Showing posts with label FATF. Show all posts

Friday, June 14, 2019

FATF as in: Facebook As The Foe or Facebook As The Friend?

Dear Mr Billingslea, dear Members of the FATF and dear civil servants in the room,

As you are nearing the end of a very productive year I wish to commend you on your very hard and wise work of the last year. If we look back on the objectives that the President laid out for 2018-2019 we can see the many accomplishments of this year. It has been a very productive year and one that will be remembered for many years to come. Because you will define what FATF truly stands for. 

Of course there are some commentators who challenge the legitimacy of your work on virtual assets. They point out that your so-called open-ended mandate is by definition constrained by the boundaries set by Human Rights Treaties, UN Resolutions, the Fourth Amendment and rulings of the EU Court of Justice (Tele2) or the US Supreme Court (Carpenter). And they point out that the FATF Standards effectively lead to a privacy infringement under those Human Rights agreements. I leave those comments aside for now. Historians and judges may be the judge of that.

For now, I wish to draw your attention to a practical dilemma that you will be facing in the coming week. The dilemma is: does FATF stand for Facebook As The Foe or Facebook As The Friend?

The answer depends on your own view: which society do you wish to leave behind for your kids?

FATF: Facebook As The Foe
While you were looking out of one window, at the libertarian misuse of virtual currencies for all kinds of criminal purposes, you may have forgotten to look out of the other window: at big tech players such as Facebook and Google. Widening your view is of particular relevance now that you are about to endorse a virtual asset recommendation that obliges the names of citizens to be sent along with virtual asset transfers (one way or the other).

Let's take a closer look at Facebook. They have thrown the privacy of hundreds of millions of people under the bus. They opened up their systems to developers and allowed mass-scale harvesting of personal data by other companies. They have come under severe criticism for this. And they changed a lot of operations, moved people out and so on, all in order to counter the criticism about their harvesting of data. Bottom line: they need to remove personal data or ensure that they have proper consent from citizens who are properly informed about the whereabouts of their personal data.

Their latest project is a cryptocurrency / virtual asset programme, named Libra. It leads to the creation of a world currency, backed by a combination of assets. And Facebook will cooperate with other big tech and fintech players to make it happen. As the Wall Street Journal outlines:


FATF virtual asset rule: kryptonite to send and harvest personal data without caring about consent
I am wondering if you have thought through your recommendation on standards for virtual assets sufficiently. Are you aware that Facebook itself will become a huge Virtual Asset Service Provider? Are you aware that it is now soliciting other big tech companies to become verification nodes in its virtual asset programme? And are you aware that this means they don't have to ask any consent from the users of their coins to add name information in or with the transaction (whichever way they see fit, as long as they comply)? And that this information must also be shared with counterparts (if any), meaning that if I operate a verification node, I am sitting on the information as well?

The unintended consequence of what you are doing with the virtual asset rules is that, in times when personal data are the economic fuel of society, you are handing out kryptonite to all kinds of private sector players that want a free pass for passing on and harvesting personal information. All kinds of other companies may follow suit, as the FATF rule is really an easy tool in the box of companies that actively engage in regulatory arbitrage to avoid privacy rules as much as possible.

Facebook as the Friend...?
The other alternative is that the FATF effectively sees Facebook as a friend. You are aware of the above consequence and view it as a necessary one that will be very helpful in capturing the criminals of the future. That would mean that with the FATF rule you have deliberately chosen to marry big tech.

Now if I imagine the biggest data-harvesting company in the world marrying the worldwide law enforcers, I must say I am sort of afraid to imagine what their kids will look like. This would be too big a confluence of private and public sector roles and it will have a disastrous impact on the world. Some may argue that we were already living in Orwell's 1984, but with this rule you will have definitely sealed the deal.

What you may just do when agreeing to this virtual asset rule is outlaw all the citizens of the world. Their data are free for all to harvest, and in the process you will ride along to see if you capture a terrorist every now and then.

Historical data show, by the way, that all the virtual transaction data will not really help: evaluations of the impact of the travel rule indicate that the number of crooks preventively caught in 15 years of its use can be counted on one or two hands. It is always other law enforcement information that gets you to detect them beforehand, never the transaction data.

What will FATF stand for: which kind of society do you leave behind?
Will FATF stand for Facebook as the Foe and will you reconsider virtual asset article 7b?
Or will FATF stand for Facebook as the Friend and will you outlaw all personal data of world citizens?

Next week the choice is up to you. I have a hunch you will be going for the Facebook is my Friend model. Because in your groupthink you may be driven to annihilate all kinds of perceived criminal evil even when the tools for doing so are ineffective. Or just because you are inclined to do as you are told and answer the call of your bosses, who told you to approve the virtual asset rules.

Thereafter, you may end up seeing your choice annulled by judges. This may be the result of lengthy procedures or of geopolitical incidents in which one of the kids of the marriage of FATF and Facebook will have turned evil. And then each one of you in the room will have to answer to your citizens, politicians, children and grandchildren: how did you not see this coming?

Don't finalise the paragraph 7b text
I call upon you to consider the above with an open mind and an open heart.
Do the right thing: vote to reconsider or postpone finalisation of the paragraph 7b text.

Postponing allows for more time to explore all impacts and consequences and have a further debate on what you wish the true acronym FATF to stand for.

Simon Lelieveldt

Sunday, June 09, 2019

G20 and FATF should not infringe on the human right to privacy by prescribing mass surveillance for virtual assets!

Over the past weeks, I have been sounding the alarm about the envisaged FATF recommendations in the area of virtual assets. Essentially they require the private sector to build a privacy-leaking front door into all blockchain applications, so that law enforcement officials in the whole world will have useful information available nearby (rather than having to ask for it when the need arises).

While at first I merely looked at it technically, seeing it as a disproportionate, silly measure by regulators who don't understand blockchain technology, over the past weeks I have learnt that it could also be viewed as part of a larger debate on the human right to privacy. People sent me more information on this matter, including this dissertation (M. Wesseling: must read!).

The dissertation outlines how a similar measure in the banking domain (the travel rule) was first rejected in the US Congress, only to be adopted within weeks after the 9/11 attack. The dissertation also shows the mechanism of depoliticisation: making something a technical 'thingy' in order to avoid the true political debate on the public interests that need to be balanced.

State vs citizens: police versus privacy
What is at stake here is a political debate on the degree of surveillance measures that a society needs to prevent criminality versus the degree of human privacy and freedom that people need to live a dignified life in which they can communicate freely and are innocent until proven guilty (and not the other way around).

Let's have a close look at the two fundamental public policy issues at stake:

The human right to privacy in a digital age
Under UN Resolution 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court of Justice decision on data retention (ECLI:EU:C:2016:970), the EU understanding of mass surveillance of the personal data of innocent persons is that it may very well constitute a violation of the right to privacy where it is disproportionate and no sufficient safeguards are in place.

However, the human right to privacy is often not taken into account when developing anti-terrorist policies. Scientific evaluations of the implementation of such policies show that social side effects, such as excessive reporting of transactions and the privacy of citizens, (often) remain underexposed in public discussions. Similarly, a recent dissertation in the Netherlands clarifies that, when applying the EU Court of Justice criteria to the European Anti-Money Laundering Directive, 17 infringements of human rights can be identified.

Upcoming FATF proposal to prevent fraud/crime/terrorism and apply broad rules to virtual assets
This is exactly what is at stake with a recommendation that is phrased in paragraph 7b of an interpretative note for Recommendation 15 of the FATF. It requires all private sector entities to register and submit the names of the parties participating in a virtual asset transfer to all counterparts in the value chain. This is not based on suspicion of criminal behaviour but required as a standard data export for all use cases and all customers transferring virtual assets.

The virtual assets are defined as all non-regulated digital representations of value which may be transferred or held:
‘..countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”.

As such the rule effectively requires private sector market players to develop a messaging system (and adapt internal systems) to make sure future blockchain applications also function as a structure of mass surveillance. However, any law enforcement official may obtain the relevant information on a case-by-case basis with a proper legal warrant from the individual organisation involved in a virtual asset transfer. The proposed rule constitutes an unnecessary measure that brings the personal data of innocent people into the public domain, without any further proper guarantees for its treatment.

The rule has met with very heavy pushback during a private sector consultation (in spring 2019) due to its incompatibility with privacy laws and its unclear definition. The FATF members did not take this into account. Therefore, in the Netherlands, the NGO Privacy First joined the initiative of a group of virtual asset service providers (VBNL) to urgently request the Dutch Ministry of Finance not to approve the proposal. This has not led to any further response.

What disturbs me in the process is that the private sector has effectively formulated an adapted wording which would balance the two public policy interests more properly (see the redacted statement in the graphic below). But FATF officials and governments appear to ignore it.



The public policy train moves on towards the G20, without due process / democratic controls in place
Right now, the process underway is one in which we will see all kinds of news reports about the G20 Ministers of Finance discussing and deciding on virtual assets. We will see the FATF adopting its rule in its 16-20 June meeting. And then the G20 heads of state adopting it in Osaka. There will be many news bulletins and spins outlining how important and good these steps are. And the FATF will be complimented for its laudable work in this area. But don't be fooled by the spinning.

It is important to note that there has not been a sufficient and proper political debate on the balance between human rights and anti-terrorism measures. And as we already have Human Rights Treaties in place outlining that mass surveillance and retention of the data of innocent people are a human rights infringement, we can only conclude that our Ministries of Finance and Governments are about to make a major historical mistake that violates their own commitments to privacy. There is no reason to boast about that.

Are all governments and private sector players benevolent forever?
What is lacking is the fundamental helicopter view on the relation between states and their people. For this I refer to yesterday's blog post, outlining the fundamental considerations that led Phil Zimmermann to develop the encryption tool Pretty Good Privacy for the people:
"Zimmermann outlined one very significant theme during his speech. He noted that the assumption of a continuously benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society in such a way that a balance is guaranteed between the powers of government and those of the public. The public, the people, should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time."

It is too bad that our governments appear to be unable to properly balance the political interests at hand. The reality is that we do not live in paradise: both governments and market players may have ill intentions, and we should be open to that fact of life. In this respect it is clear that a range of private sector players provided more than one elegant suggestion that addresses the law enforcement perspective while still protecting privacy. Why would there be a reason to ignore this?

I do understand the dynamics however. In the words of Ian Grigg:
'It's hard to have a serious discussion on terrorism. It's too much of a magic password that shuts down critical thinking.'

What's up next is that we will need to resort to national and supranational courts to re-address this issue and correct our governments. Because, like it or not, the future of our democracies is at stake.


------
And a video on this same topic here, for those who are more into the looking/listening mode:



Thursday, May 09, 2019

FATF and EU need to fundamentally rethink their approach to virtual assets/currencies...

Virtual currencies have been on the radar of regulators for quite some time. Yet it is clear that they still struggle with definitions (which always happens when new technologies arise). The FATF is a key example now that it is seeking to harmonise international guidelines for applying FATF rules to the crypto world.

In this post I will look at some of the issues at stake and explain why the FATF exercise requires a lot more time and thinking before the FATF (or EU) moves forward. Do note that this is a long read, geared more to specialists in the field than to the general public.

For the public it boils down to this. The US is pushing all countries in the world towards a situation where, with each virtual or crypto transaction, your information needs to be distributed (by definition) to other players in the value chain.

But as the crypto definitions in countries diverge (and the FATF definition is ill defined, potentially covering everything in the world), the only sensible thing to do is to stick with the local definitions of crypto-assets and to demand that transaction information be stored locally at the point of transaction. Any law enforcer wishing to access that information should thus approach the relevant local authority for it.

Apart from this legal argument, we must acknowledge the recent regime changes in the world. It is by no means clear that countries that used to obey the law and follow the rule of law, will do so in the future. Thus, foreign law enforcers may become tools in the hands of local undemocratic rulers.

That is an additional argument that requires the EU (but also the FATF itself) to avoid the situation where a local law enforcer in an undemocratic country can get EU data by harvesting its home companies' data for the EU information, without having an appropriate legal warrant under EU rules.

And now for the long-read part of it...

Definitions: always tough
Back in 2012, the ECB had a hard time grasping the concept of cryptocurrencies. They used whether or not virtual currencies were regulated as their guiding principle:
A virtual currency can be defined as a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community.

The US regulator (FinCEN) chose the following approach in 2013:
In contrast to real currency, “virtual” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, virtual currency does not have legal tender status in any jurisdiction. This guidance addresses “convertible” virtual currency. This type of virtual currency either has an equivalent value in real currency, or acts as a substitute for real currency. 

FinCEN then applied the money transmitter laws in an extensive way to bring exchanges of virtual currencies into its supervisory remit.

Later on, the ECB changed its definition to:
For the purpose of this report, it is defined as a digital representation of value, not issued by a central bank, credit institution or e-money institution, which in some circumstances can be used as an alternative to money. 
The EU stance remained that cryptocurrencies did not conform to the definitions of funds and the like in EU legislation, hence their exchange and use was not regulated as such. Of course the integrity and consumer risks were identified and warned about.

In the FATF context (2015) we read:
Virtual currency is a digital representation of value that can be digitally traded and functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value, but does not have legal tender status (i.e., when tendered to a creditor, is a valid and legal offer of payment) in any jurisdiction. It is not issued nor guaranteed by any jurisdiction, and fulfills the above functions only by agreement within the community of users of the virtual currency.

While these definitions may seem to work at first sight, we still need some creativity to determine the boundaries of these virtual currencies. Essentially it is possible to bring any loyalty point scheme under these definitions, as they do not use a subject-based qualification to determine what exactly virtual currencies are.

At that point in time, when the focus was mostly on payments and the like, using the experience we had with e-money definitions, I suggested a framework based on the object of the digital values at hand (who can buy the tokens, and where they can be spent):


| | User cannot buy tokens at all (loyalty-type) | User earns tokens and can buy additional (hybrid of loyalty/payment) | User buys and sells tokens (payment-type) |
|---|---|---|---|
| Tokens used in digital issuer-domain only | World of Warcraft | World of Warcraft | Linden Dollar |
| Tokens used in digital or physical issuer-domain only | Starbucks | Nintendo Points | Digital payment/loyalty schemes for single retailers |
| Tokens used at other entities than the issuer | Frequent Flyer Programmes | Frequent Flyer Programmes | Bitcoin, e-money on mobile phones |


I think it would be fair to say that, while we pretend to have solved the application of crypto legislation to the payment-type currencies, we actually haven't truly done so. There are still classification issues pending, but they may have appeared too irrelevant to matter.

Enter: ICOs and token frameworks
The next stage, however, was the widening of the blockchain concept, the application of crypto to generic tokens and the use of tokens as a form of share, security or other representation of objects, value or cash flows. This led to great confusion all around the world about whether or not to view some tokens as security tokens, utility tokens and so on. So, while our first definition already had flaws, we chose a new wording to cover this brave new world: crypto-assets or virtual assets.

As ESMA noted in its warning on ICOs at the time:
Where ICOs qualify as financial instruments, it is likely that firms involved in ICOs conduct regulated investment activities, in which case they need to comply with the relevant legislation.
So the essential discussion of the application of financial law was left to local supervisors' interpretations and definitions of financial instruments.

The definition-side remained quite weak, with crypto-assets being loosely described as:
Crypto-assets are a type of private asset that depends primarily on cryptography and Distributed Ledger Technology (DLT). There are a wide variety of crypto-assets. Examples of crypto-assets range from so-called cryptocurrencies or virtual currencies, like Bitcoin, to so-called digital tokens issued through Initial Coin Offerings (ICOs). Some crypto-assets have attached profit or governance rights while others provide some consumption value. Still others are meant to be used as a means of exchange. Many have hybrid features. 

ESMA noted then that there were many variations and that it was not necessary to regulate all forms of crypto-assets. In 2019 they published an updated analysis, still with a very weak definition of crypto-assets:
Crypto-assets are a type of private asset that depend primarily on cryptography and distributed ledger technology as part of their perceived or inherent value. A wide range of crypto-assets exist, including payment/exchange-type tokens (for example, the so-called virtual currencies (VCs)), investment-type tokens, and tokens applied to access a good or service (so-called ‘utility’ tokens).

In their report they distinguish between payment, investment and utility tokens, only to immediately point out that this distinction does not cover everything. So the definition issue remains, as does the question: which type of digital token falls under which type of regulation? Hence the EU is in need of more clarity on the subject.

On the other side of the ocean, the SEC has further fleshed out how to interpret generic financial sector rules for digital asset issuance/use. In a long-awaited guidance note the answer ends up being: it depends on the way you structure the functionality of the token/asset and the use between investors and issuer. So depending on those features, it may well be a regular financial instrument, and facilitating trading may constitute the regulated business of operating an exchange.

The FATF approach: hammering financial services law into hardly defined virtual assets
In essence, the idea of the FATF is now to make sure all crypto-related business is covered by a layer of regulation that at least ensures proper KYC and AML/CTF rules. As such, this can be appreciated and understood as a recognition of the fact that cryptocurrencies and crypto-assets are here to stay. If we bring the sale of high-value items such as diamonds or gold watches under the FATF KYC/AML remit, it makes sense to also do so for digital goods/assets/cryptocurrencies (whichever legal status they have).

We do have a problem, however, which is that the definition used by the FATF since October 2018 is still shaky:
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. 

This definition is so wide that the FATF needs to explain:
The FATF emphasises that virtual assets are distinct from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the money of a country that is designated as its legal tender.

The further definitions of virtual asset service provider clarify the intent of the FATF definition: they wish to cover both the former virtual currencies and the ICO area, and they use a very broad definition to describe virtual asset service providers. These are companies that, as a business, conduct:
i. exchange between virtual assets and fiat currencies;
ii. exchange between one or more forms of virtual assets;
iii. transfer of virtual assets;
iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
v. participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset

These definitions are very shaky grounds to build on. One particularly troublesome issue is that the virtual asset definition has a negative part: it does not cover currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. It is a catch-all phrase that brings all loyalty points in the world under the FATF remit. Now, the FATF will of course say that this was not its intent, but as soon as you devise a crypto-based loyalty scheme, who is going to decide?

And taking it one step further: if I convert my multilevel marketing scheme into digitally represented agreements on a blockchain, do these new tokens qualify as a contract (not covered) or as a representation of value and thus as virtual assets? And how does this interpretation play out in the US versus the EU legislative context?

I am certain there is a host of applications/use cases where we will find the FATF definitions unsuitable for use. What about CO2 emission rights? World of Warcraft tools? Shared ownership of my house or my bicycle? I would urge the FATF to do some more thinking in that respect. The negative catch-all in a definition (it is a virtual asset when all other definitions in our recommendations fail) is just not good enough.

I can only commend the FATF on one point, however. The positive thing about the definition is that it speaks of a representation of value. This implies a monetary or self-invented value/currency. It does not state that it is about the representation of physical assets or objects (such as real estate). Nor that value can also be understood to consist of anything in the real world to which value can be attributed (i.e. everything).

Applying FATF money transmission rules to crypto-assets: technicalities!
Right now the FATF has closed its public consultation on applying the money transmission rules to crypto-assets. They are hammering a payments-network idea onto cryptocurrencies and crypto-assets alike, not just to demand identification and transaction monitoring. The idea is to also require the addition of originator and beneficiary information to crypto-transactions:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16

Whereas the approach worked in 2001, in a world where a payment was a payment, funds were funds and wire transfers were wire transfers, how can it work in a world where the core definition of virtual asset or crypto-asset is as fundamentally vague as it is in the EU and the US?

The whole exercise strikes me as a hasty effort, given that the authors have not noticed that the interpretative note for Recommendation 16 should also be changed to include virtual assets (exempting intra-VASP payments and e-commerce virtual currency payments from the scope). And it is clear that the US is driving the FATF to adopt the above change hastily, and without solid analysis, by June 2019.

To me, there is only one logical conclusion: in the decentralised world of virtual assets, with jurisdictions each applying different boundaries to crypto-stuff, there is no sufficiently harmonised basis to enforce the attachment of data to each transaction. Requiring service providers to hold the information and make it available on request is not a problem, but sending it out as we did with the former FATF-7 rules is impossible due to the patchwork of diverging definitions.

In my response to the FATF consultation I outlined this problem:

In addition I would like to note that the divergent legal status of virtual assets (considering their wide definition) in different countries may have the consequence that under some local laws the transfer is not financial in nature and will not be covered under the financial legislation and AML/TF frameworks. It is possible that a sufficient legal basis is lacking in some jurisdictions to apply the cross-border wire transfer regime to such non-financial transactions and that data protection regulations take precedence. This could be solved by applying the domestic wire transfer regime to transfers of virtual assets, regardless of their potential cross-border nature. The further application of this regime on the domestic level can then be geared to the specific legal qualifications for virtual assets in that specific jurisdiction.

My proposal is to follow the most efficient way. Strike out the part that says: submit the above information to beneficiary VASPs and counterparts (if any). It is simply not proportional or economically sensible for the FATF to demand the inclusion of privacy-sensitive information in crypto-transactions. Officers can have access by asking and demonstrating the lawfulness of the request via international channels. But the day and age of using local tricks and harvesting local companies for EU data should be over.

The area of digital assets and virtual assets is so ill-defined that the FATF cannot claim full competency, as the legal basis in a number of jurisdictions will not be there. We should also keep in mind that the catch-all definition (not elsewhere regulated under these FATF rules) is still written from the FATF's role of being the Financial Action Task Force, focusing on the financial industry and financial services as its main objective. So if my home country defines certain digital goods as digital goods and not in scope of crypto legislation, that to me would be the end of the remit for the FATF (and it would remain out of scope of the catch-all clause as well).
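The two data flows contrasted above (paragraph 7b as drafted, where originator and beneficiary names are submitted to the beneficiary VASP and every counterpart, versus the proposal to hold the data at the VASP and release it only on a lawful request) can be made concrete in a small model. The Python below is an added illustration, not code from this post, from the FATF or from any VASP; the VASPs, verification nodes, person names and the warrant structure are constructed sample data, and the functions are hypothetical. It counts how many parties end up holding each person's name under each design, which is the point made in the first post above about verification nodes "sitting on the information as well".

```python
"""Added example: exposure of personal data under two travel-rule designs.

Design "push": names travel with the transfer to the beneficiary VASP and to
every counterpart (verification node) in the chain, regardless of suspicion.
Design "hold": each VASP keeps only its own customer's data; an authority
obtains a named subject case by case against a warrant.
All parties, names and the warrant format are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Party:
    """A VASP, a verification node or an authority; pii_held is what it ends up knowing."""
    name: str
    pii_held: Set[str] = field(default_factory=set)


@dataclass
class Transfer:
    originator_name: str
    beneficiary_name: str
    amount: float


def transfer_push(origin: Party, beneficiary: Party, counterparts: List[Party], t: Transfer) -> None:
    """Design 'push': originator and beneficiary names are submitted to the
    beneficiary VASP and to every counterpart, as paragraph 7b requires."""
    origin.pii_held.update({t.originator_name, t.beneficiary_name})
    for p in [beneficiary, *counterparts]:
        p.pii_held.update({t.originator_name, t.beneficiary_name})


def transfer_hold(origin: Party, beneficiary: Party, counterparts: List[Party], t: Transfer) -> None:
    """Design 'hold': each VASP keeps only the name of its own customer;
    counterparts process the transfer without receiving any names."""
    origin.pii_held.add(t.originator_name)
    beneficiary.pii_held.add(t.beneficiary_name)


def disclose_on_warrant(holder: Party, authority: Party, warrant: Dict[str, object]) -> bool:
    """Case-by-case access: the holder releases one named subject only against a
    warrant it has checked. Returns True if something was disclosed."""
    if not warrant.get("lawful"):
        raise PermissionError("request lacks a lawful warrant")
    subject = str(warrant["subject"])
    if subject not in holder.pii_held:
        return False
    authority.pii_held.add(subject)
    return True


def exposure(parties: List[Party]) -> Dict[str, int]:
    """Number of distinct parties holding each person's name."""
    counts: Dict[str, int] = {}
    for p in parties:
        for person in p.pii_held:
            counts[person] = counts.get(person, 0) + 1
    return counts


def run_scenario(design: str) -> Dict[str, int]:
    """Constructed scenario: two VASPs, three verification nodes, one authority,
    one transfer Alice -> Bob, followed by a lawful warrant naming Alice only."""
    origin, beneficiary = Party("VASP-A"), Party("VASP-B")
    nodes = [Party(f"node-{i}") for i in range(3)]
    authority = Party("authority")
    t = Transfer("Alice", "Bob", 10.0)
    if design == "push":
        transfer_push(origin, beneficiary, nodes, t)
    elif design == "hold":
        transfer_hold(origin, beneficiary, nodes, t)
    else:
        raise ValueError(f"unknown design: {design}")
    disclose_on_warrant(origin, authority, {"lawful": True, "subject": "Alice"})
    return exposure([origin, beneficiary, *nodes, authority])


if __name__ == "__main__":
    for design in ("push", "hold"):
        print(design, run_scenario(design))
```

Under "push" the single transfer leaves Alice's name with six parties and Bob's with five, none of which needed it to settle the transfer; under "hold" Alice's name sits with her own VASP and, after the warrant, the authority, and Bob's name stays with his VASP only. The warrant check is the one place where data moves to a third party, so it is also the one place to log and audit.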

So much for the technicalities.

Applying FATF money transmission rules to crypto-assets: geopolitics
We should recognise that we are at a different moment in time than in 2001, when the FATF-7 rules were introduced. At that point in time the US was a beacon of democracy and the rule of law. But it isn't any more.

Its role became fuzzy when it turned out that US law enforcers had used the US-based servers of EU companies (SWIFT) to get hold of EU data. And this made the EU sensitive to the protection of its citizens against unwarranted, overly ambitious law enforcement in other countries.

We should again be sensitive. The EU, but also the FATF, also have an obligation to protect their citizens from undue harassment and intrusion by law enforcement authorities. And creating tons of data outside the consent-scope of the citizen does not sound like good protection at all.

Right now, we can witness around the world, an increase in countries with all kinds of 'strong leaders' that violate human rights agreements, do not obey the rule of law, that are involved in money laundering schemes, do not listen to lawful requests of their constituents and ignore climate agreements.

I think the EU has a duty not to cooperate with the implementation of so-called FATF requirements when it is clear they are increasingly unable to protect privacy and guarantee the lawfulness of the data exchange. Requesting other states to go get the data (and ensure that it is proportional) is a better way forward.

In sum: improve definitions and reconsider the worldwide distribution of transaction data for virtual assets/currencies
While I think that the FATF should fully reconsider its definitions and redo its homework, this virtual-asset momentum and this train that is being pushed by the US may be rolling too fast to stop it. So as a stop-gap one could propose to eliminate 7b or at least strike out the distribution line:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16
The FATF proposal is disproportional, technically unsound and uneconomic. We'd better store the citizens' data locally and ensure distribution on a piecemeal basis, based on solid legal grounds, only when there is a true virtual asset under local definitions.

To the EU I ask to protect my reasonable concerns as a private citizen and not implement the proposal that comes out, until it ensures that my data stay local where they are and are not distributed at large to possibly evil states, dubious countries and their law enforcers.

The latter holds particularly true when we can observe that the chair of the FATF, the US Treasury Secretary, is not living up to his national constitutional obligations to comply with the US law himself.


PS. I noted that the interpretative note to the recommendation actually also holds an additional new definition, apart from the main text:
1. For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).



Thursday, October 27, 2011

E-money: an innovation revisited...

I think it is fair to say that technology and payment innovation occurs in several 'rounds'. It's sort of a boxing game where enterprises seek their niche in terms of consumer/company services but also in terms of regulatory niches. This holds true in particular for the domain of e-money.

Some fifteen years ago (I feel quite old when writing this) the buzz was all about Mondex and e-cash: two new e-money schemes. The development of these schemes coincided with the increased use of the Internet as well as the use of mobile phones. And there was a lot of debate on which rules to apply. Should e-money issuers become banks or not? I remember setting up a specific branch organisation (11a2: here's the old website) and a conference on that specific issue.

While in this first round it appeared to be the case that anyone using digital coins for consumer payments needed to be regulated similarly, it turned out in a later round of regulation that some industries, notably telcos and transport companies, succeeded in convincing the regulator that their consumer money was not the same as the consumer money in banks. And this led to a reshuffle of all kinds of regulations to allow for this.

The regulatory developments of 2011 essentially mark the conclusion of this second reshuffling round of regulation on e-money. And the industry has adapted in the meantime and is now looking forward to the new challenges, as we see the further development of mobile phones, tablets and many other exciting new opportunities for e-money.

Should anyone be interested in the current state of affairs of the European e-money market or regulation, I would warmly advise signing up for the e-money conference of the Electronic Money Association (EMA). All players are there and all topics are on the table.

Sunday, November 04, 2007

Skimmers detected this morning

Nice article in the newspaper: attentive customers discovered a skimming device on an ING ATM. See also the two photos:
photo 1
photo 2

Monday, October 01, 2007

The beginning of the end: blocking payments for gambling...

Quite interesting: both the US officials (Treasury and Fed; see the proposed rule here) and the Dutch government seek to stop 'unlawful betting practices' by demanding that the banks that execute the payments block those.

Well, if we go down this road and allow our governments to dictate which payments which customers may send/accept (and instruct our banks to act accordingly), we may as well make the Treasuries our single national payment institution. This is what in my view will happen.

First the rules will be targeted to situations to which no one can protest: companies that sell child porn. This will get the first round of regulation off the ground.

Then the question will be: can we also stop payments to/from betting companies? Which is not so easy: in the Netherlands all betting (from abroad) not agreed by the Dutch government is viewed as illegal. But that is a political judgment call, stemming from the fact that our government earns money from some of those companies that it has provided with a betting license. With a little luck, you also get this second round of rules agreed.

Third, we will see how it's not the national government prescribing to block payments to/from specific companies/customers, but local police officers or DAs. And they'll also be allowed to automatically fine the users that try to make payments to those companies that are considered blacklisted. Because those users are doing something illegal too....

Now, while this last scenario appears politically impossible now, it won't be once we're used to the first two interventions.

It is quite bluntly a disgrace that politicians and policymakers so improperly and so recklessly invade our privacy and dictate our and the banks' behaviour. If the bottom line is that police officials are not sufficiently equipped to catch crooks... fine, provide them with more resources. But don't try short-cutting it by using tools/means that will only end up backfiring at some point in time.

Or as Kant would say it, put yourself in the position of the other and question yourself once again if the proposed ruling is fair to all involved...

Friday, September 21, 2007

Postbank puts link to Virus Remover from Kaspersky on its web

The attacks on banks continue in cyberspace. And to such an extent that Postbank found the need to warn its users to check their PC and use the Postbank Virus Remover by Kaspersky Lab. Apparently the virus listens for the login code and later on asks for TAN codes to be used in transactions.

Well, we've come a long way since First Virtual demonstrated in 1995 or 1996 that it was easy to eavesdrop on the web. By now First Virtual is long gone and the eavesdropping is done professionally. And the importance of user education increases by the minute.

Wednesday, August 15, 2007

Tweakers.net: virus attack on ABN AMRO

Although it is summer (or because it is summer...?) the news on internet fraud continues. Tweakers.net noticed that ABN AMRO had sent out a warning to its customers asking them to clean up their PC with a specific tool.

Why don't those criminals take a long vacation...?

Saturday, June 23, 2007

Amsterdam incident to capture Nigerian fraudsters

Last week De Koopman reported that the Amsterdam police had captured 111 Africans, in an effort to capture 419-scam artists. Local TV station AT5 discovered that the police had just raided a cafe where, just before an African-music concert, a lot of concert-goers were present.

In the end it turned out that only 2 fraudsters were captured and that the mayor of Amsterdam wasn't informed beforehand of the raid. And he stated he was a bit embarrassed about the whole situation.

Friday, June 08, 2007

Government simulates chaotic payments after hacking attack

See the article here that outlines that the Dutch Government simulated its response to a hacker attack that led to stops in payment systems, wrongly paid unemployment benefits, trains going wrong, etcetera. The government stated that the simulation went fine and the response of its officials was ok.

So we can rest assured that the government watches over us...

Wednesday, May 30, 2007

POS-skimming reported, hundreds of victims

See the article (in Dutch) in Nieuws.nl outlining that in the province of North Holland, the police received more than 160 notifications over the weekend that skimming had occurred (when paying in a shop). The POS terminal has been taken away by the police. The total sum of money involved is unknown. Banks did outline that of course customers would be compensated.

Saturday, May 26, 2007

P&S news 50 is out...

With:
1. ECB and European Commission – Joint statement on the adoption of the Payment Services Directive
2. PayPal Europe – granted banking licence by the CSSF in Luxembourg
3. United Kingdom – Google checkout launched in the UK
4. Sweden – New structure for cash handling
5. Visa payWave – contactless payment solutions get a global brand name

Articles, speeches and reports:
1. European Commission – SEPA conference for public administrations
2. ECB – "The new SEPA landscape from vision to reality (and back)", speech by Gertrude Tumpel-Gugerell
3. ECB – “Modernising payments: No pain no gain”, speech by Gertrude Tumpel-Gugerell
4. Banca d'Italia – Guidelines for the business continuity of payment system significant infrastructures
5. Bank of England – Financial Stability Paper No. 2 – A new approach to assessing risks to financial stability
6. Magyar Nemzeti Bank – April 2007 Report on Financial Stability
7. Sveriges Riksbank – The use of cash and the size of the shadow economy in Sweden
8. Bank of Canada – Modelling Payments Systems: A Review of the Literature
9. Bank of Canada – Managing Adverse Dependence for Portfolios of Collateral in Financial Infrastructures
10. Federal Reserve Bank of Kansas City – Interchange Fees in Australia, the UK and the United States: Matching Theory and Practice
11. Federal Reserve Bank of Boston – Study of Consumer Behavior and Payment Choice: A survey of Federal Reserve System Employees
12. Federal Reserve Bank of Boston – Update of the Consumer Payments Research Industry Reference Guide
13. Federal Reserve Bank of Boston – Emerging payments industry briefing: "Mobile phone: the new way to pay?"
14. CapGemini - World Retail Banking Report 2007
15. UEAPME – The European association of craft, small and medium-sized enterprises has published a position paper on the SEPA
16. ForeSee – Bank customer satisfaction higher through online bill payment.

ESI: gaming PSP and e-money institution: annual report

Readers that are interested in the 'hidden' world of gaming and payments for gaming may appreciate the ESI press release containing a description of the developments in 2006 for this gaming payment service provider.

Fiscal 2007 was a year of significant decline in ESI's North American payment processing business for non-domestic internet merchants for U.S. consumers. ESI's strategy during the year was focused on expanding its market in North America before the enactment of the Unlawful Internet Gambling Enforcement Act (the "UIGEA") which led to the cessation of the payment processing business for non-domestic internet gaming merchants for U.S. consumers.

Essentially they got stuck in US litigation over their payment service provision for gaming in the US. And the US authorities also seized a part of their assets (as with e-gold):
Subsequent to year end approximately US$ 8.31 million Merchant Reserve Funds in the USA were seized by the U.S. Department of Justice (DoJ). The company is continuing to work with the DoJ through its legal counsel to resolve the situation.

So they refocused, obtained an e-money license (for penetration towards Europe) and had an IPO saving their financial day...

- Obtained an e-money license from the UK Financial Services Authority. This allows us to launch our products in Europe.
- Sourcing investment for growth. The Company raised $10 million through an Initial Public Offering of its shares which listed on the Toronto Stock Exchange, on March 30, 2006.

Sunday, April 29, 2007

E-gold founders indicted

Ian's Financial Cryptography blog mentions that the e-gold founders are indicted and explains a bit of background. Nothing new here and nothing personal either. US cops and government are all around with this anti-gambling, anti-money laundering, anti-terrorist, anti-everything rage. They did so with ABN AMRO as well.

In doing so the US firmly succeeds in driving business away from its country for the sake of a good feeling. Because crime doesn't stop if you only pick out the obvious or nearby examples. It is a consequence of culture as well. And the source of all this bad stuff is of course the US culture (which has spread around the globe for quite some years) that values the pursuit of money, value and happiness as a core constitutional value.

So the US is essentially fighting itself, which will be an eternal battle if no cultural change occurs simultaneously. Meanwhile gambling sites focus on EU markets, ABN AMRO sells its US branch LaSalle in response to being fined, large companies leave the New York Exchange, making the whole of the US a puritan reservation and the remaining whities the indians of the future?

Wednesday, April 18, 2007

Dutch banks publish statement on SWIFT data transfer

Yesterday, the Dutch banks published an advertisement in all newspapers on the SWIFT case. This is the result of a silly debate between the data protection authority and the banks on this issue.

A silly debate because essentially there has been no breaking of rules by the banks, nor by SWIFT. There has indeed been a lot of political arousal, but that is not the same as breaking the law. And politicians should be smart enough not to agree rules on the one hand (obliging banks to cooperate with the police) and play stupid on the other hand (be angry if the banks live up to those rules).

Monday, April 16, 2007

Trustworthy Computing Resources: the internet battlefield

On the page of the Trustworthy Computing Resources there is a scary article on the Internet battlefield, containing a nice and complex graphic with all kinds of attacks. With the conclusion that:
it’s clear from the diagram that there is no silver bullet that will address all issues. The threats (spoofing, pharming, phishing, DNS-hijacking etc) are continuously evolving and blended together by the Bad Guys to form new attacks.

These issues call for a strategy which makes it easier for users to assess whether they are on the correct site (i.e. stronger mutual authentication) and moves away from using shared secrets to authenticate (e.g. username and password).

Sunday, April 01, 2007

ABN AMRO intensifies campaign to inform customers about viruses and risks

See this press release of the ABN AMRO Press Room to find out that this week's phishing expedition resulted in 4 people activating a virus and allowing a man-in-the-middle attack. Criminals immediately exploited the vulnerabilities by executing urgent transfers. ABN AMRO immediately compensated these four customers and has now taken the urgent payment transfer offline. Furthermore ABN AMRO intensifies its customer awareness programme with five rules:
1- check the lock and the ABN AMRO certificate,
2- always check the actual payments via the PC,
3- never open e-mails from someone you don't know,
4- only install software from trusted sources,
5- protect your PC with a virus scanner and a firewall.

Let's hope this helps.