Cryptocurrency Landscape: How Regulators Are Responding to Money Laundering and Consumer Protection Risks

Overview

As cryptocurrency use continues to grow, regulators are adapting existing regulations for the crypto world, focusing on mitigating money laundering risks and enhancing consumer protections to match the security of payments in fiat currency. However, because of the challenges of effectively regulating crypto activities, money laundering may continue underground, prompting authorities to impose bans on cryptocurrency activity and provide their own central bank digital currency, as several countries have already done.

This analysis seeks to understand the current state of the actions that legislators in the UK and EU are taking to regulate and limit the money laundering capability of cryptocurrencies.

Background

In the last few years, the number of jurisdictions choosing to intervene in the sphere of cryptocurrencies has increased markedly. Analysis from a report by the Law Library of Congress, “Regulation of Cryptocurrencies around the World”, has shown an increase in jurisdictions applying anti-money laundering (AML) and tax regulations to firms in the cryptocurrency market from 33 in 2018, to 103 in November 2021.

For the most part, the regulatory option has been applied by authorities in Europe, as well as much of the Americas. Meanwhile, according to the report, the number of jurisdictions applying either an implicit or explicit ban on the cryptocurrency market has increased from 23 to 51 during the same period, most of which are in Africa, the Middle East and South East Asia.

Despite attempts to regulate the crypto market, however, there are practical limitations on what rules regulators can enforce. As Federal Reserve chairwoman Janet Yellen said in 2014, the US Federal Reserve (and by extension other regulatory authorities) does not have the ability to regulate cryptocurrencies as there is no central issuer, and therefore no entity to regulate.

Authorities wishing to regulate cryptocurrencies must therefore do so at central points of transfer from one party to another, rather than the currency itself. This could include: fiat money being withdrawn from a bank account to buy crypto; the transfer of cryptocurrency payments through central exchanges; and payment of a regulated product or service, such as legal services, using cryptocurrency.

Tailoring rules for crypto services

Regulators have typically tried to fit crypto-assets into existing rules, rather than create new laws specifically for crypto. For example, virtual asset service providers (VASPs), such as crypto exchanges operating in the EU and UK, must be compliant with the 5th Anti-Money Laundering Directive (5th AMLD) (Directive 2018/843) and the Money Laundering and Terrorist Financing (Amendment) Regulations 2019, which transposed the directive into UK legislation respectively — an analysis of the 5th AMLD from VIXIO can be found here.

Broadly, the requirements include:

• Third country policy towards jurisdictions that pose a high risk of money laundering, such as those on the FATF greylist.
• Standard and enhanced customer due diligence.
• Beneficial ownership information.
• Reporting obligations.
• Compliance with data protection rules.

In addition to the 5th AMLD, there have been proposals from the UK and EU, both seeking to fill in gaps on crypto regulation, where they can. In the UK, the Treasury-led UK regulatory approach to cryptoassets and stablecoins, which was published in January 2021, has taken a less prescriptive approach, focusing on continuing to enhance protections for retail customers while proactively engaging with crypto firms to move them into the Financial Conduct Authority’s (FCA) regulatory orbit. This includes allowing crypto firms to test out their products through the FCA’s regulatory sandbox and receive feedback.

The consultation proposes “to ensure that tokens which could be reliably used for retail or wholesale transactions (such as stablecoins) are subject to minimum requirements and protections as part of a UK authorisation regime”. If adopted, relevant regulations are likely to affect: issuers or systems operators of crypto coins, crypto-asset exchanges and crypto wallets, with the most relevant requirements for crypto exchanges and wallets (pgs 20-21) likely to be:

• Authorisation requirements prior to operating.
• Safeguarding requirements to ensure the security of the user’s crypto wallet and protect against cyber-attacks.
• Systems, controls, risk management and governance requirements.
• Notification and reporting requirements to customers and regulators.
• Recordkeeping requirements.
• Conduct requirements towards the rights of customers.
• Financial crime requirements applying AML rules.
• Outsourcing requirements to ensure continuous and adequate functioning.
• Operational resilience requirements.

Utility or exchange tokens, such as Bitcoin, however, are to remain unregulated for the meantime. This is in part because the FCA’s consumer research (Chapter 3) has shown UK consumers engaged in the crypto market are aware of the risks, with 89 percent of consumers aware their purchases are not subject to regulatory protection, and almost half of consumers saying they bought cryptocurrency as a gamble that could make or lose money.

Although the next steps of this regulatory workstream are still to be revealed, under the current roadmap, standard setting bodies re expected to complete their review of standards, principles and guidance by December 2021.

EU obligations on VASPs

Meanwhile, on July 20, 2021, the European Commission proposed a recast of the Regulation on information accompanying transfers of funds and certain crypto-assets. Unlike the UK, the proposals focus more on enhancing existing AML rules for crypto firms, making sure that information identifying the originator and beneficiary are recorded.

Crypto-assets are defined in the proposal as “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology”. Once approved, the proposals would be applied uniformly throughout the EU and will be consistent with EU frameworks and Financial Action Task Force (FATF) standards. This includes making the definitions of crypto-assets and their respective service providers (CASPs) correspond to the definition of virtual assets and VASPs.

Under the new proposals, VASPs of the originator must ensure that transfers of crypto-assets are accompanied by:

• The name of the originator.
• The originator’s account number.
• Where such an account exists and is used to process the transaction.
• The originator’s address.
• The originator’s official personal document number
• The originator’s customer identification number or date and place of birth.

VASPs would also ensure that transfers of crypto-assets are accompanied by the name of the beneficiary and the beneficiary’s account number, where such an account exists and is used to process the transaction. This information must also be held and shared with counterparties to the transfer and be made available on request to the appropriate authorities (Article 14).

Additionally, VASPs of the beneficiary, the payment service provider (PSP) of the payee and the intermediary PSP should have effective risk-based procedures to determine whether the appropriate information is missing, such as monitoring after or during the transfers, and the correct action to take (Article 17).

Not all transactions are affected by the proposal, however, as the European Commission is aware of “not to impair the efficiency of crypto-asset transfer services” and balance the risk of money laundering with “the risk of driving transactions underground”, which would then have no regulatory oversight. To provide less of a burden, transfers of €1,000 or less are exempt from the obligation to check whether the information is accurate, although not if there are reasonable grounds to suspect money laundering. Transfers within the EU are also subject to only simplified information requirements, such as a payment account number or that originator and beneficiary address identifiers are recorded on the distributed ledger. This is in alignment with non-crypto specific customer due diligence requirements in the 5th AMLD.

Despite the different approaches taken by the UK and EU, the end result is likely to be a stricter regulatory environment for crypto wallets and exchanges, with both the UK and EU regulators seeking to nudge crypto firms into their orbit by applying standard financial services regulation.

However, for PSPs that are not crypto exchanges or crypto wallets, the new rules, if introduced in both the UK and the EU, will help to reduce the regulatory risk of crypto payments as the proposals mostly affect direct players in the crypto market. Therefore, despite a more stringent regulatory environment, PSPs should be able to take advantage of the greater mainstream interaction between themselves and crypto firms being permitted, which should also benefit the largest, regulated crypto firms.

A prisoner’s dilemma

Despite new rules for crypto firms, the enforcement of them is challenging for regulators, in part because the technology and corporate structure of cryptocurrency and crypto operators respectively are designed to evade being regulated. For example, in June 2021, a supervisory notice from the FCA about the crypto exchange Binance stated that “the FCA considers that the firm is not capable of being effectively supervised” due to “the firm’s membership of a global group which offers complex and high-risk financial products, which pose a significant risk to consumers”.

The lack of enforcement has meant regulators, such as the FCA, have had to resort to token measures of regulatory action, such as urging the public to take extreme caution when using cryptocurrency and, in some cases, issuing consumer warnings about specific firms such as Binance. And although Binance eventually complied with the FCA, its withdrawn application for a license with the Monetary Authority of Singapore suggests the firm is still trying to find the most preferred regulatory framework that it possibly can and ultimately deciding to comply with regulators when it suits its interests.

Additionally, because of the practical limitations on what regulators can enforce, the risk of money laundering is significantly higher if carried out via a peer-to-peer (P2P) network and the money remains in crypto form. Without a central touchpoint like an exchange, the technology of public and private key encryption can allow the real identities of two parties to remain completely hidden from the world and even each other. This may lead to a situation where crypto firms decide to become regulated, removing money laundering both from transactions they facilitate and the mainstream financial system, but where the bulk of money laundering occurs via P2P networks where regulators are unable to stop it. This would eventually cause a prisoner’s dilemma for crypto firms, where, despite their compliant actions, the technology of cryptocurrency is used by others in ways that hurt their trust from regulators.

One regulatory answer from authorities will be the launch of a central bank digital currency (CBDC), which governments across the world are experimenting with. As has been seen in Nigeria, China and potentially Thailand, the coming launch of a CBDC has sometimes come in tandem with a significant restriction of cryptocurrency activity to incentivise take-up of the national coin. Although this trend does not strongly suggest this kind of action could be taken by regulators in more developed countries, such as the UK or EU member states, that are more willing to work with crypto firms, it is an option that is likely to appear tempting to regulators if regulation alone proves ineffective against money laundering.

Conclusion

Overall, this analysis shows hardening attitudes to cryptocurrency all around the world, with some authorities preferring to regulate cryptocurrency transactions, while others are trying to suppress it. In the UK and EU, proposals for increased regulation have come in different forms, with the EU focusing on making sure crypto transactions of more than €1,000 are accompanied by beneficial ownership information, while UK regulators have chosen to implement more consumer protection and governance requirements.

However, as both proposals attempt to treat crypto activities similarly to a fiat payments transaction, this should help remove regulatory risk for PSPs and lead to greater synergy between conventional PSPs and crypto market players such as crypto exchanges. In the long term, however, actions to try to regulate all cryptocurrency transactions are unlikely to affect those via a P2P network, providing regulators with an incentive to suppress cryptocurrency activities altogether.