On July 5, 2016, the European Union adopted a legislative proposal to amend its current Anti-Money Laundering framework, the 4th Anti-Money Laundering Directive (the “AML Proposal”). The AML Proposal, which would add virtual currency exchanges and custodial wallet providers to the existing AML framework, to “ensure increased transparency of financial transactions and of corporate entities,” requires exchanges and wallet providers to collect and monitor personal customer information as well as report suspicious transactions. The AML Proposal is open for commentary from Member States until the European Parliament and European Council meet to discuss the draft as early as this month. The AML Proposal, subject to comments, is due to be enacted as a new Directive in January 2017, after which Member States would be required to follow with individualized laws aligned with the final Directive.
For some exchanges and wallet providers, these new rules will not be too burdensome because they have already been collecting the information set forth in the AML Proposal. However, the somewhat vague scope of the proposal has left some wallet providers unsure of whether they would be bound by the regulations. The AML Proposal applies to “[w]allet providers offering custodial services of credentials necessary to access virtual currencies.” Some providers, such as those who offer software wallets, do not hold keys for customers, while others, known as multisig wallet providers, require multiple signatures/keys in order for a customer to access a particular wallet. These types of wallet providers would need additional information from a customer in order to divulge information about their transactions in response to a request made by a third party. Those considering the implications of such regulations have expressed conflicting opinions about whether these kinds of wallet providers fall within the scope of the AML Proposal. Some think multisig keyholders are likely included in the scope of the AML Proposal:
Only those wallet providers offering custodial services of credentials necessary to access virtual currencies are to be included in the legislation. However, there is no primary purpose limitation, meaning anyone who has responsibility for taking care of virtual currency keys for someone else will likely need to carry out due diligence, monitor transactions and report suspicious activity. Multisig keyholders could well be caught by these provisions.
Others, however, believe that software and multisig wallets would be excluded under the AML Proposal because they do not hold the entire key necessary to disclose personal information for any of their customers’ wallets:
It should mean that service providers who do not hold keys for customers (like software wallets) or service providers who do hold keys but not enough to access a balance (like multisig wallet services) would be exempt.
In an effort to counter the potential sweeping inclusion of all wallets in the AML Proposal, Jouke Hofman, CEO of Bitcoin-brokerage Bitonic and exchange BL3P, initiated outreach to the Dutch Ministry of Finance, and other virtual currency wallet and exchange companies, to explain the need for more specific guidance on who exactly is covered by the directive and the importance of balancing anti-terrorism AML efforts with technological innovation:
Under the current provision, it's not that clear who or what the regulation applies to, exactly. It covers wallet providers that hold onto private keys of their users. But does it also include wallet providers that hold onto one key for a two-of-three multisig address? What if bitcoins are time-locked and wallet providers cannot spend the funds now, but perhaps in the future? And if the regulation applies to any key holder, where does the definition of a wallet provider begin? It's important these types of nuances are taken into account when drafting new regulation for an upcoming technology that's still very much in development.
Significant privacy and access concerns will exist if the AML Proposal is ultimately deemed to include multisig wallets or other wallets that require collecting personal data from the customer for the purpose of having a database readily accessible to the government. According to the directive, covered entities would be required to collect personal information from their customers, store it in a database, and report suspicious activities. The data would have to be easily accessible should the government require it for any purpose. What is most concerning is that there is no standard of proof that the government must provide in order to gain access to the customers’ personal information in the database.
The AML Proposal recognizes the importance of individual privacy rights by only requiring wallet providers to store “minimum data necessary to the performance of AML investigations” and by stating that the data collected should be essentially the same as the “set of data to be made available to the public [that is] limited, clearly and exhaustively defined, and should be of a general nature, so as to minimize the potential prejudice to the beneficial owners.” However, the mere recognition of these privacy considerations does not resolve the primary issue of government access to private information without first having to prove the need for it. In order to better balance individual privacy with the government’s interest in monitoring illegal activities, any regulation should include a standard of proof, such as probable cause or reasonable suspicion, before the wallet provider is required to give the government access to its customers’ data.
Another concern with the AML Proposal is the ability of individual wallet providers to comply with comprehensive compilation and reporting requirements. Corné Plooy, a developer with Amiko Pay, expressed his concern that stifling growth and innovation during a time of significant advancement for blockchain and virtual currency technology could disincentivize wallet providers from operating within Europe without accomplishing the goal of uncovering illegal activity:
A major difference between financial technology and other information technology like software or websites is that financial technology usually cannot be deployed without approval of existing parties like banks. I believe this is what stops the financial sector from having the same level of innovation as other IT-sectors. This is where Bitcoin makes a huge difference. It allows for a peer-to-peer economy, without dependence on large organizations. There is no longer a strong separation between the role of a consumer and that of a service provider. Anyone with a good idea and a bit of expertise can make their idea a reality, giving a huge boost to fintech innovation. Regulation may destroy that advantage. What would have become of Google if it had to perform a suspicious activities check on every website it linked to? What will happen if every user has to comply with AML/KYC regulations? That is a real concern if multisig key holders are considered wallet providers in the newly proposed E.U. regulations. Privacy concerns aside, individuals don't have the resources to apply these sorts of checks.
As with other attempts to regulate various aspects of virtual currencies through licenses and restrictions, to avoid stifling growth, any AML regulation adopted by the EU must achieve a balance between consumer/government protection, continued innovation, and privacy concerns. The AML Proposal is a good framework for achieving this balance. However, the proposal needs to be narrowed in scope as to the wallet providers it covers, and it must provide some burden of proof for a government to access private customer data, if it is going to fairly accomplish necessary AML goals without impinging on privacy rights and innovation any more than necessary. Hopefully, the virtual currency businesses that are impacted by the AML Proposal will provide the comments needed to cause the EU to implement these necessary changes to the proposal.