Beyond KYC: Regulators Set to Adopt Tough New Rules for Crypto Exchanges

UPDATE (June 11, 22:30 UTC): The FATF has set a precise release date, June 21, for the finalized guidance on crypto businesses, a spokesperson said.

The Takeaway

• The Financial Action Task Force (FATF) is set to finalize new international standards for regulating cryptocurrency firms next month.
• Those standards are widely expected to subject crypto exchanges, wallet providers and others to the “travel rule” long followed by correspondent banks.
• Industry representatives say this requirement would be onerous if not unworkable for crypto businesses, and bad for user privacy.
• FATF "recommendations" aren’t legally binding, but countries that don’t follow them get blackballed in the global economy.

The cryptocurrency industry is bracing for forthcoming international regulatory standards that would require exchanges to collect and share information about where and to whom they are sending money.

This would go beyond the basic “know your customer” (KYC) rules that bedevil many crypto users. In addition to verifying and keeping records of their own users’ identities, exchanges and other service providers would have to pass customer information to each other when transferring funds, just as banks are required to do. This is known in the U.S. as the “travel rule”.

Many in the blockchain industry have argued that this practice is at best onerous if not completely unworkable with cryptocurrency and apt to drive users away from regulated platforms.

Industry representatives recently made a last-ditch effort to persuade the Financial Action Task Force (FATF), an intergovernmental body, to reconsider or delay the proposed standard.

About 200 to 300 people, ranging from chief compliance officers of top exchanges to regional bitcoin brokers, attended FATF’s consultative meeting in Vienna, Austria, on May 6–7 to voice their concerns.

But the regulators – particularly those from the U.S., which holds the FATF’s rotating one-year presidency – appeared set on finalizing the standard with at most minor tweaks, according to four people who attended the Vienna meeting and spoke to CoinDesk on condition of anonymity.

Sigal Mandelker, the U.S. Treasury’s Under Secretary for Terrorism and Financial Intelligence, reinforced that impression in a speech last week at Consensus 2019 in New York.

For one thing, she said the standard was on track for publication next month.

“During its presidency of the FATF, the United States has worked with other countries to clarify how all countries should regulate and supervise activities and providers in the digital currency space,” Mandelker said, adding:

“We anticipate that in June the FATF will adopt a final version of its Interpretative Note, along with updated guidance to further assist countries and industry with their obligations.”

While Mandelker did not mention the travel rule, she referenced the 30-page clarifying guidance on cryptocurrency released May 9 by the Financial Crimes Enforcement Network, or FinCEN, a bureau of the Treasury Department. That guidance cites the travel rule throughout as something cryptocurrency businesses must follow.

“I encourage you all to read it closely,” she said.

Square peg, round hole

The Group of 7 (G7) advanced economies created the FATF to combat money laundering and terrorist financing, and the proposed standard seeks to prevent such actors from exploiting crypto.

"Some of the features of emerging technologies that appeal most to users and businesses – like speed of transfers, rapid settlement, global reach, and increased anonymity – can also create opportunities for rogue regimes and terrorists,” Mandelker said in her speech.

At issue is a single paragraph in the interpretive note on "virtual asset service providers" (VASPs), a category that includes exchanges and hosted wallet providers, that FATF put out for public comment in February.

Paragraph 7(b) reads in part:

“Countries should ensure that originating VASPs obtain and hold required and accurate originator [sender] information and required beneficiary [recipient] information on virtual asset transfers, submit the above information to beneficiary VASPs ... and make it available on request to appropriate authorities.”

Likewise, when exchanges receive crypto payments on customers’ behalf, they should have to “obtain and hold originator information."

To Joseph Weinberg, co-founder of the blockchain startups Shyft Network and Paycase Financial, this is shoehorning digital currencies into analog-era practices.

While the travel rule and similar regulations were written for a world when funds were always sent through intermediaries, “cryptocurrency transactions can occur from person to person, machine, smart contracts, and any other infinite set of potential endpoints – not just exchanges or businesses,” noted Weinberg, who is also an advisor on blockchain issues to the Organisation for Economic Co-operation and Development (OECD).

He added:

“This would become excessively onerous to manage and could drive the entire ecosystem back into the dark ages.”

A compliance officer at a U.S. exchange was more measured in his assessment, calling the pending requirements feasible, but a "paper-chasing exercise" and a "nuisance" that won't further law enforcement goals.

"We'll end up bothering good customers and asking them for information we can't verify," the executive said.

Illustrating the challenge, Global Digital Finance (GDF), a trade group based in London, noted in an April comment letter to the FATF that unlike a wire transfer, which by design requires bank, branch and account numbers for the recipient, a crypto transaction requires only an address.

Hence, an exchange sending crypto on a customer’s behalf “does not know with any certainty who the destination address is owned by, as there is no register of such addresses and new addresses can be created at any time.” Indeed, the sending exchange can’t be sure whether the recipient address belongs to another business, regulated or otherwise, or to an individual.

Further, the proposed reporting requirements could easily be circumvented, GDF argued. For example, a customer could send funds from an exchange to a non-custodial wallet (where the user controls the private keys). The owner of that wallet could then send the coins to someone at a different exchange, and neither platform would have captured both sides of the transaction.

As such, the standard could have the unintended consequence of “encouraging P2P transfers via non-custodial wallets, which are significantly harder for law enforcement to track or control,” warned the GDF letter, which executives from U.S. exchanges Coinbase and Circle and even bank-owned enterprise blockchain firm R3 co-signed.

FATF has teeth

To be sure, even if the FATF does adopt the guidance with the contentious part intact, the requirements wouldn’t take effect overnight. Member countries would first have to pass legislation or write rules putting the recommendations into effect.

But make no mistake: the oft-used phrase “FATF recommendations” understates the organization’s influence.

"The FATF recommendations are not legally-binding international law; however, because the FATF's members – 36 economies and two regional bodies – include the largest and most important financial systems in the world, its rules have teeth,” said Julia Morse, Assistant Professor in the Department of Political Science at the University of California, Santa Barbara.

“When countries with large financial systems like the United States and the U.K. implement FATF standards, they change how international banks and financial firms do business globally. This creates downstream effects for countries that are not FATF members,” she said.

Further, the FATF examines member countries’ compliance with its standards, and those that don’t follow the standards can become pariahs in the global financial system.

“If non-compliance is severe enough, states/jurisdictions can be placed on a FATF graylist or, eventually, a blacklist. That serves as a strong warning to financial institutions around the world that transactions with those jurisdictions are suspect,” said Mark T. Nance an Associate Professor in the School of Public and International Affairs at North Carolina State University.

For now, industry members are awaiting the final guidance and hoping that governments will give them enough time to agree on a solution for sharing information among companies.

Industry leaders should be “recommending an extended adoption timeframe to ensure proper implementation and coordination across the industry implement,” Weinberg said.

There is some precedent for a grace period: FinCEN finalized the U.S. version of the bank travel rule in 1995 but due to required software changes it was not put into practice until 2004, according to American Banker.

Yet apart from the operational burdens on exchanges and hosted wallet providers, a travel rule-like requirement will likely be anathema to privacy-conscious crypto users.

Already uneasy entrusting their personally identifiable information (PII) to regular hacking targets, the cypherpunk crowd may chafe at having this sensitive data shared with yet more entities.

As Weinberg put it:

“This would eliminate pseudonymity as it pertains to any regulated entity and with it a significant portion of the basic appeal and premise of cryptocurrency.”

Sigal Mandelker image by Anna Baydakova for CoinDesk