Why the Travel Rule Violates Fundamental Rights (for 20+ years already)

If you regularly use the word ‘travel rule’ you have become part of a codified subculture of payments and banking. In this subculture the travel rule, refers to the FATF-rule which require that — as the name implies — the personal information of the sender and receiver needs to “travels” with the payment information during the transaction.

With the mass usage and uptake of bitcoin, the Financial Action Task Force (FATF) figured it would also adopt/apply the so-called travel rule for crypto companies in 2019, and this rule process is now ongoing for some years. The FATF’s recommendation advises governments to require crypto companies to include and make available the name and address of both the sender and receiver of crypto transfers to receiving crypto providers.

What’s interesting is that governments have succeeded to hypnotise and enforce this rule onto the whole private sector without questions being asked. Resistance was futile. All will comply. And thus, most articles you read on the topic are about the how. How do I implement.

This article is about the why? Why should we implement it? Or better, where did it come from originally? Why is it unlawful and what could this unlawfulness mean for customers, crypto service providers and banks alike?

Where Did the Travel Rule Come From?

To understand its origins, we must go back to the early history of the travel rule at the start of this century. Shortly after the attacks in New York, the FATF (then a project group without a democratic mandate, and this remains unchanged) called for all transfers in the banking sector to include the name and address of the sender and receiver. This was implemented in the banking sector.

So let’s go to the origins: the note that can still be found on the OECD website. Let’s have a look at the original arguments and use case.

We can read from the above: sometimes the police in another country need information about the sender of a payment for investigation. And it’s such a hassle to submit an international legal request to obtain that information. So, if we simply attach this information to all transactions, the police in the receiving country can easily access all the necessary details through the receiving bank. Convenient, right?

The travel rule’s purpose is thus to preemptively and massively provide unsolicited answers to yet-to-be-asked questions about the identities of senders or receivers of payments, without a valid police order or suspicion.
This amounts to large-scale surveillance and complete monitoring, for which a legal balance is required: is the goal, such as preventing money laundering or terrorist financing, justified in proportion to the significant breach of customer privacy?

Controversial From the Start

If you want to get a glimpse of what policy life was like, right after the attacks on the New York Trade Centre, you can read the thesis by Mara Wesseling here. In her analysis of the fight against terrorisms we can read how, right after the attack, the US started snooping on all international transactions via Swift. Central banks knew this but didn’t tell anyone.

By the time this discussion became public, all banks in the world had already been hammered into compliance with the first version of the Travel Rule referred to above. I joined this ‘party’ against my will as a new employee of the Dutch bankers association. I had to explain member banks that: yes, the rule made no technical sense at all but it had to be implemented given that the political momentum was so huge that this was not the moment to hold analytical debates on the relevance, effectiveness or lawfulness of this rule.

And this remained the case as each subsequent terrorist attack was professionally harvested by regulators and Financial Action Task Force to broaden and harden their grip and prescribe more ineffective surveillance and control measures. This has become in its essence, from a sociological perspective a cult. A belief system where rational arguments do not matter. You join the cult, the religion, the beliefs and its belief system and get a warm community, as long as you stick with the beliefs.

Some ten years later, the rule was further pushed into EU law but the European Data Protection Supervisor was critical with respect to its future. See their opinion here and note that in essence, the bankers were right to oppose this measure for its disproportionality. There is really no need to send this stuff all around the world.

And do note, this was more than 5 years before we got to understand who Max Schrems was and why his battle on cross-border personal data transfers is so relevant.

Next stop in 2019: apply to crypto assets as well

As early as 2019, when the travel rule for cryptocurrencies was first proposed for crypto-companies in the context of the Financial Action Task Force on Fraud, the Dutch Association of Bitcoin Companies (VBNL) and Privacy First urged politicians to stop this gross invasion of privacy. They referenced the dissertation of researcher Kaiser, which explains in detail how the Fifth Anti-Money Laundering Directive violates not only privacy but also various other fundamental rights.

However, Minister Hoekstra responded coolly, saying: “Let’s wait and see. European regulations will eventually respect fundamental rights.” But things didn’t turn out well. The Dutch Central Bank (DNB) implemented an early version of the travel rule as a wallet verification requirement for crypto companies’ registration in the Netherlands. After the court intervened (see article here), they withdrew this requirement, as it was unlawful.

Meanwhile, the European Commission conveniently “forgot” to implement Article 65g of the old anti-money laundering directive, which required a report by January 2022 on the extent to which this directive violated fundamental rights. Instead, they pushed forward with implementing the travel rule and even stricter regulations.

Thus, on June 9, 2023, Regulation 2023/1113 was established, including the European travel rule. Its unique characteristic is that for crypto it applies from €0 (while FATF and other countries have a threshold of, for example, $1,000). This rule will take effect in Europe on December 30, 2024. In the meantime, FATF monitors whether all countries are implementing the travel rule properly.

Why Is the Travel Rule Unlawful?

Well, I’m gonna break this down into the following reasons (there’s more of course, there’s always more):

1. There is no EU-obligation to implement human right infringing rules due to international norms/standards/rules/resolutions of any kind and the Court of Justice will always act as a goalkeeper in this respect
2. It’s far beyond other legal precedents of Court of Justice on surveillance
3. The travel rule does not meet legal norms for bulk surveillance regimes
4. For crypto: it’s internally inconsistent to use a threshold of 0 euro in ‘risk-based’ regulation
5. Analytical flaw: why answer unasked questions?

1. There is no legal need/necessity to do this in the EU just because the FATF ‘advises’ us to do this

First of all, it’s nice that there’s an international project group of bureaucrats “advising” governments to monitor (and block if necessary) the financial activities of all citizens and companies.
But an “advice” from such a group does not make it law. Local legislation must be adopted and assessed against fundamental rights. Which is insufficiently the case here.

Local governments often claim that FATF ‘mandates’ this, but that’s incorrect. There is no obligation. Even if it were a resolution of the UN Security Council, it wouldn’t change the fact that in Europe, we have a duty to assess the fundamental rights and proportionality of anti-money laundering measures. This is why the European Court of Justice is authorized to assess the appropriateness of such rules under European law.

The Court outlined the above in 2008 with the famous Kadi case (C-402/05 P and C-415/05 P) in which a freezing of assets because of a UN-resolution was under discussion. The question was: does this formal UN rule trump our EU set of rules and can the Court of Justice intervene. The Court explained: it doesn’t matter if we agree supranationally via the UN, we still validate rules against our internal norms, human rights and lawfullness that we agreed in Europe:

5. Fundamental rights form an integral part of the general principles of law whose observance the Court ensures. For that purpose, the Court draws inspiration from the constitutional traditions common to the Member States and from the guidelines supplied by international instruments for the protection of human rights on which the Member States have collaborated or to which they are signatories. In that regard, the European Convention for the Protection of Human Rights and Fundamental Freedoms has special significance. Respect for human rights is therefore a condition of the lawfulness of Community acts, and measures incompatible with respect for human rights are not acceptable in the
Community. The obligations imposed by an international agreement cannot have the effect of prejudicing the constitutional principles of the EC Treaty, which include the principle that all Community acts must respect fundamental rights, that respect constituting a condition of their lawfulness which it is for the Court to review in the framework of the complete system of legal remedies established by the Treaty.

So in sum: there is no reason why you could not challenge the Travel Rule as unawful with the EU Court of Justice. But you can see that the last 20 years all banks haven’t raised a finger or done any effort to protect their customers privacy. They let themselves become ‘partners’ of crime-fighting and shove around the data worldwide. Fear for being fined in terms of AML-rulebreaking is bigger than the ambition to stick with human rights rules of the EU.

Now if you’re in the cult you say: FATF-rules are binding and need to be implemented. And if you’re the legal officer in the cult you say: ‘No, it’s a mere advice to the governments, there is no need to follow it’. But that last sentence is a word trick. Because all political momentum and letters read the same: we need to implement FATF-rules because we agreed to. And do also note: if a country is slow to adopt, they get a visit from the US Ambassador and some economic repercussions will be hung over the head when failing to comply. So it may look like an advice but it is essentially the formalisation of economic blackmail by the US, to ensure mass surveillance.

Then again: do also note: the Court of Justice does not agree with the idea that we should simply do it because an international group has decided to do so, or we decided to do everything the FATF or US tells us to do. We need to stick to our own norms.

2. It’s far beyond other legal precedents of Court of Justice on surveillance

When looking for precedents on mass monitoring and data retention in the Court of Justice’s case law, you’ll find numerous precedents where the Court takes a strong stand against excessive surveillance.

Key cases include Digital Rights Ireland in 2014 (C-293/12 and C-594/12), Tele2 Sverige and Watson in 2016 (C-203/15 and C-698/15), Privacy International, La Quadrature du Net in 2020 (C-623/17, C-511/18, C-512/18, C-520/18), and the judgment on Passenger Data in air traffic: C-817/19, June 21, 2022.

When applying this case law, it is evident that the Wire Transfer Regulation in the EU does not hold up in court. And there is more.

3. The travel rule does not meet legal norms for bulk surveillance regimes

The travel rule, with its direct requirement to send information worldwide, violates Convention 108+, which demands adequate data protection in the recipient country during international data transfers. It also conflicts with the European Court of Human Rights’ jurisprudence on bulk surveillance regimes, such as in the Centrum för Rättvisa v. Sweden case (no. 35252/08).

Again: when applying the norms for bulk surveillance to the Wire transfer regime you can see many anomalities. Like the structure in which private companies effectively supervise/enforce their business partners into compliance. That’s really a no-go area in a legal sense as supervision is a goverment mandate not to be outsourced to the private sector.

4. For crypto: it’s internally inconsistent to use a threshold of 0 euro in ‘risk-based’ regulation

In Europe a group of overactive Members of Parliament figured it would be good to lower the threshold for the travel rule to 0 euro (while even the FATF leaves open a 1000 dollar/euro threshold). This lowering the threshold amount to €0 is inconsistent with the essence of all anti-money laundering regulations. These rules are always intended to be risk-based. Removing a threshold designed to ensure proportionality clearly contradicts this principle.

5. Analytical flaw: why answer unasked questions?

In this time and age of data driven companies we must make sure to stick to our information logic. Did someone ask specifically for this data? If not: why send it around the world in the hope someone may be able to use it. It’s unsollicited mailing/forwarding of bulk personal data without a use case and with high detrimental side effects.

Although the cult will try to hypnotise you into believing that implementation of the Travel Rule is part of the quest for the Holy Grail, it is not. It is a rite, a self-harming deed to stay with the club and not be punished, rather than any effective measure. The core question remains:

Why should you or any company or person ever be bound to register and send everyone’s data to all jurisdictions globally, acting as an information drone for an unknown police officer somewhere who doesn’t yet know if they’ll even need the data?

Power Play or Upholding Fundamental Rights?

Any officer in need of data can request it via the legal route if needed. And large-scale tapping must follow special rules, authorizations, and legislation. How come we do not stick to those basic rules of crime fighting?

We must abolish the travel rule as a prehistoric regulation from a time when we weren’t as mindful of fundamental rights. With the recent child benefits scandal (which we had in the Netherlands) it’s evident that governments themselves can be the greatest violators of these rights. Therefore, it’s crucial for society to critically evaluate all structures that collect, store, and transfer data on a massive scale.

Although the reality is that customers will be forced to comply with the travel rule, crypto providers should realize that citing Regulation 2023/1113 as a legitimate legal basis is a farce. The travel rule was and is an unlawful violation of fundamental rights, and customers are legally correct in objecting to the processing of their data. If a customer suffers harm due to this, they are entitled to compensation.

A Matter of Time

It seems to be just a matter of time before the first lawsuits clarify this. Hopefully, the Court of Justice will not only annul the travel rule for crypto but also for the banking sector entirely. However, this could take years, but that shouldn’t stop crypto providers, customers or organisations such as Human Rights in Finance (HRIF.EU) from considering further action or legal procedures.

The above article is an expanded version of a summary article in Bitcoin Focus, in Dutch, on the same topic. I am publishing it so that visitors to Bitcoin Amsterdam 2024 can benefit from it as well. And I am dedicating it to the well known Dutch tech-journalist Herbert Blanksteijn with whom I spent many times discussing the topic in BNR Cryptocast.