On 5th July 2016, the European Commission (the “Commission”) published a proposal for a Directive amending the Fourth Money Laundering Directive (“Proposed Directive”), which sets out, amongst other things, to bring into scope currently unregulated virtual currency (VC) exchange platforms and custodian wallet providers. These entities would now have to carry out customer due diligence (CDD) measures and report suspicious transactions to the relevant Member States’ Financial Intelligence Units (FIUs).
This is intended to tackle the anonymity associated with VC and to make the information on the identity of users easily available to FIUs, although it is admitted that in itself this measure does not eliminate anonymity as VC can be traded without these intermediaries.
Our view is that a system of voluntary self-identification of VC users could be a ground-breaking development in the world of VC. Is it something that is coming further down the line or maybe a significant opportunity is being missed here?
Allowing self-identification of VC users is not immediately apparent as one of the measures which have been deliberated by the Commission as part of the changes concerning VC. The Explanatory Memorandum to the Proposed Directive only alludes that out of six options considered, the option maintained includes “allowing more time to consider options as regards a system of voluntary self-identification of virtual currency users”. This option, therefore, has not made it into the text of the Proposed Directive, apart from a reference in Recital (7), which states "the possibility to allow users to self-declare to designated authorities on a voluntary basis should be further assessed."
The Commission’s impact assessment sheds more light into what options were considered. The option of requiring mandatory registration of users was ruled out. The voluntary registration alternative included VC users self-identifying themselves to national authorities or to an international body such as the EBA (with acknowledged cost-efficiencies for the latter option). It has been put forward that this would enable FIUs to rapidly verify the identities of registered users1. It also has been correctly acknowledged that this could go a long way of “weeding out” criminals who would be unlikely to register.
Had this registration proposal made its way though, it could have provided a perfect solution for VC exchanges or custodian wallet providers for verifying the identity of its users. You can imagine a world where such a centrally-operated VC user register could operate akin to electronic identity verification databases, for example in the UK, where the information collected about the user is compared against the information held in databases for satisfying know-your-customer (KYC) obligations.
But perhaps this is wishful thinking.
Cost and complicated organisational implications provided an immediate barrier. Furthermore, in practice, would a national authority or the EBA be able to carry out this job? It is also not likely to be directly within the remit of the services to be provided by any such authority, without an explicit legislative mandate to make a register accessible to companies for CDD purposes (as, for example, has now been done in respect of company and trust ultimate beneficial ownership information registers).
Also, the effectiveness of any such register (to the FIUs as much as VC exchanges or wallet providers) is also only as good as the checks on the information submitted. For example, it was not clear if it would be part of the registration process to verify (let alone if it was to be to a standard that could be relied upon for CDD purposes) the identity of VC users. The impact analysis hints that the register was considered to only hold two data fields: the identity of the user and VC addresses2. If the identity of the users is not verified at this point, the whole exercise seems rather pointless as VC users could use bogus identities.
Although it seems that the voluntary registration was close to making it into the proposal, as it was part of the “preferred package” according to the Commission’s Impact Assessment3, perhaps it is not surprising it has not made it through to the Proposed Directive given that, alongside the proposed date of its transposition (December, 2016) there is very little time to resolve any questions, let alone determine how to implement the infrastructure for such registration.
So where does this leave the VC exchanges and custodian wallet providers?
Under the proposal they will have to perform CDD on their users, without the comfort of checking any register. The Proposed Directive also does not provide a comprehensive regulatory framework of VC exchanges/wallet providers as they will not be regulated in the same way as other payment service providers.
Without passporting, VC exchanges and custodian wallet providers will possibly have to get licensed or register in every single EU country they intend to provide VC-related services in and, given the nature of VC and ease of transfers, it is not likely to be immediately clear which competent authority they are now answerable to. Whilst the Proposed Directive allows flexibility in the methods employed to verify the identity of VC users, those who know anything about operating across Europe will know that differences in national implementation of directives often hinder successful replication and economies of uniform systems and controls around areas such as know-your-customer.
So could a trusted third party come forward to take on a voluntary registration outside the Proposed Directive?
This is clearly an opportunity for a global or at least EU trusted third party to take on and offer a real solution to I.D. for VC users. The key elements required, initially, are a secure trusted platform to hold the data and run the register, a fully verifiable and auditable KYC information gathering and verifying system, and a reputation both in technology, KYC and law that enables both the VC users and the regulators to accept it. So how could this voluntary register (VR) work and how could it be made commercially viable? Firstly, it would need to be easily accessible to all VC users in a viral way such that if you register you can also view your counterparty to see if they are also registered. If they are also registered you know they are trusted. You can also, with the counterparty's authority, get confirmation from the VR that they are who they say they are and that they have had their I.D. registered and verified. This also gives the opportunity for the VR to store different levels of I.D. verification to give different levels of clearance. In addition, in a similar way to Amazon and Uber, after each transaction each of the VC users could rate their counterparty and the cumulative rating could also be held on the VR for registered VC users to view. In this way, over time, the VR could become a very powerful tool in the VC community giving VC users a lot more confidence in the VC world and in turn really giving credibility and legitimacy to VC's.
Conclusion
What is clear is that any system of voluntary self-identification by VC users is still a long way off working in practice and at any rate not in a way that could be used by VC exchanges or custodian wallet providers as a meaningful source of information for know-your-customer purposes in time for Proposed Directive’s changes coming into force.
1 Commission, ‘Impact Assessment Accompanying the document Proposal for a Directive of the European Parliament and the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC’ SWD(2016) 223 final, para. 5.3.2.1.
2 Id., para. 6.3.2.1.1.
3 Id., para. 6.3.2.4.
