CryptoUK and Members Respond to HM Treasury Amendments to the Money Laundering Regulations 2017 Consultation (Oct 2021)
CryptoUK News
  • 13 October, 2021

Amendments to the Money Laundering, Terrorist Financing and Transfer of
Funds (Information on the Payer) Regulations 2017 (MLRs) – HM Treasury (HMT)
Consultation Paper (Consultation)

CryptoUK (CUK) and its members welcome the opportunity to comment on the Consultation regarding the various amendments proposed to be made to the MLRs.

In responding to the Consultation, we set out the views of our members and others in the community and seek to offer pragmatic, relevant suggestions as to how we believe HMT is able to implement rules that achieve the outcomes intended whilst also enabling the competitiveness of the UK in being a destination for the burgeoning cryptoasset market.

Consultation questions

56. Do you agree with the overarching approach of tailoring the provisions of
the FTR to the cryptoasset sector?

CUK and its members are supportive of HMT’s efforts to ensure that payments that run the risk of money laundering and terrorist financing are detected and recorded. We understand the importance for both financial institutions and regulators in understanding the identities of the originators and beneficiaries of a single payment. On the basis that Recommendation 16 of the FATF Recommendations (R.16) has been implemented in UK law via the FTR, CUK and its members agree that tailoring the relevant provisions of the FTR to the cryptoasset sector is appropriate to ensure a suitable level of consistency between the implementation of R.16 for fiat transactions and cryptoasset transactions, in order to not put the UK’s cryptoasset market participants at a disadvantage to their corresponding fiat market participants.

However, whilst we agree with the intention of the Consultation’s proposals and the approach of providing a detection framework tailored to the cryptoasset sector, we disagree with certain aspects of the Consultation’s requirements which we consider give rise to both direct and indirect unintended implications which have, amongst other consequences, the ability to stifle the cryptoasset industry in the UK. We set out our reasons for disagreeing with the Consultation’s requirements and proposed solutions in Q.63 below.

57. In your view, what impacts would the implementation of the travel rule have
on businesses, both in terms of costs and wider impacts? Please provide
evidence where possible.

N/A

58. Do you agree that a grace period to allow for the implementation of
technological solutions is necessary and, if so, how long should it be for?

CUK and its members agree that implementation should be subject to a grace period.
Permitting an extended implementation period would enable VASPs of all sizes to
implement compliant solutions to the travel rule.

We consider that a one year grace period would be sufficient to enable firms to enact
the requirements. If HMT enacts a grace period, we would propose the grace period
applies to all of the Consultation’s recommendations simultaneously.

However, if HMT is minded to stagger the grace periods by reference to differing
obligations within the Consultation, we would strongly suggest that HMT considers
providing separated phase-in periods for: (i) the obligation to ensure that the personal
information of the originator and beneficiary is transmitted and received alongside the
transfer (as described in paragraph 6.10 of the Consultation); and (ii) the remaining
travel rule framework as set out in the Consultation (e.g. relating to linked transactions
as set out in paragraph 6.11 of the Consultation, and the prevention of access by the
beneficiary to the transmitted cryptoasset as set out in paragraph 6.28 of the
Consultation).

Our reason for proposing a staggered grace period, if HMT is so minded, is to ensure
the mitigation of the risks arising from the ‘sunrise issue’ whereby firms in jurisdictions
that have already enacted R.16 are placed at a commercial advantage to firms
established in jurisdictions which have not enacted R.16. In essence, firms in the
former jurisdictions will refuse to, or are otherwise unable to conduct business with
firms in the latter jurisdiction, leading to firms in the latter jurisdiction being effectively
exiled from international cryptoasset business. Given that the core tenet of R.16 is to
ensure that the beneficiary “information remains with the wire transfer or related
message throughout the payment chain”, enacting requirements as to this element of
the Consultation first would assist with mitigating any negative impacts on UK firms of
the sunrise issue, and thereby mitigate the risk to the UK industry of falling behind the
curve internationally.

Supplementing this, we would encourage HMT to engage with regulators in global
centres to ensure consistent application of the travel rule, both as to content and
timing.

59. Do you agree that the above requirements, which replicate the relevant
provisions of the FTR, are appropriate for the cryptoasset sector?

CUK and its members believe that the following requirements referenced in the
Consultation from the FTR are appropriate for the cryptoasset sector: information
accompanying transfers of cryptoassets; validation of information and detection of
missing information; and information retention, protection and sharing.

However, we do not believe that the obligations on intermediary cryptoasset service
providers are appropriate in their current formulation for the cryptoasset sector. This is on
the basis that the definition of ‘intermediary cryptoasset service providers’ is drafted
too widely as it captures: i) all intermediary cryptoasset service providers involved in
the transfer of cryptoassets, regardless of whether those intermediaries have control
over the transfer or not; and ii) intermediaries that are indirectly acting for the
beneficiary or originator’s cryptoasset service provider, which may bring into place
actors that are not responsible for the transfer.

We understand that HMT is proposing to conduct additional ‘deep-dive’ roundtables
on this point, and we would be keen to attend and provide our observations.

60. Do you agree that GBP 1,000 is the appropriate amount and denomination of
the de minimis threshold?

CUK and its members appreciate HMT’s proposal to include a de minimis threshold
below which limited beneficiary information may be provided.

Having said that, the application of a de minimis threshold risks increasing the
complexity of the rules such that they become difficult to police internally, particularly
given the system requirements required to determine the real-time application of the
de minimis threshold in an environment where cryptoasset values fluctuate compared
to the relatively small fiat amount that is being proposed as the threshold. The result
is that compliant firms risk adding an unnecessary layer of complexity in their
implementation and monitoring of a rule that is already complex to implement, whilst
firms and less compliance-focused competitors may be able to misuse the application
of a de minimis threshold, particularly in light of cryptoasset businesses’ unique selling
point involving anonymity and the ease and cost-efficacy of payments outside of the
normal fiat checks.

CUK and its members would also highlight that consideration of other jurisdictions’
implementation of the de minimis threshold is key. Whichever threshold the UK
implements, UK firms will be forced in practice to implement the strictest threshold for
international transfers. Whilst FATF appear to recommend USD 1,000, we understand
that other major jurisdictions are considering implementing the travel rule with a de
minimis threshold lower than USD 1,000. In this circumstance, the practical application
of the travel rule for UK firms will likely follow that of the lower-threshold major jurisdiction.

We also believe that the responsibility for calculating whether the de minimis threshold
has been reached should be on the receiving VASP on the basis that such a VASP
will likely have more information on the transactions entered into by the beneficiary on
which it acts – this is particularly pertinent in the case of transactions originating from
different originator VASPs that are made to the same beneficiary.

CUK and its members would also encourage HMT to consider whether a de minimis
threshold is appropriate for intragroup transfers. As with many pieces of financial
services regulation, intragroup transfers are typically exempt or subject to lighter-touch
requirements in the provision of data to regulatory authorities – for instance, we note
the exemption from the various reporting requirements under the European Markets
Infrastructure Regulation (648/2012(EU)). To avoid unnecessary reporting that does
not further support HMT’s intention in enacting the travel rule, we would recommend
that all intragroup transfers between group entities are exempted from HMT’s
recommendations.

61. Do you agree that transfers from the same originator to the same beneficiary
that appear to be linked, including where comprised of both cryptoasset and fiat
currency transfers, made from the same cryptoasset service provider should be
included in the GBP 1,000 threshold?

Whilst CUK and its members are cognizant of HMT’s rationale for this requirement –
to avoid arbitraging any de minimis threshold – we would encourage HMT to make a
distinction in the treatment between wholly linked cryptoasset transfers and linked
cryptoasset and fiat currency transfers.

Our rationale for making such a distinction is because it is not clear how either a fiat
currency PSP or a cryptoasset VASP can each be made responsible for transactions
that are differing in nature. For instance, this would require additional messaging
systems and agreement on the estimation of the cryptoasset component’s value, as
between the fiat currency PSP and the cryptoasset VASP.

CUK and its members would also request additional clarity and guidance over what it
means to link transactions in general. Under the FTR, our understanding is that linking
transactions has been applied inconsistently – for instance, as to the timeframes in
which to link transactions and also across separate institutions. We would therefore
recommend that additional guidance is provided and that this guidance is consistent
as between both the FTR and the Consultation’s proposals.

62. Do you agree that where a beneficiary’s VASP receives a transfer from an
unhosted wallet, it should obtain the required originator information, which it
need not verify, from its own customer?

CUK and its members are of the view that the requirement for beneficiary VASPs to
not verify the required originator information from its customers is correct. For HMT to
legislate otherwise would put undue burden on the VASP and potentially open the
VASP to unnecessary liability.

63. Are there any other requirements, or areas where the requirements should
differ from those in the FTR, that you believe would be helpful to the
implementation of the travel rule?

CUK and its members disagree with certain aspects of HMT’s proposals for
implementing certain provisions of the FTR. Our main point of disagreement concerns
data privacy. This is because the requirement for personally identifiable information to
stay with the transfer throughout the payment chain risks undermining the direction of
wider data privacy regulation at a time when data privacy is becoming increasingly
important to both regulators and users of such services alike. For instance, as the
travel rule requires the sharing of information that includes both the physical location
(where above any enacted de minimis threshold) and possibly the value of the
beneficiary’s held cryptoassets, there is an inherent risk to individual privacy and to
personal safety which can arise from: i) hacks and personally identifiable information
leaks and abuse of collected information for identity theft; ii) transaction IDs being used
to determine how much of the relevant cryptoasset the holder controls; iii) physical
and cyber attacks against holders; iv) fake VASPs masquerading as legitimate VASPs
to collect such information; v) the monitoring of transactions by oppressive regimes;
and vi) denial of service attacks. By way of example of the malicious focus on
cryptoasset users’ wallets, the 2020 data leak at the wallet provider Ledger of 270,000
pieces of detailed information led to numerous phishing campaigns and physical
deliveries of compromised hardware wallets to unsuspecting Ledger wallet owners.

As a result, CUK and its members propose that HMT includes a qualification to the
travel rule to the effect that “equivalent controls are achieved via alternative
message/information flows” (Qualification). The incorporation of the Qualification
means that alternative protocols are able to be devised which can facilitate the
intention of the travel rule, whilst also addressing, primarily, the data privacy concerns
noted previously. For instance, we note the whitepaper issued by the Travel Rule
Information Sharing Alliance (TRISA) which seeks to provide a chain analysis-style
protocol by which the information necessary to identify AML/CTF malfeasance is
maintained whilst also ensuring privacy concerns are responded to – please see their
white paper here: DRAFT: Privacy-Preserving Travel Rule Compliance V2 – Trisa.io.
TRISA’s solution demonstrates how encrypted envelopes and zero knowledge proofs
can work together to allow entities to comply with the spirit of relevant regulations while
protecting user privacy and enabling regulators to receive the information needed to
provide effective supervision. We understand that this whitepaper has been presented
for consideration by the US Department of the Treasury’s FinCEN and has been
viewed favourably.

It further seems appropriate for the law to recognise purposive rules and guidance to
enable the furtherance (and avoid unintended stifling) of the UK’s position in
remittance-style solutions involving cryptoasset transactions. For example, if the UK
makes prescriptive requirements in respect of the travel rule, jurisdictions in which
entities are provided more flexibility as to the rule’s implementation will likely see an
influx of cryptoasset service providers. Given the international nature of the payment
services and, more narrowly, the cryptoasset industries, jurisdictions in which firms
are offered flexibility whilst abiding by the intention of the travel rule are likely to win
out when it comes to attracting innovation.

As mentioned previously with respect to the TRISA proposal, a proportionate approach
would appear to be to enable firms to undertake chain analysis-style checks that the
cryptoassets used for the purpose are not tainted in any way. We are happy to provide
HMT with further comment and insight into how solutions would operate within the
spirit of the travel rule.

If a non-purposive/prescriptive approach is taken, HMT will allow a situation where
some firms operate non-compliant solutions because there may be limited solutions
available for firms that need to comply with the requirement, or such solutions are not
cost effective for smaller VASPs given that they are provided by third party providers.
This may risk the viability of the UK as a destination for cryptoasset firms and oversight
by UK regulators of end-users. Other firms who are focused on compliance will then
stifle innovation since there are limited ways of operating where they are confident that
they will be operating compliantly. The undermining of the UK as a destination for
cryptoasset businesses is also exacerbated by the ‘sunrise issue’ which we have
discussed in Q.58 above.

We would also note that we would encourage HMT to revisit its treatment of
intermediary cryptoasset services providers; we have provided commentary on this in
