Response to consultation on Guidelines on preventing the abuse of funds and certain crypto-assets transfers for ML/TF (Travel rule Guidelines)

Question 1. Do you agree with the proposed provisions? If you do not agree, please explain how you think these provisions should be amended, and set out why they should be amended. Please provide evidence of the impact these provisions would have if they were maintained as drafted.

I refer to the published travel rule draft guidance in regard to self-hosted addresses with transfers over 1000 EURO involving CASPs/PSPs (covered in section 8 - Transfers of crypto-assets made from or to self-hosted addresses (Article 14 (5) and Article 16 (2) of Regulation (EU) 2023/1113)).

I would like to highlight one significant aspect of self-hosted addresses that I could not see addressed in the Consultation paper or acknowledged in the public hearing discussion that I attended.

I wholeheartedly agree with the need for greater transparency in cryptocurrency transfers to prevent money laundering/tax evasion and TF. I also agree that, where possible, crypto asset transfers follow the same rules as in traditional finance transfers, for example a direct transfer of funds via SEPA from one provider to another.

When you send a SEPA transfer from a bank account to another bank account between two providers, the receiving provider can expect to be made aware of a basic level of personal information about the client (such as name of account owner), along with their account details under current travel rules (as I understand them).  

However, with self-hosted cryptocurrency addresses or ‘wallets’, the public address hash can be used to reveal every interaction done on the history of the wallet, through open source blockchain explorers. 

Because the nature of self-hosted wallets is such that a public address allows anyone to view the history of the wallet on the blockchain, as soon as a public address has been verified as linked to an individual, whoever holds this data has greater private information about the client available to them compared to what they would have with a traditional payment transfer subject to travel rules.

When service providers receive this information or potentially even share it with third parties, they are not only sharing a public account reference and a client’s name, but also the interaction/transaction history of the wallet dating back to wallet creation along with any other associated public wallets, and pre-dating any interaction with the service provider in question.

The act of linking an address to a person immediately changes the nature of the data associated with it. This privacy aspect in regard to linking these wallet types to their owners is something that should not be dismissed.

I would therefore recommend the EBA give greater consideration to the enhanced level of personal information that will be held by applicable providers enforcing travel rules on these transfers. This presents risks both to the provider and the user sacrificing their information - if the data were to be lost or hacked, this could put the provider’s clients at significant risk and therefore comes with a greater risk of reputational harm to the providers themselves. It also raises the question of whether it is suitable or necessary for CASPs/PSPs to hold this level of client data, especially given many CASPs may be start-up companies, subject to historically limited regulation and without a long history to have earned client trust.

I would recommend steps to enforce limits on how this enhanced level of personal data should be shared, stored and maintained, whilst still maintaining the goals of increased transparency in certain transfers. 

Greater emphasis should be placed on protection of client data and only obtaining the minimum that is needed to ensure mandatory source of funds information is satisfied in the context of the specific transaction or business relationship. Providers should be obliged to provide users information on exactly to what degree their data will be shared (if applicable) – with whom and for what purpose, and how long it will be stored for.

I would also recommend that CASPs following these rules and collecting this data be carefully monitored to ensure they have, at a minimum, an industry standard implementation of information security measures in order to protect their users from data compromises.

Name of the organization

St James's Place