5.1 Introduction: The EU Approach to the Placement of Funds

This chapter discusses the legal framework in place, and the framework needed, to regulate the Metaverse in order to reduce MLFT at the placement phase. Whilst the primary focus is the placement phase, some of the proposals will spill over into the other stages of MLFT. The legal framework considered is limited to that of the European Union. The EU’s AMLD was updated in 2018 through the introduction of AMLD5, with the aim of bringing virtual currencies under supervision.Footnote 1 Specifically, AMLD5 brings fiat/crypto exchange services and custodian wallet providers under supervision.

In theory, the EU has therefore covered the supervision of the placement phase. To place funds as cryptocurrency requires an exchange from fiat currency into a wallet. Furthermore, any cryptocurrency paid in return for criminal activities is also supervised through the supervision of wallets. The system mimics the supervision of banks in the sense that similar monitoring duties are assigned. Nevertheless, there are some differences. The first is the general approach that providers of exchange and storage services have to register rather than apply for a licence. Additionally, registration in one EU country does not confer the right to provide these services in other EU countries. Prima facie the EU has therefore opted for a system with little cooperation between the Member States, which is initially a bad sign for approaching such a global issue. Furthermore, registration seems a softer requirement than the licensing used for other financial institutions.

This approach, however, does not necessarily reduce the effectiveness of the legal framework. That a registration is not valid throughout the EU is perhaps bad for the internal market and may increase the burden on the institutions offering these services, but it does not have to reduce the effectiveness of the supervisory system. More importantly, the question is whether all possibilities of entering funds into the Metaverse have been incorporated into the legal framework.

5.2 Entity

To encompass all methods of placing funds into the Metaverse the definition of a wallet has to incorporate all forms of wallets. The AMLD5 defines a wallet provider as:

“custodian wallet provider” means an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.Footnote 2

With this definition, custodian wallets are brought under the supervision of national authorities. Wallet providers have to register with national supervisors and perform the duties specific to the jurisdiction. In the Netherlands these duties derive from the Wet ter voorkoming van witwassen en financiering van terrorisme (Wwft)Footnote 3 and the Sanctiewet.Footnote 4 These duties include verifying the identity of customers and reporting suspicious transactions. Prima facie the directive, in combination with national supervision, would seriously hamper anonymous transactions taking place in the Metaverse. This would theoretically mitigate a large risk factor of MLFT, as the wallet is generally considered to provide anonymity.Footnote 5 To do so, however, it needs to cover all forms of wallet that can be found in the Metaverse.

As stated in the second chapter, there are three primary routes through which funds can be held in the Metaverse: separate wallet providers, the avatar, and the reality provider. The regulation is broadly formulated using the word ‘entity’. The term entity is by no means a clear definition; Godlieb considers that the Commission is particularly vague on this topic.Footnote 6 Unclear legislation is generally undesirable, but in this case it should be considered positive. Technology is an ever-changing organism and legal statutes are therefore often obsolete before they are published. The European Banking Authority counted more than 200 different virtual currencies in existence in 2014 and expected more to be developed every day.Footnote 7 In 2022 there were over 18,000 different cryptocurrencies available.Footnote 8 Technology continues to develop and detailed legislation would only play catch-up. Open terminology in law, based upon intention, can halt the technology race that currently exists between lawmakers and criminals.Footnote 9 Fairfield argues that good law should combine stability with room for innovation.Footnote 10 The language of law should thus encompass new technologies.Footnote 11 The most straightforward approach is to use open language without (unnecessary) detail. Open language with fewer details does, however, risk a conflict with legal certainty, the principle that the law must be sufficiently clear for its subjects to know their rights and duties. Open language does not necessarily provide that clarity. Nevertheless, it does not have to conflict with legal certainty if the practice surrounding the law is sufficiently clear.

The law on paper and the law in practice should be considered independently. Laws that seem vague can have a legal practice surrounding them that is far clearer.Footnote 12 Legal statutes can therefore be phrased rather openly if the intention of the law is clear. Consider the smuggling of drugs. The legislation covers the (intention) to pass a border with illegal substances. How the substance passes the border, whether hidden on the person’s body or within their suitcase, is irrelevant; the practice surrounding the law makes it clear that it includes all forms of drug smuggling. The question is whether the same can be said of the MLFT framework: is the intention of MLFT regulated, and does the term entity include all forms of technology?

The intention of the legal framework is quite clear, namely to prevent MLFT. As discussed in the previous chapter, money laundering is a process of moving money from the illegal economy to the legal economy, the final stage of which is the conversion of money into assets of value. To regulate the intention of money laundering therefore requires regulating the movement of value from the illegal to the legal economy. Similarly, the financing of terrorism has the intention of moving value to a terrorist group. This broad definition need not form a legal obstacle. The EU regulation implementing sanctions against specific terrorist groups is equally broad: it covers the provision of any economic advantage or economic resources, the latter being defined as any form of tangible or intangible asset or fund.Footnote 13 The term money laundering within the AMLD is equally broadly defined for criminal law purposes. The intention is therefore regulated broadly for criminal law purposes, but the framework then changes direction. The AMLD does not cover all entities offering services that can be used for money laundering; rather, it creates a list of services that fall within the scope of AMLD5. For legal certainty purposes, a list makes sense. Lists are clear, but by generating the list the AMLD has excluded risky technologies, in particular non-custodian wallets.

Recital 8 of the preamble to AMLD5 states the aim of bringing custodian wallet providers within the legal framework. It considers that placing these wallets under supervision will make it more difficult for terrorists to transfer funds into the EU.Footnote 14 The term entity, in combination with this aim, should therefore be read as any custodian entity that enables funds to be transferred into and out of its domain of supervision. Whether this entity also provides other services, such as an avatar or a virtual location, should not matter. The use of the vague term entity is therefore appropriate. Whilst the definition of entities is broadly formulated, there is an important restriction on the type of wallet that is regulated. To avoid the anonymity of transfers, AMLD5 included custodian wallet providers within the scope of the directive.Footnote 15 AMLD5 itself, however, acknowledges that this inclusion will not fully break anonymity, because transactions can occur without custodian wallet providers.Footnote 16 Leaving out non-custodian wallets forms a risk to the integrity of the Metaverse environment.

5.3 Custodian and Non-custodian Wallets

The impact assessment from the European Commission considers that the framework should cover all custodian wallets.Footnote 17 Leaving out players would drastically reduce the effect of AMLD5.Footnote 18 The Dutch legislator adds that financial institutions have a gateway function to the economy.Footnote 19 To purposefully exclude wallets would therefore be contrary to the intention of AMLD5. Nevertheless, wallets have been separated into two categories, “custodian” and “non-custodian”, and AMLD5 only places the custodian wallet under its legal framework.Footnote 20 The difference between the two depends on who safeguards the private key. A cryptocurrency account is controlled by a key pair: the public key (or an address derived from it) is where funds are sent, and the private key is the proof of ownership that signs, and thereby authorises, a transfer out of that address. The keys are somewhat comparable to the numbers involved in a bank account. The public key is the account number to which money is transferred; the private key is like the PIN needed to transfer money out. The custodian wallet acts like a bank vault that stores both the money and the PIN: if you lose access to your vault (custodian wallet), the bank can grant you access after verifying your identity.

A non-custodian wallet, by contrast, does not safeguard the private key for the user. The owner has to keep the private key themselves in order to transfer the cryptocurrency. If the user loses the key, the currency can no longer be moved: it is stuck at the address, like a vault with a single key whose contents are lost with the key. There are two types of non-custodian wallet. The first are the so-called hot wallets, which are permanently connected to the internet. The second are cold wallets, which can be disconnected and stored offline. These include hardware wallets (a dedicated device, typically connected over USB) and even old-fashioned paper wallets. To move currency to another address, a signed transaction must eventually reach the network, so some internet connection is always needed. The wallet does not hold the currency the way a physical wallet holds cash; it is the gateway to interacting with the blockchain,Footnote 21 and that interaction requires a connection. A piece of paper can store the keys, but to transact the user will need to load them into a software wallet. Similarly, a hardware wallet can be kept offline while holding the keys, but to transact it must sign a transaction that is then broadcast from a connected device.
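As an added illustration of the key-custody distinction (example code written for this edit, not part of the original chapter): a toy ledger in Go in which an address is derived from an Ed25519 public key and a transfer is accepted only if it carries a signature made with the matching private key. A non-custodial wallet signs locally; a custodian holds the customer's key and signs only for a verified customer and only from that customer's own address, which is exactly the point at which identification and monitoring duties can attach. The address scheme, the `Transfer` message format, the nonce rule and the names `Ledger`, `NonCustodialWallet` and `Custodian` are assumptions of this example, not anything in the directive or on a real chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewKey makes a fresh Ed25519 pair; only the private half can spend from the public half's address.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Address: first 20 bytes of SHA-256 over the public key (toy scheme, assumed for this example).
func Address(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:20])
}

// Transfer is the message the sender signs; the nonce prevents replay.
type Transfer struct {
	From, To      string
	Amount, Nonce uint64
}

func (t Transfer) bytes() []byte { return []byte(fmt.Sprintf("%s|%s|%d|%d", t.From, t.To, t.Amount, t.Nonce)) }

// Ledger holds balances and the public key behind each address; it never holds a private key.
type Ledger struct {
	balances map[string]uint64
	pubkeys  map[string]ed25519.PublicKey
	nonces   map[string]uint64
}

func NewLedger() *Ledger {
	return &Ledger{map[string]uint64{}, map[string]ed25519.PublicKey{}, map[string]uint64{}}
}

// Fund registers a public key and credits its address (constructed setup step).
func (l *Ledger) Fund(pub ed25519.PublicKey, amount uint64) string {
	a := Address(pub)
	l.pubkeys[a] = pub
	l.balances[a] += amount
	return a
}

func (l *Ledger) Balance(addr string) uint64 { return l.balances[addr] }

// Apply moves funds only if sig verifies under the sender's registered public key:
// whoever can produce that signature controls the funds, wherever the key is kept.
func (l *Ledger) Apply(t Transfer, sig []byte) error {
	pub, ok := l.pubkeys[t.From]
	if !ok || !ed25519.Verify(pub, t.bytes(), sig) {
		return errors.New("invalid signature: signer does not hold the sender's private key")
	}
	if t.Nonce != l.nonces[t.From] || l.balances[t.From] < t.Amount {
		return errors.New("replayed transfer or insufficient funds")
	}
	l.balances[t.From] -= t.Amount
	l.balances[t.To] += t.Amount
	l.nonces[t.From]++
	return nil
}

// NonCustodialWallet: the user keeps the private key and signs locally; nobody can see or veto it.
type NonCustodialWallet struct{ priv ed25519.PrivateKey }

func (w NonCustodialWallet) Sign(t Transfer) []byte { return ed25519.Sign(w.priv, t.bytes()) }

// Custodian keeps customers' private keys and signs on request, but only for a verified
// customer and only from that customer's own address: the gate where duties can attach.
type Custodian struct {
	keys     map[string]ed25519.PrivateKey // customer id -> key in custody
	verified map[string]bool               // customer id -> identity verified
}

func NewCustodian() *Custodian { return &Custodian{map[string]ed25519.PrivateKey{}, map[string]bool{}} }

func (c *Custodian) Sign(customer string, t Transfer) ([]byte, error) {
	priv, ok := c.keys[customer]
	if !ok || !c.verified[customer] {
		return nil, errors.New("custodian refuses: customer unknown or not verified")
	}
	if Address(priv.Public().(ed25519.PublicKey)) != t.From {
		return nil, errors.New("custodian refuses: address not held for this customer")
	}
	return ed25519.Sign(priv, t.bytes()), nil
}

func main() { // constructed demo: Alice self-custodies, Bob's key is with a custodian
	alicePub, alicePriv := NewKey()
	bobPub, bobPriv := NewKey()
	l := NewLedger()
	alice, bob := l.Fund(alicePub, 100), l.Fund(bobPub, 50)
	t1 := Transfer{alice, bob, 30, 0}
	fmt.Println("alice->bob:", l.Apply(t1, NonCustodialWallet{alicePriv}.Sign(t1))) // <nil>
	c := NewCustodian()
	c.keys["bob"] = bobPriv // key in custody, identity not yet verified
	t2 := Transfer{bob, alice, 10, 0}
	_, err := c.Sign("bob", t2)
	fmt.Println("unverified bob:", err) // refused
	c.verified["bob"] = true
	sig, _ := c.Sign("bob", t2)
	fmt.Println("bob->alice:", l.Apply(t2, sig), "alice now", l.Balance(alice)) // <nil> 80
}
```

The ledger itself is identical in both cases: it only ever sees a signature. The difference the directive draws is about who can produce that signature, and therefore who can be told to verify identity, log the request, or refuse to sign.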

For the Metaverse this division means that any wallet provided as a service, i.e. a custodian wallet, falls within the supervisory framework. An avatar or virtual room provider that offers a password-protected payment service to its customers would have to comply with AMLD5. Wallets that are offered without storing private keys would not. This division is based on the notion that a software provider cannot monitor the client’s transactions.Footnote 22 The software provider sells the wallet and is then considered disconnected from it. Whilst a restaurant can check whether the customer eats his or her vegetables, the grocery store that sells vegetables cannot verify that the customer eats the produce. The result is that non-custodian wallets have not been given any duties with regard to MLFT. Non-custodian wallets, in particular hardware wallets, are however considered much safer for the holder. Storing a piece of paper or a hardware device carries the risk of damage or loss, but a key that is never exposed to an internet-connected system cannot be stolen remotely; what remains is physical theft or loss, and the risk that the device used to sign is itself compromised.

There are two different views with regard to the regulation of non-custodian wallets. The first is that non-custodian wallets should not be regulated, on the argument that cash is also unregulated and anonymous.Footnote 23 This argument, however, is largely incorrect. Firstly, large cash transactions are generally considered suspicious and reported. Secondly, cash in the eurozone is usually acquired through a regulated bank: few people receive their wages, benefits or other income in cash, so large sums of cash are generally obtained through a bank withdrawal. When large sums of cash are spent, the transaction is considered suspicious and customer verification duties apply. Furthermore, a cash transfer, unless sent by post, requires physical proximity and is slow, unlike a transfer through virtual currency, which is fast and does not require the sender and receiver to be in the same place. It is therefore not a convincing argument to say that cash is unregulated and that there is hence no need to regulate non-custodian wallets. The second view is that non-custodian wallets cannot perform monitoring duties. This view is held more widely and is more serious than the cash argument, but it is not per se correct either, in particular when one examines the extent of the duties wallet providers actually have to perform in order to be registered.

Wallet service providers have to register with the national supervisory authority in order to provide their services. The extent of the duties required for this registration was discussed in a lower court case in the Netherlands.Footnote 24 In this case, the wallet provider was asked by the Dutch Central Bank (DNB) to complete customer verification per transaction. The judge considered that such a requirement by DNB was unlikely to comply with EU legislation, as the EU legislator had opted for a registration system rather than a licensing system.Footnote 25 In particular, the judge noted that the wallet provider had taken other measures to prevent MLFT: customer verification when the account was set up, and accepting only customers with bank accounts within the Single Euro Payments Area (SEPA).Footnote 26 The judge therefore considered it unlikely that the customer verification required by DNB was in compliance with EU law.Footnote 27 The judge did not give a final ruling on this matter, only a provisional view: the merits were not discussed in depth because the case concerned an application for preliminary relief. Nevertheless, the judge divided the duties into two categories. The first set of duties are the due diligence measures taken by the wallet provider to comply with Know Your Customer (KYC) principles at the moment of registration. The second set is the due diligence exercised when transferring into the real economy, in this case by only allowing customers to convert virtual currency into fiat currency to their own (supervised) SEPA account. DNB’s measures were aimed at per-transaction due diligence, which is a continuing monitoring process. The latter was rejected by the Dutch lower court as a duty.
To argue that the exclusion of non-custodian wallets is justified by the impossibility of monitoring therefore seems unconvincing. Rather, two questions should be asked: whether the software provider can conduct due diligence when selling the software, and whether transactions can be monitored when they are converted from or into fiat currency.

Customer verification entails that the provider of the wallet knows the customer’s identity. There are two options for customer identification upon sale. The first is physical in-store verification: the customer would have to purchase the software in a physical store and present identification upon purchase. This process could be introduced quite easily, but there is a risk if it is the only approach used. The more regulation that applies to providers, the more difficult it is for start-ups to enter the market; it may even overburden small enterprises and push them out of the market.Footnote 28 If all software providers had to operate a physical shop and customers were mandated to make their purchase in person, this would hinder competition. The burden of such regulation is therefore a good argument to limit regulation, perhaps even to abolish customer due diligence. Regulation, however, aims to protect and create a fair and safe market, and preventing the financing of crime and terrorism is an obvious example of a goal that regulation should pursue. A balance must be found between protecting the public good and allowing new or smaller actors to enter and remain in the market. To achieve such a balance, the market for financial services provision should be analysed.

Two observations can be made about the market structure. The first is that the products provided can be considered a service (in the case of custodian wallets) and a software app (in the case of non-custodian wallets). The production of apps is generally considered a competitive market, particularly because competition in app stores is fierce.Footnote 29 The main risk of regulating highly competitive markets is inappropriate and unevenly enforced regulation.Footnote 30 Regulation should therefore be limited to what is needed and be equal within the EU. The second observation concerns the risk associated with inflexible regulation.Footnote 31 Providing payment infrastructure originally depended upon the institution holding a banking permit. The permits resulted in high barriers to entryFootnote 32 and very limited competition. A requirement of physical due diligence would likewise raise high barriers for wallet providers, as shops would be needed at various locations. Competition between banks is good for consumers,Footnote 33 yet it is difficult for consumers to switch to a different bank, which reduces competition in the banking sector.Footnote 34 Switching from wallet to wallet, however, is more flexible. The relative monopoly that banks had on providing payment services through the permit system is changing. The wallet market may increase competition, but it needs dynamic and flexible regulation.Footnote 35 That would seem to provide ample reason to abandon due diligence, as it is the most burdensome duty for service providers.Footnote 36 However, the size and speed of MLFT are changing too and, as discussed earlier, virtual currencies increase the risk of MLFT. It therefore does not seem prudent to abolish due diligence. Rather, the question is whether due diligence can be done more cost-efficiently through remote verification.

The identity of an individual wishing to purchase an application can be uploaded and verified remotely. Banks have been opening payment accounts through online verification for several years. Biometric information can be reliably verified through mobile devices under various circumstances.Footnote 37 A copy of a passport combined with facial recognition could ensure the software provider knows the identity of its customer. This process will be further facilitated by the introduction of the European Digital Identity, a project currently conducted by the European Commission to facilitate digital identity verification for citizens.Footnote 38 Linking this verification process to the database of persons subject to sanctions would provide effective due diligence. Similar proposals are currently being considered by the European Central Bank. Its report on the digital euro includes a discussion of a bearer (or token-based) digital euro, and in its analysis of how such a bearer digital euro would be designed, the ECB considers the device capable of verifying the user’s identity.Footnote 39 A device (such as a mobile phone) and application able to identify the user should not be considered futuristic; it can be used now and should be incorporated within regulation. Slightly more difficult is the verification of a corporate client. The wallet provider has to establish the company’s management and ownership structure. Whilst this is somewhat more difficult, it can be done through official documents from the Chamber of Commerce (CoC) or notarised documents. Furthermore, since 2020 Member States have been implementing the Ultimate Beneficial Ownership (UBO) register, which was due to be completed on 27 March 2022 and which can be used as an aid to verify ownership structures. Some company structures have been excluded from the duty to register.
Hence the verification would likely be done through a combination of CoC, notarised and UBO documents. This demonstrates that remote due diligence is not impossible and does not require human interaction. Remote due diligence is more affordable for software developers and could break the anonymity of non-custodian wallets. Non-custodian wallets could therefore abide by the first set of rules identified by the Dutch court.

The second set of duties the judge identified applies when virtual currency is converted into fiat currency. The company in the Dutch case was considered to meet that obligation because it only accepted transactions to and from SEPA accounts registered in the customer’s own name. Non-custodian wallets could have a similar limitation, whereby the software can only conduct fiat conversions with the owner’s own SEPA account. Theoretically, this would fulfil all the duties set by the Dutch judge. Unfortunately, it is not that simple when the Metaverse is considered. The wallet in the Dutch case was used exclusively to buy and sell cryptocurrency; the function of the cryptocurrency was comparable to that of an investment portfolio. The wallets used in the Metaverse, by contrast, will be focused on payment facilitation, which requires the possibility of transacting with third parties. That possibility entails the need to monitor transactions. Transaction monitoring is a continuous process that must be conducted either by an external party (such as the original developer) or by the wallet itself. The first option is not very different from a custodian wallet. The second option is therefore more interesting, but requires a new way of thinking, namely through the concept of digital entities.

5.4 Digital Entity

The monitoring process is divided into four stages: risk identification, risk analysis, risk management and risk monitoring.Footnote 40 Various risks have been pre-identified by the FATF.Footnote 41 The risks can be categorised into two sets of criteria. The first are objective risks; in the case of wallets, these include transactions with a value of €15,000 or more.Footnote 42 Furthermore, wallets have to report transactions when they suspect these involve a form of MLFT. Such suspicions are based on subjective criteria. Subjective criteria are mostly identifiable through various reports; an example is transactions to countries with high MLFT risks, such as those identified by the Commission.Footnote 43 However, subjective criteria also include other, non-listed indicators, such as a shop where an unusually large share of transactions is conducted in cash, or a shop whose takings differ considerably from those of its competitors. The detection of suspicious transactions based on subjective risk criteria is no longer a manual process but one conducted through algorithms.Footnote 44 The algorithm can encode the rules needed to identify such risks. The hits generated by the algorithm are inspected manually and reported to the FIU. The question is whether this human intervention is needed. The algorithm could be linked directly to the FIU and report when suspicious activity occurs. This would eliminate the need for a software developer to remain involved. It may sound far-fetched to remove the human step. However, in the detection of MLFT many processes have already been replaced by technology, and manual activity in the detection of suspicious transactions is already limited.Footnote 45 To successfully set up a system in which AI replaces human intervention, two criteria must be met.

The first criterion is that the algorithm must work: it must bring forth the appropriate number of results, neither too few nor too many. Whilst algorithms do aid in the detection of MLFT, there are different views on which algorithms are (most) effective. Some argue in favour of an algorithm based on finding outliers,Footnote 46 whereby the algorithm finds transactions that are unconventional when compared with conventional payments. The opposite is also argued: an algorithm that detects MLFT on the basis of known patterns of MLFT.Footnote 47 Deciding which algorithm is most effective is not straightforward, but for such a system to work a choice must be made as to what is an acceptable level of effectiveness. This choice is made more difficult because the algorithm must also be able to detect suspicious activity involving NFTs. NFTs are a relatively new technology compared with cryptocurrencies. However, the large amount of fraudulent activity through NFTs has attracted the attention of various scholars, who have proposed strategies to detect wash trading with NFTs through algorithms.Footnote 48 Some argue that visual confirmation of the data will always be necessary.Footnote 49 This is not a particular problem, as the algorithm is used to flag a potentially illegal situation and confirmation can be left to the FIU. The second criterion for successfully linking an algorithm to the FIU is that of limiting false positives.

It is the task of the responsible financial institution to sift through the results of the algorithm and decide which transactions to report. If the algorithm’s output were linked directly to the FIU, the investigative burden would shift to the FIU. With custodian wallets, the provider investigates the hits and filters out the false positives before reporting, which limits the number of false positives reaching the FIU. Based on data from 2019, the Dutch FIU received 68,000 notifications (of unusual transactions) and classified 15,000 of them as suspicious.Footnote 50 The precision of those notifications is thus a little above 22%, which means that nearly 78% of what the FIU receives today turns out not to be suspicious. An algorithm whose flagged transactions are at least 22% truly suspicious, that is, no more than about 78% false positives among its reports, would therefore be no worse than the current reporting practice and could be accepted for direct notification to the FIU. The accuracy of recent algorithms has improved considerably. A recently developed algorithm claims 90% accuracy in detecting ML groups and 96% accuracy in identifying ML accounts.Footnote 51 Higher detection rates can be obtained, but at the cost of more false positives. The monitoring could then effectively be done by the wallet itself if it can achieve high detection rates while keeping the share of false positives below that of current practice. Whilst it is therefore technically possible to link an algorithm to the FIU, the question arises who is responsible in case of mistakes.
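To make the objective/subjective criteria and the 22% figure concrete, here is an added example (written for this edit, not taken from the chapter): a rule-based monitor in Go run over constructed transactions, then scored against labels to compute precision, the share of false positives among its reports, and recall, and compared with the precision implied by the 15,000-of-68,000 FIU figure. The `HighRisk` country codes, the “large cash leg” rule and all sample transactions are placeholders made up for the example; only the €15,000 threshold and the FIU numbers come from the text.

```go
package main

import "fmt"

// Tx is a constructed wallet transaction. Suspicious is the ground truth used
// only to score the rules; in practice it would be the FIU's later verdict.
type Tx struct {
	ID         string
	Amount     float64 // EUR equivalent
	Country    string  // counterparty jurisdiction
	Cash       bool    // funded from, or converted to, cash
	Suspicious bool
}

// Threshold is the objective criterion from the text: EUR 15,000 or more.
const Threshold = 15000.0

// HighRisk stands in for the Commission's high-risk third-country list;
// "XX" and "YY" are placeholders, not real codes from that list.
var HighRisk = map[string]bool{"XX": true, "YY": true}

// Flag returns the reasons a transaction would be escalated for review, or nil.
func Flag(t Tx) []string {
	var reasons []string
	if t.Amount >= Threshold {
		reasons = append(reasons, "objective: amount >= EUR 15,000")
	}
	if HighRisk[t.Country] {
		reasons = append(reasons, "subjective: high-risk jurisdiction")
	}
	if t.Cash && t.Amount >= Threshold/2 { // assumed rule for a large cash leg
		reasons = append(reasons, "subjective: large cash leg")
	}
	return reasons
}

// Metrics counts the outcomes of the rule set against the labels.
type Metrics struct{ TP, FP, FN, TN int }

// Precision is the share of flagged transactions that were truly suspicious;
// FalsePositiveShare is its complement. This is what the 15,000-of-68,000 FIU
// figure measures, not a false-positive rate over all transactions.
func (m Metrics) Precision() float64          { return float64(m.TP) / float64(m.TP+m.FP) }
func (m Metrics) FalsePositiveShare() float64 { return 1 - m.Precision() }
func (m Metrics) Recall() float64             { return float64(m.TP) / float64(m.TP+m.FN) }

func Evaluate(txs []Tx) Metrics {
	var m Metrics
	for _, t := range txs {
		flagged := len(Flag(t)) > 0
		switch {
		case flagged && t.Suspicious:
			m.TP++
		case flagged:
			m.FP++
		case t.Suspicious:
			m.FN++
		default:
			m.TN++
		}
	}
	return m
}

// FIUPrecision is the benchmark implied by the 2019 Dutch figures in the text.
func FIUPrecision() float64 { return 15000.0 / 68000.0 }

// MeetsBenchmark: direct reporting is no worse than today's practice if the
// monitor's flagged cases are at least as often truly suspicious as the
// notifications the FIU already receives.
func MeetsBenchmark(m Metrics) bool { return m.Precision() >= FIUPrecision() }

// Sample is constructed data, not real transactions.
func Sample() []Tx {
	return []Tx{
		{"t1", 20000, "DE", false, true},
		{"t2", 500, "DE", false, false},
		{"t3", 3000, "XX", false, true},
		{"t4", 9000, "NL", true, false},
		{"t5", 16000, "FR", false, false},
		{"t6", 14900, "BE", false, true}, // just under the objective threshold: missed
		{"t7", 200, "YY", false, false},
		{"t8", 12000, "NL", false, false},
	}
}

func main() {
	for _, t := range Sample() {
		fmt.Println(t.ID, Flag(t))
	}
	m := Evaluate(Sample())
	fmt.Printf("%+v precision=%.2f fp-share=%.2f recall=%.2f fi-benchmark=%.3f meets=%v\n",
		m, m.Precision(), m.FalsePositiveShare(), m.Recall(), FIUPrecision(), MeetsBenchmark(m))
}
```

On this constructed sample the rules flag five transactions, two of which are truly suspicious, so precision is 0.40 and the false-positive share 0.60: better than the 0.22 benchmark, yet one suspicious transaction just below the threshold (`t6`) is missed entirely. The benchmark in the text bounds precision only; it says nothing about such misses, which is why a choice on acceptable recall still has to be made separately.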

You cannot make an omelette without breaking eggs. Similarly, you cannot run an algorithm without encountering biases. Using an algorithm to monitor suspicious transactions entails the potential for biases and thus claims for damages. The question is who is responsible and liable for the damages? The algorithm? The following paragraphs argue that it is possible to consider algorithms as digital entities. And hold the digital entity responsible for the potential damages.

The term ‘entity’, mentioned before, is broadly formulated and would likely include any service provider that facilitates wallets, whether or not this is the provider’s main focus. However, when the monitoring process is disconnected from the software provider and placed with the algorithm, it is the algorithm that has to comply with the law. If the algorithm complies with the legal requirements, it can be connected to the FIU; if it does not, it cannot be connected to the FIU and should be considered inappropriate for use on the EU market. The term ‘entity’ is broad, but it is not particularly aimed at a piece of software based primarily upon an algorithm. Thinking about algorithms or code as subject to law, or as part of the legal framework, is not new, however. Software can determine what actions are or are not allowed in a certain setting.Footnote 52 Though regulators increasingly rely on code to execute law, there are some difficulties with this approach.

The first obstacle is the rigidity of regulation.Footnote 53 Rules in code are inflexible and stringent, rather than decisions made on a case-by-case basis. The flip side is that algorithms can detect a suspicious transaction before it is executed and can prevent it, or at the very least warn the user.Footnote 54 Theoretically, a transaction could be prevented from occurring if it is too suspicious. Such an approach would solve the problem of the finality of transactions, namely that transactions conducted over a blockchain are difficult or near impossible to reverse. However, it would also make it difficult to conduct legitimate transactions that are deemed suspicious. Theoretically, such transactions could be prohibited unless prior permission is given by a certified institution (e.g. a notary), yet this would be costly and time-consuming. The second issue with reliance upon algorithms is that they can be discriminatory.Footnote 55

The algorithm is programmed by humans and can have human flaws written into it. Furthermore, such bias can be perpetuated and reinforced by the algorithm.Footnote 56 Depending on the consequences, these biases can have a large impact on users.Footnote 57 It should be noted that the problem of bias occurs with human supervision as well; in that case, however, the (legal) person is liable for the damages. The supervising entities using the algorithm are then responsible for being able to explain the decision, thus preventing a black box.Footnote 58 Liability for biases or other causes of damage with an independent algorithm is not necessarily clear. Some argue the developer is responsible for any damage that occurs, so that the software itself would not need a liability framework.Footnote 59 Others argue that a legal framework not adapted to the use of algorithm-based software as legal subjects risks the formation of accountability gaps.Footnote 60 Such accountability gaps are highly likely with regard to non-custodian wallets.

In the case of non-custodian wallets in particular, this raises questions such as who (or what) is responsible for biases, or who is responsible for ensuring a consistent level of effectiveness over time. These questions are difficult to answer. The algorithm used for the wallets can take two shapes: a static set of coded rules that does not adjust itself, and a self-learning algorithm. The simple algorithm is the one used most often. It consists of code and data placed into the algorithm by the user, see Fig. 5.1.

Fig. 5.1 Simple algorithm. Flow diagram of the non-custodian wallet algorithm: FIU feedback, the UBO register, code design, data and the Commission country database are fed into an algorithm to produce the result. The algorithm box reads: input + rule = result + rule update.

In case of damages, the easy solution is to hold the user of the algorithm responsible. Generally speaking, this is based upon the concept of a “right to an explanation”, whereby the developer or user has to be able to explain how the algorithm reaches a decision.Footnote 61 A right of this kind is found in several national jurisdictions. In France it is codified as a right to explanation in the Digital Republic Act.Footnote 62 In the Netherlands a similar right has been formulated by the Council of State in order to emphasise equality of arms between the parties.Footnote 63 The responsibility for the explanation would thus rest with the FIU. Whilst technically possible, this would increase the burden on the FIU. Furthermore, a simple algorithm would have difficulty maintaining a high level of accuracy over time, and the amount of updating required would force a more active role on the developer, thereby creating a hybrid form of wallet in which the transactions are not monitored but the algorithm is. This duty might be difficult for small developers. The more effective alternative is a complex algorithm that is connected to (risk) databases and is self-learning. In particular, the algorithm is also provided with feedback from (un)successful cases of MLFT and with updates to the subjective risk catalogues. The algorithm then relies on its code, which comes from the developer, on the variously identified criteria, and on feedback from the supervisor (see Fig. 5.2).

Fig. 5.2 Non-custodian wallet algorithm. A flow diagram of the non-custodian wallet algorithm: FIU feedback, the UBO register, code design, data and the Commission country database are fed into an algorithm to produce the result. The algorithm is labelled: input + rule = result + rule

The self-learning algorithm is the most efficient as risk factors can be updated automatically, increasing its efficiency through a feedback loop whereby the algorithm is provided with feedback on which cases involved MLFT. This makes the algorithm more efficient but also creates legal complexity. For example, the algorithm mentioned earlier that claims a 90–96% accuracy rate is based on clustering technology.Footnote 64 Clustering is a technology whereby the algorithm learns unsupervised. Unsupervised learning means that the algorithm can learn from unlabeled data sets, thereby reducing the need for human intervention. Whilst this technology increases the algorithm’s efficiency and reduces intervention, it creates a conundrum. The reduction of human intervention makes it difficult for a human to understand why the algorithm has reached an outcome. In particular, a developer will have little influence over or knowledge of the feedback the algorithm receives from the FIU. Thus it is difficult to hold the developer or user accountable for a decision made without the explicit understanding and consent of the developer.Footnote 65 Other suggested solutions, such as reprogramming the algorithm in case of malfunctioning, may not be efficient either. Without understanding why the algorithm fails it is difficult to predict whether reprogramming is the solution.Footnote 66 Additionally, when considering that in case of bias the solution is reprogramming, one effectively creates a legal responsibility upon the algorithm. The algorithm either must be reprogrammed or be rendered non-compliant with the legal framework. The notion of holding the algorithm responsible would be a solution to the debate on accountability. A piece of software, however, cannot simply be classified as a biological being or a company.Footnote 67 The EU Parliament therefore recommended that AI should be given a new classification specific to its digital identity.Footnote 68

Such a new classification, however, raises various questions about the legal framework.Footnote 69 To distil the legal framework it is necessary to distinguish between two different categories of AI. The first is one whereby the algorithm is a tool used by humans to extend their abilities. Such a classification generates fewer legal complexities as it is the human who is using the tool and is thus responsible. The second classification is when AI replaces human performance. This type of AI requires a more comprehensive set of rights and duties.Footnote 70 The algorithm used in non-custodian wallets would fall under both categories. It takes over from humans in MLFT detection. However, the investigation and the final decision to prosecute remain with the FIU. The use of AI to take over part of the human process is an argument for a comprehensive legal identity, some argue even beyond that of normal humans.Footnote 71 Treating the non-custodian wallet as a separate entity offers some opportunities, thereby raising the question of what legal personality should be granted.

5.5 Classification of Digital Personality

The approach to awarding full legal personality entails the award of potential liability to the algorithm. In order to compensate for potential damages the algorithm would need resources. This could be achieved either through a minimum level of funds in a bank account or through insurance.Footnote 72 This approach theoretically works in the case of a self-driving vehicle. For example, a self-driving bus service could pay for such insurance automatically through the passenger fees. Each time a passenger uses the service a percentage of their ticket could automatically flow to the insurance company. This type of system would not require a connection between the producer and the intelligent machine after creation. The question is whether this would work with non-custodian wallets. In order for such a system to work the non-custodian wallet would have to generate an income whereby (part of) the revenues automatically flow to an insurance company. These revenues could be made through transaction fees or paid advertisements. In case of contested liability, legal representation could occur through the insurance company. The algorithm would have a full legal personality but would be represented through its insurer. Though a full legal personality would solve various issues, it does not fit within the legal framework.

Full legal personality can be based upon either natural persons or legal persons. Both of these personalities are based upon either rational persons or a company represented by rational and responsive directors. The main argument against basing legal personhood on natural personhood is that the AI would hold human rights.Footnote 73 This argument is, however, not true. The holding of human rights is often limited to what we consider “full humans”. In the course of history slaves, women and minorities have not held (all) human rights. Nevertheless, we associate natural persons with the ideas of humans and humanity.Footnote 74 AI is not a human and is not directly comparable with natural persons. Even though the rights associated with being a person can be limited, the rationale is off. The next option for a full legal personality is that of legal personhood, the type of personality given to companies. The legal person would then be the AI, which is represented through its directors. In this case that would be either the developer or the supervisor. In case of a dispute between the insurance company and the algorithm, the developer or supervisor will be considered the addressee. In case of a dispute over pricing with the insurer, the wallet will have to be represented by its developer. Though this type of personality fits better than the figure of natural personhood, it is not exactly right either. The director(s) of a firm are considered to act on behalf of the firm and to have control over the firm. Neither the supervisor nor the developer has full control over the algorithm’s decision-making. To award full legal personality to the algorithm is therefore a bridge too far. One answer might therefore be to consider the wallet and its algorithm subject to a set of limited rights and rules.Footnote 75 One such approach involves examining the non-custodian wallet through the principal-agency theory.

To construct a form of semi-legal personality the principal-agency theory can be applied,Footnote 76 whereby the algorithmic entity, in this case the non-custodian wallet, is considered the agent that is given its mandate through coding. The agent has a set of duties and is considered separate from but attached to the principal. This theory, applied to the non-custodian wallet, offers various opportunities for supervision. The algorithm can be considered subject to quality standards. The developer can be held liable for the malfunctioning of the algorithm due to wrongful programming. Providing such a legal personality would furthermore enable the agents to cooperate with each other.Footnote 77 Whilst this creates a situation whereby there is some separation between the creation phase and the monitoring phase, there are some issues. As mentioned earlier, it is not always easy to spot why an algorithm has malfunctioned, nor is it always a fault within the programming. The principal-agent theory furthermore assumes an agent capable of human aspects, such as moral awareness and free will.Footnote 78 The framework furthermore relies upon two parties. The first is the principal who provides the instructions and the second is the agent who executes these instructions. The algorithm within the non-custodian wallet would, however, receive input from both the developer and the supervisor. The principal-agent theory is therefore not suitable as a legal framework for non-custodian wallets. There are ways other than principal-agent theory to regulate algorithmic entities. An interesting take upon partial legal personality is that of the German Teilrechtsfähigkeit.

The “Teilrechtsfähigkeit” approach is one whereby a person or entity only has a partial legal personality.Footnote 79 The rights and duties are granted based upon a functional approach, whereby those rights and duties that are needed are awarded.Footnote 80 In this case, the non-custodial wallet would be given the duty to be based upon a supervisor-approved algorithm, with the right and duty to take out insurance against damage claims. The wallet would have a form of civil law responsibility and, if so desired, could have criminal liability too. The wallet software could be given fines in case of malfunction. The question, however, is whether this is desirable when the wallet does not intend to malfunction and its instructions are based upon input from other legal entities. The free will upon which our criminal justice system is based is not present within algorithms. Criminal liability is therefore not a duty to be placed upon AI. Private liability for damages, on the other hand, can be partially awarded to an algorithm. Damages under private law can have two motives. Compensatory damages aim to compensate a victim and punitive damages aim to punish the wrongdoer. The AI should be awarded the duty to pay compensatory damages, but not punitive damages. Punitive damages are a civil law form of punishment and should not be awarded as the AI lacks free will. The content of the duties and responsibilities should be set by law. These duties and rights would need to allow for the creation of a non-custodian wallet that can be supervised, whereby the duties mirror those of the custodian supervisors.

The difficulty of removing human interaction is the right to an explanation, whereby third parties have a right to know why their transaction is considered suspicious. This right was mentioned earlier in relation to simple algorithms. Simple algorithms can be explained by the user, and the user is generally responsible for publishing the data that was entered into the algorithm and the decisions that were made.Footnote 81 The complex algorithms that would be used for non-custodian wallets would not be easy to explain, in particular because there is not one party that inserts the data or understands the algorithm after it has started self-learning. The algorithm would therefore have to be able to explain itself. This type of system is difficult to generate but it is not impossible. A new generation of algorithms is being developed. This type of algorithm is XAI, whereby the algorithm is programmed to develop and consider constitutional values.Footnote 82 Strides are being made towards human-understandable explanations from algorithms,Footnote 83 thus increasing the possibility of an algorithm that can fulfil the duty of explaining its decision-making. The concept of a ‘black box’ is real, but increasingly algorithms can avoid creating an impenetrable system. The right to an explanation should furthermore not be confused with the right to a simple explanation. A local court in the Netherlands therefore stated that the right to an explanation included that the defence or an expert could inspect the data.Footnote 84 The continued development of AI and its increased complexity may require experts to interpret and explain the data and coding.Footnote 85 Furthermore, the risk of avoiding the supervisory framework is also real. Not only criminals will try to avoid supervision. Avoiding customer identification will form an easier and less costly process for customers. Considering the speed and ease of transferring currency through the Metaverse, it would be unwise to leave a category of wallets unregulated. Creating legislation that focuses on digital entities would be the most resilient. The concept of what constitutes different entities is flexible and hence can adapt as technology advances.

By regulating non-custodian wallets through their algorithms, monitoring is increased. The additional legislation reduces the potential for money laundering, but it risks pushing smaller providers out of the market through the increased regulation. The resulting limited supply might generate fewer choices for consumers, thus preventing optimal development of the market. To avoid such a situation from occurring, a third category should be added to the regulatory framework. In addition to the custodian wallet and the non-custodian wallet with a monitoring algorithm, the law should identify the supervised anonymous wallet (SA-wallet). The SA-wallet could be constructed using similar legislation as is currently used for anonymous general-purpose prepaid cards. The AMLD5 considers that whilst these cards have their use, they are highly vulnerable to MLFT. General-purpose cards with a non-EU origin are only accepted when they abide by an MLFT framework with similar standards to those of the EU.Footnote 86 It is therefore recommended to place limits upon anonymous wallets. The incorporation of anonymous wallets into the legal framework, however, does require supervision. The supervisor would be responsible for assessing the wallet’s limits and adding them to their list of supervised entities.

This approach would enable an exhaustive supervisory framework that allows various wallet structures to exist with supervision. Nevertheless, the EU can only generate such a framework for those wallets offering services from or within the EU jurisdiction. The problem is that consumers can quite easily use wallets from outside the EU jurisdiction. To limit the use of unsupervised wallets the EU can use the Internet of Things.

5.6 Jurisdiction on Transactions Made to Third-Countries

The Metaverse will incorporate a wide array of wallets which will be located in various jurisdictions. These transactions can increase international trade and competition. The ease by which wallets from various jurisdictions can be used, however, also carries the risk of rule avoidance. As discussed in Sect. 4.4.2 this can occur through forum-shopping by providers choosing low-regulated jurisdictions, or by avoiding choosing a jurisdiction altogether and operating in full anonymity.

Currently, the AMLD5 approaches this issue by applying the legislation to those offering their services from or in the EU. This system aims to regulate the wallets within the EU and thereby the currencies flowing in and out of the EU. This system is theoretically sound but practically generates two risks. The first risk is the broad definition of offering services to the various Member States. There are some guidelines to determine whether a service is offered within the Member States.Footnote 87 These guidelines are wide and open to discussion. In particular, in Member States where English is widely, but not officially, spoken, a piece of software can be used without it being officially offered in the state. It is important to consider, therefore, that a wallet can be easily accessed and installed globally even when not specifically offered to a certain market. Therefore the EU system will not be able to regulate all wallets accessible within the internal market. Secondly, such an approach does not address how to treat a transaction between regulated wallets and those whose jurisdiction cannot be established. When transferring funds to another bank account the jurisdiction is established through the physical location of the bank. This is often identified through the bank account’s International Bank Account Number (IBAN). Whilst there are several such numbering schemes used internationally, the identification of the bank and the jurisdiction is relatively easy. Software wallets are not required to carry jurisdiction identification numbers, thus raising the question of how to regulate transactions to such wallets. The combination of accessibility and un-identifiability creates serious holes in the current legislative approach. These gaps can be mitigated if wallets are considered as things within the Internet of Things.

The IoT refers to a system of objects that can be physical, virtual or hybrid which can communicate with each other to facilitate various system functions.Footnote 88 The entities within the IoT network can communicate with and receive data from each other. The communication between entities allows for impact assessment of transactions. It can provide assistance in preventing MLFT and in consumer protection to an extent that is yet to be explored in the financial system. To avoid risky transactions the wallet of the sender would need to be able to establish to whom the receiving wallet belongs, where that person is physically located and under what jurisdiction the wallet is regulated. This can be implemented to warn consumers when there is a likelihood of a scam. For example, a Somali pirate (wallet A) tries to induce a consumer (wallet B) to transfer money by pretending to be a relative.Footnote 89 Wallet A sends a transaction request to wallet B. In response to receiving this request, wallet B asks for further details such as location. Wallet A can verify its own location through the device’s GPS or a specific app that works as a tracker. The entity (Wallet A) then transmits this data to Wallet B. Wallet B, upon receiving the information that Wallet A is accessed from Somalia (or has no location), considers that the transaction is suspicious and warns its owner not to engage in the transaction. A second form of implementation is to avoid transactions between high- and low-regulated jurisdictions. For example, a wallet supervised by the Dutch supervisor could engage in a transaction with a wallet supervised by the French supervisor but not with a non-supervised or poorly supervised wallet. The technology to facilitate such communications and transactions is available.Footnote 90 This type of communication is not only possible but already occurs between other things communicating via the internet. The strategy on how to regulate such wallets can therefore be mirrored upon the Internet of Things (IoT). The question is how to regulate the wallets as part of the IoT.

The IoT is not extensively regulated in the EU. In 2009 the Commission identified 14 points of action.Footnote 91 Despite this early communication, legislative action has been limited. In 2018 a Directive was published that included the IoT; the Directive concerned the use and allocation of radio communication.Footnote 92 More recently, in 2021, the IoT was mentioned once on the EU’s strategic research agenda.Footnote 93 In 2022 the Commission published its sectoral report on the IoT, which focused on various aspects, in particular competition.Footnote 94 The EU approach on how to regulate the entities, however, is not yet defined. There are several possible approaches to regulating the IoT. The first is that of anarchy.

The anarchist approach favours bottom-up regulation. The regulation would ideally, according to anarchism, form organically through network cooperation.Footnote 95 Wachhaus describes that the IoT will take shape in different networks which are hard to detect by a central institution.Footnote 96 His vision is that the networks will be able to organize themselves through clear communication and common goals.Footnote 97 Using his approach, successfully implementing an anarchistic approach to governance and regulation thus requires communication and common goals. When considering the entities that can be used for payment in the Metaverse, these can likely communicate very clearly. The entities are designed to be able to communicate and transact with each other. Furthermore, there appears to be a common goal, namely to conduct efficient global transactions. This creates a theoretically strong argument to use an anarchist approach to regulate digital payment entities. Prima facie this regulatory approach seems to be supported by economic theory. Coase argued that under certain circumstances the ideal outcome concerning externalities will be reached without relying on government intervention.Footnote 98 His theory takes the example of pollution and a factory, but more scenarios may apply. In the case of wallets, the negative externality would be the increased risk of MLFT through the avoidance of regulation. The latter is indicated by the tendency of various financial institutes to locate in low-tax and low-regulatory jurisdictions.Footnote 99 Whilst consumer users will wish for a safe system, firms may focus on efficient and low-cost systems. The ideal outcome would be a system that is regulated and monitored to prevent MLFT from occurring. For the anarchist approach to work, the networks have to be able to regulate themselves. According to Coase, this would be possible when the transaction costs are negligible. Theoretically, these costs are low as communication between digital entities is cheap and easy. As the earlier example of a potential Somali pirate demonstrates, the wallets can communicate with ease. The information provided to the consumer can then help the consumer in estimating the risks and acting accordingly. In theory, the consumer would reject any risky transactions and only transact with (well-)regulated wallets. In theory, therefore, those with savoury intentions would opt to use well-regulated wallets. The theory, however, is unlikely to meet reality.

The reality is that communication between digital entities will likely be strong. This, however, does not mean a user has all the needed information. If we assume that a user wishes to install a safe software wallet, the user requires knowledge of what level of regulation and safety checks apply to the wallets. This means the customer will have to research the regulatory framework applicable to its own wallet. Furthermore, any well-regulated wallet will require customer verification, thus increasing the effort needed from the consumer in order to use the software. When transacting, the user will receive communication from the other party’s wallet. The information, however, may include what regulatory framework is applicable to the software but not how strong the regulatory framework is. The user will then have to research whether it considers this regulatory framework safe. The need to research the regulatory framework indicates an information asymmetry between the parties. The user is thereby forced to either accept the risk or spend resources researching the system. The transaction costs of Coase’s theorem are therefore not negligible. This is even more so if the options for the consumer are few. The result would be for the consumer either not to conduct the transaction or to accept the risk. If the consumer chooses to accept the risks, the consequent externality is that of a higher MLFT risk. The tendency of businesses to locate in less regulated jurisdictions therefore decreases the chances of a successful governance system based on anarchism. The unregulated economy would then outgrow the regulated economy, whilst the opposite is intended. Coase’s theorem furthermore included the use of government-regulated systems when needed.Footnote 100 The current EU approach, whereby the EU regulates the EU territory as a single public body, does not seem to work either. A middle ground should be introduced. Weber introduces an approach based on regulation through multiple stakeholders.

The proposal made by Weber is to approach the IoT through a ‘multi-stakeholder in governance’.Footnote 101 In this approach, there are multiple regulatory entities which are decentralized and consider the needs of all stakeholders.Footnote 102 This approach can largely be identified in the current AML framework, whereby the rules are harmonized at the EU level. Nevertheless, various entities contribute to the governance and implementation of these rules. These entities include national supervisors and supranational bodies such as the FATF and the Commission, who identify specific risks. With regard to the Metaverse, the multi-stakeholder approach seems the most inclusive and efficient. The national supervisors can collaborate to create a European virtual compliance certificate, thus replacing the current registration in all Member States with a virtual European Passport (as is customary for other financial service providers). To maximize efficiency, however, stakeholder selection would need to include private parties such as reality and wallet providers.

The stakeholders that could be allowed a seat at the table in this network approach are the large Metaverse reality providers. It is not unlikely that some Metaverse realities will be more popular than others. The realities that operate with large volumes of transactions and/or users should be allowed a voice in this network. They can contribute to the risk identification assessments and even be allowed to apply for supervisory status. Let us consider an example whereby a Metaverse reality consists of a large international shopping street with various traders from different jurisdictions. This Metaverse reality could function as a universally accessible shopping street like the Dutch P.C. Hooftstraat or the French Champs-Élysées. The primary difference is that the shops are not registered in a single jurisdiction, nor is their jurisdiction clear due to the lack of a physical location. A virtual customer could purchase a high-priced item through various anonymous wallets. The cash equivalent of the transaction would have to be reported by the shop owner. In the Metaverse such reporting duties will often be unclear. The virtual reality provider could in such cases act as the monitoring entity to which suspicious transactions have to be reported. The reality provider could operate as a liaison with the national supervisor. Furthermore, the reality provider could be awarded supervisory duties to ensure unregulated wallets cannot engage with its environment. Engaging with private parties would enable the regulators to identify which environments are deemed ‘safe’. The supervisor could in response provide a digital certificate confirming that the environment complies with the safety standards of the EU. A similar approach could be used towards wallet providers.

The Commission has identified countries with high MLFT risks. Wallets regulated under these jurisdictions should thus be considered risky. The consequence, however, is that wallet providers in these jurisdictions have less opportunity to compete with highly regulated jurisdictions, thus excluding them from the virtual market. This exclusion can be accepted, but it does not seem fair. The EU could design an opt-in strategy whereby these providers can opt into the EU’s regulatory framework. The most logical opt-in supervisor would be the newly proposed EU AML Supervisory Authority.Footnote 103 This authority will be responsible for AML supervision at the EU level. The potential disadvantage is a high number of individual providers who would wish to register, particularly when individual parties wish to opt in. Instead, the EU could work with a system whereby it delegates that responsibility and allows private parties to provide such certification. The EU AML Authority would then strictly supervise the private parties providing the certificates. Whilst the governance approach is generally laudable, there are two difficulties with this approach.

The multi-stakeholder approach requires a new way of thinking about regulation.Footnote 104 In particular, the network approach is ahead of the law. The law has not yet caught up with the network approach.Footnote 105 For this system to be successful the law has to assign clear responsibilities to the parties involved. Governance within the current EU Economic and Monetary Union (EMU) functions under the threat of the law,Footnote 106 thus ensuring that parties are obliged to take their task seriously or risk judicial sanctions.Footnote 107 Judicial sanctions, however, require a clear assignment of obligations. To regulate the network governance, the law will have to provide clear standards and potential liabilities and/or punishments if these standards are not met.Footnote 108 These standards in combination with serious actors could monitor and regulate the Metaverse economy. The standards, however, need developing. The second difficulty is the question of whether consumers should be prevented from transacting with unregulated wallets, thus creating the distinction between wallets that are registered with a supervisor and those that are not. To promote the use of supervised wallets, the law could require registered wallets to allow the execution of transactions only with other registered wallets. This rule would be written into the software coding of the wallet in order for it to be registered with a supervisor. De facto this creates a closed economy only accessible through supervised entities. The non-registered wallets could either opt to be registered or operate outside the EU only. As these wallets could still be downloaded, though their use could be prohibited, it risks creating two payment systems.
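The wallet-to-wallet exchange described in Sect. 5.5 (the receiving wallet asking the counterparty for its location and supervisor before its owner responds) and the registered-only rule described above, as an added Python model that is not code from the chapter; the supervisor register, the high-risk country list, the message shapes and all wallet identifiers are constructed placeholders:

```python
"""Added example, not code from the chapter: a small model of the pre-transaction
exchange between two wallets sketched in Sect. 5.5 and of the registered-only
rule of Sect. 5.6. The supervisor register, the high-risk list, the message
shapes and all wallet identifiers are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    ALLOW = "allow"  # supervised counterparty with a consistent attestation: execute
    WARN = "warn"    # disclose the risk; proceed only on explicit opt-in consent
    BLOCK = "block"  # registered-only rule: refuse an unsupervised counterparty


# Constructed stand-in for a supervisor register: supervisor id -> jurisdiction.
SUPERVISOR_REGISTRY = {
    "NL-SUP": "NL",
    "FR-SUP": "FR",
    "EU-OPTIN-CERT": "EU",  # hypothetical opt-in certificate for non-EU providers
}
# Constructed stand-in for a high-risk third-country list (not the Commission's list).
HIGH_RISK_COUNTRIES = {"SO"}


@dataclass(frozen=True)
class TransactionRequest:  # wallet A -> wallet B
    from_wallet: str
    amount: int  # in the smallest unit of the currency
    currency: str


@dataclass(frozen=True)
class DetailsRequest:  # wallet B -> wallet A
    fields: tuple[str, ...]


@dataclass(frozen=True)
class CounterpartyDetails:  # wallet A -> wallet B
    wallet_id: str
    location: Optional[str]  # ISO country from the device's GPS; None if unavailable
    supervisor_id: Optional[str]  # None for an unsupervised wallet


def assess_counterparty(details: CounterpartyDetails, registered_only: bool) -> tuple[Decision, str]:
    """Policy the receiving wallet applies to the counterparty's attestation."""
    jurisdiction = SUPERVISOR_REGISTRY.get(details.supervisor_id or "")
    if jurisdiction is None:
        if registered_only:
            return Decision.BLOCK, "counterparty is not registered with a recognised supervisor"
        return Decision.WARN, "counterparty wallet is unsupervised"
    if details.location is None:
        return Decision.WARN, "counterparty could not attest a location"
    if details.location in HIGH_RISK_COUNTRIES:
        return Decision.WARN, f"counterparty is accessed from high-risk jurisdiction {details.location}"
    return Decision.ALLOW, f"counterparty supervised by {details.supervisor_id} ({jurisdiction})"


@dataclass
class Wallet:
    wallet_id: str
    location: Optional[str]
    supervisor_id: Optional[str]
    registered_only: bool = False
    # Owner prompt used on WARN; must return True only on explicit opt-in consent.
    consent: Callable[[str], bool] = lambda reason: False

    def answer_details(self, req: DetailsRequest) -> CounterpartyDetails:
        """Reply with only the requested fields; anything not requested is omitted."""
        return CounterpartyDetails(
            wallet_id=self.wallet_id,
            location=self.location if "location" in req.fields else None,
            supervisor_id=self.supervisor_id if "supervisor" in req.fields else None,
        )

    def receive_request(self, req: TransactionRequest, sender: Wallet) -> tuple[Decision, bool, str]:
        """Run the exchange and return (policy decision, whether it proceeds, reason)."""
        answer = sender.answer_details(DetailsRequest(("location", "supervisor")))
        decision, reason = assess_counterparty(answer, self.registered_only)
        if decision is Decision.ALLOW:
            return decision, True, reason
        if decision is Decision.BLOCK:
            return decision, False, reason
        return decision, self.consent(reason), reason


if __name__ == "__main__":
    # The chapter's scenario: an unsupervised wallet accessed from Somalia asks a
    # Dutch-supervised consumer wallet for money while posing as a relative.
    consumer = Wallet("wallet-B", "NL", "NL-SUP")
    stranger = Wallet("wallet-A", "SO", None)
    print(consumer.receive_request(TransactionRequest("wallet-A", 50000, "EUR"), stranger))
```

Setting `registered_only=True` on the consumer wallet turns the warning into a refusal, which is the closed-economy behaviour the registered-only rule would require of a supervised wallet.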

Creating two economies is not ideal. Nevertheless, there is currently already a system of two economies in place due to the differentiation of custodian and non-custodian wallets. Furthermore, by creating a fully regulated system consumers can enjoy the protection of regulation. The question is whether consumers should be mandated to use the system. If there is no legal obligation for consumers to use the regulated system, they should do so voluntarily. For consumers to use the regulated system they will have to judge using the regulated system as more valuable than the unregulated system. There are various arguments to consider that the consumer would opt for the regulated wallet. The first argument resides in the moral judgement of the consumer. There are different shades of grey when considering the informal economy. A consumer will have a different moral attitude towards human trafficking than towards informal labour.Footnote 109 If the regulated wallet is trusted to prevent MLFT, this would nudge the consumer towards its use. Similar observations can be made with regard to fair trade labels. Consumers are willing to purchase and consume responsibly.Footnote 110 Nevertheless, there is also evidence that this depends on the personal values of the consumer.Footnote 111 The use of ethical purchasing is therefore not a guarantee of success. Additionally, consumers do not always purchase ethically despite their intentions. This phenomenon is called the ‘intention-behaviour gap’; behavioural economists are currently unsure as to why this phenomenon takes place.Footnote 112 Hence nudging based on ethical considerations may not be effective enough. Stronger regulation by excluding non-regulated wallets is therefore required.

The second argument that registered wallets would generate more consumption, however, is trust. Consumers may trust regulated technology more than non-regulated technology. The higher level of consumer protection would therefore assist in pushing the non-regulated wallets into decline. There is, however, the argument here that cryptocurrencies were invented to avoid regulated institutions, thus reducing the likelihood that consumers will prefer to use a regulated wallet. Nevertheless, there is good reason to believe consumers will not opt for safety, in particular when the risk of fraud or MLFT is wrongly estimated. Based on privacy and car insurance, Bailey considers that this underestimation of risks also applies to consumers’ perception of the IoT.Footnote 113 Consumers overestimate their control over their own driving behaviour and subsequently underestimate the risk of sharing their monitored driving information.Footnote 114 Considering the wrongful estimation of risks, there is a strong argument to protect the consumer from harm. Additionally, Bailey continues by indicating that consumers prefer a purchase today over higher future costs. Privacy concerns in the future are thereby estimated as a lower concern than the use of technology today. In particular with the IoT, the negative consequences are not certain.Footnote 115 One solution to these issues according to Bailey is mandatory disclosure.Footnote 116 Disclosure of the risky transaction through the wallets is possible before the transaction is executed. Nevertheless, this disclosure does not work to reduce consumers’ optimism.Footnote 117 The second legal solution is requiring explicit consent to the risk from the consumer. This is the so-called opt-in system rather than opt-out,Footnote 118 whereby a consumer has to specifically agree to take a certain risk. The explicit consent would be integrated into the wallet system. The consumer will have to confirm that it wishes to make the transaction after receiving the information from the counterparty’s device. Nevertheless, it is questionable whether this system is secure enough to prevent MLFT. Consumers will remain overly optimistic and likely to make a purchase. Bailey considers that limiting the consumers’ options through legislation would be heavy-handed. It would reduce rational consumers’ choices and would prevent consumers from learning from their mistakes.Footnote 119 Whilst these arguments are potentially correct with regard to privacy issues, they are less appropriate in the case of MLFT. The outcomes of a violation of the consumer’s privacy would be harmful to the consumer involved. However, MLFT carries externalities beyond that of the individual consumer. Furthermore, violence is often associated with gun and drug sales but not with the financial system that facilitated the MLFT.

The third nudging option is for governments to promote the use of regulated wallets through their own adoption: governments transact only through regulated virtual wallets and mandate businesses located within their jurisdiction to do the same. If businesses and government use regulated wallets, consumers are in effect forced into using them too. Whilst technically possible, this risks the same issue as noted above with the current regulatory approach: governments can influence businesses on their territory, but global trade provides ample opportunity for consumers to purchase products from or through less regulated jurisdictions. Such an approach is therefore not a likely solution. The fourth option is to nudge consumers into using a regulated wallet through criminal law. Rather than directly prohibiting non-regulated wallets, the government could deem any transaction through such a wallet suspicious, leaving the consumer to prove that the transaction was not. This solution comes close to prohibiting non-regulated wallets and is not perfect either, in particular because it would place a huge burden upon the FIU and the criminal justice system. The more effective option is therefore to prohibit the use of unsupervised software wallets. This creates a legal framework that is largely regulated, though avoiding regulation is nearly always possible. It does not solve the second issue associated with the Metaverse and placement, namely smurfing through smart contracts.

5.7 Smart Contracts

The previous paragraphs have discussed the reduction of anonymity when placing funds into the Metaverse. Whilst anonymity is the largest risk associated with the placement phase, it is not the only one. Another important issue is the existence of smart contracts that can be built into the Metaverse. Smart contracts are programs that execute an agreement automatically without the need for intermediaries. A basic analogy is a vending machine: you pay €2,00 and the machine gives you the beverage (and change if needed), fully automatically and without a sales agent being present. A smart contract is deployed on a blockchain and written in a programming language designed for the purpose, such as Solidity; the surrounding tooling for writing, testing and deploying contracts is frequently written in JavaScript. After writing (and testing) a contract, it is compiled and deployed to the blockchain through a transaction sent from a wallet, and other wallets can then interact with it. Smart contracts can be used within the Metaverse if they compile to EVM bytecode, the execution format of the Ethereum Virtual Machine, which is supported by Ethereum and the many blockchains compatible with it and is currently the largest smart contract ecosystem. It is therefore a reasonable assumption that smart contracts will be used in the Metaverse. Whilst the use of smart contracts is still limited, they can facilitate and improve the efficiency of trade. Despite their advantages, smart contracts can also reduce the effort needed to commit financial crimes. They pose two different risks. The first is smart contracts that facilitate crimes; the second is smart contracts that are themselves used to commit a crime.

The first category consists of smart contracts that offer payment in return for criminal activity. Such contracts can include the sale of trade secrets or the promise of payment for a murder. The smart contract can arrange criminal activity without trust. A normal contract requires the parties to trust each other: if a person pays for a terrorist attack to take place and the other party does not carry it out, the person paying cannot go to court, because a judge would likely convict the claimant for financing terrorism.Footnote 120 Within the world of criminal smart contracts (CSC), trust is no longer necessary. Instead, the CSC is negotiated and, once accepted, placed upon the blockchain, where it cannot be altered. The CSC executes payment automatically when it is informed that the event has taken place: once it receives confirmation that the crime has been committed, it sends payment to the agreed executor. The automatic payment removes the need to trust the opposing party. Such CSCs are technically feasible and a realistic threat.Footnote 121 The difficulty at present is connecting the smart contract to a trusted external source that informs the CSC that the event has taken place. A smart contract that promises payment in return for terrorist activity would look as demonstrated in Fig. 5.3.

Fig. 5.3
A schematic of a criminal smart contract between parties A and B. Party A offers the contract: if a terrorist attack happens at place Y for ideology X, then payment of Z. Party B accepts and the contract is placed on the blockchain. Party B executes the event and obtains the CSC payment from the blockchain.

Criminal smart contract for the financing of terrorism

The figure demonstrates a simple smart contract for financing terrorist activity. It shows that an anonymous party can offer a payment in return for an attack, and that a second party (Party B) can accept the terms. The contract is then placed on the blockchain and will automatically pay Party B once the event has been confirmed. The problem at present is how to get the event onto the blockchain. A smart contract cannot observe the outside world on its own: every node (computer running the blockchain) that executes the contract must arrive at exactly the same result, so a contract cannot be allowed to fetch data from an external source itself, since nodes querying at different moments could receive different answers and would no longer agree on the outcome. External facts therefore have to be submitted to the chain as a transaction by a separate service, called an oracle, whose data the contract then trusts. There are already oracle services that provide (accurate) external information, such as weather data, to the blockchain, and these services will likely expand to include other external events. It is therefore only a matter of time before this problem is solved and a terrorist CSC becomes possible.

The second category is smart contracts that are used to commit a crime. As discussed in Chap. 4, funds are generally placed within the system through a process called ‘smurfing’, which entails placing a high volume of low-value sums into the system to avoid detection. Placing these funds can be done manually, by placing small sums into different wallets or by placing small sums into the same wallet over time. The manual effort needed to place the funds into the wallet(s) can be replaced by a smart contract. Smart contracts can furthermore be used to execute transactions that layer the funds once placed. Smurfing is a technique conducted to avoid detection by supervisors, and the need to avoid detection will increase once the anonymity of wallets is lifted (or at least seriously decreased). The question is therefore how to supervise and detect CSCs.

Despite the current innovation in smart contracts, legislation has not yet been updated to the extent necessary. There is some argument that CSCs are unlikely to succeed.Footnote 122 That assessment was based upon a contract to leak information, which would be hindered by unreliable initiators and the free-rider problem: consumers would wait until other consumers had purchased the goods and thereby released the information.Footnote 123 These factors play a reduced role in financing terrorism or smurfing, where the CSC has only two wallets connected to it. The free-rider problem is therefore much smaller.

The Commission has commissioned a report on regulating blockchains and smart contracts.Footnote 124 The report, however, does not specifically address smart contracts for criminal activities. CSCs themselves are likely to be illegal in most countries, as national criminal codes are unlikely to distinguish between a physical and a digital agreement to commit a crime. Criminalizing an activity, however, is fruitless without proper monitoring and policing, and there is currently no set plan from the EU to monitor smart contracts within the framework of MLFT. Several approaches to monitoring and regulating smart contracts are nevertheless possible. There are four phases in the life span of a smart contract: creation, freezing, execution and finalization.Footnote 125

A smart contract is created by writing code in a programming language such as Solidity, which is developed and maintained by the community and firms around a blockchain platform. A logical first step would be to prohibit any programming language that allows the creation of CSCs, for instance by prohibiting words such as ‘terrorist’ or ‘attack’ in contract code, so that such contracts could not be drafted. Whilst technically possible, this would not solve the problem and would create further difficulties. Firstly, the prohibited words can simply be replaced by other words; moreover, the function and variable names of the source code are not retained in the compiled EVM bytecode, which is all that ends up on the chain, so a word-based prohibition would have nothing to inspect there. Secondly, such an approach creates difficulty in drafting insurance contracts: what if a smart insurance policy wishes to include or exclude a terrorist attack? The third difficulty is that, in the case of money laundering, placing small amounts of money into the Metaverse through a smart contract is not illegal in itself. A contract stating that every x amount of time y amount of money should be transferred is not inherently for unsavoury purposes; the illegality of smurfing lies in its intention to launder money. It is therefore not recommended to prohibit the coding of structuring contracts, since such a prohibition would risk prohibiting any code that entails payment under a long-term contract. Regulating the programming language therefore does not seem a valid option. The next part of the first stage is the offer and acceptance phase, in which a CSC offer is placed on an illegal market and accepted before it is placed upon the blockchain. Whilst this is the most appropriate point at which to supervise, it is certainly difficult: it would entail a supervisory duty upon each marketplace, and the marketplaces for such contracts are unlikely to comply with such duties. This supervision furthermore falls within the realm of the criminal code, which is beyond the scope of this book.

The second phase of a smart contract is the freeze phase.Footnote 126 During this phase, the CSC is verified by the nodes and deployed to the blockchain. This phase of the life cycle is difficult to regulate: the nodes verify the transaction but do not perform a monitoring function, and it would currently be very difficult to make them do so. The programs used to deploy a smart contract to the blockchain can, however, be regulated. These programs allow a user to write a smart contract, test it and place it on the blockchain. Before deployment a smart contract is tested, including through modelling that can check whether the contract is secure and functional.Footnote 127 These modelling techniques can be adapted to include a risk assessment for MLFT: the program would check the contract before deployment to establish whether it is likely to be used for MLFT, and could then refuse to deploy it. Though this would be an effective approach, these deployment programs could likely be bypassed, since anyone able to sign a transaction can deploy a contract directly without such a program, and the check would reduce the speed of deploying smart contracts. It is nevertheless advisable to bring such programs under the scope of AML legislation, partly because it reduces the possibility of generating anonymous smart contracts, and partly because setting technological standards for preventing MLFT decreases the possibility of creating CSCs through the accepted platforms.

The third phase is when the blockchain receives the information that the event has taken place. Prohibiting the blockchain from receiving information on terrorist attacks is a difficult approach. One approach is to reduce the likelihood that accurate external data reaches the CSC. These technologies are in their early development but do show promise,Footnote 128 and would reduce the likelihood of CSCs being carried through successfully. This approach, however, focuses on the smart contract itself rather than on the person or people behind it. Therefore, even if such techniques were used to decrease the effectiveness of CSCs, a supervisory strategy to detect the criminals behind the contract is still needed. Detecting the person(s) behind the CSC is possible through the contact between the wallet and the CSC.

The fourth phase is finalization, in which the payment is made. The previous paragraphs considered the supervisory powers of the wallet. A CSC for crimes such as the organization of a terrorist attack also needs to communicate with a wallet in order to pay out. The first approach would be to treat transactions arriving at a wallet shortly after an attack has been reported as suspicious. This approach, however, also captures everyone who receives an insurance payout or an unrelated payment briefly after an attack, and as a method it is focused on finding the attacker after the event rather than before, whereas the supervisor intends to prevent attacks from taking place. With regard to smurfing contracts, a duty of notice can be introduced.

Currently, financial institutions have to conduct an investigation when a transaction or a combination of transactions reaches a threshold. A similar duty can be introduced for wallets with regard to smart contracts: a smart contract whose transfers reach a combined threshold would be investigated. Such legislation would closely follow the current legislation for banking, and a smart contract concluded for legitimate reasons would remain possible. Though technically possible and closely mimicking the other legislation, this system is not foolproof. Smurfing through regular payment accounts takes effort; that effort is greatly reduced through the use of smart contracts, and criminals may spread the transfers over multiple smart contracts to remain out of sight, which argues for applying the combined threshold to the receiving wallet across all contracts feeding it rather than to each contract alone. Nevertheless, the reporting rule would be an excellent start.
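The following Python example is added here to make the reporting duty concrete; it is not code from the chapter or from any regulator. It implements one rolling-window aggregation rule and runs it in two places: over the transfers a periodic-payment contract would emit, as the pre-deployment risk assessment that a deployment program could perform in the freeze phase, and over the transfers a wallet actually receives from any number of contracts, as the wallet-side duty of notice in the finalization phase. It goes slightly beyond the text by grouping transfers by receiving wallet rather than by contract, so that smurfing spread across several contracts is still caught, and by flagging repeated amounts sitting just under a per-transfer threshold as structuring. The thresholds, window length, contract addresses, beneficiaries and transfer schedules are all constructed assumptions; the chapter names no figures.

```python
"""Added illustration (not from the chapter): a rolling-window aggregation
rule over smart-contract-driven transfers, used both as a pre-deployment
risk check and as a wallet-side reporting duty. Every threshold, address
and transfer below is a constructed assumption."""
from collections import defaultdict
from dataclasses import dataclass

DAY = 24 * 3600
# Hypothetical supervisory parameters (assumptions; the chapter names no figures).
WINDOW = 30 * DAY               # rolling window over which incoming transfers are combined
AGGREGATE_THRESHOLD = 10_000.0  # combined value in the window that triggers an investigation
SINGLE_THRESHOLD = 1_000.0      # per-transfer reporting threshold a smurfer tries to stay under
JUST_UNDER = 0.9                # amounts in [90%, 100%) of SINGLE_THRESHOLD count as "just under"
MIN_JUST_UNDER = 3              # this many just-under transfers in one window is reported as structuring


@dataclass(frozen=True)
class Transfer:
    timestamp: int      # unix seconds
    contract: str       # originating smart contract (hypothetical address)
    beneficiary: str    # receiving wallet (hypothetical address)
    amount: float


@dataclass(frozen=True)
class ContractSpec:
    """Parameters a deployment tool can read off a periodic-payment contract
    before it is placed on the chain (hypothetical shape)."""
    address: str
    beneficiary: str
    amount: float
    interval: int       # seconds between payments
    start: int          # timestamp of the first payment
    count: int          # number of payments


@dataclass(frozen=True)
class Alert:
    beneficiary: str
    timestamp: int          # moment the rule first fired
    reason: str             # "aggregate" or "structuring"
    total: float            # combined value in the window at that moment
    contracts: frozenset    # contracts feeding the wallet in that window


def simulate_schedule(spec):
    """Expand a periodic-payment contract into the transfers it would emit."""
    return [Transfer(spec.start + i * spec.interval, spec.address, spec.beneficiary, spec.amount)
            for i in range(spec.count)]


def flag_structuring(transfers, window=WINDOW):
    """Wallet-side rule: per beneficiary, keep a rolling window of incoming
    transfers from every contract and report once per reason when the combined
    value reaches AGGREGATE_THRESHOLD or when the window holds MIN_JUST_UNDER
    transfers just below SINGLE_THRESHOLD. Grouping by beneficiary rather than
    by contract catches smurfing split across several contracts."""
    alerts = []
    fired = set()                 # (beneficiary, reason) pairs already reported
    recent = defaultdict(list)    # beneficiary -> transfers still inside the window
    for t in sorted(transfers, key=lambda x: x.timestamp):
        bucket = recent[t.beneficiary]
        bucket.append(t)
        # drop everything that has aged out of the window (the current transfer never does)
        while bucket[0].timestamp <= t.timestamp - window:
            bucket.pop(0)
        total = sum(x.amount for x in bucket)
        just_under = sum(1 for x in bucket
                         if JUST_UNDER * SINGLE_THRESHOLD <= x.amount < SINGLE_THRESHOLD)
        contracts = frozenset(x.contract for x in bucket)
        for reason, hit in (("aggregate", total >= AGGREGATE_THRESHOLD),
                            ("structuring", just_under >= MIN_JUST_UNDER)):
            if hit and (t.beneficiary, reason) not in fired:
                fired.add((t.beneficiary, reason))
                alerts.append(Alert(t.beneficiary, t.timestamp, reason, total, contracts))
    return alerts


def predeployment_check(spec):
    """Freeze-phase check: would this contract, on its own, trip the rule?"""
    return flag_structuring(simulate_schedule(spec))


# Constructed scenarios: one legitimate long-term payment, two smurfing contracts
# feeding the same wallet with just-under amounts, offset by one day.
RENT = ContractSpec("0xRent", "0xLandlord", 800.0, 30 * DAY, 0, 6)
SMURF_A = ContractSpec("0xSmurfA", "0xMule", 950.0, 2 * DAY, 0, 12)
SMURF_B = ContractSpec("0xSmurfB", "0xMule", 950.0, 2 * DAY, DAY, 12)

if __name__ == "__main__":
    print("rent:", predeployment_check(RENT))          # no alert: periodic payment alone is fine
    print("smurf A alone:", predeployment_check(SMURF_A))
    ledger = simulate_schedule(RENT) + simulate_schedule(SMURF_A) + simulate_schedule(SMURF_B)
    for alert in flag_structuring(ledger):
        print(alert)
```

The rent contract passes both checks, which is the point made above that a contract paying y every x is not suspicious in itself. Each smurfing contract trips the rule on its own at the deployment check; when run over the wallet's ledger, the aggregate alert fires earlier and lists both contracts, because the window is kept per receiving wallet rather than per contract.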

In general, legislation to monitor and supervise MLFT should target the first and last stages of the smart contract. In those phases the wallets are used to communicate, and these wallets are connected to the people who intend to commit MLFT. The freezing stage can be targeted through the deployment mechanism, although this targets the entry into the freezing stage rather than the verification by the nodes itself. The third phase is that of the blockchain: once the CSC is placed on the blockchain it will be difficult to regulate. Though there are techniques to hinder finalization, these are policing techniques rather than monitoring and supervisory issues.

5.8 Conclusion and Recommendations

The first difficulty when considering MLFT and the Metaverse is the variety of wallets available. Wallets can be offered either on their own or as part of a variety of services. This wide variety means that for a legislative response to be effective it should cover all forms of wallets. The EU approach uses the term entity to describe the wallet provider. This term is considerably broad and is therefore unlikely to distinguish between pure wallets and wallets offered as part of a package. More difficult, however, is the regulatory exclusion of non-custodian wallets.

Non-custodian wallets have been excluded from the regulatory framework. Non-custodian wallets are sold as a product rather than a service; the developer therefore has no ongoing role once the product has been sold. This does not fit the current legislative approach, which focuses on human supervision. That focus, however, is outdated. Even in other areas of the financial sector human supervision has largely been replaced by algorithms, with humans only filtering the outcomes of the algorithm. This filtering job sounds important, but as it turns out the number of false positives remains rather high despite human intervention. Making an algorithm directly responsible for supervision is therefore a realistic alternative. The algorithm can be built into the non-custodian wallet and communicate directly with the national FIU. To make such a system successful, the national supervisor has to develop standards of algorithmic efficiency, which allows for a fair judgement of algorithms before they enter the market. Secondly, a system of accountability for mistakes should be developed, alongside a new legal personality for digital entities. Shifting the focus to the quality of algorithms and other aspects of technology is daunting for any legislator. Nevertheless, this shift would allow non-custodian wallets to be part of the regulated framework, rather than form their own unregulated market.

A further step towards embracing technology within the regulatory framework is the development of the Internet of Things, a system in which things communicate with each other over the internet. By considering wallets as things participating in the IoT, more consumer protection can be generated: the wallet can protect its user from possible scams and can exclude non-regulated wallets. This approach is technically feasible but would require further development of the legislative framework. In particular, the legislator should respond to data protection and to the protection of the consumer against himself.

In short, the EU legislator has generated a broad framework. The framework, however, is over-reliant on humans. Embracing the use of technology whilst regulating its standards would allow for a more effective supervisory framework against MLFT. This concludes the placement phase of MLFT in the Metaverse. As discussed earlier, the placement phase is only the first of three phases. The next chapter will therefore continue by discussing the second phase: layering.