The European Union’s recent proposal that centralized crypto exchanges and custody wallet providers must collect and verify personal data on self-custodial wallet holders demonstrates the dangers of recycling traditional finance rules (TradFi) and applying them to crypto without the conceptual differences to consider. We can expect to see more of this as countries attempt to apply the Financial Action Task Force (FATF) travel rule, originally designed for remittances, to the transfer of crypto assets.
The (missing) link between self-determination, control and identity
The aim of the proposed EU rules is to “ensure that crypto assets can be traced in the same way as traditional money transfers”. This assumes that any self-custodial wallet can be linked to a person’s verifiable identity, and that person necessarily controls the wallet. This assumption is wrong.
Related: Authorities are trying to fill the gap in non-hosted wallets
In TradFi, a bank account is linked to the verified identity of its owner, giving them control over that account. For example, if you share your online banking details with your partner, they do not become the account holder. Even if your partner changes their credentials, you can regain control by identifying yourself to the bank and having the details reset. Your identity gives you ultimate control that cannot be permanently lost or stolen. In return for the bank’s custody protection, you naturally lose sovereignty over your assets.
Crypto asset self-custody is different. Control (ie, ability to transact) over the self-custodial wallet rests with whoever holds the private keys to that wallet. Control is not tied to anyone’s identity and there is no one to prove your identity to. All you have to do is download a piece of software and securely store your private keys. In exchange for that responsibility, you retain self-sovereign ownership.
Implementation of the proposed rules
Let’s look at how a depot wallet provider would go about complying with the EU proposal. Suppose Alice wants to send 0.3 Ether (ETH) from her custodial wallet account to Bob’s self-custodial wallet to pay for Bob’s consulting services. Before the transfer is made, the custodial wallet provider would need to 1) collect Bob’s name, wallet address, residential address, personal identification number, and date and place of birth; and 2) verify the accuracy of such information. Broadly speaking, the same details would be required for a transfer from Bob’s wallet to Alice’s Depot wallet account. Alice would probably have to ask Bob to send her his details, and Alice would then provide it to the custodian wallet provider – as recently recommended by a custodian wallet provider in a similar context.
The rules would apply to even the smallest transactions – there is no minimum threshold. Custodial wallet providers might also need to hold incoming transfers (causing greater custody risks) and return them to the self-custodial wallet if verification is unsuccessful.
Related: Crypto in Canada: where are we today and where are we headed?
Identity does not equal control, which makes compliance impossible
While collecting data and potentially holding incoming transfers is operationally cumbersome, the risks of verification requirements may be downright impossible to comply with. In TradFi, the point of identity verification is to ensure that the person who claims to control a bank account is the same. But how could the custodial wallet provider comply with the verification requirement if control of Bob’s self-custodial wallet does not depend on his identity?
Even if the custodian provider was able to confirm that Bob is who he says he is, that doesn’t mean he controls the wallet. It could be controlled by a decentralized autonomous organization that redistributes payments to members like Bob or a criminal group, with Bob merely being their money mule. There is no third party to prove Bob’s identity to in order to conduct transactions – whoever controls the private keys is the “bank”.
Exposing legitimate users to disproportionate security risks
Let’s assume that deposit wallet providers manage to comply with the proposed rules or a less strict version of them that does not require verification. Custodial wallet providers would need to maintain large databases of self-custodial wallet users, exposing users to the risk of data breaches. For legitimate users, ie those who reveal their true identity and actually control the associated self-custodial wallet, this risk has far greater consequences than TradFi data collection (e.g. the FATF’s travel policy on remittances).
In TradFi, if a criminal compromises someone’s bank account or card, they won’t get very far since the bank can freeze the account. By definition, self-custodial wallets lack this feature. Self-sovereign ownership secured by cryptography and the user’s own vigilance is seen as a benefit by tens of millions of users worldwide, including those locked out of the banking system. However, self-sovereignty presupposes privacy.
Once privacy is compromised – for example by hacking the database of the self-managed wallet provider – users are exposed to an unfair risk compared to TradFi. Knowing an individual’s name, address, date of birth, and ID number along with their on-chain activity would make it easier for criminals to launch highly personalized phishing attacks that target users’ devices to obtain private keys , or to blackmail them, including threats to physical security. Once private keys are compromised, the user irrevocably loses control of their wallet.
Related: The loss of privacy: why we must fight for a decentralized future
As criminals will find ways to circumvent the rules — for example, by running their own nodes to interact with the blockchain without ever having to rely on custodial wallet providers or self-custodial wallet software — only the legitimate ones will Users have to bear these security risks.
Inconsistencies with the EU’s own policy framework
Security aside, the proposal raises broader privacy concerns. The reporting obligation would conflict with the principles of the General Data Protection Regulation (GDPR) such as data minimization, which requires that the data collected be adequate, relevant and limited to what is necessary for the purpose for which it was collected. Ignoring for a moment the argument that data collection serves little purpose, given the lack of a connection between self-custody control and identity, it’s hard to see – even by TradFi standards – how important or necessary the home address, date of birth and ID number are of a person are for a referral. While banks regularly store such data about their account holders, as the account holder you do not need to ask (and know!) these details when sending money or paying for a service.
It is also unclear how long depot wallet providers would need to store the data – according to the GDPR, personal data should only be kept for as long as necessary to fulfill the purpose of collection. It is also not clear how users’ individual rights under the GDPR such as the “right to be forgotten” and the “right to rectification” could be respected if their personal data is linked to their on-chain history that has not changed can be.
Related: Browser cookies are not consent: The new way to data protection according to the EU data protection regulation fails
The lack of a risk-based assessment or a minimum threshold (other than the €1,000 threshold for fiat transfers) is also not in line with EU policy principles. The proposal appears to treat all crypto transfers with suspicion simply because they involve crypto assets.
Now is the time to engage in dialogue with policymakers
Faced with the prospect of developing costly compliance processes that would likely not effectively enforce the rules, and risking penalties for non-compliance and potential data breaches, EU-based custody wallet providers might decide to restrict transfers to and from self-custody wallets altogether. You can also start serving EU users from outside the EU. This sends bad signals to the crypto industry and risks deterring tech talent and capital from the EU, similar to the recent departure of some crypto operators from the UK.
Related: Consolidation and centralization: How Europe’s new AML regulation will affect crypto
More users can also switch to peer-to-peer transactions and decentralized players to avoid the onerous rules. While this might be beneficial for some users, the EU should encourage smooth interconnectivity between centralized and decentralized actors and encourage users’ freedom to choose how to conduct transactions.
The proposal will now be negotiated between EU lawmakers from April 28, with the final text expected by the end of June. If the rule is adopted in its current form, there is still an opportunity to review it within 12 months of its entry into force. However, we cannot count on that – now is the time for the European crypto industry to coordinate and collaborate with policymakers. Rather than forcibly applying TradFi rules to an evolving technology, we should encourage outcome-based policies that allow for the emergence of novel compliance solutions that respect the way crypto works.
This article does not contain any investment advice or recommendation. Every investment and trading move involves risk and readers should do their own research when making a decision.
The views, thoughts, and opinions expressed herein are solely those of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Natalie Linhart is Legal Counsel at ConsenSys, where she advises on products such as MetaMask, NFT experiences and institutional staking. She also focuses on European regulatory issues affecting the crypto industry. She previously worked as a Financial Regulatory and Derivatives Counsel at Clifford Chance London, advising clients on launching financial products, accessing new markets and mitigating regulatory risk. She also worked on derivatives and debt capital markets transactions, including at a global investment bank.
https://cointelegraph.com/news/self-custody-control-and-identity-how-regulators-got-it-wrong How regulators got it wrong