New FATF Guidelines May Have Unintended Consequences
As bitcoin and other cryptocurrencies begin to grow in the collective minds of regulators globally, the industry continues to see a substantial increase in scrutiny. Yet due to the unprecedented nature of the technology, regulators are struggling to apply old rules to new technology in a meaningful way.
Many of these regulations echo the comical “Red Flag Traffic Laws” that were passed around the time of the invention of the automobile. Ostensibly for safety reasons, this law mandated that there be at least three people employed to drive, including one who precedes the vehicle “on foot by not less than sixty yards, [who] shall carry a red flag constantly displayed, and shall warn the riders and drivers of horses of the approach of such locomotives.” Naturally, the law was later repealed as the compliance costs (social, financial, or otherwise) overwhelmingly outweighed any potential benefit.
In June 2019, the Financial Action Task Force (“FATF”) issued extensive guidance which aims to unify the approaches of crypto regulation among various jurisdictions. One of the stated goals behind the guidance is an attempt to “avoid jurisdictional arbitrage” by entities that may choose relocate to the least regulated country. Established in 1989 by the G7, the FATF evaluates the policies countries have in place to combat money laundering and terrorist financing. While the “guidance” is not legally binding international law, the rules can be used to apply pressure to non-complying jurisdictions. (Let’s put aside the question of whether an unelected body even should have this power to begin with.)
The new FATF rules are extensive, and go further than previous crypto guidance by broadening the types of activity in scope. The definition of a virtual asset service provider (“VASP”) is quite broad and includes a catch-all of “other possible business models” at the end of the definition. This opens questions around whether, for instance, Lightning Node operators, who anonymously route payments on the network on behalf of others for a small fee, could be caught in the dragnet.
But perhaps the most controversial part of the FATF guidance is Recommendation 16, which adopts what is known in the traditional financial world as the travel rule. The rule requires VASPs to share sender (originator) and receiver (beneficiary) information in cryptocurrency transactions above a certain threshold. Effective since 1996, this rule makes sense in a world where the only way for Alice in Texas to wire money to Bob in Spain is through an intermediary within the traditional banking system.
Without explicitly calling it the “travel rule”, the FATF guidance requires the same type of rules to be applied to VASPs. Specifically, the rule will require any entity falling under the definition of a VASP to identify senders and receivers involved in cryptocurrency transfers, similar to the way banks provide each other with customer information for wire transfers. For reasons described below, this rule will likely have some very unintended consequences.
To illustrate this point, suppose Alice has 1 bitcoin in custody with Exchange A and wants to send it Bob’s account at Exchange B.
If the travel rule were to apply, Exchange A would have to process the transaction on the blockchain, and simultaneously submit additional identifying information in a separate database accessible to Exchange B. Notably, unlike a wire transfer, the required information would not be included within the transfer instructions for technical and privacy reasons. Identifying information would need to be sent separately, and would need to be tied back to the bitcoin transaction by Exchange B.
Thus, in order to comply with the rule, VASPs will have to keep and update a list of all known VASP addresses. This is because there is no way to definitively determine who controls which bitcoin address without information external to the blockchain. If the recipient is indeed a VASP, they must ensure that identifying information is provided alongside the blockchain transaction. To add further complexity, most VASPs offer users multiple receive addresses (such as Hierarchical Deterministic or HD wallets), which can be created at will at any time. Accordingly, keeping an updated list of all addresses controlled by a VASP can become a major headache — one that regulated entities may choose to avoid. For instance, exchanges and other VASPs can simply make it a policy not to send funds directly to other known VASP addresses.
Now assume in the same example, Alice moves her bitcoin out of her exchange and holds her own keys in a non-custodial wallet for a short amount of time. If she were to then send Bob that same bitcoin to his account at Exchange B, there would be no travel rule requirement. Recall that the rule applies only to VASPs, which would not include individuals transacting on their own behalf for personal purposes. Once the funds are in the owner’s possession, the travel rule obligation ceases and the owner can send her funds where she wants.
Simple workarounds like this highlight the reasons behind the controversy around the FATF guidance. As written, the rule is unlikely to prevent any sort of illicit activity. In fact, it may only incentivize transactional activity to be pushed further underground and firmly outside the reach of regulators.
Importantly, it is worth asking what problems such rules actually solve. If all VASPs are already required to collect KYC information, what added benefit will this rule provide, especially if it easily circumvented? Like the Red Flag Traffic Laws, they appear to be forcing antiquated notions into a new protocol, resulting in high costs with no apparent benefit. Instead, it is likely to serve as a distraction for VASP compliance offices, who are scrambling to force a square peg into a round hole.
These resources can instead be focused on thinking of innovative ways to leverage the technology to stop and prevent harmful illicit activity. The open and public nature of the bitcoin blockchain, for instance, has recently helped law enforcement track down and bust a massive pedophilia ring.
In June 2020, the FATF is scheduled to review progress on Travel Rule solutions at its plenary meeting. It will be interesting to watch how it plays out.
