Hacker News

Welcome to the world of financial regulations!

You may not have realised it, but banks and all financial institutions have been deputised by the regulators to be the financial police. They need to ensure that none of their clients use financial services to commit crimes or launder the proceeds of a crime, under penalty of heavy (up to multi-billion) fines. Particularly in the US.

I am pretty sure this is what is forcing PayPal to do this. And also why I wish good luck to startups who think they will disrupt this massively over-regulated industry.



I worked for a financial services related startup for a while and was involved in implementing KYC/AML protections and AFAIK there isn't any relation between this and those laws. KYC is simply identifying your customers (nothing related to what they are doing) e.g. drivers license info, home address, etc. AML has to do with financial instruments passing through a business' account from customer (a) to customer (b) (in some cases (a) and (b) being the same individual). Given they are processing subscriptions here it seems far more likely that this is somehow related to RIAA/MPAA, or at least a fear of said groups.


It's not about onboarding/general KYC since this isn't about end users.

PayPal does its own risk assessment for business partners; what I'm pretty sure this is, is a simple "classification" case.

Paypal classifies the type of business you are and if you belong to certain types of businesses they put some requirements on you based on regulations and their own internal requirements usually produced by their legal department.

Paypal has probably seen what happened to file sharing websites like Mega and if you are tagged as a file sharing service they want to ensure that you do everything to prevent it being used for piracy, including being able to audit it themselves and to be able to either put pressure on you or cut off their services if they think they are at too much of a risk.

Now I understand that Seafile isn't anything like Mega, but it's also not exactly on the scale of Dropbox. This also means that most likely no one at PayPal really knows what it is, or where they are heading business-wise, and so they just stick some additional requirements on them.

Also (this was true 2-3 years ago, I don't know if it is still the case) file-sharing websites and other sites where you can buy "premium currency", such as various online games, video chat apps (usually pornography) etc., are the main source of fraud from compromised accounts as far as PayPal goes; this on its own can bring on additional requirements from PayPal.


KYC is simply identifying your customers

That's the minimum, but it's certainly not all there is to it.

Know Your Customer really means know your customer.

As one of many practical examples, when dealing with a legal entity such as a trust, merely identifying its officers is insufficient -- you must also identify the beneficial owner (BO). Effectively, this means that you have to look through all possible shell companies until you arrive at a natural person.
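The look-through described above, as an added example (not code from the comment or from any KYC vendor): walk an ownership register from the client entity down to natural persons, multiplying shares along each chain and summing across chains, and report anything that cannot be resolved because the chain loops back on itself or ends in an entity with no filed owners. The register, the entity names and the 25% reporting threshold are all constructed or chosen here for illustration; the thread states none of them.

```python
"""Look through a chain of legal entities to the natural persons behind it.

Added example; not code from the comment or from any KYC vendor. The
ownership register is constructed, and the 25% threshold is a parameter
chosen here for illustration, not a figure stated in the thread.
"""
from collections import defaultdict

# Constructed register: entity -> list of (owner, share of that entity).
# A name with no entry of its own is treated as a natural person (a real
# register would carry an explicit entity type). An entry with an empty
# list is a legal entity that has filed no owners.
REGISTER = {
    "Acme Trust": [("Shell Alpha Ltd", 0.60), ("Shell Beta BV", 0.40)],
    "Shell Alpha Ltd": [("Shell Gamma SA", 1.00)],
    "Shell Gamma SA": [("Ms. Doe", 0.50), ("Shell Beta BV", 0.50)],
    "Shell Beta BV": [("Mr. Roe", 0.70), ("Mx. Poe", 0.30)],
    # A second client whose chain loops and ends in an entity with no filings.
    "Loop Holdings": [("Loop Sub", 1.00)],
    "Loop Sub": [("Loop Holdings", 0.50), ("Mr. Roe", 0.25), ("Opaque Inc", 0.25)],
    "Opaque Inc": [],
}


def look_through(entity, register):
    """Return (owners, unresolved).

    owners maps each natural person reached to their effective share of
    `entity` (product of shares along each path, summed over paths).
    unresolved lists the chains that could not be followed to a person,
    each as (reason, path, share still unaccounted for)."""
    owners = defaultdict(float)
    unresolved = []

    def walk(node, weight, path):
        if node not in register:
            owners[node] += weight                          # reached a natural person
            return
        chain = path + (node,)
        if node in path:
            unresolved.append(("cycle", chain, weight))     # A owns B owns A
            return
        if not register[node]:
            unresolved.append(("no data", chain, weight))   # nothing filed
            return
        for owner, share in register[node]:
            walk(owner, weight * share, chain)

    walk(entity, 1.0, ())
    return dict(owners), unresolved


def beneficial_owners(entity, register, threshold=0.25):
    """Natural persons at or above the threshold, largest share first,
    plus the share the look-through could not attribute to anyone."""
    owners, unresolved = look_through(entity, register)
    qualifying = sorted(
        ((person, round(share, 4)) for person, share in owners.items() if share >= threshold),
        key=lambda item: -item[1],
    )
    unattributed = round(sum(weight for _, _, weight in unresolved), 4)
    return qualifying, unattributed


if __name__ == "__main__":
    for client in ("Acme Trust", "Loop Holdings"):
        persons, gap = beneficial_owners(client, REGISTER)
        print(client, "->", persons, "unattributed:", gap)
```

The unattributed share is the number a reviewer should care about: for "Loop Holdings" three quarters of the ownership disappears into a loop and an entity with no filings, which is exactly the situation the comment says a bare officer check would miss.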


I don't know if you want to advertise lack of enforcement so loudly. Your practices would leave you vulnerable to litigation if one of your customers were laundering money or committing crimes through your service. You've done enough to survive an audit if there have been no issues, but you'd be found negligent if there are.


To be fair, boldfield did say "worked for ... for a while" which implies they're no longer with the company (which might be a story in its own right). Still, it's good advice for others chiming in who may presently be in the same position.


> Welcome to the world of financial regulations!

> You may not have realised it, but banks and all financial institutions have been deputised by the regulators to be the financial police. They need to ensure that none of their clients use financial services to commit crimes or launder the proceeds of a crime, under penalty of heavy (up to multi-billion) fines. Particularly in the US.

While I fully agree with this statement, PayPal's actions here seem excessive even by the broadest interpretations of anti-money-laundering regulations. Furthermore, AML regulations target a specific set of transactions and/or individuals.

"Monitoring all traffic for illegal content" is a vague statement that could mean anything. Illegal where? Illegal how?

Edit: I forgot to mention: PayPal operates as a credit institution (ie, a bank) within the EU, so the strict AML regulations the parent alluded to apply to it directly.


Paypal seems to have a long and ugly history of aggressive-yet-incoherent legal interpretations.

They lock down donations to any unpopular group, and refuse to release already-held funds. They freeze Kickstarter campaigns as soon as someone says the word "fraud", and cause the exact damage they're trying to prevent by tying up all the funds so neither backers nor creators can get the money.

They're incredibly capricious, and as far as I can tell have taken the stance that overcaution is always acceptable.


Because PayPal doesn't want to lose money from customers that use their complaint system or worse through chargeback from the credit card companies.

As far as donations for dubious causes go, well, if they think that it will either lose them business due to reputation, or worse, lose them money if a government decides to freeze those funds, they will cut it off.

PayPal for the most part is not a fractional lender: when you have $1000 in a PayPal account, PayPal has to reserve the full amount. PayPal isn't protected from a run by central banks, and what limited protection it has is probably provided by underwriters at not the most beneficial of terms.

If someone is opening a donation account for ISIS, anti-LGBT or w/e you might call an "unpopular cause", and that either causes them a huge PR headache or, worse, a government decides to freeze those funds, they lose a lot of money. This can be complicated even further since, while the funds are frozen, the users who transferred these funds might be eligible for protection under PayPal's own policies, and if not then they can always initiate a chargeback from their own credit card company.


Paypal has lost tons of money to fraud, and with the margins they have it's not surprising they err on the side of caution.


In the US, at least, AML regulations are whatever the regulators say they are.


I call BS on that.

It is true that banks will go a long way to try to satisfy banking regulators. But unless you have some evidence I am simply unwilling to believe that banking regulators can make up any restrictions they like without regard for the actual requirements of federal law.


But unless you have some evidence I am simply unwilling to believe that banking regulators can make up any restrictions they like without regard for the actual requirements of federal law.

The actual requirements of federal law are often (intentionally) formulated on such a high level that in practice, the banking regulator does end up specifying the actual rules.

Say, for example, a federal law requires that banks "take reasonable measures to impede money laundering".

Now what those "reasonable measures" are is usually determined by the overseeing regulator (eg: the SEC). Sure, you can disagree with their assessment, but they'll fine you anyway and then, the best-case scenario is that after X years in court, the fine gets overturned.


Not only is that true, it's usually not even the regulators that are making up the final actionable items. Businesses hire independent auditors who need to make sure their clients are well clear of what the regulators would be concerned with, and so push them to go even farther. And of course, once you have passed one audit, the next year's audit will be even more strict, even if the regulations themselves have not changed. The auditors do need to justify their own employment, after all.


Coming from a bank (but with limited interaction with regulators), regulators usually try to work within the law. However, I would like to remind you that the law is all contradictory and there are literally tens if not hundreds of thousands of various laws, each one with its own implications.

Point being, regulators can justify just about anything. That is why all large banks have an army of lawyers. They then work with regulators to find some middle ground.


The law is very complicated, but it generally gives regulators that actual power. They can make demands to specific banks. They can even make demands to specific banking systems; like, a regulator can go to a bank and say "You need to make your AML system do Y instead of X."

And the bank has to do it or they end up like HSBC. In fact, that was exactly why HSBC was fined billions. Regulators told them to do specific things, like use Form X in Iran instead of Form Y, or classify Mexico with risk measure N+1 instead of N, and they didn't do them. This is all in the various public records.


Are you sure that is "all" that HSBC did? Your explanation seems very simplified.

e.g. from https://www.theguardian.com/business/2012/dec/14/hsbc-money-...

"In some branches the boxes of cash being deposited were so big the tellers' windows had to be enlarged."


It's considered a given that money laundering occurs at every big bank. It's impossible not to happen at an organization of that size.

This entire subthread is about how AML is enforced. Specifically, it's enforced by regulators doing whatever they feel they need to do. The punishment wasn't for money laundering, it's for money laundering in a manner that obedience, according to the regulators, would have caught.

For international banks, it's especially arbitrary because regulations are so loose overseas. In the UK it's very easy to move small amounts anonymously. This is routinely used for small-time laundering by organized crime and banks are fully aware of it. The long arm of US law goes after UK banks handling Mexican dirty money, but not UK banks handling UK dirty money. A lot of what constitutes "illegal money laundering" is actually political.


Don't respond to hyperbole with hyperbole.

GP was making a vague reference to Rulemaking.

You should be willing to educate yourself, not be https://en.wikipedia.org/wiki/Rulemaking


Crimes. Yes.

But payday loan companies and credit cards that charge 29% interest plus hundreds of dollars in fees to "help people with poor credit" are fine.

Supporting US government entities in defense that kill tons of innocent people every day; that's fine too.

Self regulating? Man that works so well, especially in 2008. We're going to let you keep doing that too.

Weed stores in states where it's legal? Hi it's the DEA. We're confiscating these accounts for you. Here's a fine (at least until later this year, but still only for medicinal marijuana)

It's a cluster fuck of bullshit. Of course you can always use a different payment provider, but with PayPal being just so damn easy with very little competition, it's like saying if Amazon removed your eBook, just publish it somewhere else. The trouble is the distribution networks are so big that they become the only means of distribution. If you control 90% of the market and shut down a DropBox competitor, you're choosing which companies succeed.


> Self regulating? Man that works so well, especially in 2008.

What self regulating existed in 2008? Banking and finance have been hyper regulated for decades. There are no industries more regulated than those. There was no self-regulating and you won't be able to point to any substantial self-regulating that caused the housing bubble and crash (unless you're talking about the Fed's low interest rate policies). The SEC, Fed, FHA, CFPB, and Treasury were intentionally looking the other way while vast fraud was occurring because all of the voters were getting rich off of housing and stock market bubbles. The Fed was laughing during their meetings about the bubble, you can read the minutes today.

Oh yeah, and guess what, housing is higher today than it was at the bubble peak (and so is the stock market mini-bubble today). So are we self-regulated again now? Nope, we're even more regulated now, with all the big banks directly and strictly under control of the Fed; it all has to do with artificially low interest rates, which is universally understood at this point - the Fed now openly admits to creating asset inflation to try to spur the economy.


Regulation has done a great job in several industries of concentrating the industries into a few major players, because it is incredibly difficult to comply for new/small companies. Banking and finance is one, telecom is another.


Telecoms got itself monopolised just fine before regulations came along. AT&T sealed in the concept of operating as a regulated monopoly. But that goes back to 1913.

There are industries which tend naturally toward monopolies, with transport, communications, broadcast, and software among them. There are also industries which tend naturally away from monopolies, such as sandwich shops, cement providers, and laundromats.

(Not that there cannot be some concentration, or even national chains among these. But they're rarely dominant.)


Would you say that industries with heavy network effects tend towards monopolies, while those without tend to produce more competition?


That's a large part of it.

Transport, comms, banking, and information technology, tend toward monopolies.

Consulting is a mixed bag -- if you're relying on creativity, not so much, but if you're relying on marketing and business contacts, both of which are far more a network effect (with strong lock-in elements), yes. Contrast your typical small-gig design shop vs. the Big Declining n Accounting Firms, or IBM and Oracle (consulting / business services).

Retail can be local (small effects) or global: large grocery stores, WalMart, Amazon.

There are other effects as well. I've been curious about Maersk's adoption of ultra-large cargo ships, even as shipping volumes have been falling. While there's a financing-design-build lag, there's also the possibility that having and operating a large ship puts pressure on other operators -- if you're operating and loading, you're taking cargo which would go onto smaller vessels.

It's complicated.

Part of this also plays into concepts of what and how technological mechanisms actually function: https://ello.co/dredmorbius/post/klsjjjzzl9plqxz-ms8nww

I'd include among "network effects" urban and even empirical structures.


[citation needed]

Lobbying from these industries' players for bad regulation might have helped, but regulation is usually nothing bad. I'm happy in the EU knowing that most stuff I can buy is at least to some degree vetted for killing me.


> But payday loan companies and credit cards that charge 29% interest plus hundreds of dollars in feeds to "help people with poor credit" are fine.

Nope, you do not even need to commit crimes to be targeted by the DOJ:

https://en.wikipedia.org/wiki/Operation_Choke_Point

https://news.vice.com/article/is-the-doj-forcing-banks-to-te...

Payday loan companies in particular were hit hard by Operation Choke Point in 2013 (I worked at a "lending startup" that was targeted and had to pivot; a lot of payday/consumer lending companies ended up shutting down).


Right, all those bad things you mentioned are not crimes, because we have not passed laws against them.


Have they been deputized into service or pressed into mandatory service? My understanding is that the Know Your Client (KYC) laws are mandatory, with multi-billion dollar fines for companies who violate them. (HSBC has gotten into trouble with this recently)


Correct, it's mandatory service.

I think what the grandparent meant to say with being "deputized to be the financial police" is that the extent of this mandatory service has become so substantial that financial institutions often are left with the feeling that they are performing work (at their own expense) which feels like work that law enforcement should be doing.

It used to be that law enforcement pointed out the bad guys, or even just suspects, to you. Now, you're supposed to identify and report possible bad guys to law enforcement.

There's nothing wrong with that on principle, of course, but in practice, every bank must now train some personnel to detect not only suspicious individuals or transactions, but even suspicious patterns of transactions.

And that's when you start feeling like you've been deputized -- it feels like you are performing a criminal investigation on behalf of others.


> They need to ensure that none of their client use financial services to commit crimes

There are also laws that give financial institutions due diligence obligations to ensure they're not facilitating "unsanctioned boycotts".


Yeah. USA. But this is Germany and the EU, and you violate either PayPal's terms or the laws of the country.


The same position is true for UK and EU as for USA: a firm handling money can't accept it unless they've done anti-money laundering checks. This includes e.g. identity checking, and checking both sender and sometimes also recipient for criminal associations.


That doesn't seem entirely clear.

For example, Seafile could have said "Files are accessible only to one customer. It is of course possible to share passwords. However, we use geoip to monitor the number of locations used by each customer, and take appropriate action when a customer's set is oddly large. This should effectively block the use of Seafile for piracy." Perhaps Paypal would have said no, but perhaps yes.


I don't agree that Seafile should be under any obligation to do that. If customers want to share files, let them. Storage services shouldn't ever look at what the files contain or their metadata.

edit: looks like paypal openly states it won't process for file sharing services who don't monitor content. I guess most services that don't have a high dispute rate...


Last year I saw a customer (not at Seafile) who accessed our (paid) service from 20 different countries on the same day. Do you think that customer travelled to all those countries on that day? Do you think we were wrong to look for such globetrotting customers? Do you think we were wrong, or Seafile would be wrong, to look for customers who share their account with their hundred best friends?
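The check the commenter describes (one paid account seen from 20 countries in a day), as an added example that is not code from the commenter, from Seafile or from PayPal: parse a constructed access log, map each client IP to a country, and flag two things: accounts whose accesses span more than a few countries within one UTC day, and consecutive accesses from different countries closer together than any flight could explain, which separates credential sharing or compromise from a user who simply travelled. The log format, the IP-to-country table and both thresholds are constructed here; a real deployment would answer `country_for()` from a GeoIP database.

```python
"""Flag accounts whose access pattern spans too many countries.

Added example; this is not Seafile's or PayPal's code and not the
commenter's. The log format (one access per line), the IP-to-country
table and the two thresholds are all constructed for illustration. A
real deployment would answer country_for() from a GeoIP database.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database (documentation and shared-address
# ranges, so nothing here points at a real network).
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "DE",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "FR",
    ip_network("100.64.1.0/24"): "BR",
    ip_network("100.64.2.0/24"): "JP",
}

# Constructed access log: ISO-8601 UTC timestamp, account, client IP.
SAMPLE_LOG = """\
2016-03-02T08:15:00Z acct=alice ip=203.0.113.7
2016-03-02T12:40:00Z acct=alice ip=203.0.113.9
2016-03-02T09:00:00Z acct=bob ip=203.0.113.20
2016-03-02T09:05:00Z acct=bob ip=198.51.100.4
2016-03-02T09:12:00Z acct=bob ip=192.0.2.33
2016-03-02T09:30:00Z acct=bob ip=100.64.1.8
2016-03-02T09:41:00Z acct=bob ip=100.64.2.8
2016-03-02T06:00:00Z acct=carol ip=198.51.100.77
2016-03-02T19:30:00Z acct=carol ip=192.0.2.5
2016-03-03T09:00:00Z acct=bob ip=203.0.113.20
this line is malformed and is skipped
""".splitlines()

LINE_RE = re.compile(r"^(\S+) acct=(\S+) ip=(\S+)$")


def country_for(ip: str) -> str:
    """Map an IP to a country code; unknown IPs get their own bucket."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """Return (timestamp, account, ip) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)


def events_by_account(lines):
    """Group (timestamp, country) per account, sorted by time; skip bad lines."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, acct, ip = parsed
        events[acct].append((ts, country_for(ip)))
    for evs in events.values():
        evs.sort()
    return events


def flag_country_spread(lines, max_countries=3):
    """Accounts seen from more than max_countries distinct countries in one
    UTC day: the '20 countries on the same day' signal from the comment."""
    seen = defaultdict(set)
    for acct, evs in events_by_account(lines).items():
        for ts, cc in evs:
            seen[(acct, ts.date())].add(cc)
    return sorted(
        (acct, day.isoformat(), sorted(ccs))
        for (acct, day), ccs in seen.items()
        if len(ccs) > max_countries
    )


def flag_impossible_travel(lines, window=timedelta(hours=1)):
    """Consecutive accesses from different countries closer together than
    window. Stronger evidence of sharing or compromise than the daily count,
    which a user who really did fly somewhere can also trip."""
    hits = []
    for acct, evs in events_by_account(lines).items():
        for (t1, c1), (t2, c2) in zip(evs, evs[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hits.append((acct, c1, c2, int((t2 - t1).total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for acct, day, ccs in flag_country_spread(SAMPLE_LOG):
        print(f"spread: {acct} on {day} from {', '.join(ccs)}")
    for acct, c1, c2, minutes in flag_impossible_travel(SAMPLE_LOG):
        print(f"travel: {acct} {c1} -> {c2} in {minutes} min")
```

On the constructed log, carol (US in the morning, France in the evening) passes both checks, while bob, seen from five countries in 41 minutes, trips both; that difference is why the two signals are kept separate rather than folded into one counter. Unknown IPs are kept as their own "??" country rather than dropped, so a gap in the GeoIP data lowers precision instead of silently hiding an account.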


Yes, you were, of course, it's none of your damn business what your customers use your product for as long as they pay for it and it's not obviously illegal. If you are concerned about resource usage, limit the resources that you sell per account, and then enforce that limit if you like, but don't stick your nose into other people's lives.

And I must say I find it particularly strange that you seem to find it somehow impossible how someone could use an internet service from 20 countries in one day. I mean, it's the internet, right? A computer on every continent is only a few mouse clicks away. And international teams, either of freelancers, or of employees of a company, working together on projects, isn't exactly unusual either.


How can it be "not obviously illegal" if you're not checking? Side note, piracy is illegal in a lot of countries.

If my account was accessed from 20 different countries in a day you can be damn well sure I'd want to be given a heads up too, as it's likely my account has been compromised.


> How can it be "not obviously illegal" if you're not checking. Side note, piracy is illegal in a lot of countries.

How could something be obvious if you have to check? Lots of stuff you can do in an apartment is illegal, too. That's still no reason for a landlord to install cameras to check. It's just none of their damn business.

It's obvious if a potential customer asks whether your service is good for warez hosting, or if a potential tenant asks whether your apartment is well-suited for getting rid of bodies. Anything where you have to violate their privacy in order to find out just is not obvious, and it's not your job to monitor people's private lives for possible illegal activity (and it is highly unethical to do so--it's what totalitarian regimes do, read up on the GDR's Stasi if you want to know what living in such a society is like).

> If my account was accessed from 20 different countries in a day you can be damn well sure I'd want to be given a heads up too, as it's likely my account has been compromised.

If you want to monitor your own account (or want to have someone, like the hoster, monitor it for you), feel free. It's still none of the hoster's business to investigate it any further without your explicit instruction to do so.


A streaming service, actually, and one which doesn't sell to teams. The T&C prohibit giving anyone the password, with an exception for household members, so concurrent use from 20 countries stretches credulity.


It could be a single customer, Tor, proxies, etc exist. Further analysis of usage patterns could rule this out (with very high probability) though.

As for 'were you wrong', no, not if you ruled out the above. That doesn't make it something that you should have to do though.


It depends. If the purpose is to prevent access to customer data not authorized by the customer then it's ok. If you do it to further the interests of anyone other than your customer it's unethical.


Yes, you were wrong. Maybe the user was just lending the files to his/her best friends? Or some other kind of fair use... You can't just generalize that all file-sharing is illegal.


Fair use doesn't even enter the question. How do you know the customer didn't own the copyright on his files, and was well within his rights to share the files with anyone of his choosing?


One of the highlights to the Banking Secrecy Act update in 2014 is listed in the first spot:

- Suspicious Activity Reporting

http://www.occ.treas.gov/news-issuances/bulletins/2014/bulle...


There are well founded reasons for financial regulation. Predatory lending, money laundering, scams, terrorism funding, etc.



