EUR 1000 Threshold for Self-hosted Wallets in AMLR and TFR: Privacy & UX Impacted?
The new European Anti-Money Laundering Regulation had stricter requirements approved by the European Parliament last March. It aims to close the gap in the EU's Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) policy, guaranteeing consistency between member countries and expanding the list of obliged entities to accommodate crypto-asset service providers (CASPs). It is important to note that several steps remain before it becomes law and enters into force.
Among other changes, the proposal sets clearer requirements for due diligence on customers, third countries, and politically exposed persons (PEPs). Additionally, the meaning of beneficial ownership (BO) was defined, and an online register should be available to certain interested parties - for example, the Anti-Money Laundering Authority (AMLA), Financial Intelligence Units, and obliged entities. It also introduces a cap for crypto asset transfers - the main topic discussed in this blog.
The text limits anonymous crypto payments to EUR 1000 while allowing up to EUR 7000 for cash. This regulatory requirement is not a surprise as it follows the already approved Transfer of Funds Regulation (TFR), which also demands that CASPs transacting with self-hosted wallets identify the owners of such wallets before performing transfers above EUR 1000. Therefore, the AMLR is consistent with the TFR, both important parts of the European Union's AML Package - which also establishes the AMLA and the AML Directive. While the TFR implements the Travel Rule by adding requirements for CASPs, the AMLR covers a broader number of obliged entities by also applying to commercial payments that involve.
Does the EUR 1000 Threshold for Self-hosted Wallet Transactions Hurt Privacy and UX?
After the negotiation of each of these bills - AMLR and TFR - the crypto community has raised privacy concerns and is worried about a possible de facto ban on self-hosted wallets. In fact, conducting due diligence on self-hosted wallets before allowing a transfer to go through may add friction for the customer and discourage businesses from accepting crypto as a form of payment. Most importantly, requiring companies to identify self-hosted wallet owners impacts people's privacy when sensitive data is held by unknown entities.
However, both the privacy and effectiveness aspects of the regulation can be remedied with appropriate practices by the companies involved. When transacting above the threshold, companies will need to collect information on the self-hosted wallet owner, which can be achieved in a number of ways that vary in their levels of data protection and user experience. This will likely be addressed by the European Banking Authority (EBA) guidelines months after the AMLR and TFR enter into force.
How Can CASPs Maintain Customer Privacy while Complying with the AMLR and TFR
Leveraging cryptographic signatures is the answer for efficient and uninterrupted transactions with self-hosted wallets. Message signing is a core feature of every crypto wallet and is the most trustworthy way to identify the customer. Customers prove that they own and control a wallet, since a message can only be signed with the wallet's private key. Moreover, this method allows the transaction to continue immediately, as the signature is verified by software and does not rely on manual action by a compliance team, as other options do.
The method also enables the whole compliance process to be done via software, which keeps sensitive information off chat and email systems, a data protection nightmare. With 21 Travel Rule, the transfer continues seamlessly, so the regulatory impact goes unnoticed by the customer and in the compliance team's day-to-day work.
Moreover, the customer's privacy can be heavily improved if the crypto companies involved in the transaction do not outsource the data handling. Instead, maintaining the personally identifiable information (PII) within the company's premises is the way to guarantee it is treated in accordance with the GDPR and stored in a known jurisdiction. Hence, there is no extra risk or legal work to be done when adopting a provider's solution. Finally, that way, companies can keep the PII away from honeypots (SaaS providers more frequently targeted by hacks due to the volume of information held).
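The signature-based ownership check described above can be shown as a challenge-response exchange. The following is an added example, not code from this post or from 21 Travel Rule: it assumes Node.js with its built-in `crypto` module, throwaway secp256k1 keys, an in-memory challenge store, and a stand-in address derivation; all function names are hypothetical.

```javascript
// Added illustration: challenge-response proof of control over a wallet key.
const crypto = require('crypto');

// ASSUMPTION: stand-in "address" = SHA-256 of the DER-encoded public key.
// Real chains derive addresses differently (e.g. Keccak-256 or RIPEMD-160).
const addressOf = (pub) => crypto.createHash('sha256')
  .update(pub.export({ type: 'spki', format: 'der' })).digest('hex');
const challengeText = (address, transferId, nonce) =>
  `Prove control of ${address} for transfer ${transferId}, nonce ${nonce}`;
const pending = new Map(); // nonce -> { address, transferId, expires }

// CASP side: issue a one-time challenge bound to this address and transfer.
function issueChallenge(address, transferId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, { address, transferId, expires: now + 5 * 60_000 });
  return challengeText(address, transferId, nonce);
}

// Wallet side: only the holder of the private key can produce this signature.
const signChallenge = (message, privateKey) =>
  crypto.sign('sha256', Buffer.from(message), privateKey);

// CASP side: verification runs in software, with no manual compliance step.
function verifyOwnership(message, signature, publicKey, now = Date.now()) {
  const nonce = message.split('nonce ')[1];
  const entry = pending.get(nonce);
  if (!entry) return 'unknown-or-replayed';
  pending.delete(nonce); // one-time use: a captured signature cannot be replayed
  if (now > entry.expires) return 'expired';
  if (message !== challengeText(entry.address, entry.transferId, nonce)) return 'tampered';
  if (addressOf(publicKey) !== entry.address) return 'wrong-key';
  return crypto.verify('sha256', Buffer.from(message), publicKey, signature)
    ? 'verified' : 'bad-signature';
}

// Constructed demo data: two throwaway secp256k1 key pairs.
const newWallet = () => crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
function demo() {
  const owner = newWallet(), other = newWallet();
  const addr = addressOf(owner.publicKey);
  const m1 = issueChallenge(addr, 'tx-001');
  const sig = signChallenge(m1, owner.privateKey);
  const first = verifyOwnership(m1, sig, owner.publicKey);
  const replay = verifyOwnership(m1, sig, owner.publicKey); // same proof reused
  const m2 = issueChallenge(addr, 'tx-002');
  const forged = verifyOwnership(m2, signChallenge(m2, other.privateKey), other.publicKey);
  return { first, replay, forged };
}
console.log(demo());
```

The nonce, expiry and transfer id in the signed message are what keep a valid signature from being reused for a different transfer or at a later time.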
With 21 Travel Rule, CASPs guarantee hassle-free transactions for their customers and compliance team, with a product made for wallet verification and the only one that supports every ownership method in the market. By keeping all data in one place and on the CASP's premises, customers and compliance teams will enjoy compliant transfers that are just as easy as before.