FATF: Possible Death Of Privacy Coins?

This is a very disturbing recommendation from the FATF (financial action taskforce) and could be implementen in June 2019…Especially important paragraph 7b

Scary for the privacy coins though…They want wallet providers, banks, exchanges to show the details of both senders AND receivers for each transaction…Goes against the GDPR if you ask me where the users should have the right to their own data

It’s for sure an interesting case but in many cases it makes sense.

For example IF a company doesn’t has detailed info on Sender/Receiver/Date/Amount/Reason than every company could fake their books if you think about it. This includes several different tax avoidance, faking the bilance and 101 other things that are illegal.

As soon as you have to declare something, be it to the tax department or similar it just must have these Sender/Receiver/Date/Amount/Reason or they can’t check it if needed.

About the GDPR, pretty sure it’s confirm with it as after a given amount of time, let’s say 5 or 10 years in which many companies (at least in europe have to keep all paper work/books/whatever) the data can get or even must get deleted.

Just some thoughts as it’s new land for everyone…

Someone trying to get their orders filled? ever heard of viewing keys?..and whats up with this non secure .org site? Sounds just like the Bitfinex subpoena thing, we know how that ended.

This comes back to the “travel” rule and it only applies to transactions over USD EUR 1000
If you’re a money transmitter in the United States you’re basically already subject to all of that anyways (and if you’re not you’re still subject to claiming taxes on anything over $600 I believe)
I’ve looked into crypto ATMs, OTCs, all of it requires liscenses (which is the easy part), aml / kyc, reporting everything including any suspicious activity which is predefined
Doable but it doesn’t really spark Joy

But yeah dont let this keep you awake,


1 Like

Good points…Maybe I need to switch a button in my head about privacy/freedom…(For some unknown reason it doesn’t feel right though)

First thing I noticed too about that they didn’t have a non-secure site :). Very disappointing to see this on such an important international website

yeah…:frowning: …they say it is about money laundring but it is about control and power…

Heres a FinCen pdf that fear mongers would prefer you not read
It basically says that although these financial institutions are required to collect and share this information with each other which ain’t nothing new here in the US, they are also very much required to, in good faith at least, protect it as well

That’s why Zcash is compliant because you can simultaneously encrypt all the information AND send the user information along in the memo to be verified at the other end
View keys would only make it even more so
(And you know I just thought about it it stands to reason that maybe the best way other coins could comply is to use zcash as that secondary channel to send the information!)

Just took the time with my morning tea to read the whole FATF paper. Below the interesting parts that directly adress privacy coins:

Initial Risk Assessment:
28. …Similarly, VA products or services that facilitate pseudonymous or anonymity-enhanced transactions also pose higher ML/TF risks, particularly if they inhibit a VASP’s ability to identify the beneficiary.
The latter is especially concerning in the context of VAs, which are cross-border in nature. If
customer identification and verification measures do not adequately address the risks associated with non-face-to-face or opaque transactions, the ML/TF risks increase, as does the
difficulty in tracing the associated funds and identifying transaction counterparties.

  1. c) The specific types of VAs that the VASP offers or plans to offer and any unique
    features of each VA, such as AECs, embedded mixers or tumblers, or other
    products and services that may present higher risks by potentially obfuscating
    the transactions or undermining a VASP’s ability to know its customers and
    implement effective customer due diligence (CDD) and other AML/CFT
    f) Exposure to Internet Protocol (IP) anonymizers such as The Onion Router
    (TOR) or Invisible Internet Project (I2P), which may further obfuscate transactions or activities and inhibit a VASP’s ability to know its customers and implement effective AML/CFT measures;

FATF Definitions and Features of the VASP Sector Relevant for AML/CFT

  1. The FATF Recommendations require all jurisdictions to impose specified AML/CFT
    requirements on FIs and DNFBPs and ensure their compliance with those obligations. In the
    Glossary, the FATF defines:

a) “Financial institution” as any natural or legal person who conducts as a business one or more of several specified activities or operations for or on behalf of a customer;

b) “Virtual asset” as a digital representation of value that can be digitally traded
or transferred and can be used for payment or investment purposes.

c) “Virtual asset service provider” as any natural or legal person who is not
covered elsewhere under the Recommendations and as a business conducts
one or more of the following activities or operations for or on behalf of another
natural or legal person:
i. Exchange between virtual assets and fiat currencies;
ii. Exchange between one or more forms of virtual assets;
iii. Transfer of virtual assets; and
iv. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
v. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

  1. Notably, the scope of the FATF definition includes both virtual-to-virtual and virtual-to-fiat
    transactions or financial activities or operations.

  2. A VASP may fall into one or more of the five categories of activity or operation described under
    the VASP definition (i.e., “exchange” of virtual/fiat, “exchange” of virtual/virtual, “transfer,”
    safekeeping and/or administration,” and “participation in and provision of financial services
    related to an issuer’s offer and/or sale”).

  3. …Rather, the VA and VASP definitions are intended to capture specific financial activities and
    functions (i.e., transfer, exchange, safekeeping and administration, issuance, etc.) and assets
    that are fungible—whether virtual-to-virtual or virtual-to-fiat.

  4. Similarly, AML/CFT regulations will apply to covered VA activities and VASPs, regardless of
    the type of VA involved in the financial activity (e.g., a VASP that uses or offers AECs to its
    customers for various financial transactions), the underlying technology, or the additional
    services that the platform potentially incorporates (such as a mixer or tumbler or other
    potential features for obfuscation).

  5. Due to the potential for increased anonymity or obfuscation of VA financial flows and the challenges associated with conducting effective customer identification and verification, VAs and VASPs in general may be regarded as higher ML/TF risks that may potentially require the application of enhanced due diligence measures, where appropriate.

  6. A jurisdiction has the discretion to prohibit VA activities or VASPs, based on their assessment
    of risk and national regulatory context or in order to support other policy goals not addressed
    in this Guidance …

  7. As discussed previously, VAs have certain characteristics that may make them more
    susceptible to abuse by criminals, money launderers, terrorist financiers, and other illicit
    actors, including their global reach, capacity for rapid settlement, ability to enable “individual
    user-to-individual user” transactions (sometimes referred to as “peer-to-peer”), and potential
    for increased anonymity and obfuscation of transaction flows and counterparties. In light of
    these characteristics, countries may therefore go further than what Recommendation 10
    requires by requiring full CDD for all transactions involving VAs or performed by VASPs (as
    well as other obliged entities, such as banks that engage in VA activities), including “occasional
    transactions” below the USD/EUR 1 000 threshold, in line with their national legal
    frameworks. Such an approach is consistent with the risk-based approach set out in
    Recommendation 1, provided that it is justified on the basis of the country’s assessment of
    risks (e.g., through the identification of higher risks). Additionally, jurisdictions, in establishing
    their regulatory and supervisory regimes, should consider how the VASP can determine and
    ensure that the transactions are in fact only conducted on a one-off or occasional basis rather
    than a more consistent (i.e., non-occasional) basis.

  8. Countries also should consider the risk factors associated with the VA product, service,
    transaction, or delivery channel, including whether the activity involves pseudonymous or
    “anonymous transactions,” “non-face-to-face business relationships or transactions,” and/or
    “payment[s] received from unknown or un-associated third parties” (see INR. 10 15© as well
    as the examples of higher and lower risk indicators listed in paragraph 31 of this Guidance).
    The fact that nearly all VAs include one or more of these features or characteristics may result
    in countries determining that activities in this space are inherently higher risk, based on the
    very nature of VA products, services, transactions, or delivery mechanisms.

  9. In these and other cases, the enhanced due diligence (EDD) measures that may mitigate the
    potentially higher risks associated with the aforementioned factors include:
    a) corroborating the identity information received from the customer, such as a
    national identity number, with information in third-party databases or other
    reliable sources;
    b) potentially tracing the customer’s IP address; and
    c) searching the Internet for corroborating activity information consistent with
    the customer’s transaction profile, provided that the data collection is in line
    with national privacy legislation.

  10. Countries also should consider the enhanced CDD measures detailed in INR. 10, paragraph 20,
    including obtaining additional information on the customer and intended nature of the
    business relationship, obtaining information on the source of funds of the customer, obtaining
    information on the reasons for intended or performed transactions, and conducting enhanced
    monitoring of the relationship. Additionally, countries should consider the measures required
    for FIs that engage in fiat-denominated activity that is non-face-to-face (such as mobile services) or that is comparable to VA transactions in assessing their risks and developing
    mitigating controls accordingly

  11. For example, the information available on the blockchain or other type of distributed ledger
    may enable relevant authorities to trace transactions back to a wallet address, though may not
    readily link the wallet address to the name of an individual. The wallet address contains a user
    code that serves as a digital signature in the distributed ledger (i.e., a private key) in the form
    of a unique string of numbers and letters. However, additional information will be necessary
    to associate the address to a real or natural person.

stopping here as it would get way to long …

full text here:

1 Like

You should have kept reading

Oh its not all doom and gloom

Those #s are 188 and 189


The powerful global money laundering watchdog, FATF (Financial Action Task Force), today released a Red Flag Indicators document for digital assets. “Anonymity” is #3 out of 6 areas of concern.

Red Flag Indicators Related to Anonymity

  • Transactions by a customer involving… anonymity-enhanced cryptocurrency (AEC) or privacy coins.
  • [Exchanging BTC]… for an AEC or privacy coin.

This is the kind of narrative that stands squarely the way of z transactions gaining traction (and sometimes holding back t transactions as well, as we saw in Okex delisting ZEC entirely one year ago).

That being said, in their opening statement they emphasize that “the mere presence of these features does not automatically suggest an illicit transaction… should be considered in THE CONTEXT of other characteristics about the customer and relationship, or a logical business explanation.”

That’s an opening that we should welcome with open arms. We should fund projects that help create make this “context” solid in they eyes of law enforcers. I don’t believe any of us who are active on this forum want to encourage bad behavior either. The onus is on us to make what we have built non-scary to the rest of the world.

Screen Shot 1

Screen Shot 2

Screen Shot 3


Could you expound on that? What additional ‘context’ regarding users would you want projects to help furnish to regulators / LE?


This is why we say “shielding” as if we are protecting ourselves from attackers. ECC/ZF brand values are on point. MGRC should double down keeping in mind that it serves as a liason between devs and end users (if you assume Zcash Network Flywheel model).

Re: re: narratives,

As I’ve always said, Privacy for GOOD!

Moreover, we leave zero address (z-address) on the permanent, public ledger!

And, as always, you know where to z2z.to/

Not only will we get traction, we will get lift off: J curves!

1 Like

Great question. I have some ideas, but admittedly I think there’s still a lot to explore to get to a more satisfying answer.

Short answer:

  1. have third parties do the law enforcers’ homework of confirming contextual legitimacy for them
    One thing i’ve learned in sales and business development is that if you want a deal to happen, you have a much better chance if you do all the homework for your counterpart - all the slides, financial analyses, even scripts for talking to their bosses.

  2. support their ongoing initiatives e.g. the Travel Rule
    Fit your story into theirs, don’t ask them to read your story.

  3. take the middle ground

  4. talk to all stakeholders (including the regulators/law enforcers) and come up with better ideas than the ones above…


Long winded answer, for those with patience:

The FATF provided an opening for “CONTEXT” being an acceptable way to deal with what they perceive as a risk of privacy coin transactions.

If people who perform z transactions can prove, in a way that is satisfying to law enforcers, that there is there a plausible, not-illegitimate reason for the funds to move (the “context” fits), that “blesses” the transaction.

For example, consider this scenario: I run a website selling online Toastmaster courses; students use a mix of crypto and fiat to pay me from all over the world; I tell the VASP exchange during their due diligence on me that I expect US$2000-10,000 per week in crypto revenues; every week I convert the crypto i receive into ZEC on a VASP exchange; finally I send all the ZEC to my own private z address. Transactions that fit this model of flows should not raise any red flags.

But law enforcers don’t yet have a solid system for knowing if VASPs are doing their job of monitoring flows to ensure they match legitimate use cases (i.e. known contexts). What if i suddenly convert $100,000 into ZEC and move it to a z address, how do they know the VASP is monitoring and reporting this? So the easier thing for them to do is to frown on all transactions involving z transactions. If something illicit pops up on their radar later, they lose the trail once it hits this z transaction.

Building such a “solid system” can mean a few things.

(Note that these are just ideas that may work and should be tested. They do not reflect where I think the line for privacy should be drawn; for example some people may believe that they should not have to explain/justify their financial transactions to anyone. I don’t think our only position should be to acquiesce to the prevailing sentiment/pressures, but nonetheless these are some ways to integrate z transactions into the wider ecosystem.)

1) Third party solutions.

These solutions could verify the pattern and sources/destinations of funds are as described to VASPs when a user went through KYC or due diligence. Like a Chainalysis or Elliptic but focused on privacy coins.

Having a third party creates a layer for law enforcers that “checks” VASPs’ compliance with their own policies.

These solutions may need to hold viewing keys. They should be designed by people who are experts in privacy and security, since it would defeat the purpose if z transactions users see them holding viewing keys as a potential risk.

2) Accelerate the development of solutions and standards that support the Travel Rule.

The better the Travel Rule is implemented across VASPs, the less nervous law enforcers need to be. Such solutions/standards could be Netki’s TransactID service, and the Travel Rule Information Sharing Architecture. Shawn’s excellent Perkins Coie document explains this (see page 36).

3) Schrodinger’s viewing keys?

Create addresses where law enforcers could look up z transactions that have opted in to some level of scrutiny, but the owners of the addresses will know when their transactions are viewed. This is different than the current viewing keys, which need to be provided specifically to the viewer, and viewing does not result in detection.

I hate this idea because then the people that don’t opt in might appear more suspicious / “guilty,”, but there is something to be said for finding a balance between complete privacy and at least being notified when your privacy may have been compromised and being able to take necessary action if you want to.

Perhaps this would be tolerable for people who want some privacy from the public/bad actors but can settle for some amount of permissioned access.

4) Even better than my ideas above would be to have people come up with more and better ideas!

They’d collaborate with or interview regulators, law enforcers, exchanges, auditors, even the FATF, and everyone who would be involved in ensuring the integrity of our financial system.

^^ my two cents. Digging around in my pockets to see if there are more cents to add…


I appreciate the thought you’ve put into this, @ml_sudo, and thank you for elaborating.

My initial reaction is that what you suggest is a level of collaboration with, and legitmisation of, powers-that-be which I personally hope the MGRC wouldn’t entertain spending funds upon.

If this is the fate of exchange relationships with Zcash, then I pray P2P decentralised solutions will make such fiat onramps irrelevant, exchange listings be damned.

I have my own definition of bad behaviour which I wouldn’t want to encourage, and maybe it doesn’t diverge much from your own. But discouraging what constitutes ‘bad’ behaviour as arbitrarily defined by regulators, be it Belarus or the United States, shouldn’t be a starting point when it comes to protocol design or funding decisions.

Obviating the power of the sovereign to define at their whim what is ‘good’ and ‘bad’ usages of the peaceful exchange of money ought to be a core purpose of privacy-enhancing technology.

That’s not a pitch you can make to a regulator, but it’s something we should never forsake. Cybercoins are a tool for liberation.

Please tell me if I’m shortsighted or haven’t fully grokked your suggestions, and that hard-privacy non-KYC Zcash can coexist with ‘enhanced due-dilligence’ ZEC, but at the very least, funds flowing to a company like Chainalysis or Elliptic I believe would be a betrayal of our ethos. Doing so would be weaponising coinbase rewards against the privacy of the ecosystem.