The recent European Union proposal requiring centralized crypto exchanges and custodial wallet providers to collect and verify personal information about self-custodial wallet holders shows the dangers of recycling traditional finance (TradFi) rules and applying them to crypto without appreciating the conceptual differences. We can expect to see more of this as countries look to implement the Financial Action Task Force (FATF) Travel Rule, initially designed for wire transfers, to transfers of crypto assets.
- The (missing) link between self-custody, control and identity
- Implementing the proposed rules
- Identity does not equal control, making compliance impossible
- Exposing legitimate users to disproportionate security risks
- Inconsistencies with EU’s own policy framework
- Now is the time to engage with policymakers
The aim of the proposed EU rules is “to ensure crypto-assets can be traced in the same way as traditional money transfers.” This assumes that each self-custodial wallet can be linked to someone’s verifiable identity and that this person necessarily controls the wallet. This assumption is wrong.
Related: Authorities are looking to close the gap on unhosted wallets
In TradFi, a bank account is linked to the verified identity of its holder, giving them control over that account. For example, sharing your online banking details with your partner doesn’t make them the account holder. Even if your partner changes the login details, you can regain control by proving your identity to the bank and having it reset the details. Your identity gives you ultimate control which cannot be permanently lost or stolen. Of course, in exchange for the bank’s custody protections, you lose self-sovereignty over your assets.
Self-custody of crypto assets is different. Control (i.e., the ability to transact) over the self-custodial wallet is held by whoever has the private keys to that wallet. Control is not linked to anyone’s identity and there is no one to prove your identity to. All you need is to download a piece of software and safely store your private keys. In exchange for this responsibility, you maintain self-sovereign ownership.
Implementing the proposed rules
Let’s look at how a custodial wallet provider would go about complying with the EU proposal. Assume that Alice wants to send 0.3 Ether (ETH) from her custodial wallet account to Bob’s self-custodial wallet to pay for Bob’s consulting services. Before the transfer goes through, the custodial wallet provider would have to 1) collect Bob’s name, wallet address, residential address, personal identification number, and date and place of birth; and 2) verify the accuracy of these details. Broadly the same details would be required for a transfer from Bob’s wallet to Alice’s custodial wallet account. Alice would likely need to ask Bob to send her his details, and Alice would then provide them to the custodial wallet provider — as recently recommended by a custodial wallet provider in a similar context.
The rules would apply even to the smallest transactions — there is no minimum threshold. Custodial wallet providers would conceivably also need to withhold incoming transfers (creating greater custody risks) and return them to the self-custodial wallet if the verification is unsuccessful.
Related: Crypto in Canada: Where are we today, and where are we heading?
Identity does not equal control, making compliance impossible
While collecting data and potentially withholding incoming transfers is operationally cumbersome, the verification obligation risks are potentially outright impossible to comply with. In TradFi, the point of identity verification is to ensure that the person controlling a bank account and claiming to do so is the same one. But how could the custodial wallet provider fulfill the verification obligation if control over Bob’s self-custodial wallet does not depend on his identity?
Even if the custodial wallet provider managed to confirm that Bob is the person he purports to be, this doesn’t mean that he controls the wallet. It could be controlled by a decentralized autonomous organization that redistributes payments to members like Bob or a criminal group, with Bob merely being their money mule. There is no third party to prove Bob’s identity to in order to transact — whoever controls the private keys is the “bank.”
Exposing legitimate users to disproportionate security risks
Let’s assume that custodial wallet providers manage to comply with the proposed rules, or a less stringent version of them that does not require verification. Custodial wallet providers would need to keep large databases of self-custodial wallet users, exposing users to the risk of data breaches. For legitimate users, i.e., those who declare their true identity and also actually control the related self-custodial wallet, this risk has far greater consequences than TradFi data collection (e.g., FATF’s Travel Rule for wire transfers).
In TradFi, if a criminal compromises someone’s bank account or card, they wouldn’t get very far because the bank can block the account. By definition, self-custodial wallets lack this feature. Self-sovereign ownership, secured through cryptography and the user’s own vigilance, is seen as an advantage by tens of millions of users worldwide, including those who are excluded from the banking system. However, self-sovereignty presumes personal privacy.
Once privacy is compromised — for example, by hacking the custodial wallet provider’s database of self-custodial wallet users — users are left exposed to an unfair level of risk compared to TradFi. Knowing someone’s name, address, date of birth and ID number, together with their on-chain activity, would make it easier for criminals to launch highly personalized phishing attacks, targeting users’ devices to retrieve private keys, or blackmailing them, including threats to physical safety. Once private keys are compromised, the user irreversibly loses control over their wallet.
Related: The loss of privacy: Why we must fight for a decentralized future
Since criminals will find ways around the rules — for example, by running their own nodes to interact with the blockchain without ever having to rely on custodial wallet providers or self-custodial wallet software — it will only be the legitimate users who will have to bear these security risks.
Inconsistencies with EU’s own policy framework
Security aside, the proposal raises broader privacy concerns. The reporting obligation would clash with General Data Protection Regulation (GDPR) principles such as data minimization, which requires that collected data are adequate, relevant and limited to what is necessary for the purpose of collecting them. Ignoring for a moment the argument that data collection serves little purpose, given the missing link between self-custodial control and identity, it’s hard to see — even by TradFi’s standards — how someone’s residential address, date of birth and ID number is relevant or necessary for making a transfer. While banks regularly keep such data about their account holders, you as the account holder don’t need to ask (and know!) these details when sending money or paying for a service.
It is also unclear for how long custodial wallet providers would need to store the data — under GDPR, personal data should be kept only for as long as necessary to fulfil the purpose of collection. Nor is it clear how users’ individual rights under GDPR such as the “right to be forgotten” and the “right to rectification” could be respected if their personal details are linked to their on-chain history, which cannot be altered.
Related: Browser cookies are not consent: The new path to privacy after EU data regulation fail
The lack of any risk-based assessment or a minimum threshold (unlike the 1,000 euro threshold for fiat transfers) is also out of line with EU policy principles. The proposal seems to treat all crypto transfers with suspicion just because they involve crypto assets.
Now is the time to engage with policymakers
Faced with the prospect of developing costly compliance processes that would likely fail to effectively implement the rules, and…