Amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) – HM Treasury (HMT) Consultation Paper (Consultation)
CryptoUK (CUK) and its members welcome the opportunity to comment on the Consultation regarding the various amendments proposed to be made to the MLRs.
In responding to the Consultation, we set out the views of our members and others in the community and seek to offer pragmatic relevant suggestions as to how we believe HMT is able to implement rules that achieve the outcomes intended whilst also enabling the competitiveness of the UK in being a destination for the burgeoning cryptoasset market.
56. Do you agree with the overarching approach of tailoring the provisions of
the FTR to the cryptoasset sector?
CUK and its members are supportive of HMT’s efforts to ensure that payments that run the risk of money laundering and terrorist financing are detected and recorded. We understand the importance for both financial institutions and regulators in understanding the identities of the originators and beneficiaries of a single payment. On the basis that Recommendation 16 of the FATF Recommendations (R.16) has been implemented in UK law via the FTR, CUK and its members agree that tailoring the relevant provisions of the FTR to the cryptoasset sector is appropriate to ensure a suitable level of consistency between the implementation of R.16 for fiat transactions and cryptoasset transactions, in order to not put the UK’s cryptoasset market participants at a disadvantage to their corresponding fiat market participants.
However, whilst we agree with the intention of the Consultation’s proposals and the
approach of providing a detection framework tailored to the cryptoasset sector, we
disagree with certain aspects of the Consultation’s requirements which we consider
give rise to both direct and indirect unintended implications which have, amongst other
consequences, the ability to stifle the cryptoasset industry in the UK. We set out our reasons for disagreeing with the Consultation’s requirements and proposed solutions in Q.63 below.
57. In your view, what impacts would the implementation of the travel rule have on businesses, both in terms of costs and wider impacts? Please provide evidence where possible.
58. Do you agree that a grace period to allow for the implementation of technological solutions is necessary and, if so, how long should it be for?
CUK and its members agree that implementation should be subject to a grace period. Permitting an extended implementation period would enable VASPs of all sizes to implement compliant solutions to the travel rule.
We consider that a one year grace period would be sufficient to enable firms to enact the requirements. If HMT enacts a grace period, we would propose the grace period applies to all of the Consultation’s recommendations simultaneously.
However, if HMT is minded to stagger the grace periods by reference to differing obligations within the Consultation, we would strongly suggest that HMT considers providing separated phase-in periods for: (i) the obligation to ensure that the personal information of the originator and beneficiary is transmitted and received alongside the transfer (as described in paragraph 6.10 of the Consultation); and (ii) the remaining travel rule framework as set out in the Consultation (e.g. relating to linked transactions as set out in paragraph 6.11 of the Consultation, and the prevention of access by the beneficiary to the transmitted cryptoasset as set out in paragraph 6.28 of the
Our reason for proposing a staggered grace period, if HMT is so minded, is to ensure the mitigation of the risks arising from the ‘sunrise issue’ whereby firms in jurisdiction that have already enacted R.16 are placed at a commercial advantage to firms established in jurisdictions which have not enacted R.16. In essence, firms in the former jurisdictions will refuse to, or are otherwise unable to conduct business with firms in the latter jurisdiction, leading to firms in the latter jurisdiction being effectively exiled from international cryptoasset business. Given that the core tenet of R.16 is to
ensure that the beneficiary “information remains with the wire transfer or related message throughout the payment chain”, enacting requirements as to this element of the Consultation first would assist with mitigating any negative impacts on UK firms of the sunrise issue, and thereby mitigate the risk to the UK industry of falling behind the curve internationally.Supplementing this, we would encourage HMT to engage with regulators in global centres to ensure consistent application of the travel rule, both as to content and timing.
59. Do you agree that the above requirements, which replicate the relevant provisions of the FTR, are appropriate for the cryptoasset sector?CUK and its members believe that the following requirements referenced in the Consultation from the FTR are appropriate for the cryptoasset sector: information accompanying transfers of cryptoassets; validation of information and detection of missing information; and information retention, protection and sharing.
However, we do not believe that the obligations on intermediary cryptoasset service providers is appropriate in its current formulation for the cryptoasset sector. This is on the basis that the definition of ‘intermediary cryptoasset service providers’ is drafted too widely as it captures: i) all intermediary cryptoasset service providers involved in the transfer of cryptoassets, regardless of whether those intermediaries have control
over the transfer or not; and ii) intermediaries that are indirectly acting for the beneficiary or originator’s cryptoasset service provider, which may bring into place actors that are not responsible for the transfer.
We understand that HMT is proposing to conduct additional ‘deep-dive’ roundtables on this point, and we would be keen to attend and provide our observations.
60. Do you agree that GBP 1,000 is the appropriate amount and denomination of
the de minimis threshold?
CUK and its members appreciate HMT’s proposal to include a de minimis threshold below which limited beneficiary information may be provided.
Having said that, the application of a de minimis threshold risks increasing the complexity of the rules such that they become difficult to police internally, particularly given the system requirements required to determine the real-time application of the de minimis threshold in an environment where cryptoasset values fluctuate compared to the relatively small fiat amount that is being proposed as the threshold. The result is that compliant firms risk adding an unnecessary layer of complexity in their implementation and monitoring of a rule that is already complex to implement, whilst firms and less compliance-focused competitors may be able to misuse the application of a de minimis threshold, particularly in light of cryptoasset businesses’ unique selling point involving anonymity and the ease and cost-efficacy of payments outside of the normal fiat checks.
CUK and its members would also highlight that consideration of other jurisdictions’ implementation of the de minimis threshold is key. Whichever threshold the UK implements, UK firms will be forced in practice to implement the strictest threshold for international transfers. Whilst FATF appear to recommend USD 1,000, we understand that other major jurisdictions are considering implementing the travel rule with a de minimis threshold lower than USD 1,000. In this circumstance, the practical application of the travel rule for UK firms will likely follow the lower threshold major jurisdiction’s.
We also believe that the responsibility for calculating whether the de minimis threshold has been reached should be on the receiving VASP on the basis that such a VASP will likely have more information on the transactions entered into by the beneficiary on which is acts – this is particularly pertinent in the case of transactions originating from different originator VASPs that are made to the same beneficiary.
CUK and its members would also encourage HMT to consider whether a de minimis threshold is appropriate for intragroup transfers. As with many pieces of financial services regulation, intragroup transfers are typically exempt or subject to lighter-touch requirements in the provision of data to regulatory authorities – for instance, we note the exemption from the various reporting requirements under the European Markets Infrastructure Regulation (648/2012(EU)). To avoid unnecessary reporting that does not further support HMT’s intention in enacting the travel rule, we would recommend that all intragroup transfers between group entities are exempted from HMT’s
61. Do you agree that transfers from the same originator to the same beneficiary
that appear to be linked, including where comprised of both cryptoasset and fiat
currency transfers, made from the same cryptoasset service provider should be
included in the GBP 1,000 threshold?
Whilst CUK and its members are cognizant of HMT’s rationale for this requirement – to avoid arbitraging any de minimis threshold – we would encourage HMT to make a distinction in the treatment between wholly linked cryptoasset transfers and linked cryptoasset and fiat currency transfers.
Our rationale for making such a distinction is because it is not clear how either a fiat currency PSP or a cryptoasset VASP can each be made responsible for transactions that are differing in nature. For instance, this would require additional messaging systems and agreement on the estimation of the cryptoasset component’s value, as between the fiat currency PSP and the cryptoasset VASP.
CUK and its members would also request additional clarity and guidance over what it means to link transactions in general. Under the FTR, our understanding that linking transactions has been applied inconsistently – for instance, as to the timeframes in which to link transactions and also across separate institutions. We would therefore recommend that additional guidance is provided and that this guidance is consistent as between both the FTR and the Consultation’s proposals.
62. Do you agree that where a beneficiary’s VASP receives a transfer from an unhosted wallet, it should obtain the required originator information, which it need not verify, from its own customer?
CUK and its members are of the view that the requirement for beneficiary VASPs to not verify the required originator information from its customers is correct. For HMT to legislate otherwise would put undue burden on the VASP and potentially open the VASP to unnecessary liability.
63. Are there any other requirements, or areas where the requirements should differ from those in the FTR, that you believe would be helpful to the implementation of the travel rule?
CUK and its members disagree with certain aspects of HMT’s proposals for implementing certain provisions of the FTR. Our main point of disagreement concerns data privacy. This is because the requirement for personally identifiable information to stay with the transfer throughout the payment chain risks undermining the direction of wider data privacy regulation at a time when data privacy is becoming increasingly important to both regulators and users of such services alike. For instance, as the travel rule requires the sharing of information that includes both the physical location (where above any enacted de minimis threshold) and possibly the value of the beneficiary’s held cryptoassets, there is an inherent risk to individual privacy and to personal safety which can arise from: i) hacks and personally identifiable information leaks and abuse of collected information for identity theft; ii) transaction IDs being used to determine how much of the relevant cryptoasset the holder controls; iii) physical and cyber attacks against holders; iv) fake VASPs masquerading as legitimate VASPs to collect such information; v) the monitoring of transactions by oppressive regimes; and vi) denial of service attacks. By way of example of the malicious focus on cryptoasset users’ wallets, the wallet provider – Ledger’s – 2020 data leak of 270,000 pieces of detail information led to numerous phishing campaigns and physical deliveries of compromised hardware wallets to unsuspecting Ledger wallet owners.
As a result, CUK and its members propose that HMT includes a qualification to the
travel rule to the effect that “equivalent controls are achieved via alternative message/information flows” (Qualification). The incorporation of the Qualification means that alternative protocols are able to be devised which can facilitate the intention of the travel rule, whilst also addressing, primarily, the data privacy concerns noted previously. For instance, we note the whitepaper issued by the Travel Rule Information Sharing Alliance (TRISA) which seeks to provide a chain analysis-style protocol by which the information necessary to identify AML/CTF malfeasance is maintained whilst also ensuring privacy concerns are responded to – please see their white paper here: DRAFT: Privacy-Preserving Travel Rule Compliance V2 – Trisa.io. TRISA’s solution demonstrates how encrypted envelopes and zero knowledge proofs can work together to allow entities to comply with the spirit of relevant regulations whileprotecting user privacy and enabling regulators to receive the information needed to provide effective supervision. We understand that this whitepaper has been presented for consideration by the US Department of the Treasury’s FinCEN and has been
It further seems appropriate for the law to recognise purposive rules and guidance to enable the furtherance (and avoid unintended stifling) of the UK’s position in remittance style solutions involving cryptoassets transactions. For example, if the UK makes prescriptive requirements in respect of the travel rule, jurisdictions in which entities are provided more flexibility as to the rule’s implementation will likely see an influx of cryptoasset service providers. Given the international nature of the payment services and, more narrowly, the cryptoasset industries, jurisdictions in which firms are offered flexibility whilst abiding by the intention of the travel rule are likely to win
out when it comes to attracting innovation.
As mentioned previously with respect to the TRISA proposal, a proportionate approach would appear to be to enable firms to undertake chain analysis-style checks that the cryptoassets used for the purpose are not tainted in any way. We are happy to provide HMT with further comment and insight into how solutions would operate within the spirit of the travel rule.
If a non-purposive/prescriptive approach is taken, HMT will allow a situation where some firms operate non-compliant solutions because there may be limited solutions available for firms that need to comply with the requirement, or such solutions are not cost effective for smaller VASPs given that they are provided by third party providers. This may risk the viability of the UK as a destination for cryptoasset firms and oversight by UK regulators of end-users. Other firms who are focused on compliance will then stifle innovation since there are limited ways of operating where they are confident that they will be operating compliantly. The undermining of the UK as a destination for cryptoasset businesses is also exacerbated by the ‘sunrise issue’ which we have
discussed in Q.58 above.
We would also note that we would encourage HMT to revisit its treatment of intermediary cryptoasset services providers; we have provided commentary on this in Q.59.