Remarks before the European Parliament on Proposals for Self-Custodied (Unhosted) Crypto Wallets

Are Crypto-Assets Different?

A Forum hosted by the Vice President of the European Parliament in Collaboration with INATBA Finance WC

April 27, 2022

Vice President Kaili, thank you for the opportunity to participate in this important forum. Ever since I first set foot in Germany as a 16-year-old exchange student, I have been an admirer of, and participant in, the transatlantic relationship. It is always a delight to have opportunities like this to advance our shared journey.

I’ve been asked to talk about the Parliament’s legislative proposal requiring owners of self-custodied (or ‘unhosted’) wallets to share identifying information about themselves with exchanges and virtual asset providers whenever they transact, regardless of the size of the transaction in which they engage.

The proposal is part of several work streams aiming to fight illicit finance — an objective that deserves the public’s support. Money laundering provides the oxygen for drug traffickers, terrorists, illegal arms dealers, corrupt public officials, and others to operate and expand their criminal enterprises.[1] When money laundering goes unchecked, our institutions erode, the public safety is endangered, and the very stability of our markets and even monetary system can falter.

For this reason, regulators have long sought as the basis of their work information as to transactions most likely to serve bad actors threatening the integrity of the global financial system. In the United States, we undertook our journey in 1970 with the Bank Secrecy Act. At the time, regulators took a look at the existing technology to craft a system to exercise surveillance. With no tools available to observe transactions themselves, they did the next best thing: they required financial institutions, which did have access to the desired information, to report certain forms of suspicious activity. They also wanted a view of large scale transactions, and set an automatic reporting threshold for activities that were ostensibly larger than every day commercial transactions. Agencies around the world would model and eventually adopt similar strategies.

Fast forward a half century, and now, with the coming of crypto, regulators are faced with a novel financial and commercial market with unprecedented transparency and informational characteristics. The most important: unlike 1970, regulators have at their fingertips a means of independently and directly observing financial transactions as they take place.

As a consequence, regulators no longer need banks, exchanges or even crypto wallets to see the movement of digital assets. Governments, like every one else, can follow bitcoins and Ether on the blockchain as they move from address to address, and watch as they are used for illicit purposes. And they can employ in house capabilities or commercial forensics firms to observe where bitcoins from multiple addresses are spent in a single transaction, revealing multi-input schemes with one individual having control over both spender addresses, allowing investigators to lump them into a single identity.[2] De-anonymization can involve steps as simple as following the money until it lands at a wallet that can be tied to a known wallet, or one with an exchange where a simple subpoena strips away the myth of anonymization.[3]

Cryptocurrency on open blockchains possesses, in short, many qualities more transposable to fighting crime than enabling it. Immutability. Publicness. And Visibility.[4]

Which is why I believe the Parliament’s reforms deserve serious attention. They raise more than a question of surveillance. Or for that matter, even crypto. Instead, I interpret the debate as one that should most properly be understood as an expression of frustration with money laundering, and what the Parliament can do about it. Money laundering is estimated to be between a $800 billion and $2 trillion industry, and only $8 billion last year involved cryptocurrency.[5] Moreover, despite a rise in cyber-laundering — a development which does deserve continued attention — crypto transactions involving illicit addresses represented just 0.15% ($14 billion) of digital assets transaction volume in 2021.[6]

Against this backdrop, and with trilogue deliberations on the proposal beginning tomorrow, I’d like to frame today’s discussion along the lines of what crypto means for money laundering — and not the other way around. Taking the time to kick the tires on the technology helps to rigorously think through the tradeoffs of the proposal, and helps set the stage for thinking through where policymaking might be most effective.

As I mentioned earlier this year to FinCEN in a keynote address, distributed ledgers require policymakers to rethink from the ground up how to move AML/KYC strategy into the 21st century.[7] A basic tenant of AML/KYC has been, rationally, to keep people some out of markets, especially those who might do damage to the financial system. But that posture has come with the downside of “M&M surveillance” — hard on the outside, soft on the inside.[8] And actors able to evade SARs have considerable leeway to evoke havoc within financial systems once they pass initial screens.

Infrastructures like blockchain technologies invite a very different, and radical thesis: to let everyone ‘in’, and to use decentralized screens and the immutability of the blockchain to not only prevent, but also track bad actors. To learn from their habits and transactions. To create metadata that could be leveraged to not only keep bad people out, but to get good people, and especially the underserved, in.[9]

Taking the time to understand the technology also helps policymakers grasp just what transparency is already available, and the very risks of asking for more information without any rails or safeguards. It’s hardly hyperbolic to observe that the proposed rules depart from hard fought European principles embedded in GDPR. The proposed amendments would not only require owners of self custodied wallets to report their identities to exchanges and other virtual asset services providers. They would also require sharing additional personal information, possibly including addresses, birth dates, driver licenses or passport numbers, occupations, and phone numbers with private actors that are themselves often located abroad. And once shared, the information could be hacked, bought or purchased, or used in-house, to surveil individuals indefinitely. Additionally, both foreign and domestic VASPs — private actors — would be positioned to collect all past and future information on a European customer or transaction not otherwise exempted.

It is also worth noting that foreign governments would presumably have access to similar information and surveillance capacity. Because most governments impose reporting requirements on all transactions (crypto or otherwise), they, too, will have insight into address owners and their identities — and by extension, future commercial activities. This marks a considerable departure from even today’s BSA where suspicious activities must be reported, but FinCEN does not automatically have the ability to observe all transactions emanating from an account on an ongoing basis.[10] It also raises the prospect of individuals prompted to transact with VASPs in less well regulated jurisdictions out of fear of private sector, or government, surveillance.

Some of these questions do not have easy answers. But it is a journey the EU must take seriously — to ask how to combat money laundering effectively, and in ways proportionate to the risk, and commensurate with the EU’s longstanding values.

I do think that creating the right context for deliberations is essential. As a law professor living in Washington, D.C., I find it noteworthy that the EU lacks a Financial Intelligence Unit comparable to FinCEN, and that these discussions are taking place in the absence of any formal institutional apparatus to administer or enforce rules relating to digital assets, or anything else.

As many of you are well aware, EU member states are responsible for combating money laundering and terrorism financing, leading to uneven outcomes throughout the region, inefficiencies with industry, and difficulties in coordinating with international counterparts. Resources should be brought to bear to address this problem first. Coordination with Europe’s considerable cyber and forensics expertise in the private sector, perhaps in the form of an experts group, would be a great start. As would be building out Europol’s nascent European Financial and Economic Crime Centre (EFECC), and positioning it in ways to inform deliberations not only among member states, but in Brussels as well. By supporting technical experts familiar with the technology, strategies could be deployed to tackle the most challenging parts of the industry — issues like chain hopping and mixing services employed with the purpose of enabling money laundering — without getting bogged down in issues of limited relevance to the mission of fighting crime.

Europe can succeed, and so can the world, when we’re all focused on the issues that need smart policy solutions, now. Doing so requires institution building in ways that support effective and informed deliberation.

[1] John McDowell & Gary Novis, The Consequences of Money Laundering and Financial Crime, https://www.hsdl.org/?view&did=3549 (last visited April 25, 2022).

[2] Andy Greenberg, The Crypto Trap, WIRED, April 7, 2022, at 63, https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth.

[3] Id.

[4] See TRM Labs Explanatory Document, TRM tracks the poly network hack as attacker communicates in real time, https://www.trmlabs.com/post/trm-tracks-the-poly-network-hack-as-attacker-communicates-in-real-time-via-input-data (last visited Apr 25, 2022) (demonstrating how the flow of illicit funds from hacking can be traced as swaps are executed).

[5] United Nations Explanatory Document, Money Laundering, https://www.unodc.org/unodc/en/money-laundering/overview.html#:~:text=The%20estimated%20amount%20of%20money,goes%20through%20the%20laundering%20cycle (last visited Apr 25, 2022).

[6] Jonathan Levin, Written Testimony of Jonathan Levin, Co-Founder and Chief Strategy Officer

Chainalysis Inc. Before the U.S. Senate Banking Committee, (Thursday, March 17, 2022), https://www.banking.senate.gov/imo/media/doc/Levin%20Testimony%203-17-223.pdf. That is a quantum roughly equivalent to the $14 billion lost by consumers in just overdraft fees by banks in 2020. Michael Mosier, “Understanding the Role of Digital Assets in Illicit Finance,” Written Testimony Before the Senate Committee on Banking, Housing, and Urban Affairs (Thursday, March 17, 2022).

[7] Chris Brummer, FinCEN Black History Month Keynote, MEDIUM (February 23, 2022) at https://chrisbrummer.medium.com/fincen-keynote-address-february-23-2022-fb9ffd70a201.

[8] Id.

[9] For more, see Chris Brummer, Disclosure, Dapps, and DeFi, forthcoming, Stanford J. of Blockchain L. and Pol., https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4065143 (exploring how blockchain technology could help promote disclosure challenges found in legacy regulatory systems) (forthcoming).

[10] Instead, a specific (and separate) judicially-authorized legal process would be required.