June 17, 2021
Financial services and the privacy challenge
Ever stop to think about what it takes to open a bank account, establish credit, or take out a loan? At every ﬁnancial turn over the course of your life (provided you are born in the right country or postal code), the burden of trust and therefore proof is on you as the consumer of ﬁnancial services to ensure a broad range of service providers know who you are. Along the way, the sum of your good ﬁnancial conduct accrues potential rewards in the form of highly prized credit scores, which can lower your annual percentage rates (APRs) on loans and raise your potential credit ceiling – or how much money you can spend using revolving debt. The question is, should so much personal information (including your social security number, date of birth, identiﬁcation, address, and other personal details) be a prerequisite for something as basic as executing a payment?
According to a wide range of global ﬁnancial crime compliance laws designed to combat illicit ﬁnance such as money laundering, terrorist ﬁnancing, corruption, bribery, and fraud (among other social ills), knowing who you are as a banking or ﬁnancial services customer is the ﬁrst layer of trust in today’s ﬁnancial system. Yet, in exchange for this burden of trust being placed on the end-users of the system, some prohibitively high barriers to entry are being erected for billions of people around the world. As a gating issue, consumers must satisfy stringent know your customer (KYC) requirements, including satisfying identiﬁcation demands, as well as evidencing ultimate beneﬁcial ownership for businesses, which is a proverbial “follow the money” strategy. This standard, however, negates the reality that more than a billion people around the world are functionally born in the shadows without a nationally issued identiﬁcation.
While technology alone is not a panacea for these challenges, it has shown us where policy, regulations, and incumbents have failed to perform. Finance should be accessible and equitable – and protect users’ privacy. In many ways, traditional ﬁnancial institutions have failed to do either, but the growing adoption of digital currencies and blockchain-based payment systems oﬀer insights about how to drive step change improvements in ﬁnancial access and privacy, while creating potential exponential gains in ﬁnancial crime compliance.
In completing KYC checks, which are not a one-time event, but rather part of an evolving web of long-term reporting on potentially suspicious transactions based on risk triggers (such as transaction size or geographic destinations), a global compliance obligation is placed on ﬁnancial services ﬁrms, irrespective of their size. The result is a patchwork world, one in which the country in which you are born will be the equivalent of winning or losing a ﬁnancial inclusion lottery. For some – in Europe, for example – access to open banking laws along with the world’s farthest reaching privacy regulations, the General Data Protection Regulation (GDPR), grants citizens free basic banking, comparatively fast payments, and a presumption of privacy. In other countries, regions, and continents, the same luxuries of providing ﬁnancial access with a presumption of privacy are not aﬀorded. This creates sporadic access to formal ﬁnancial services and exacts the highest costs from people who can least aﬀord even basic, low-level ﬁnancial transactions or services.
This begs the question: is it possible to invert the pyramid of trust in ﬁnancial services where the barrier of entry is lowered for ﬁnancial inclusion? Today, trust is borne by the end-user of the ﬁnancial system creating a web of interconnected and privacy-eroding datasets. Much of this data, as we learned from the Equifax breach of 2015 (the Exxon Valdez of personal information oil spills), is stored in vulnerable, honey pot databases. In most cases, end-users have limited recourse or knowledge that their personal data was used (or is being used) or compromised, a problem which is exacerbated by the fact that while personal information can be stolen, governments often continue the use of unchanging, vulnerable, alphanumeric identiﬁers such as Social Security numbers. People are often relegated to requesting annual credit reports or, insidiously, buying an identity theft protection service (often oﬀered by the very ﬁrms that exposed their data in the ﬁrst place) to see if any illicit or suspect activity is occurring with their personal information–functionally making them the product in a ﬁnancial transaction, rather than the customer or beneﬁciary. Like so many aspects of the ﬁnancial system, how personal information ﬂows through and informs ﬁnancial outcomes is an example of privatizing gain, while socializing losses, all while giving people few tools, little recourse and virtually no economic recompense when their privacy is imperiled.
Turning the ﬁnancial pyramid of trust on its head is not about abandoning ﬁnancial crimes compliance rules, notwithstanding their checkered performance even with well-regulated banks. Rather, it is about acknowledging that when these rules, such as the ﬁfty-year-old Bank Secrecy Act, were created, a range of exponential technologies such as public blockchains, digital currencies, and ﬁnancial integrity capabilities did not exist. Collectively, this modern ﬁnancial instructructure, which is going through an impressive wave of development and open-source innovation, can show that ﬁnancial inclusion, innovation and integrity are not tradeoﬀs. In short, an upgrade is needed not only in how ﬁnancial integrity rules are applied and harmonized, but critically in how open technology standards, akin to what the Internet achieved with information and communication, are brought to bear.
Financial access, innovation, and compliance are not at odds with each other as important goals in maintaining a safe banking and payments system that is globally accessible. Meanwhile, traditional ﬁnancial institutions using legacy rails often cite the cost of de-risking–the process of satisfying compliance requirements in complex or opaque geographies– as one of the reasons entire continents and regions are functionally cut oﬀ from low-cost, high-trust ﬁnancial services. Insidiously, certain aspects of the rules that were designed to keep people safe, have actually contributed to a yawning ﬁnancial inclusion gap greater than 1.7 billion people. In all, approximately three billion people around the world are either unbanked or underbanked. Surely, they cannot all be bad actors, nefarious cyber criminals, child traﬃckers, and terrorists? While many questions are asked about the potential risks posed by extending the perimeter of payments to the world’s unbanked populations, not nearly enough is asked of the risks of doing nothing, let alone the fundamental inequities that are exacerbated by these issues.
Even in entirely decentralized crypto ﬁnance, the power of inverting the pyramid of trust (wherein every actor in a system is trusted and ﬁnancial networks beneﬁt from accounting ﬁdelity down to the micropayment) is evident. This is compounded by the collective witness and transaction validation processes of public blockchains, but perhaps more importantly by the very transparent nature of transaction ledgering, albeit in a privacy-preserving manner. Ironically, even in cases where the exact identity of a bad actor is unknown, transactions between pseudonymous or anonymous wallet addresses are traceable in near real time.
Critically, as shown by the recent retrieval of the Colonial pipeline ransomware payments in bitcoin, law enforcement may be making gains in the interdiction and reversal of illicit money ﬂows with cryptocurrencies. This can help create a dragnet and bring to bear coordinated law enforcement eﬀorts putting the penalty of misdeeds on bad actors, rather than on all the users of a ﬁnancial network. Increasingly, even in Internet-scale blockchain-based payment networks, cash-in and cash-out points are pushing money ﬂows into well-regulated virtual asset service providers (VAPS), which are important compliance checkpoints. This is a powerful model of inverting the pyramid of trust and a powerful approach for democratizing access to ﬁnancial services (a human right), while micro-targeting a very high and exacting cost on bad actors. Pushing back against regulatory arbitrage and globally harmonizing standards, can ensure an open Internet of value exists, without increasing illicit activity.
Processes such as global coordination among Financial Intelligence Units (FIUs), which are national ﬁnancial intelligence authorities that keep their national and global ﬁnancial systems safe by tracking, tracing, and reporting illicit or suspect activities are already in play. Blocking suspect blockchain wallet addresses, tracking illicit money ﬂows in near real time, and freezing and geo-fencing transactions, among other options, are giving ﬁnancial ne’er-do-wells few places to hide in increasingly transparent ﬁnancial networks, without imperiling every user’s personal information along the way. Inverting the pyramid of trust is essential in a world where so many people are on the margins of the formal ﬁnancial system, itself an enormous source of socio-political risk and destabilization. More than a billion people would not even be able to satisfy prevailing KYC requirements for opening a bank account or accessing the formal economy because of a global identity gap, which conspires with de-risking rules, poverty and other social ills to force people into the ﬁnancial shadows. This is in tension with human rights, equity and the Sustainable Development Goals (SDGs), which call for universal access to ﬁnancial services, and lowering poverty-ﬁghting remittance costs from 7 percent to 3 percent.
Combating illicit ﬁnance on public blockchains has already scored some major points and–arguably, given the long head start traditional ﬁnancial services have compared to the eleven-year-old blockchain market–is showing the potential for exponential gains in ﬁnancial integrity. Notable examples include the comparatively low ﬁnancial haul of the 2017 WannaCry ransomware attack, in which despite spreading to more than 150 countries over a weekend, the attackers were only able to retrieve between $50,000 and $70,000 payable in bitcoin. The real economic impact came from second order eﬀects of systemic levels of cyber vulnerability, which totaled more than $4 billion globally and demonstrates that with cryptocurrencies and cybercrime, correlation does not equal causality. Following US election interference in 2016 via a coordinated “psy-ops” campaign on the US electorate, Special Counsel and former Director of the Federal Bureau of Investigation Robert Mueller was able to indict eleven Russian nationals largely because bitcoin wallets gave away crucial clues of the sources and uses of money ﬂows. This type of public auditability, which is increasingly available in near real time via analytics and ﬁnancial integrity companies like Chainalysis and Elliptic, is not available in other often opaque, backward-looking ﬁnancial networks. Indeed, because of the power of this transparency and collective witness, it may take criminals a century to extricate ill-gotten funds from compromised bitcoin addresses that they acquired in an exploit in 2016.
If a criminal organization wants to launder billions of dollars, they are becoming increasingly less likely to record their illicit gains in a public, permanent transaction ledger. Indeed, according to Chainalysis, 270 wallet addresses account for 55 percent of money laundering in cryptocurrency, which is a number that is liable to decrease as the cost of crime goes up courtesy of network-wide improvements in ﬁnancial crime compliance and regulatory harmonization. This should not suggest that blockchain-based ﬁnancial networks and crypto more generally gets a pass as a risk-free sector. To the contrary, there has been a mix of glaring compliance, fraud, technological, and risk management failures over crypto networks’ maiden decade that have exacted billions in lost value and tarnished a nascent industry’s reputation. At the same time, the potential rewards far outweigh the risks of inverting the pyramid of trust in exchange for basic ﬁnancial access through for example self-hosted digital wallets.
Many global bodies such as the Financial Stability Board (FSB) and the Financial Action Task Force (FATF), have reviewed the risks of extending the use and perimeter of blockchain-based payments extraterritorially. Not nearly enough work has been done, however, in reviewing the risks of doing nothing about a yawning ﬁnancial inclusion gap, let alone in reviewing the privacy-eroding vulnerabilities of the existing ﬁnancial system. By this measure, there is much work to be done in building public-private approaches that enshrine the fundamental rights to ﬁnancial access, privacy, and the presumption of trust in a ﬁnancial system, which after all is a public good. Public blockchains oﬀer an opportunity to make exponential gains in this access, along with a growing number of tools and best practices that can maximize the penalty on bad actors privatizing losses, while socializing gain. As the future of money and payments is navigated to potentially include centrally issued and managed digital currencies, including by central banks, privacy as a ﬁrst principle and the free use of money (to the right of lawful) must be carefully guarded.
Based on the current state of play and the increasingly wide adoption of digital currencies and crypto-assets around the world (most largely developed on public blockchains or with open-source technology principles), below are some policy considerations that can harmonize ﬁnancial crimes compliance, while protecting privacy:
- Promote the development, use, and acceptance of digital identity, veriﬁcation, and authentication standards that can preserve privacy, while at the same time ensuring that public blockchain-based ﬁnancial services oﬀer no place for bad actors to thrive. In extreme cases, law enforcement can compel positive identiﬁcation, freeze or retrieve transactions, or block suspicious wallet addresses, working in unison with regulated virtual asset service providers (or VASPs in regulatory parlance) around the world to mitigate illicit money ﬂows.
- Leverage the use of witness nodes and the veritable “looking class” public blockchains aﬀord at the aggregate level for on-chain transactions, which can yield crucial insights on money ﬂows, patterns, ﬁnancial structuring, and geographic money movement. This aggregate data can improve the signal to noise ratio aiding FIUs, law enforcement, and compliant actors to bring collective resources to bear on combating illicit ﬁnancing.
- Continue standardizing the use and deployment of blockchain analytics tools, which act as the veritable tripwire, smoke detector, and early alert system that illicit activity may be underway or has occurred, while reinforcing global capabilities in tracking, tracing and retrieving illicit money ﬂows on-chain and in near real time. These capabilities are only improving and are being upgraded to support multiple public blockchains. Comparatively, the same transparency and auditability is not available in closed looped and opaque money movement systems.
- Together with digital identity and authentication standards, stepladder or electronic KYC requirements should be leveraged as a path to lift people out of the opaque and risk-prone informal economy, which contributes to a range of socio-political ills. Broadening public-private partnerships between regulated ﬁnancial institutions, VASPs, NGOs, and multilateral agencies can extend the perimeter of payments and ﬁnancial access, without materially increasing ﬁnancial or privacy risk.
- Leverage public-blockchain based payments for the creation of corruption resistant aid, relief and remittance corridors to ensure taxpayer and donor proceeds do not inadvertently contribute to unintended consequences such as corruption, bribery, and fraud, especially in complex environments. Examples include the recently announced White House initiative to mobilize money to the Northern Triangle states in Central America is emblematic of this use case and can not only help ﬁght poverty, but also help create broader economic security, which mitigates mass migration.
- Harmonize risk reporting standards and destigmatize threat information sharing among and between VASPs, exchanges, traditional ﬁnancial institutions, and national FIUs, without classifying every potential contact point in digital value exchange as a VASP. This would have unintended consequences of raising the cost of compliance, while not improving risk reporting or the signal to noise ratio. In eﬀect, if every contact point in a cryptocurrency transaction becomes a VASP, it risks the sector going back into the shadows of the decentralized internet, rather than promoting and harmonizing ﬁnancial crime compliance around the world.
- Improve risk management and authentication at cash-in and cash-out points, particularly with potentially risky geographies, transactions, or patterns. Cash-in and cash-out points (often referred to as ﬁat on and oﬀ ramps) oﬀer important risk control points that can reduce fundamental costs of cross-border payments among other digital currency use cases without sacriﬁcing compliance standards. Data already shows how cryptocurrency ﬂows skew to trusted VASPs, exchanges, and digital wallet providers for these vital real-world bridges. Global coordination on these control points, among bodies like FATF and national FIUs, can maximize barriers to exit for bad actors, while liberalizing ﬁnancial access for everyone else.
Dante Alighieri Disparte is the Chief Strategy Oﬃcer and Head of Global Policy at Circle, a leading digital ﬁnancial services ﬁrm and the principal architect of USDC. He is also a member of the Federal Emergency Management Agency’s National Advisory Council and Founder and Chairman of Risk Cooperative. He serves on the World Economic Forum’s Digital Currency Governance Consortium.
At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.