José Antonio Bravo Mateu: "Compliance Shouldn't Be Surveillance, But an Advantage for Clients and Companies"
On this page
Table of contents
José Antonio Bravo Mateu is an expert in tax and fiscal consulting, specialized in cryptocurrency taxation. Holding a degree in Economic and Business Sciences from the Universitat de Valencia, he has a Master's in Taxation and Fiscal Advisory from CEF-UDIMA and a Master's in Economic and Financial Management from UOC. After 16 years as Head of Accounting and responsible for the tax area in a mid-sized company, Bravo Mateu decided to focus on independent consulting and training.
"Technology moves much faster than legislation," states Bravo Mateu, who considers it fundamental that companies have a solid compliance department to navigate the current complex regulatory landscape, especially in the realm of cryptocurrencies and digital assets.
Question: After many years working in various financial aspects in SMEs, you specialized in cryptocurrency taxation. Why? What about this technology attracts you so much?
Answer: I started reading about Bitcoin ($BTC) in 2013. I became interested in how it works and everything related to this technology. I was particularly interested in the Open Source aspect and how it relates to money. From there, I began studying what Bitcoin means and adapting my work as a fiscal advisor to the taxation of these digital assets.
I started to see how different taxable events with cryptocurrencies can fit into the Personal Income Tax, mainly, but also into other taxes. I began to speak, read, and specialize in this area.
Q: How has the regulation evolved since your first steps with crypto until now?
A: There has been a continuous interpretation of the regulations by the Administration. Primarily, there is no specific tax regulation except for some taxes or information obligations. For example, there is a recent obligation, from a year ago, to report cryptocurrencies held abroad or the obligation for service providers to report on client movements and balances.
All this has been interpreted through queries to the General Directorate of Taxes. Administrative doctrine has been created based on questions asked by taxpayers to the General Directorate of Taxes to understand how they must comply with their fiscal obligations.
Not all possible taxable events have been addressed. There are still taxable events that remain unclear.
I have seen, though, significant regulatory evolution in some cases, such as with MiCA, which affects markets and service providers more. This evolution is driven, in one way or another, by the Financial Action Task Force (FATF) and the OECD.
It's an ongoing evolution, with much work still to be done, but it has been progressing through interpretations and international regulations.
Q: Given that cryptocurrencies are mostly characterized by decentralization, how should one balance user privacy with the regulatory requirements of KYC?
A: This is quite a challenge to balance. The possibility of being pseudonymous with cryptocurrencies becomes quite biased from the moment you need to undergo due diligence procedures to acquire cryptocurrencies on Centralized Exchanges, where you will be identified, and more information about you will be known, like where you're domiciled.
However, service providers, the Exchanges, are a necessity in the evolution of cryptocurrencies. Initially, there's no economy where you can use cryptocurrencies as a means of payment, so they are acquired with the hope that they will become a means of payment in the future, mainly those that can be considered as such, like Bitcoin, Bitcoin Cash, etc.
I believe Exchanges are circumstantial. When there's a circular economy where Bitcoin or other cryptocurrencies can circulate as a means of payment, these centers won't be necessary, as the coins will be acquired by selling your work or goods and services, and you'll spend them. Therefore, they wouldn't be necessary.
So, I think this is an intermediate and necessary step that will be there for quite some time.
Q: What do you consider to be the greatest challenge currently facing companies when implementing KYC procedures? Because not complying with regulations carries substantial risks…
A: For service providers, it's crucial to conduct thorough due diligence and have well-studied procedures. Their business, survival, and market longevity depend on this. If they don't perform enough procedures, they could face significant sanctions from national anti-money laundering agencies. In Spain, for example, we're talking about SEPBLAC.
Therefore, for me, it's fundamental to create a good team with extensive knowledge about anti-money laundering procedures.
Q: So, it's essential that there's a company philosophy…
A: Absolutely. For me, and not just talking about cryptocurrencies, it's crucial that companies of a certain size have a compliance department. The goal is for this team to help the company understand all the regulations it must comply with.
In SMEs or similar organizations, this role might be an external advisor or service. But I believe that in any company, it's essential to have a good compliance department to understand norms that are increasingly complex and difficult for one person to grasp. Even someone studying law won't know the entire regulation; they'll know only a part and focus on that.
So, I think it's important that compliance departments have several professionals who can help the company comply with regulations from various perspectives: Civil, Commercial, Criminal, Labor, Anti-Money Laundering, Tax... helping them have a comprehensive view of how to comply with the regulations affecting the company.
Q: What role does technology play in the automation of KYC and AML processes? Can one be compliant without technology?
A: Technology, especially Generative AI, will greatly help compliance departments automate many processes. I'm thinking, for example, of biometric client identification, facial recognition, document verification... In other words, AI is helping and will help much more in meeting all these procedures. This will make compliance departments smaller but more efficient.
However, not everything can or should be entrusted to technology. There must be supervision by department heads to ensure and verify that what the AI is doing is correct.
So, can one be compliant without technology? Yes, it's possible, but it's much more costly and less efficient. We must rely on new technologies to meet objectives.
Q: What recommendations would you give to a company, an obliged entity, that must implement KYC and AML processes to comply with regulations?
A: Primarily, I would recommend that they use tools that help make processes efficient. And, of course, not to neglect regulatory compliance because it's extremely important. Especially in AML and data protection, compliance is fundamental for a good relationship with clients, not just with the administration.
Q: How do you balance regulatory compliance with a good user experience?
A: It's necessary to learn from our processes to see if changes are needed. We should focus on improving usability so that the client doesn't feel offended or annoyed by excessive information requests.
We must limit the information we request to the minimum, always complying with regulations, and ensure the procedure is user-friendly.
Q: If we were talking about anti-money laundering prevention, what are the common red flags or warning signs that companies should pay attention to?
A: For me, the most important alerts are related to the client's activity or nationality. Sometimes, clients from a country that might seem suspicious are avoided because compliance with them can be more complicated, and more data might be needed.
In AML, there are many things to refine. But since it depends on a regulation that doesn't even come from the European Union, but from above, it's complicated. What's needed is for processes to be refined from the bottom up; companies dedicated to anti-money laundering should detect issues that might cause false positives, which sometimes happens, and communicate these to the corresponding national agencies, who in turn would elevate them to international forums like the FATF. This way, I believe the process can be refined much more.
Often, I see that a lot of documentation is requested, which, in my opinion, isn't very important and can lead to false positives. So, it would be good for these incidents to be communicated from the bottom up to benefit the client primarily.
Q: This is a common scenario in real estate…
A: Yes, I was mainly talking about that. I've encountered this mostly in banking, with clients from regions like Russia, Ukraine, or China. I'm talking about years ago, around 2018 or so, when I was already dealing with these issues from people of different nationalities.
These people possibly came to work. And, despite not being on any blacklist or similar, due to their nationality, to avoid having to do deeper compliance and mitigate risks, they were often set aside.
I believe this needs to be refined much more. When we focus on cryptocurrencies, we see that international organizations still have a lot to learn. Sometimes, a public address is given, and one account can generate infinite public addresses. So, if I block one, it doesn't mean another can't be generated later that isn't on a U.S. or similar watchlist, belonging to the same person.
The treatment needs to be improved for both their surveillance and for the clients. Maybe a client who has transacted with this person with their account blocked, but is the third in the chain, might be prevented from transacting because they've dealt with this blocked profile due to money laundering issues.
A lot of refinement is needed, and understanding how the technical aspects of cryptocurrencies and address creation work.
Q: It always happens that technology is ahead of legislation.
A: That's something to always keep in mind: technology moves much faster than legislation. Despite the FATF having good knowledge of the technical aspects of cryptocurrencies like Bitcoin, sometimes it falls behind, perhaps out of caution. It might happen that tools are considered for money laundering. I'm thinking of cases like Tornado Cash or Samourai Wallet.
But we're really condemning people who are doing things to improve their privacy, not just from the state but also from potential acts against themselves, because these procedures can be used for money laundering, though not necessarily for that purpose. For example, a screwdriver can be used to screw in screws, but it can also be used to harm someone. That doesn't mean we should ban screwdrivers.
Therefore, anti-money laundering bodies need to make an effort to understand the real purpose of these tools. While they can be used criminally, they don't necessarily have a criminal intent.
This is something that has evolved in recent years regarding cryptocurrencies: companies dedicated to traceability, like Chain Analysis, have concluded that crimes detected in cryptocurrencies, despite the bad publicity, are much smaller than what is believed. We're talking about less than 1% of transactions.
Recently, one of these companies stated that most terrorist groups in the Middle East no longer use cryptocurrencies due to their traceability.
Q: How important do you consider it that institutions have a compliance-first philosophy?
A: Due diligence processes are important. Even if we're not obliged entities, knowing our client and ensuring they won't cause any legal issues is crucial. Having a well-controlled database with information on who they are, whether we can transact with them, or if there might be issues with third parties, is fundamental to me.
In other companies I've worked for, we've implemented somewhat lax due diligence procedures. We would use rating agencies or calls to third parties to create a client profile. We conducted an investigation to avoid commercial issues. These practices are and should be continued.
This also happens in the case of company acquisitions: before that, you should perform due diligence to know if the company has debts or similar issues. It's a lax compliance, not like that of KYC or AML processes, but it's still compliance.
Q: We conclude with a look to the future: From your perspective and experience so far, how do you think KYC and AML regulations will evolve in the coming years, mainly in their relationship with cryptocurrencies and other digital assets?
Well, the topic of AML legislation needs to improve significantly. So far, its effectiveness against potential crimes isn't entirely satisfactory. Can it prevent crimes? Yes. But from my point of view, people's perception should change: they shouldn't feel watched, which is often seen in the crypto realm, and instead see it as something necessary. Currently, it's seen as surveillance, and it should be viewed more as something focused on benefits for both the client and the company.
I believe it's an important challenge: to stop malicious agents, but if it's at the cost of cutting user freedoms, I think we'll face significant resistance. We must find a balance between regulation and user freedom. It's not easy, but it must be done. For that, education is fundamental.
I also consider the security of compliance databases crucial. For me, ensuring these databases are only visible to the companies using them and that the data is encrypted in case of any theft or hacking is a significant challenge. Why? Because between AML regulations and data protection regulations, there's a complex balance to maintain. We need to see how we can comply with both sets of regulations without one affecting the other.
Currently, AML procedures in due diligence databases could be affected and face issues with data protection.
Didit News
José Antonio Bravo Mateu: "Compliance Shouldn't Be Surveillance, But an Advantage for Clients and Companies"
