Categories
GDPR Privacy Regulation

GDPR Article 35 and Article 25 Square Off

For those not buried in the details of the European General Data Protection Regulation (GDPR), there is often confusion about the differences between Data Protection Impact Assessments (Article 35) and Data Protection by Design and Default (Article 25). Many people assume that DPIAs, as the impact assessments are called, are synonymous with Data Protection by Design and Default. This article highlights some of the key differences.

Article 35 Data Protection Impact Assessments

  • Applies to: processing of personal data that likely poses a high risk to individuals, especially where there is automated processing, processing large scale special categories of information or systematic monitoring of public spaces
  • Requires: documentation of the measures to address the risk and demonstrate compliance with the regulation
  • When: prior to processing

Article 25 Data Protection by Design and Default

  • Applies to: all processing of personal data
  • Requires: implementing appropriate technical and organizational measures designed to implement data protection principles and only process the personal data necessary for the specific purposes
  • When: at the time of determination of the means of processing AND at the time of processing

I’ve obviously summarized the language of the articles but only to highlight the differences. So let me dive a little further. First off, you’ll notice the first key distinction on the applicability. DPIAs are only necessary for high risk processing, whereas Data Protection by Design (and default) applies to ALL processing of personal data. Of course, to get to a DPIA, most organizations rely on some threshold analysis which would suggest whether or not the processing is high risk. This is not necessary for Data Protection by Design because it applies to all processing.

The second key distinction is that DPIAs are about documenting your measures and compliance, whereas Data Protection by Design is about implementing measures. An Article 35 DPIA is about proving you’re complying, whereas Article 25 Data Protection by Design and Default is about trying to comply (i.e. the measures are “designed” to implement data protection principles). Presumably, if you’ve designed data protection into your processing, the DPIA is about ensuring that you’ve formally documented it (with all your i’s dotted and t’s crossed). An example might help. If you’re planning on collecting contact information of potential customers at a concert, you might implement an organizational measure (a policy) that tells your employees to ensure they tell potential customers what their data will be used for. That is a measure designed to comply with the data protection principle of transparency. Will some of your people forget to tell them? Perhaps. Perfection is not the goal. Now change this up: you’re planning on video recording individuals at the concert and doing demographic analysis on ethnicities in attendance. Now you fall under the systematic monitoring clause of Article 35 (and the special categories clause as well). You have to document how you’re complying with the regulation, including all the technical and organizational measures. Maybe only three employees have access to the data. Maybe you’re doing this under the lawful basis of a task carried out in the public interest. Maybe you had notice printed on the back of the ticket before everyone entered. Document. Document. Document is what DPIAs are all about.

The final key distinction is about timing. For DPIAs, you need to do them at any time prior to processing. The idea here is that if you don’t have the documentation or can’t prove you’re complying with the regulation, that would stop you from processing the personal data at high risk to the individuals (or at least give you pause). Because Data Protection by Design is about implementing measures rather than documenting those measures, it must be done (1) when you determine what processing you’re going to do and (2) at the time of processing. The reason for this is that a measure may have different effects at different times. For instance, one measure (in accordance with the data minimization principle) might be to exclude collection of certain information, say ethnicity, when asking for contact information. This might be implemented on the form being used to collect data by not having an ethnicity field. Since we create the form at the “time of determination of the means of processing,” we’re implementing that measure at that time. Another measure might be to audit the forms to make sure employees aren’t secretly marking codes next to minority names and contact information. That measure would obviously be at the “time of the processing itself.”

Categories
GDPR Privacy Regulation

Lawful Basis under GDPR: Performance of a Contract

The newly enacted General Data Protection Regulation (GDPR) in the European Union provides for six lawful bases for processing data. Just as a baseline for readers who may not be familiar with the GDPR, in general processing is prohibited unless you have a lawful basis. Article 6 of the regulation provides the list of bases:

  1. Consent
  2. Necessary for performance of a contract
  3. Necessary for compliance with the law
  4. Necessary to protect vital interest of the data subject
  5. Necessary for task carried out in the public interest
  6. Necessary for a legitimate interest of the controller or third party

The most common justification by organizations is probably (6) legitimate interest. The easiest example of this would be fraud prevention. An organization has a legitimate interest in preventing fraud from occurring. Of course, the balancing test for legitimate interest must still be carried out. You can’t justify doing just anything you want on the basis of fraud prevention.

The basis which garners the most press and most debate is consent. In fact, the regulation devotes an entire article to what constitutes valid consent. The Article 29 Working Party, the official EU advisory group on data protection, also published a 30 page guide to consent. Consent is essentially a last resort for organizations wanting to use data. If you can’t find a valid basis under the other five, consent is your only option.

Bases 3, 4 and 5 are fairly narrow and of limited general purpose use, only available in certain circumstances.

Which leaves us #2, performance of a contract, the subject of this post. In full, the text of the regulation on this reads: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

Unfortunately, many read this option too broadly as, simply, part of a “contract.” In other words, their feeling is that anything put into the contract makes this a valid basis for processing. But let’s look a little closer.

“processing is necessary for the performance of a contract to which the data subject is party”

First off, it’s clear the data subject must be a party to the contract. It can’t be a contract between two organizations concerning the data subject (or their information). What about the other part of that sentence, “necessary for the performance of a contract?” While performance is not defined under the Principles of European Contract Law (PECL), non-performance is, in Art 1:301:

“‘non-performance’ denotes any failure to perform an obligation under the contract, whether or not excused, and includes delayed performance, defective performance and failure to co-operate in order to give full effect to the contract.”

Article 7 of PECL goes on to describe, in more detail, issues of performance. One can deduce from the counter-definition that performance means completion of an obligation under the contract (in a timely, non-defective and cooperative way). Article 6:101 describes that a statement in a contract gives rise to an obligation on a party if the other party reasonably expected it to give rise to that obligation, taking into account (a) the apparent importance of the statement to the other party; (b) whether the party was making the statement in the course of business; and (c) the relative expertise of the parties. Clause (a) is crucial in the analysis for the lawful basis of performance of a contract under GDPR.

In order for “performance of a contract” to be the lawful basis, the processing of data must be necessary to fulfill an obligation, under the contract, of the controller which is important to the data subject.

Let’s look at a clear example: I hire you to design and print business cards for me. Without my name and contact information, it would be impossible for you to fulfill your obligation under the contract. I’ve set you up for failure and arguably non-performed my obligations for failure to co-operate if you’re not allowed to use that information. Processing of that data is necessary for your performance.

Let’s look at one more common one, payment processing. You hire my consulting firm to provide privacy by design training and the firm expects payment for that service. In receiving that payment, I’m in receipt of your personal information, which may be supplied to a payment processor, used to create an invoice, etc. From the contract’s perspective, the obligations are that you pay the firm and that the firm provides training services. Processing payment is for the firm’s benefit (aka in its legitimate interest in facilitating payment), not to fulfill an obligation to you.

The bottom line is, just because there is a contract doesn’t mean the lawfulness of processing is based on performance of that contract. The processing has to support, and be necessary for, performing your obligations under the contract.

Categories
1st Amendment Privacy Regulation

Agency Information Collection Activities: Arrival and Departure Record (Forms I-94 and I-94W) and Electronic System for Travel Authorization

June 5th, 2016

U.S. Customs and Border Protection
Attn: Paperwork Reduction Act Officer
Regulations and Rulings
Office of Trade
90 K Street NE.
10th Floor
Washington, DC 20229-1177.

I am writing in response to the notice published in the Federal Register on 6/23/2016 entitled “Agency Information Collection Activities: Arrival and Departure Record (Forms I-94 and I-94W) and Electronic System for Travel Authorization.”

I am responding to the question of “whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility.”

The proposed changes to the I-94W and I-94 forms, albeit small, have potentially grave ramifications to the fundamental ideals upon which the United States is founded and practically will result in no net improvement to the security of the country.

Constitutional Problems – Chilling effect on speech

In 1996, a three judge panel from the Eastern District of Pennsylvania declared the Communications Decency Act unconstitutional. Judge Dalzell, writing the opinion of court, declared: “[T]he Internet may fairly be regarded as a never-ending worldwide conversation. The Government may not, through the CDA, interrupt that conversation. As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion (emphasis added).”
The Internet, in its present form, is used by billions of individuals around the world to communicate with each other. Whether it is for business, pleasure, entertainment, enlightenment or political discourse, social media on the Internet is perhaps the principal forum today by which people of diverse cultures, countries and mindsets interact on a daily basis. Ostensibly, the objective of the form change is to identify social media profiles of visitors to the United States. The social media profiles will be reviewed and analyzed, whether by automated or manual means. Potentially, individuals whose social media profiles indicate they are in some way threatening to the United States will be prohibited from entry, or their entry will be more closely scrutinized.
What is more likely the outcome is that
(1) Individuals with controversial writings will choose not to visit the United States, reducing the diversity of ideas and discussion on those topics (within the geographic United States).
(2) Individuals with controversial thoughts will scrutinize their social media presence and avoid discussions on those thoughts on what Judge Dalzell called “a never-ending worldwide conversation.” This will reduce the diversity of ideas and discussions on those topics (on the Internet).

The chilling effect is not just on foreign nationals but negatively affects the ability of United States citizens to listen to and discuss controversial topics with foreigners abroad. In 1965, the Supreme Court in Lamont v. Postmaster General, 381 U.S. 301, struck down section 305 of the Postal Service and Federal Employees Salary Act because it required the Postmaster General to detain foreign mailings of communist political propaganda unless the addressee affirmatively acknowledged their acceptance of and desire to receive such material. The Supreme Court recognized that this would reduce the recipient’s unfettered access to constitutionally protected speech, and thus the act was unconstitutional. The courts have consistently ruled that acts of government that do not directly prohibit speech but have a chilling effect on it are nevertheless unconstitutional. This change to forms I-94 and I-94W will have a similar effect.

As to the necessity of the proposed change to the function of the agency, an unconstitutional act can never be necessary.

Practical Utility of the proposed change

Selection bias is defined as “selection of individuals, groups or data for analysis in such a way that proper randomization is not achieved, thereby ensuring that the sample obtained is not representative of the population intended to be analyzed.” The simple fact is that those attempting to enter the United States to perform terrorist acts are simply not going to list their Jihadi forum screennames on the I-94 forms. Those filling out this optional section are most likely to be people who believe the mundanity of their social presences leaves them immune from any issue with entering the U.S. This will result in three practical problems:
(1) While Facebook, Twitter and a few others constitute the biggest players in social media, there are thousands upon thousands of smaller social media sites catering to every niche, minority and social group. Further, many people maintain multiple identities on different platforms. Any collection of information will, no doubt, be incomplete.
(2) Large amounts of data from visitors who pose no threat will be collected, resulting in wasted effort and resources by the government to review that data, whether by automated or manual means.
(3) Since many of the most threatening visitors or potential visitors will provide no information, or sanitized information only, the people this is most likely to stop are those whose social media posts or connections are taken out of context or who, while not representing a threat to the U.S., have controversial views. This will result in investigatory efforts into, and dealing with appeals from, individuals who have been wrongly denied entry. Additionally, for those that are denied entry, it will result in a chilling effect and an inability for those in the U.S. to interact with, learn from and discuss topics with the denied party.

The net result is that the proposed change is likely subject to a claim of unconstitutionality and practically will not achieve the desired ends.

Sincerely,

R. Jason Cronk, Esq.
Florida Bar #90009

Categories
Bitcoin FINCEN Regulation

FinBEN issues ruling on Beanie Baby Payment System

[Update: see the video about beanie babies, posted subsequent to my post.]

FIN-2014-R012
Issued: October 27, 2014
Subject: Request for Administrative Ruling on the Application of FinBEN’s Regulations to a beanie baby Payment System

Dear [ ]:

This responds to your letter of January 6, 2014, seeking an administrative ruling from the Financial Baby Enforcement Network (“FinBEN”) on behalf of [ ] (the “Company”), about the Company’s possible status as a money services business (“MSB”) under the Bank Secrecy Act (“BSA”). Specifically, you ask whether the beanie baby payment system the Company intends to set up (the “System”) would make the Company a money transmitter under the BSA. Based on the following analysis of the description of the System to provide payments to merchants who wish to receive customer payments in beanie babies, FinBEN finds that, if the Company sets up the System, the Company would be a money transmitter and should comply with all risk management, risk mitigation, recordkeeping, reporting, and transaction monitoring requirements corresponding to such status.

You state in your letter that the Company wishes to set up a System that will provide beanie baby-based payments to merchants in the United States and (mostly) Latin America, who wish to receive payment for goods or services sold in beanie babies. The Company would receive payment from the buyer or debtor in currency of legal tender (“real currency”), and transfer the equivalent in beanie babies to the seller or creditor, minus a transaction fee. The current intended market for the System is the hotel industry in four Latin American countries where, because of currency controls and extreme inflation, merchants face substantial foreign exchange risks when dealing with overseas customers.

According to your letter, a merchant will sign up with the Company to use the System, and incorporate the Company’s software into its website. Customers purchasing the merchant’s goods or services (e.g., hotel reservations) will pay for the purchase using a credit card. Instead of the credit card payment going to the merchant, it will go to the Company, which will transfer the equivalent value in beanie babies to the merchant. The Company pays the merchant using the reserve of beanie babies it has acquired from wholesale purchases from beanie baby exchangers (such as Ebay) at the Company’s discretion (thus the Company assumes any exchange risk that occurs during the time between the Company’s wholesale purchases and its payment to a merchant). The Company has no agreement with the customer and will only make payment to the merchant.

You maintain that the Company should not be regulated as a money transmitter because it does not conform to the definition of currency exchanger, due to the fact that the Company makes payments from an inventory of beanie babies it maintains, rather than funding each individual transaction. You also maintain that, should the Company be considered an exchanger of currency, the Company’s business should be covered under an exemption that applies to certain payment processing activities, 1 and/or the Company’s transmissions should be deemed integral to the transaction and thereby covered under another exemption from money transmission.2

FinBEN’s beanie baby Guidance

On March 18, 2013, FinBEN issued guidance on the application of FinBEN’s regulations to transactions in beanie babies (the “Guidance”).3 FinBEN’s regulations define “currency” as “[t]he coin and paper money of the United States or of any other country that is designated as legal tender and that circulates and is customarily used and accepted as a medium of exchange in the country of issuance.”4 In contrast to real currency, “beanie baby” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, beanie babies do not have legal tender status in any jurisdiction. The Guidance addresses “convertible” beanie baby. This type of beanie baby either has an equivalent value in real currency, or acts as a substitute for real currency.

For purposes of the Guidance, FinBEN refers to the participants in generic beanie baby arrangements, using the terms “exchanger,” “administrator,” and “user.” An exchanger is a person engaged as a business in the exchange of beanie babies for real currency, funds, or other beanie babies. An administrator is a person engaged as a business in issuing (putting into circulation) a beanie baby, and who has the authority to redeem (to withdraw from circulation) such beanie baby. A user is a person that obtains beanie babies to purchase goods or services.5 Under the Guidance, both exchangers and administrators are considered to be money transmitters unless a limitation or exemption from the definition of money transmitter applies to that person.6

  1.  31 CFR § 1010.100(ff)(5)(ii)(B).
  2. 31 CFR § 1010.100(ff)(5)(ii)(F).
  3. FIN-2013-G001(“Application of FinBEN’s Regulations to Persons Administering, Exchanging, or Using Beanie babies,” March 18, 2013).
  4. 31 CFR § 1010.100(m).
  5. FIN-2014-R001 “Application of FinBEN’s Regulations to Beanie baby Mining Operations” – 01/30/2014, clarified that a user is a person that obtains beanie baby to purchase goods or services on the user’s own behalf. (emphasis added)
  6. See FIN-2013-G001.

FinBEN disagrees with your position that the Company does not convert the customer’s real currency into beanie babies because the Company purchases and stores large quantities of beanie babies that the Company then uses to pay the merchant. As described above, the Company is an exchanger under the Guidance because it engages as a business in accepting and converting the customer’s real currency into beanie babies for transmission to the merchant. The fact that the Company uses its cache of beanie babies to pay the merchant is not relevant to whether it fits within the definition of money transmitter. An exchanger will be subject to the same obligations under FinBEN regulations regardless of whether the exchanger acts as a broker (attempting to match two (mostly) simultaneous and offsetting transactions involving the acceptance of one type of currency and the transmission of another) or as a dealer (transacting from its own reserve in either beanie babies or real currency).

 

FinBEN concludes that the Company would be a money transmitter, specifically because it is acting as an exchanger of beanie babies, as that term was described in the Guidance. Additionally, you then ask, if FinBEN determines that the Company is an exchanger, whether either an exemption for certain payment processing activities or an exemption for transactions integral to the sale of other goods or services would apply.

FinBEN’s definition of money transmission and existing exemptions

On July 21, 2011, FinBEN published a Final Rule amending definitions and other regulations relating to MSBs (the “Rule”).7 The amended regulations define an MSB as “a person wherever located doing business, whether or not on a regular basis or as an organized or licensed business concern, wholly or in substantial part within the United States, in one or more of the capacities listed in paragraphs (ff)(1) through (ff)(7) of this section. This includes but is not limited to maintenance of any agent, agency, branch, or office within the United States.”8

BSA regulations, as amended, define the term “money transmitter” to include a person that provides money transmission services, or any other person engaged in the transfer of funds. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.9 The regulations also stipulate that whether a person is a money transmitter is a matter of facts and circumstances, and identify circumstances under which a person’s activities would not make such person a money transmitter.10

  7. Bank Secrecy Act Regulations – Definitions and Other Regulations Relating to Money Services Businesses, 76 FR 43585 (July 21, 2011).
  8. 31 CFR § 1010.100(ff).
  9. 31 CFR § 1010.100(ff)(5)(i)(A).
  10. 31 CFR § 1010.100(ff)(5)(ii).

FinBEN stipulates four conditions for the payment processor exemption to apply to a particular business pattern:

  • the entity providing the service must facilitate the purchase of goods or services, or the payment of bills for goods or services (other than money transmission itself);
  • the entity must operate through clearance and settlement systems that admit only BSA-regulated financial institutions;
  • the entity must provide the service pursuant to a formal agreement; and
  • the entity’s agreement must be at a minimum with the seller or creditor that provided the goods or services and receives the funds.11

 

The Company fails to satisfy one of these conditions. The Company is not operating through clearing and settlement systems that only admit BSA-regulated financial institutions as members. According to your letter the real currency payments from the consumer take place within a clearing and settlement system that only admits BSA-regulated financial institutions as members (specifically, a credit card network), however, the payment of the beanie babies equivalent to the merchant, by definition, takes place outside such a clearing and settlement system, either to a merchant-owned beanie baby wallet or to a larger beanie baby exchange that admits both financial institution and non-financial institution members, for the account of the merchant.

 

With regard to whether the money transmission is integral to the provision of the Company’s service, and thus potentially eligible for exemption, FinBEN has concluded that the money transmission that takes place within the System does not qualify for the exemption. There are three fundamental conditions that must be met for the exemption to apply:

  1. The money transmission component must be part of the provision of goods or services distinct from money transmission itself;
  2. The exemption can only be claimed by the person that is engaged in the provision of goods or services distinct from money transmission;
  3. The money transmission component must be integral (that is, necessary) for the provision of the goods or services.

 

In FinBEN’s view, the payment service that the Company intends to offer meets the definition of money transmission. Such money transmission is the sole purpose of the Company’s System, and is not a necessary part of another, non-money transmission service being provided by the Company. Although rendered before the 2011 modifications to MSB definitions and in some cases involving a different type of MSB, FinBEN reached the same conclusion in several administrative rulings that apply to this particular point.12

  11. See 31 CFR § 1010.100(ff)(5)(ii)(B); see also FIN-2013-R002 (“Whether a Company that Offers a Payment Mechanism Based on Payable-Through Drafts to its Commercial Customers is a Money Transmitter” – 11/13/2013). FIN-2013-R002 clarifies that for the payment processor exemption to apply, the entity must use a clearance and settlement system that intermediates solely between BSA regulated institutions.

 

For the above reasons, FinBEN has determined that the Company is engaged in money transmission, and such activity is not covered by either the payment processor or the integral exemption. Please note that FinBEN would reach the same conclusions if payments were made in stuffed toys other than beanie babies. As a money transmitter, the Company will be required to (a) register with FinBEN, (b) conduct a comprehensive risk assessment of its exposure to money laundering,13 (c) implement an Anti-Money Laundering Program based on such risk assessment, and (d) comply with the recordkeeping, reporting and transaction monitoring obligations set down in Parts 1010 and 1022 of 31 CFR Chapter X. Examples of such requirements include the filing of Currency Transaction Reports (31 CFR § 1022.310) and Suspicious Activity Reports (31 CFR § 1022.320), whenever applicable, general recordkeeping maintenance (31 CFR § 1010.410), and recordkeeping related to the sale of negotiable instruments (31 CFR § 1010.415). Furthermore, to the extent that any of the Company’s transactions constitute a “transmittal of funds” (31 CFR § 1010.100(ddd)) under FinBEN’s regulations, then the Company must also comply with the “Funds Transfer Rule” (31 CFR § 1010.410(e)) and the “Funds Travel Rule” (31 CFR § 1010.410(f)).

This ruling is provided in accordance with the procedures set forth at 31 CFR Part 1010 Subpart G. In arriving at the conclusions in this administrative ruling, we have relied upon the accuracy and completeness of the representations you made in your communications with us. Nothing precludes FinBEN from arriving at a different conclusion or from taking other action should circumstances change or should any of the information you have provided prove inaccurate or incomplete. We reserve the right, after redacting your name and address, and similar identifying information for your clients, to publish this letter as guidance to financial institutions in accordance with our regulations.14 You have fourteen days from the date of this letter to identify any other information you believe should be redacted and the legal basis for redaction.

  12. See FIN-2008-R007 (“Whether a Certain Operation Protecting On-line Personal Financial Information is a Money Transmitter” – 06/11/2008); FIN-2008-R004 (“Whether a Foreign Exchange Consultant is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008); FIN-2008-R003 (“Whether a Person That is Engaged in the Business of Foreign Exchange Risk Management is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008); and FIN-2008-R002 (“Whether a Foreign Exchange Dealer is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008).
  13. We caution the Company about incorporating into its comprehensive risk assessment the delicate balance between helping merchants avoid losses due to the fluctuation of their currencies of legal tender because of inflationary trends or devaluation, on the one hand, and collaboration with their potential evasion of foreign exchange control regulations applicable in their jurisdictions, on the other.
  14. 31 CFR §§ 1010.711-717.

If you have questions about this ruling, please contact FinBEN’s regulatory helpline at (703) 905-3591.

 

 

Sincerely,

//signed//

Ty Toy
Head Beanie Counter
Policy Division

[The preceding is a parody. Please do not rely on it for legal advice in your beanie baby payment system.]

Categories
Bitcoin FINCEN Merchant acceptance Regulation

How FINCEN regulations affect cloud based solutions in payment tech.

Just a few weeks ago, the Financial Crimes Enforcement Network (FINCEN) released a ruling about the applicability of the payment processor exception to a Bitcoin based company.

As a little background, generally any company that transfers value between one party and another (or from one location to another) is deemed a money transmitter and subject to applicable regulatory controls. There is an exception for “payment processors” who merely process payments on behalf of merchants [See (5)(ii)(B) ].

In the recent ruling, the company requesting clarification wanted to accept remittance in U.S. Dollars from presumably U.S. customers of Latin American hotels and send those hotels the commensurate value in bitcoin. The company argued they fell under the payment processor exception. FINCEN disagreed. Without going into too much detail, the basis of the ruling was that “for the payment processor exemption to apply, the entity must use a clearance and settlement system that intermediates solely between BSA regulated institutions.” (BSA is the Bank Secrecy Act.)

While this is bad for the company that requested the ruling, it’s even worse for the Bitcoin community at large. Why?

[Disclaimer: the following is not to be construed as legal advice and is not meant to pick on Blockchain.info. I’m a customer of blockchain.info and use their API to facilitate transactions for my privacy-preserving disposable email service 1ncemail.]

Blockchain.info offers a very simple API that allows merchants to accept bitcoin on their websites and integrate it into their shopping cart or other systems. The API works like many other payment processors in that, when money is received, it makes a call to a URL on the merchant’s server indicating that payment has been received. The merchant then appropriately credits the customer’s account.

The problem (from a regulatory perspective) is that Blockchain.info’s API generates a payment transaction wallet to accept payment for the merchant and then forwards that payment on to the merchant’s wallet. In that respect, Blockchain.info is moving value from one person (the consumer) to another (the merchant), and they can’t rely on the payment processor exception because they are not going through BSA regulated entities to send value to the merchant.

Now, of course, if Blockchain.info provided the same functionality of the API in software the merchant downloaded and installed on their own servers, there wouldn’t be an issue, because they are merely providing software, not facilitating the actual transmission. I would say the API could provide the primary function (monitoring a transaction wallet address for payment and calling a URL) without running afoul of the regulations. But because Blockchain.info has control of that intermediary wallet, they are in fact a money transmitter, for the purposes of the regulations.
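To make that distinction concrete, here is an added example (not Blockchain.info’s API or code from the original post) of the merchant-run model just described: software on the merchant’s own server watches a merchant-controlled address and fires a signed callback into the shop, so no intermediary wallet ever holds the funds. The address, shared secret and transaction records are constructed placeholders, and the signature check shows the verification a merchant endpoint needs before crediting an order.

```python
"""Merchant-side payment monitor: watches a merchant-controlled address and
fires an HMAC-signed callback into the shop. No intermediary wallet is involved."""
import hashlib
import hmac
import json

MERCHANT_ADDRESS = "1MerchantAddressPlaceholderXXXXXXX"    # hypothetical address
CALLBACK_SECRET = b"shared-secret-between-monitor-and-shop"  # hypothetical secret
MIN_CONFIRMATIONS = 3

# Constructed sample of what a node or block explorer would report for the address.
SAMPLE_TXS = [
    {"txid": "aa01", "confirmations": 6, "outputs": [{"address": MERCHANT_ADDRESS, "satoshis": 250_000}]},
    {"txid": "bb02", "confirmations": 1, "outputs": [{"address": MERCHANT_ADDRESS, "satoshis": 90_000}]},
    {"txid": "cc03", "confirmations": 9, "outputs": [{"address": "1SomeoneElseXXXXXXXXXXXXXXXXXXXXX", "satoshis": 5_000}]},
]

def confirmed_payments(txs, address, min_conf=MIN_CONFIRMATIONS):
    """Return {txid: satoshis} for sufficiently confirmed outputs paying `address`."""
    paid = {}
    for tx in txs:
        if tx["confirmations"] < min_conf:
            continue  # unconfirmed: do not credit yet
        amount = sum(o["satoshis"] for o in tx["outputs"] if o["address"] == address)
        if amount:
            paid[tx["txid"]] = amount
    return paid

def sign_callback(payload, secret):
    """Canonical JSON + HMAC-SHA256, so the shop can tell a real notification from a forged one."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

class Shop:
    """Merchant endpoint: credits each txid once, and only on a valid signature."""
    def __init__(self, secret):
        self.secret = secret
        self.credited = {}

    def callback(self, payload, signature):
        if not hmac.compare_digest(sign_callback(payload, self.secret), signature):
            return False  # forged or tampered notification
        if payload["txid"] in self.credited:
            return False  # replayed notification
        self.credited[payload["txid"]] = payload["satoshis"]
        return True

def run_monitor(txs, shop):
    """Notify the shop of every confirmed payment; return how many were newly credited."""
    credited = 0
    for txid, sats in confirmed_payments(txs, MERCHANT_ADDRESS).items():
        payload = {"txid": txid, "address": MERCHANT_ADDRESS, "satoshis": sats}
        credited += shop.callback(payload, sign_callback(payload, CALLBACK_SECRET))
    return credited
```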

I actually think this ruling might be a prelude to FINCEN considering miners as money transmitters. And, I hesitate to suggest, if someone presented the Bitcoin system in the abstract (without reference to Bitcoin) to FINCEN asking for clarification on whether miners were money transmitters, they would unquestionably say yes.

 

Bitcoin and the Zombie Apocalypse

Today I get to talk about two of my favorite topics: Bitcoin and the Zombie Apocalypse. Though both have entered popular culture, unfortunately only one is real. But there is a real phenomenon very closely related to the day of the dead that has relevance to the Bitcoin community.

That phenomenon is a pandemic.

A pandemic is an epidemic infectious disease that spreads far beyond a small localized population to infect whole countries, continents or even the globe. Why is this relevant to Bitcoin? Well, Bitcoin is very well situated to survive a pandemic which affects a large population. The decentralized and diverse nature of the ecosystem makes it extremely resilient to disruption. As long as the base network persists and at least one mining operation continues, Bitcoin will remain an effective value transfer system.

However, there are two Achilles heels. The first is that many Bitcoin users don’t interact directly with the Blockchain but rather go through a service which monitors the blockchain for transactions. Whether it is a hybrid wallet or a payment service like BitPay or Coinbase, if these companies’ servers go offline, it effectively cuts off their customers from the network. As we have seen to date (with the implosion of so many Bitcoin businesses), they are ill-prepared for the significant risks they are undertaking.

Major financial institutions are subject to guidelines published by the FFIEC, including business continuity planning for pandemics. I would be willing to bet that even the most solid names in Bitcoin don’t have a good business continuity or disaster recovery plan.

The second issue Bitcoin has is the need for all transactions to occur online. While a fully offline digital currency is neither efficient nor realistic, a hybrid approach which has some offline capabilities is important in a world that might have spotty internet service, electricity or intelligent devices. While a few people have tried to move Bitcoin offline by producing tokens with private keys embedded behind holograms, it’s a jerry-rigged and not very good method of creating offline money with Bitcoins. I do hope to change that.