Privacy in payment networks – crypto vs traditional, FATF rules

Non-crypto payment networks such as credit cards are tied to a name. Often a billing address is required, which is sometimes verified.

Since payment card security is based on knowing a few numbers (card number, expiry date and CVV) that are passed on to third parties, it is a good idea to verify some data that is not printed on the card. Operators are forbidden from storing some of this data (the CVV). Some payment gateways verify the billing address. This reason has become largely redundant with the advent of 3D Secure and services like Google Pay and Apple Pay, where payments are verified with another factor (e.g. an SMS code or confirmation in the card issuer's app).

The billing address is also used for risk assessment. If you are accessing from a Russian IP address, but the card is issued and used in Slovakia, there is a high probability that it is a theft and the payment network will often reject such a transaction.
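To make the risk assessment concrete, here is an added example (not part of the original article, and not any payment network's real rule set) of the kind of check described above: the country the card was issued in is compared with the country of the client's IP address, and the billing-address (AVS) and 3D Secure results adjust the score. The BIN table, IP prefix table and rule weights are constructed for the example.

```python
"""Toy card-payment risk assessment: issuer country vs. IP country, AVS, 3D Secure.
Added example; the BIN table, IP ranges and weights are constructed, not real data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed BIN (first six digits) -> issuing-country table. Real BIN data is licensed.
BIN_COUNTRY = {"400000": "SK", "510000": "SK", "420000": "RU"}

# Constructed IP-prefix -> country table standing in for a geolocation database
# (documentation ranges only).
IP_COUNTRY = [
    (ipaddress.ip_network("192.0.2.0/24"), "SK"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
]

REJECT_AT = 60      # constructed thresholds
CHALLENGE_AT = 30   # send to 3D Secure / ask for another factor


@dataclass
class Payment:
    pan: str                   # card number; only the BIN prefix is used here
    client_ip: str
    avs_match: Optional[bool]  # None if the gateway did not check the billing address
    three_ds_passed: bool      # issuer confirmed the payment with another factor


def issuer_country(pan: str) -> str:
    return BIN_COUNTRY.get(pan[:6], "??")


def ip_country(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in IP_COUNTRY:
        if addr in net:
            return cc
    return "??"


def assess(p: Payment) -> Tuple[str, int, List[str]]:
    """Return (decision, score, reasons); decision is 'accept', 'challenge' or 'reject'."""
    score = 0
    reasons: List[str] = []
    card_cc, ip_cc = issuer_country(p.pan), ip_country(p.client_ip)

    # The article's case: card issued in one country, used from an IP in another.
    if card_cc != ip_cc:
        score += 60
        reasons.append(f"card issued in {card_cc} but used from an IP in {ip_cc}")
    if p.avs_match is False:
        score += 40
        reasons.append("billing address does not match the issuer's records")
    elif p.avs_match is None:
        score += 10
        reasons.append("billing address not verified")
    if p.three_ds_passed:
        # A second factor verified by the issuer outweighs most static signals.
        score -= 50
        reasons.append("3D Secure passed")

    if score >= REJECT_AT:
        return "reject", score, reasons
    if score >= CHALLENGE_AT:
        return "challenge", score, reasons
    return "accept", score, reasons


if __name__ == "__main__":
    for pay in (
        Payment("4000001234567890", "192.0.2.10", True, False),     # SK card, SK IP
        Payment("4000001234567890", "198.51.100.5", None, False),   # SK card, RU IP
        Payment("4000001234567890", "198.51.100.5", None, True),    # same, but 3DS passed
    ):
        print(assess(pay))
```

The second case reproduces the scenario in the text: a Slovak card used from a Russian IP with no other verification is rejected, while the same payment confirmed through 3D Secure is accepted because the issuer has already verified a second factor.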

Cryptocurrencies solve these problems by making transactions electronically signed and irreversible. The provider does not need to know the identity of the client to accept a payment at all, and also does not have to worry about chargebacks or fraud. Once the payment is confirmed in the network, the merchant can be 100% sure that they have received the money irreversibly.

Another reason for decreased privacy is that the provider of products or services needs to charge the correct VAT. As many people have realised that, especially for electronic services, it is enough to select “I am from Hong Kong” (Hong Kong has no VAT), some providers verify the billing address with the card issuer so that paying VAT is not so easy to bypass.

Other fiat payment networks are in a similar position with privacy. However, it is not only the retailer and the payment network that obtain the customer’s personal data. As I mentioned above, PayPal, for example, has terms and conditions stating that it can share your personal information with over 600 entities. Regulations such as the OECD CRS, FATCA and so on even impose an obligation on every provider of banking, financial and payment services to automatically inform the tax authorities. Anti-money laundering regulations in turn force them to block transactions or inform the financial police. All of this data sharing is automatic once certain conditions are met – it’s not a case of ‘after all, I’m making a small turnover’ or ‘I’m not doing anything wrong’. This data is sent, processed and retained for a long time.

The first and fundamental problem with automatic data sharing is – can the recipient protect it? The recipient is often a government institution. In Slovakia, we have experience that the state institution cannot protect even the most sensitive data on health status and PCR test results for SARS-CoV-2. And that was a technical hack; the second and much more likely attack vector is simply buying the data from an employee who has access to it. But government institutions are not the only recipients of data – marketing firms, credit bureaus and the like receive it too. Imagine that when you make a payment, an information firework is set off that sends out information about that payment to various third parties with whom you don’t automatically have a voluntary relationship.

Another problem is that the payment network operator is very likely to know your entire buying behaviour – what you buy and where you buy it. Especially in Slovakia, after the introduction of the eKasa system, information is stored in a database accessible from the Internet not only about where and for how much you bought, but also exactly what items you bought. The information that you have printed on the receipt will be sent directly to the Financial Administration. Of course, the receipt (unlike an invoice) does not directly state your identity – but when you pay by card, it is possible to match the identity to the receipt (by terminal and amount).

In addition, this information is stored in the systems for a long time. I personally find it very annoying when a bank employee digs into my account movements in an attempt to sell me other products. It is clear to me that any bank employee can theoretically see all my account movements and get quite a lot of sensitive information. And not only theoretically can, but there is a known case in my country where a bank employee, Filip Rybanic, abused this. In this case, however, the court found the bank employee guilty of a criminal offence.

Thus, classic payment networks are the worst possible from the point of view of privacy – they show not only when and for how much, but also where I bought (name of the store, location of the terminal).

It is important to understand that we do not need to know the identity of the customer to provide most products and services. We are sometimes forced to do so by regulation, but it is not necessary for the actual provision. If I am selling virtual servers, phone number services, domains, web addresses, access to software as a service, an e-book, an online course, and so on, I don’t need to know the customer’s first name, last name, and address at all. And if I don’t have that information, I don’t need to protect it.

Cryptocurrencies do not automatically carry an identity with the payment. I don’t need to know your email, first name, last name or address to create a cryptocurrency account. A wallet-signed transaction is all I need to make a payment. Cryptocurrencies thus make it easier to comply with government regulations such as GDPR – if I don’t have personal data, I don’t have to protect it.

From this perspective, cryptocurrencies preserve both the privacy and security of the payment at the same time.

FATF-GAFI and the crypto travel rule

However, the invasion of privacy is making its way into cryptocurrency payment networks as well. The story of financial regulation is a complicated one, but I think it is a very interesting one. Most people think that the way that anti-money laundering regulations and many others are created is probably like this – officials (of the European Union, for example) sit down with experts, try to come up with sensible rules, and then put those rules forward as a proposal to be debated by a commission and later the parliament. This gets approved and then the parliaments of the individual EU countries adopt it into their legislation. This is the visible part, which comes after the rule has been in place for a long time. So what is the reality?

It works like this. FATF-GAFI, a non-profit and non-governmental organisation, issues “recommendations” to combat money laundering. It also produces “watch lists” of countries or organisations that are not doing enough to combat money laundering. If a country or organization wants to show that it is fighting money laundering, the country or bank in the payment network accepts the FATF-GAFI “recommendations.” Since this is the consensus standard of the majority in the payment network, if an entity wants to participate in the payment network, it must somehow prove that it is fighting money laundering.

This is most easily demonstrated by implementing their recommendations as rules – and following and enforcing those rules on other partners. The European Union’s AML5 is the implementation of the FATF-GAFI recommendations into a coherent legal framework. Many of these rules were already being enforced by banks and countries before regulation was ever adopted, because if someone wanted to send money to the US, for example, the correspondent bank would ask them what they were doing against money laundering. And the easiest thing to do is to show ‘we are implementing this standard’.

That is, the adoption of rules in the banking network goes the other way around – it arises through mutual coercion in the banking network and then gradually translates into written rules. Let us note that the regulation of the banking network is done by a non-profit, based in the OECD building in Paris, which is not elected by anyone and has no official legislative power. Yet it can write rules that the whole world follows – not just members of the OECD, the EU or any other entity.

The FATCA and OECD CRS regulations were adopted in a very similar way – they were “virally disseminated through the network effect”. Simply in a “if you want to do business with us, you have to follow these rules” way.

FATF-GAFI has a second role – enforcement, which “monitors money laundering”. So, for example, they will find that Panama has not directly implemented the FATF-GAFI rules into law, but has fought money laundering in its own way. The result was that in 2019, Panama was put on a “watchlist” of jurisdictions that are at risk from a money laundering perspective. They didn’t get there because they were proven to have laundered money in specific cases, but because they chose to fight money laundering in a different way.

What does it mean? Anyone following the FATF-GAFI recommendations must specifically screen all transactions with Panama. This slows down international trade, which is why Panama has done everything it can to get off the watchlist – FATF-GAFI has practically put a law on the table for MPs to pass. The OECD CRS rule has been extended in a very similar way.

What does this have to do with Bitcoin? One of the FATF-GAFI “recommendations” is to “tag” cryptocurrency transactions. If a transaction is worth more than $1000, it should somehow verify the identity of the sender and communicate it to the other party. This information does not need to go directly through the blockchain. Protocols have started to emerge that allow such an exchange of personal data.

The first to follow this rule are the exchanges that support deposits and withdrawals in government fiat money. These need to be plugged into the classical financial network for their business. The FATF-GAFI travel rule has already been adopted and is being enforced through the financial system, regardless of whether it has been approved by national or EU parliaments.

These rules are now being extended to other VASPs (Virtual Asset Service Providers – a new term introduced by FATF-GAFI), which include wallet providers, payment gateways and practically everyone who is touching crypto in any way. And one of the “recommendations” to be implemented in 2021 is to make sure that VASPs only accept cryptocurrency transactions from wallets of other VASPs. So “self-hosted” or “anonymity enhanced” wallets are to be treated as high risk for money laundering and “considered” in depth. Because investigating transactions is often not profitable, this amounts to a ban with a nice-sounding name. We will see how exactly it will be implemented.

How does this enforcement work in practice? An illustrative thought experiment:

  1. We declare that “untagged” BTC transactions are used for money laundering
  2. We will create a standard for transaction tagging
  3. Banks, exchanges and the like will start implementing this because they don’t want their partners in the fiat payment network to close their accounts or disconnect them from the payment network
  4. FATF-GAFI monitors which countries and which institutions do and do not comply
  5. If a country ignores this (and thus is not “in the cartel”), they declare them a “money laundering center” and put them on a watchlist
  6. This makes it much more difficult for them to interact with traditional financial systems of the world. The watchlist is global for all transactions, so if someone does not want to implement a travel rule for cryptocurrency transactions, the consequence is a restriction of access to international trade overall – the watchlist does not just apply to one segment. The country is very likely to say “screw some few Bitcoin traders, let’s enact this because we don’t want to be on the watchlist”.
  7. FATF-GAFI and the consultants will supply the exact wording of the law, which they will translate into the local language and correctly paraphrase the sections of the “recommendations”. Members of Parliament pass the law in Parliament, basically unaware of what it is and how it came about.
  8. FATF-GAFI will add a press release to its website on its successful cooperation with another country and will issue a case study on how it has curbed further money laundering.

Every deposit and withdrawal from the exchange will therefore be marked with our identity – name, surname, address, residence, etc. That “innocent KYC data” that used to be collected and shared with chain analysis firms or under court order at most will become part of our transactions – by the way, this data can be populated retrospectively as well, since they knew your identity when you made withdrawals and know which transactions are withdrawals of your funds. This is if you went through a KYC exchange.

Dystopian vision of introducing financial tracking into cryptocurrencies

In time, states may force merchants to accept only cryptocurrencies marked in this way. If a person wants to use cryptocurrencies to pay for anything legally, anonymity will be gone. And so the individual cryptocurrency “coins” will be divided into legal ones (marked with an identity) and illegal ones, which will be unusable for legal purchases. I don’t mean that some cryptocurrencies will be legal and some won’t, but that the balance in the wallet will be marked and unmarked. Think of it like banknotes: some are stamped and you’ll be able to use those at the grocery store or the hipster cafe, while unstamped ones will only be usable in the grey and underground economy.

Technical solutions to increase privacy would be unusable in such a case – coinjoin or other mixing and privacy-enhancing methods would simply turn the cryptocurrency units into unmarked ones. Using this mixing technique would be linked to our identity, so we would very likely be visited by some financial authority asking why we put our money in an anonymizing tool.
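The two mechanisms described above (retrospective tagging of withdrawals with KYC identity in the travel-rule section, and mixing turning units into “unmarked” ones in this section) can be shown on a toy ledger. The following is an added example, not code from the original article and not any chain-analysis firm’s method; the ledger, addresses and withdrawal records are constructed, transactions are listed in spending order, and the propagation rule (every output inherits the union of its inputs’ identity tags) is a deliberate simplification of what real analysis does.

```python
"""Toy model: a KYC identity attached to an exchange withdrawal follows the coins through
later spends, and a multi-party (coinjoin-style) transaction blurs that link.
Added example with a constructed ledger; naive tag-union propagation is an assumption."""
from typing import Dict, FrozenSet, List, Tuple

OutRef = Tuple[str, int]  # (txid, output index)
# A transaction: (txid, spent OutRefs, outputs as (address, amount)); listed in spending order.
Tx = Tuple[str, List[OutRef], List[Tuple[str, float]]]

LEDGER: List[Tx] = [
    ("ex1", [], [("alice_a1", 1.0)]),                # withdrawal from a KYC exchange to Alice
    ("ex2", [], [("bob_b1", 1.0)]),                  # withdrawal from the same exchange to Bob
    ("t1", [("ex1", 0)], [("merchant_m1", 0.3), ("alice_a2", 0.7)]),  # Alice pays, keeps change
    ("cj", [("t1", 1), ("ex2", 0)],                  # coinjoin: Alice and Bob spend together
           [("x1", 0.5), ("x2", 0.5), ("x3", 0.5), ("x4", 0.2)]),
    ("t2", [("cj", 0)], [("shop_s1", 0.5)]),         # someone spends a coinjoin output later
]

# What the exchange already holds in its own records: which withdrawal went to whom.
# This is why the tags can be filled in retrospectively from public chain data alone.
WITHDRAWALS = {"ex1": "Alice", "ex2": "Bob"}


def propagate(ledger: List[Tx], withdrawals: Dict[str, str]) -> Dict[OutRef, FrozenSet[str]]:
    """Attach identity tags to every output: withdrawals get the KYC name, other
    transactions pass on the union of the tags of the outputs they spend."""
    tags: Dict[OutRef, FrozenSet[str]] = {}
    for txid, inputs, outputs in ledger:
        if txid in withdrawals:
            inherited: FrozenSet[str] = frozenset({withdrawals[txid]})
        else:
            inherited = frozenset().union(*(tags.get(ref, frozenset()) for ref in inputs))
        for idx, _ in enumerate(outputs):
            tags[(txid, idx)] = inherited
    return tags


def classify(tag_set: FrozenSet[str]) -> str:
    """'marked:<name>' when exactly one identity survives, 'ambiguous' after mixing,
    'unknown' when no KYC record ever touched the coins."""
    if len(tag_set) == 1:
        return "marked:" + next(iter(tag_set))
    return "ambiguous" if tag_set else "unknown"


def report(ledger: List[Tx] = LEDGER, withdrawals: Dict[str, str] = WITHDRAWALS) -> Dict[str, str]:
    return {f"{txid}:{idx}": classify(t) for (txid, idx), t in propagate(ledger, withdrawals).items()}


def merchant_accepts(output: str, ledger: List[Tx] = LEDGER,
                     withdrawals: Dict[str, str] = WITHDRAWALS) -> bool:
    """The 'stamped banknote' rule from the text: only coins with one clear identity are accepted."""
    return report(ledger, withdrawals)[output].startswith("marked:")


if __name__ == "__main__":
    for out, cls in report().items():
        print(out, cls)
```

Running it shows that both outputs of `t1` (the merchant’s payment and Alice’s change) stay marked as Alice even though the exchange never saw `t1`, while every output of the coinjoin, and anything spent from it later, carries both names and can no longer be attributed to one person. Under the stamped-coin rule, `merchant_accepts("t1:0")` is true and `merchant_accepts("t2:0")` is false, which is exactly why the text says mixing would be self-incriminating rather than protective in that scenario.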

I think an even worse thing than not regulating or banning cryptocurrencies (which everyone thought was the worst case scenario, with the result “crypto can’t be banned”) would be to legalize it. And only legal, stamped crypto will be allowed to be used.

Why bother with cryptocurrencies then, if this is a possible scenario in my opinion? In fact, such a dystopian future is already well established in the fiat world. Cryptocurrencies are internet protocols that allow privacy and can play the role of digital cash even in a parallel economy. Cryptocurrencies are therefore getting better from a privacy perspective and allow for a parallel economy without surveillance – and this is their advantage even if “approved” uses continue to be monitored. We already see the first steps towards this dystopian future in the current FATF-GAFI recommendations proposal.