Wednesday, June 22, 2022

Open Letter to European regulators on the migration path to a future EU crypto-market with licensed and trustworthy companies

In this blog post, I will share the letter below, which I just sent off to a EU Commission Official from FISMA. I hope the letter speaks for itself as I don't have the time to elaborate/explain. Do note that I did redact the letter slightly by the way, to make the blog post better readable. 

=== 

It has been a while since we had contact on the infringement of the Dutch government with respect to the AMLD5. I would like to notify you that, based on the evaluation  after two years as well as the outcome of a number of legislative procedures and consultations, it seems to me that the infringement complaint might deserve some new attention.

New infringement complaint due to recent legal developments

In particular the human rights/privacy infringement that the current AMLD might already constitute ay not have been sufficiently paid attention to, which I view as a omission, given that we know the EU Court of Justice position with respect to the Data Retention Directive (2014) and most recently, with respect to the PNR Directive (verdict of this week).

In addition the European Data Protection Board has made its concerns on the legitimacy and proportionality of the AML regulations very clear. Also, the Dutch Council of State issued an advice on proposed Dutch legislation, which in essence lays out a no to mass surveillance and transaction monitoring in the financial sector.

Considering the legal clarity that has now arisen, I may re-iterate my previous infringement complaint on the Dutch implementation on the AMLD5. I hope that the recent verdict of the EU Court of Justice as well as the additional documentation and information on the Dutch situation will provide a new evidence base which allow the Commission to asess the complaint with an open mind and considering the new evidence provided after two years of the law having entered into force here in the Netherlands.

New local evidence on lack of enforcement in Netherlands
As new evidence I would like to point out that formal statements by the Dutch Ministry of Finance clarify that large international players that should comply with the AMLD5 are not sufficiently being held to the law by the Dutch Central Bank, despite the sector vehemently requesting the central bank to do so (as of November 2020) in its role of a supervisor. As such DNB is bound to ensure a level playing field and fair competition in the EU, but the failure to supervise/enforce the law distorts the market terribly.

What we can thus now see here in the Netherlands is that large international players are willingly ducking the national legislation with the Dutch central bank being unable to enforce the law and only issuing a mere warning (which in itself does not constitute enforcement action under the supervision law). It is pretty clear that some large nonEU players are biding their time until the MICAR and AMLR arrive and hope to use the EU passport regime while taking the explicit risk to be fined for past wrongdoings and actively deciding to steer clear from registration (using all their means/efforts/lawyers to stall the discussion).

Strategic objective of the EU: don't give away the crypto-market to big tech as you did with the payments market
What the European Commission may be facilitating unwillingly, constitutes the giving away of the EU crypto market to international non EU players, that can be seen to be succesfull in their strategy (see the registration of Binance in France, while under investigation and enforcement action in the Netherlands, UK and a host of other countries). We have seen millions consumer fraud shift among non-regulated players in the Netherlands while these companies use opaque structures to service the Dutch market, channel funds to their systems. Recent articles in the Dutch Financieele Dagblad reiterate the lack of enforcement and damage this does to the existing industry.

Just as the EU regulator gave away the PSD2 market to big tech companies by allowing them to misuse their monopoly position on the 3rd authentication factor (biometrics) and platform dominance to force in the Google/Apple pay type of revenue skimming new payments, the EU regulator may also unintentionally invite non EU crypto players to take over the EU market, if the current infringements of governments (that allow their supervisors to let illegal/unlawful actors to play a waiting game for EU legislation instead of enforcing those players with a strict regime) are not addressed properly.

It is time for the EU Commission to show its true colours and understand the geopolitical relevance of having a strong EU bloc of cryptocompanies rather than an invited and facilitated monopoly of non-EU big platform players. Even if you decide to lay my fourth infringement complaint aside, please take note of the strategic damage that you might be doing if you accept that companies that did not honour EU laws when they were based on AMLD5, deserve preferential treatment by taking their applications for license in a first come first serve order.

A need for clear rules / incentive structure upon the shift to licensing regimes for crypto
The EU Commission should be a proponent of a migration regime for new AML and MICA-r regulations where EU companies and non-EU companies that have fully implemented all EU regulations of the EU states since AMLD5 get a preferred fast track treatment for their applications. Those that have not done so should not be able to gain any commercial or legal advantage based on the standard financial supervisor reasoning: let's start with the crypto companies first. Such a procedure would constitute a perverse incentive structure where disobeying EU law pays off.

Instead, those big international crypto companies that have in one or more EU states not complied with the current rules can be clearly considered of insufficient reputation/standing due to this fact. They should pay off their open non-compliance debt by both paying the fines applicable to ducking the rules so far and by being the last in line to receive a license under the new rules. In particular for legislation that seeks to avoid the risks of money laundering / illicit profit making, I fail to see why major actors in the market might be condoned by EU authorities or supervisors for previous, visible transgressions of EU-based local legislation.

I hope the Commission appreciates my point of view and its relevance for a future thriving crypo-market with properly regulated companies of good standing and willingness to comply with EU rules.

with kind regards
Simon Lelieveldt

Saturday, May 29, 2021

Crypto-episode as a part of the Dutch financial history timeline

Over the past two years a historic sequence of events unfolded in the Netherlands with respect to the introduction of a crypto registration regime for providers of crypto wallet and crypto exchange services. It is a very interesting episode historically as it bears resemblence with a number of previous/similar episodes where the Dutch central bank hits the breaks and stifles innovation. 

What is happening is that the Dutch central bank (DNB) is pushing very strict rules onto newcomers in the payments/crypto market, without having a proper mandate to do so. There is an age-old example of halting the introduction of the credit-card, as well as a 20-years old intervention with DNB stopping mobile innovators with e-money that I will not flesh out right now. 

What I will do is describe how over the past couple of years new payment institutions were forced into getting a licence instead of a registration as prescribed under the upgraded PSD2 (EU) directive. This is the relevant backdrop against which it is easier to understand why the crypto-industry faced a similar treatment in 2020. 

There was one difference however: this time, one company came prepared and succesfully pushed DNB back (disclosure: I am consulting that company on regulatory/compliance issues). 

PSD2-service: access to the account (8) requires a license in NL rather than registration

The brief version of the events that played out in the Netherlands for payment service institutions were the following. The European Commission added 2 new company activities to the list of activities that require further regulation. Service number 7 involved initiating payment transactions on behalf of the customer at another company: this required a full-on registration. Companies offering only acces to the account of customers at other banks or payments companies were subject to a less elaborate registration regime, as outlined in article 33 of the PSD2.

However in the Netherlands, despite a policy existing to not do topping up of Brussels rules, the Ministry of Finance and DNB have a tendency to ignore that policy. So the companies that only required a registration for providing access to the account under the PSD2 were made subject to a licensing regime. The consequence was not just an increase in burders but also unlogical duties being appliced to those players, for example the duty to do transaction monitoring themselves (while they did not initiate or execute any transaction). 

In an effort to be the first on the market many companies in the Netherlands tried to convince DNB that the license regime and subsequent market entry rules were illegitimate, but no one dared to take DNB to court. So as we say in the Netherlands, quite some companies had to swallow a melon and make serious extra costs. Still, the episode did quite some harm as to the legitimacy of the DNB supervisor as many legal counsels agreed DNB was evidently overstepping its legal mandate. 

The PSD2 registration process for payment institutions in the Netherlands is therefore to be taken into account on the evaluation of what happend to the crypto-industry. As it may have signalled to DNB itself that it could easily ignore European rules with no one in the market complaining, it signalled to the legal/regulatory market that rationally it could not be assumed that DNB would by definition operate within its legal mandate. 

Crypto-services: require a registration in the EU but turned into de facto license regime in NL

By end of 2017 and mid 2018, the Dutch Ministry of Finance and DNB were in agreement that a fast transposition of the AMLD5-directive would be needed to bring crypto-companies under the remit of the appropriate supervisory regime. The EU directive and its previous impact assessment was very clear; a license regime would lead to too much credibility/legitimacy of the cryptocompanies, so only a registration regime was to be implemented, with possible license regimes following in a next stage of EU regulation (known as MICA-r). 


However, on advice otf DNB, the Dutch Ministry of Finance started transposing the directive and consulted a licensing regime with the market in December 2018. As the actual rules of the license still bore resemblance to the registration regime mentioned in the Directive, the industries comments focused on unworkable technicalities and explanations by the Ministry. The formal legal advice of the Council of State however, was quite explicit and it advised against the introduction of the law as long as a supervisory license mechanism and supervisory rules would be part of it. It stated that the transposition of this EU Directive is not the place for such rules.

In response the Dutch Ministry of Finance changed the law and made a new version. In this new version, the label of the license regime was changed to registration, but the essence became more of a supervisory regime. As a new set of rules the Ministry included further inspections and checks of business plan, organisation, risk management etc originating from the Act on Supervision of the Financial Sector. The actual legal construct includes a detailed evaluation of the company, a revocation of registration when a company is no longer compliant with the rules and a prohibition to operate on the market without a registration. This is a supervisory regime in disguise, which is beyond the necessities of the AMLD5 and goes against the advice of the Council of State.

For further details on the development of the law you can read this article, then see an update of January 2020 because something interesting happened. By mid-december the government websites by accident displayed this letter of the central bank that fully confirmed its intentions to push for a license regime and license access conditions for crypto companies. FTM, the investigative journalists, published a full article on it by end 2019 that details the wording games used by regulator and supervisor to hide a license regime behide the wording: 'registration'. An English version of events can be found in this article

The article raised quite some concerns in the Senate where the Ministry of Finance very explicitly and repeatedly explained: no no, it's not a license regime, but a registration regime. There is a huge difference between the two, a registration is being done while a license is being granted. So with this assurance the market hoped that supervisor DNB would change its course. The market assumed that the supervisor would take note of parliamentary discussions and guidance/explanation of the regulator.

DNB applied de facto license regime/application process leading to court case / market pushback

In practice De Nederlandsche Bank did not alter its previous course or any of its intentions and applied the full on registration procedure for payment institutions to crypto companies. It forgot about its obligation to register companies in 2 months, forced the application of risk frameworks that were used in the trust office market and came up with a self-invented interpretation of the Sanctions law that was beyond the rules. This latter requirement meant that crypto companies, in order to be registered, had to fullfill an ex-ante requirement of asking screenshots/video's of customers software wallets for each transaction to be made.

Grudgingly the market complied to the illegitimate requirement with one crypto company Bitonic, taking the measure to court. The interesing fact was that they filed a complaint against a positive decision of granting the registration with the request to the judge to kick out the illegitimate registration requirement on those screenshots.


Now to cut a long story short: the court case attracted an online viewing of many thousands and lead to the judge ordering DNB to redo its homework. Finding out that it was impossible to explain how a square could have the form of a circle, DNB had to withdraw its requirement but only did so for this single company (although half a year ago, the market is still waiting on clarification whether the requirement will also be lifted for them). 

What actually happened in the Netherlands is that DNB was already anticipating stringent FATF rules that suggest that product introduction or licensing moments are the moment in time to exert pressure onto crypto-companies to make them do what supervisors want. In this case, the FATF rules are not yet adopted in Europa, so the central bank figured it could use an age-old Sanctions law to the same effect. 

The market however had already witnessed DNB overstepping its boundaries, turning EU registrations into Dutch licenses with undue requirements so Bitonic as one of the players came prepared and called DNB's bluff. And next up will be a discussion on supervisory costs for crypto-companies where the whole market will do so again. 

Historic pattern

The historic pattern at play here is the interplay between regulators and market, fuelled by media incidents and publications. When in the 1970s credit cards appeared in the EU market and markets were mainly national, it only took national consensus between market players and central banks to keep one of the players (Visa) out of the market. 

Later on, when EU rules dictated that all cards had to be allowed an fair competition would need to be in place, the central bank mainly stuck to its legal remit. For some time in the 1990s the central bank also assisted in analysing the market and promoting innovation, opening up the closed EFTPOS structure in the Netherlands in the process. Still, when instructed by European powers that be it succumbed to the request to exempt European mobile operators from the application of e-money rules in 2002/2003, to the detriment of small innovators in the market. 

Other than that, the legality regimes were most prominent as the basis for DNBs action (or inaction). Supervision was done so prudently that during crises the central bank didn't act convincingly and fast enough. Under media and political pressure, the course of the central bank became more politically inspired. It had to be seen as interventionist and proactive and whether or not this was fully based on legal rules was a consideration that moved to the background. 

Even the European Banking Authority noticed this and very politely didn't name the offendors FINMA and DNB by name, while this remark was directed at them:

164. The EBA has since observed that, in the absence of an EU‐wide approach, there are indications that Member States, in anticipation of a forthcoming FATF Mutual Evaluation or to attract VASP business, have adopted their own VASP AML/CFT and wider regulatory regimes. As these regimes are not consistent, this creates confusion for consumers and market participants, undermines the level playing field and may lead to regulatory arbitrage. This exposes the EU’s financial sector to ML/TF risk.

If history is any guide however, it may require more than one law suit to make DNB change course, so keep a close watch on the Netherlands because it appears as if -as in the Muppet lab- the future of tomorrows crypto regulation is being made here today.  

Tuesday, January 05, 2021

Response by Simon Lelieveldt to FINCEN consultation on crypto, travel rules and such

This blogpost/longread (below) contains the content of reflections, as sent to the FINCEN as a response to the consultation on travel rule for crypto (Docket No. FINCEN-2020–0020; RIN №1506-AB47). It is written from the Dutch and European perspective and what makes it relevant for the US is that the Dutch supervisor has already imposed an even harsher rule (verification of beneficairy wallet holder for self-operated wallets regardless of amounts involved) as an undue (and legally disputed) market entrance rule. 

The blog is written from a personal perspective, based on my market and regulatory experience with 25 plus years of banking, e-money, crypto and e-payments. In essence I recommend the FINCEN to steer away from behaviour that qualifies as a human rights treaties violation and not force the private sector to disobey the human rights obligations that they independently have under those treaties. Regulators should align legal requirements into a coherent framework and not place the burden of incompatible requirements at the doorstep of the private sector. 

Of particular interest in this respect is the recent announcement of the European Data Protection Board (of late december 2020) which outlines their committment to step up their game and ensure that no AML/KYC measure infringes on human rights principles of privacy and innocense presumption: 

The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union.

The brief version of my comments / summary is provided here, which is then followed by the detailed submission to the FINCEN, with hyperlinks replacing the footnotes of the original document.

======

Agency: Financial Crimes Enforcement Network (FINCEN)
Document Type: Rulemaking
Title: Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets
Document ID: FINCEN-2020-0020-0001

Comment:
Please find my contribution attached. Some highlights.

1. What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect the human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide with the relevant UN/EU Charters on human rights.

2. Why the FINCEN proposal is not justified: it continues the abuse of deliberate post 9/11 legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.

3. Do also note that the European Data Protection Board has issued a clear statement outlining the limits of surveillance by states and under administrative law. In this respect do also take note of the dissertation by C. Kaiser of 2018, outlining that the EU KYC rules may be anulled if challenged in European courts. From an analytical perspective this would also hold true for the US rules and their compatibility with the UN charter on human rights.

4. Practically speaking: the FINCEN is being sloppy with data. Data breaches of FINCEN have a huge impact which is not catered for in terms of risk analysis and side effects. These side-effects, when quantified, outweight the benefits to a huge extend and less intrusive solutions will be available. But history shows that you are not seeking less intrusive powers but seek to increase your information position out of an organisational drive to remain in the game and grow bigger.

5. Finally, don't kid yourselves as to the relevance of picking up these bread crumbs on the table. You are punishing the citizens of the world, while leaving all big money launderers unchallenged. Most relevant example is that you have been unable to really do your job properly, How come that a well known money launderer was even able to become president of the US? I think you may want to reflect on your own organisation and functioning first,

I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others.

Uploaded File(s):

  • FINCEN-response-Lelieveldt-2020-01-04.pdf
  • FINCENFiles-thread-Annex 1.pdf
  • Annex-2-Lelieveldt submission FINCEN.pdf

=====


Policy Division
Financial Crimes Enforcement Network
PO Box 39 Vienna, VA 22183
United States of America


Dear Secretary Mnuchin,                         January 4, 2021


I would like to share some reflections on Docket Number FINCEN-2020-0020, RIN number 1506- AB47, and the proposed changes outlined in, FinCEN, Notice of Proposed Rulemaking, “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.” 

Although you limit the timeline of submission to 2 weeks, I am pleased to be able to still contribute to the debate, as the situation in the Netherlands is even worse. Without advance notice, the Dutch financial supervisor, DNB, has used its powers as a supervisor of a simple EU registration regime for crypto players to force upon the industry an even more intrusive obligation for all crypto-players in the Netherlands to verify beneficiaries of cryptowallets, regardless of the amount. The requirements imposed during the registration process will be challenged in court and you may wish to monitor those developments.

What worries me is that FINCEN are about to try to outdo the Crypto AG intelligence coup (the technical backdoor behind the scenes) by installing an overly intrusive surveillance front-door for crypto. Although this may seem surveillance business as usual to you, it is certainly not. It is not only a violation of human rights treaties in itself, but you are also forcing this violation upon the private sector, which has an independent duty under the same treaties to respect the human rights. I am therefore copying my response to the UN Special Rapporteur on privacy in a digital age and respectfully suggest you consult and abide with the relevant UN/EU Charters on human rights.

So who is writing this? 

Now let me introduce myself further. I am writing in my professional/personal capacity and driven by a personal motivation that is reflected in the seal/logo and motto in the right upper corner: the NOW is the PAST is the PRESENT is the FUTURE. The moto is imprinted, using an old coin press, upon a wooden coin, made out of a 130 year old tree that stood on the Amsterdam exchange square. The tree, an Elm, witnessed time passing by and the development of society and financial markets. It symbolises the value I attach to cherishing history, learn lessons and use those learnings for todays developments. I hope you may appreciate my reflections from this perspective and rest assured, I’ll get to the actualities of FATF and European privacy discussions in due time. 

Professionally, I started out my career In as an industrial engineer in the financial sector by documenting and publishing a study on electronic payments (EFTPOS) regulation in 1989. In my research I revealed that the US Intelligence agencies had been pushing DES to become aninternational standard. At the time I did not have the ability however to put this finding into a broader perspective. However, more recently it became clear from the Crypto AG case that it was part of a long standing practice in which the US was actively pushing backdoors in technology, to ensure continued surveillance of all citizens and governments of the world. I think it is fair to say this is indeed the ‘Intelligence coup of the century’. 

Since then I embarked on a professional career starting out at ING/Postbank, moving on to become a policy analist at the central bank, charged with developing supervisory frameworks for electronicmoney in the 1990s. By the time that I contributed to European legislation and supervision for electronic money issuers, your organisation, FINCEN seemed to have made a strategic decision toposition itself as the go-to supervisor for all kind of modern payments and e-money. Although I think such a move may be analytically unsound and undesirable, I also view this as a natural reality ofinstitutional power politics. It is up to citizens, politicians, courts and private sector organisations to push back and hence my reflections in this letter.

Next up in my career, I worked extensively in the payments policy department of the Dutch bankers association. As such I was quite involved in the international rulemaking for banks and actually wrote the Dutch implementation guideline for the FATF7-rule (the origin of the travel rule). I was also a close witness to the SWIFT privacy incident and subsequent discussions on the EU privacy shield. Later on I moved towards a role as head of the department on financial markets and bank supervision of the Dutch Bankers Association.

What struck me in those days was the very anecdotal evidence and political framing arguments in discussions on money laundering and prevention of terrorist financing. It seems that 15 years later the situation hasn’t changed and I would suggest the FINCEN to disclose and evaluate more precisely whether its role has been effective and whether this proposed rule actually adds any value when doing a broad analysis of costs/benefits. I’ll get to that issue later.

Since 2011 I am active as an independent regulatory consultant and interim compliance manager for both government agencies and private sector entities. In this work, which mostly covers payment instritutions, e-money and crypto, I try to reconcile justified regulatory requirements with business constraints/demands. And yes, the important wording is: justified

Let me try and explain why the FINCEN proposal is not justified: it continues the abuse of legal design flaws/choices that undermine human rights by misusing administrative law, financial supervision law instead of following penal law procedures which have proper safeguards for human rights.

Sidestep: what use are consultations if you don’t want to listen? 

The Dutch scientist Dr. M. Wesseling has written an extensive and worthwhile dissertation on theinternational and European fight against terrorist financing and money laundering. The dissertation outlines that the US intelligence agencies have smartly used the momentum of the 9/11 attacks to get something they wanted: spying possibilities via the front door of financial transactions, bypassing formal legal and penal law safeguards, by pushing bank regulation and administrative rules. So what happened before 9/11?

A third important discourse concerned civil liberties. In 1999, the US Treasury proposed strengthened Know Your Customer (KYC) regulations. These proposals faced stiff opposition in the US Congress for anti-regulatory reasons, but the main issue at stake was concerns over privacy (Eckert, 2008, p. 213, Napoleoni, 2004, p. 219). The US Treasury received more than 200,000 negative responses to its proposal from all political backgrounds objecting to the proposed requirements for banks to obtain extensive private information (Donohue, 2006, p. 359). The KYC proposal was also criticized for being a potential source of mistrust and resentment of government, particularly among immigrants and minority groups, as well as an undesirable form of generalized spying and reporting on citizens (Cato Institute, 1999).

What FINCEN has seen in these 2 weeks of consultation will analytically not be very different from the responses that the US Treasury received more than 20 years ago. I would suggest that you include a review of those responses into your work, as they will undoubtedly be just as relevant.

Wesseling outlines how the 9/11 attacks changed the regulatory picture completely with civil liberties and human rights being:

The attacks of 11 September 2001 substantially changed the urgency and importance assigned to these different debates. The relative insignificance of the amounts of money involved in terrorism, the burden on the financial sector, the civil liberties implications of strengthened regulation, and the doubts about the use of UN economic sanctions, all became subordinate to the increased urgency of terrorism. 

Although the 9/11 Commission would estimate in 2004 that the total costs of the attacks was between $400,000 and 500,000 and concluded that the costs of the attacks were relatively low compared to the amounts of daily financial transactions worldwide (2004, pp. 186-189), a radically different conclusion was drawn in the immediate aftermath of the 9/11 attacks. 

Starving terrorists of their money had become a key objective within global governance. Likewise, financial regulation, such as Know Your Customer requirements, had been strengthened with little opposition from politicians, civil society or the financial and banking sector. Their current scope exceeds by far any previous initiative, making the contentious proposals of the 1990s look soft. Civil liberties, it was now widely accepted, had to be traded in if they constituted an opportunity for terrorists to ‘hide’. 

What I am saying here is that since 9/11 your organization is in a group think tunnel which has the effect of a religion or a cult. There is a dangerous liaison between intelligence agencies, tax authorities and financial supervisors which impose all kinds of intrusive rules under the FATF-umbrella as so-called: recommendations. Instead of revisiting the post 9/11 approach as a regulatory overshoot, the groupthink has remained intact as it comes in handy.

Or to put it differently. The US have since 2001 moved the angle of their intelligence attack from hardware based intelligence and surveillance to the informational front door that lies in financial transaction data. And this move is so useful and successful that US authorities are now even able to pull it off in broad daylight. Generations of bank personnel have become used to KYC/AML procedures that infringe on human rights. Now, from this perspective, it is clear that there is no way FINCEN will actually read or take on board any of the remarks in this consultation. As an institution the FINCEN has by now also brainwashed itself into believing its approach is valid and legitimate. 

The big design flaw is that instead of penal law, the whole construct of administrative law and bank supervision law is misused to ensure unbridled and unchecked data flow of innocent citizens to authorities all around the world. So it is fair to say that the FINCEN has successfully contributed to maintaining a climate in which a legal design flaw is used in combination with a cultural ideology to hypnotise/brainwash financial professionals in acting in violation of clear human rights such as privacy and the right to be viewed as innocent until proven guilty.

Please see also Annex 1 to this letter (threadreader page - twitter feed) for a further explanation of the idiocy of still using administrative law when fine penal law structures exist and can be enforced to catch money launderers and terrorists on a spearfishing pull-request basis without the extensive data broadcasting and datamining requirements stemming from the pre-platform pre-big data age 2001. Then again, you could also read the 1999 consultation responses. All answers are in the public domain already. The real question is: FINCEN, are you listening. Really?

FINCEN violates human rights as a business model and should not force companies to join them 

Under UN Resolution RESOLUTION 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportional and no sufficient safeguards are in place.

In this respect I can recommend the dissertation by Dr. Carolin Kaiser from 2018, outlining that – under todays case law and interpretations - the current EU regulation of KYC/AML may well be annulled by the EU Court of Justice. I am pretty confident that by analogy the same will hold true for US KYC/AML legislation when read against the UN Charter of Human Rights. But let us focus on the EU situation more closely. 

Last month the European Data Protection Board issued an important statement outlining the importance they attach to protecting the human right toprivacy in particular given the intrusive money laundering procedures that have arisen all over the world.

The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union. 

The EDPB therefore calls on the European Commission to be associated to the drafting process of any new anti-money laundering legislation in its early stages, with a view to provide legal advice on some key points from a data protection perspective, without prejudice to the consultation by the European Commission in line with Article 42 of Regulation 2018/1725 at a later stage. 

The EDPB is also ready to contribute to discussions within the Council of the EU and the European Parliament during the legislative process. Going forward, the EDPB stands ready to be involved and consulted in a timely manner by any European or international regulatory bodies or standard-setters, such as the Financial Action Task Force, currently chaired by an EU Member state, before issuance of the revision of their recommendations.

Coming back to the details of your proposed regulation. Human right treaties require that intrusive surveillance requires serious crime under human rights charters. It can hardly be argued that just the sheer use of unhosted wallets for higher amounts is a demonstration of this serious crime. The suspicion should come from formal police officers doing their job, not from private sector players which are obliged to snitch upon their customers and broadcast their data into all kinds of databases without reasonable suspicion being present.

Next up, you are also overlooking the fact that businesses are by themselves obliged to honour the human rights under the "Guiding Principles on Business and Human Rights: Implementing theUnited Nations ‘Protect, Respect and Remedy’ Framework", which were developed by the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises. The Human Rights Council endorsed the Guiding Principles in its resolution 17/4 of 16 June 2011.

It should not be up to companies to reconcile conflicting legislative objectives. It is up to regulators to steer clear from conflicts of law and not impose undue human rights violations onto companies.

FATF: continuation of the ill-footed surveillance model

FINCEN is engaged in a regulatory experiment that has been agreed upon by the FATF in the summer of 2019 or 2020. Confronted with the new blockchain / virtual asset technology, the choice has been made to push the travel rule into the blockchain world. The US has used its leadership position of the FATF to push this agenda item through. Which essentially sums up 20 years of anti-money laundering policies worldwide. 

In Annex 2 I have listed the blogpost with which I tried to warn the FATF/public in spring 2019 on the fact that pushing through a travel rule for crypto is just as useless as it was for banks back in the days. There is no sufficient quantitative evidence that any of those rules has really benefited finding criminals and preventing terrorist attacks (see the dissertation of M. Wesseling). It is a cost burden to all professionals in the financial sector and the resources spent could be better allocated directly to police forces or Ministries of Justice instead, as this warrants better protection of suspect individuals.

The recent evaluation of the FATF virtual asset travel rule clearly outlines the 2-step approach that is being taken. First force the travel rule upon registered/licensed players, then as phase 2 force them to verify the beneficiary of wallet transactions. This is a requirement which even goes beyond the R15 and R16 regulations for banks !!

If I read the FATF document correctly the FATF-members have agreed to not follow a similar policy line but to use the year 2020/2021 as an experimentation year. The 12-month review of the revised fatf standards on virtual assets and virtual asset service providers is clear that there is no real risk present:
53. However, jurisdictions did not consider that there was sufficient evidence to warrant changing the revised FATF Standards at this point at time. There was insufficient evidence demonstrating that the number and value of anonymous peerto-peer transactions has changed enough since June 2019 to present a materially different ML/TF risk. Further research could be undertaken with the VASP sector, academics and software experts and engineers to better understand the scope of the unregulated peer-to-peer sector. 

Yet, the document also gives a path to further experimentation per jurisdiction. If government authorities put the risk levels on high, they may start to experiment with additional regulations:

54. The launch of new virtual assets however could materially change the ML/TF risks, particularly if there is mass-adoption of a virtual asset that enables anonymous peer-to-peer transactions. There are a range of tools that are available at a national level to mitigate, to some extent, the risks posed by anonymous peer-to-peer transactions if national authorities consider the ML/TF risk to be unacceptably high. This includes banning or denying licensing of platforms if they allow unhosted wallet transfers, introducing transactional or volume limits on peer-to-peer transactions or mandating that transactions occur with the use of a VASP or financial institutions. As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools. Accordingly, there should be further work undertaken on the extent to which anonymous peer-to-peer transactions via unhosted wallets is occurring, the approach jurisdictions can take to mitigate the ML/TF risks, the extent to which the revised Standards enable jurisdictions to mitigate these risks and to continue to improve international co-operation and coordination.

Right now we have seen the FINMA issuing regulations beyond the informational travel rule, coming down to verifying the beneficiary of transactions. And the Dutch Central bank has also made thisrequirement a (disputed) prerequisite in their registration process for crypto companies. I view the FINCEN rules as a part of the same process.

What FINCEN is thus doing as a regulator/contributor to FATF discussion is something which could be called agile regulation. Where usually companies may seek to roll out products in not yet definitive form, I would qualify the current world wide regulatory approach on crypto assets and the travel rule as an agile form of experimentation, at the cost of the private sector.

Government agencies do not only have a duty to not write or impose conflicting requirements upon their constituents but also to ensure their actions are coordinated. But as the FATF intermediary paper says: As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools. 

What you are proposing as FINCEN (and will be rolling out, as I fail to see any true intention of finding an optimal regulatory solutions) is an uncoordinated regulatory measure which will lead to increased cost in a number of different jurisdictions for an industry that is worldwide by nature. 

The side effects of the approach is that FINCEN and other regulators are making sure that only larger well capitalised companies in the crypto space can survive (as they are faced with different costs in different jurisdictions). Both by nature and their effect, the proposed rule impedes innovation and leads to undesirable market structures.

FINCEN operational risk and failures 

Now let’s turn to the track record of FINCEN itself. I will be blunt in a Dutch way here. You fail to keep your records safe. For this rule it means that basically we can envisage that at some point in time hackers will have the possession of names/address of owners of bitcoin addresses. This is an impact beyond the Ledger hack (which was already scary). It is the equivalent of throwing all peoples bank account statements in the streets. Which cannot be undone and I don’t see any appreciation of the operational/privacy risks that you create in this way. 

The FINCEN-files leak shows that you will be unable to prevent this data from being safe. It also shows that FINCEN is unable to do its job properly. You are going after the crumbs on the table and leave the big money laundering industries and players untouched. Case in point: at present the US still has a President that may better be labelled the money launderer in chief. No FINCEN authority, no AML/KYC rules have been able to prevent this from happening. 

US from inspiration to dystopian example?

Each moment in life encompasses all its previous moments as well as its future moments. That is the meaning of NOW is the PAST is the PRESENT is the FUTURE. 

The FINCEN proposal is clearly born out of a tradition of illegitimate government action, spurred by overactive intelligence desires of the US. It is the second biggest intelligence coup in progress which may deter a whole innovative open source blockchain technology from maturing into beneficial society solutions. Because with these rules you are making virtual assets, distributed ledgers and digital tokens into data drones, to be automatically sent to government. 

I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others. 

Ir. S.L. Lelieveldt, CCP

Thursday, September 24, 2020

Facebook: a limited network exemption in the Netherlands?

Here is a brief post, to alert professionals in the field to the fact that Facebook Inc has in the Netherlands been registered as an exempt institution out of scope of the payments directive based on the article 3k/3l in the PSD2:


The filing occured in february 2020 but it is not the only entry in our registers. The same company holds an incoming EU-license, originating from Ireland, to do payments business as a cross-border service. So there is a generic incoming payments license (see the blog here), the discussion on Libra/Calibra (see here) but also a local exemption.

What is the exemption all about: origins

When we go back to the original legislation we see the PSD2 having an exemption for small scale payment methods. 

This exemption dates back to the e-money directive of 2000 which stipulated a waiver for small scale appearances of e-money. 


And this waiver was born out of the understanding of supervisors that it would not make sense to go about checking all kinds of sports events, local stadiums or situations where owners of closed loop ecosystems offered digital forms of money on cards. It specifically took out campus-money systems as too irrelevant to be concerned about. Although also those campus systems were bound to rules as to refunding on request, proper contractual arrangements and limits on the devices.

Exemption in practice for Facebook: for gaming

The register seems to outline in-gaming payments as the focus for the exemption: 

Facebook provides an in-gaming payment service which enables Facebook users to purchase digital content within online games.

Now, as I don't know the details of the mechanism at play, nor the considerations of the regulator, I do wonder how this works. Does this mean that if Facebook puts in place a closed loop payment environment for games, they steer away from all regulation? Regardless of their worldwide scope?

I don't think this was really the intention of that exemption, so I am a bit puzzled here. 

Or is it a crypto-asset?

The next question is: would it perhaps fall under the definition of crypto-asset of the recently proposed EU legislation:"

(b) ‘crypto-asset’ means a digital representation of value or rights, which may be transferred and stored electronically, using distributed ledger or similar technology;  

Technically I would say yes, because similar technoloy in terms of distributed ledgers is a wide concept, effectively encompassing all ICT-tooling available. But the jury is still out of course.


Where are we heading with Facebook in Europe?

While we can fuss about the small print, as above, I think the regulators would be well advised to look at the broader picture. Facebook has a bad track record in terms of supporting proper communication, democracy and being responsible to parliaments. It violates EU privacy laws and is taking the EU to court to push away that problem.

Meanwhile all the stablecoin reports have a huge red bulb flashing: watch out for worldwide bigtech platforms doing their own payment think and destabilising economies. Don't let them move. With the result that Facebook quickly rebranded its Libra initiative into a different name (separating profitable single wallet business from the dead-on-arrival Libra-long term identity play - see 3 blogs here).

Of course I might be missing something here in the picture. But if anyone can explain why it would make sense to exempt inpayment gaming payments on worldwide Facebook as a limited network, I am open to ideas.

 

Saturday, May 02, 2020

Contemplating 75 years of freedom: a dark story on three Dutch lessons never learnt

First of all I must warn all readers. This is not a happy blogpost. It is not funny. It is a dark and sobering tale of lessons that we should have learnt in the Netherlands. A tale about lessons that we never learnt. Lessons that still hold immense value today. Lessons that we owe it to be taken to heart when we reflect on the 75 years of freedom that we will celebrate next week.

From Rotterdam to Amsterdam: records and track records
This post connects two cities that I lived in for the longest time in my life. First of all; Rotterdam, the place of my birth. It was bombed to ashes early on in WorldWar 2. Except for one place: the city hall. Reason being? That's where the population records were. Cunning Germans, as my dad explained to me. 

Next up is Amsterdam, where the Anne Frank house and her statue form the background against which new children grow up in freedom. Where Stolpersteine remind us of those who lived here before us. Where the elder lady with her dog told us what is was like to grow up here. How the Germans were raiding the houses and pushing their bajonets into the ceilings to discover if people were hiding.

Amsterdam is the city of the 'dot-map'. It is the map that the Amsterdam city administration drew up on request of the occupying Germans, that wanted to know: where do the jewish people live?

It sounds like a simple question: an administrative thing, strange request perhaps, but why not just answer it? Let's cooperate collaborate. So the map says: One dot is 10 jews. Take it in and look history in the face.

The particular situation here in the Netherlands (J.H.Blom - source) was that our government had fled and the Germans put their officials in charge of the Dutch civil servants. This is a marked contrast with Denmark, where they let the Germans enter with the military but stayed in office and controlled their bureaucracy.

There is a lot more to read in the study of Blom but one of the very striking elements is the efficient bureaucracy in the Netherlands, in combination with a tendency to cooperate and answer properly to Authority. Whichever the source of Authority.

The very sad fact of the matter is that after the war we could learn that in Western Europe, the Netherlands turned out to be the country where 75% of its Jewish population died, as compared to 40% in Norway and Belgium, 25% in France and almost 0% in Denmark.

If we look history in the ugly eye, this is (literally) a track record that the Dutch must carry as a scar on and in their souls. A fact that obliges us to honour the deceased and make sure that we learnt something. But do we really?

History is distant and can be easily forgotten
This is all maps and statistics from earlier days. If we wish we can look away and forget. So let me warn you as I bring the lesson closer to home. To this end I draw on a pre-Corona visit that I paid to the excellent exposition covering 300 years of insurer Stad Rotterdam. now ASR. During the visit I stopped by and looked at the part on World War II, where I bumped into someone who turned out to have contributed to that part of the exposition.

He is a commited lawyer who until today still tries to resolve the administrative wrongdoings of the past. His story on what he found in archives, on what he did not find, was very sobering. He had seen files where a fanatic anti-semite employee hammered a J multiple times on the insurance policies of Jewish clients. And he explained how the Germans would start out with simple requests with more serious consequences kicking in later.

A typical example of this is the introduction of a generic duty to register and issue personal ID-s. This was formally introduced in October 1940 in the Netherlands and came info effect in April 1941. And then, one year later, all IDs of Jewish people needed to be stamped with a J. So we see bureaucratic evil of the end made possible by fairly innocent baby steps in the beginning.

Administrative witnesses of the insurance sector: during the World War 2
One of the most well known German tricks pulled in World War 2 in Amsterdam was the take over and manipulation of the Lippman Rosenthal brand by setting up a sort of second bank or branch-office with the same name. This second office was effectively German run and a 'robbery-bank' that sold off assets of Jewish clients. This bank plays a sinister role in the documents that I will be publishing here.

It started out with a request that Jewish people declare to their bank that they are Jewish, as via a specific Regulation, the only bank paying out the life insurances would be the Li-Ro-robbery bank. Here's the snapshot of the regulation and the form to be filled in.

Regulation outlining obligatioo to insurers to pay out
their clients only via the Li-Ro robbery bank

And here is the form and letter that people were sent. Please declare yourself to be Jewish.

Form with request to fill in if you are Jewish or not

Now the involved insurers didn't really all like this idea and they figured out: if we don't know for certain if someone is deceased, we can't really transfer all the money to Li-Ro bank. So the exposition shows a bank writing to the Li-Ro bank on this specific issue. 

Now beware of the answer which dates to January 1943.  I will translate it here:
Through the contact that we have with the relevant authorities we have been informed that Jewish people that have been deported by government order will be totally taken out of the society and nothing will be ever possibly heard of them. As a result they are, sort of automatically, also completely annihilated in respect to your administration but we note that, if no further measures are taken, their remaining insurances would continue to exist.
It will be clear to you that the circumstances in which the aforementioned Jewish people find themselves in society - but with respect to you as well - have lead to a situation that is equal to that where an insurance policy ends due to the death of the insured, which means that we need to find a way to bring those insurance to a pay-out.
We invite you, the pay to us the relevant reserves that you have amassed to this end, while deducting a considerable reward for the risks that you have taken.We look forward to your proposal.



Administrative witnesses: after the war
Imagine that you survived this World War 2. And that you want to claim the insurance funds that you are entitled to. And the response being: please can you prove that the person you are referring to is actually dead? Survivors of the war atrocities had to endure long and terrible administrative procedures to restore their rights.

Here is a witness that matters. It is a letter dating from 1950 and it is a declaration by a Red Cross official. It specifies the dates of deportation as well as the names of three survivors who have had to make a personal declaration to the Red Cross. It says that
... it is clear from the declaration of those three people (out of 33.000 deported to Sobibor), who stayed of a longer period in time in the camp, that almost all people that came to Sobibor were almost immediately being suffocated by gas and cremated afterwards. Given that nothing has ever been heard since the conclusion is that the person in question has died on 11-6-1943 of the consequence of suffocation.


No happy ending.... 
There is no happy ending to this story.

Survivors had to fight administrative wars and it took until 1999 before some sort of settlement was made between representatives of the Jewish community and the Dutch Insurance Industry. Part of the settlement is that a Foundation for individual claims SJOA has been set up. And until today the foundation is still actively assisting and doing research to do justice.

Which brings me full square back to my neighbourhood in Amsterdam. There are not just the silent physical reminders of history, the Stolpersteine in the streets. We also find reminders on the web, in this list of holders of insurance premiums. If I type in the names of the streets around me, their names come back to help me remember what happened.

Three lessons to heed...
We, society in general but the Dutch in particular, owe it to all of those who gave their lives during the war, hoping for true freedom, to heed three lessons we appear to have never really learnt:

1- we must better understand the mechanics, the workings of records, administrations and bureaucracies and the ease with which what looks like a legitimate government action can turn into an evil one that starts a persecution on illegitimate grounds,

2- we must remember that it is the atrocities of World War 2 that made us formulate the Human Rights Declaration, which formulates the fundamental rights that protect us,

3- we must cherish and protect our fundamental right to privacy as one of the most important defenses against bureaucracies turning evil.


Tuesday, February 04, 2020

Perspectives on (Ca-)Libra #3: Why the Libra is not e-money (on the history of e-money and stablecoins)

Quickly after the announcement of Libra, I, stated that Libra could not be viewed as e-money. Now has come the time to explain my earlier analysis (of June 2019) as to the organisational set up and regulatory qualification of Libra.
Libra is a privately issued and distributed digital  and virtual ‘currency’, that is intended to function as a means of payment. It is not a true currency because its actual composition/counter value is a basket of fiat-currencies and financial instruments. It is not e-money as the Libra is not ‘monetary value’. The digital value qualifies as a financial instrument (a mini-participation in an open ended investment fund) and is used in an open source payment instrument, to be used for payment and acquiring. Both payments and securities legislation apply, as well as the relevant competition and consumer protection rules. 
The Libra association is a manager of the governance and operational arrangements and activities that come with using the virtual currency Libra and participating in the Libra (payment) scheme. This Libra scheme is a private and commercial arrangement which:
- defines a unit of account for a new virtual currency: the Libra,
- defines the asset mix that backs one currency unit,
- lays out the distribution and management rules of the currency units and reserve funds,
- lays out commercial rules and does a private placement to further promote the use of the Libra by giving them away (for free or at a discount). 
Definitions of e-money and term: monetary value
The reason why Libra, as a basket of different currencies, cannot be considered e-money is that it doesn't qualify as such under the definition as it is not monetary value. And to comprehend the definition we must understand that the e-money directive has had a first version and that the European Central Bank was clear on its analysis. E-money is a fiat currency in a digital shape and must be treated as such in terms of: reporting requirements for monetary aggregates, redeemability (at par), assurance that customer fiat money equivalent was kept safe etcetera.

The definition and use of the term 'monetary value' in the first version reflects that all we could think of was digital tokens that one-on-one reflected the physical or existing scriptural account-money forms. This is particularly clear from the consideration 19 in the Opinion of the central bank on the first draft directives.


What we can see here is a central bank ensuring that redeemability against the fiat currency is obliged, in combination with a definition of e-money which does not allow offering e-money at a discount:
"electronic money" shall mean monetary value as represented by a claim on the issuer which is:
(i) stored on an electronic device;
(ii) issued on receipt of funds of an amount not less in value than the monetary value issued;
(iii) accepted as means of payment by undertakings other than the issuer.
Redeemability
1. A bearer of electronic money may, during the period of validity, ask the issuer to redeem it at par value in coins and bank notes or by a transfer to an account free of charges other than those strictly necessary to carry out that operation.
To me, the full analysis and reasoning behind the e-money rules, can only mean that e-money thus covers the 100% forms of convertible fiat currencies. The whole regulatory construct and monetary safeguards in the e-money directive wouldn't work for other constructs. Also, the idea of issuing anything else than a digital equivalent of fiat-currency would have been hypothetical.We are talking the days that each digital player would seek maximum acceptance of the public of any new forms of payments, by piggy-backing on the trust/security mechanisms of the fiat instruments. Introducing a non-fiat-related digital currency was just a step too far and it's not what the E-money directive was meant to support.

When the second e-money directive came in and was aligned with the EU payments directive, it changed some of the structure and definitions. The ECB opinion as to redeemability and monetary matters remained unchanged however, so in essence the rules are still of the same construct. E-money means a one-on-one converted form of existing fiat money and all kinds of monetary statistics, redeemability etc are still in place for the wide variety of mechanisms that now use this regulatory avenue.

We must also understand that at that time we were nowhere near the existence of worldwide consumer platforms with such inherent power to dictate an alternate currency alongside fiat currencies. But now we do have those, including one that tries to issue and launch a Libra. Given the EU e-money directive however, the only reason this Libra would qualify as e-money is when it would be a 100% EU currency backing the Libra. As this is not the case, the Libra will not qualify as e-money.

Should we adapt the EU definition for e-money then?
In theory one could argue that the e-money definition needs adjustment in order to allow the Libra basket of currencies to be regulated. But this doesn't make sense from a financial instruments/securities perspective.

Whenever you dilute a 100% currency basket in the users own currency towards a different asset base, you reform the token at hand into a investment basket. The user is exposed to an additional form of currency and counterparty risk, which does not exist when using the 100% e-money form. Of course the issuer of the financial instrument can proclaim the new asset base to be stable. Or almost stable, but the rules of the financial instrument game are different. If you issue such combinations of assets, you must warn the user of risks, assess whether he/she may be up to the investment/risks that they are taking and so on.

Not obliging Libra to have to do so would be creating an uneven playing field towards all kinds of other providers of financial instruments that equally seek to provide their financial services to customers via a similar asset package that can be bought in tiny portions. In addition, the monetary concerns involved in overissuance of the e-money product may go beyond the geography of the central banks involved as monetary authorities in the currency basket. Merely allowing a basket of currencies as backing for an e-money product would not be consistent with the ECB analysis on relevant monetary considerations and rules to ensure financial stability.

So, as stable as you may give your product a name or try to sell it to the public or regulators, all regulatory and market experts know that no currency basket will ever be stable. Effectively, suggesting the fact that it would be stable for the end-user would be mis-selling of the product, misleading the consumer and what have you. So name it stablecoin as you like, but it remains a risky participation in an investment fund/currency basket. And all rules under EU securities to such investments do apply. Meaning disclosure rules, but also rules as to who can trade/distribute this instrument. It will not at all be open to trade for everyone, without restrictions.

Does paying with Libra involve a payment instrument then?
Next up is the question what exactly qualifies as a payment instrument in the Libra setup. In my view the financial participation is a digital asset/financial instrument. And of course, if you wish, such an instrument could be used to pay. Rather than sending someone digital fiat currencies, the provision of the tradeable digital financial instrument would consist the payment. The payment with Libra would thereby be a payment in kind, as if I exchange a bread for a bottle of water.

So is there a payment instrument involved and where is it?

Next up is the question if we can see a payment instrument, a payment order and a payment transaction under the Payment Services Directive, leading to the placing, transferring or withdrawing of funds. I think the main idea in this respect is to take the intentions of Libra to serve as a worldwide payment system as a starting point. This means we will have to take a close look at the question if tools are provided to the user (yes) meaning those tools (wallets) may qualify as payment instruments, if they move funds, which are defined as:
banknotes and coins, scriptural money or electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC;
If the Libra is not banknotes and coins nor eletronic money, we only have the wonder if it could qualify as scriptural money. But this is indeed where it becomes a bit complicated. As the ECB put it, when advising on the Payment Services Directive:
12.10 The term ‘scriptural money’ is used in the proposed directive without being defined, e.g. in Article 3(b), Article 4(8) of the proposed directive and paragraph 7 of the Annex to the proposed directive. It is suggested that a definition of scriptural money should be established (in the definitions article), bearing in mind that only central banks and credit institutions (which include e-money institutions) may hold such funds.
So we have two options. We could consider the Libra issued by Libra association to the Libra association members (who are all registered security companies, allowed to offer, trade and sell financial products to the public and each other) a form of scriptural money. This is not illogical, given the explicit intentions of the Libra association and it would require the regulatory flexibility to allow for a self issued unit of account / securities product to be viewed as a form of money.

The other option is of course to not view the Libra as scriptural money and not apply the Payment Services Directive to a payment instrument which has a worldwide scope and impact. Although this may sound illogical, it is not illogical at all. The apps and tools that are used to pass on the Libra to other consumers would still have to comply with all securities related regulations. Users would have to sign up, pass suitability tests, issuers, brokers and exchanges of the Libra would need to have their MIFID licenses and such, so the customer would still be protected.

The exercise does show however that the Libra association has had little consideration to the relevant EU requirements and definitions when choosing Switzerland as their jurisdiction. Their guess may have been that they might be able to convince the local regulator to bend the rules a little, but the choice of a currency basket (and financial instrument structure) effectively deters its worldwide inclusive use for cross-border payments. Alternatively, a choice for a single currency basket might work, which would make it regular e-money, to which the PSD and all kinds of KYC/AML rules apply. Yet, this would mean that there needs to be a single issuer in the business model, as the reselling of e-money is prohibited under the EU regulations.

It is this considerable ignorance of relevant EU rules that has made it clear to me that Libra and Facebook will at no point in time be able to make their business model work. A brief visit to any innovation hub at any central bank would have made the above inconsistencies clear, but they apparently chose to ignore this. And the reason may be that the Swiss policy papers on stablecoins may have provided them with the impression that there was some leeway here. But even the relevant local supervisor has explained to them that both securities and payments legislation applies and that their business model will not work.

Then again, this is Facebook, pushing and moving so why could they have been so wrong in their assessment?

My hunch is that Facebook have applied a US centric approach to the whole regulatory debate on issuance of stablecoins and forgot how the regulatory regimes between EU and US differ. But for that I refer to the PS.

The main conclusion for now is: Libra does not qualify as e-money and the transfer of Libra might constitute a payment transfer, depending on the view one has with respect to the application of the word scriptural money under todays context.

February 5, 2020


PS. Regulatory regimes for stablecoins (US) and e-money (EU)
To put this in perspective for US readers, I want to shed a regulatory light onto the difference between stablecoins and e-money and the relevance of 1990s legislative landscapes in the US en Europe with respect to payments. The background against which the e-money directive was being developed here in Europe, was one in which - just as now - all over the world, people were thinking about the best forms of regulation of a new phenomenom: e-cash: electronic cash or Internet cash.

At that point in time I worked for the Dutch central bank and I investigated the difference between the existing regulatory regimes in Europe and in the US payments (see the American Law Review article here). And the big thing to take away here is that:
- the US had both banking supervision laws and money transmission laws,
- Europe did not have money transmission laws and only bank supervision regulation (somewhat harmonized under EU rules).

The consequence of this difference is that the US regulators had a clear money transmission framework that they could use, to apply to new forms of Internet payments and digital coins. In essence they all proclaimed new internet payment stuff to be some fort of money transmission, either by their design or by their nature. And thus: the regulation of those new forms of payment was easily done. No change in laws was required.

In Europe, there was no uniform payment legislation on a European scale. Different member states had different local rules on payments. We had to have a euro in place and many years of deliberation before we even ended up with a harmonised Payment Services Directive in 2007. So we had no payments legislation but we did have some form of e-cash begging to be regulated somehow. As the ECB had clearly outlined its concerns in this respect.

So the fierce debate in Europe was: should e-money be considered the functional equivalent of banking?

The main reasoning was: upon issuance of an e-money token of 1 euro, the issuer receives one euro of the public. This means attracting deposits from the public, which is part of the banking definition. Whereas central banks and Ministries of Finance felt this way, the Ministries of Economic Affairs succeeded in convincing them that an intermediate, light-weight banking regime should be set up. So we got an E-money Directive, creating EU license regimes for organisations that issue electronic money to the public, upon receipt of regular fiat money, which electronic money is then used for all sorts of payments.

The digital e-money had to be issued and redeemed at a 1 on 1 level (at par) and the e-money organisation had to safeguard the full reserve in a separate financial vehicle (or insurance arrangement). No license would be given if the safeguards weren't in place, so this means that the European e-money regime boils down to a regulatory regime which safeguards e-money. Or, what most US people would view as stablecoins (digital tokens, to be issued, traded, sold and transacted on the basis of an at-par rule with the original fiat currency).

Now back to the US. Initially the US payments regulation thus seemed well suited to adapt to new technologies. The birth of the bitcoin and other currencies created an issue. In essence, the US regulators didn't care to define a separate token or form of e-money into their payments regulation. They just stated that virtual currencies were a form of currencies and hence the money transmission regulations should be in place somehow.

Therefore Tether and TrueUSD are registered with the Fincen, but without the legal European safeguards in place to guarantuee the peg. Then again the New York bitlicense regime does have those safeguards, but it is clear that no US regime for stablecoins exists. We can see that the US now lags in regulatory terms. It has fragmented state laws on payments, where EU caught up with harmonised payments legislation and harmonised e-money legislation. And the European e-money regime is essentially the unified EU stablecoin regime for tokens that seek a 1-1 peg with a fiat currency.