Did you know that the international community coordinates on their financial surveillance systems? Many Americans don't even know that our own Treasury Department and banking system keeps tabs on our financial activities every day. This quiet financial surveillance, overseen mostly by an organization called the Financial Crimes Enforcement Network (FinCEN), is expansive enough. Unfortunately, a new proposal on cryptocurrency transactions from the international equivalent of FinCEN, the Financial Action Task Force (FATF), threatens to be even more aggressive in spying on financial activities.
The FATF describes itself as a "global money laundering and terrorist financing watchdog." It is an inter-governmental body that sets regulatory standards for the more than 200 countries and jurisdictions that heed its advice. The FATF issues periodic recommendations for how these institutions should set up what's called anti-money laundering/know your customer (AML/KYC) rules, which mostly require that financial systems collect and maintain private records on billions of people across the world. Their recommendations don't have the immediate force of law, but member states and allies take their rubrics very seriously as they craft their own rules.
The gang has been around since 1989, and FATF has expanded its recommendations and scope along with the trials of the times. September 11 was a biggie for the FATF, as the organization pivoted to focus on terrorist financing. The new millennium also saw the addition of a jurisdictional blacklist, which is a who's who of those currently on the outs with the international order. Today, it includes Iran and North Korea.
As you might imagine, the rise of cryptocurrencies has been of great interest to the FATF. These technologies allow for direct value transfer online. As such, they fit awkwardly upon an international surveillance network premised upon collections obligations by third-party financial facilitators.
It's useful to start with how financial reporting requirements have traditionally applied. Monetary surveillance operates through service providers in our financial system. They are supposed to review transactions for anything that looks suspicious or indicative of things like money laundering or tax evasion. Sometimes that means keeping records on large or international transfers. Sometimes that means notifying the feds if something looks particularly dodgy in the eyes of the government. It often means that third-party financial institutions keep detailed personal information on all customers, even to just open an account.
But notice what is not included: many kinds of cash transactions among individuals or most businesses. You don't need to collect someone's ID before accepting cash for a run-of-the-mill transaction. This doesn't mean that crimes can't be committed with such transactions. It's logistically unworkable and would be an even more extreme burden on privacy than the third-party-operated financial surveillance we have in place. So such private transfers are thankfully exempt from financial reporting requirements.
With a direct cryptocurrency transaction, where there is no bank, there is no potential for a bank to collect data on transactions. It's like a cash transaction. For these reasons, FinCEN has generally updated its financial reporting obligations to clarify that AML/KYC rules do not apply to fully decentralized transactions or applications, as they are similarly logistically unworkable. America's top AML/KYC cop hasn't gotten everything with cryptocurrency right, and it is currently proposing rules that would expand financial surveillance for direct virtual currency transactions, but its rules have at least been mostly consistent with how we treat cash transactions in the past.
Not so with the FATF. Its most recent draft guidance proposes a self-described "expansive" standard for cryptocurrency (what they call virtual asset service providers or VASPs) surveillance that could threaten the privacy and safety of innocent users across the world. Peter Van Valkenburgh of Coin Center, a cryptocurrency advocacy group, has the rundown on the biggest problems with the FATF proposal.
Two major errors permeate the document. First, it's just internally inconsistent. A cryptocurrency user or business or developer that earnestly wants to comply with the FATF standards as written would have a hard time knowing whether or not they would be legally considered a VASP.
For instance, at one point, the FATF says that "one may develop and sell virtual asset platform software without being a VASP." That's great to hear! Software developers almost never act as cryptocurrency custodians, so they should be exempt from financial reporting requirements as they wouldn't have access to this data anyway.
But wait a second. Elsewhere in the document, the FATF says "one may not deploy programs whose functions fall under the definition of VASP." Huh? So if a software developer pushes a live version of software that a custodian uses, they're in trouble? Which one is it?
There are similar contradictions throughout: "one may develop and sell virtual asset platform software without being a VASP" but "one may not automate a process that provides covered services without being a VASP"; then "one will be a VASP if they can conduct a transaction on behalf of another person" but "being unable to complete a transaction does not disqualify you from being a VASP." How is the cryptocurrency community supposed to comply with rules that are so paradoxical?
This brings us to the second major problem. As currently written, if these inconsistencies are resolved, they may likely be in the direction of more surveillance. The FATF says that it developed these new rules to purposefully be "expansive." No longer will the international standard for financial reporting requirements be mostly limited to third-party custodians with control of customer funds. Rather, when it comes to cryptocurrency, now all sorts of non-custodians may be unceremoniously deputized as financial snoops, including those merely "conducting business development," "facilitating transactions" (a.k.a. mining), "integrating software into telecommunications platforms," "deploying programs," and "changing rules within software protocols."
This is not only a huge logistical headache for the hundreds of thousands of people around the world who engage in these activities every day and yet have no access to the kind of data that might be required of them. It's a major threat to the privacy of billions of innocents around the globe.
Van Valkenburgh points out that many FATF members are also signatories or at least aligned with the values of documents such as the International Covenant on Civil and Political Rights (ICCPR), the European Convention on Human Rights (ECHR), and the U.S. Constitution. These agreements outline and protect human rights to privacy and expression that are threatened by the kind of expansive surveillance proposed by the new rules.
This is before getting into the counterproductive tactic of making it harder for honest cryptocurrency users to comply with non-workable financial reporting requirements. Bad actors will find ways to send money using cash, virtual cash, or maybe World of Warcraft gold. They weren't too keen on using regulated third parties, anyway. These proposed financial reporting requirements will only make it harder for non-criminals to access the financial channels they need while pushing the criminals further underground.
The good news about the proposed rules is that they are still merely a draft. There is time to work with the FATF to improve the language so that it is clearer and more appropriate and respectful of our human rights to privacy. Still, it is concerning that these errors regarding cryptocurrency operations and our rights to privacy are still common in the highest levels of policymaking. It's a reminder that although established institutions do have self-interested incentives to crack down on cryptocurrency, a lot of times, they just don't know what it is they are looking at.