Thursday, April 7, 2022

The hoopla over the EU and self-custody wallets

There's been plenty of anger this week in the crypto world about a EU law that, if passed, would require European crypto exchanges to collect and verify information about so-called unhosted wallet users.

What the new rule boils down to is that if you have an account at an exchange like Coinbase, and you send some crypto off of the exchange to an unhosted wallet (i.e. a self-custody wallet or personal wallet), then Coinbase will have to verify the European owner of that unhosted wallet and store their information.

Messing around with self-custody wallets is verboten among crypto fans. But is the EU's proposed rule as unprecedented and unfair as the crypto press is making it out to be? I think the angst is overdone, and I'll show why.

One of tests we can perform to determine the fairness, or neutrality, of any new crypto-targeted anti-money laundering (AML) regulation is to ask the following question: does the same regulation already apply to cash and cash-remittance providers like Western Union? If so, then it's fair.

The "Western Union test" works on the assumption that cash and crypto function in similar ways, and so the principle of technological neutrality dictates that they should be regulated similarly for AML purposes. Both are transferable on a person-to-person basis, they can each be self-custodied (i.e. they don't require a bank), and they provide a degree of privacy. And so institutions that deal in crypto and/or cash should face the same AML requirements. Put differently, whatever Western Union is already obligated to do with cash, Coinbase must do with crypto.

So what does the test tell us? A quick glance at Article 5 of EU Regulation 2015/847 indicates that payment service providers are already required to identify anyone from whom they receive cash, or to whom they pay out cash. Which means that if a customer of Western Union asks an agent to disburse 1500 in banknotes to a European, it must verify the recipient's ID.

And so the "Western Union test" indicates that it's only fair that Coinbase be required to verify the ID of the owner of an unhosted wallet to which it pays 1500 worth of crypto. Like cash, like crypto.

AML regulation often exempts service providers from ID requirements for small transfers. But the potential EU law on verifying the identity of unhosted wallet owners does not come with an exemption. Even if Coinbase only pays out a tiny amount (say 50 in crypto) to an unhosted wallet, identifying the owner would be necessary. I don't like this aspect of the law, but it does pass the "Western Union test," as I'll show.

I'm not a fan of a lack of thresholds for transfers to unhosted wallets because thresholds allow those without an ID -- say refugees and homeless people -- to make payments. Thresholds also afford licit users a window for privacy. We should try to preserve a small privacy safe haven.

While I'm not the fan of  lack of a crypto threshold, the measure does pass the "Western Union test." In the EU's case, there is no verification exemption for transfers received or paid out in cash. That is, even if Western Union disburses a tiny 50 in cash to someone, identity verification is still required. (See Article 5, Section 3 of  EU Regulation 2015/847). And so its fair to subject Coinbase and a €50 transfer to an unhosted wallets to the same stringency.

Even though the EU's new crypto regulation passes my "Western Union test," crypto advocates are unlikely to be fans of this legislation. But they can still protest. Don't want to go through an AML process for unhosted wallets? Then don't use payments service providers like Coinbase. Always transfer coins bilaterally through self-custodial wallets.

P.S. There is one way in which the EU's proposed law doesn't pass the "Western Union test." It would require that for every transfer received from an unhosted wallet, the payment services provider inform the competent authorities (see Article 16, section 4a). This requirement doesn't exist for cash and cash-based payments providers like Western Union. Yes, a cash payment requires ID verification, but as far as I know there is no notification requirement. So in this one respect, the new law doesn't treat cash and crypto in a consistent manner.

P.P.S. I am open to the idea that traceable crypto like Bitcoin should be subject to less stringency than cash, in the form of a higher threshold, and that untraceable crypto like Zcash and tumbled crypto would be subject to the same stringent threshold as cash. So for example, if cash enjoys a $1000 exemption, then Zcash should also get a $1000 exemption, and so should bitcoins mixed by Wasabi, but unmixed bitcoins should get a less stringent $3000 exemption.

No comments:

Post a Comment