Thursday, October 12, 2023

Long story short: Dutch judge finds DNB (Dutch AML-supervisor for crypto) did overstep its mandate in registration verifications and invalidates parts of AML law

Over the past five years, we have seen a debate unfold in the Netherlands where the Dutch central bank forced the Ministry of Finance to adopt rules that go beyond the AMLD5 directive. And finally, the judge brings clarity: regulators and supervisor overstepped their mandate. 

Registration or licensing of crypto players here in the Netherlands?

Where the AMLD5 directive says: you must register crypto companies with a check on management capability and UBO reputation, the Dutch central bank went way beyond that. It wrote a letter to the Ministry of Finance that it wanted a license regime and kept on asking for all components of a license regime. And they got it in the end, with the Ministry of Finance denying to the press and parliament that they had upgraded the law. This was well beyond the advice of the Council of State, which outlined the impossibility of doing this well in advance. 

I wrote a range of articles about that (this one), was the driving force in the lawsuit on the improper verification requirements that applicants were asked to meet in order to be allowed to register, and helped prepare the next lawsuit on illegal acts of the supervisor, meaning that all the costs borne for those illegal acts cannot be charged to companies. 

One and a half years ago I penned the experience down in this blog when I started a sabbatical. For me, there is no use in doing compliance work if supervisors don't stick to the law themselves. So I wanted to reflect on that, and meanwhile the lawsuit against DNB was being prepared and unfolded. 

Now, finally, after 5 years of banging the drum on the topic, the Rotterdam Court fully agreed and acknowledged that the Dutch supervisor, DNB, has acted illegally by imposing and requiring more information than necessary for the prescribed registration regime under AMLD5. It effectively turned it into a licensing regime, and that was not the idea/intention. 

Court judgment: Dutch law declared invalid where it turns registration into licensing regime

Their verdict, translated (h/t ChatGPT), tells it loud and clear. All parts of the Wwft and lower-level rules that are in conflict with the registration regime as defined in AMLD5 are declared invalid as being in violation of higher EU law.  

"3.6 While the processing of registration requests in this manner by DNB involves a task assigned to it by or under the Wwft, and the resulting activities, there is no basis for this in the AMLD5. As noted by the Advisory Division of the Council of State in its advice of June 3, 2019 (no. W06.19.0080/III and TK, 2018-2019, 35245, no. 4) on the Implementation Law amending the fourth anti-money laundering directive, the directive does not allow the prescribed registration obligation to be structured as an (additional) licensing obligation, where a prior assessment takes place to determine whether an institution can comply with its Wwft obligations. However, the legally prescribed method of processing registration requests has given the registration obligation that form. For example, in the case of a registration request under Article 3, paragraph 1, subparagraph n, of the Implementation Regulation, data must be provided on the organization of business operations with regard to the integrity and controlled business conduct referred to in Article 23j of the Wwft, which provision aims to ensure that a provider of services related to virtual currency organizes its business operations in such a way that it can comply with the requirements set by the Wwft (EK, 2019-2020, 35245, C, p. 8). The explanation on the registration form used by DNB indicates that DNB wishes to obtain detailed data from the submitter of a registration request, indicating a thorough prior assessment of whether this provider can meet its Wwft obligations.

3.7. The conclusion is that Article 23d, paragraph 1, of the Wwft and Article 23c, paragraph 1, of the Wwft, read in conjunction with Article 1a of the Implementation Decree and Article 3 of the Implementation Regulation, to the extent that these articles go beyond obtaining and assessing the data needed to register a provider under Article 23f of the Wwft in the public register of providers and to test the suitability and reliability of the policymaker(s) and ultimate beneficial owner(s) of the provider, are invalid due to conflict with the scope of the registration obligation laid down in Article 47 of the AMLD5.

3.8. This invalidity means that the way in which DNB assesses registration requests cannot be partially seen as falling under a task assigned to it by or under the Wwft and the resulting activities."

What's next?

1. DNB will have to refund the invoices for supervision over 2021 as a result of the fact that a large part of the cost pertained to activities without legal mandate which cannot be recovered. So the Ministry of Finance will have to pay this as it doesn't make sense to charge any private entity for the legal wrongdoings and supervisors overstepping their mandate.

2. DNB will have to revise the registration regime and make it a true registration regime. They can no longer apply the 10-step approach (a copy-paste of licensing) and extensive list of questions and must stick to a short list. Effectively, the main focus of registrations will have to be on evaluating the quality of management and the reputation of the UBO. Registrations must be done in 2 months instead of the current 6-12 months evaluation period.

3. If DNB wants to add specific demands and requests, it will have to send out specific requests immediately after registration and should do so on the basis of a prior risk assessment as to the nature of the company and its business positioning/management (they will have sufficient information on that as a result of the management evaluation procedure in the registration).

4. DNB needs to ask an independent accountant to separate the forbidden registration costs which included checking wallet verification requirements, doing extensive study of documentation from the practical application process prescribed under AMLD5. This will mean that 75% of the costs of crypto supervision in 2021, 2022 and 2023 will have to be dropped. 

5. DNB will most likely also appeal against the verdict, although ideally they would apologise for having gone beyond their mandate both as a supervisor and in their role as 'advisor' of the Ministry of Finance. This apology can be made without cost, given that it is DNB's vision that even when they make a mistake they are not legally liable for it. This is also in Dutch law (a relic from the post-financial-crisis period). 

A 'told you so' with mixed feelings

Well. I told you so. For 5 years I've been telling regulators and DNB that their policy decision to do more than the EU directive was at odds with our institutional frameworks. But hey, who listens to crypto players: those casinos, those money launderers. It was fairly easy for the central bank and the Ministry of Finance to frame their way out of the debate. They also misrepresented the facts.

Appeals to higher ethics and the institutional boundaries did not work. Not formally, not informally. And I've really pushed every button I could find. Because you don't want to end up resolving things in court. And if you do, you want to prove that you tried your best to prevent ending up there. Which means the matter had to go to court. The powers that be thought they were right and that they could ignore the EU rules and the advice of the Council of State on the incompatibility of their plans with those rules. 

Usually that works, by the way. Because companies and industry organisations usually aren't that well documented and don't come prepared. But this time was different. DNB and the Ministry of Finance had just pulled an identical trick in the payment sector, so this was a second time around for the legal and compliance industry involved. And that made a difference. The supporting legal industry did not fall for the easy crypto-money-laundering frame. The legal industry recognised the DNB-overstepping-mandate reality.

Still, this is all mixed feelings. Why don't we just respect EU rules, whether in government or in companies? That would have made our life a fair bit more pleasant. Why did we have to go to such lengths to fight this battle? Do we really need to go on and start a third lawsuit now (when DNB doesn't come round to acknowledging their errors of judgment)? 

So yes, this is a told-you-so moment. But I mostly hope this legal verdict is where things will change, so that there is no need to write about a third told-you-so moment in the future. 

Monday, August 14, 2023

Annulment procedure for the EU version of the FATF Travel rule: Q&A


Ok, so you may have been reading a complex thread on social media about the European travel rule for crypto companies and the impact it has on fundamental rights to privacy and freedom to provide services. And you may be wondering. What is it? What's happening. How can I contribute? 

Well, it's a long story with quite some history (see this blog here, here and here) but I will try to summarize the situation as of mid August 2023. The blog may be adapted over time, by the way.

What is this annulment procedure all about?
Simply put, the European legislator decided to promulgate a regulation that obliges future virtual asset providers to broadcast personal data for all transactions along the international value chain for reasons of preventing money laundering and terrorist finance. 

This is in spite of abundant, repeated case verdicts of the Court of Justice that annul Directives and amend legislation which violates the proportionality principles and forgets the test of strict necessity of such measures (see also a detailed analysis in the dissertation of Carolin Kaiser, outlining the incompatibility of AML rules with Court of Justice rulings and EU Treaty rules on human rights). 

Where can I find the disputed requirement(s) in the EU regulation?
You will find it in the articles 14-23 of the regulation which outline a bunch of information to be added to crypto-asset transfers (or being sent along via separate communication channel). Senders should add the information, receivers should check whether it is there and notify/remind the sender when it is incomplete. All in all it is an elaborate set of instructions for all crypto asset players.

What personal data is involved?

Well, first of all, the fact that you as a customer (or receiver) own virtual assets (a fact that, see the Ledger hack, has proven to be very private and sensitive information). It regards the following information about the sender/originator: 

(a) the name of the originator;

(b) the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;

(c) the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;

(d) the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth; and

(e) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.

And it also covers data of the person/entity that you are sending information to:

(a) the name of the beneficiary;

(b) the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;

(c) the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology; and

(d) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the beneficiary.
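To make the sender/receiver mechanics concrete, here is an added example (mine, not from this post, from any regulator or from any provider): a receiver-side completeness check that follows the (a)-(e) items quoted above, plus a second check that flags fields the sender attached which the regulation does not list at all, the data-minimisation concern raised further down in this Q&A. The dictionary keys, the `on_dlt` switch, the `uses_account` flag and the sample messages are constructed for this illustration; they are not the field names of any real Travel Rule message standard.

```python
"""Completeness and over-collection check for the originator/beneficiary
data that articles 14-23 attach to a crypto-asset transfer, following the
(a)-(e) list quoted above.  Added example: the dictionary keys below are
constructed for this illustration, not a real message format."""

ORIGINATOR = "originator"
BENEFICIARY = "beneficiary"

# Keys that map onto items (a)-(e).  Anything else a sender attaches is
# data the regulation does not ask for (a data-minimisation signal).
KNOWN_KEYS = {
    "name", "ledger_address", "account_number", "uses_account",
    "address", "country", "document_number", "customer_id",
    "date_of_birth", "place_of_birth", "lei",
}


def missing_party_fields(party: dict, role: str, on_dlt: bool) -> list:
    """Return the required items that are absent for one party of the transfer."""
    missing = []
    if not party.get("name"):                        # item (a)
        missing.append(f"{role}.name")
    if on_dlt:                                       # item (b): transfer is on a DLT network
        if not party.get("ledger_address"):
            missing.append(f"{role}.ledger_address")
        # the account number is only required where such an account exists
        # and is used to process the transaction
        if party.get("uses_account") and not party.get("account_number"):
            missing.append(f"{role}.account_number")
    elif not party.get("account_number"):            # item (c): off-ledger transfer
        missing.append(f"{role}.account_number")
    if role == ORIGINATOR:                           # item (d) applies to the originator only
        address_set = all(party.get(k) for k in
                          ("address", "country", "document_number", "customer_id"))
        birth_set = all(party.get(k) for k in ("date_of_birth", "place_of_birth"))
        if not (address_set or birth_set):
            missing.append(f"{role}.address_set_or_birth_data")
    # The LEI (originator item (e), beneficiary item (d)) is "where provided",
    # so its absence is never a defect.
    return missing


def extra_fields(party: dict, role: str) -> list:
    """Keys the sender attached that correspond to none of items (a)-(e)."""
    return sorted(f"{role}.{k}" for k in party if k not in KNOWN_KEYS)


def receiver_check(msg: dict) -> dict:
    """What the receiving provider does on arrival: accept the transfer as
    complete, or list what it has to ask the sender to supply."""
    on_dlt = bool(msg.get("on_dlt", True))
    orig = msg.get("originator", {})
    bene = msg.get("beneficiary", {})
    missing = (missing_party_fields(orig, ORIGINATOR, on_dlt)
               + missing_party_fields(bene, BENEFICIARY, on_dlt))
    extra = extra_fields(orig, ORIGINATOR) + extra_fields(bene, BENEFICIARY)
    return {
        "status": "complete" if not missing else "incomplete",
        "request_from_sender": missing,
        "not_required_by_regulation": extra,
    }


# Constructed sample messages: no real persons, addresses or accounts.
COMPLETE_ON_LEDGER = {
    "on_dlt": True,
    "originator": {"name": "Example Sender B.V.", "ledger_address": "0xEXAMPLE-ORIG",
                   "date_of_birth": "1970-01-01", "place_of_birth": "Utrecht"},
    "beneficiary": {"name": "Example Receiver", "ledger_address": "0xEXAMPLE-BENE"},
}
INCOMPLETE_ON_LEDGER = {
    "on_dlt": True,
    "originator": {"name": "Example Sender", "ledger_address": "0xEXAMPLE-ORIG",
                   "address": "Examplestraat 1", "country": "NL",
                   "document_number": "DOC-EXAMPLE",      # customer_id absent -> (d) fails
                   "ip_address": "203.0.113.7"},          # not among items (a)-(e)
    "beneficiary": {"ledger_address": "0xEXAMPLE-BENE",   # name absent -> (a) fails
                    "uses_account": True},                # account used but number absent -> (b)
}
OFF_LEDGER = {
    "on_dlt": False,
    "originator": {"name": "Example Sender", "account_number": "ACC-ORIG-EXAMPLE",
                   "date_of_birth": "1980-02-02", "place_of_birth": "Rotterdam"},
    "beneficiary": {"name": "Example Receiver"},         # account_number absent -> (c) fails
}

if __name__ == "__main__":
    for label, m in (("complete", COMPLETE_ON_LEDGER),
                     ("incomplete", INCOMPLETE_ON_LEDGER),
                     ("off-ledger", OFF_LEDGER)):
        print(label, receiver_check(m))
```

The `not_required_by_regulation` list is the part a privacy officer cares about: it shows a sender shipping an IP address that none of the listed items covers, which is exactly the kind of over-collection the EDPB's data-minimisation advice warns against. The `request_from_sender` list is the notify/remind step the post describes for the receiving provider.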

Why is the requirement challenged as disproportional?
Article 24 of the same regulation says that, when police show their badge, all relevant information of suspected customers must be handed over without delay. So law enforcement and governments can get all the info when they want it, as long as they demonstrate authority. This will mean due process is guaranteed and only individual customer data is handed over when an actual suspicion or involvement for money laundering and terrorist finance is at stake.  
Article 24
Provision of information
Payment service providers and crypto-asset service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established or have their registered office, as applicable, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation.
So this begs the question. If local and European police/law enforcement can get all the information they need at their fingertips for all cases related to money laundering and terrorist finance, why would we broadcast full transaction details to all the players in the value chain around the world? 
The practical, and constitutional, question under the EU treaties on fundamental rights is: is it truly strictly necessary, proportional and in line with the risk-based nature of anti-money-laundering regulation to send out and broadcast/disseminate all data for all transactions/originators/beneficiaries of all crypto-asset transfers (of which the vast majority have nothing to do with money laundering or terrorist finance) to all other virtual asset players in the world, including those in non-EU territories? 
What are the timelines for the annulment action?
As the regulation was published on June 9, 2023, there is until August 23, 2023 to file an annulment action under the rules of procedure of the EU. This is a request to the General Court to strike out a regulation or parts of a regulation which are deemed unconstitutional and where claimants have a direct interest to have the regulation being annulled.
Who will be filing the annulment action?
Right now the process of finding funders is well underway. There is a clear perspective on funding but the other challenge is to find the proper claimants and legal angle for this action. At present, Simon Lelieveldt is coordinating and executing the efforts to create the right setting for this annulment action. 
The main idea, at present, is to use the information, experiences and court case findings of the Dutch crypto community to align the claimants with a direct interest. These will be primarily virtual asset providers, their industry organisation and possibly individual clients who find their privacy violated/breached. 
The legal/compliance experts doing the action will be myself and the litigation law firm with whom we have previously been successful in litigating against the abuse of premature, non-risk-based prescription of FATF recommendations as a part of the registration process for crypto providers. 
What would motivate claimants, what are the interests at stake?
As a basic principle, it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that is inherently present in the current rulesets on anti-money laundering and fundamental rights of privacy and freedom of service delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of fines for transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands (see case law) and cost a lot of money. 
What are the chances of success?
While to the outsider it is evident that virtual asset providers and their industry organisation as well as NGOs such as Privacy First have a legitimate concern, the technical details of EU court proceedings may be more complex. So there are some hurdles and the challenge is to present the case with the proper angles/arguments as well.
In practice, the range of legal arguments is a bit wider than outlined above and it should be possible to find the right legal angle. The current first phase of the action is however still to validate the approach, risks and chances of success. If these appear too slim, the action may not start. 
How can I contribute?
No crypto funding is possible. This will trigger a range of detailed questions and such as well as possible blocking of my bank account under the current policies of my bank. Unfortunately my bank is doing this but that is another regulatory topic (and perhaps a later case in court). 
So, should you wish to support the annulment action, you can donate only in fiat, using the following details: S. Lelieveldt at KNAB Bank, international bank account number: NL86 KNAB 0615 8954 92 (BIC: KNABNLH2, Amsterdam, the Netherlands). International payments need to be done via intermediary bank ABN AMRO (BIC: ABNANL2A, Amsterdam, the Netherlands). 
Legal disclaimer: please understand that this is not a service agreement of some form but a donation allowing me to direct my energy/time or the resources towards achieving this goal in any way I see fit. This could be setting up a foundation, contributing to other relevant regulatory consultations or helping out other initiatives with achieving the same objective.

=====================
Further Q&As and background.

So are the articles 14-23 in the regulation proportional?
Previously the European Data Protection Board already advised strongly to limit anti money laundering regulations to stuff that is strictly necessary. See their letter of April 2021:
Pursuant to Article 52 of the Charter, any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. This means that legislative measures that limit the right to privacy and data protection have to be specific in order to correspond to objectives of general interest pursued and should not constitute disproportionate and unreasonable interference undermining the substance of those rights.
Now. Let's do our own research.
If a well-targeted article 24 for a limited set of citizens involved with money laundering and terrorist finance is in place, don't the articles 14-23, which apply to all citizens and all transactions regardless of their involvement in money laundering and terrorist finance, appear to be somewhat excessive? 
Implementing and changing the systems is very costly. It does not add any informational value but rather significantly increases the risk of data breaches for parties to the transactions. It is a disproportionate nice-to-have requirement for government which violates the main principles of data minimization. 
As such individual virtual asset providers may be fined by data protection authorities, sued by their customers or beneficiaries for infringing their fundamental rights or for damages due to data breaches. All these risks do not exist when only article 24 is in place as the formal legal nature/context of the policy request creates further safeguards.

Hey, is there also a third-party privacy issue popping up?

Yes indeed. This regulation is not only an infringement to customers of VASPs, but to all receivers of virtual asset transfers from the European Union. Those recipients will be unable to know where and which data on them has been submitted, stored and retained by the sending VASP as they have no legal relation with that entity. Yet the sending VASP processes their personal information and distributes it regardless of the existence of any provable relation to money laundering or terrorist finance. 

The consequence of this construct is similar to that for the Second Payment Services Directive, and the European Data Protection Board stipulated in its 2020 guideline that for this uninvolved third-party data, called 'silent party' data, controllers need to take serious precautions. 

In this respect, the controller (AISP or PISP) has to establish the necessary safeguards for the processing in order to protect the rights of data subjects. This includes technical measures to ensure that silent party data are not processed for a purpose other than the purpose for which the personal data were originally collected by PISPs and AISPs. If feasible, also encryption or other techniques should be applied to achieve an appropriate level of security and data minimisation.

Also the EDPB outlines that no other processing of data is allowed outside the scope of the regulation: 

With regard to further processing of silent party data on the basis of legitimate interest, the EDPB is of the opinion that these data cannot be used for a purpose other than that for which the personal data have been collected, other than on the basis of EU or Member State law. 

How about the international data transfer and privacy issues?

Yes, good point. The regulation is one-size-fits-all for crypto transfers, whereas for fiat transactions a distinction is made between intra-EU transfers and transfers between the EU and non-EU countries. This leads to the question of how non-EU countries deal with data that EU companies are forced to distribute all over the world.

In the immediate post-9/11 political discussion in Europe it became clear that European citizens and politicians were being cheated by the US government (which was harvesting EU data immediately after the 9/11 attack). A range of measures, discussions etc. followed after the illegal snooping of the US on EU customer data was discovered. This is also described by Mara Wesseling. In today's terms we can see a repeat of the topic in the Max Schrems discussions on Facebook data, which also have a serious bearing on financial transactions and financial transaction information exchange.

In essence, those discussions on legitimacy and data protection for international data transfer have not really been resolved. And the current EU regulation does not change it, as it obliges companies to distribute data to entities without proper assurance that the receiving companies/countries protect the data of customers sufficiently. Which means that all VASPs that fully follow this regulation can be held liable by data protection supervisors or citizens that face damages from data breaches and insufficient data protection measures of those VASPs. 

So why still this requirement, does it work in practice?

Well, all law enforcers/governments in essence just land-grab each tool in the toolbox and claim it is useful. And for this regulation they say: 'this is an obligation for banks too, so crypto must follow'. However, the bank regulation has been in operation for almost 2 decades now and no formal evaluations of its effectiveness and usefulness have been done. 

The fact that other players have the same obligation does not mean it is therefore suddenly proportional. Rather, it is disproportional to the other players as well, but those are unwilling to challenge the rule as over the years they are being fined into submission.

Where does this idea/requirement come from?

Way back from 1995 onwards, the world was less digital and we had little big data floating all around the world. Intelligence and law enforcement community were however keen to introduce far reaching KYC and data transfer requirements. The first efforts in the US were unsuccessful but the 9/11 attacks completely changed the momentum, as documented by Mara Wesseling in her dissertation:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism (p.90-91).

The story for financial institutions after 9/11/2001 was simple. A whole bunch of intrusive regulations were forced upon them with the following explanation: "If we need to get to a terrorist, we need to be aware of their transactions fast and early, and the current structure of paperwork and international law enforcement is too complex and time-consuming. So rather than file proper paperwork based on due diligence, we request financial institutions to broadcast the data all over the world so any local police officer can investigate the two legs of a financial transaction by requesting access to the transaction data at the local end."

Politically banks couldn't resist cooperating for fear of being branded cooperative with terrorists. And mind you, the terrorist approach was in essence an upgrade of previous efforts to get banks on board to do KYC to prevent money laundering. But that political frame got a bit outdated so the 9/11 attacks were a welcome present to the law enforcement/intelligence community as a momentum to change the scenery in a fundamental way.

What is the risk of this regulation?

In essence, the broadcasting requirement as it was implemented after 9/11 in banking was a shortcut for local law enforcement (or other national security offices) that would provide easy access to EU data in the US, for example. And make no mistake: local governments weren't waiting for the law to be in place; they just got what they wanted and started downloading SWIFT transactions within 2 weeks of the 9/11 attack. This became known only five years later, Wesseling explains:

The main risk involved in this data harvesting/broadcasting regulation is that it is used for other purposes in a way that is not specifically and officially set out in law. The application of the rule would then lead to processing of citizens' data without legal title. And it is exactly this challenge that one Dutch VASP, Bitonic, faced in 2020: either violate the AVG (the Dutch term for the GDPR) or the AML laws. 

Bitonic succeeded in challenging the supervisor's requirements related to this rule and then deleted all customer data that had been unduly harvested/collected. But in order to remain in business and keep their license to operate, they were first of all forced by financial supervisors to consciously violate the AVG. Close readers of the regulation will now understand what is meant by article 23. Supervisors will use this regulation to force payment service providers and crypto-asset service providers to restrict transfers of assets that are not to the liking of the supervisor and that are beyond the scope of the regulation itself.

23. Payment service providers and crypto-asset service providers shall have in place internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets under this Regulation.

Wasn't the constitutionality of this rule checked in the impact assessment of the EU?
Brief answer: Hardly. The political dynamics are: we copied the idea from the bank regulation and it's an obligation of the FATF and we're going to implement it. And then there is a page or three with a bunch of lip service to Data Protection Framework and privacy. Yes, we should limit to what is necessary and we will consult the European Data Protection Supervisor and perhaps also the European Data Protection Board. 

Have a look yourself. The impact assessment for this regulation lists the implementation of the requirement as one of several measures and does not evaluate possible alternate operational methods or proportionality. It does not contain the strictly necessary test for the requirements. It simply says: the Financial Action Task Force tells us to do it, and we expand the existing regulation towards crypto. Hence, the existing illegitimacy and disproportionality of banking rules on this topic are copied onto the crypto world. 
What would motivate claimants coming from the Dutch sector?
As a basic principle, it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that is inherently present in the current rulesets on anti-money laundering and fundamental rights of privacy and freedom of service delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands and the assumption that a financial supervisor will operate within the boundaries and limitations of case verdicts of the Court of Justice on privacy is theoretic. 
See the blog here: when applying for their registration as virtual asset service providers, the Dutch central bank forced providers to violate the GDPR by imposing an unconstitutional and unlawful requirement, based on the FATF requirements. This has resulted in very considerable additional cost to the business and violations of the privacy of customers. Virtual asset providers were facing the choice to either violate the GDPR or the AML rules, with a solution only coming via the intervention of a judge. This turned out to be very costly and - in hindsight - unnecessary. 

Rather than waiting for these constitutional accidents to happen again during the licensing process for MiCAR, the market players may wish to address them in advance to ensure legal clarity and compatibility with fundamental rights. 

Wednesday, August 09, 2023

Annulment procedure for the EU version of the FATF Travel rule

Ok, so you may have been reading a complex thread on social media about the European travel rule for crypto companies and the impact it has on fundamental rights to privacy and freedom to provide services. And you may be wondering. What is it? What's happening. How can I contribute? 

Well, it's a long story with quite some history (see this blog here, here and here) but I will try to summarize the situation as of mid August 2023. The blog may be adapted over time, by the way.

What is this annulment procedure all about?
Simply put, the European legislator decided to promulgate a regulation that obliges future virtual asset providers to broadcast personal data for all transactions along the international value chain for reasons of preventing money laundering and terrorist finance (while simultaneously requiring it to be handed over without undue delay if a police officer asks for it). 

This broadcasting requirement is in spite of abundant, repeated case verdicts of the Court of Justice that annul Directives and amend legislation which violates the proportionality principles and forgets the test of strict necessity of such measures (see also a detailed analysis in the dissertation of Carolin Kaiser, outlining the incompatibility of AML rules with Court of Justice rulings and EU Treaty rules on human rights). 

Where can I find the disputed requirement(s) in the EU regulation?
You will find it in articles 14-23 of the regulation, which outline a bunch of information to be added to crypto-asset transfers (or sent along via a separate communication channel). Senders should add the information, receivers should check whether it is there and notify/remind the sender when it is incomplete. All in all it is an elaborate set of instructions for all crypto asset players.

What personal data is involved?

Well, first of all, the fact that you as a customer (or receiver) own virtual assets (a fact that, see the Ledger hack, has proven to be very private and sensitive information). It regards the following information about the sender/originator: 

(a) the name of the originator;

(b) the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;

(c) the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;

(d) the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth; and

(e) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.

And it also covers data of the person/entity that you are sending assets to:

(a) the name of the beneficiary;

(b) the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;

(c) the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology; and

(d) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the beneficiary.
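As an added example (not code from this blog, nor from any regulator or provider), here is the receiving provider's completeness check over the originator and beneficiary items listed above: it follows the DLT/non-DLT branching of items (b) and (c), treats item (d) as originator-only with the date-and-place-of-birth alternative, and never demands the LEI of item (e). The class and function names are hypothetical, the sample messages are constructed, and the rule set is my simplified reading of the list, not the regulation's text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PartyInfo:
    """Information items modelled on the originator/beneficiary lists above (simplified)."""
    name: Optional[str] = None
    dlt_address: Optional[str] = None       # (b) distributed ledger address
    account_number: Optional[str] = None    # (b)/(c) crypto-asset account number
    address: Optional[str] = None           # (d) address including country name
    document_number: Optional[str] = None   # (d) official personal document number
    customer_id: Optional[str] = None       # (d) customer identification number
    birth_date_place: Optional[str] = None  # (d) alternative: date and place of birth
    lei: Optional[str] = None               # (e) LEI, only where available: never required


@dataclass
class Transfer:
    on_dlt: bool            # transfer registered on a DLT (or similar) network?
    account_used: bool      # is a crypto-asset account used to process it?
    originator: PartyInfo
    beneficiary: PartyInfo


def _missing_identifiers(p: PartyInfo, role: str, on_dlt: bool, account_used: bool) -> list[str]:
    """Items (a)-(c), which apply in the same way to originator and beneficiary."""
    missing = []
    if not p.name:
        missing.append(f"{role}: name (a)")
    if on_dlt:
        if not p.dlt_address:
            missing.append(f"{role}: distributed ledger address (b)")
        if account_used and not p.account_number:
            missing.append(f"{role}: crypto-asset account number (b)")
    elif not p.account_number:
        missing.append(f"{role}: crypto-asset account number (c)")
    return missing


def missing_travel_rule_fields(t: Transfer) -> list[str]:
    """Return the required items absent from a transfer message (hypothetical helper)."""
    missing = _missing_identifiers(t.originator, "originator", t.on_dlt, t.account_used)
    o = t.originator
    # (d) applies to the originator only: the full address set, or date and place of birth.
    full_address = bool(o.address and o.document_number and o.customer_id)
    if not (full_address or o.birth_date_place):
        missing.append("originator: address + document number + customer id, "
                       "or date and place of birth (d)")
    missing += _missing_identifiers(t.beneficiary, "beneficiary", t.on_dlt, t.account_used)
    return missing


def receiver_decision(t: Transfer) -> tuple[bool, str]:
    """Receiving provider's step: accept as complete, or remind the sender what is missing."""
    missing = missing_travel_rule_fields(t)
    if not missing:
        return True, "complete"
    return False, "request from sender: " + "; ".join(missing)


# Constructed sample messages (no real transfers or customer data).
COMPLETE_DLT = Transfer(
    on_dlt=True, account_used=True,
    originator=PartyInfo(name="A. Example", dlt_address="addr-origin-0001",
                         account_number="ACC-1", address="Example Street 1, NL",
                         document_number="DOC-1", customer_id="CUST-1"),
    beneficiary=PartyInfo(name="B. Example", dlt_address="addr-benef-0002",
                          account_number="ACC-2"),
)
INCOMPLETE_OFFCHAIN = Transfer(
    on_dlt=False, account_used=True,
    originator=PartyInfo(name="A. Example", account_number="ACC-1",
                         birth_date_place="1980-01-01, Amsterdam"),
    beneficiary=PartyInfo(name="B. Example"),   # account number (c) is missing
)

if __name__ == "__main__":
    for label, t in (("complete", COMPLETE_DLT), ("incomplete", INCOMPLETE_OFFCHAIN)):
        print(label, receiver_decision(t))
```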

Why is the requirement challenged as disproportional?
Article 24 of the same regulation says that, when police show their badge, all relevant information on suspected customers must be handed over without delay. So law enforcement and governments can get all the info when they want it, as long as they demonstrate authority. This means due process is guaranteed and only individual customer data is handed over when an actual suspicion or involvement in money laundering or terrorist finance is at stake.  
Article 24
Provision of information
Payment service providers and crypto-asset service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established or have their registered office, as applicable, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation.
So this begs the question. If local and European police/law enforcement can get all the information they need at their fingertips for all cases related to money laundering and terrorist finance, why would we broadcast full transaction details to all the players in the value chain around the world? 
The practical, and constitutional question under the EU treaties on fundamental rights is: is it truly strictly necessary, proportional and in line with the risk based nature of anti money laundering regulation to send out and broadcast/disseminate all data for all transactions/originators/beneficiaries of all crypto asset transfers (of which the high majority have nothing to do with money laundering or terrorist finance) to all other virtual asset players in the world, including those in non-EU territories? 
What are the timelines for the annulment action?
As the regulation was published on June 9, 2023, there is until August 23, 2023 to file an annulment action under the rules of procedure of the EU. This is a request to the General Court to strike out a regulation or parts of a regulation which are deemed unconstitutional and where claimants have a direct interest in having the regulation annulled.
Who will be filing the annulment action?
Right now the process of finding funders is well underway. There is a clear perspective on funding, but the other challenge is to find the proper claimants and legal angle for this action. At present, Simon Lelieveldt is coordinating and executing the efforts to create the right setting for this annulment action. 
The main idea, at present, is to use the information, experiences and court case findings of the Dutch crypto community to align the claimants with a direct interest. These will be primarily virtual asset providers, their branch organisation and possibly individual clients who find their privacy breached. 
The legal/compliance experts doing the action will be myself and the litigation law firm with whom we have previously been successful in litigating against the abuse of premature, non-risk-based prescription of FATF recommendations as part of the registration process for crypto providers. 
What would motivate claimants, what are the interests at stake?
As a basic principle it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that are inherently present in the current rulesets on anti money laundering and fundamental rights of privacy and freedom of services delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of fines for transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands (see case law) and cost a lot of money. 
What are the chances of success?
While to the outsider it is evident that virtual asset providers and their branch organisation, as well as NGOs such as Privacy First, have a legitimate concern, the technical details of EU court proceedings may be more complex. So there are some hurdles, and the challenge is to present the case with the proper angles/arguments as well.
In practice, the range of legal arguments is a bit wider than outlined above and it should be possible to find the right legal angle. The current first phase of the action is however still to validate the approach, risks and chances of success. If these appear too slim, the action may not start. 
How can I contribute?
No crypto funding is possible. This would trigger a range of detailed questions, as well as the possible blocking of my bank account under the current policies of my bank. Unfortunately my bank is doing this, but that is another regulatory topic (and perhaps a later case in court). 
So, should you wish to support the annulment action, you can fund only in fiat, using the following details: S. Lelieveldt at KNAB Bank, international bank account number: NL86 KNAB 0615 8954 92 (BIC: KNABNLH2, Amsterdam, the Netherlands). International payments need to be done via intermediary bank ABN AMRO (BIC: ABNANL2A, Amsterdam, the Netherlands).
Legal clarification: please understand that this is not a service agreement of some form but a donation allowing me to direct my energy/time or the resources towards achieving this goal in any way I see fit. This could be setting up a foundation, contributing to other relevant regulatory consultations or helping out other initiatives with achieving the same objective.

=====================
Further Q&As and background.

So are articles 14-23 of the regulation proportional?
Previously the European Data Protection Board already advised strongly to limit anti money laundering regulations to what is strictly necessary. See their letter of April 2021:
Pursuant to Article 52 of the Charter, any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. This means that legislative measures that limit the right to privacy and data protection have to be specific in order to correspond to objectives of general interest pursued and should not constitute disproportionate and unreasonable interference undermining the substance of those rights.
Now, let's do our own research.
If a well-targeted article 24 for a limited set of citizens involved with money laundering and terrorist finance is in place, don't articles 14-23, which apply to all citizens and all transactions regardless of their involvement in money laundering and terrorist finance, appear to be somewhat excessive? 
Implementing and changing these systems is very costly. It does not add any informational value but rather significantly increases the risk of data breaches for parties to the transactions. It is a disproportionate nice-to-have requirement for government which violates the main principles of data minimisation. 
As such, individual virtual asset providers may be fined by data protection authorities, or sued by their customers or beneficiaries for infringing their fundamental rights or for damages due to data breaches. All these risks do not exist when only article 24 is in place, as the formal legal nature/context of the police request creates further safeguards.

Hey, is there also a third-party privacy issue popping up?

Yes indeed. This regulation is not only an infringement to customers of VASPs, but to all receivers of virtual asset transfers from the European Union. Those recipients will be unable to know where and which data on them has been submitted, stored and retained by the sending VASP as they have no legal relation with that entity. Yet the sending VASP processes their personal information and distributes it regardless of the existence of any provable relation to money laundering or terrorist finance. 

The consequence of this construct is similar to that for the Second Payment Services Directive, and the European Data Protection Board has in 2020 stipulated in its guideline that for the data of these uninvolved third parties, called 'silent party' data, controllers need to take serious precautions. 

In this respect, the controller (AISP or PISP) has to establish the necessary safeguards for the processing in order to protect the rights of data subjects. This includes technical measures to ensure that silent party data are not processed for a purpose other than the purpose for which the personal data were originally collected by PISPs and AISPs. If feasible, also encryption or other techniques should be applied to achieve an appropriate level of security and data minimisation.

Also the EDPB outlines that no other processing of data is allowed outside the scope of the regulation: 

With regard to further processing of silent party data on the basis of legitimate interest, the EDPB is of the opinion that these data cannot be used for a purpose other than that for which the personal data have been collected, other than on the basis of EU or Member State law. 

How about the international data transfer and privacy issues?

Yes, good point. The regulation is a one-size-fits-all for crypto transfers, whereas for fiat transactions a distinction is made between intra-EU transfers and transfers between EU and non-EU countries. This leads to the question of how non-EU countries deal with data that EU companies are forced to distribute all over the world.

In the immediate post-9/11 political discussion in Europe it became clear that European citizens and politicians were being cheated by the US government (which was harvesting EU data immediately after the 9/11 attack). A range of measures, discussions etc. followed after the illegal snooping of the US on EU customer data was found out. This is also described by Mara Wesseling. In today's terms we can see a repeat of the topic in the Max Schrems discussions on Facebook data, which also have a serious bearing on financial transactions and financial transaction information exchange.

In essence, those discussions on legitimacy and data protection for international data transfer have not really been resolved. And the current EU regulation does not change it, as it obliges companies to distribute data to entities without proper assurance that the receiving companies/countries protect the data of customers sufficiently. Which means that all VASPs that fully follow this regulation can be held liable by data protection supervisors or citizens that face damages from data breaches and insufficient data protection measures of those VASPs. 

So why still this requirement, does it work in practice?

Well, all law enforcers/governments in essence just land-grab each tool in the toolbox and claim it is useful. And for this regulation they say: 'this is an obligation for banks too, so crypto must follow'. However, the bank regulation has been in operation for almost 2 decades now and no formal evaluations of its effectiveness and usefulness have been done. 

The fact that other players have the same obligation does not mean it is therefore suddenly proportional. Rather, it is disproportional to the other players as well, but those are unwilling to challenge the rule as over the years they are being fined into submission.

Where does this idea/requirement come from?

Way back from 1995 onwards, the world was less digital and we had little big data floating around the world. The intelligence and law enforcement community were however keen to introduce far-reaching KYC and data transfer requirements. The first efforts in the US were unsuccessful, but the 9/11 attacks completely changed the momentum, as documented by Mara Wesseling in her dissertation:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism (p.90-91).

The story for financial institutions after 9/11/2001 was simple. A whole bunch of intrusive regulations were forced upon them with the following explanation: "If we need to get to a terrorist, we need to be aware of their transactions fast and early, and the current structure of paperwork and international law enforcement is too complex and slow. So rather than file proper paperwork based on due diligence, we request financial institutions to broadcast the data all over the world so any local police officer can investigate the two legs of a financial transaction by requesting access to the transaction data at the local end."

Politically, banks couldn't resist cooperating for fear of being branded as cooperating with terrorists. And mind you, the terrorist approach was in essence an upgrade of previous efforts to get banks on board to do KYC to prevent money laundering. But that political frame had become a bit outdated, so the 9/11 attacks were a welcome present to the law enforcement/intelligence community as the momentum to change the scenery in a fundamental way.

What is the risk of this regulation?

In essence, the broadcasting requirement as it was implemented after 9/11 in banking was a shortcut for local law enforcement (or other national security offices) that would provide easy access to EU data in the US, for example. And make no mistake: local governments weren't waiting for the law to be in place; they just got what they wanted and started downloading SWIFT transactions within 2 weeks of the 9/11 attack. This became known only five years later, as Wesseling explains:

The main risk involved in this data harvesting/broadcasting regulation is that it is used for other purposes in a way that is not specifically and officially set out in law. The application of the rule would then lead to processing of citizens' data without legal title. And it is exactly this challenge that one Dutch VASP, Bitonic, faced in 2020: either violate the AVG (the Dutch term for the GDPR) or the AML laws. 

Bitonic succeeded in challenging the supervisor's requirements related to this rule and then deleted all customer data that had been unduly harvested/collected. But in order to remain in business and keep their license to operate, they were first of all forced by financial supervisors to consciously violate the AVG. Close readers of the regulation will now understand what is meant by article 23. Supervisors will use this regulation to force payment service providers and crypto-asset service providers to restrict transfers of assets that are not to the liking of the supervisor and that are beyond the scope of the regulation itself.

23. Payment service providers and crypto-asset service providers shall have in place internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets under this Regulation.

Wasn't the constitutionality of this rule checked in the impact assessment of the EU?
Brief answer: Hardly. The political dynamics are: we copied the idea from the bank regulation and it's an obligation of the FATF and we're going to implement it. And then there is a page or three with a bunch of lip service to Data Protection Framework and privacy. Yes, we should limit to what is necessary and we will consult the European Data Protection Supervisor and perhaps also the European Data Protection Board. 

Have a look yourself. The impact assessment for this regulation lists the implementation of the requirement as one of several measures and does not evaluate possible alternate operational methods or proportionality. It does not contain the strictly necessary test for the requirements. It simply says: the Financial Action Task Force tells us to do it, and we expand the existing regulation towards crypto. Hence, the existing illegitimacy and disproportionality of banking rules on this topic are copied onto the crypto world. 
What would motivate claimants coming from the Dutch sector?
As a basic principle it should not be up to individual providers of crypto services to be forced to litigate to resolve the conflict of laws that are inherently present in the current rulesets on anti money laundering and fundamental rights of privacy and freedom of services delivery. The EU regulator should assure compatibility with fundamental rights beforehand, but has failed to do so in this case.
The direct consequence is that providers individually and as a sector will be faced with high operational costs, disproportionate burdens and the risk of transgressing fundamental rights of their customers. This risk is not hypothetical: it has already taken place in the Netherlands, and the assumption that a financial supervisor will operate within the boundaries and limitations of Court of Justice verdicts on privacy is theoretical. 
See the blog here: when applying for registration as virtual asset service providers, the Dutch central bank forced providers to violate the GDPR by imposing an unconstitutional and unlawful requirement, based on the FATF requirements. This has resulted in very considerable additional cost to the business and violations of the privacy of customers. Virtual asset providers were facing the choice to either violate the GDPR or the AML rules, with a solution only coming via the intervention of a judge. This turned out to be very costly and - in hindsight - unnecessary. 
Rather than waiting for these constitutional accidents to happen again during the licensing process for Mica-r, the market players may wish to address them in advance to ensure legal clarity and compatibility with fundamental rights.