EU takes aim at ransomware with plans to make Bitcoin traceable, prohibit anonymity

The European Commission (EC) has set out new legislative proposals to strengthen its anti-money laundering (AML) and countering terrorism financing (CFT) rules to tackle financial crime. A key element of those proposals includes changes to make crypto asset transfers more traceable and secure by forcing companies to collect certain details on recipients and senders and prohibiting the use of anonymous cryptocurrency wallets.

In a press release announcing the legislative proposals, the EC explains how the new laws would enhance traceability of cryptocurrency and why the scale of the problem warrants such action.

“At present, only certain categories of crypto asset service providers are included in the scope of EU AML/CFT rules. Today’s amendments will ensure full traceability of crypto asset transfers, such as Bitcoin, and will allow for prevention and detection of their possible use for money laundering or terrorism financing,” the EC writes. “In addition, anonymous crypto asset wallets will be prohibited, fully applying EU AML/CFT rules to the crypto sector.”

Under the proposals, a new AML Authority will be created that will be central to coordinating national authorities to ensure the private sector correctly and consistently applies EU rules, with the goal of closing the loopholes that criminals can exploit, said the Commissioner responsible for financial services, financial stability and Capital Markets Union, Mairead McGuinness. 

The new proposals will be examined by the European Parliament and Council. If passed, they could come into force in 2024.

New AML/CFT rules not enough to stop ransomware

With the new rules, the EU clearly intends to “close loopholes in the existing AML/CFT regime,” says Martha Bennett, VP and principal analyst at Forrester, but she warns that loopholes may still remain that cybercriminals will take advantage of.

“The prohibition on anonymous crypto asset wallets is in line with the latest FATF Travel Rule proposals, and hence no surprise,” Bennett tells CSO. “However, according to some unverified reports, non-custodial privacy wallets and unhosted wallets held by users themselves may be exempt from the proposals, which potentially leaves a loophole.”

Bennett believes that any impact on reducing cybercrime such as ransomware will be small in the short term. “As long as cybercriminals can move their coins (as they are, mixed or changed to a different cryptocurrency) to a jurisdiction, or number of jurisdictions, with less oversight but sufficient liquidity, rules like these are an inconvenience, but not a showstopper.” Rather, coordinated, globally action is required to make it increasingly difficult for criminals to access cash and/or launder their coins, she argues. “Only once a certain threshold is reached will regulation act as a deterrent to the type of organized crime groups that are behind the current spate of attacks.”

Erhan Temurkan, head of information security at FinTech company Bink, echoes similar sentiments, and while he views the legislation as a positive move that has been a long time coming, he says the overall impact on reducing cybercrime will likely be minimal. “Cybercriminals are known to use what is called Bitcoin tumbler/mixer services whereby an original cryptocurrency is taken and mixed into several microtransactions, and in some cases even into another cryptocurrency in order to conceal the true identity of the original sender. I can see these services being leveraged further when the legislation is introduced.”