It looks as if cryptocurrency service providers will have to adopt stricter know-your-customer (KYC) policies all across the world — and not everyone is happy about that.

On February 22, 2019, the intergovernmental Financial Action Task Force on Money Laundering (FATF) published a draft recommendation for strict and uniform anti-money laundering (AML) regulation for cryptocurrency service providers, to be finalized by June 2019. The G20 — the 19 most powerful countries in the world plus the European Union — had already agreed in December 2018 to accept the recommendation by this intergovernmental body responsible for setting guidelines to combat money laundering and other financial crimes. As such, the recommendation will affect cryptocurrency businesses and users worldwide.

On May 6 and 7, 2019, in Vienna, the FATF met and spoke with cryptocurrency businesses as part of its annual private sector consultative forum, hosted by the United Nations Office on Drugs and Crime (UNODC), and chaired by the president of the FATF, Marshall Billingslea from the United States. Over 300 private sector representatives, including cryptocurrency companies, participated in the forum.

In a publication addressing the event, the FATF speaks of “fruitful dialogue with a multi-stakeholder group of virtual assets market players.” Yet, despite public industry pushback, there has so far been no indication that the intergovernmental task force is about to change its position on stricter KYC rules for cryptocurrency service providers.

The Recommendation

The central policy in the FATF recommendation is that cryptocurrency service providers — companies that buy, sell or transfer funds for customers — need to be licensed and would have to perform KYC checks on all transactions valued over 1,000 U.S. dollars or euros. Whenever relevant authorities ask for the KYC information, service providers must be able to present it.

The most controversial part of the recommendation is that this check wouldn’t only apply to incoming transactions — many service providers already perform such checks today — but also to outgoing transactions. Specifically, a service provider must know whether an outgoing transaction is made toward a user’s personal wallet or to another service provider. Moreover, if the outgoing transaction is made toward another service provider, the KYC information is required to be shared with that service provider. (This is known as the “Travel rule”, which applies to financial institutions.)

The draft recommendation reads:

“Countries should ensure that originating VASPs [virtual asset service providers] obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities.”

Realistically, the only way for the cryptocurrency industry to comply with such rules (as also pointed out by Blockchain President and Chief Legal Officer Marco Santori while addressing similar, U.S.-specific guidance) may be to implement a communication layer, specifically for cryptocurrency service providers. In other words, a “SWIFT for crypto.”

In its own public statement, FATF did acknowledge that this part of the draft — which is included in Paragraph 7(b) — was not yet guaranteed to be part of the final recommendation. Its inclusion would depend on feedback from cryptocurrency businesses themselves, the organization wrote.

“Paragraph 7(b) of the Interpretive Note has not yet been finalised because it will benefit from private sector consultations to be conducted in May, it may be considered further to reflect technical implementation considerations, for final adoption in June 2019,” the public statement reads. “The FATF invites private sector entities and other experts to provide written comments on paragraph 7(b).”

Critique

Indeed, not everyone is happy with the draft recommendation.

Among the public critics of the draft recommendation is blockchain analytics firm Chainalysis. In a letter signed by COO Jonathan Levin and Global Head of Policy Jesse Spiro, the company cites technical limitations (service providers can’t tell whether a bitcoin address belongs to an individual user or another service provider) and unintended consequences (the added friction may drive more activity toward unregulated service providers). The letter also argues that money laundering is better mitigated through cooperation with service providers and the use of analytics tools such as those provided by Chainalysis.

“[I]n most circumstances, VASPs are unable to tell if a beneficiary is using a VASP or their own personal wallet in any given transaction,” per the letter. “Therefore, requiring a transmission of information identifying the parties is not feasible.” And, “Forcing onerous investment and friction onto regulated VASPs, who are critical allies to law enforcement, could reduce their prevalence, drive activity to decentralized and peer-to-peer exchanges, and lead to further de-risking by financial institutions.”

Last week, Dutch Bitcoin broker Bitonic (which also operates the European cryptocurrency exchange Bl3p) published its own critique concerning the guidelines. Aside from the practical challenges of complying with the policy proposed by FATF, Bitonic warns that it puts the privacy of European citizens at risk. User KYC information would not only be shared with other European service providers but also with service providers in the U.S. and the rest of the world, by extension making the information available to authorities abroad.

“We believe that it is undesirable from a privacy perspective that the U.S. are forcing the EU to endorse such an alarming obligation, which is not just relevant for companies that are active in the virtual currency space,” Bitonic notes.

It’s also not clear from the recommendation which types of companies would be considered “VASPs” exactly; some grey areas seem to remain. Some, like payment innovation consultant Simon Lelieveldt, have, for example, pointed out that its unclear which products would be considered “virtual assets,” raising a concern echoed by Bitonic. Similar regulations have, in the past, also left unclarity about whether multi-signature wallet providers should be considered custodial services.

Besides Chainalysis and Bitonic, critics of the draft recommendation include blockchain trade association The Chamber of Digital Commerce, payment service provider trade body the Electronic Money Association and blockchain analytics firm Ciphertrace.

Finalization

While the draft recommendation is not final yet, there is so far also no indication that the draft will be adjusted. This would mean that the stricter KYC rules will have to be adopted across G20 countries.

More specifically, the FATF issues a set of recommendations to implement as law. Since different countries have diverse legal, administrative and operational frameworks, as well as different financial systems, the FATF recommendations aren’t themselves laws, nor can countries implement them one on one. Instead, G20 members are expected to adopt laws in line with the recommendations.

How countries implement the rules will also be subject to periodic reviews by the FATF. Countries judged to be falling short could ultimately be added to a blacklist that restricts access to the global financial system.