How the “travel rule” could change the world of decentralised finance
It has long been obvious that within the next few years we would witness attempts to regulate the world of decentralised finance. As it turns out, one of the most revolutionary laws may be introduced through an amendment to an obscure regulation on information accompanying money transfers.
I’m referring to the proposed changes to Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds—also known as WTR2. It is part of a broader package of regulations aimed at combatting money laundering and financing of terrorism. The main aim of WTR2 is to ensure that money transfers are accompanied by relevant information enabling identification of the parties to the transaction.
The broader context
To understand the broader context of the planned change, it is worth consulting documents of the Financial Action Task Force (FATF), the main international organisation responsible for global AML policy. The sources of AML rules can be found in FATF materials. In October 2021 FATF published its updated guidance on virtual assets, in which it stressed that FATF Recommendation 16, concerning information accompanying money transfers, also applies to virtual assets.
According to Recommendation 16:
“Countries should ensure that financial institutions include required and accurate originator information, and required beneficiary information, on wire transfers and related messages, and that the information remains with the wire transfer or related message throughout the payment chain.
Countries should ensure that financial institutions monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information, and take appropriate measures.”
The updated FATF guidance (like the interpretive note to FATF Recommendation 15) calls for application of Recommendation 16 to virtual asset service providers (such as cryptocurrency exchanges), referring to application of this recommendation in the context of virtual assets as the “travel rule.” In practice, applying this recommendation will require the collection of certain information about the originator and beneficiary of the transfer, particularly information enabling identification of these persons and verification of this data, for example checking against sanctions lists.
A key requirement is that an institution obliged to apply the “travel rule” should use appropriate security measures if it is unable to identify the originator or the beneficiary. FATF suggests that such measures might include for example temporary freezing of the virtual asset account until the relevant information is obtained.
FATF points to three basic scenarios in which a virtual asset service provider (VASP) will have to apply the “travel rule”:
- Traditional transfer of fiat currencies
- Transfer of virtual assets between the VASP and another entity obliged to apply AML rules (whether another VASP or some other financial institution)
- Transfer of virtual assets between the VASP and an entity not obliged to apply AML rules.
The greatest challenges are presented by the third scenario, as it involves transfers of virtual assets between the VASP and entities using “unhosted wallets,” i.e. accounts or addresses not controlled by any VASP. An example of such wallets would be addresses created directly on public blockchains. It is well-known that one of the fundamental paradigms of blockchain technologies is that these addresses remain anonymous. But FATF expects that in such instances, providers will demand the relevant information from their customers, including information about the counterparties to transactions using unhosted wallets.
Proposed changes
The response to the FATF recommendations in the EU is to be a new Regulation on information accompanying transfers of funds and certain crypto-assets (recast), which in practice would extend application of the current WTR2 to crypto. Work on the proposal is still underway, but we can already identify the main direction of the changes and the potential impact the new regulation may have on decentralised finance (DeFi).
Under the draft, obligations to identify and verify originators and beneficiaries of transfers would be imposed on crypto-asset service providers. The provider would also have to check the parties against sanctions lists. Until these duties were performed, the originator’s service provider could not execute the transfer of crypto-assets, and the beneficiary’s service provider could not make the received crypto-assets available to the beneficiary.
These duties would be relatively easy to implement in the case of transfers involving hosted crypto wallets. In the case of such wallets, there are typically centralised service providers maintaining the wallets, which apply know-your-customer (KYC) measures to their clients. It will be a much bigger challenge to implement these duties with respect to unhosted wallets. This is also the field in which the proposed regulation would make the most sweeping changes.
Unhosted wallets account for a major portion of the crypto market. In some segments, such as DeFi, they are the principal instrument of trade. These are wallets created directly on the decentralised ledger. Unlike with hosted wallets, there is no centralised entity maintaining the wallet. Anonymity is another essential feature of unhosted wallets. The holders of unhosted wallets do not need to register anywhere.
Crypto-asset service providers would have to identify and verify the holders of unhosted wallets if the transactions they execute are carried out with such wallets. Additionally, the current draft also calls for reporting to the competent authorities of any transfer from an unhosted wallet with a value above EUR 1,000. Identifying and verifying the holder of an unhosted wallet is a huge challenge because, as mentioned, these wallets are not operated by any centralised entity. Institutions implementing the duty to identify holders of unhosted wallets would probably rely primarily on information obtained from their customers. The proposal does not specify how in practice the identity of holders of unhosted wallets would be verified. It could thus be anticipated that different service providers would apply different verification methods.
Why are these obligations so important? Assuming the recast regulation is adopted in its current wording, when it enters into force centralised providers of crypto-asset transfer services (primarily exchanges) would not in practice be able to execute transfers of crypto involving anonymous addresses. Such addresses might represent unhosted wallets belonging to specific individuals or institutions, or addresses of protocols for DeFi services (e.g. decentralised exchanges, decentralised loan protocols, or addresses of smart contracts for certain DeFi services). Identification and verification of holders of unhosted wallets probably is feasible in practice. However, a large portion of the addresses of decentralised DeFi protocols cannot be ascribed to specific entities (as they are by definition decentralised, with no defined central operator). Providers of virtual asset transfer services would thus be unable to perform their identification obligations with respect to such protocols. This in turn could effectively bar transfers between such protocols and centralised exchanges.
Another solution that could have a major impact on the market is introduction of a “back list" of addresses and crypto-asset service providers, to be maintained by the European Banking Authority. Inclusion in that list would effectively preclude transactions with institutions or addresses on the list by providers of crypto-asset transfer services.
Undoubtedly the recast regulation will affect the scope of duties of decentralised entities providing crypto-asset services. KYC duties in relation to the parties to crypto transactions would be greatly expanded. For now it is hard to predict to what degree the new rules could impact further growth of decentralised finance. Restricting the possibility of conducting direct transactions between decentralised protocols and centralised exchanges, at least, would not spell the end of decentralised protocols. It appears that transfers of crypto-assets from or to such protocols will still be possible using unhosted wallets. The effect of the new rules might therefore be not so much elimination of DeFi protocols as the wholesale redirection of transfers involving such protocols into the decentralised world. This would lead to a clear division into the fully decentralised DeFi realm, in which KYC rules would not apply, and the centralised zone of crypto markets, which would be subject to rigorous KYC duties. The principal link between these separate realities would be unhosted wallets. After entry into force of the new rules, holders of such wallets would have to identified and verified if they wished to avail themselves of virtual asset transfer services from centralised providers, including exchange of crypto into fiat currencies.
Krzysztof Wojdyło