Facing the AML challenges and seizing
the opportunities of bitcoin and the
blockchain
Who am I?
● Diacle - legal/compliance one-stop-shop for
blockchain/digital currency businesses. London/New
York
● Coinstructors - pluri-disciplinary digital currency/asset
development services
● UK Digital Currency Association - director/co-founder
● Global bitcoin regulatory information - merkletree.io
● Blockchain hackathons - hackco.in
What are we talking about?
● What is bitcoin?
o decentralised
o trustless P2P payment system
● Digital currency
o decentralised or distributed (meaning more
controlled)
o Issuer or no issuer of the currency
● Blockchain technology
o Using attributes from bitcoin applying it to different
use cases outside of currency such as file storage
Bitcoin is here to stay
● Bitcoin will be here to stay
● 2009 and still counting - online money and still hasn’t been hacked
● Ignore or engage with bitcoin?
● Your business opportunities are probably not with
bitcoin but more with blockchain technology or your
own digital currency
● Take on a bitcoin business as a client or invest in
one like BBVA. Learn about the technology in practice.
● Join the UKDCA. Engage with the industry.
Agenda
Facing the challenges of bitcoin
If you are looking to engage with bitcoin businesses, we will
look at how to do so safely through the assessment of a bitcoin business’ AML controls
● AML - FATF risk based approach
Purpose of talk:
● identify the risks
● list the available appropriate measures that you
would expect to see in a bitcoin business
Agenda
Seizing the opportunities from the blockchain
● transaction compliance
● digital currency fights internet/card fraud
● decentralised ID
● ‘ultra’-compliance using digital currency
● becoming an issuer
Regulatory framework
● UK bitcoin exchanges unregulated by HMRC for AML
unless exchange involved in fiat to fiat conversions/
payments
● UK bitcoin processors outside of regulation too
● UKDCA working with HM Treasury/FCA/ HMRC on a
regulatory stance for the above to fall within Payment Services and Money Laundering Regulations 2007
Regulatory framework
● Current stance unregulated but most apply customer due diligence and monitoring to their Exchange
o Reporting requirements in Proceeds of Crime Act
2002/ Terrorism Act
● Money Laundering Regulations 2007 - we assume that
a bitcoin business should be/or will be regulated for
this discussion, thus CDD, training, record keeping and ongoing monitoring is a requirement
Risk 1: bearer instrument
● Bitcoin is a bearer instrument like cash
o possession equals ownership
● You don’t know if your identified customer is depositing
bitcoins with you or if a third party is
● In contrast: when you put cash in a bank account any
transaction thereafter is associated with you individually
Dealing with that risk
● A Bitcoin Exchange conducts CDD on their customers
● They know
o who the customer is
o where they live
● When the customer deposits bitcoin with the Exchange
the Exchange can find out the geolocation of that bitcoin transaction
● Mismatch of geolocation of transaction and customer’s residence = red flag
XBT geolocation
● Every transaction from a person is sent via the internet
● This means the IP address of a person is revealed
● Research in Luxembourg - 60% accuracy in being able
to identify the IP address of a bitcoin transaction
● Based on an IP address there is a 90% probability of determining the country of the sender/ a city 50-80% accuracy
● This is valuable intelligence for an Exchange
XBT geolocation - how?
● “When you are connected to every node then the first node to inform you of a transaction is the source of it” Dan Kaminsky
● Access to intelligence:
o Need to operate around 100 nodes to be able to pick up IP addresses
● If transaction coming from a different location then
probability transaction not from your customer
Risk 2: identifying tainted funds
● Cash transaction has no history
o could be a drug deal … no idea
● Bitcoin is different
o Every transaction is held on a public ledger since 2009
● How can we analyse the blockchain intelligently?
● Extracting intelligence for ongoing monitoring and CDD
Blacklisting
Blacklist addresses
● Blacklisted ‘venue’ address - Silk Road
● Blacklisted ‘event’ address - hack of an Exchange
Example:
● Bitstamp hack - 19,000 bitcoins stolen
● That address is being monitored by people on Reddit to
see where the bitcoin is going
Natural effect from blacklisting
● Difficult thereafter in moving proceeds from crime
● “The UCSD study found evidence that some criminals, at least, do know Bitcoin’s privacy is limited. In late 2012, one sophisticated thief stole 3,257 bitcoins – today worth over $400,000 – by spreading malware that transferred money from users of Bitcoin without their knowledge. Almost a year later, most of the stolen coins have gone nowhere, suggesting that the person who took them is struggling to cash out without revealing himself” Sarah Meiklejohn
Blacklisting both ways
● Monitoring blacklisted address
o Any incoming transactions to an Exchange from
blacklisted event or venue address = red flag
o Any outgoing transactions to a blacklisted venue =
red flag
● Retrospective blacklisting
o Running a new blacklisted address against your
customer’s transaction history
Bitcoin record keeping
● Record keeping for Exchanges must be robust
● Need to record:
o All outbound addresses for customers
o All inbound addresses for customers
o Or lock the addresses customers can use
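Added example (not part of the original slides): a minimal sketch of the two screening rules and the retrospective check described above, run over the kind of inbound/outbound address records an Exchange is expected to keep. All addresses, customer names, transaction ids and function names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder addresses and records (not real bitcoin data).
BLACKLIST = {"ADDR_VENUE_1": "venue", "ADDR_EVENT_1": "event"}

@dataclass(frozen=True)
class Transfer:
    customer: str
    direction: str     # "in" = deposit to the Exchange, "out" = withdrawal
    counterparty: str  # address the funds came from or were sent to
    txid: str

HISTORY = [
    Transfer("cust-001", "in", "ADDR_CLEAN_1", "tx-a"),
    Transfer("cust-002", "in", "ADDR_EVENT_1", "tx-b"),
    Transfer("cust-001", "out", "ADDR_VENUE_1", "tx-c"),
    Transfer("cust-003", "out", "ADDR_EVENT_1", "tx-d"),
    Transfer("cust-003", "in", "ADDR_LATER_1", "tx-e"),
]

def screen(transfer, blacklist):
    """Return a red-flag reason, or None, using the two rules on the slide."""
    kind = blacklist.get(transfer.counterparty)
    if kind is None:
        return None
    if transfer.direction == "in":
        return f"incoming from blacklisted {kind} address"
    if transfer.direction == "out" and kind == "venue":
        return "outgoing to blacklisted venue address"
    return None  # outgoing to an event address is not a rule on the slide

def screen_all(history, blacklist):
    """Screen every recorded transfer; return (customer, txid, reason) hits."""
    hits = []
    for t in history:
        reason = screen(t, blacklist)
        if reason:
            hits.append((t.customer, t.txid, reason))
    return hits

def retrospective(history, blacklist, new_address, kind):
    """Blacklist a new address and re-screen only the history that touches it."""
    updated = {**blacklist, new_address: kind}
    touched = [t for t in history if t.counterparty == new_address]
    return updated, screen_all(touched, updated)

if __name__ == "__main__":
    for hit in screen_all(HISTORY, BLACKLIST):
        print("RED FLAG", hit)
    _, late = retrospective(HISTORY, BLACKLIST, "ADDR_LATER_1", "event")
    print("RETROSPECTIVE", late)
```

The retrospective check only works if every inbound and outbound address was recorded at the time of the transfer, which is why the record-keeping requirement sits next to the blacklisting rules.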
Monitoring
● Systematic correlation work
o Association of addresses with entities
o Researcher Sarah Meiklejohn has mapped 1.8 million addresses to 2,197 entities
● Using this data can give a fuller picture of origin of funds
● Data not used as determinative but indicative
o analysis of data helps comply with objective test in
identifying suspicious activity in MLR
Limitation
Use of mixers
● Not necessarily indicative of suspicious activity
● Why? Use of mixers preserves financial privacy of
bitcoin user on the blockchain
● Is of course used for money laundering too
Bona fide
● May be a series of transactions with bona fide
purchasers in between
Conclusion of AML part
● As you can see there are already appropriate measures in bitcoin to address AML risk
● Of course a lot of these systems will be automated, much like identity verification
● Under MLR2007 required to “determine the extent of customer due diligence measures on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction”
Feedback from law enforcement
Jennifer Shasky Calvery, head of the US Treasury
Department’s Financial Crimes Enforcement Network
(FinCEN): “When I put my financial intelligence unit hat on
and we’re trying to trace funds of criminal and other illicit
actors, the reporting that we’re getting from some of the
bitcoin exchangers is quite good,” Calvery said. “They use that technology mind to provide some really good reporting and do work that is incredibly helpful for law enforcement and FinCEN in terms of trying to trace
money.”
Seizing the opportunities..
● Transactional compliance
● Card fraud
● ID fraud
● Bribery
● Ultra-compliance
● Becoming an issuer - Bank of England report
Transaction compliance
● Lloyds Bank Plc - fined by NY District Attorney for
stripping information from transactions involving
sanctioned countries.
● Current financial system runs through correspondent banks and layers of intermediaries
● FATF Recommendation 16 - information regarding the originator and the beneficiary should be included with a wire transfer throughout the payment. This transaction information should be cross-checked against sanctions lists. Patriot Act and use of dollars.
Peer-to-peer transactions
● What if you could have direct peer-to-peer settlement?
Ripple system
● P2P transaction system
● Bank is the gateway to the Ripple network
● Issues Ripple Dollars to sender after CDD
● Sender sends to ultimate beneficiary - cuts out all intermediaries
● Beneficiary redeems Ripple Dollars for real dollars with
same Bank or another Bank that trusts the ‘issuer’
● P2P settlement avoids information stripping possibilities
Card fraud
● UK Payments Council
o card/internet fraud by criminal gangs “main emerging threat”
● Bitcoin as the solution
● Internet/card fraud - criminal steals power of making
future payments. With bitcoin the criminal just steals the
cash. Slight limitation factor on consequences.
● Bitcoin and merchant anonymised payment. No need to reveal identity of sender. Reduces identity theft.
● Surveys showing that bitcoin safer than mobile wallets.
Identity Fraud
● NFA identity fraud cost UK adults £1.2 billion 2011
● In 2011 FSA at the time fined Zurich over £2m for the
loss of 46,000 customer records’ confidential details/
£3m was fined to HSBC
● Re-think identity and centralisation of data. Can the
blockchain help?
● Tokenisation of ID - notaries provide tokens as
confirmation of notarised documents. Tokens unlock
services without divulging personal information.
Bribery Act Compliance
● Extra-territorial effect of the Bribery Act - crime
committed anywhere in the world if deemed to be a
crime in the UK and person has close connection here
● Compliance regarding gift monitoring
● Digital currency and a decentralised blockchain can be
used to seamlessly trace the movement of funds within an organisation
Ultra-compliance
● Disbursement of funds by World Bank through a digital
currency. Assessment of client for safeguards against corruption.
● Remote lock of an address through multi-signature control if recipient address blacklisted or through a smart contract that will automatically monitor sanction lists. Funds frozen by issuer. Effective asset recovery.
● Bona fide purchasers affected by freezing order will
be able to revert to issuer to have replacement tokens.
Becoming an issuer
● Digital currency generally shifting from challenge to opportunity
● Bank of England meeting with UKDCA last year
● Report on central bank as issuer of digital currencies
o What effect on banking business model?
o What effect on existing payment systems?
● There is a tipping point in the movement from the
discussions surrounding bitcoin (the monetary unit) to
that of the blockchain - enhance financial infrastructure
The opportunity - the unbanked
● Access to the unbanked market (2.5 billion adults) which is being targeted by mobile operators
● HSBC/RBS/LLOYDS .. coin could reach all markets
● Implementation cost effective
● Highly secure. Distributed ledger across all HSBC
branches (a server in each branch) to process the
transactions
Conclusion
● Bitcoin is here to stay
● Engage with industry:
o join UKDCA
o provide a bank account to a bitcoin business - EBA
endorses this approach
o understand ‘appropriate measures’ in a bitcoin
business in practice. We have explained some of the
tools available for that.
● Start using the technology - issue your own coin for the
unbanked