Blockchain Legal Frameworks

Europe's launch of a digital wallet is a game changer for #banking and #payments, far beyond than we can imagine. Let’s take a look.   What happened?   On 29 Feb 2024 the EU adopted regulation to launch a European Digital Identity Wallet (EUDIW) that will harmonize #digitalidentity across Europe.   Main provisions:   —   EUDIW is an app allowing citizens to digitally identify themselves, store and manage identity data and official documents in digital form   —   Many wallets in each member state with the same technical standards, UX and functionality   —   Addressing both online and offline public and private services across the EU —   Recognized throughout Europe   —   Voluntary   —   Free for natural persons, businesses may be subject to fees   —   User control over their personal data   —   E-signature   —   EUDIW Toolbox based on the Architecture and Reference Framework (ARF) defining common specifications, referenced in implementing acts (legislative texts) across all EU Member States   —   Pilot projects until 2025 - 360 private companies and public authorities across the EU - testing everyday scenarios   —   Successor of the eIDAS regulation (launched in 2014)   Example use cases:   —   Access or open a bank account —   Perform onboarding process (AML, KYC) —   Initiate a payment —   Apply for a loan —   Submit a tax declaration —   Enroll for university —   Rent a car or book a hotel online —   Strong Customer Authentication   Implications for the #finance industry:   —   EUDIWs will unify all physical documents (IDs, passports, driving licenses, etc) under a digital front layer   —   Financial institutions and online platforms with more than 45 mn users (i.e. Amazon, Facebook) will be obliged to accept EUDIW   —   Banks will not have to maintain anymore their own authentication mechanisms, however the wallet will largely complement and not replace banks’ solutions   —   Service providers, such as PSPs or credit card companies may have to pay for identification services (i.e. to onboard customers)   —   PSD2 authentication requirements will be met via EUDIWs paving the ground for an increase in payment initiation and account information calls and boosting POS-based use cases such as QR code payments or payment initiation at POS   —   A combination with the Digital Euro is almost certain   Players in #financialservices will be influenced across 4 directions:   —   User experience —   Compliance —   Reduction of fraud —   New use cases   Impact:   —   Europeans can save up to 855,000 hours of time and businesses more than €11 bn a year   —   80 % EU citizens' adoption expected by 2030   Timing:   —   Publication in the EU Official Journal – Mar 2024   —   6 - 12 months for Implementing Acts   —   Within 24 months after Implementing Acts, Member States must provide EUDIWs. Organizations must accept them as an authentication method in the following year   Opinions: my own, Graphic sources: European Commission, Innopay, Gataca

🇫🇷 🤝🏻🇩🇪 : joint French-German proposals by our cyber agencies ANSSI - Agence nationale de la sécurité des systèmes d'information and the Federal Office for Information Security (BSI) Security on a decisive topic : the European digital Identity wallet 🇫🇷 ANSSI and 🇩🇪 BSI issued a new joint paper on remote identity verification ⭐️Following an initial joint publication in 2023, ANSSI and BSI are now releasing a new joint document aligned with the updated European regulatory framework. 🌍 Last month, Director General of ANSSI @Vincent Strubel & German counterpart Claudia Plattner reaffirmed the trusted relationship between #ANSSI and #BSI on the topic of remote identity verification. 📈 Since February 2024, the regulatory shift introduced by eIDAS 2 has brought forth the #EU Digital Identity Wallet, which may be issued based on remote identity verification. At the same time, cyber threats have continued to evolve, and European standardisation work on remote identity verification has progressed. Key takeaway =a secure and trusted EUDI Wallet depends on: 🔹Strong, harmonized standards 🔹Advanced defenses against remote attacks 🔹Cross-border interoperability and regulatory support. 🛡️ High Assurance is Essential for EUDI Wallet Onboarding. Remote identity proofing, particularly video-based methods, are being explored as alternatives to national eID systems but present significant technical and security risks. 🎯 3️⃣ Critical Verification Goals to ensure trustworthiness: 🔹Biometric genuineness 🔹Document authenticity (genuine, current, and physically possessed) 🔹Face matching (the face matches the ID document photo). ⚠️ 2️⃣ major categories of attacks: 🔹Presentation Attacks: use of photos, masks, or replayed videos in front of the camera. Exploit the fact that many ID document security features are not verifiable remotely. 🔹 Injection Attacks : Bypass the camera using pre-recorded or AI-generated data; Deepfakes and synthetic documents pose increasing challenges. ✅ Recommendations for Strengthening the Ecosystem 🔹Harmonise Evaluation Criteria -Establish pan-European test specifications directly mapped to LoA High. -Mandate biometric attack testing in evaluations 🔹Bridge the Document Verification Gap -Develop standards for remote verification of ID documents. -Promote chip reading over OCR where legally possible. -Ensure legal frameworks enable conformity assessment bodies to perform robust testing. #cyber #scybersecurity #Europe

#FinTech | #Compliance : Existing anti-money laundering (AML) approaches relying on trusted intermediaries have limited effectiveness with decentralised record-keeping in permissionless public blockchains. The public transaction history on blockchains can enable AML and other compliance efforts, such as FX regulations, by leveraging the provenance and history of any particular unit or balance of a #cryptoasset , including #stablecoins . An AML compliance score based on the likelihood that a particular cryptoasset unit or balance is linked with illicit activity may be referenced at points of contact with the #banking system ("off-ramps"), preventing inflows of the proceeds of illicit activity and supporting a culture of "duty of care" among crypto market participants. Source - BIS

𝗖𝗮𝗻 𝗚𝗗𝗣𝗥 𝗮𝗻𝗱 𝗕𝗹𝗼𝗰𝗸𝗰𝗵𝗮𝗶𝗻 𝘄𝗼𝗿𝗸 𝘁𝗼𝗴𝗲𝘁𝗵𝗲𝗿? 7 𝗞𝗲𝘆 𝗹𝗲𝗴𝗮𝗹 𝗾𝘂𝗲𝘀𝘁𝗶𝗼𝗻𝘀 𝗮𝗻𝘀𝘄𝗲𝗿𝗲𝗱 (𝗘𝗗𝗣𝗕 02/2025 𝗚𝘂𝗶𝗱𝗲𝗹𝗶𝗻𝗲𝘀 𝗜𝗻𝘀𝗶𝗱𝗲) New expert report by Varteni Kasapian (Partner, Data Protection Expert) and Ioanna Patsalidou (Associate, PhD Candidate at King’s College London) Published by: Christos Patsalides LLC Blockchain brings transparency, decentralisation, and innovation. But it also clashes with Europe’s strict data protection law, the GDPR. This new legal report explores how these two forces can coexist, and what blockchain developers and businesses must do now to stay compliant. 𝗪𝗵𝗮𝘁 𝗿𝗲𝗮𝗱𝗲𝗿𝘀 𝘄𝗶𝗹𝗹 𝗹𝗲𝗮𝗿𝗻: ·      7 major legal tensions between GDPR and blockchain ·      Practical guidance from the EDPB 02/2025 Guidelines ·      Compliance checklists and steps for smart contract systems and DAOs 𝗞𝗲𝘆 𝗹𝗲𝘀𝘀𝗼𝗻𝘀 𝗹𝗲𝗮𝗿𝗻𝗲𝗱: 1.    𝗜𝗺𝗺𝘂𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝘃𝘀. 𝗥𝗶𝗴𝗵𝘁 𝘁𝗼 𝗯𝗲 𝗙𝗼𝗿𝗴𝗼𝘁𝘁𝗲𝗻: Blockchain can’t delete data, but GDPR requires it. 2.    𝗗𝗮𝘁𝗮 𝗖𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗿 𝗗𝗶𝗹𝗲𝗺𝗺𝗮: Identifying legal responsibility is challenging in decentralised systems. 3.    𝗟𝗮𝘄𝗳𝘂𝗹 𝗕𝗮𝘀𝗶𝘀 𝗜𝘀𝘀𝘂𝗲𝘀: Consent alone is not enough; other legal bases must be evaluated. 4.    𝗗𝗮𝘁𝗮 𝗠𝗶𝗻𝗶𝗺𝗶𝘀𝗮𝘁𝗶𝗼𝗻: Store less on-chain. Off-chain alternatives and pseudonymisation are crucial. 5.    𝗖𝗿𝗼𝘀𝘀-𝗕𝗼𝗿𝗱𝗲𝗿 𝗥𝗶𝘀𝗸𝘀: Decentralised storage triggers GDPR compliance gaps in international transfers. 6.    𝗔𝘂𝘁𝗼𝗺𝗮𝘁𝗲𝗱 𝗗𝗲𝗰𝗶𝘀𝗶𝗼𝗻𝘀 & 𝗦𝗺𝗮𝗿𝘁 𝗖𝗼𝗻𝘁𝗿𝗮𝗰𝘁𝘀: Human oversight must be integrated to meet Article 22. 7.    𝗡𝗲𝘄 𝗚𝘂𝗶𝗱𝗲𝗹𝗶𝗻𝗲𝘀 02/2025: The EDPB provides clear legal and technical steps for responsible innovation. 𝗔𝗰𝘁𝗶𝗼𝗻𝗮𝗯𝗹𝗲 𝘀𝘁𝗲𝗽𝘀 𝗳𝗼𝗿 𝗯𝗹𝗼𝗰𝗸𝗰𝗵𝗮𝗶𝗻 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀𝗲𝘀: ·      Conduct Compliance Readiness Assessments ·      Implement Privacy by Design and Default ·      Explore off-chain data storage wherever possible ·      Engage with regulators and public consultations ·      Perform Data Protection Impact Assessments (DPIAs) when personal data is involved 𝗖𝗼𝗻𝗰𝗹𝘂𝘀𝗶𝗼𝗻: GDPR and blockchain don’t have to be at odds. With thoughtful architecture and compliance planning, businesses can protect users and embrace innovation. 𝗡𝗼𝘄 𝗼𝘃𝗲𝗿 𝘁𝗼 𝘆𝗼𝘂: ·      Should decentralised systems adapt to GDPR, or should regulation evolve? ·      How can we assign accountability without central authorities? ·      Would you trust a blockchain system with your personal data? Let’s open the conversation. The future of trust in Web3 may depend on how we answer these questions. Maurizio Di Vito Bob Mastrolilli Renaud LE SQUEREN Vitaly Bondar Karolis Juskys Nemanja Škarin Simon Schmitz, ACCA Giulia Calloni Alexandre Gallez Lorenzo Montini-Maring Stefano Cafiero Massimiliano Gozzi Barbara Azoulay Bato Kikic Ruiqi Tan

Cryptocurrencies are often abused for money laundering. Although I don’t believe they are exploited more than traditional fiat currencies, the truth is that cryptocurrencies are in some cases used for: ↳ Laundering illicit proceeds ↳ Evading sanctions ↳ Financing terrorism ↳ Supporting cyberattacks and ransomware But blockchain - the underlying tchnology can be used those committing those actions. But only if we understand how. Here are 4 ways blockchain supports AML efforts: 1️⃣ Permanent transaction records ↳ Once recorded, blockchain transactions cannot be altered or deleted. Each transaction is cryptographically linked to the one before it, creating a permanent, verifiable chain of records. This ensures that the entire transaction history remains intact and tamper-proof. => It allows investigators to reconstruct the transactions and trace movement of funds with precision. 2️⃣ Publicly visible data ↳ Most blockchains (like Bitcoin and Ethereum) are transparent. Anyone can see the movement of funds. You don’t need access requests to view transactions. => This enables real-time tracing of fund flows and immediate identification when assets reach high-risk or sanctioned wallets. 3️⃣ Use of blockchain analytics tools ↳ These tools link addresses to real-world persons or entities. They can identify whether a wallet has previously transacted with darknet markets, mixers, scam-related addresses, or other high-risk services. => This helps compliance teams detect high-risk activity early by flagging wallets with known exposure to illicit sources. 4️⃣ Faster response in investigations ↳ Traditional payment tracing through banks often takes days or even weeks. In contrast, blockchain data is accessible immediately. Investigators can view and analyze transactions in real time. => This allows compliance teams to act quickly—conducting internal reviews without delay and filing Suspicious Transaction Reports (STRs) more promptly when required. Blockchain is not a risk-free environment, but it offers tools we’ve never had before! The question is: Are we using them effectively? What do you think? Does blockchain enable or prevents financial crime?

How do you promote compliance with #AntiMoneyLaundering (#AML) rules in a world of public permissionless #Blockchains? In a new Bank for International Settlements – BIS bulletin, Iñaki Aldasoro, Sang Hyuk Lim, Fernando Perez-Cruz, Hyun Song Shin and I put forward an approach to AML compliance that makes use of the very features that make #Blockchain impervious to traditional approaches. As the full history of transactions on the blockchain is publicly available, it can inform an assessment of how closely a particular unit of a cryptoasset is associated with past or current #IllicitActivity (such as #MoneyLaundering, #TerrorismFinancing, etc). A diagnostic AML compliance score could be referenced in any further interventions by authorities when #Cryptoassets (including #Stablecoins) are presented for conversion to fiat currency at the off-ramps – notably, at the point of contact with the banking system. https://lnkd.in/eh9ssGf9

"The rapid evolution of #cryptoassets, including #stablecoins, and retail central bank digital currency (#CBDC) has led to changes in #regulatory_frameworks to incorporate them. The expansion of options beyond bank deposits and cash calls for a holistic analysis of the effectiveness of anti-money laundering (#AML) and combating the financing of terrorism (#CFT) regimes across different payment instruments. … Several conceivable #regulatory_options can apply consistently across payment instruments #without_intermediaries. First, for all instruments in this group, AML/CFT frameworks can leverage touch points, or #entry_exit_points, where illicit funds interact with those intermediaries in the first group of instruments, while acknowledging that this is a partial solution as it only allows for the monitoring of incoming and outgoing transactions.   Examples of such touch points include #cash_withdrawals or #deposits with #commercial_banks and the conversion between self-hosted #stablecoins and commercial bank deposits or e-money. …   A stronger emphasis could be placed on the responsibilities of and enforcement by the #issuers_of_payment_instruments. As issuers of banknotes, central banks have a role to play, as illustrated by the decision of the Eurosystem to discontinue the issuance of EUR 500 notes in 2019 to address AML/CFT concerns. Similarly, #stablecoin_issuers have complied with requests from authorities to freeze the coins in self-hosted wallets associated with illicit activities."   — From: Andrea Minto, Anneke Kosse, Takeshi Shirakami and Peter Wierts, From Cash to Crypto: Towards a Consistent Regulatory Approach to Illicit Payments, Bank for International Settlements [#BIS], BIS Papers No. 166, March 3, 2026   The full paper is here: https://lnkd.in/geZds7wy

Stablecoin anti-money laundering (AML) and sanctions compliance programs? On March 23, 2026, Treasury's Financial Crimes Enforcement Network (FinCEN) sent over to the OIRA (Office of Information and Regulatory Affairs) a proposed rule titled "Permitted Payment Stablecoin Issuers Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements". OIRA's job is to review the proposed rule and, if it meets all the required legislative and various Executive Order requirements, approve it. They generally do that in 30-90 days. Once approved, FinCEN then sends it to the Federal Register for "notice and comment" publication. What jumps out at me about this is the title, which contemplates two programs for permitted payment stablecoin issuers: an AML/CFT program, and a sanctions compliance program. With that, permitted payment stablecoin issuers would be the only financial institutions that would be required, by regulation, to have a sanctions compliance program. There is nothing in our existing sanctions (OFAC) related laws and regulations that requires an institution to have a sanctions compliance program: currently, lack of a program, or lack of an effective program, goes to penalty, not liability.