In the beginning, Bitcoin was anonymous, which allowed for transactions without any knowledge of the other party besides their account number. With the substantial growth of Bitcoin and the crypto market comes the increased risk of criminal financial activity and regulator demands for more Know Your Customer (KYC) procedures. Now, KYC requirements for crypto wallets are under consideration.
While ensuring fair and safe markets is vital, people also have a reasonable right to financial privacy. The public expects protection from financial crimes such as fraud, money laundering and tax evasion. But the promise of crypto to offer decentralized peer-to-peer transactions without interference is a powerful model for economic growth and self-sovereignty.
When it comes to crypto, how can the needs of society be balanced with the needs of a person? Can both crypto privacy and oversight be attainable? Can unhosted crypto wallets be regulated in a clear, reasonable and fair manner?
Anonymity as a feature
The original purpose of Bitcoin was to create a peer-to-peer electronic cash system that does not need trusted third parties. By using a public ledger (blockchain) and a provable mathematical model, there’s no need to have banks or other organizations verify transactions.
The ability to bypass organizations is one of the key selling points for cryptocurrencies. They don’t rely on governments and institutions changing policies or determinations. They operate based on math, and people can transact freely without censorship or judgment.
While the public element provides the transparency to ensure that transactions are correctly recorded, it also displays all activity of an account. But “privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous.” Using this technique doesn’t provide true anonymity but rather pseudo-anonymity.
This pseudo-anonymity of the public keys is key to the debate; if a public key is known, all the transactions that occur from the account are traceable to the owner of that public key.
In the early years of Bitcoin, there was little effort put into discovering or tracing public keys. One result is that money launderers and criminals seized upon this privacy to transfer and hide their ill-gotten gains. As crypto gained in popularity, law enforcement discovered ways to uncover public keys and trace the activities of criminals. But these investigations are complex.
Financial accounts require financial regulations
To help ensure that the growth of crypto doesn’t hinder the fight against financial crime, lawmakers and regulators are expanding KYC requirements for the industry.
Crypto exchanges that provide the ability to buy or sell virtual assets (such as crypto) with fiat currency (such as the U.S. dollar) are the most obvious to fall under the scope of these regulations. These centralized exchanges represent the most significant portion of crypto accounts and transactions. As they deal with money and have obvious account creation requirements, there are clear parallels with traditional financial accounts. As other financial accounts have long required KYC, many jurisdictions have deemed that crypto follows similar practices.
While every jurisdiction is different, in general any country where centralized crypto exchanges operate requires KYC, whether through rulings, guidance, new legal additions or entirely new laws. Having an account means the exchange knows your public key and can connect transactions to your identity. And, if requested, they could provide this information to law enforcement or government officials.
Regulating decentralized innovations
As noted, crypto was initially about peer-to-peer transactions, so no central intermediary is needed by design. Transferring crypto funds only requires knowing the crypto account number of the other account.
A person can receive, store or send crypto to other accounts using crypto wallets. These wallets can also perform transactions through decentralized exchanges that match buy and sell requests.
It’s important to note that these crypto wallets and decentralized exchanges are fundamentally software code; they don’t need:
- An owner
- An operator
- A jurisdiction
- Any connection to a named person or legal entity
For many crypto enthusiasts, this is ideal, as this decentralized architecture bypasses what they see as authoritarian controls. For many regulators, these decentralized wallets and services are a loophole that threatens a flood of tainted, hard-to-trace funds.
Tracking all transfers of crypto-assets
Financial regulators exist to ensure fair and safe markets, limit financial crime and control money laundering. It’s not surprising that some regulators are looking to outlaw anonymous crypto wallet transactions.
In the EU, new proposed AML regulations include requirements that “all transfers of crypto-assets will have to include information on the source of the asset and its beneficiary, information that is to be made available to the competent authorities.” The proposal includes crypto wallets.
Ernest Urtasun, one of the drafters of the legislation, states:
“Criminals thrive where rules allowing for confidentiality allow for secrecy and anonymity. With this proposal for a regulation, the EU will close this loophole.”
The crypto industry is united in opposition to this legislation and points out that the new requirements:
- Go beyond FATF recommendations
The Financial Action Task Force October 2021 Guidance for Virtual Assets and Virtual Asset Service Providers suggests “risks related to P2P transactions should be monitored in an ongoing and forward-looking manner.”
- Conflict with GDPR standards
Providing Personally Identifiable Information for every transaction poses privacy and security risks and goes against the philosophy of data minimization (collect only necessary information).
- Are technically impractical, if not impossible
Centralized exchanges control access to accounts and are able to collect and be accountable for KYC information. With decentralized transactions, what party is responsible for KYC? Is a person expected to collect, verify and properly manage another person’s KYC information?
Coinbase’s Chief Policy Officer Faryar Shirzad posits:
“For transactions with self-hosted wallets, requiring the widespread collection, record holding, and verification of wallet data is hugely harmful. The verification requirement, in particular, is almost impossible to satisfy, raises serious privacy issues and should be fixed.”
Pascal Gauthier, CEO of hardware wallet maker Ledger, notes the regulations “could ultimately cost the European Union billions in economic damage, tens of thousands of jobs, and force the Web3 revolution out of the EU.”
Most industry participants are not against regulation, but this proposal has raised serious concerns.
In the U.S., FinCEN proposed Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets, which also mentions unhosted wallets. The proposal would require banks and money service businesses to verify the identity of their customer and file a report with the transaction and counterparty information if:
- A counterparty is using an unhosted wallet, and
- The transaction is greater than $10,000.
The proposal drew a significant number of comments and was ultimately pulled off the table. Still, it indicates FinCEN’s intent to not allow unhosted wallets to become a significant loophole for untraceable funds, and many expect the proposal to be revived in some form.
Protecting privacy and the public
While neither the EU nor the U.S. has passed specific requirements around the use of anonymous crypto wallets, it seems to be a matter of time. Such wallets seem to fall under travel rule “obligations to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities.”
Taking action now, both operationally and by educating regulators about risks and solutions, is prudent. Recommended initiatives include:
- Using blockchain analytics to understand transaction flows and uncover potentially problematic accounts to help reduce risk.
- Working with industry groups such as the Travel Rule Protocol and the Travel Rule Information Sharing Alliance to build standard solutions and create tools that meet the needs of both industry and regulators.
- Deploying crypto wallet tracking and monitoring technology that flags accounts connected with criminals, sanctions or money laundering.
- Performing solid initial and ongoing KYC procedures on all accounts to respond to any audit or information request confidently.
- Being involved with regulators regularly to better understand what they are looking for and to help guide your compliance program.
- Continuing to innovate. Crypto is among the most innovative sectors, and compliance innovations can help the industry produce significant growth.
For the crypto industry to become fully mainstream, it needs to ensure that it fosters legitimate financial activities and limits financial crime. The industry can’t grow to its potential if the perception is that it’s filled with con artists and criminals.
But privacy is fundamental to the functioning of modern free societies. Putting onerous monitoring obligations on crypto transactions can provide extraordinary surveillance abilities for governments beyond a reasonable scope.
Cash is private. There is value in ensuring new digital transaction forms that emerge are equally private for most accounts and transactions. Taking a risk-based approach that focuses risk controls on where the problems are and not mass restrictions will better serve the needs of people and the public.
The potential of decentralization does not need to sacrifice security. We can create trustworthy peer-to-peer electronic cash systems that protect both privacy and the public.