New customer identification rules pose a problem for cryptocurrency exchanges

A ruling by an important inter-government financial oversight body will force regulators of cryptocurreny exchanges to make privacy more difficult. The Financial Action Task Force (FATF) issued a final recommendation on June 24 that effectively forces all 38 member countries—and many others besides—to impose strict anti-money laundering (AML) requirements with substantial know your customer (KYC) data on cryptocurrencies that attempt to end the anonymity built into their DNA ever since Bitcoin.

FATF members have until June 2020 to enact regulations that impose identification requirements on both exchanges and their customers.

The problem, blockchain AML/KYC and intelligence firm Chainalysis wrote in a public comment to the FATF in April, is that “[v]irtual assets were invented to reduce the dependence on intermediaries in financial transactions … This poses a unique challenge for financial regulators, as they have traditionally deputized monitoring to regulated intermediaries.”

What the FATF rules do is force cryptocurrency exchanges to be those deputized middlemen, performing the KYC/AML duties that banks currently do with fiat currency transactions.

While the “recommendations” are technically voluntary, it’s important to understand that what the FATF wants, it gets. It’s members include all of the G20 (although Saudi Arabia’s membership is through the Gulf Co-operation Council). Any country—not just members—that does not follow its recommendations is put on a blacklist that effectively kicks it out of the world’s financial system—an economically ruinous outcome.

First off, the new rules require all cryptocurrency exchanges and other money transmitters—virtual asset service providers (VASP) in FATF lingo—to get licenses where they were created or, if a “natural person,” where they reside and do business. This does not apply to VASPs that are already licensed as financial institutions.

VASPs must also be required to monitor and report any suspicious transactions, which means they have been appointed that regulated monitoring intermediary.

Second, member countries must also establish supervisory and enforcement agencies, and “dissuasive” civil or criminal penalties for both the VASP and their executives and directors. Industry self-regulatory bodies are not acceptable.

Third, any transaction of more than 1,000 U.S. dollars or euros must be scrutinized by VASPs for the name and address, as well as the date and place of birth, or the customer or national identity number of the originator of any transaction. The name and an account number (such as a digital wallet) of the recipient must also be tracked. While this tracking information need not be attached directly to the transaction, it must be retained and available to authorities.

Taken together, what this means is that cryptocurrency transactions must be treated like normal banking transactions.

In a suggestive addition, FATF added, “[s]ome countries may decide to prohibit virtual asset activities based on their own assessment of the risks and regulatory context, or to support other policy goals.”

The problem with all this is not just that the FATF’s new AML/KYC and terrorist financing requirements are difficult to manage, costly to implement, and defeat the privacy that is among the core features of decentralized cryptocurrencies from bitcoin on. It’s that they may not even be technically possible, according to the statement made on April 8 by Chainalysis COO Jonathan Levin and Global Head of Policy Jesse Spiro to the FATF.

In urging the organization not to adopt the recommendations it just did, Levin and Spiro said, “virtual assets are designed to provide a way to move value without the need to identify the participants in a transaction. In fact, in most circumstances, VASPs are unable to tell if a beneficiary is using a VASP or their own personal wallet in any given transaction. Therefore, requiring a transmission of information identifying the parties is not feasible.”

One result of these regulations would be to drive cryptocurrency traders to decentralized and peer-to-peer exchanges, which don’t have central managers or executives to penalize, they wrote.

This would actually make cryptocurrency transactions harder to trace, as blockchain intelligence companies like Chainalysis, as well as “regulators, law enforcement, and banks, can leverage blockchain analytics tools to identify suspicious activity and mitigate money laundering, terrorism financing, and other illicit activity,” said Spiro and Levin. And as centralized exchanges do collect KYC data, these suspicious transactions—which can be identified through public keys—can be traced to individuals. With decentralized exchanges (DEX), they can’t.

It’s also unclear how DEX’s will fare under the new FATF rules. Note that FATF comment about countries choosing to “prohibit virtual asset activities,” due to risk, regulatory needs, or other policy goals.

Even if DEXs remain legal, people using them will face tighter regulations. under guidance issued on May 9 by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), DEXs in the U.S. freed escaped being classified as money services businesses (MSB) which must collect KYC and AML data. Individuals acting as or using P2P exchanges did not, which FinCEN made clear with a recent enforcement action.

On April 18, FinCEN assessed its first civil penalty on an individual, Eric Powers, for acting as a money transmitter without following the Bank Secrecy Act’s reporting requirements. Powers was fined $35,000 and barred from acting as an MSB.

“Obligations under the [Bank Secrecy Act] apply to money transmitters regardless of their size,” said FinCEN director Kenneth Blanco, in a statement. By failing to follow the rules, even individuals like Powers “put our financial system and national security at risk and jeopardize the safety and well-being of our people, as well as undercut responsible innovation in the financial services space,” he added.