The Meaning of Inbuilt Anonymisation under MiCA

27-09-2024

Bastien Choquez

Titles III and IV of the Markets in Crypto-Assets Regulation (Regulation EU 2023/1114 – MiCA) entered into application on June 30th, 2024. Title III applies to crypto-assets that qualify as asset-referenced tokens (ARTs), while Title IV applies to those that qualify as electronic-money tokens (EMTs). In addition to these two categories of crypto-assets, crypto-assets that fall within MiCA’s scope may fall within a third category, englobing crypto-assets that do not qualify as ARTs or EMTs under MiCA’s Title II.

This classification is primordial for issuers, offerors to the public, and persons seeking admission to trading since the above-mentioned Titles specifically regulate these activities. On the other hand, crypto-asset service providers (CASPs) must also consider the regulatory classification of any crypto-asset in relation to which they intend to provide services regulated under MiCA, as specific rules may apply according to the crypto-asset’s classification.

For instance, it is crucial for CASPs operating a trading platform to comply with MiCA’s Articles 76(2) and 76 (3). These articles set out specific requirements for the assessment and admission of crypto-assets. Article 76(2) obliges CASPs to assess the suitability of the crypto-assets they admit to trading and ensure they comply with the platform's operating rules. Furthermore, Article 76(3) prohibits the admission to trading of “crypto-assets that have an inbuilt anonymisation function” unless the CASP can identify token holders and their transaction history.

This article aims to define what constitutes an ‘inbuilt anonymisation function’ and how the term is interpreted under MiCA to establish the potential implications for issuers, offerors, persons seeking admission to trading, and CASPs. Moreover, to ensure a comprehensive understanding of the full regulatory scope applicable to such crypto-assets under EU laws, the analysis presented in this article extends to other European frameworks, such as the Transfer of Funds Regulation (Regulation EU 2023/1113 – TFR) and the EU’s Anti-Money Laundering (AML) laws.

“Inbuilt Anonymisation Function” from a Technical Perspective

It is safe to say that the term ‘Inbuilt anonymisation function’ refers to technologies that enhance privacy and protect user identities. However, to understand how MiCA captures crypto-assets labelled in the industry as ‘privacy coins’ under this notion, it is important to establish what inbuilt anonymisation functions are from a technical perspective. In this perspective, the term usually refers to functionalities implemented within crypto-assets or their distributed ledger technology (DLT, or blockchain) that automatically anonymise transactions and/or user data.

This can include technologies such as ‘Ring Signatures’, a type of cryptographic signature that makes it impossible to determine which member of a group signed a transaction, or ‘Ring Confidential Transactions’, a feature that hides the transaction amount, adding an extra layer of privacy. Monero (MNR), one of the most well-known privacy-focused crypto-assets, notably used these two technologies. The project also used ‘Stealth Addresses’, one-time addresses that are created for each transaction.

Another well-known project, Zcash (ZEC), offers users the option of ‘Shielded’ transactions, which provide enhanced privacy features. Those transactions are sent from ‘Shielded’ or ‘Z-addresses’, providing full encryption of transaction data. To verify these transactions where users' data are encrypted, the project developed Zero-Knowledge Proofs (or zk-SNARKs), enabling transactions to be verified without revealing any information about the sender, receiver, or transaction amount. As mentioned, it is important to note that this feature is optional.

The privacy project Secret Network offers a different set of privacy features. The project released ‘Secret Contracts’, which can be defined as smart contracts with the additional ability to process encrypted inputs and outputs. This functionality ensures that the data processed by the contracts remains confidential, even from the nodes executing the contracts. The native crypto-asset of the Secret Network, Secret (SCRT), used its own SNIP-20 token standard, ensuring that transaction amounts and addresses involved in transactions remain private.

Despite their privacy features, Secret Tokens allow for selective disclosure, enabling regulatory compliance when necessary. Indeed, Secret token holders can prove the origin of their funds or provide transaction history when required and only to the extent to which it is required, without revealing all transaction data and history.

What does “Inbuilt Anonymisation Function” mean under MiCA?

MiCA refers to ‘inbuilt anonymisation functions’ under Article 76. However, it is the sole instance where EU legislators mentioned crypto-assets using such functions within the text of MiCA. Therefore, the notion is undefined under this regulation. If it is possible to define what inbuilt anonymisation functions are from a technical perspective, the exact scope of this notion remains unclear on the legal scale. However, the text of Article 76 calls for several observations.

Firstly, the prohibition concerns “crypto-assets that have an inbuilt anonymisation function”. From a technical perspective, one may argue that the anonymisation function can also be built within the DLT infrastructure or within the rules governing the validation of transactions through the DLT network rather than within the crypto-asset itself. For instance, the ‘Stealth Addresses’ used within Monero would not meet the criterion of Article 76(3), as those addresses are not transferable and, therefore, do not constitute crypto-assets. Consequently, the formulation used in Article 76 also leaves outside of MiCA’s scope certain services, such as mixers, enhancing privacy and anonymity.

Secondly, the example of Zcash raises another issue, as the project offers privacy functions as an option. Indeed, users may opt for ‘transparent transactions’, where all transaction details are publicly visible on the blockchain, and ‘shielded transactions’, where the transaction details are fully encrypted and not publicly visible. Therefore, the applicability of MiCA’s Article 76(3) is arguable, as such an optional feature could conflict with the term ‘inbuilt’, which suggests that the anonymisation function must be a ‘by default’ feature excluding users’ discretion.

Third, the ‘selective disclosure’ feature offered by the Secret Network also questions the applicability of the exemption provided under Article 76(3) in scenarios where CASPs can identify holders of such crypto-assets and their transaction history. In this instance, MiCA does not ultimately impose CASPs to identify the source of the funds. Therefore, it is unsure whether CASPs should be able to establish the full transaction history, tracing back to the original purchase of crypto-assets against fiat, or if disclosing information uniquely in relation to the attended transaction would suffice to meet this criterion.

What are the Legal Implications for Crypto-Assets with Inbuilt Anonymisation Functions under MiCA?

When analysing the scope of MiCA’s Article 76(3), it is important to remember that this article was incorporated within MiCA’s Title V related to the authorisation and operating conditions for CASPs. Therefore, MiCA does not properly restrict the issuance of crypto-assets that have built-in anonymisation functions, nor does it restrict their offering to the public. More surprisingly, MiCA does not restrict persons seeking admission to trading to seek admission to trading of such crypto-assets, as there exists no reference to such assets under Titles II, III and IV.

What MiCA does restrict is the admission to trading of those crypto-assets that have built-in anonymisation functions. This prohibition does not apply to all CASPs but only to those that operate a trading platform. Therefore, other CASPs can continue to offer regulated services in relation to these crypto-assets, such as the custody and transfer of crypto-assets on behalf of clients. More arguably, MiCA does not prohibit the execution of orders or the reception and transmission of orders in relation to these crypto-assets.

Therefore, nothing prevents CASPs established in the EU from transmitting orders to third parties established outside the EU for execution. In this scenario, CASPs would be able to provide a service similar in appearance to their clients, the only distinction being that orders are not executed within a trading platform in the EU but outside of the EU. This consideration seems to contradict the purpose of MiCA’s Article 76(3) and allows CASPs to circumvent this prohibition rather easily.

Finally, in its Consultation Paper ‘Technical Standards specifying certain requirements of MiCA - second consultation paper’, the European Securities and Markets Authority (ESMA) proposed a list of records to be kept by CASPs, depending on the nature of their services and activities. Under the regulators’ guidelines, CASPs operating a trading platform for crypto-assets must keep records of cases where crypto-assets have an inbuilt anonymisation function.

The broader Regulatory Implications under other EU Frameworks

When assessing the regulatory implications applicable to crypto-assets that present inbuilt anonymisation functions, one must extend the scope of the analysis further than MiCA. As demonstrated above, the scope of the restriction introduced in Article 76(3) is extremely limited. Particularly, the custody, transfer, and exchange of those crypto-assets is not prohibited, enabling CASPs and their clients to perform transactions using those crypto-assets. However, as the anonymisation features that some crypto-assets may offer also introduce risks in relation to money laundering and terrorist financing, other European frameworks apply to those assets.

The Transfer of Funds Regulation

The TFR implements rules regarding information that must accompany transfers of funds and certain crypto-assets. Its Recital 8 outlines EU legislators’ approach to crypto-assets: “Their global reach, the speed at which transactions can be carried out and the possible anonymity offered by their transfer make virtual assets particularly susceptible to criminal misuse, including in cross-border situations”.

Recital 17 also promotes a broader scope than the one pertaining to crypto-assets with inbuilt anonymisation functions under MiCA: “Certain transfers of crypto-assets entail specific high-risk factors for money laundering, terrorist financing and other criminal activities, in particular transfers related to products, transactions or technologies designed to enhance anonymity, including privacy wallets, mixers or tumblers”. Therefore, the TFR aims to target and regulate not only the transferred crypto-assets but also the technologies and services through which they are transferred, among which the legislators mentioned privacy wallets and mixers.

Privacy wallets are crypto-asset wallets designed to enhance transaction privacy and anonymity. They use various techniques and technologies to obscure transaction details, making it more difficult for third parties to trace the flow of funds or identify wallet owners. Moreover, mixers and tumblers are services that enhance privacy by mixing crypto-assets from potentially identifiable transfers with other crypto-assets to obscure the trail back to the original source. Both privacy wallets and mixers are services distinct from the operation of a trading platform and would not fall under the scope of MiCA’s Article 76.

Two considerations must be made regarding the TFR's specific scope. Firstly, requirements under the TFR apply to all CASPs, defined by reference to the definition of CASPs under MiCA. For instance, Article 14 requires CASPs to provide information on originators of transfers of crypto-assets, such as the originator’s name, DLT address, personal document number, and customer identification number. The same information must be provided by the originator's CASP regarding the beneficiary of the transfer.

Therefore, these transparency and traceability requirements apply to any CASPs processing transfers of crypto-assets. Such requirements further restrict the potential use of crypto-assets with inbuilt anonymisation functions, as such assets may prevent the identification of the originator and beneficiary of the transfer. Additionally, the term ‘transfer of crypto-assets’ has its own definition under the TFR and is not limited to the definition of this service under MiCA but also covers services such as exchanges of crypto-assets. Furthermore, Article 14 also applies to situations where the originator and the beneficiary of the transfer are the same person and situations where the CASP of the originator is also the CASP of the beneficiary of the transfer.

Secondly, these requirements also restrict the provision of certain services and technologies, such as privacy wallets and mixers. Indeed, when they qualify as CASPs and intervene in transfers of crypto-assets, entities providing such services must comply with the TFR dispositions. As the technology they provide may also prevent the identification of both the originator and the beneficiary of the transfer, these services would most likely not be able to comply with the TFR.

In consequence, and to ensure the traceability of such transfers in most cases, EU legislators entrusted the European Banking Authority (EBA) to issue guidelines specifying the enhanced due diligence (EDD) measures that obliged entities – a category that includes CASPs – should apply, “including the adoption of appropriate procedures such as the use of distributed ledger technology (DLT) analytic tools, to detect the origin or destination of crypto-assets”.

The use of such analytic tools appears inevitable for CASPs to meet the requirements of TFR’s Recital 39, which, regarding transfers exceeding €1,000 sent to or received from a self-hosted address, obliges CASPs to verify whether the self-hosted address is effectively owned or controlled by their client.

AML Directives and Regulation

As highlighted under the TFR, EU legislators considered that crypto-asset transfers introduce new risks regarding money laundering and financing of terrorism. For this reason, besides the TFR, EU AML laws also apply to CASPs since the entry into force of Directive EU 2018/843 (AMLD5) on July 9th, 2018, and its implementation into national laws by January 10th, 2020, at the latest. This directive extended the scope of the previous AML directive (Directive EU 2015/849 – AMLD4) to CASPs providing exchange services between virtual currencies and fiat currencies and CASPs providing custody services.

To further harmonise the AML/CFT requirements applicable within the Union, EU legislators subsequently proposed to regulate the field through a regulation, a legislative instrument that is directly applicable to all EU Member States, contrarily to directives which require Member States to transpose the text of the directive into their national law. This was done with the adoption of Regulation EU 2024/1624 (AMLR), which came into force on July 10th, 2024, and will become applicable to all Member States by July 10th, 2027.

Recital 160 of this Regulation outlines the ambition to restrict further the provision of services in relation to crypto-assets with built-in anonymisation functions. It states that: “In order to ensure effective application of AML/CFT requirements to crypto-assets, it is necessary to prohibit the provision and the custody of anonymous crypto-asset accounts or accounts allowing for the anonymisation or the increased obfuscation of transactions by crypto-asset service providers, including through anonymity-enhancing coins. That prohibition does not apply to providers of hardware and software or providers of self-hosted wallets insofar as they do not possess access to or control over those crypto-asset wallets”.

It is interesting to note that if the legislators referred in this Recital to ‘anonymity-enhancing coins’, this term has been defined under Article 2(1)(25) of the Regulation as “crypto-assets that have built-in features designed to make crypto-asset transfer information anonymous, either systematically or optionally”. Not only is the term defined, but it is defined in a way that allows it to encompass technologies and services where the anonymisation features are optional, such as Zcash.

Accordingly, Article 79(1) prohibits CASPs from keeping anonymous crypto-asset accounts as well as any account “allowing for the anonymisation of the customer account holder or the anonymisation or increased obfuscation of transactions, including through anonymity-enhancing coins”. However, this prohibition does not apply where the entity providing such accounts does not have access or control over those wallets. This exclusion appears justified, as in such scenarios, the service provided would neither meet MiCA’s definition of custody services.

The Regulation includes other requirements for CASPs in accordance with the TFR, such as the obligation under Article 19(3)(a) to apply customer due diligence (CDD) measures when carrying out an occasional transaction that amounts to a value of at least €1,000, or the equivalent in national currency. Additionally, Article 40 allows CASPs to require additional information on the origin and destination of the crypto-assets when assessing the risks associated with transfers of crypto-assets directed to or originating from a self-hosted address.

Conclusion

In conclusion, the regulatory framework applicable to crypto-assets with in-built anonymisation functions in the EU is fragmented between various directives and regulations. MiCA only prohibits CASPs operating a trading platform from admitting to trading such crypto-assets. On the other hand, the TFR does not expressively prohibit the provision of services in relation to such assets, but the rules it imposes regarding information that must accompany transfers of crypto-assets further restrict, in practice, the possibility of providing transfer and exchange services in relation to these assets. Finally, the dispositions of the AMLR, which will become applicable in all Member States with the same intensity, offer a broader definition of the notion of an ‘inbuilt anonymisation function’ and expressively prohibit CASPs from providing custody services in relation to those crypto-assets. Therefore, projects developing anonymisation technologies and services in the field of crypto-assets cannot ignore the regulatory implications of such products under EU laws.

---

Topic

Crypto regulation MiCA