How regulators got it wrong


The recent European Union proposal requiring centralized crypto exchanges and custodial wallet providers to collect and verify personal information about self-custodial wallet holders shows the dangers of recycling traditional finance (TradFi) rules and applying them to crypto without appreciating the conceptual differences. We can expect to see more of this as countries look to implement the Financial Action Task Force (FATF) Travel Rule, initially designed for wire transfers, to transfers of crypto assets.

The (missing) link between self-custody, control and identity

The aim of the proposed EU rules is “to ensure crypto-assets can be traced in the same way as traditional money transfers.” This assumes that each self-custodial wallet can be linked to someone’s verifiable identity and that this person necessarily controls the wallet. This assumption is wrong.


In TradFi, a bank account is linked to the verified identity of its holder, giving them control over that account. For example, sharing your online banking details with your partner doesn’t make them the account holder. Even if your partner changes the login details, you can regain control by proving your identity to the bank and having it reset the details. Your identity gives you ultimate control which cannot be permanently lost or stolen. Of course, in exchange for the bank’s custody protections, you lose self-sovereignty over your assets.

Self-custody of crypto assets is different. Control (i.e., the ability to transact) over the self-custodial wallet is held by whoever has the private keys to that wallet. Control is not linked to anyone’s identity and there is no one to prove your identity to. All you need is to download a piece of software and safely store your private keys. In exchange for this responsibility, you maintain self-sovereign ownership.

Implementing the proposed rules

Let’s look at how a custodial wallet provider would go about complying with the EU proposal. Assume that Alice wants to send 0.3 Ether (ETH) from her custodial wallet account to Bob’s self-custodial wallet to pay for Bob’s consulting services. Before the transfer goes through, the custodial wallet provider would have to 1) collect Bob’s name, wallet address, residential address, personal identification number, and date and place of birth; and 2) verify the accuracy of these details. Broadly the same details would be required for a transfer from Bob’s wallet to Alice’s custodial wallet account. Alice would likely need to ask Bob to send her his details, and Alice would then provide them to the custodial wallet provider — as recently recommended by a custodial wallet provider in a similar context.

The rules would apply even to the smallest transactions — there is no minimum threshold. Custodial wallet providers would conceivably also need to withhold incoming transfers (creating greater custody risks) and return them to the self-custodial wallet if the verification is unsuccessful.


Identity does not equal control, making compliance impossible

While collecting data and potentially withholding incoming transfers is operationally cumbersome, the verification obligation risks being outright impossible to comply with. In TradFi, the point of identity verification is to ensure that the person controlling a bank account and the person claiming to control it are the same. But how could the custodial wallet provider fulfill the verification obligation if control over Bob’s self-custodial wallet does not depend on his identity?

Even if the custodial wallet provider managed to confirm that Bob is the person he purports to be, this doesn’t mean that he controls the wallet. It could be controlled by a decentralized autonomous organization that redistributes payments to members like Bob, or by a criminal group, with Bob merely being their money mule. There is no third party to prove Bob’s identity to in order to transact — whoever controls the private keys is the “bank.”

Exposing legitimate users to disproportionate security risks

Let’s assume that custodial wallet providers manage to comply with the proposed rules, or a less stringent version of them that does not require verification. Custodial wallet providers would need to keep large databases of self-custodial wallet users, exposing users to the risk of data breaches. For legitimate users, i.e., those who declare their true identity and also actually control the related self-custodial wallet, this risk has far greater consequences than TradFi data collection (e.g., FATF’s Travel Rule for wire transfers).

In TradFi, if a criminal compromises someone’s bank account or card, they wouldn’t get very far because the bank can block the account. By definition, self-custodial wallets lack this feature. Self-sovereign ownership, secured through cryptography and…

cointelegraph.com