On 5 July 2016, the European Commission (the Commission) adopted a proposal for a directive that, when passed, will begin to narrow the regulatory gap between the U.S. and the EU for virtual currency exchange platforms and custodian wallet providers. Under the Commission’s proposed amendments to the Fourth Anti-Money Laundering Directive1 (4MLD), virtual currency exchange platforms and custodian wallet providers will fall under the scope of 4MLD and will be required to perform customer due diligence for all relationships. This marks the end of the relatively light-touch regulation this sector has enjoyed up to this point and, if the U.S. serves as an example, this initial step will likely mark the beginning of increased regulation of fintech firms and digital currency activities in the EU.
Background The Commission adopted 4MLD on 20 May 2015, to be implemented and applicable in Member States by 26 June 2017. The 4MLD incorporated recommendations of the Financial Action Task Force (FATF) from 2012. After the recent string of terrorist attacks in the EU and beyond, the Commission announced on 2 February 2016 its adoption of an Action Plan2 against terrorist financing, which included both immediate actions to be taken to tackle the abuse of the financial system for terrorist financing purposes as well as new actions to be proposed as amendments to 4MLD to further these initiatives.
The immediate actions outlined in the Action Plan included: (1) bringing forward the date for the transposition and application of 4MLD to the end of 2016 at the latest; (2) accelerating work under 4MLD to provide for the identification of high-risk third countries with strategic deficiencies in the area of anti-money laundering (AML) / countering terrorist financing; and (3) improving the exchange of financial intelligence between EU Financial Intelligence Units (FIUs) and third countries’ FIUs, and between FIUs and the private sector, in line with current FATF recommendations and best practices.
The Action Plan’s ‘new actions’, in the form of proposed amendments to 4MLD, were formally adopted by the Commission on 5 July 2016. The Commission’s proposal3 included a draft directive amending 4MLD and aimed at “tackling terrorist financing risks linked to virtual currencies” by bringing virtual currency exchange platforms and custodian wallet providers under 4MLD. Among the proposed amendments to 4MLD is the EU’s first legal definition under EU law for ‘virtual currencies’ which, under the implementation of 4MLD, will be required to be included in the AML legislation for all Member States.
The Commission said in its press release4 on 5 July 2016 that “[w]ith regard to improving the detection of suspicious virtual currency transactions, six regulatory options were examined. The option retained consists of a combination of means, namely (i) bringing virtual currency exchange platforms and (ii) custodial wallet providers under the scope of [4MLD], while (iii) allowing more time to consider options as regards a system of voluntary self-identification of virtual currency users.”
According to the Commission’s press release, the directive outlining the proposed amendments to 4MLD will be adopted by the European Parliament and the Council of Ministers under the ordinary legislative procedure and, when passed, Member States will have to implement these changes and 4MLD by the end of the year.
Proposed Amendments The proposed amendments to 4MLD specifically impacting virtual currency exchanges and custodian wallet providers include:
- Under Article 2(3) of 4MLD, inclusion of virtual currency exchanges “engaged primarily and professionally in exchange services between virtual currencies and fiat currencies” and “wallet providers offering custodial services of credentials necessary to access virtual currencies”, as entities to whom the obligations of 4MLD apply.
- Revision of the definition of ‘electronic money’ under Article 3(16) to incorporate the definition under Article 2 of the Electronic Money Directive (the EMD)5 (excluding monetary value in Articles 1(4) and 1(5) of the EMD).
- Addition of the definition of ‘virtual currencies’6 at Article 3(18)7 of 4MLD.
- Requirement under Article 47(1) of 4MLD for Member States to ensure “providers of exchanging services between virtual currencies and fiat currencies, [and] custodian wallet providers…are licensed or registered”.
Additionally, Article 65 of 4MLD requires the Commission to draw up a report on the implementation of 4MLD for submission to the European Parliament and Council by 26 June 2019, and under the proposed amendments this “report shall be accompanied, if necessary, by appropriate proposals, including, where appropriate, with respect to virtual currencies, empowerments to set-up and maintain a central database registering users’ identities and wallet addresses accessible to FIUs, as well as self-declaration forms for the use of virtual currency users”.
Potential Effects The immediate effect of these changes is that virtual currency exchanges and custodian wallet providers will be required to apply customer due-diligence controls when exchanging virtual for real currencies, and anonymous virtual currency holding and transfers will no longer be possible via EU exchanges and wallet companies. This will create an extra cost and operational burden for the EU exchanges and wallet companies which have up until this point operated without such requirements. While this won’t be a new procedure for larger financial institutions and banks active in the fintech space, the larger firms will now need to perform due diligence on third party vendors and entities they contract with in order to ensure appropriate safeguards are in place.
In addition, entities in the fintech and virtual currency industries may have concerns about the specificity of the proposed terms. For example, under the proposed amendments, multisig key holder companies, which only hold one of the two keys needed to access a virtual currency wallet, may be subject to the new know-your-customer (KYC) requirements, but exchanges that only exchange virtual currency for different virtual currencies could argue that they are not subject to such requirements.
Furthermore, the inclusion of these firms under 4MLD likely will open the door for future and more far-reaching obligations and requests for information. First, Member States are now required to license or register these exchanges and wallets, and the more familiar national regulators become with the activities and structures of these firms, the more likely increased scrutiny will be placed on operations which currently are not largely understood. Additionally, as set out in the proposed changes to Article 65, the Commission already envisions the creation of “a central database registering users’ identities and wallet addresses” that will be accessible to EU FIUs as well as potentially “self-declaration forms for the use of virtual currency users”.
U.S. Regulatory Comparison The U.S. has had AML requirements similar to those now proposed by the EU applicable to virtual currency businesses since 2013. The U.S. Financial Crimes Enforcement Network (FinCEN), the regulator responsible for enforcement of the U.S. Bank Secrecy Act, issued guidance on 18 March 2013, identifying conduct that would cause virtual currency companies to become money services businesses (MSBs) (the 2013 Guidance). Generally, the 2013 Guidance included in the MSB definition a person that accepts and transmits convertible virtual currency or that buys or sells convertible virtual currency in exchange for currency of legal tender or another convertible virtual currency (e.g., a virtual currency exchanger, defined as “a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency”, is deemed an MSB)8. We note that the 2013 Guidance specifically states that an entity exchanging virtual currency for another convertible virtual currency is covered by the regulation, in contrast to the proposed amendments to 4MLD discussed above. U.S. MSBs must register with FinCEN, appoint an AML compliance officer, and implement an AML programme reasonably designed to address money laundering risks raised by its business, including by reporting suspicious transactions to FinCEN.
Individual states soon followed, enacting or proposing their own requirements and equivalent laws affecting virtual currency companies. For example:
- The New York State Department of Financial Services9 published final rules regarding a new licensing requirement for providing virtual currency services in New York (the BitLicense) in June 2015. Entities conducting “Virtual Currency Business Activity” in New York or conducting activities that involve a New York resident are required to obtain a BitLicense. Applicants for a BitLicense are required to have, among other things, AML/KYC, consumer protection and cybersecurity programmes.
- Other states, such as Connecticut10, New Hampshire11, and, as of 5 July 2016, North Carolina12 have amended their money transmitter regulations, generally requiring businesses that transmit virtual currency to comply with the applicable state regulations and obtain appropriate licence(s), with specific requirements varying by state.
- Other states, including California, Pennsylvania and South Carolina, are currently considering digital currency-specific proposals that include AML and/or licence requirements.
Conclusion The EU had been a favoured jurisdiction for fintech firms due to the light-touch regulation in this area but now the regulatory gap between the EU and the U.S. has begun to close, with more regulation likely to come on both sides of the pond.