{"id":440165,"date":"2022-05-01T08:14:00","date_gmt":"2022-05-01T05:14:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/self-custody-control-and-identity-how-regulators-got-it-wrong\/"},"modified":"2022-05-01T08:14:00","modified_gmt":"2022-05-01T05:14:00","slug":"self-custody-control-and-identity-how-regulators-got-it-wrong","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/self-custody-control-and-identity-how-regulators-got-it-wrong\/","title":{"rendered":"# Self-custody, control and identity: How regulators got it wrong"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_Self-custody_control_and_identity_How_regulators_got_it_wrong_%E2%80%9C\"><\/span>&#8221; Self-custody, control and identity: How regulators got it wrong &#8220;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div class=\"post-content\" data-v-2a0745c6>The recent European Union proposal <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.europarl.europa.eu\/doceo\/document\/CJ12-PR-704888_EN.pdf\">requiring<\/a> centralized crypto exchanges and custodial wallet providers to collect and verify personal information about self-custodial wallet holders shows the dangers of recycling traditional finance (TradFi) rules and applying them to crypto without appreciating the conceptual differences. 
We can expect to see more of this as countries look to implement the Financial Action Task Force (FATF) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.fatf-gafi.org\/media\/fatf\/documents\/recommendations\/Updated-Guidance-VA-VASP.pdf\">Travel Rule<\/a>, initially <a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/www.fatf-gafi.org\/publications\/fatfrecommendations\/documents\/internationalstandardsoncombatingmoneylaunderingandthefinancingofterrorismproliferation-thefatfrecommendations.html\">designed<\/a> for wire transfers, to transfers of crypto assets.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-04\/14674e79-78d2-4b4c-913d-8856cfd9bfe3.png\"><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"The_missing_link_between_self-custody_control_and_identity\"><\/span>The (missing) link between self-custody, control and identity<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The aim of the proposed EU <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220324IPR26164\/crypto-assets-new-rules-to-stop-illicit-flows-in-the-eu\">rules<\/a> is \u201cto ensure crypto-assets can be traced in the same way as traditional money transfers.\u201d This assumes that each self-custodial wallet can be linked to someone\u2019s verifiable identity and that this person necessarily controls the wallet. This assumption is wrong.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Authorities are looking to close the gap on unhosted wallets<\/em><\/strong><\/p>\n<p>In TradFi, a bank account is linked to the verified identity of its holder, giving them control over that account. For example, sharing your online banking details with your partner doesn\u2019t make them the account holder. Even if your partner changes the login details, you can regain control by proving your identity to the bank and having it reset the details. 
Your identity gives you ultimate control which cannot be permanently lost or stolen. Of course, in exchange for the bank\u2019s custody protections, you lose self-sovereignty over your assets.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-04\/61fe57bd-f76e-45aa-8ce4-eea5c119bd2e.png\"><\/figure>\n<p>Self-custody of crypto assets is different. Control (i.e., the ability to transact) over the self-custodial wallet is held by whoever has the private keys to that wallet. Control is not linked to anyone\u2019s identity and there is no one to prove your identity to. All you need is to download a piece of software and safely store your private keys. In exchange for this responsibility, you maintain self-sovereign ownership. <\/p>\n<h2><span class=\"ez-toc-section\" id=\"Implementing_the_proposed_rules\"><\/span>Implementing the proposed rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let\u2019s look at how a custodial wallet provider would go about complying with the EU proposal. Assume that Alice wants to send 0.3 Ether (ETH) from her custodial wallet account to Bob\u2019s self-custodial wallet to pay for Bob\u2019s consulting services. Before the transfer goes through, the custodial wallet provider would have to 1) collect Bob\u2019s name, wallet address, residential address, personal identification number, and date and place of birth; and 2) verify the accuracy of these details. Broadly the same details would be required for a transfer from Bob\u2019s wallet to Alice\u2019s custodial wallet account. 
Alice would likely need to ask Bob to send her his details, and Alice would then provide them to the custodial wallet provider \u2014 as recently <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/help.coinbase.com\/en\/coinbase\/trading-and-funding\/sending-or-receiving-cryptocurrency\/how-to-send-crypto\">recommended<\/a> by a custodial wallet provider in a similar context.<\/p>\n<p>The rules would apply even to the smallest transactions \u2014 there is no minimum threshold. Custodial wallet providers would conceivably also need to withhold incoming transfers (creating greater custody risks) and return them to the self-custodial wallet if the verification is unsuccessful.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Crypto in Canada: Where are we today, and where are we heading?<\/em><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Identity_does_not_equal_control_making_compliance_impossible\"><\/span>Identity does not equal control, making compliance impossible<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>While collecting data and potentially withholding incoming transfers is operationally cumbersome, the verification obligation is potentially outright impossible to comply with. In TradFi, the point of identity verification is to ensure that the person controlling a bank account and the person claiming to control it are one and the same. But how could the custodial wallet provider fulfill the verification obligation if control over Bob\u2019s self-custodial wallet does not depend on his identity?<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-04\/ce53af8f-64ec-4fdd-91b5-067c6b6583d0.png\"><\/figure>\n<p>Even if the custodial wallet provider managed to confirm that Bob is the person he purports to be, this doesn\u2019t mean that he controls the wallet. 
It could be controlled by a decentralized autonomous organization that redistributes payments to members like Bob, or by a criminal group, with Bob merely being their money mule. There is no third party to prove Bob\u2019s identity to in order to transact \u2014 whoever controls the private keys is the \u201cbank.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Exposing_legitimate_users_to_disproportionate_security_risks\"><\/span>Exposing legitimate users to disproportionate security risks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let\u2019s assume that custodial wallet providers manage to comply with the proposed rules, or a less stringent version of them that does not require verification. Custodial wallet providers would need to keep large databases of self-custodial wallet users, exposing users to the risk of data breaches. For legitimate users, i.e., those who declare their true identity and also actually control the related self-custodial wallet, this risk has far greater consequences than TradFi data collection (e.g., FATF\u2019s Travel Rule for wire transfers).<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-04\/695637b8-a7ad-4918-b513-783cd65c4a40.png\"><\/figure>\n<p>In TradFi, if a criminal compromises someone\u2019s bank account or card, they wouldn\u2019t get very far because the bank can block the account. By definition, self-custodial wallets lack this feature. Self-sovereign ownership, secured through cryptography and the user\u2019s own vigilance, is seen as an advantage by tens of millions of users worldwide, including those who are excluded from the banking system. 
However, self-sovereignty presumes personal privacy.<\/p>\n<p>Once privacy is compromised \u2014 for example, by hacking the custodial wallet provider\u2019s database of self-custodial wallet users \u2014 users are left exposed to an unfair level of risk compared to TradFi. Knowing someone\u2019s name, address, date of birth and ID number, together with their on-chain activity, would make it easier for criminals to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/fortune.com\/2022\/03\/22\/millions-stolen-nfts-scam-crypto-arthur-cheong\/\">launch<\/a> highly personalized phishing attacks, target users\u2019 devices to retrieve private keys, or blackmail them, including with threats to physical safety. Once private keys are compromised, the user irreversibly loses control over their wallet.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>The loss of privacy: Why we must fight for a decentralized future<\/em><\/strong><\/p>\n<p>Since criminals will find ways around the rules \u2014 for example, by running their own nodes to interact with the blockchain without ever having to rely on custodial wallet providers or self-custodial wallet software \u2014 it will only be the legitimate users who will have to bear these security risks.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Inconsistencies_with_EUs_own_policy_framework\"><\/span>Inconsistencies with EU\u2019s own policy framework<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Security aside, the proposal raises broader privacy concerns. The reporting obligation would clash with General Data Protection Regulation (GDPR) principles such as data minimization, which requires that collected data are adequate, relevant and limited to what is necessary for the purpose of collecting them. 
Ignoring for a moment the argument that data collection serves little purpose, given the missing link between self-custodial control and identity, it\u2019s hard to see \u2014 even by TradFi\u2019s standards \u2014 how someone\u2019s residential address, date of birth and ID number are relevant or necessary for making a transfer. While banks regularly keep such data about their account holders, you as the account holder don\u2019t need to ask for (and know!) these details when sending money or paying for a service.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-04\/71092822-35d0-46d5-ba63-9e568a12332d.png\"><\/figure>\n<p>It is also unclear for how long custodial wallet providers would need to store the data \u2014 under GDPR, personal data should be kept only for as long as necessary to fulfil the purpose of collection. Nor is it clear how users\u2019 individual rights under GDPR such as the \u201cright to be forgotten\u201d and the \u201cright to rectification\u201d could be respected if their personal details are linked to their on-chain history, which cannot be altered.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Browser cookies are not consent: The new path to privacy after EU data regulation fail<\/em><\/strong><\/p>\n<p>The lack of any risk-based assessment or a minimum threshold (unlike the 1,000 euro threshold for fiat transfers) is also out of line with EU policy principles. 
The proposal seems to treat all crypto transfers with suspicion just because they involve crypto assets.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Now_is_the_time_to_engage_with_policymakers\"><\/span>Now is the time to engage with policymakers<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Faced with the prospect of developing costly compliance processes that would likely fail to effectively implement the rules, and risking penalties for non-compliance and potential data breaches, EU-based custodial wallet providers may decide to restrict transfers from and to self-custodial wallets altogether. They may also start servicing EU users from outside the EU. This sends bad signals to the crypto industry and risks discouraging tech talent and capital from the EU, similar to the recent departure of some crypto operators from the United Kingdom.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Consolidation and centralization: How Europe\u2019s new AML regulation will affect crypto<\/em><\/strong><\/p>\n<p>More users may also switch to peer-to-peer transactions and decentralized players to avoid the burdensome rules. While this could be beneficial for some users, the EU should encourage smooth interconnectivity between centralized and decentralized players and promote users\u2019 freedom to choose how they want to transact.<\/p>\n<p>The proposal has now moved to negotiations between the EU legislative bodies starting April 28, with the final text expected by the end of June. If the rule passes in its current form, there will still be a chance to review it within 12 months after its coming into force. However, we can\u2019t rely on this \u2014 now is the time for the European crypto industry to coordinate and engage with policymakers. 
Instead of forcibly applying TradFi rules to a developing technology, we should promote outcome-based policies that allow the emergence of novel compliance solutions that respect how crypto works.<\/p>\n<p class=\"post-content__disclaimer\"><em>This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.<\/em><\/p>\n<p class=\"post-content__disclaimer\"><em>The views, thoughts and opinions expressed here are the author\u2019s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.<\/em><\/p>\n<div>\n<div style=\"background: rgb(239, 239, 239); border: 1px solid rgb(204, 204, 204); padding: 10px;\"><strong>Natalie Linhart<\/strong> is a legal counsel at ConsenSys, where she advises on products including MetaMask, NFT experiences and institutional staking. She also focuses on European regulatory issues affecting the crypto industry. She previously worked as a financial regulatory and derivatives lawyer at Clifford Chance London, advising clients on launching financial products, accessing new markets and mitigating regulatory risks. She also worked on derivatives and debt capital markets transactions including at a global investment bank.<\/div>\n<\/div>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/self-custody-control-and-identity-how-regulators-got-it-wrong\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; Self-custody, control and identity: How regulators got it wrong &#8220; The recent European Union proposal requiring centralized crypto exchanges and custodial wallet providers to collect and verify personal information about self-custodial wallet holders shows the dangers of recycling traditional finance (TradFi) rules and applying them to crypto without appreciating the conceptual differences. 
We can&#8230;<\/p>\n","protected":false},"author":1,"featured_media":440166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDQvM2IyZGZhNTgtYjIxZS00MWNkLTgzNzgtZDE4ODRmOTc5MTc1LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[15047,74894,74863,74879,74355,28340,72705,71511,70934,4966],"class_list":["post-440165","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-privacy","tag-blockchain","tag-cryptocurrencies","tag-wallet","tag-adoption","tag-europe","tag-european-union","tag-government","tag-regulation","tag-united-kingdom"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/440165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=440165"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/440165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/440166"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=440165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=440165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=440165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}