EU’s TFR regulation poses a significant risk to data privacy and Web3
In the wake of the European Parliament’s approval of the EU Funds Transfer Regulation (TFR) in crypto markets, the EU has been conducting an alleged risk assessment to identify and address threats of money laundering and terrorism financing.
The proposal of the TFR regulation, modified from FATF’s initial “Travel Rule”, has been updated to bring into scope Crypto Asset Service Providers (CASPs) and un-hosted wallets (wallets not hosted by CASPs) to purportedly deal more effectively with AML risks in the crypto industry. Unfortunately, the proposal is fundamentally flawed.
Under the TFR proposal, CASPs should collect and verify Personal Identifiable Information (PII) on users for ALL transfers to un-hosted wallets, including the originator’s name, account number, address, personal document number, identification number/date and place of birth, as well as the name of the beneficiary and their account number. All transfers above €1,000 would additionally require submission to the authorities.
Ironically, for a Parliament globally known to place value on privacy and personal data (GDPR as a good example), should this legislation pass, it would mean every crypto transfer from a CASP to an un-hosted wallet would have to be recorded and verified. Additionally, in the case of transfers larger than €1,000, they have to be submitted to the authorities whether an inherent risk is apparent or not, creating a multitude of unnecessary data honeypots ready for exploitation.
As a founder and avid believer in the potential of DeFi to reshape our financial paradigms, these proposals from our governing bodies appear to be heavily shortsighted and inconsiderate of the implications they may bear. They are also discriminating crypto holders over fiat holders as they are formulated much stricter.
The suggested processes would substantially undermine the basic privacy of any user of crypto assets and present a great intrusion into an individual’s private life. The collection of the wallet owners’ private information in many centralized databases also poses a risk for future exploitation. The information about a user’s residence and accounts (with an exploited public address then publicly available on-chain), is further leading to an unjustifiable increased physical and digital threat.
There are also questions in terms of feasibility and whether the suggested framework can be implemented by the industry without excessive overhead costs threatening the entire business model. The probability of success and whether such meticulous monitoring will in fact reduce the risks of money laundering activities is also questionable since transactions between two self-hosted wallets remain entirely unmonitored.
It’s important to bear in mind that crypto and the underlying blockchain technology provide unprecedented transparency thanks to their open-source, immutable design and tamper-proof ledger. Know-Your-Transaction (KYT) software and tooling are still being underused and, if properly implemented, can provide far more oversight than any transaction in the traditional financial environment.
Furthermore, crypto transactions involving illicit addresses came down to only 0.15% in 2021. In comparison, between 2%-5% of global GDP annually is connected to money laundering and illicit activity, according to the UN. Crypto transfers would be disproportionately targeted with the suggested regulation.
The way things are looking now, it appears that this draft will lead to a significant competitive disadvantage for crypto players operating in the EU. This will ultimately lead the EU to fall behind on yet another technological paradigm, as previously experienced with the development of Web 2.0 (Internet), where the EU failed miserably to bring forward a global champion (like the Silicon Valley for instance).
Understanding technology, and thereupon building a feasible framework that reflects the true nature of what it has to offer, is not only the EU’s responsibility but also our own. Entire economies and industries are changing with the help of technological innovation, so how we regulate things should too.
To take action, the Web3 community also formulated a more elaborated open-source open letter (not attached to any companies or commercial interests) addressed to the EU representatives, who are still in the Trilogue phase before the proposal will be converted into law eventually.
Please join us in signing the letter.
Related article: How Europe's finance hubs are implementing crypto regulation