Dutch judge slaps DNB (Dutch central bank) on the wrist in court case of crypto-pioneer Bitonic on wallet-verification !
Last months FATF consultation on virtual asset providers had my particular interest as we are facing an unexplainable access condition in the Netherlands, imposed by the central bank (DNB) our current supervisor on VASPs:
- Netherlands-based Bitonic says it has had to bring in extra verification measures for external wallets due to requirements from the country’s central bank (De Nederlandsche Bank, DNB)
- A delisting of privacy coins is occurring in the Netherland but also around the world
Now I was wondering if it could be that last months FATF-consultation holds the key to this discussion? Are these strict add-on rules and wallet-verification requirements (which in the Netherlands are ‘based’ on Sanction law) actually in the FATF-consultation or are they a Dutch add-on, established by DNB itself?
It turns out it might be both, but either way the EBA has already caught DNB in the act of frontrunning the FATF-rules by overreaching and actually even pointed that out in formal papers. Also, confirming this viewpoint, a Dutch administrative court issued (on April 7) a very favourable verdict for Bitonic (formally questioning the legitimacy of the DNB-behaviour under the required registration regime), so do read on if you want to know the further details…..
First of all: Europe chose a registration regime for crypto in AMLD5
As a reminder of the situation in Europe. The European Banking Authority previously very explicitly requested the European Commission to take out the ambiguity between license regime and registration for virtual asset providers (VASPs) and make a choice when drafting the final AMLD5 directive that designates VASPs as obliged entities:
As the Impact Asessment showed, an overwhelming choice was made for a registration regime (option C) in line with a previous advice of the EBA (idea being to make the market/transactions/actors visible via the AMLD5 but not give it too much legitimacy by handing out licenses in line with PSD2-regimes):
All Member States were consulted and 27 supported option C with one exception having a preference for option D.
The Dutch changed their mind from registration towards license regime
This registration regime at first also appeared to be the base idea in the Netherlands until mid 2018, seeing from statements of Ministry of Finance and the Central Bank.
Then suddenly, at the end of 2018 (after the FATF chose to bring crypto under its rules), both the Ministry of Finance and the Central Bank started launching the idea to impose a license regime. That resulted in a complex Dutch discussion on wording and content of the law. In the end the law had the wording ‘registration’ but it still looked very much like a license regime (see extensive article here).
Effectively what might indeed have happend was that the Netherlands were eying the upcoming 2020 FATF review. As a letter to parliament clarifies, the Dutch wanted to be the best in class when the FATF Mutual Evaluation came up: ‘We refer to our ambition to be one of the frontrunners at the point in time of the FATF Mutual Evaluation in 2021’.
Now the European Banking Authority noticed this (as it had also noticed the FINMA statements) and provided a diplomatic comment, or slap on the wrist, in its mid 2020 report. Doing something more and different than a registration is unproductive and undermines the level playing field in Europe.
Still, this is at the same time that the FATF encouraged countries to pro-actively adress risks as a part of their 2020-interim review on crypto-rules. The report suggest using the market acces mechanism to force the market into submission, when it comes to external wallets or peer-2-peer usage of virtual assets:
Promises and reality in the Netherlands: FATF-anticipation?
However, in discussions in Dutch parliament and with the crypto-sector, it was explicitly outlined that the FATF-recommendations (travel rule and such) would only become applicable via the EU-legislative roadmap. See the slide presented in november 2019 to the crypto-industry. It says: the above (FATF) is not (yet) applicable, and refers to the travel rule in particular.
This didn’t prevent the central bank however from constructing a new requirement, based on Sanctions law 1977, to screen customers and beneficiaries of all external wallets (wether selfhosted or hosted at VASP). Expert will recognise that it mirrors the FINMA-wording almost literally.
DNB also clarified that technically speaking there was the obligation to do video-calls, make screenshots or do message signing. Legal or procedural solutions would not do the job. So we had a central bank requiring verification of the beneficiary of a crypto-transaction as well as proof of ownership of the wallet.
This was a major setback and unexpected move and early November 2020, within 3 weeks of a deadline requiring the close of business (if unregistered) Some 25/38 VASPs registering in NL asked DNB to revoke this self-constructed requirement (must-read letter). But DNB refused and still refuses to revoke it.
So was this DNB-move (while referring to an ancient Sanctions law) indeed in the FATF-playbook as consulted?
The answer is yes and no.
Yes, the FATF clearly suggests that countries may require upfront controls to be put in place, before licensing/registering companies in their market, ‘as it is much more difficult to do so later’.
And yes, the FATF-consultation texts list the possibility of requring stringent controls or prohibiting the use of external wallets as well as some of the measures competent authorities might take:
But the answer is also no, as the FATF text outlines that there is no need for verification of the beneficiary, for reasons of sanctions screening (although monitoring of transactions should occur):
And the report holds another no for the need or possibility to do a technical verification of the person that holds the wallet. DNB imposes this full requirement for all transaction amounts and all types of external wallets on the market. But the FATF states this is technically not possible and not a useful requirement:
So in general, the strict registration approach of DNB (examine and force measures before market introduction rather than after) does find its inspiration in the FATF-procedure approach, but the specific DNB-requirements on wallet-verification and verification beneficiary don’t. DNB is frontrunning the procedure approach of the FATF but the additional requirements are not in there by default.
So: Yes and No, the EBA was right to observe:
DNB frontruns the FATF in terms of process but overreaches in terms of actual requirements by requiring verification of beneficiary
Fist of all there is the matter that EBA identified. Is DNB indeed frontrunning the FATF-rules, because of the upcoming FATF Mutual Evaluation and abusing the registration procedure to that end (turning it into licensing again)?
On that issue the Dutch crypto-industry points out that the Ministry of Finance has formally acknowledged, time and again, that although the legal text might look to imply a license regime, the nature of the law was what was intended in the Netherlands: a mere registration. You can have a look yourself (here’s the youtube link — switch on subtitles if necessary).
Second there is the question: does the wallet-verification requirement of DNB finds it proper base in the Sanctions law? The market says no, supported by an external expert opinion. But DNB says Yes. So this was undecided for some time.
Law suit Bitonic moving forward nicely
Next up, the ball went to the Dutch court, as one of the market players, supported by the industry, requested an temporary relief of the wallet-verification requirement, outlining that the Sanctions law could not be extended to include verification of beneficiaries and control of ownership for recipients of goods.
“The preliminary relief judge, however, has doubts as to whether DNB, in view of the (European) laws and regulations, was able to apply the registration requirement in the manner in which it did so in this case.”
“The interpretation that DNB has given to the registration regime in the case of Bitonic appears, in the provisional opinion, to display characteristics of a licensing regime, because the interpretation of the registration requirement has been subjected to a fairly far-reaching preliminary assessment.
”The judge ordered DNB to pay the bill for the law suit and to use 6 weeks to better demonstrate the legal underpinnings of its requirement, while making all kinds of remarks that hinted at the fact that under the EU-registration perspective of the AMLD5 it would be impossible anyhow to set prior rules before registrations (as DNB had itself previously also explained this was the reason they really wanted a license regime).
A very important note made during the proceedings was on the disproportionality of the requirement. A full surveillance of all customers was required for all amounts. This brings in the European human rights angle into the picture on which my FINCEN-response sheds a seaprate light.
How will this end?
In the short run we may see a temporary solution in the Dutch market, where the legal proceedings lead to the central bank backing off in terms of harsh requirements and no longer imposing a de facto license regime as a registration was set out in the law.
UPDATE: The central bank indeed withdrew its requirement:
But the long-run then?
In the long run, there is still the need for Europe to push back against the FATF-recommendations and a need for crypto-industry, but more generally the public, to understand that with its very wide scoping, the FATF is essentially bringing all future virtual assets, goods, services and value into its remit.
The consequence is that any big data company can then, while pointing at the FATF rules, legitimize sending originator and recipient customer data via its systems to all parties in the value chain. This alas is the unhappy marriage of bigtech and FATF which in Juni 2019 already made me fear that FATF unfortunately stands for Facebook As The Friend.
Does that mean that we should all reply to the current FATF consultation?
I don’t think so. Last time I gave an elegant way forward for the crypto travel rule they recognised a loophole and immediately closed it down. They are a private organisation, not a formal international organisation, so they are not bound by formal rules, human rights treaties and such. They are single-minded in their pursuit of mass surveillance on all citizens which in my view makes them a private organisation with a goal that is illegitimate.
Instead of responding to the consultation it would be better to set up an international movement that formally demands that the association FATF be very quickly restructured dismantled and converted into a formal international organisation with the inherent duty to respect human rights in all elements of its work procedures and to be subject to oversight and freedom of information requests and such.