28 Jun TFOFR – INATBA Second Response with Amendment Suggestions – Update

INATBA’s initial response on the AMLR was issued in March 2022. It featured three key obstacles for the proliferation of crypto assets set forth by the texts of the AML Package, and it focused primarily on the Transfer of Funds Regulation (TOFR) – more commonly known as the Travel Rule – which inscribes the Consumer Due Diligence (CDD) requirements for all Crypto Asset Service Providers (CASPs) that transact with crypto assets.

The three key obstacles were:

• Definitions; Which Should Reflect the Industry More Accurately than in AMLD, AMLR and TFOFR.

• Applying the principle of “same risk, same rules” to AML requirements (Threshold).

• Exchange consumer information accompanying transfers of funds across multiple CASPs while protecting privacy.

This document expands on the initial key obstacles by listing the specific articles that are in question, providing an alternative wording of these articles and the rationale behind these proposed changes. These proposals feature the insights and consensus of INATBA’s 170 members.

Please note that this document will touch upon the three issues listed above, but also expand upon them. The primary reason for this is because of the now-public versions of the file which feature two additional drafts from both the European Council and the European Parliament. These texts were not public when our initial response was made. The additional texts, with their own amendments to the original file, provide both amendments that are on par with INATBA’s initials suggestions, but have also proposed changes which further hinder the blockchain and crypto-asset industry in Europe – sometimes more so than the original version of the ToFR.

As this file moves into the Trilogues, it is of paramount importance that the key topics highlighted in this second, descriptive output are corrected before the file passes into law. A principled approach which follows proportionality, business and technology neutrality, and the listed goals of Europe for Blockchain technology must be followed by policy-makers.

INATBA and its members are always open to industry feedback and bilateral conversations with the policy-makers working on regulations aimed at the blockchain and crypto-asset industries. To provide any additional feedback, please contact us at secretariat@inatba.org. INATBA will continue to advocate for the changes needed for the file to achieve its goals without hindering the growth of our industry.

 

Executive Summary: 

In this document, INATBA and its members expand on the amendment suggestions needed to harmonise the regulation with the realities and potential of the European crypto-asset and blockchain industries. 

This document will analyse the initial text proposed by the Commission and the follow-up versions with amendments written by the Council and European Parliament (EP).

Firstly, the EP’s version expands upon the definitions of hosted and unhosted wallets, clarifying one of the biggest sources of confusion seen in the original document. INATBA thanks the Parliament for their proposed change. 

However, both Council and EP versions do not tackle significant items raised by INATBA members, and sometimes proposed amendments which countered the direction that our members believe this regulation should be moving to. Namely, the Council’s proposal removed the 1,000 EUR reporting threshold, making any and all crypto-asset transactions eligible for CDD requirement – something significantly more onerous than both the Commission’s version and FATF recommendations. In addition, the requirement placed on CASPs to not only collect, but also verify, any and all CDD data provided by their customers creates a substantially less friendly environment for the growth of this industry in the EU, which will be largely ineffective and raises significant consumer protection issues. 

Simply put, INATBA members believe that CASPs, the innovation, talent and job creation they bring, will relocate to other jurisdictions which are unreachable by the proposed regulation. Since crypto-asset services are digital and web-based, it will become substantially harder for European authorities to enforce these requirements to nonconforming CASPs. This is a very real possibility, and one that only a balanced regulatory approach can effectively curb. 

INATBA welcomes any and all suggestions from interested parties on these documents and on our amendment suggestions, and implore policy makers to reconsider some of their positions. This document will expand further on the rationale and suggested wording of key highlighted articles in all three of the TOFR’s versions.

Article 3 (16 & 18a)     Issue 1: Definitions

_________________________________________________________________
Original Text of the Commission: 

N/A

_________________________________________________________________

Amended Text by the European Parliament:

For the purposes of this Regulation, the following definitions apply:

(16) ‘provider of crypto-asset transfers’ means any natural or legal person whose occupation or business includes the provision of services relating to the transfer of the property of crypto-assets on behalf of another natural or legal person.

(18 a) ‘unhosted wallet‘ means a wallet address that is not held or managed by a provider of crypto-asset transfers;

_________________________________________________________________

Rationale Behind Change:

INATBA members support the efforts to clarify the definitions of the TOFR.

Definitions were highlighted on the original response document since they were incomplete. The update of the definition of unhosted wallets matches our proposal and we thus support the European Parliament’s amendments. Members also encourage policy makers to change the term from “Unhosted Wallets” to “Self-hosted Wallets”.

To expand slightly, amendment (16) has INATBA’s support as it covers the important part of FATF’s VASP definition that was not fully translated into MiCA’s CASP definition, although there are intricacies that need to be reviewed, especially for M2M micropayments. (18a) clarifies the description for unhosted wallets, simplifying what technology and products are in scope of these requirements.  INATBA members are in support of this amendment made in the EP’s version of the document.

However, there are concerns among the industry that amendment (16) regarding the definition of “provider of crypto-asset transfers” is imprecise and would have unforeseen consequences for the emerging machine economy. Service providers that offer technical integration with smart devices, for example smart cars paying for road tolls or smart meters automatically trading excess energy, would face new requirements which would make the use cases unworkable. Such definition should be consistent with the MiCA definition of Crypto-Asset Service Provider (CASP) in article 3(8) and with 3(9) related services involved in transfer in the sense of TFOFR, namely the placing, execution of orders and exchange of crypto-assets; and even direct or indirect platform management services facilitating the transaction (like IoT platforms) as CATP (crypto-asset transfer service providers).

Article 15(2)           Issue 3: Proportionality

_________________________________________________________________
Original Text by the Commission:

By way of derogation from Article 14(1), transfers of crypto assets not exceeding EUR 1,000 that do not appear to be linked to other transfers of crypto assets which, together with the transfer in question, exceed EUR 1,000, shall be accompanied by at least the following information:

(a) the names of the originator and of the beneficiary;
(b) the account number of the originator and of the beneficiary or, where Article 14(3) applies, the insurance that the crypto-asset transaction can be individually identified;

By way of derogation from Article 14(5), the crypto-assets service provider of the originator shall only verify the information on the originator referred to in this paragraph, first subparagraph, points (a) and (b), in the following cases:

(a) the crypto-assets service provider of the originator has received the crypto-assets to be transferred in exchange of cash or anonymous electronic money;
(b) the crypto-assets service provider of the originator has reasonable grounds for suspecting money laundering or terrorist financing.

EDITOR NOTE: Council’s amended version suggests the removal of this threshold entirely.

_________________________________________________________________

Amended Text:

“Propose that exemptions are amended to match transaction reporting thresholds equal to those in Art. 2.5 of the EU Directive 2015/847 (ie existing interbanking transaction) or at, the least, maintained as originally suggested in the Commission’s initial draft”

_________________________________________________________________

Rationale Behind Change:

Blockchain-based transactions are, by the technology’s nature, public and traceable. This means that any person can review and track blockchain transactions through chain explorers, like blockchain.org or etherscan.io. Many sophisticated analytics solutions exist and have already been used by authorities to trace and track criminally suspicious transactions.

In addition, CASPs perform existing KYC and other CDD operations as part of the rules imposed through AMLD5. Cross-referencing the existing consumer identity information collected by CASPs can provide a clear view of nearly all stakeholders in the industry and their operations.

The inherent value of this Decentralized Ledger Technology is the trust and openness it provides to its users. As such, the AML risk of blockchain based transactions is lower compared to risks found in private silos within financial institutions. After all, the historic opaqueness of financial institutions is the reason AML reporting standards exist.

As such, the AML reporting threshold should therefore be significantly higher than the one proposed in the original draft of this regulation. Contrary to that, the Council and the Parliament have proposed to remove any and all transactions thresholds, meaning that any and all transactions from CASPs to Unhosted Wallets will have to perform onerous consumer information collection and verification processes.

This goes against the principles of being technology neutral and especially the proportionality of requirements. INATBA members believe that the threshold should, at the least, be lifted to match existing financial transactions thresholds given in Art. 2.5 of the EU Directive 2015/849 , if not expanded to a significantly higher figure.

In addition, even with emerging automated solutions, significant resources will have to be diverted away from compliance resources fighting actual illicit activity to deal with bulk data collection regarding very low risk transactions, thus rendering AML supervision inefficient and against the proper application of the proportionality principle.

As INATBA members believe the legislation should be as forward-looking as possible, we should bear in mind that rapid development of the crypto ecosystem will most likely result in accepting payment with crypto assets by more and more entities and institutions. In fact, it should be an ultimate goal of both industry stakeholders and policy makers to enable it and encourage the usage of crypto assets even in day-to-day transactions (e.g. purchases at stores and restaurants). It should be stressed that removing the threshold entirely will result in a need for KYC verification for each and every crypto-asset transaction (including aforesaid day-to-day, minor transactions). There is a significant risk that removing the threshold will cease this development due to sellers of goods and services not willing to carry an unproportional compliance burden.

If this requirement, proposed by the Council and the Parliament, becomes law, Europe will yet again fall short of industry expectations and lose resources and talent to comparative jurisdictions.

Article 14(5b)       Issue 2: Verification of unhosted wallets

_________________________________________________________________

Amended Text of the European Parliament: 

5b. In the case of a transfer of crypto assets made to an unhosted wallet, the provider of crypto-asset transfers of the originator shall collect and retain the information referred to paragraphs 1 and 2, including from its customer, verify the accuracy of that information in accordance with paragraph 5 of this Article and Article 16(2), make such information available to competent authorities upon request, and ensure that the transfer of crypto assets can be individually identified. For transfers to unhosted wallets which are already verified and have a known beneficiary, providers of crypto-asset transfers shall not be required to verify the information of the originator accompanying each transfer of crypto assets. Such information shall be made available to competent authorities upon request in accordance with Article 33 of Directive (EU) 2015/849.

Providers of crypto-asset transfers shall adopt effective measures to ensure that the verification of the ownership information in relation to unhosted wallets does not cause undue delay to the execution of the intended transfers.

_________________________________________________________________

Amended Text:

“Propose that the requirements to verify the information about unhosted wallets are deleted”

_________________________________________________________________

Rationale Behind Change:

Requirements proposed by both the original draft of this regulation and international financial regulatory bodies like FATF, stated that operators in the industry should store consumer due diligence (CDD) information and share with authorities upon request. 

Yet again, the European Parliament’s draft goes well beyond the suggested requirements of international bodies and the Commision, proposing significantly more onerous requirements for the collection and, more importantly, the verification of CDD information collected related to unhosted wallets.

The European Parliament’s proposal would require providers to verify information on both the originator and the beneficiary in a transaction involving an unhosted wallet. In many cases this would not be possible or it would be disproportionately onerous for the provider to undertake verification measures in relation to a party that is not a customer or related person within the context of a contractual, professional or commercial activity of the provider.

Not only is the verification requirement an ineffective control and risk mitigant, it also raises significant consumer protection issues. There are both data privacy and security issues created by requiring significant data collection and storage (particularly of non-customer information). The requirement is at odds with privacy & data minimisation principles enshrined under EU law puts CASPs and users at increased security risk.

From a GDPR perspective, self hosted wallet users have not chosen to interact with CASPs—as a customer or otherwise, and do not contract with CASPs. In many instances, these self hosted wallet users will not know how their data is used or disclosed, nor how to exercise their GDPR rights of access, correction, transfer, deletion and objection. This is at odds with the fundamental objective of EU data protection principles, which emphasize giving individuals transparency and control over how their personal information is collected and stored.

From a security standpoint, collection of extensive personal information of non-customer counterparties is especially risky for crypto businesses given the sensitive nature of blockchain data. If the name and physical address associated with a self-hosted wallet were disclosed, it could allow bad actors to potentially track a person’s entire financial history on the blockchain and use that information in improper ways.  That unprecedented access to personal information has no analogue in traditional finance.

This verification requirement, in combination with the removal of the thresholds for crypto-asset transactions undermines the ability of obligated entities in the European crypto-asset industry to seamlessly interact with unhosted wallets and fully participate in the future development of the decentralized crypto-asset industry. INATBA members implore the Council and the European Parliament to reconsider these amendments and remove them during the Trilogues.

As per the above amendment recommendation, INATBA members believe that these requirements are too onerous and provide very little benefits in terms of preventing AML risks, particularly within the context of DLT public-permissioned systems like Alastria’s, facilitating an effective and fast tracking of suspicious laundering crypto-transfers. This might result in impeding the development of the crypto-assets industry and significantly decreasing the attractiveness of EU states for crypto businesses., promoting forum shopping and deterring crypto-industry investment.

Article 14(6)         Issue 3: Proportionality

_________________________________________________________________
Original Text: 

Verification as referred to in paragraph 5 shall be deemed to have taken place where (a) the identity of the originator has been verified in accordance with Article 13 of Directive (EU) 2015/849 [and the information obtained pursuant to that verification has been stored in accordance with Article 40 of that Directive or (b) Article 14(5) of Directive (EU) 2015/849 applies to the originator.

_________________________________________________________________

Amended Text:

“Propose that the requirements to verify the information about unhosted wallets are deleted”

_________________________________________________________________

Rationale Behind Change:

As per the above amendment recommendation, INATBA members believe that these requirements are too onerous. Please review the amendment suggestions for Article 14(5b) for further clarification of our position and rationale.

Article 16(4a)       Issue 2: Verification of unhosted wallets

_________________________________________________________________
Amended Text of the European Parliament:

Where there is a transfer of crypto assets from an unhosted wallet, the provider of crypto-asset transfers of the beneficiary shall collect and retain the information referred to in Article 14(1) and (2) from its customer, verify the accuracy of that information in accordance with paragraph 2 of this Article and Article 14(5), make such information available to competent authorities upon request, and ensure that the transfer of crypto assets can be individually identified. For transfers of crypto assets from unhosted wallets which are already verified and have a known originator, providers of crypto-asset transfers shall not be required to verify the information of the originator accompanying each transfer of crypto-assets.

The provider of crypto-asset transfers shall maintain a record of all transfers of crypto assets from unhosted wallets and notify the competent authority of any customer having received an amount of EUR 1,000 or more from unhosted wallets.

Providers of crypto-asset transfers shall adopt effective measures to ensure that the intended transfers are not unduly delayed by verification of the ownership information in relation to unhosted wallets and by reporting procedures. 

_________________________________________________________________

Amended Text: 

“Propose that the requirements to verify the information about unhosted wallets are deleted”

_________________________________________________________________

Rationale Behind Change:

In addition to the recommendations and rationales set out above, this requirement to report all customers receiving or making transactions to / from self hosted wallets is completely disproportionate to the risks posed and raises significant surveillance concerns and high private registration costs, deterring or even blocking the emerging CASP industry. In the absence of any suspicious activity, this reporting will place an undue burden on both CASPs and authorities with no obvious benefit – diverting resources at all levels away from fighting financial crime. Further, there is already an established process for SARs filing which all CASPs will have to adhere to. We suggest more detailed cost-benefit analysis to this extent.

Article 18ac (2, 3 and 4)   Issue 3: Proportionality

_________________________________________________________________
Amended Text by the Parliament: 

2.(3) wallet, services risk factors: 

• a) privacy wallets, mixers or tumblers, or other anonymising services for transfers of crypto-assets; 
• b) crypto-asset wallet addresses, including unhosted wallets, identified as being linked to money laundering, terrorist financing.

3. The provider of crypto-asset transfers shall also determine on a risk sensitive basis whether to reject any future transfers of crypto assets from or to, or restrict or terminate its business relationship with, a provider of crypto-asset transfers associated with a high risk of money-laundering, terrorist financing and other criminal activities. 

4. Notwithstanding paragraph 1, with respect to privacy wallets, mixers or tumblers, or other anonymising services for transfers of crypto assets, the provider of the crypto-asset transfer shall obtain additional information on the purpose of the intended transfer and a justification for legitimate use, before deciding whether to reject or suspend a transfer, and shall report its decision to the competent authority.

_________________________________________________________________

Amended Text: 

“Propose that the use of privacy wallets, mixers and tumblers is reviewed by obligated entities in accordance with a risk-based approach, and will not be prevented if appropriate information can be obtained from the customer.”

_________________________________________________________________

Rationale Behind Change: 

INATBA members believe that existing requirements placed on CASPs can alleviate the risk posed by the use of privacy enhancing decentralised applications. In many cases, such utilities are used by persons in need of enhanced privacy protection. CASPs should be guided to perform the relevant and necessary checks to ensure that such persons are allowed access to their services without avoiding AML obligations, as is the case in public-permissioned protocols under proof of authority (PoA) – but the current version, if it remains unchanged, outright removes this ability from CASPs.