On Wednesday, I covered the misleading messaging around Europe's proposed new anti-money laundering law, which was advertised as "banning anonymous crypto wallets." That wasn't really true: the law affects only third-party custodians, not software or hardware wallets.
However, it turns out the rules, while not banning self-hosted anonymous wallets, could indirectly strangle them.
This article is excerpted from The Node, CoinDesk's daily roundup of the most pivotal stories in blockchain and crypto news.
The provisions, and the larger strategy behind them, point to genuinely scary encroachments on financial freedom and should be opposed.
On the other hand, these pernicious portions of the European Union rules could be narrowed or removed before they are slated to be implemented in 2024. According to members of Europe's Data Protection Authority, they may violate Europe's recently implemented "General Data-Protection Rules," or GDPR.
The poison pill is in article 58 of the proposed rules (full PDF here):
 "Owners and beneficiaries of existing anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes or crypto asset wallets shall be subject to customer due diligence measures before those accounts, passbooks, deposit boxes or crypto-asset wallets are used in any way."
According to Simon Lelieveldt, compliance adviser for the Dutch crypto exchange Bitonic, this language would require that both the owners of hosted crypto wallets and the owner of any crypto wallet they transact with, including self-hosted wallets, be subject to know-your-customer procedures under the new rules. (At least in the U.S. we tend to use "beneficiary" to mean the recipient of assets after the owner's death, but in this context, it just means transaction recipients.)
This, Lelieveldt argues, is part of a larger strategy to kill anonymous crypto wallets.
"In sum, the travel rule is used as a wedge to push decentralized [wallets] into a legitimate custody world, making all else illegitimate and criminalized," he told CoinDesk. "And it will be used to ban anonymous wallets from existing in the regulated world. Hence the expressed intentions of the (European) Commission are correct."
Lelieveldt delves into the point in this excellent Twitter thread, and has written at length about Bitonic's successful confrontation with similar rules.
It's hard to say whether European authorities fully comprehend how draconian, malicious and outright absurd this measure is. At the highest level, it could be seen as making it illegal for any custodial crypto account holder to withdraw their holdings as cash. It sets a European agenda fundamentally hostile to the right to transact privately on the internet.
It's also very hard to imagine how it would work. The Financial Action Task Force (FATF), which broadly sets the agenda for international anti-money-laundering (AML) measures, itself says it "is not aware of any technically proven means of identifying the person that manages or owns an unhosted wallet, precisely and accurately in all circumstances." Any system for linking identities to on-chain wallets would be subject to errors and abuse, for deep technological reasons.
But even more disturbing is the indirect nature of the initiative. As I wrote Wednesday, the proposed rules do nothing to directly "ban" self-hosted wallets. But they would create a huge moat between third-party hosted wallets and self-hosted wallets, significantly undermining the utility of cryptocurrencies. Like residents of urban neighborhoods bifurcated by U.S. expressways in the mid-20th century, crypto users would be cut off from each other, undermining the technology's promise of peer-to-peer transactions.
Shockingly, this is an explicit enforcement strategy floated by the FATF in a March guidance document on virtual assets (thanks again to Lelieveldt for the tip here). The document includes a list of "options to mitigate risks posed by P2P [peer-to-peer] transactions at a national level if the ML/TF (money laundering/terrorism financing) risks are unacceptably high. This includes measures that seek to bring greater visibility to P2P transactions, as well as to limit jurisdiction's exposure to P2P transactions."
(Remind yourself here that "jurisdictions' exposure to P2P transactions" is a synonym for "citizens' rights to transact freely.")
The FATF's third recommendation for controlling peer-to-peer transactions is "denying licensing of VASPs (virtual asset service providers) if they allow transactions to/from non-obliged entities (i.e., private or unhosted wallets)."
Now, there is some good (and fairly funny) news here. Before the draft AML rules were circulated publicly, the European Financial Commission received a fairly stern letter from the European Data Protection Board (EDPB), which oversees the enforcement of Europe's General Data Protection Rule. When it was implemented, GDPR was largely seen in the context of social media and advertising, coming as it did in the wake of the Cambridge Analytica data scandal.
But the Data Protection Board is making it crystal clear that it regards financial data as subject to GDPR, too. And though the letter tiptoes around the issue, it hints that the board may regard the proposed new AML framework as flawed.
"The EDPB … has repeatedly noted the privacy and data protection challenges related to the AML framework … a fair balance has to be struck between the interest to prevent money laundering and terrorist financing, on the one hand, and the interests underlying the fundamental rights to data protection and privacy, on the other," the letter said.
The board points to principles including "data minimization" and "necessity and proportionality" as key to crafting AML regulations that don't violate GDPR. Digging into these is a task for another day. But suffice it to say that requiring transactors' detailed personal information be sent with every large financial transaction, as current AML rules often do, does not mesh easily with those principles.
"Why broadcast 99.8% of redundant data of innocent citizens via the payment channels to capture 0.2% of the people [committing crimes]," Lelieveldt asks, "in a day and age where other surveillance technologies are better suited? Data breaches [of financial services] are just around the corner." Rules requiring on-demand delivery of data about suspicious transactions to police, he says, would be just as effective while preserving privacy.
The new AML rules, moreover, could create a perverse incentive for companies whose data-centric business models are being threatened by rising privacy standards such as GDPR and Apple's recent opt-in tracking feature.
Companies like "Cambridge Analytica (or Facebook itself) will jump at the opportunity to use the FATF-crypto travel rule to push all the customer data along to all business partners under the pretense of complying with FATF rules," Lelieveldt warns.
It would be great if cooler heads prevail and Europe's AML rules are revised before they're implemented. But whatever the letter of the law, it seems unlikely that the Data Protection Board has the heft to go up against the Finance Commission, which can just start talking about "terrorist financing" and use fear to push through pretty much whatever it wants.
Fighting back is going to require broad resistance. It's time for loud voices from around the world to make themselves heard.