The recent European Union proposal requiring centralized crypto exchanges and custodial wallet providers to collect and verify personal information about self-custodial wallet holders shows the dangers of recycling traditional finance (TradFi) rules and applying them to crypto without appreciating the conceptual differences. We can expect to see more of this as countries look to implement the Financial Action Task Force (FATF) Travel Rule, initially designed for wire transfers, to transfers of crypto assets.
The (missing) link between self-custody, control and identity
The aim of the proposed EU rules is “to ensure crypto-assets can be traced in the same way as traditional money transfers.” This assumes that each self-custodial wallet can be linked to someone’s verifiable identity and that this person necessarily controls the wallet. This assumption is wrong.
Related: Authorities are looking to close the gap on unhosted wallets
In TradFi, a bank account is linked to the verified identity of its holder, giving them control over that account. For example, sharing your online banking details with your partner doesn’t make them the account holder. Even if your partner changes the login details, you can regain control by proving your identity to the bank and having it reset the details. Your identity gives you ultimate control which cannot be permanently lost or stolen. Of course, in exchange for the bank’s custody protections, you lose self-sovereignty over your assets.
Self-custody of crypto assets is different. Control (i.e., the ability to transact) over the self-custodial wallet is held by whoever has the private keys to that wallet. Control is not linked to anyone’s identity and there is no one to prove your identity to. All you need is to download a piece of software and safely store your private keys. In exchange for this responsibility, you maintain self-sovereign ownership.
Implementing the proposed rules
Let’s look at how a custodial wallet provider would go about complying with the EU proposal. Assume that Alice wants to send 0.3 Ether (ETH) from her custodial wallet account to Bob’s self-custodial wallet to pay for Bob’s consulting services. Before the transfer goes through, the custodial wallet provider would have to 1) collect Bob’s name, wallet address, residential address, personal identification number, and date and place of birth; and 2) verify the accuracy of these details. Broadly the same details would be required for a transfer from Bob’s wallet to Alice’s custodial wallet account. Alice would likely need to ask Bob to send her his details, and Alice would then provide them to the custodial wallet provider — as recently recommended by a custodial wallet provider in a similar context.
The rules would apply even to the smallest transactions — there is no minimum threshold. Custodial wallet providers would conceivably also need to withhold incoming transfers (creating greater custody risks) and return them to the self-custodial wallet if the verification is unsuccessful.
Related: Crypto in Canada: Where are we today, and where are we heading?
Identity does not equal control, making compliance impossible
While collecting data and potentially withholding incoming transfers is operationally cumbersome, the verification obligation risks are potentially outright impossible to comply with. In TradFi, the point of identity verification is to ensure that the person controlling a bank account and claiming to do so is the same one. But how could the custodial wallet provider fulfill the verification obligation if control over Bob’s self-custodial wallet does not depend on his identity?
Even if the custodial wallet provider managed to confirm that Bob is the person he purports to be, this doesn’t mean that he controls the wallet. It could be controlled by a decentralized autonomous organization that redistributes payments to members like Bob or a criminal group, with Bob merely being their…
Read More: cointelegraph.com