The end of anonymity for Bitcoin et al.? The regulation of cryptocurrency under the fifth EU anti-money laundering directive
On 9 July 2018 the fifth anti-money laundering directive (EU) 2018/843 (AMLD 5) came into effect. EU member states must now convert it into national law by 10 January 2020. The new directive amends the fourth anti-money laundering directive (AMLD 4), which was due for conversion into national law not long ago, by the end of June 2017. AMLD 5 modifies and tightens various aspects of European AML law, including the treatment of cryptocurrencies such as “Bitcoin”, “Ethereum” or “Litecoin”.
The impetus for the new rules on cryptocurrency – in the terminology of AMLD 5 called “virtual currency” – was the assessment by the European Commission that transactions with virtual currency benefit from a higher degree of anonymity than standard bank transfers and therefore entail a risk that cryptocurrency may be misused by terrorist organizations (see European Commission draft directive for AMLD 5 dated 05.07.2016, p. 12). The Commission identified as further risks the “irreversibility of transactions, [the lack of] means of dealing with fraudulent operations, the opaque and technologically complex nature of the industry, and the lack of regulatory safeguards” (loc. cit.). The regulatory approach of the Commission and consequently of AMLD 5 is to control the servicers that provide access to cryptocurrency for the broad public, i.e. the “gatekeepers” for cryptocurrency. These are on the one hand the online trading platforms for cryptocurrency (“Exchanges”) and on the other hand the servicers for the safeguarding of access data for cryptocurrency (“Wallet Provider”).
The new AML rules for Exchanges and Wallet Providers
The essential purpose of an Exchange is to convert virtual currency into statutory currency like Euros or US-Dollars (defined as “Fiat money” by AMLD 5) and vice versa. Until now the AML regime for Exchanges has been inconsistent throughout the EU. In Germany, for example, Exchanges are subject to AML rules because the German financial supervisory authority BaFin considers Bitcoins etc. as so-called “units of account” (“Rechnungseinheiten”) and consequently as financial instruments (“Finanzinstrumente”) within the meaning of § 1 para. 11 sentence 1 No 7 German Banking Act (KWG). From the German law perspective, therefore, an Exchange provides a financial service which requires a license and which, at the same time, qualifies as an obliged entity under AML laws. In Austria, on the other hand, there is no license requirement for Exchanges, nor do Exchanges fall under the Austrian AML laws. This will change with the implementation of AMLD 5. Henceforth, AML regulations will apply to all Exchanges for cryptocurrency throughout the EU. This means that customers of an Exchange anywhere in the EU must undergo a full “Know Your Customer” (KYC) check in accordance with Art. 11 et seqq. of AMLD 5. Therefore, customers will have to be identified personally by their official identification document (in practice either personally in a cooperating bank or post office or through one of the recognized video identification procedures). The so-called beneficial ownership of the transaction needs to be clarified in accordance with Art. 30 et seqq. of AMLD 5. Exchanges must also set up, document and regularly update risk management procedures for anti-money laundering. And they must report suspicious transactions to the public authorities.
Wallet Providers are becoming obliged entities under AMLD 5 as well. This is an EU-wide novelty. Also new is the technical definition of Wallet Providers, which the directive's terminology calls “custodian wallet providers” (the term used in the official English version). According to the definition contained in Art. 1 para. 1 No. 19 AMLD 5, this means “an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies”.
On closer inspection, this definition considerably restricts the scope of AMLD 5. The “safeguarding” (“custodian”) aspect is a key element of the definition. Because of this “custodian” element, only those providers are bound by the money laundering regulations that can themselves access the cryptographic keys (so-called “Private Keys”) which are necessary to transfer units of virtual currency. As a result, Wallet Providers with a “Cloud” solution will be affected, i.e. providers where the Private Keys are stored on servers of the Wallet Provider so that the customer can access his or her wallet using various devices, through an App on the smartphone or through any PC with an internet browser. In this model, the Wallet Provider holds the customer access data (the Private Key) on trust for the customer. Wallet Providers offering this model will be bound by money laundering regulations in the future.
But there are also Wallet Providers who offer a software solution which allows Private Keys to be stored locally on the customer’s terminal (smartphone or PC). Sending and receiving units of virtual currency with these wallets is almost identical to “custodian wallets”, with the difference that the customer can access his or her wallet only through one device (meaning that if the smartphone or PC is lost or destroyed, the cryptocurrency that was accessed through that wallet will be irretrievably lost). AMLD 5 does not apply to providers who offer only this software solution.
This regulatory self-restriction makes sense because the last-mentioned providers are merely offering software for one-off download by the customer, normally without being able to monitor the executed transactions. These software providers are therefore unable to fulfil central obligations of the AML regime like the obligation to monitor and report suspicious transactions.
The EU lawmaker is well aware of this regulatory gap. AMLD 5 points out in recital 9: “The inclusion of providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers will not entirely address the issue of anonymity attached to virtual currency transactions, as a large part of the virtual currency environment will remain anonymous because users can also transact without such providers.”
Unclear “registration duty” for Wallet Providers and Exchanges
Another novelty is the requirement of “registration” for Exchanges and (Custodian) Wallet Providers, see Art. 47 para. 1 AMLD 5: “Member States shall ensure that providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, are registered …”.
AMLD 5 gives no further indication of what exactly this “registration” requirement means. But some conclusions can be drawn from the origins of AMLD 5. The European Commission performed a so-called “Impact Assessment” study in preparation of the draft directive. In this study, various regulatory options were considered: on the one hand regulation of virtual currency in the context of the AML directives, on the other hand regulation under the second EU directive on payment services (PSD 2). Regulation pursuant to PSD 2 would have meant significantly increased obligations for Exchanges and Wallet Providers, including official licensing procedures, requirements for equity reserves and detailed obligations on risk management and consumer protection. The study came out in favor of the former approach and against the latter, more restrictive PSD 2 approach (and the vast majority of EU member states who were consulted by the Commission in the context of the study agreed, see the detailed analysis of the genesis of AMLD 5 by Houben/Snyers in their recent study on virtual currencies conducted on behalf of the EU Parliament, of July 2019, p. 65). The main argument against regulation within the framework of PSD 2 was that this would require a comprehensive overhaul of PSD 2 in order to adapt it to cryptocurrency servicers. This was also seen as disproportionate with regard to the anti-money laundering goal.
For the upcoming conversion of AMLD 5 into national law, this means that it would not be in line with the motives of AMLD 5 to combine the registration obligation with material, qualitative requirements such as reliability or expertise requirements prior to allowing registration because this would come close to a PSD 2 type regulation which was expressly not intended. Moreover, AMLD 5 follows only the aim of anti-money laundering and of combatting terrorism financing, not financial market or consumer protection policies. Therefore, the “registration” requirement should be seen exclusively in the context of the new classification of Exchange and Wallet Providers as obliged entities under anti-money laundering law: the national supervisory authorities cannot monitor compliance by Exchanges and Wallet Providers with the new AML rules if the authorities do not know which Exchanges and Wallet Providers are active within the respective Member State. The registration requirement referred to in Art. 47 para. 1 AMLD 5 should therefore be understood as a duty to register and nothing else. It will be in the national lawmakers’ responsibility to determine the procedural details of this registration.
If one really wants to, it will still be possible after AMLD 5 to carry out financial transactions with cryptocurrency “anonymously” (i.e. without transparency to governmental authorities through the AML regime of identifying customers and reporting suspicious transactions). Virtual currency will still be transferable as an exclusive “peer-to-peer” transaction without regulated intermediaries as long as the users store their “Private Keys” locally on device-restricted electronic wallets. But if the virtual currency is converted into statutory currency, the users will have to approach an Exchange, i.e. an entity obliged under the AML rules. The Exchange will then need to identify the particular user and clarify the beneficial ownership of the transaction. Regulatory supervision of compliance with these rules will be supported by the new registration requirement for Exchanges and (Custodian) Wallet Providers.