Things to know:
– The Transfer of Funds Regulation (TFR) aims to prevent payment systems from being used to launder money or finance terrorism, a commendable goal we fully support.
– First applied to traditional payment systems in 2015, the TFR is being expanded to also cover transfers of crypto assets. This is the EU implementation of the Financial Action Task Force’s (FATF) “Travel Rule.” However, the TFR goes far beyond the recommendations of FATF in ways that will have unintended consequences.
– If adopted, the TFR would impose a vast financial surveillance regime on Europe, stifle innovation and undermine the self-hosted wallets that individuals use to securely protect their digital assets. This measure would also diminish the European capacity to seize the full potential of the Blockchain revolution and offer a competitive advantage to other regions of the world.
– What can you do? Time is short. The EU Parliament ECON and LIBE committees are scheduled to vote on the TFR on Thursday, March 31st. If you believe in privacy and security, contact members of the committees and urge them to vote against Compromise D and E of the Transfer of Funds Regulation.
Just a few days ago, we celebrated that the European Parliament voted NOT to ban Proof-of-work technology (and therefore Bitcoin) and we asked, “what is next?” We did not have to wait long to find out.
Yesterday, March 29th, the final text of the revised Transfer of Funds Regulation (TFR) was distributed to MEPs on the ECON and LIBE committees of the European Parliament. They will vote on it tomorrow (Thursday, March 31st, 2022).
Crypto: a tool for money laundering? Just 232 times less used than fiat currencies
First, let’s set the stage. The TFR is supposedly about preventing financial crime, of which crypto assets are allegedly a great enabler. However, the fundamental premise underlying the TFR is demonstrably false.
In their recently published 2022 report, Chainalysis found that only 0.15% of cryptocurrency transactions in 2021 involved some element of criminality. Of that, money laundering accounted for just 0.05% of all cryptocurrency transaction volume in 2021. In dollar terms, Chainalysis reports that $8.6 billion worth of cryptocurrency was laundered in 2021. Meanwhile, the UN Office on Drugs and Crime estimates that up to $2 trillion – 5% of global GDP – is laundered every year through the traditional financial system in fiat currencies. Moreover, the transparency and immutability of public blockchains equip law enforcement with greater tracking capabilities than they have for fiat currency. Using these figures, the amount laundered through fiat currency is more than 232 times greater than the amount laundered through crypto. These facts call into question the fundamental EU principles of necessity and proportionality.
The TFR takes the wrong approach
So, how does the TFR propose to tackle this problem? Here’s the short version:
- Removing privacy from the blockchain: For every crypto asset transfer involving an “unhosted” wallet (defined as “a crypto-asset wallet address that is not held or managed by a provider of crypto-asset transfers” (Article 3)), the TFR would require Crypto Asset Service Providers (CASPs) to COLLECT personally identifiable information (PII) on both the sender and recipient (even if such person is not a customer of and has no relationship with the CASP), VERIFY the accuracy of the collected information, and REPORT such information to EU and national anti-money laundering (AML) authorities upon request or automatically for all transactions over 1,000 EUR. (Articles 14, 16).
- Registering your crypto history: Create a government registry linking blockchain addresses to their owners and counterparties, and a public registry of “non-compliant” CASPs and “high risk” wallet addresses. (Articles 16, 18ad).
- Ban CASPs from interacting with DeFi protocols and decentralized exchanges. (Article 18aa).
From the TFR, it is clear that Parliament seems to believe “unhosted wallets” are primarily used by criminals, but why? What are we really talking about here?
At its core, a digital asset wallet consists of a public blockchain address and a private key. A private key is a unique string of random characters. It is all one needs to custody and control one’s digital assets. Thus, an unhosted wallet can be as simple as a so-called “brain wallet” (committing the private key to memory), a “paper wallet” (writing it down on a piece of scrap paper), or a physical wallet (for example, inscribing it into some physical medium like stainless steel).
Of course, we at Ledger believe the safest way to protect one’s private key is with our Ledger hardware devices.
How the TFR exposes EU citizens & Institutions to greater risks
Privacy in the EU is a fundamental right. In fact, the right to privacy is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8), and the European Charter of Fundamental Rights (Article 7). The TFR does not appear to uphold these “fundamental” rights for cryptocurrency transactions, seemingly because 0.05% of them may involve money laundering.
Similarly, the GDPR extends to EU citizens the “right to be forgotten” (Article 17), unless, of course, the personal data you’d like to erase involves a crypto transaction, in which case the TFR mandates it be stored by a CASP for five to ten years and by government agencies indefinitely. Strange, no?
All kidding aside, there is an important question here: how would the massive surveillance regime envisioned in the TFR actually expose EU citizens to greater risk of crime? Read on.
Criminals hack crypto exchanges for the same reason Willie Sutton robbed banks, “because that’s where the money is.” The security offered by Ledger devices is not only effective because the hardware and encryption are nearly impossible to break, but also because of risk/reward dynamics. The risk/reward profile of robbing one bank is far more attractive than cracking safes in 100 individual homes. The same is true for crypto exchanges and hardware wallets. Unfortunately, crypto exchanges get hacked all the time.
Government agencies are vulnerable to hacks, too. In December 2020, the European Medicines Agency was hacked, releasing data on the Covid-19 vaccine. A range of EU institutions including the European Commission and European Banking Authority were recently breached. But by far, the largest government hack to date is the SolarWinds breach, in which Russian hackers penetrated the U.S. Departments of Defense, State, Justice and Homeland Security, as well as 6 EU agencies.
Just yesterday, on March 29th, 2022, the European Court of Auditors warned of shortcomings at EU agencies that posed a problem for their overall cybersecurity: “Since EU bodies are strongly interconnected, a weakness in one can expose others to security threats,” the ECA reported. And yet, despite the proven inability of government agencies to safeguard the sensitive personal data of citizens, the TFR’s mandatory reporting regime would create a massive new honeypot of financial transaction data coupled with PII, such as your home address. Paired with the inherent transparency of public blockchains, it is simply a recipe for disaster.
With your blockchain address and your home address, criminals could see exactly how much crypto you own and choose whether to attack you virtually, through hacking, phishing or other online frauds, or physically, by means of robbery, kidnapping, and extortion. This is how the TFR will make EU citizens less safe.
The TFR’s other unintended consequences
Of course, there will be other unintended consequences that are just as important. To name a few, the TFR will:
- Reduce financial freedom. Blockchain and crypto-assets are a great enabler for financial freedom, allowing individuals to have complete ownership of their assets, assuming they use a self-hosted wallet. The TFR’s intrusion into law-abiding citizens’ private financial lives will suppress freedom and erode public trust in EU institutions.
- Reduce consumer protection. Due to the inherently borderless nature of software and internet technologies, the TFR will not prevent Europeans from accessing decentralized technologies. Rather, it will deny them the ability to access those technologies through trusted and regulated EU-based platforms, exposing them to greater risk.
- Reduce financial inclusion. Underprivileged populations are far more likely to be unbanked or underbanked than higher earners. Even FATF has acknowledged the role its AML standards have played in denying individuals access to basic financial services. Self-hosted wallets on public blockchains provide a low cost means for those “de-risked” populations to access financial services. The TFR’s efforts to discourage the use of self-hosted wallets will only serve to deny the underprivileged a tool well suited to their needs.
- Place Europe at a competitive disadvantage versus the United States, Asia and emerging markets. Entrepreneurs, innovators and the existing blockchain industry in Europe will have even more incentive to leave or grow their businesses elsewhere.
- Reduce law enforcement effectiveness. Law enforcement benefits from attribution data obtained when suspects interact with regulated CASPs. By erecting a virtual Berlin Wall between the centralized and decentralized crypto markets, the TFR will actually reduce law enforcement visibility into the decentralized market.
What can you do?
Time is short. The EU Parliament ECON and LIBE committees are scheduled to vote on the TFR on Thursday, March 31st. If you believe in privacy and security, contact members of the committees and urge them to vote against Compromise D and E of the Transfer of Funds Regulation.