EU Introduces Crypto Anti-Money Laundering Regulation
The Council of the EU has reached a political consensus on amendments to the 4th AML directive and, among other changes, introduced a definition of “virtual currencies”. After it comes in force, providers of exchange services between virtual and fiat currencies, and custodian wallet providers will have to comply with the AML directive.
I should firstly emphasize that only political consensus regarding the amendment has been reached and that the Council and the Parliament still need to adopt the proposed amendment, which will most likely happen. If you are thinking that you do not understand the EU legislative process very well, do not worry — you are one of the many (but feel free to read on it).
Not long ago, I praised the EU for its smart approach to blockchain legal issues, making a reference to the proposed amendment to the AML directive. I thought that the proposed amendment was clear and reasonable. I was relieved to see that the amendment would lessen the creative potential of the blockchain, but deliver clarity on an important compliance issue. When it comes to blockchain legal issues, I believe that reducing regulatory uncertainty is crucial to make blockchain business friendlier and safer for the consumers and cheaper for the entrepreneurs to run. Even though the proposed amendment has been to its present (hopefully final) version altered, my opinion remains the same.
The First “Country” with a Clear Definition of a Virtual Currency
The amendment sets out the following definition:
“virtual currencies” means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency, and does not possess a legal status of currency or money, but is accepted by natural or legal persons, as a means of exchange, and which can be transferred, stored and traded electronically.
The amendment makes it explicitly clear in the preamble that virtual currencies should not to be confused with electronic money (Article 2(2) of Directive 2009/110/EC) nor with the term funds (meaning banknotes and coins, scriptural money or electronic money, point (25) of Article 4 of Directive 2015/2366/EU). The legislator made it equally clear that virtual currencies are not in-games currencies, which can be used exclusively within the specific game environment.
What is interesting to me is that the preamble also makes it clear that virtual currencies may also be used for other different purposes and find broader applications such as “means of exchange, investment purposes, store-of-value products or uses in online casinos.”
If we now try to analyse the content of the definition, we would break it down in the following:
a) digital representation of value — A lot of experts in finance, including some Nobel award winners, are discussing the value of Bitcoin and other virtual currencies. This part can be argued two ways — one is that every token on the blockchain represents some value. Blockchain is a value driven system where nothing happens without fuel. In practice, every token represents some value, monetary or functional. It will be very difficult to argue that there is a token, which value is zero. The other way is that this digital representation of value needs to be direct — namely that the value of token is directly evident (but not linked) in EUR or linked to a known scope and type of service.
b) not issued or guaranteed by a central bank or a public authority — For this element all tokens, known to me, match. Let’s wait and see what Estonia does.
c) not necessarily attached to a legally established currency — In its essence, no tokens are attached to a legally established currency as of today. It is true that for the most popular and biggest ones there is a direct trading pair either in EUR or USD, but this should not be considered as “being attached”. Project Tether (and similar ones) was however different. Legally wise, this element is somehow irrelevant — it says that a token either is or is not attached to a currency and that does not have effect on whether such token is a virtual currency or not.
d) does not possess a legal status of currency or money — This criterion is met with all known tokens as of today. No tokens, to my knowledge, possess such status.
e) is accepted by natural or legal persons, as a means of exchange — Again, it will be hard to argue that any token is not means of exchange. They are designed to be exchangeable and this is their main feature. In practice, it might happen that some tokens will not be accepted by anyone (for some reason), but such perhaps only temporary condition, might not be enough to exempt a particular token from the virtual currency definition.
f) can be transferred, stored and traded electronically — Tokens are by design transferable, storable and tradable. There might be certain rare exceptions to this, but in principle all tokens match this criterion.
In other words — it seems that most of the tokens known and existing today may fall within the “virtual currency” definition. This could not be an error in the concept or a mere coincidence, the EU must have wanted to design a definition, which would cover as many tokens as possible. This is also evident from the preamble, which clearly reads that “The objective of this Directive is to cover all the potential uses of virtual currencies.”
This makes the EU the first “country” in the world (to my knowledge, but please feel free to correct me), which introduced a clear and legally binding definition of anything on blockchain.
The issue, however, might occur that the definition is too wide and that practically all cryptographic tokens will for the purpose of EU law be considered as virtual currencies. Is this really what the commission wanted and is this beneficial to the industry? As long as only the gateways to fiat are subject to AML regulation, such definition is probably not an issue. But most likely is that in addition to virtual currency definition, we might also need a definition of cryptographic token. In any case, legislators should be careful with using this definition of virtual currencies, because it seems it covers practically all blockchain tokens.
Which Services Classify as “Exchanges”?
The amendment extends the scope of AML directive also to cover “providers engaged in exchange services between virtual currencies and fiat currencies.”
Again, the preamble gives us some insight into the rationale behind the provisions. It is said that fiat currencies are coins, banknotes and electronic money of a country that is designated as a legal tender and is accepted as a medium of exchange in the issuing country. The Commission is of view that exchange services poses a risk of money laundering and countering the financing of terrorism (AML/CFT) and consequently competent authorities should be able to monitor through obliged entities the use of virtual currencies.
Interestingly, the preamble explicitly reads that a large part of the virtual currency environment will remain anonymous because users can also transact without these providers.
My understanding consequently is that exchange of virtual currencies between entities is not governed by the AML directive as long as such activity is not a service. In other words, if entities A and B agree on exchange of 10 BTC for EUR and execute a transaction, this is not a service of exchange and such entities are not bound by the AML regulation. When A starts offering such transaction to consumers as a service, then it without doubt presents exchange service.
It seems that exchanges, providing only exchange of crypto to crypto, will remain free of compliance requirements under the AML directive.
Which Services Classify as “custodian wallet providers”?
The amendment provides that:
“custodian wallet provider” means an entity that provides services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual currencies.
I am a lawyer and I do not want to get too technical in this paper, but to my understanding as long as I hold the private key to the wallet, and none of third party providers also hold it, then such situation is out of scope of the AML Regulation. But when a third-party entity holds the private key to a blockchain wallet, where my funds (or better said — funds, not owned by such third-party provider) are stored, then such situation is regulated by the AML regulation.
This means that using MyEtherWallet (or Ledger Nano S, Trezor, Jaxx, Mist) to open a wallet on a blockchain network does not fall under the AML regulation. But using Bitwala (or Coinbase), which store the private key (even though they might share it with the users) would be regulated.
It seems that there are two main elements: 1) the private key to the wallet is (also or exclusively) held by the wallet provider, and 2) the funds in the wallet belong to the user and not the wallet provider. If these two elements are met, then the service provider is regulated by the AML regulation.
What Does This Mean for Exchanges and Wallet Providers?
Quite a lot. In practice, they need to comply with all provisions of the AML directive, or with the pertaining regulation of their country of incorporation.
In addition to all of the rules already put in place by the effective directive (such as risk assessment, customer due diligence, reporting, policies, procedures and supervision), the new AML directive will request the Member States to ensure that providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, are registered with the AML authority of their jurisdiction.
In my understanding the wording of the new AML directive only imposes a duty of registration, not a duty of licensing. This means that in principle, when an exchange or wallet providers files its registration with the competent authority, such authority shall not have a right to refuse the registration (excluding if relevant information will be missing). This means that no special requirements are set to start operation as a wallet/exchange, but the AML authorities will have a registry of all companies, engaged in fiat-crypto exchange or custodial wallet services.
What Does This Mean for the ICOs?
At first glance it seems that nothing. But is this really the case?
It seems that the definition of exchanges does not encompass ICO companies as they do not enable their users to change their cryptos into fiat money. It also seems that they do not fall within the definition of custodial wallet providers as the funds, which they receive within the ICO transaction, belong to the ICO company, not to their users. In principle, ICO company does not hold their users’ private keys for the users’ wallets, but only holds private keys for its own wallets.
But there is a caveat hidden within the ICO transaction: most ICO companies then exchange the raised cryptos to fiat and deposit them at a bank account for their operational needs. Therefore they do, in some way, facilitate an exchange from cryptos to fiat. Because of this, a number of crypto exchanges and also banks refuse to work with ICO projects, which did not identify buyers of their tokens. This market behaviour forces ICO projects to voluntarily comply with the AML regulation, at least when it comes to identifying their users.
It seems that ICO transactions may pose a certain degree of money laundering risk, in particular where i) the token sale is not caped per user and consequently unlimited amounts of funds can be transferred to the ICO, and ii) the raised funds are consequently converted into fiat as if they belong to the ICO company, but it is not clear who the ICO company got them from. Consequently, it does make sense for the ICO companies to come up with their AML policy and identify the risks. There are two main possible ways, whereas one is identification of the buyers, and the second one is capping the buyers to a certain amount of funds they are allowed to use for purchase of tokens from the ICO. An important question is if ICOs shall also be, similarly to exchanges and custodial wallet providers, obliged to register themselves and comply with the AML regulation. As of now, they are not obliged to do that, and it is left to them whether they wish to do it voluntarily.
In case of ICO companies identifying the users, which buy their tokens, I also have to make a reference to the privacy regulation, due to which the projects shall make sure to comply with principles of purpose limitation, data minimisation and securing consent (in addition to all other provisions of the applicable privacy regulation).
Is EU the Place to be for Blockchain Ventures?
Yes! The European Commission is active in the space and has not done anything so far to hinder the development of the blockchain arena. The proposed amendment to the AML directive will in my opinion be warmly accepted by the industry. Already now, all reputable exchanges and wallet services providers identify their users and have AML policies in place. Complying with the new requirements will not be an issue for them. In addition, an important regulatory issue has now been cleared up and it is clear which activities need to comply with AML rules and which do not.
I believe that reducing regulatory uncertainty is fundamental for further development of the blockchain industry. If the EU will keep its slow paced but well thought approach to regulation, I believe that it will, as a regulatory environment, be a suitable jurisdiction for serious blockchain businesses.