tl;dr - self custody is so important. It still poses lots of challenges to the surveillance state even though they are trying to lock it down.

These bastards can write something like this:

legitimate actors may also change their choice of payment instrument to the least intermediated and monitored option if they have concerns about their privacy or doubts about their privacy or doubts about their intermediaries’ ability and willingness to protect their payments data.

And still act like self custody is a problem.

They've built a system that only works because of intermediaries

implementation of AML/CFT measures generally relies on the existence of trusted intermediaries, or “obliged entities”, that intermediate in transactions on behalf of their customers and act as gatekeepers. In this intermediary role, these entities are in a unique position to screen customers, monitor transactions and report suspicious transactions to financial intelligence units.

Is it really so hard for them to imagine that perfectly normal people don't like being treated like criminals?

Complaining about how difficult it is to track cash payments, they say:

the physical nature of cash is likely to impose, by design, practical limitations on its usefulness for illicit purposes, which may cap the associated societal costs. Physical cash is often cumbersome and less portable than digital forms of money, making it impractical for large transactions, risky to store and transport, and time-consuming.

It's news to me that cash was designed to place limits on its usefulness.

Hence, we hypothesise that, in the absence of additional or alternative AML/CFT measures, self-hosted crypto payments present the lowest probability of detection and enforcement after cash.

Yes.

They acknowledge that people don't like others snooping on them and that the AML/CFT regime is an imposition on everybody. But they justify it as a "public good."

to address this trade-off, AML/CFT frameworks are generally implemented alongside strong data privacy measures.

This is laughable. To call any data privacy measures "strong" in the era of frequent billion-record hacks and leaks is stupid.

They describe very nicely how the scope of financial surveillance has only expanded (and dramatically so) since the 1990s.

There are some interesting notes about gift cards and how they are treated in the European regime.

Overall, a noticeable feature is that the regulatory approach for self-hosted cryptoasset wallets differs from that applied to cash (Section 3.2). In both cases, there is no intermediary that is well placed to act as an obliged entity. For cash, the main regulatory response has been the introduction of transaction limits, while similar limits have not been introduced for self-hosted cryptoassets. Following the discussion in Section 2, this may provide an incentive for malicious actors to shift from cash to self-hosted cryptoasset wallets.

It's amazing that even though their citizens want freedom from financial surveillance:

Consultations conducted by the ECB and the European Commission have shown that European citizens have a clear preference for a high level of privacy and that they favour privacy-enhancing features such as the ability to conceal the identity of the payer and the payee (ECB (2020), ECB (2021), EC (2023)) (see Graph 3). However, in the effort to strike the right balance between privacy and integrity, the ECB clarified that “full anonymity is not considered a viable option from a public policy perspective” (ECB (2022c)). Therefore, the DigEuro-Reg provides a bespoke AML/CFT framework for offline

This is so galling: apparently the bastards I'm charge believe that the people who elected them don't know what's best for them and should be ignored.

So here's what they propose for self custody:

conceivable regulatory options can apply consistently across payment instruments without intermediaries. First, for all instruments in this group, AML/CFT frameworks can leverage touch points, or entry/exit points, where illicit funds interact with those intermediaries in the first group of instruments, while acknowledging that this is a partial solution as it only allows for the monitoring of incoming and outgoing transactions.23 Examples of such touch points include cash withdrawals or deposits with commercial banks and the conversion between self-hosted stablecoins and commercial bank deposits or e-money.

Next, AML/CFT frameworks could involve entities/actors other than intermediaries for each instrument. The clearest example is cash, for which transaction limits have been imposed on payers and payees. One option involves imposing a uniform transaction limit across instruments to mitigate the waterbed effect, although enforceability challenges vary by instrument.

For example, transaction limits can be programmed into the design of an offline CBDC } and protocols and/or smart contracts on DLTs, ensuring compliance by default. While applying transaction limits to self-hosted cryptoassets is technically feasible, enforcing such requirements would likely prove challenging. Still, enforcing transaction limits for cash payments presents even greater challenges, primarily due to their anonymous and non-electronic nature.

A stronger emphasis could be placed on the responsibilities of and enforcement by the issuers of payment instruments. As issuers of banknotes, central banks have a role to play, as illustrated by the decision of the Eurosystem to discontinue the issuance of EUR 500 notes in 2019 to address AML/CFT concerns. Similarly, stablecoin issuers have complied with requests from authorities to freeze the coins in self-hosted wallets associated with illicit activities.

Another complementary approach for addressing the challenges associated with payment instruments without intermediaries could involve increasing the costs associated with non-compliance for private-sector issuers, payers, payees and entities that provide services or a platform for settling cryptoasset transactions, especially those engaged in professional activities.25 These exemplify the possible roles of lex specialis in addressing individual instrument characteristics.

All in all, this is a very frustrating read. I find it hard to believe that there are people who seriously buy in to the nanny state so deeply that they dismiss the risks of such state control so lightly.