Another Schrems II in the making? Trump’s privacy moves could wreck EU-US Data Transfers (again)

EU privacy pros, brace yourselves: transatlantic data transfers might be on the chopping block once more.

In a move that is already raising alarms in the privacy and compliance world, President Donald Trump has removed key members of the Privacy and Civil Liberties Oversight Board (PCLOB), the very body meant to ensure US surveillance practices respect privacy rights. 

Why does this matter for GDPR compliance? Because the PCLOB plays a key role in the EU’s trust in US data protection mechanisms under the new EU-US Data Privacy Framework (DPF). Without it, European regulators could pull the plug on the DPF just like they did with Privacy Shield, throwing companies back into legal uncertainty. 

Déjà vu? We have been here before

First, Safe Harbor (an agreement between the EU and the U.S. that allowed companies to transfer personal data from the EU to the U.S. based on a self-certification of adequate privacy protections) collapsed. Then came Schrems II, a case brought by Max Schrems, an Austrian privacy advocate and lawyer, which led the CJEU to invalidate the Privacy Shield (the successor of Safe Harbor) in 2020. The Court found that U.S. surveillance laws were incompatible with GDPR and the fundamental rights guaranteed by the EU Charter. The DPF was supposed to fix this by strengthening oversight, but with the PCLOB in disarray, is it still credible?

If the EU decides the US isn’t holding up its end of the deal, we could see: 

  • Another invalidation of EU-US data transfers 
  • More legal battles from privacy activists (Schrems III?) 
  • Companies scrambling for Standard Contractual Clauses (SCCs) or costly local hosting solutions

What’s next? 

European regulators will likely demand answers and possibly rethink the DPF’s adequacy decision. Max Schrems and his organization “None of Your Business” (NOYB) could challenge the framework in court, and history tells us they tend to win. But most importantly, businesses relying on EU-US data flows should prepare for disruption and explore alternative compliance strategies. Nonetheless, to ensure compliance, conducting a Data Transfer Impact Assessment (DTIA) is strongly advised.

What’s your take? 

Is this just political noise, or are we on the verge of yet another GDPR disaster? Should companies start future-proofing their data transfer strategies now?

 

Need help navigating the shifting landscape of EU-US data transfers? Our experts can support you in assessing risks and future-proofing your data transfer strategy.

Please reach out to us on: info@compliancechamps.com


The Bybit hack: 4 key compliance and AML lessons we learned from North Korea’s largest crypto hack

On February 21, 2025, Bybit fell victim to a cyberattack that resulted in an unprecedented loss of approximately $1.46 billion in digital assets. To put the breach into perspective, the previous largest crypto heist was the $611 million that was stolen from Poly Network in 2021. Early reports pointed to the notorious Lazarus Group, a North Korean state-backed cybercriminal organization, which has already been implicated in several high-profile hacks and money laundering operations in the past. The FBI has since confirmed the Lazarus Group as the perpetrators of the attack.

The breach raises critical questions regarding the security of centralized exchanges, particularly in the wake of the Digital Operational Resilience Act (DORA). What truly underscores the importance of compliance and anti-money laundering (AML) measures is the speed with which the stolen funds were funnelled into laundering networks. TRM Labs estimates that at least $160 million was laundered within the first 48 hours, with this figure surpassing $400 million within a week, illustrating a level of operational efficiency and professionalism we haven’t seen before.

How the funds were laundered, an overview

With the stolen funds still circulating through the crypto ecosystem, examining the methods used to obfuscate the origin of the stolen funds is more relevant than ever. The Lazarus Group’s laundering tactics were notably sophisticated, leveraging various crypto services and decentralized exchanges (DEXs) to hide the trail of illicit funds.

The laundering operation commenced immediately after the breach, when the stolen assets, initially consisting of mETH and sETH (liquid staking tokens)[1], were converted into ETH using DEXs. This step was vital to avoid intervention by token issuers, who could potentially freeze the compromised assets. Since Ether and Bitcoin are not controlled by a centralized authority, they are less susceptible to being frozen.

Following the conversion to ETH, the Lazarus Group employed a common money laundering technique known as “layering”, dispersing the funds through multiple intermediary wallets in an attempt to conceal the origin of the funds and hinder tracking efforts. While the inherent transparency of the blockchain allows for the tracing of transactions, this strategy bought the hackers time to move the funds to different wallets, swap tokens, use cross-chain bridges, and interact with no-KYC instant swap services. Using these crypto services, the hackers swapped significant amounts of ETH for other cryptocurrencies, especially BTC and DAI.

Historically, North Korea has relied on crypto mixers as part of its laundering operations to obfuscate the origin of stolen assets before converting them into fiat currencies. With increased scrutiny and law enforcement actions targeting mixing services, it appears the Lazarus Group is now prioritizing speed and efficiency over privacy.

Key Compliance and AML Takeaways

The aftermath of the Bybit hack provides several important lessons for compliance officers, regulatory bodies, and businesses operating in the cryptocurrency sector. While the hack highlights vulnerabilities that still exist, it also underscores the importance of strong compliance frameworks, robust AML practices, and industry-wide cooperation. Some key takeaways include:

1. Enhanced Transaction Monitoring Systems

The sophistication of the laundering methods used in this case highlights the necessity for cryptocurrency platforms to implement advanced transaction monitoring systems. Through a combined effort, blockchain analytics firms, law enforcement and centralized exchanges were able to actively trace the stolen funds, identifying and flagging wallets related to the Lazarus Group. While several centralized exchanges were able to freeze assets, a large portion of the stolen funds remains under the hackers’ control and further attempts to launder these funds are expected in the coming days or weeks. The ongoing investigations illustrate both the effectiveness of blockchain and transaction monitoring and the challenges presented by cryptocurrency services such as DeFi protocols that potentially do not leverage blockchain analytics.
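
To make the tracing idea concrete, here is an added example (not from the original article, and not any analytics vendor's method) that follows funds through layering hops with a proportional "haircut" taint model and raises alerts on deposits into monitored exchange addresses. The wallet labels, amounts and alert threshold are constructed, and the haircut model is an assumption chosen for illustration.

```python
"""Proportional ("haircut") taint tracing over a constructed transfer list.

Added illustration: wallet labels, amounts and thresholds are made up,
and the haircut model is only one of several tracing heuristics.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Transfer:
    ts: int       # ordering key, e.g. block height (constructed)
    src: str
    dst: str
    amount: int   # whole ETH, kept integral so the arithmetic stays exact


def trace_taint(transfers, opening_balances, seed_wallets):
    """Replay transfers in time order; return (transfer, tainted_amount, hops).

    Each outgoing transfer carries taint in proportion to the share of the
    sender's balance that is traceable to a seed wallet at that moment.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    hops = {}  # fewest transfers seen so far between a seed wallet and a wallet

    for wallet, amount in opening_balances.items():
        balance[wallet] = Fraction(amount)
    for wallet in seed_wallets:
        tainted[wallet] = balance[wallet]  # a flagged wallet's funds all count as stolen
        hops[wallet] = 0

    results = []
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.amount <= 0 or balance[t.src] < t.amount:
            raise ValueError(f"transfer at ts={t.ts} exceeds balance of {t.src}")
        moved = t.amount * tainted[t.src] / balance[t.src]
        balance[t.src] -= t.amount
        tainted[t.src] -= moved
        balance[t.dst] += t.amount
        tainted[t.dst] += moved
        hop = None
        if moved > 0:
            hop = hops[t.src] + 1
            hops[t.dst] = min(hop, hops.get(t.dst, hop))
        results.append((t, moved, hop))
    return results


def deposit_alerts(transfers, opening_balances, seed_wallets, monitored, min_tainted):
    """Alert on deposits to monitored addresses carrying >= min_tainted stolen funds."""
    alerts = []
    for t, moved, hop in trace_taint(transfers, opening_balances, seed_wallets):
        if t.dst in monitored and moved >= min_tainted:
            alerts.append({
                "ts": t.ts, "from": t.src, "to": t.dst,
                "amount": t.amount, "tainted": moved, "hops": hop,
            })
    return alerts


# Constructed sample data: one flagged wallet, three layering hops, and an
# unrelated user whose clean funds are commingled at hop-c.
SEEDS = {"theft-wallet"}
OPENING = {"theft-wallet": 100, "unrelated-user": 60}
MONITORED = {"exchange-deposit-1", "exchange-deposit-2"}
SAMPLE_TRANSFERS = [
    Transfer(1, "theft-wallet", "hop-a", 50),
    Transfer(2, "theft-wallet", "hop-b", 50),
    Transfer(3, "hop-a", "hop-c", 50),
    Transfer(4, "unrelated-user", "hop-c", 50),               # clean funds mixed in
    Transfer(5, "hop-c", "exchange-deposit-1", 40),           # half of this is traceable
    Transfer(6, "hop-b", "exchange-deposit-2", 10),           # fully traceable
    Transfer(7, "unrelated-user", "exchange-deposit-1", 10),  # clean deposit, no alert
]

if __name__ == "__main__":
    for a in deposit_alerts(SAMPLE_TRANSFERS, OPENING, SEEDS, MONITORED, min_tainted=5):
        print(f"ts={a['ts']} {a['from']} -> {a['to']}: "
              f"{float(a['tainted']):.1f} of {a['amount']} ETH traceable, {a['hops']} hops")
```

Commingling at an intermediary wallet dilutes the traceable share but does not erase it, which is why the deposit from hop-c still raises an alert three hops away from the flagged wallet.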

2. Strengthening KYC and AML Standards

Crypto exchanges must ensure they adhere to stringent Know Your Customer (KYC) procedures and perform regular AML checks throughout the lifecycle of their client. While KYC requirements are now standard across exchanges, many DeFi platforms continue to lag in establishing robust identity verification processes. As decentralized finance and privacy tools continue to evolve, there is a growing need for a more rigorous approach to user onboarding and transaction monitoring to prevent illicit activity. A notable example of a decentralized protocol already taking such actions is Chainflip, which implemented an emergency software update, blocking incoming funds tied to the hack.

3. Collaboration within the industry and law enforcement agencies

Effective collaboration within the industry and with law enforcement agencies is vital in combating money laundering threats and protecting the ecosystem. In response to the hack, Bybit launched a bounty program offering rewards of up to 10% for successfully frozen funds. This initiative sparked collaboration among industry actors, complicating efforts by the hackers to convert stolen assets into fiat currencies. This demonstrates the importance of swift, collaborative responses to protect the integrity of the cryptocurrency ecosystem and defend against these sophisticated cyber-attacks.

4. Education and Awareness

The Bybit hack highlights the need for continuous education and awareness within the crypto industry. Firms should invest in regular training for compliance teams to stay ahead of emerging laundering tactics. Moreover, educating users on the risks of interacting with unregulated platforms remains crucial to curbing illicit activity in the crypto space.

 

Conclusion: The Path Forward for Crypto Compliance

The Bybit hack serves as a reminder of the vulnerabilities currently present in the crypto ecosystem. As illicit actors become increasingly sophisticated in their methods, the need for robust compliance and AML measures has never been greater. Exchanges, DeFi platforms, and regulators must work together to close the gaps in the current system, implement strong monitoring tools, and ensure that the crypto space remains a safe and secure environment for legitimate users.

The ongoing investigations and the collaborative actions taken in response to the hack exemplify the cryptocurrency sector’s growing commitment to improving security standards and protecting users from illicit activity. By focusing on enhancing compliance frameworks, tightening KYC and AML standards, and fostering a culture of cooperation, the industry is taking crucial steps toward mitigating the risks of future breaches.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com



[1] Liquid staking tokens are tradeable assets obtained in exchange for staking a cryptocurrency in a proof-of-stake blockchain.

Getting ready for DORA compliance: what financial institutions should know for 2025

DORA compliance is now in effect! As of 17 January 2025, financial institutions are required to meet the standards set by the Digital Operational Resilience Act (DORA). With national supervisors like the Dutch Authority for the Financial Markets (AFM) increasing their supervision, it’s time to prioritize your preparations! Here’s a quick breakdown of what to expect and how to stay ahead.

What’s changing in 2025?

Starting this year, supervisory authorities will actively review how financial institutions comply with DORA. This includes submitting critical information to the European Supervisory Authorities (ESAs: EIOPA, ESMA, and EBA) and ensuring operational resilience across the financial sector.

For a detailed look at the DORA regulation, you can access the official text here: DORA Regulation (EU) 2022/2554.

Key Priorities for 2025

1. Submitting the register of information

The first big milestone for DORA compliance is the register of information. Here’s what you need to know:

  • Deadline: the AFM and DNB must submit the first registers of information to the ESAs by 30 April 2025.
  • Action needed: If your organization is subject to DORA, expect an information request from the AFM soon after DORA takes effect. Preparing now is important to meet the deadline.
  • Annual updates: After the initial submission, you’ll need to provide updates yearly. The AFM and DNB will verify your register before it’s sent to the ESAs.

This register helps ESAs identify critical ICT third-party providers, who will then come under direct ESA supervision.

 

2. Reporting ICT-related incidents

Major ICT incidents must be reported promptly. Here’s how it works:

  • Notification timeline:
    • Notify the AFM or DNB within 4 hours of classifying an incident as “major.”
    • Submit an intermediate report within 72 hours.
    • Deliver a final report within 1 month.
  • Proactive communication: while reporting is mandatory for major incidents, voluntary reporting of cyber threats is also encouraged. This helps build a clearer picture of sector-wide risks.

The AFM will assess your reports for completeness and may request additional details to understand the full impact.

 

3. Threat-led penetration testing (TLPT)

For some firms, TLPT will become part of compliance efforts. Firms designated by the AFM will undergo rigorous testing to ensure resilience against cyber threats.

  • Designation: If your firm is selected, you’ll be notified by letter.
  • Preparation: the AFM will guide you through the process, from planning to execution.
  • Certification: successful completion earns your firm a certificate demonstrating compliance.

 

What Should You Do Next?

  1. Act now: start preparing your register of information and review incident reporting protocols.
  2. Engage your team: ensure your ICT and compliance teams understand DORA’s requirements.
  3. Stay updated: follow updates from the AFM and be ready to act on any requests or notifications.

Why DORA matters

DORA isn’t just about meeting regulatory demands; it’s about strengthening the financial sector’s resilience in an increasingly digital world. By preparing early, your organization can avoid unnecessary risks, show compliance, and build trust with stakeholders.

Let’s embrace this challenge as an opportunity to improve operational resilience and cybersecurity across the board. Is your organization ready for DORA? Share your thoughts below!

Building resilience in a crypto-powered financial system

The European Banking Authority (EBA) has taken another significant step towards integrating crypto assets into the regulatory framework, with its recent consultation on draft technical standards. This consultation is a key move in ensuring financial stability while supporting innovation in such a rapidly evolving sector.

As businesses and financial institutions increasingly engage with crypto assets, the challenges of managing associated risks have become more present. The EBA’s proposed standards, rooted in the Basel Committee’s prudential guidelines, aim to provide clarity on capital requirements for crypto-asset exposures. By doing so, they seek to strike a balance between risk mitigation and maintaining a level playing field in the financial ecosystem.

These are the key aspects of the consultation:

  1. Classification of crypto-assets: The framework outlines distinctions between tokenized traditional assets, stablecoins, and unbacked crypto-assets, tailoring capital requirements to the specific risk profiles of each category.
  2. Risk sensitivity: The draft standards propose different treatments for crypto assets based on their volatility, liquidity, and transparency. This approach helps address concerns related to potential market disruptions.
  3. Operational and market risks: Beyond credit and counterparty risks, the standards consider the operational and market risks unique to crypto assets, ensuring complete risk management.

For firms operating in the crypto space, this consultation signals the importance of aligning operational practices with growing regulatory expectations. Compliance professionals must stay ahead of these developments, proactively assessing their exposure and ensuring robust frameworks to meet potential requirements.

At Compliance Champs, we understand the complexity of managing regulations like these, and we are here to help businesses interpret and implement these changes effectively.

The EBA’s initiative is proof of the increasing recognition of crypto assets within mainstream finance. While challenges remain, this regulatory clarity is a step forward in enabling sustainable growth and innovation.

What are your thoughts on these draft standards? Let’s discuss how these measures might shape the future of crypto-asset regulation.

New EU travel rules go into effect in 2025, some crypto coins and bank cards can’t be used.

Elevating TBML Risk Management: from window dressing to data-driven approach

https://compliancechamps.com/wp-content/uploads/2024/06/Elevating-TBML-Risk-Management-from-window-dressing-to-data-driven-approach.pdf

Financial Freedom against Money Laundering

Tornado Cash, what is it? Tornado Cash is a cryptocurrency tumbler, a decentralized application built on the Ethereum blockchain that facilitates privacy for its users. It does so by pooling the crypto of all its users, mixing it, and sending each user different crypto, making it almost impossible to trace the origin of the transaction. Blockchains are very transparent, and you can see which wallets make transactions with each other. To use Tornado Cash, you deposit funds into the protocol and claim your deposit minus a fee in your wallet.

On the seventh of August 2022, the Office of Foreign Assets Control (OFAC) placed Tornado Cash on the sanctions list. The protocol allegedly helped criminals to launder their money. Crypto analytics company Elliptic concluded that 1,5 billion dollars were laundered with Tornado Cash. It is now illegal for US citizens and companies to use the tool.

There is a lot of skepticism about placing Tornado Cash on the sanctions list, because Tornado Cash is not a company but a DAO (Decentralized Autonomous Organization) – simplified, a protocol that runs without any human interaction. An interesting recent example is that someone made a transaction to BlackRock, the world’s largest investment management firm based in the US, using Tornado Cash. This would imply that BlackRock is unwittingly involved in an illegal transaction.

Does Tornado Cash have any legitimate use? Yes, if someone lives in an oppressive regime, they might want to increase their privacy. An example demonstrating the legitimate utility of crypto mixers occurred when Vitalik Buterin, one of the co-founders of Ethereum, donated funds to Ukraine in support of its conflict against Russia. Consider the significance of privacy for a Russian individual seeking to contribute financially to Ukraine’s cause.

Alexey Pertsev, one of the developers of Tornado Cash, was arrested right after the US placed Tornado Cash on the sanctions list. He is held responsible for laundering over 1,2 billion dollars and might face a 64-month sentence. The controversy in this case is that crypto mixers are not illegal by law, which is why some find the accusation unfair.

In conclusion, it all comes back to the question: “How do we provide a high level of privacy while making money laundering impossible?”

AMLD5 versus MiCAR

With the MiCAR approaching, a lot of parties involved with crypto-assets, including crypto-asset service providers (CASPs), will have to implement this new regulation. Services like the placing of crypto-assets and providing advice on crypto-assets need to comply with an extensive set of requirements, while these services were not yet regulated under the AMLD5.

Under the AMLD5, CASPs in the Netherlands providing the services for the exchange between virtual currencies and fiat currencies and providing custodian wallet services fall under the scope of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), which includes the AMLD5 implementation.

In this article we would like to look at some of the most significant differences between the current AMLD5 regime and the new MiCAR regime:

  • MiCAR requires a license, which takes a lot more effort to receive than a registration, due to the more extensive range of requirements included in the regulation. AMLD5 only requires a registration.
  • Where the AMLD focuses on AML-CFT issues and risks, the MiCAR has broadened this scope: it includes rules on, for example, market abuse and sets prudential requirements for CASPs.
  • MiCAR is a Regulation instead of a Directive (AMLD5). A Regulation is directly applicable in Member States after its entry into force (another example is the GDPR). A Directive first needs to be implemented in the national laws of a Member State, just like the AMLD5 was implemented in the Wwft.
  • The competent authority for most service providers under the MiCAR, including the crypto-asset services that currently require a registration, will be the AFM instead of the DNB under which they are currently registered. The DNB will however become the competent authority for issuers of ARTs and EMTs.
  • MiCAR introduces passporting opportunities, whereas registration only permits service providers to offer and market services in one country. As a result, under the old regime, a CASP (Crypto-Asset Service Provider) needed to apply for registration in multiple countries to offer and market services there.
  • Lastly, a lot more services are in scope of the MiCAR. The registration only focuses on service providers offering services for the exchange between virtual currencies and fiat currencies and providing custodian wallet services. The MiCAR focusses on a lot more crypto-asset services (full list of CASP-services can be found in article 3 (1) under 16 MiCAR).

The MiCAR regime leads to further regulation in the crypto market, with more crypto parties required to obtain and maintain a license. It is an understatement to say that challenging times are ahead.

Travel Rule

Let’s start at the beginning. Initially, the Travel Rule only applied to financial institutions. AMLD4 was adopted to ensure that the Financial Action Task Force (FATF) requirements on wire transfer service providers, and in particular the obligation on payment service providers to accompany transfers of funds with information on the payer and the payee, were applied uniformly throughout the EU. The latest changes introduced in June 2019 in the FATF standards on new technologies have provided new and similar obligations for crypto-asset service providers, also known as CASPs, to facilitate the traceability of transfers of crypto-assets.

The Travel Rule is established for the purpose of preventing, detecting, and investigating money laundering and terrorist financing. The Travel Rule applies to transfers of funds, in any currency, which are sent or received by a payment service provider, or an intermediary payment service provider established in the EU. It shall also apply to transfers of crypto-assets, including transfers of crypto-assets executed by means of crypto-ATMs, where the CASP, or the intermediary CASP, of either the originator or the beneficiary has its registered office in the EU.

Since the Travel Rule is new in the crypto sector, we will focus on the requirements and implications for CASPs and financial institutions that are engaged in crypto-asset transfers. The Travel Rule requires CASPs to accompany transfers of crypto-assets with information on the originators and beneficiaries of those transfers. CASPs are also required to obtain, hold, and share that information with their counterpart on the other end of the crypto-asset transfer and make it available to competent authorities on request. The CASP should carry out due diligence of its counterparty. Because the personal data of the transacting parties ‘travels’ with their transfers, the regulation was dubbed the “Travel Rule”. Examples of information that needs to be shared with the counterparty are the name of the originator or beneficiary, blockchain address, address, country, and personal document number.

It is interesting to mention that the FATF recommends that countries adopt a de minimis threshold of 1,000 USD/EUR for crypto-asset transfers, while keeping in mind that there would be fewer requirements for crypto-asset transfers below the threshold compared to those above the threshold. The Transfer of Funds Regulation, however, applies to all transactions regardless of the amount. There is only one exception: a CASP is only required to verify the information on the user of a self-hosted address in the case of a transfer of an amount exceeding EUR 1 000 that is sent or received on behalf of a client of a CASP to or from a self-hosted address.

Of course, every new regulation has its own challenges and implications for the market it will apply to. We would like to name a few:

  • Lack of technical resources and extra costs for CASPs: Compliance with the Travel Rule requires implementations and adjustments of the systems that are in place, which will most likely add costs to the business operations.
  • Lack of interoperability: CASPs use various protocols and solutions that are not always able to interact with each other, complicating communication and data exchange.
  • Non-uniformity among jurisdictions: countries adopt the Travel Rule based on their own regulations, which may deviate from FATF standards. In particular, jurisdictions may have different de minimis thresholds as mentioned before, varying originator and beneficiary data to be collected and transferred, etc.
  • Another industry concern is the so-called ‘Sunrise Issue’. The Travel Rule requirements are enforced at a different pace across jurisdictions. This means that one CASP may be Travel Rule-obligated while its cross-border counterparty may not be.

The EU Travel Rule shall apply as of the 30th of December 2024. In the meantime, the crypto market will be working hard on implementing the Travel Rule within its business.

Something to look out for is that by 1 July 2026, the Commission of the EU shall issue a report assessing the risks posed by transfers to or from self-hosted addresses or entities not established in the EU, as well as the need for specific measures to mitigate those risks, and propose, if appropriate, amendments to the Transfer of Funds Regulation.

Compliance Champs and ChainComply announce partnership

Dutch-based crypto asset compliance advisory Compliance Champs and Belgium-based Crypto AML SaaS provider ChainComply today announced their intention to create a strategic partnership to strengthen the offering of both companies, specifically for clients within Europe.

, , :
We are thrilled to announce this partnership with ChainComply, which allows us to further mitigate the financial economic crime risk for financial institutions and crypto asset service providers. ChainComply provides a customer-friendly solution to obtaining transaction data, source of funds information and identifying the potential risks of these end-clients. In addition, it is a highly efficient way of performing KYC investigations which will enable a large cost reduction for financial institutions and crypto asset service providers.

, , :
We are pleased to announce the establishment of a strategic partnership between Compliance Champs and ChainComply. SaaS companies like ours may have a fantastic product, but implementation can be tricky for customers. Compliance Champs brings deep knowledge and experience, helping our customers get the most out of our SaaS product by customizing it to their specific needs and workflows.

info@compliancechamps.com

ChainComply
lukasz.lukaszewski@chaincomply.io

Compliance Champs is a Rotterdam-based niche consultancy firm which focuses on advising financial institutions (banks, insurance companies and asset managers) and crypto service providers regarding their compliance risk management. Energised by the intersection of laws and regulations, business operations and rapid technological developments, and leveraging extensive experience and expertise in the field, Compliance Champs is able to deliver end-to-end solutions that help clients to become and stay compliant. This is done by applying a holistic approach which covers the full spectrum of delivery, from regulatory gap and impact analysis and policy development to operational implementation.

ChainComply provides enhanced KYT due diligence solutions for banks and crypto exchanges’ fin-crime departments and relieves them from stressing over their interactions with crypto exchanges.

ChainComply develops a SaaS tool that scans the client’s crypto exchange and blockchain transaction history to reveal the source of funds of crypto holders. The company solution simplifies complex transaction streams and identifies high-risk transactions and patterns, enabling AML teams to understand their clients better and meet regulatory obligations efficiently. Learn more at: www.chaincomply.io

The European Central Bank competes with Bitcoin

The ECB has several reasons for developing a CBDC. They want to reduce reliance on private money. Money put into circulation by the central bank is what we call public money. These are physical banknotes and coins. Private money is money put into circulation by commercial banks. This is money you can access online. With current technological developments and their adoption, cash is becoming increasingly obsolete. The ECB wants to avoid becoming completely dependent on private money because it has a number of downsides.

The Austrian school of economics questioned monetary policy as early as the 19th century. According to this school, monetary policy causes fluctuations in the business cycle. Ideas from the Austrian school have been adopted in the most famous crypto: Bitcoin.

In short, Bitcoin is the largest cryptocurrency in market size. Bitcoin is an alternative payment currency and therefore competes with the euro. Friedrich Hayek, an economist of the Austrian school of economics, states in a report, “Choice in Currency,” that people should be able to choose which currency they want to pay with. As a result, the best currency will be used the most. The ECB sees the increase in the adoption of cryptocurrencies as a threat and would like to have more control over payments itself. By innovating the euro, people would regain confidence in the euro. An example of a possible advantage is that payments could go directly between parties (peer-to-peer), like the possibilities that Bitcoin offers. This means there is no third party to whom you must pay transaction fees. This should make cross-border payments cheaper.

Through the CBDC, the ECB can properly track financial traffic. The ECB would be able to track the financial behavior of individuals. To use the CBDC, users must follow an onboarding process like opening a bank account. In doing so, they provide personal data. Governments have indirect visibility into the data at the ECB. In other words, the financial behavior of individuals may become visible to the government. This creates privacy concerns. For the CBDC to be a success, the ECB needs to ensure the privacy of the people using the CBDC. Studies suggest that people will use a CBDC only if it offers good privacy. Privacy is a basic human right, and it helps against unjust power abuse. But to what extent should we allow privacy within the CBDC process without blurring compliance requirements?

The offline CBDC should provide more privacy for lower-value transactions. This involves limiting the amount and number of transactions. This should make it less attractive for criminals to abuse the digital euro.

For the online CBDC, the current plan is to screen transaction data in the same way as the regular banking system does. The transaction monitoring will be done by Payment Service Providers, most likely commercial banks. Only the most necessary data will then be shared with the ECB, and this will be done pseudonymously. This means that the individual’s personal data will not be sent, but, for example, only his/her account number.

Not only Europe is developing a CBDC. Other countries are looking into the possibilities as well. China is working on the Digital Yuan, which they see as an additional tool for monitoring and controlling citizen behavior. Strangely enough, they are offering the same possibilities as the ECB is planning with the Digital Euro. According to a press release of the Central bank of China, the digital yuan would be anonymous for small transactions and monitored according to legal requirements for larger amounts. Again, the data would not be shared with governments, only where required by law. China is trying to get citizens to use the CBDC, but less than 20% actually do so. It seems that the people who created a wallet did so to participate in the lotteries offered when creating an account and not to use the CBDC.

China is trying to get its citizens to use the E-yuan because the CBDC could be programmable. This means that the government can attach conditions to the money. This means that the government could potentially only allow people to spend the CBDC for certain spending purposes. For example, the government can stipulate that their citizens cannot buy more than one airline ticket. This way of financial control is the biggest dream of an authoritarian superstate. Europe says it will not make the digital euro programmable and wants to establish this by law.

Is programmability always bad? This can be debated. Programmability can also protect individuals. For example, a gambling addict could gamble only a limited portion of his income, or an alcoholic could buy limited liquor. People in debt can also be helped by using part of their income immediately to pay off debts. However, this does raise the question of whether this is not the responsibility of the individual rather than the government.

The government could also have an interest in programmable money. They could send grants directly from the government to the allocation for which the grant is intended. Thus, subsidies could not be used for other purposes. In addition, taxes could be paid directly to the government.

Venezuela launched the Petro in 2018. This CBDC would be backed by commodities such as oil, gold and diamonds. Therefore, its value would be much more stable than the bolivar, Venezuela’s currency, which is subject to hyperinflation. Despite the government’s effort, adoption of the Petro remained limited. After a corruption scandal involving the mismanagement of the underlying commodities, Venezuela decided to stop the CBDC project.

A CBDC was also introduced in Nigeria: the eNaira. The population shows little interest. The government is trying to encourage use of the eNaira by placing restrictions on cash, among other incentives. In the Bahamas, the Sand Dollar is also not a success despite all the incentives offered by the government.

We can conclude that for the innovative digital euro to be a success, the ECB will have to be able to safeguard the privacy of its users. More importantly, it will have to convince the public that their data is safe with the ECB. Global examples show that there is little interest in a CBDC. The most common argument against this is privacy concerns. Overall, the question remains: how do we meet the compliance requirements without citizens sacrificing their privacy?

In this article, by CBDC, we mean retail CBDC.