Tuesday, January 05, 2021

Response by Simon Lelieveldt to FINCEN consultation on crypto, travel rules and such

This blogpost/longread (below) contains the content of reflections, as sent to the FINCEN as a response to the consultation on travel rule for crypto (Docket No. FINCEN-2020-0020; RIN 1506-AB47). It is written from the Dutch and European perspective and what makes it relevant for the US is that the Dutch supervisor has already imposed an even harsher rule (verification of beneficiary wallet holder for self-operated wallets regardless of amounts involved) as an undue (and legally disputed) market entrance rule.

The blog is written from a personal perspective, based on my market and regulatory experience with 25 plus years of banking, e-money, crypto and e-payments. In essence I recommend the FINCEN to steer away from behaviour that qualifies as a human rights treaties violation and not force the private sector to disobey the human rights obligations that they independently have under those treaties. Regulators should align legal requirements into a coherent framework and not place the burden of incompatible requirements at the doorstep of the private sector. 

Of particular interest in this respect is the recent announcement of the European Data Protection Board (of late December 2020) which outlines their commitment to step up their game and ensure that no AML/KYC measure infringes on human rights principles of privacy and innocence presumption:

The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union.

The brief version of my comments / summary is provided here, which is then followed by the detailed submission to the FINCEN, with hyperlinks replacing the footnotes of the original document.

======

Agency: Financial Crimes Enforcement Network (FINCEN)
Document Type: Rulemaking
Title: Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets
Document ID: FINCEN-2020-0020-0001

Comment:
Please find my contribution attached. Some highlights.

1. What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect the human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide by the relevant UN/EU Charters on human rights.

2. Why the FINCEN proposal is not justified: it continues the abuse of deliberate post 9/11 legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.

3. Do also note that the European Data Protection Board has issued a clear statement outlining the limits of surveillance by states and under administrative law. In this respect do also take note of the dissertation by C. Kaiser of 2018, outlining that the EU KYC rules may be annulled if challenged in European courts. From an analytical perspective this would also hold true for the US rules and their compatibility with the UN charter on human rights.

4. Practically speaking: the FINCEN is being sloppy with data. Data breaches of FINCEN have a huge impact which is not catered for in terms of risk analysis and side effects. These side-effects, when quantified, outweigh the benefits to a huge extent and less intrusive solutions will be available. But history shows that you are not seeking less intrusive powers but seek to increase your information position out of an organisational drive to remain in the game and grow bigger.

5. Finally, don't kid yourselves as to the relevance of picking up these bread crumbs on the table. You are punishing the citizens of the world, while leaving all big money launderers unchallenged. Most relevant example is that you have been unable to really do your job properly. How come that a well known money launderer was even able to become president of the US? I think you may want to reflect on your own organisation and functioning first.

I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others.

Uploaded File(s):

  • FINCEN-response-Lelieveldt-2020-01-04.pdf
  • FINCENFiles-thread-Annex 1.pdf
  • Annex-2-Lelieveldt submission FINCEN.pdf

=====


Policy Division
Financial Crimes Enforcement Network
PO Box 39 Vienna, VA 22183
United States of America


Dear Secretary Mnuchin,                         January 4, 2021


I would like to share some reflections on Docket Number FINCEN-2020-0020, RIN number 1506-AB47, and the proposed changes outlined in FinCEN, Notice of Proposed Rulemaking, “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.”

Although you limit the timeline of submission to 2 weeks, I am pleased to be able to still contribute to the debate, as the situation in the Netherlands is even worse. Without advance notice, the Dutch financial supervisor, DNB, has used its powers as a supervisor of a simple EU registration regime for crypto players to force upon the industry an even more intrusive obligation for all crypto-players in the Netherlands to verify beneficiaries of cryptowallets, regardless of the amount. The requirements imposed during the registration process will be challenged in court and you may wish to monitor those developments.

What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect the human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide by the relevant UN/EU Charters on human rights.

So who is writing this? 

Now let me introduce myself further. I am writing in my professional/personal capacity and driven by a personal motivation that is reflected in the seal/logo and motto in the right upper corner: the NOW is the PAST is the PRESENT is the FUTURE. The motto is imprinted, using an old coin press, upon a wooden coin, made out of a 130 year old tree that stood on the Amsterdam exchange square. The tree, an Elm, witnessed time passing by and the development of society and financial markets. It symbolises the value I attach to cherishing history, learn lessons and use those learnings for today's developments. I hope you may appreciate my reflections from this perspective and rest assured, I’ll get to the actualities of FATF and European privacy discussions in due time.

Professionally, I started out my career as an industrial engineer in the financial sector by documenting and publishing a study on electronic payments (EFTPOS) regulation in 1989. In my research I revealed that the US Intelligence agencies had been pushing DES to become an international standard. At the time I did not have the ability however to put this finding into a broader perspective. However, more recently it became clear from the Crypto AG case that it was part of a long standing practice in which the US was actively pushing backdoors in technology, to ensure continued surveillance of all citizens and governments of the world. I think it is fair to say this is indeed the ‘Intelligence coup of the century’.

Since then I embarked on a professional career starting out at ING/Postbank, moving on to become a policy analyst at the central bank, charged with developing supervisory frameworks for electronic money in the 1990s. By the time that I contributed to European legislation and supervision for electronic money issuers, your organisation, FINCEN, seemed to have made a strategic decision to position itself as the go-to supervisor for all kinds of modern payments and e-money. Although I think such a move may be analytically unsound and undesirable, I also view this as a natural reality of institutional power politics. It is up to citizens, politicians, courts and private sector organisations to push back and hence my reflections in this letter.

Next up in my career, I worked extensively in the payments policy department of the Dutch bankers association. As such I was quite involved in the international rulemaking for banks and actually wrote the Dutch implementation guideline for the FATF7-rule (the origin of the travel rule). I was also a close witness to the SWIFT privacy incident and subsequent discussions on the EU privacy shield. Later on I moved towards a role as head of the department on financial markets and bank supervision of the Dutch Bankers Association.

What struck me in those days was the very anecdotal evidence and political framing arguments in discussions on money laundering and prevention of terrorist financing. It seems that 15 years later the situation hasn’t changed and I would suggest the FINCEN to disclose and evaluate more precisely whether its role has been effective and whether this proposed rule actually adds any value when doing a broad analysis of costs/benefits. I’ll get to that issue later.

Since 2011 I am active as an independent regulatory consultant and interim compliance manager for both government agencies and private sector entities. In this work, which mostly covers payment institutions, e-money and crypto, I try to reconcile justified regulatory requirements with business constraints/demands. And yes, the important wording is: justified.

Let me try and explain why the FINCEN proposal is not justified: it continues the abuse of legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.

Sidestep: what use are consultations if you don’t want to listen? 

The Dutch scientist Dr. M. Wesseling has written an extensive and worthwhile dissertation on the international and European fight against terrorist financing and money laundering. The dissertation outlines that the US intelligence agencies have smartly used the momentum of the 9/11 attacks to get something they wanted: spying possibilities via the front door of financial transactions, bypassing formal legal and penal law safeguards, by pushing bank regulation and administrative rules. So what happened before 9/11?

A third important discourse concerned civil liberties. In 1999, the US Treasury proposed strengthened Know Your Customer (KYC) regulations. These proposals faced stiff opposition in the US Congress for anti-regulatory reasons, but the main issue at stake was concerns over privacy (Eckert, 2008, p. 213, Napoleoni, 2004, p. 219). The US Treasury received more than 200,000 negative responses to its proposal from all political backgrounds objecting to the proposed requirements for banks to obtain extensive private information (Donohue, 2006, p. 359). The KYC proposal was also criticized for being a potential source of mistrust and resentment of government, particularly among immigrants and minority groups, as well as an undesirable form of generalized spying and reporting on citizens (Cato Institute, 1999).

What FINCEN has seen in these 2 weeks of consultation will analytically not be very different from the responses that the US Treasury received more than 20 years ago. I would suggest that you include a review of those responses into your work, as they will undoubtedly be just as relevant.

Wesseling outlines how the 9/11 attacks changed the regulatory picture completely with civil liberties and human rights being:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism. 

Although the 9/11 Commission would estimate in 2004 that the total costs of the attacks was between $400,000 and 500,000 and concluded that the costs of the attacks were relatively low compared to the amounts of daily financial transactions worldwide (2004, pp. 186-189), a radically different conclusion was drawn in the immediate aftermath of the 9/11 attacks. 

Starving terrorists of their money had become a key objective within global governance. Likewise, financial regulation, such as Know Your Customer requirements, had been strengthened with little opposition from politicians, civil society or the financial and banking sector. Their current scope exceeds by far any previous initiative, making the contentious proposals of the 1990s look soft. Civil liberties, it was now widely accepted, had to be traded in if they constituted an opportunity for terrorists to ‘hide’. 

What I am saying here is that since 9/11 your organization is in a group think tunnel which has the effect of a religion or a cult. There is a dangerous liaison between intelligence agencies, tax authorities and financial supervisors which impose all kinds of intrusive rules under the FATF-umbrella as so-called: recommendations. Instead of revisiting the post 9/11 approach as a regulatory overshoot, the groupthink has remained intact as it comes in handy.

Or to put it differently. The US have since 2001 moved the angle of their intelligence attack from hardware based intelligence and surveillance to the informational front door that lies in financial transaction data. And this move is so useful and successful that US authorities are now even able to pull it off in broad daylight. Generations of bank personnel have become used to KYC/AML procedures that infringe on human rights. Now, from this perspective, it is clear that there is no way FINCEN will actually read or take on board any of the remarks in this consultation. As an institution the FINCEN has by now also brainwashed itself into believing its approach is valid and legitimate. 

The big design flaw is that instead of penal law, the whole construct of administrative law and bank supervision law is misused to ensure unbridled and unchecked data flow of innocent citizens to authorities all around the world. So it is fair to say that the FINCEN has successfully contributed to maintaining a climate in which a legal design flaw is used in combination with a cultural ideology to hypnotise/brainwash financial professionals in acting in violation of clear human rights such as privacy and the right to be viewed as innocent until proven guilty.

Please see also Annex 1 to this letter (threadreader page - twitter feed) for a further explanation of the idiocy of still using administrative law when fine penal law structures exist and can be enforced to catch money launderers and terrorists on a spearfishing pull-request basis without the extensive data broadcasting and datamining requirements stemming from the pre-platform pre-big data age 2001. Then again, you could also read the 1999 consultation responses. All answers are in the public domain already. The real question is: FINCEN, are you listening. Really?

FINCEN violates human rights as a business model and should not force companies to join them 

Under UN Resolution 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportional and no sufficient safeguards are in place.

In this respect I can recommend the dissertation by Dr. Carolin Kaiser from 2018, outlining that – under today's case law and interpretations - the current EU regulation of KYC/AML may well be annulled by the EU Court of Justice. I am pretty confident that by analogy the same will hold true for US KYC/AML legislation when read against the UN Charter of Human Rights. But let us focus on the EU situation more closely.

Last month the European Data Protection Board issued an important statement outlining the importance they attach to protecting the human right to privacy in particular given the intrusive money laundering procedures that have arisen all over the world.

The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union. 

The EDPB therefore calls on the European Commission to be associated to the drafting process of any new anti-money laundering legislation in its early stages, with a view to provide legal advice on some key points from a data protection perspective, without prejudice to the consultation by the European Commission in line with Article 42 of Regulation 2018/1725 at a later stage. 

The EDPB is also ready to contribute to discussions within the Council of the EU and the European Parliament during the legislative process. Going forward, the EDPB stands ready to be involved and consulted in a timely manner by any European or international regulatory bodies or standard-setters, such as the Financial Action Task Force, currently chaired by an EU Member state, before issuance of the revision of their recommendations.

Coming back to the details of your proposed regulation. Human right treaties require that intrusive surveillance requires serious crime under human rights charters. It can hardly be argued that just the sheer use of unhosted wallets for higher amounts is a demonstration of this serious crime. The suspicion should come from formal police officers doing their job, not from private sector players which are obliged to snitch upon their customers and broadcast their data into all kinds of databases without reasonable suspicion being present.

Next up, you are also overlooking the fact that businesses are by themselves obliged to honour the human rights under the "Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework", which were developed by the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises. The Human Rights Council endorsed the Guiding Principles in its resolution 17/4 of 16 June 2011.

It should not be up to companies to reconcile conflicting legislative objectives. It is up to regulators to steer clear from conflicts of law and not impose undue human rights violations onto companies.

FATF: continuation of the ill-footed surveillance model

FINCEN is engaged in a regulatory experiment that has been agreed upon by the FATF in the summer of 2019 or 2020. Confronted with the new blockchain / virtual asset technology, the choice has been made to push the travel rule into the blockchain world. The US has used its leadership position of the FATF to push this agenda item through. Which essentially sums up 20 years of anti-money laundering policies worldwide. 

In Annex 2 I have listed the blogpost with which I tried to warn the FATF/public in spring 2019 on the fact that pushing through a travel rule for crypto is just as useless as it was for banks back in the days. There is no sufficient quantitative evidence that any of those rules has really benefited finding criminals and preventing terrorist attacks (see the dissertation of M. Wesseling). It is a cost burden to all professionals in the financial sector and the resources spent could be better allocated directly to police forces or Ministries of Justice instead, as this warrants better protection of suspect individuals.

The recent evaluation of the FATF virtual asset travel rule clearly outlines the 2-step approach that is being taken. First force the travel rule upon registered/licensed players, then as phase 2 force them to verify the beneficiary of wallet transactions. This is a requirement which even goes beyond the R15 and R16 regulations for banks!!

If I read the FATF document correctly the FATF-members have agreed to not follow a similar policy line but to use the year 2020/2021 as an experimentation year. The 12-month review of the revised FATF standards on virtual assets and virtual asset service providers is clear that there is no real risk present:

53. However, jurisdictions did not consider that there was sufficient evidence to warrant changing the revised FATF Standards at this point at time. There was insufficient evidence demonstrating that the number and value of anonymous peer-to-peer transactions has changed enough since June 2019 to present a materially different ML/TF risk. Further research could be undertaken with the VASP sector, academics and software experts and engineers to better understand the scope of the unregulated peer-to-peer sector.

Yet, the document also gives a path to further experimentation per jurisdiction. If government authorities put the risk levels on high, they may start to experiment with additional regulations:

54. The launch of new virtual assets however could materially change the ML/TF risks, particularly if there is mass-adoption of a virtual asset that enables anonymous peer-to-peer transactions. There are a range of tools that are available at a national level to mitigate, to some extent, the risks posed by anonymous peer-to-peer transactions if national authorities consider the ML/TF risk to be unacceptably high. This includes banning or denying licensing of platforms if they allow unhosted wallet transfers, introducing transactional or volume limits on peer-to-peer transactions or mandating that transactions occur with the use of a VASP or financial institutions. As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools. Accordingly, there should be further work undertaken on the extent to which anonymous peer-to-peer transactions via unhosted wallets is occurring, the approach jurisdictions can take to mitigate the ML/TF risks, the extent to which the revised Standards enable jurisdictions to mitigate these risks and to continue to improve international co-operation and coordination.

Right now we have seen the FINMA issuing regulations beyond the informational travel rule, coming down to verifying the beneficiary of transactions. And the Dutch Central bank has also made this requirement a (disputed) prerequisite in their registration process for crypto companies. I view the FINCEN rules as a part of the same process.

What FINCEN is thus doing as a regulator/contributor to FATF discussion is something which could be called agile regulation. Where usually companies may seek to roll out products in not yet definitive form, I would qualify the current world wide regulatory approach on crypto assets and the travel rule as an agile form of experimentation, at the cost of the private sector.

Government agencies do not only have a duty to not write or impose conflicting requirements upon their constituents but also to ensure their actions are coordinated. But as the FATF intermediary paper says: As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools. 

What you are proposing as FINCEN (and will be rolling out, as I fail to see any true intention of finding optimal regulatory solutions) is an uncoordinated regulatory measure which will lead to increased cost in a number of different jurisdictions for an industry that is worldwide by nature.

The side effect of the approach is that FINCEN and other regulators are making sure that only larger well capitalised companies in the crypto space can survive (as they are faced with different costs in different jurisdictions). Both by nature and their effect, the proposed rule impedes innovation and leads to undesirable market structures.

FINCEN operational risk and failures 

Now let’s turn to the track record of FINCEN itself. I will be blunt in a Dutch way here. You fail to keep your records safe. For this rule it means that basically we can envisage that at some point in time hackers will have the possession of names/addresses of owners of bitcoin addresses. This is an impact beyond the Ledger hack (which was already scary). It is the equivalent of throwing all people's bank account statements in the streets. Which cannot be undone and I don’t see any appreciation of the operational/privacy risks that you create in this way.

The FINCEN-files leak shows that you will be unable to prevent this data from being safe. It also shows that FINCEN is unable to do its job properly. You are going after the crumbs on the table and leave the big money laundering industries and players untouched. Case in point: at present the US still has a President that may better be labelled the money launderer in chief. No FINCEN authority, no AML/KYC rules have been able to prevent this from happening. 

US from inspiration to dystopian example?

Each moment in life encompasses all its previous moments as well as its future moments. That is the meaning of NOW is the PAST is the PRESENT is the FUTURE. 

The FINCEN proposal is clearly born out of a tradition of illegitimate government action, spurred by overactive intelligence desires of the US. It is the second biggest intelligence coup in progress which may deter a whole innovative open source blockchain technology from maturing into beneficial society solutions. Because with these rules you are making virtual assets, distributed ledgers and digital tokens into data drones, to be automatically sent to government. 

I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others. 

Ir. S.L. Lelieveldt, CCP