Some in the A cryptocurrency (or crypto currency) is a digital asset des... More community were caught off guard when the global financial watchdog, the Financial Action Task Force (FATF), recently endorsed much tougher guidelines for monitoring and transferring virtual assets. Its “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (VASPs)” recommends a new set of rules that would require VASPs to transmit sender and receiver information with crypto assets transfers similar to how banks share wire information under the BSA. With a deadline for compliance set for June 2020, this information sharing requirement presents an enormous technical and business challenge for exchanges and other VASP as well as banks that knowingly or unknowingly facilitate cryptocurrency.
In response, CipherTrace held the first ever Cryptocurrency Travel Rule Compliance Conference and Hackathon in San Francisco on November 5 and 6, 2019. The event focused on industry collaboration to develop open solutions that cryptocurrency exchanges, hedge funds, blockchains and banks urgently need to comply with both the FATF and BSA Travel Rules. For those that were unable to attend, here are the key takeaways from the conference.
FinCEN Gets Serious About Enforcement
While the FATF’s new regulation and upcoming compliance deadline has dominated the news, many cryptocurrency exchanges, banks, and other financial institution did not understand that FinCEN had already declared that the Bank Secrecy Act (BSA) funds Travel Rule also applies to virtual assets and is already in effect. In a keynote address at the Conference, FinCEN Cyber and Emerging Tech Policy Specialist, Carol House, reminded cryptocurrency MSBs that the BSA travel rule has applied to crypto assets since 2011, and that FinCEN is serious about enforcement. “Let’s be clear upfront on an issue that I think there’s been some confusion around how that impacts a culture of compliance. The so called FATF travel rule that’s in discussion here and in other places—many call it the FATF travel rule—has been a regulatory obligation for businesses in the United States dealing in virtual currency since 2011. Our delegated examiners at the IRS have been examining and issuing citations for noncompliance with these requirements since they began conducting examinations on virtual currency businesses as of 2014,” emphasized House. She also cited Ripple and BTC-e among several examples of enforcement actions.
House also reminded the crowd that crypto exchanges are, in fact, financial institutions. This means, whether you’re a virtual currency exchanger or a bank, both entities are bound by BSA obligations like the funds Travel Rule, which, in addition to the information sharing requirement, requires the party initiating a transfer of fiat or CVCs to know the entity on the other side of the transaction. This applies to VASP-to-VASP or bank-to-VASP transactions and vice versa.
House made it clear that compliance with both FinCEN and FATF Travel Rules require a financial institution to know when their counterparty is a financial institution. But she questioned if financial institutions fully understood these obligations, saying: “It would be interesting to know how many financial institutions operating in this space are able to identify a recipient as a financial institution on the basis of its wallet reference number, or the other information that it currently has available to it.”
To highlight the global impact of regulations such as the FATF’s Travel Rule, Homeland Security Investigations Supervisory Special Agent, Lee Brown, educated attendees on the rise of professional money launderers and their abuse of jurisdictions with little to no crypto AML regulations. Global standards for cryptocurrency transactions like the Travel Rule could help to mitigate the success criminal groups like these can have around the world. According to Supervisory Special Agent Brown, money laundering naturally migrates to jurisdictions with weak AML regimes. This emphasizes the importance of FATF’s new regulations creating a consistent international framework when it comes to crypto, helping to mitigate criminal use of jurisdictional arbitrage to find the path of least resistance for money laundering.
In his keynote address, Supervisory Special Agent Brown, stated that the root of all his investigations—whether it be terrorism, human trafficking, narcotic trafficking, or any other national security risk—is always money laundering. He states, “HSI looks at everything from narcotics, counter proliferation investigations, human trafficking, etc. But At the root of it is always money laundering. At the root of it is that all these illicit actors want to gain some profit and in order to spend that profit they need to make sure that law enforcement doesn’t get wind of it…” Sophisticated criminal organizations, whether they be cartels, terrorist organizations, or the like, are going to go to professional money laundering networks, whose main goal is to obfuscate beneficial owner information. Regulations like the Travel Rule are meant to prevent this obfuscation from happening.
Privacy Coins and Compliance
Both the FATF and BSA requirements for virtual assets and virtual asset service providers go beyond simply sharing PII to include a risk-based approach, and exchanges were quick to react with several exchanges already banned the coins well before the start of the conference in anticipation for compliance. This caused a need for privacy coin developers to fully understand their true obligations under the new regulations and advocate to exchanges their path to compliance.
Ryan Taylor, CEO at DASH Core Group Inc., explained, “We tend to treat cryptocurrencies very binary—they’re either privacy coins or they’re not. What does that actually mean? In the case of Dash, we were the first to implement a feature that was proposed by Bitcoin is a digital currency (also called crypto-currency) ... More at the time called CoinJoin. It’s a wallet level technique that allows any transparent A blockchain—the technology underlying bitcoin and other c... More to enhance the user privacy. Since Dash did it in 2014, Bitcoin did it in 2015. Then they added off-chain transactions with Lightning. Does that now make bitcoin a privacy coin? It should, if Dash is one. I think we need to go beyond this binary treatment, look at the actual technology, how can we adapt to it, are there ways to deal with it.”
The panel reiterated that FATF and FinCEN are not advocating an outright ban on privacy coins as long as controls are in place to mitigate the risks associated with their anonymity enhanced features, similar to how many exchanges already have procedures to mitigate risks resulting from bitcoin associated with anonymizing services, such as mixers.
The Growing Trend of Hidden Crypto in Banks
As more mainstream consumer and institutional investors embrace cryptocurrencies, it becomes increasingly difficult for traditional financial institutions to avoid interactions with the crypto economy. The Banker’s Perspective panel underlined this unavoidable path by highlighting the growing trend of hidden crypto businesses operating in banks.
Recounting her time working as Senior AML Investigator at a bank, Erin O’Laughlin explained the trend of covert crypto payments she and her colleagues saw, and how vital training was to properly recognizing these crypto transactions, expressing “the investigator has to learn how to look at the ACH transactions going out. You see an ACH transaction going out, you’ll know that’s a virtual currency exchanger if you do your homework. And that’s the problem, because training [on cryptocurrency] is not on the list of priority skills for an AML investigator inside a bank.”
What Does Travel Rule Compliance Look Like?
With pending compliance coming at the industry like a freight train, and many of the key players it influenced in the room, the conference ended with an overview of what compliance with the Travel Rule should look like for it to be accepted by the crypto community. A solution’s acceptance would depend greatly on the technology and governance model upon which it is built, and any solution must solve the obvious conundrum — how to share personally identifiable information, technically known as PII, while not violating the expectations of cryptocurrency users for privacy. Issues brought up were scalability, interoperability within different jurisdictions, and the urgency created by FATF’s upcoming deadline.
CipherTrace CEO Dave Jevans concluded the conference by explaining various proposed solutions and the issues that encompassed them, as well as presented his thoughts on TRISA—the Travel Rule Information Sharing Architecture.
According to Jevans, modifying all the blockchains to be travel rule compliant vis-a-vis hard forks wouldn’t work because, at the time of the conference, there are already over 1600 currencies and every single one would have to be modified to be compliant. A separate system that could overlay and work with any blockchain would be the more practical choice. Additionally, a centralized service, similar to banks and the SWIFT system would be more susceptible to hacks, power outages, and DDoS, according to Jevans. Taking out a cryptocurrency SWIFT system has the potential to halt all crypto trading through exchanges for the time of the attack. Lastly, any solution controlled by private entities introduced interoperability issues, privacy chokepoints, jurisdictional issues, and payment walls.
Instead, Jevans proposed the Travel Rule Information Sharing Architecture (TRISA), which CipherTrace developed and gave to the community as open source and is built upon security and cryptography technologies that have been proven for years in securing e-commerce, banking, and sensitive government communications. TRISA is provided free of charge as an open source architecture and software. The solution has the following characteristic that the VASP community requires. It is Open source, decentralized, scalable and confidential.
Crypto Comes of Age
For better or worse, the enormous challenges presented by Travel Rule compliance may be just the catalyst that takes cryptocurrency to the state of ‘respectability’ required for broad adoption. It will force VASPs to find a workable solution that gets bad actors off of crypto asset platforms while preserving the confidentiality of user data. This next-generation crypto compliance regime could create fungible and trusted virtual assets that are supported by regulators. This more mature approach to confidential, trusted, and decentralized exchange of virtual assets has the potential to create a multi-trillion-dollar crypto economy.