Financial Regulation International Financial Institutions

Blog Post

June 17, 2021

Financial services and the privacy challenge

By Dante A. Disparte

Ever stop to think about what it takes to open a bank account, establish credit, or take out a loan? At every financial turn over the course of your life (provided you are born in the right country or postal code), the burden of trust and therefore proof is on you as the consumer of financial services to ensure a broad range of service providers know who you are. Along the way, the sum of your good financial conduct accrues potential rewards in the form of highly prized credit scores, which can lower your annual percentage rates (APRs) on loans and raise your potential credit ceiling – or how much money you can spend using revolving debt. The question is, should so much personal information (including your social security number, date of birth, identification, address, and other personal details) be a prerequisite for something as basic as executing a payment?

According to a wide range of global financial crime compliance laws designed to combat illicit finance such as money laundering, terrorist financing, corruption, bribery, and fraud (among other social ills), knowing who you are as a banking or financial services customer is the first layer of trust in today’s financial system. Yet, in exchange for this burden of trust being placed on the end-users of the system, some prohibitively high barriers to entry are being erected for billions of people around the world. As a gating issue, consumers must satisfy stringent know your customer (KYC) requirements, including satisfying identification demands, as well as evidencing ultimate beneficial ownership for businesses, which is a proverbial “follow the money” strategy. This standard, however, negates the reality that more than a billion people around the world are functionally born in the shadows without a nationally issued identification.

While technology alone is not a panacea for these challenges, it has shown us where policy, regulations, and incumbents have failed to perform. Finance should be accessible and equitable – and protect users’ privacy. In many ways, traditional financial institutions have failed to do either, but the growing adoption of digital currencies and blockchain-based payment systems offer insights about how to drive step change improvements in financial access and privacy, while creating potential exponential gains in financial crime compliance.

In completing KYC checks, which are not a one-time event, but rather part of an evolving web of long-term reporting on potentially suspicious transactions based on risk triggers (such as transaction size or geographic destinations), a global compliance obligation is placed on financial services firms, irrespective of their size. The result is a patchwork world, one in which the country in which you are born will be the equivalent of winning or losing a financial inclusion lottery. For some – in Europe, for example – access to open banking laws along with the world’s farthest reaching privacy regulations, the General Data Protection Regulation (GDPR), grants citizens free basic banking, comparatively fast payments, and a presumption of privacy. In other countries, regions, and continents, the same luxuries of providing financial access with a presumption of privacy are not afforded. This creates sporadic access to formal financial services and exacts the highest costs from people who can least afford even basic, low-level financial transactions or services.

This begs the question: is it possible to invert the pyramid of trust in financial services where the barrier of entry is lowered for financial inclusion? Today, trust is borne by the end-user of the financial system creating a web of interconnected and privacy-eroding datasets. Much of this data, as we learned from the Equifax breach of 2015 (the Exxon Valdez of personal information oil spills), is stored in vulnerable, honey pot databases. In most cases, end-users have limited recourse or knowledge that their personal data was used (or is being used) or compromised, a problem which is exacerbated by the fact that while personal information can be stolen, governments often continue the use of unchanging, vulnerable, alphanumeric identifiers such as Social Security numbers. People are often relegated to requesting annual credit reports or, insidiously, buying an identity theft protection service (often offered by the very firms that exposed their data in the first place) to see if any illicit or suspect activity is occurring with their personal information–functionally making them the product in a financial transaction, rather than the customer or beneficiary. Like so many aspects of the financial system, how personal information flows through and informs financial outcomes is an example of privatizing gain, while socializing losses, all while giving people few tools, little recourse and virtually no economic recompense when their privacy is imperiled.

Turning the financial pyramid of trust on its head is not about abandoning financial crimes compliance rules, notwithstanding their checkered performance even with well-regulated banks. Rather, it is about acknowledging that when these rules, such as the fifty-year-old Bank Secrecy Act, were created, a range of exponential technologies such as public blockchains, digital currencies, and financial integrity capabilities did not exist. Collectively, this modern financial instructructure, which is going through an impressive wave of development and open-source innovation, can show that financial inclusion, innovation and integrity are not tradeoffs. In short, an upgrade is needed not only in how financial integrity rules are applied and harmonized, but critically in how open technology standards, akin to what the Internet achieved with information and communication, are brought to bear.

Financial access, innovation, and compliance are not at odds with each other as important goals in maintaining a safe banking and payments system that is globally accessible. Meanwhile, traditional financial institutions using legacy rails often cite the cost of de-risking–the process of satisfying compliance requirements in complex or opaque geographies– as one of the reasons entire continents and regions are functionally cut off from low-cost, high-trust financial services. Insidiously, certain aspects of the rules that were designed to keep people safe, have actually contributed to a yawning financial inclusion gap greater than 1.7 billion people. In all, approximately three billion people around the world are either unbanked or underbanked. Surely, they cannot all be bad actors, nefarious cyber criminals, child traffickers, and terrorists? While many questions are asked about the potential risks posed by extending the perimeter of payments to the world’s unbanked populations, not nearly enough is asked of the risks of doing nothing, let alone the fundamental inequities that are exacerbated by these issues.

Even in entirely decentralized crypto finance, the power of inverting the pyramid of trust (wherein every actor in a system is trusted and financial networks benefit from accounting fidelity down to the micropayment) is evident. This is compounded by the collective witness and transaction validation processes of public blockchains, but perhaps more importantly by the very transparent nature of transaction ledgering, albeit in a privacy-preserving manner. Ironically, even in cases where the exact identity of a bad actor is unknown, transactions between pseudonymous or anonymous wallet addresses are traceable in near real time.

Critically, as shown by the recent retrieval of the Colonial pipeline ransomware payments in bitcoin, law enforcement may be making gains in the interdiction and reversal of illicit money flows with cryptocurrencies. This can help create a dragnet and bring to bear coordinated law enforcement efforts putting the penalty of misdeeds on bad actors, rather than on all the users of a financial network. Increasingly, even in Internet-scale blockchain-based payment networks, cash-in and cash-out points are pushing money flows into well-regulated virtual asset service providers (VAPS), which are important compliance checkpoints. This is a powerful model of inverting the pyramid of trust and a powerful approach for democratizing access to financial services (a human right), while micro-targeting a very high and exacting cost on bad actors. Pushing back against regulatory arbitrage and globally harmonizing standards, can ensure an open Internet of value exists, without increasing illicit activity.

Processes such as global coordination among Financial Intelligence Units (FIUs), which are national financial intelligence authorities that keep their national and global financial systems safe by tracking, tracing, and reporting illicit or suspect activities are already in play. Blocking suspect blockchain wallet addresses, tracking illicit money flows in near real time, and freezing and geo-fencing transactions, among other options, are giving financial ne’er-do-wells few places to hide in increasingly transparent financial networks, without imperiling every user’s personal information along the way. Inverting the pyramid of trust is essential in a world where so many people are on the margins of the formal financial system, itself an enormous source of socio-political risk and destabilization. More than a billion people would not even be able to satisfy prevailing KYC requirements for opening a bank account or accessing the formal economy because of a global identity gap, which conspires with de-risking rules, poverty and other social ills to force people into the financial shadows. This is in tension with human rights, equity and the Sustainable Development Goals (SDGs), which call for universal access to financial services, and lowering poverty-fighting remittance costs from 7 percent to 3 percent.

Combating illicit finance on public blockchains has already scored some major points and–arguably, given the long head start traditional financial services have compared to the eleven-year-old blockchain market–is showing the potential for exponential gains in financial integrity. Notable examples include the comparatively low financial haul of the 2017 WannaCry ransomware attack, in which despite spreading to more than 150 countries over a weekend, the attackers were only able to retrieve between $50,000 and $70,000 payable in bitcoin. The real economic impact came from second order effects of systemic levels of cyber vulnerability, which totaled more than $4 billion globally and demonstrates that with cryptocurrencies and cybercrime, correlation does not equal causality. Following US election interference in 2016 via a coordinated “psy-ops” campaign on the US electorate, Special Counsel and former Director of the Federal Bureau of Investigation Robert Mueller was able to indict eleven Russian nationals largely because bitcoin wallets gave away crucial clues of the sources and uses of money flows. This type of public auditability, which is increasingly available in near real time via analytics and financial integrity companies like Chainalysis and Elliptic, is not available in other often opaque, backward-looking financial networks. Indeed, because of the power of this transparency and collective witness, it may take criminals a century to extricate ill-gotten funds from compromised bitcoin addresses that they acquired in an exploit in 2016.

If a criminal organization wants to launder billions of dollars, they are becoming increasingly less likely to record their illicit gains in a public, permanent transaction ledger. Indeed, according to Chainalysis, 270 wallet addresses account for 55 percent of money laundering in cryptocurrency, which is a number that is liable to decrease as the cost of crime goes up courtesy of network-wide improvements in financial crime compliance and regulatory harmonization. This should not suggest that blockchain-based financial networks and crypto more generally gets a pass as a risk-free sector. To the contrary, there has been a mix of glaring compliance, fraud, technological, and risk management failures over crypto networks’ maiden decade that have exacted billions in lost value and tarnished a nascent industry’s reputation. At the same time, the potential rewards far outweigh the risks of inverting the pyramid of trust in exchange for basic financial access through for example self-hosted digital wallets.

Many global bodies such as the Financial Stability Board (FSB) and the Financial Action Task Force (FATF), have reviewed the risks of extending the use and perimeter of blockchain-based payments extraterritorially. Not nearly enough work has been done, however, in reviewing the risks of doing nothing about a yawning financial inclusion gap, let alone in reviewing the privacy-eroding vulnerabilities of the existing financial system. By this measure, there is much work to be done in building public-private approaches that enshrine the fundamental rights to financial access, privacy, and the presumption of trust in a financial system, which after all is a public good. Public blockchains offer an opportunity to make exponential gains in this access, along with a growing number of tools and best practices that can maximize the penalty on bad actors privatizing losses, while socializing gain. As the future of money and payments is navigated to potentially include centrally issued and managed digital currencies, including by central banks, privacy as a first principle and the free use of money (to the right of lawful) must be carefully guarded.

Based on the current state of play and the increasingly wide adoption of digital currencies and crypto-assets around the world (most largely developed on public blockchains or with open-source technology principles), below are some policy considerations that can harmonize financial crimes compliance, while protecting privacy:

1. Promote the development, use, and acceptance of digital identity, verification, and authentication standards that can preserve privacy, while at the same time ensuring that public blockchain-based financial services offer no place for bad actors to thrive. In extreme cases, law enforcement can compel positive identification, freeze or retrieve transactions, or block suspicious wallet addresses, working in unison with regulated virtual asset service providers (or VASPs in regulatory parlance) around the world to mitigate illicit money flows.
   
2. Leverage the use of witness nodes and the veritable “looking class” public blockchains afford at the aggregate level for on-chain transactions, which can yield crucial insights on money flows, patterns, financial structuring, and geographic money movement. This aggregate data can improve the signal to noise ratio aiding FIUs, law enforcement, and compliant actors to bring collective resources to bear on combating illicit financing.
   
3. Continue standardizing the use and deployment of blockchain analytics tools, which act as the veritable tripwire, smoke detector, and early alert system that illicit activity may be underway or has occurred, while reinforcing global capabilities in tracking, tracing and retrieving illicit money flows on-chain and in near real time. These capabilities are only improving and are being upgraded to support multiple public blockchains. Comparatively, the same transparency and auditability is not available in closed looped and opaque money movement systems.
   
4. Together with digital identity and authentication standards, stepladder or electronic KYC requirements should be leveraged as a path to lift people out of the opaque and risk-prone informal economy, which contributes to a range of socio-political ills. Broadening public-private partnerships between regulated financial institutions, VASPs, NGOs, and multilateral agencies can extend the perimeter of payments and financial access, without materially increasing financial or privacy risk.
   
5. Leverage public-blockchain based payments for the creation of corruption resistant aid, relief and remittance corridors to ensure taxpayer and donor proceeds do not inadvertently contribute to unintended consequences such as corruption, bribery, and fraud, especially in complex environments. Examples include the recently announced White House initiative to mobilize money to the Northern Triangle states in Central America is emblematic of this use case and can not only help fight poverty, but also help create broader economic security, which mitigates mass migration.
   
6. Harmonize risk reporting standards and destigmatize threat information sharing among and between VASPs, exchanges, traditional financial institutions, and national FIUs, without classifying every potential contact point in digital value exchange as a VASP. This would have unintended consequences of raising the cost of compliance, while not improving risk reporting or the signal to noise ratio. In effect, if every contact point in a cryptocurrency transaction becomes a VASP, it risks the sector going back into the shadows of the decentralized internet, rather than promoting and harmonizing financial crime compliance around the world.
   
7. Improve risk management and authentication at cash-in and cash-out points, particularly with potentially risky geographies, transactions, or patterns. Cash-in and cash-out points (often referred to as fiat on and off ramps) offer important risk control points that can reduce fundamental costs of cross-border payments among other digital currency use cases without sacrificing compliance standards. Data already shows how cryptocurrency flows skew to trusted VASPs, exchanges, and digital wallet providers for these vital real-world bridges. Global coordination on these control points, among bodies like FATF and national FIUs, can maximize barriers to exit for bad actors, while liberalizing financial access for everyone else.

Dante Alighieri Disparte is the Chief Strategy Officer and Head of Global Policy at Circle, a leading digital financial services firm and the principal architect of USDC. He is also a member of the Federal Emergency Management Agency’s National Advisory Council and Founder and Chairman of Risk Cooperative. He serves on the World Economic Forum’s Digital Currency Governance Consortium.