The narrative surrounding cryptocurrencies tends to be rather unscientific—even emotional, at times.
On one hand, to supporters, cryptocurrencies are a revolutionary and anarchic tool that challenges the centralised power of governments and the monopoly of mainstream financial institutions.
The general public, on the other hand, all too often seem to embrace the rather unqualified perception that cryptocurrencies are anonymous and inherently dangerous. Some raise concerns that cryptocurrencies are difficult to trace.
But is that actually the case? Cryptocurrencies record transactions on a permanent, immutable ledger, which can offer transparency into financial activity. In reality, most mainstream cryptocurrencies are pseudonymous and become untraceable (or more difficult to trace) only when criminals use devices such as mixers, tumblers and anonymised wallets. The process of tracing and piecing together transactions is possible, although it requires specialised expertise.
So, if not anonymity, then what is the problem?
Our collective understanding of financial crime has evolved and deepened in recent years. High-profile cases have shed unprecedented light on the extent of the problem, as well as its close proximity to our lives.
As one of the many media through which financial crime is perpetrated, cryptocurrencies are in no way unique. As with other ubiquitous structures and technologies, opportunistic criminals have quickly adopted them. Every day, we see cryptocurrencies being exploited to move illicit profits through decentralised marketplaces in order to finance human trafficking, terrorist activities, weapons proliferation, fraud, corruption and reputational whitewashing (amongst other constantly evolving schemes, including those looking to take advantage of the COVID-19 pandemic).
As for their perceived anonymity, much of this comes down to the frequent failure, on the part of regulated firms, to conduct adequate due diligence on the parties and transactions concerned, not necessarily because of an inherent ‘design feature’.
To those of us working to fight and prevent financial crime every day, the primary concern is that the ecosystem in which cryptocurrencies operate provides an attractive and often unregulated (or poorly regulated) parallel infrastructure that can be exploited and used to launder the proceeds of illegal activity.
The toxic combination of a deficit of coherent expertise, a pervasive lack of industry controls, subversive enablers (such as the dark web and shell companies) and an inconsistent approach to regulation makes cryptocurrencies extremely vulnerable to financial crime.
In cases we have seen and investigated, cryptocurrencies are never, on their own, the problem. They exacerbate and add complexity to an already high-risk environment. In other words, behind the firms and individuals that commit financial crime using cryptocurrencies are the same networks of shell and paper companies, the same organised crime groups, the same state-backed actors and the same large-scale corruption schemes that underpin ‘traditional’ financial crime. Cryptocurrencies add a new spin and provide a novel channel. But they are not, inherently, the problem.
What are the key challenges facing regulators and enforcement agencies?
Implementing a coherent framework for regulating and supervising cryptocurrencies is, in itself, a challenge. The simple legal definition is a controversial topic, and one on which various regulators have reached different conclusions.
Even for the jurisdictions that have put in place a legal framework for cryptocurrencies, supervising and enforcing the rules in practice is the harder challenge. It requires extensive familiarity with the technology, deep investigatory expertise, sufficient resources, multi-stakeholder coordination, clear industry guidelines and a strategy for successful regulatory intervention.
That is easier said than done, especially when governments and regulators around the world are still struggling to define the boundaries of responsibilities amongst regulators, financial intelligence units (FIUs), central banks, prosecution services and other law enforcement bodies in relation to ‘traditional’ financial crime.
Perhaps unsurprisingly, amongst the jurisdictions most open to cryptocurrency use (and abuse) are smaller economies that seek to attract crypto-related investment to secure a competitive edge. There would be nothing wrong with that per se, were it not for the fact that the challenge of fighting financial crime already lands disproportionately on these jurisdictions because of the smaller pool of resources available locally. The addition of yet another layer of complexity in the form of cryptocurrencies makes their task even harder and increases the risk for the financial services ecosystem.
At the other end of the spectrum, bans on cryptocurrencies (such as those in China, Iran and Russia, India’s on-again-off-again approach, and the blanket refusal by mainstream institutions to service the crypto industry) are also fostering underground activity. Illicit actors escape these bans by using complex networks of shell and paper companies (a fine tradition of money laundering!) and nominee directors, and by registering entities in jurisdictions with lax supervisory track records. They then deliberately place servers in separate jurisdictions that have weak data governance, making supervision, enforcement and the evidence-gathering process laborious and fraught with red tape.
Is the current regulatory environment making life easy for criminals?
As in numerous other areas (taxation, anyone?), in the absence of a consistent regulatory approach, opportunities for criminals to engage in regulatory arbitrage abound, demanding increased attention and harmonisation amongst jurisdictions around the world.
To date, the regulatory environment has been fraught with inconsistencies in the terminology and supervisory approach used to regulate cryptocurrencies.
In the absence of adequate cross-regulatory and public-private sector collaboration, bad actors exploit the lack of harmonised regulation and information-sharing as a systemic weakness.
Is the immaturity of the industry’s approach to basic controls the biggest threat?
Many firms find themselves unwittingly drawn into criminal activity because of their weak customer due diligence and transaction monitoring controls.
The tokenistic nature of simple controls such as due diligence and transaction monitoring is a problem in the mainstream financial services world. If well-established, global firms with armies of compliance resources fail in this sense, it is not surprising that smaller and leaner outfits, often motivated by the disruptive nature of the technology (and often driven by ideology), who are less familiar with the nastiness of financial crime and the onus of being a regulated firm do, too.
Amongst the weaknesses that firms operating in this space often display is also the inability to detect money mules and stolen identities.
High-risk industries, such as gambling, can also provide criminals with an end-to-end safe haven for money laundering. The combination of brick-and-mortar and online gaming shops that offer cryptocurrencies in exchange for playing chips and cash (both physical and electronic), plus the heavy control exercised in the industry by organised crime, increases the risk exponentially—for example, when playing chips are acquired with cryptocurrencies that have been anonymised through a tumbler.
This toxic combination is not a remote threat but a reality for numerous jurisdictions. And it is not a coincidence. Both sectors represent riskier economic activity that certain jurisdictions find it necessary to attract in order to remain competitive, but which they lack (and often fail to nurture) the depth and strength of expertise to adequately regulate.
So, what can firms do to protect themselves?
More fundamental, perhaps, is the need for firms operating in the crypto space to develop robust control frameworks.
For clarity, buying a ‘KYC system’ that allows remote verification of a customer’s ID does not, alone, constitute robust due diligence.
What does an appropriate control framework look like, then? For one, firms with higher levels of risk exposure (i.e. most of the crypto industry) should protect themselves by integrating financial crime forensics and chain analysis into their existing operations. For firms with greater resources, creating in-house sandboxes is proving to be a valuable testing ground for products and technologies before releasing them for regulatory approval or to the public. The transformative value of the underlying blockchain technology is increasingly pushing larger firms to be more ambitious in their product development and compliance tests.
On the flip side, many small-to-midsize firms in the crypto ecosystem require assistance to enhance even basic Know Your Customer (KYC) and Know Your Transaction (KYT) features. This involves professionalising the compliance function, building cyber resilience, and implementing customer and transactional due diligence procedures, including for ongoing monitoring. Bespoke artificial intelligence and machine learning systems to detect anomalies and automate these processes alongside human expertise have not proven to be out of scope for many industry players, large and small firms alike.
For more traditional financial institutions, the case also exists for developing skills and technologies that might allow them to provide services to the crypto industry. The growing trend of de-risking (in other words, large banks refusing to provide accounts to anyone operating in a high-risk environment) may only be driving cryptocurrencies into darker and unregulated economies. We have seen, for example, perfectly ‘clean’ cryptocurrency operators ending up with bank accounts in financial institutions controlled by organised crime because of their inability to open a bank account with a mainstream institution.
And regulators too?
Yes, regulators also need to act. Not just by designing legal and regulatory frameworks, but by implementing effective and coordinated supervision, as well.
Reconstructing transactions and tracing assets require the specialised technology and knowledge of diverse teams that blend data science, cybersecurity, industry connections and strategic thinking. A case certainly exists to ensure that this robust and consistent expertise is built and maintained.
After all, it seems that cryptocurrencies are here to stay and that it makes sense for all parties involved to become familiar with them. It is up to us to ensure that their utility thrives — just not for the world of criminals and money launderers.
To discuss any of the issues in this article, please contact Miles.Harrison@fticonsulting.com or Roma.Poonja@fticonsulting.com.