within global governance.
Likewise, financial regulation, such as Know Your Customer requirements, had been
strengthened with little opposition from politicians, civil society or the financial and banking
sector. Their current scope exceeds by far any previous initiative, making the contentious
proposals of the 1990s look soft. Civil liberties, it was now widely accepted, had to be traded
in if they constituted an opportunity for terrorists to ‘hide’.
What I am saying here is that since 9/11 your organization is in a group think tunnel which has the
effect of a religion or a cult. There is a dangerous liaison between intelligence agencies, tax
authorities and financial supervisors which impose all kinds of intrusive rules under the FATF-umbrella as so-called: recommendations. Instead of revisiting the post 9/11 approach as a regulatory
overshoot, the groupthink has remained intact as it comes in handy.
Or to put it differently. The US have since 2001 moved the angle of their intelligence attack from
hardware based intelligence and surveillance to the informational front door that lies in financial
transaction data. And this move is so useful and successful that US authorities are now even able
to pull it off in broad daylight. Generations of bank personnel have become used to KYC/AML
procedures that infringe on human rights. Now, from this perspective, it is clear that there is no way
FINCEN will actually read or take on board any of the remarks in this consultation. As an institution
the FINCEN has by now also brainwashed itself into believing its approach is valid and legitimate.
The big design flaw is that instead of penal law, the whole construct of administrative law and bank
supervision law is misused to ensure unbridled and unchecked data flow of innocent citizens to
authorities all around the world. So it is fair to say that the FINCEN has successfully contributed to
maintaining a climate in which a legal design flaw is used in combination with a cultural ideology to
hypnotise/brainwash financial professionals in acting in violation of clear human rights such as
privacy and the right to be viewed as innocent until proven guilty.
Please see also Annex 1 to this letter (threadreader page - twitter feed) for a further explanation of the idiocy of still using
administrative law when fine penal law structures exist and can be enforced to catch money
launderers and terrorists on a spearfishing pull-request basis without the extensive data
broadcasting and datamining requirements stemming from the pre-platform pre-big data age 2001.
Then again, you could also read the 1999 consultation responses. All answers are in the public
domain already. The real question is: FINCEN, are you listening. Really?
FINCEN violates human rights as a business model and should not force companies to join them
Under UN Resolution RESOLUTION 28/16 (the right to privacy in the digital age), article 8.2 of the
European Convention on Human Rights and the EU Court decision on data retention
(ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent
persons is that it may very well constitute a violation of the right to privacy in cases where it is
disproportional and no sufficient safeguards are in place.
In this respect I can recommend the dissertation by Dr. Carolin Kaiser from 2018, outlining that –
under todays case law and interpretations - the current EU regulation of KYC/AML may well be
annulled by the EU Court of Justice. I am pretty confident that by analogy the same will hold true for
US KYC/AML legislation when read against the UN Charter of Human Rights.
But let us focus on the EU situation more closely.
Last month the European Data Protection Board issued an important statement outlining the importance they attach to protecting the human right toprivacy in particular given the intrusive money laundering procedures that have arisen all over the
world.
The EDPB considers it as a matter of the utmost importance that the anti-money laundering
measures are compatible with the rights to privacy and data protection enshrined in Articles 7
and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity
of such measures in a democratic society and their proportionality, and the case law of the
Court of Justice of the European Union.
The EDPB therefore calls on the European Commission to be associated to the drafting
process of any new anti-money laundering legislation in its early stages, with a view to
provide legal advice on some key points from a data protection perspective, without prejudice
to the consultation by the European Commission in line with Article 42 of Regulation
2018/1725 at a later stage.
The EDPB is also ready to contribute to discussions within the Council of the EU and the
European Parliament during the legislative process. Going forward, the EDPB stands ready to
be involved and consulted in a timely manner by any European or international regulatory
bodies or standard-setters, such as the Financial Action Task Force, currently chaired by an EU
Member state, before issuance of the revision of their recommendations.
Coming back to the details of your proposed regulation. Human right treaties require that intrusive
surveillance requires serious crime under human rights charters. It can hardly be argued that just
the sheer use of unhosted wallets for higher amounts is a demonstration of this serious crime. The
suspicion should come from formal police officers doing their job, not from private sector players
which are obliged to snitch upon their customers and broadcast their data into all kinds of
databases without reasonable suspicion being present.
Next up, you are also overlooking the fact that businesses are by themselves obliged to honour the
human rights under the "Guiding Principles on Business and Human Rights: Implementing theUnited Nations ‘Protect, Respect and Remedy’ Framework", which were developed by the Special
Representative of the Secretary-General on the issue of human rights and transnational corporations
and other business enterprises. The Human Rights Council endorsed the Guiding Principles in its
resolution 17/4 of 16 June 2011.
It should not be up to companies to reconcile conflicting legislative objectives. It is up to regulators to
steer clear from conflicts of law and not impose undue human rights violations onto companies.
FATF: continuation of the ill-footed surveillance model
FINCEN is engaged in a regulatory experiment that has been agreed upon by the FATF in the summer
of 2019 or 2020. Confronted with the new blockchain / virtual asset technology, the choice has been
made to push the travel rule into the blockchain world. The US has used its leadership position of the
FATF to push this agenda item through. Which essentially sums up 20 years of anti-money laundering
policies worldwide.
In Annex 2 I have listed the
blogpost with which I tried to warn the FATF/public in spring 2019 on the
fact that pushing through a travel rule for crypto is just as useless as it was for banks back in the days.
There is no sufficient quantitative evidence that any of those rules has really benefited finding
criminals and preventing terrorist attacks (see the
dissertation of M. Wesseling). It is a cost burden to
all professionals in the financial sector and the resources spent could be better allocated directly to
police forces or Ministries of Justice instead, as this warrants better protection of suspect individuals.
The
recent evaluation of the FATF virtual asset travel rule clearly outlines the 2-step approach that is
being taken. First force the travel rule upon registered/licensed players, then as phase 2 force them
to verify the beneficiary of wallet transactions. This is a requirement which even goes beyond the
R15 and R16 regulations for banks !!
If I read the FATF document correctly the FATF-members have agreed to not follow a similar policy
line but to use the year 2020/2021 as an experimentation year. The 12-month review of the revised
fatf standards on virtual assets and virtual asset service providers is clear that there is no real risk
present:
53. However, jurisdictions did not consider that there was sufficient evidence to warrant
changing the revised FATF Standards at this point at time. There was insufficient evidence
demonstrating that the number and value of anonymous peerto-peer transactions has
changed enough since June 2019 to present a materially different ML/TF risk. Further
research could be undertaken with the VASP sector, academics and software experts and
engineers to better understand the scope of the unregulated peer-to-peer sector.
Yet, the document also gives a path to further experimentation per jurisdiction. If government
authorities put the risk levels on high, they may start to experiment with additional regulations:
54. The launch of new virtual assets however could materially change the ML/TF risks,
particularly if there is mass-adoption of a virtual asset that enables anonymous peer-to-peer
transactions. There are a range of tools that are available at a national level to mitigate, to
some extent, the risks posed by anonymous peer-to-peer transactions if national authorities
consider the ML/TF risk to be unacceptably high. This includes banning or denying licensing of
platforms if they allow unhosted wallet transfers, introducing transactional or volume limits
on peer-to-peer transactions or mandating that transactions occur with the use of a VASP or
financial institutions. As of yet, no common practises or consistent international approach
have emerged regarding the use of these different tools. Accordingly, there should be further
work undertaken on the extent to which anonymous peer-to-peer transactions via unhosted
wallets is occurring, the approach jurisdictions can take to mitigate the ML/TF risks, the
extent to which the revised Standards enable jurisdictions to mitigate these risks and to
continue to improve international co-operation and coordination.
Right now we have seen the FINMA issuing regulations beyond the informational travel rule, coming
down to verifying the beneficiary of transactions. And the Dutch Central bank has also made thisrequirement a (disputed) prerequisite in their registration process for crypto companies. I view the
FINCEN rules as a part of the same process.
What FINCEN is thus doing as a regulator/contributor to FATF discussion is something which could be
called agile regulation. Where usually companies may seek to roll out products in not yet definitive
form, I would qualify the current world wide regulatory approach on crypto assets and the travel rule
as an agile form of experimentation, at the cost of the private sector.
Government agencies do not only have a duty to not write or impose conflicting requirements upon
their constituents but also to ensure their actions are coordinated. But as the FATF intermediary
paper says: As of yet, no common practises or consistent international approach have emerged
regarding the use of these different tools.
What you are proposing as FINCEN (and will be rolling out, as I fail to see any true intention of finding
an optimal regulatory solutions) is an uncoordinated regulatory measure which will lead to increased
cost in a number of different jurisdictions for an industry that is worldwide by nature.
The side effects of the approach is that FINCEN and other regulators are making sure that only larger
well capitalised companies in the crypto space can survive (as they are faced with different costs in
different jurisdictions). Both by nature and their effect, the proposed rule impedes innovation and
leads to undesirable market structures.
FINCEN operational risk and failures
Now let’s turn to the track record of FINCEN itself. I will be blunt in a Dutch way here. You fail to keep
your records safe. For this rule it means that basically we can envisage that at some point in time
hackers will have the possession of names/address of owners of bitcoin addresses. This is an impact
beyond the Ledger hack (which was already scary). It is the equivalent of throwing all peoples bank
account statements in the streets. Which cannot be undone and I don’t see any appreciation of the
operational/privacy risks that you create in this way.
The FINCEN-files leak shows that you will be unable to prevent this data from being safe. It also
shows that FINCEN is unable to do its job properly. You are going after the crumbs on the table and
leave the big money laundering industries and players untouched. Case in point: at present the US
still has a President that may better be labelled the money launderer in chief. No FINCEN authority,
no AML/KYC rules have been able to prevent this from happening.
US from inspiration to dystopian example?
Each moment in life encompasses all its previous moments as well as its future moments. That is the
meaning of NOW is the PAST is the PRESENT is the FUTURE.
The FINCEN proposal is clearly born out
of a tradition of illegitimate government action, spurred by overactive intelligence desires of the US.
It is the second biggest intelligence coup in progress which may deter a whole innovative open
source blockchain technology from maturing into beneficial society solutions. Because with these
rules you are making virtual assets, distributed ledgers and digital tokens into data drones, to be
automatically sent to government.
I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that
taught us about the importance of human rights, true democracies, freedom of speech, privacy and
the importance of the presumption of innocence, is now the country that violates the values it has
inspired into others.
Ir. S.L. Lelieveldt, CCP
