23 Jan 2018
The increasing integration of digital currencies into the mainstream financial industry, and in particular the explosive rise of bitcoin, has caught the attention of both criminals and financial regulators.
Regulation of anti-money laundering (AML) / counter-financing of terrorism (CFT) risks associated with digital currencies has so far largely focussed on extending existing regulations which already apply to traditional financial institutions to include digital currency exchanges.
The question is, how well will AML/CTF regimes designed for traditional fiat currencies perform when applied to digital currencies?
Applying existing AML/CTF frameworks to digital currencies is a good first step, according to Yaya J. Fanusie, a former United States CIA (Central Intelligence Agency) counterterrorism analyst and currently the director of Analysis at the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance.
“I think it is important, it is useful, but I’d say it’s a starting point. Those types of requirements won’t cover everything to begin with, but they provide a starting point that regulators need to start thinking about how to iterate on that.”
The learning curve for managing ML/TF risk associated with digital currencies is likely to be steep and occasionally bumpy. Here are some factors to keep in mind:
1.Digital currencies are not all created equal
There are significant differences in the technologies which underpin different digital currencies. This is important from an AML/CTF perspective because it means that methodologies for laundering may be unique to each currency, and deep technical expertise in each specific currency may be needed to detect and trace illicit money flows.
An example of this is the difference between bitcoin and Monero. Bitcoin is based on a distributed ledger network known as the blockchain. Transactions recorded on the blockchain can be viewed by anyone, which makes bitcoin one of the easiest digital currencies for tracking transactions as they move through the system.
Monero, on the other hand, is widely recognised by experts as being far more difficult to trace. Monero is also based on a blockchain, but makes use of a range of cryptographic techniques including ring signatures, stealth addresses and RingCT to conceal the senders, recipients and value of transactions
Responding to the substantial differences between different digital currencies will demand a regulatory regime which is both flexible enough to cope with diversity and stringent enough not to let things slip through the net, along with a high level of technical expertise from regulators.
“Folks working for regulators and folks in government need to hire more cryptographers,” says Fanusie, “You need people who are really steeped in the technology of how the tokens work.”
2.Digital currencies are evolving
Digital currencies are generally new, and evolving rapidly. Even the largest and most well established currencies such as bitcoin and Ethereum are likely to undergo dramatic technical changes in the coming months and years.
As the technology changes, so too do the opportunities for criminals and regulators. Managing ML/TF risks means keeping up with the curve and adapting to new developments as they emerge.
A major example involving bitcoin is the Lightning Network. The Lightning Network is a proposed technological solution to bitcoin’s problems operating at scale.
The core concept is that it creates an additional layer on which transactions can be made without being committed to the bitcoin blockchain for a designated period of time, and so reduces the bottleneck of transactions. It hasn’t yet been implemented but if it is, it could potentially undermine bitcoin’s transparency and make it harder for regulators to monitor.
Once again adaptability, deep expertise and keeping a finger on the pulse of the digital currency community are likely to be critical for regulators. It will also require working with the people within the digital currency community to promote an awareness of why money laundering and terrorism financing presents a risk to their industry.
3.Creating a culture of compliance
The complexity and rapid development of digital currencies makes it especially crucial for regulators to establish strong working relationships with industry actors. This may be easier said than done; in the past the relationship between parts of the digital currency industry and government regulators has been at times fractious, suspicious and even adversarial.
Digital currency creators should be encouraged to consider how to prevent the misuse of their technologies even from early design phases. Extending the current AML/CTF frameworks will force the digital currency community to start thinking more seriously about these issues than many have in the past, but the cultural shift is likely to need to go much deeper than that.
“Creating a culture of compliance matters because these questions [of illicit uses of digital currencies] need to be addressed by the folks who are creating them,” says Fanusie. “Those who are innovating have to start educating themselves, have to start talking to regulators – not to stifle innovation but just to realise that there’s a good purpose for having AML regulations.”
4.Decentralisation poses challenges and opportunities
The decentralised nature of digital currencies poses a challenge for regulators used to operating in traditional, highly centralised financial systems. There is no central authority which has ultimate control over bitcoin or other digital currencies. This decentralisation is further compounded by the highly international and multi-jurisdictional nature of digital currencies.
Creating an effective regulatory model which can cope with decentralisation may require a shift in regulators’ mindset as much as a shift in their methods.
“The [traditional] financial system works through a centralised model, so we’re thinking about a centralised approach,” says Fanusie.
“We go after centralised nodes like digital currency exchanges for regulation because that’s what we know, that’s how the financial system has been built.”
“The crypto industry is not confined. By its nature it is global, and it’s borderless, so we have to be thinking about solutions which are going to be above and beyond our bordered, traditional jurisdictional approaches. I think what regulators should be thinking about is, as well as folks in industry, are there decentralised ways to support compliance?” Fanusie says.
5.The ‘digital’ matters just as much as the ‘currency’
Although financial regulators naturally have a tendency to focus on the ‘currency’ part of digital currencies and to reach for financial solutions to problems, the digital nature of the system is just as important. Fanusie thinks that there are valuable lessons which regulators could learn from the cyber and information security industries.
“It’s not a perfect metaphor, but in cybersecurity you have technical experts who understand that illicit actors are going to use the technology for nefarious purposes. That’s why the industry has developed white hat hackers, and created financial incentives to reward people who find bugs and illicit actors as a central part of the cyber-security industry. So why aren’t we talking about doing the same thing in cryptocurrencies?”
A handful of digital currency-based bug bounty programs already exist, including for Ethereum and Coinbase. Systematising and formalising bug bounties for digital currencies would require close cooperation between industry and regulators to establish both incentives and ground rules, but it could be one tool for responding to the challenges of decentralised, multi-jurisdictional risk monitoring.
Other techniques from the cybersecurity field, such as penetration testing and vulnerability assessments, could also potentially be adapted for useful purposes in the digital currencies space.
– By Elise Thomas
Melbourne-based Elise Thomas has a background in international affairs and a strong interest in financial crime, data and technology issues.
You can claim CPD minutes for this content, by signing up to our CPD WalletFREE CPD Wallet