The Colonial Pipeline ransomware attack earlier this year, and the FBI’s laudable success in recovering a large portion of the ransom paid, kept the focus on yo-yoing crypto currencies – whose year so far has been, in Chaucer’s words, “Now up, now doun as boket in a welle”.
This time the focus was not on their volatile market value, but on their use by criminals, particularly cyber criminals. The FBI have very rightly decided that a key tactic in the fight against cybercrime has to be to make sure it does not pay.
As the Economist noted in one of its June 21 editions,
“Governments should police the boundary between the orthodox financial system and the shadowy world of digital finance. Ransoms are often paid in cryptocurrencies. It must be made harder to recycle money from these into ordinary bank accounts without proof that the money has a legitimate source. Likewise with cryptocurrency exchanges, which should face the same obligations as established financial institutions.”
But none of this is new. Ever since upstart tech companies started chipping away at highly regulated activities, previously the preserve of banks, their main competitive advantage has been the lower regulatory bar. This has opened the door wide to ransomware attackers and other financial criminals.
At a recent conference on crypto currencies it was revealed that only thirty-something countries had any sort of registration regime for crypto asset enterprises – the UK being one of them. Given that Bitcoin has been around since 2009, and given the explosive growth of crypto and digital finance over the past decade, you might ask why regulation is taking so long to close the gaps.
Whatever the reasons, it is not for lack of appreciation. Governments and regulators have been discussing the problem with the private sector for some time. A big step forward was taken in late 2018 when FATF clarified that virtual assets fell within its remit. But all the thinking and consultation is being outpaced by technological and marketplace developments. Add to this the need to corral all the globe’s jurisdictions to have any chance of having an effective response, and the scale of the challenges starts to become apparent.
A key facet of the approach has been private/public partnerships (PPP). This is exemplified by the FCA’s “sandbox” approach. However, relying too heavily upon private and industry co-operation has its dangers – not least the time it takes to get consensus. Although regulators often point to buy-in for regulation by institutional investors in crypto assets, fundamentally private interest objectives can never be fully congruent with the public interest.
Complexities arising from new technologies also necessitate a “whole infrastructure approach” – meaning (inter alia) defining jurisdictions, responsibilities, re-codifying rules and laws, and creating channels for enforcement, often across national borders. Again that takes time.
The man in the street might reasonably ask, if it takes this long to fix issues in the financial world, would it not have been better to prevent rather than cure? Most laymen would be unaware of the common law principle that if a product or activity is not expressly forbidden, then it is allowed. Nevertheless, given our better understanding of the damage to ordinary lives these products can facilitate, it is to be hoped we can find a better way of dealing with financial innovation.
The FCA in the UK provides a salutary lesson for other regulators. In January 2020 the FCA decided to get its hands round crypto assets (one of the first regulators to do so). Unfortunately its decision to register firms dealing in crypto assets has not been an unqualified success. Only five firms were set to meet the regulatory standards by 9th July of this year, so the FCA has been forced to extend the deadline to March 2022, and set up a temporary register instead (Temporary Registration Regime – TRR).
Theoretically, registered crypto asset firms in the UK needed to be compliant with money laundering laws and regulations. But the temporary register, which contains over eighty entities, is by definition for those who are not. Thus the overwhelming majority of crypto financial products and enterprises in the UK are very probably blind to any financial malfeasance they could potentially be facilitating.
If that was the only concern we might be able to shrug it off with a dose of pragmatism, but it is not the only concern. An even bigger concern is that only a small proportion of the non-compliers on the temporary list are solely engaged in crypto assets.
Most firms in the TRR fit the broad definition of fin-tech, or digital finance, in that they offer a range of on-line financial services and products – including credit cards, on-line payments, currency exchange, consumer lending, market trading and broker facilities, and e-wallets. Although it is impossible to be sure that any or all of these products and services are as deficient as crypto assets when it comes to meeting regulatory standards, an across-the-board deficiency would be a fair assumption.
My look last year at one on-line payment service provider, widely used by cyber sex participants (https://www.thesearchgroup.com/talking-points/page/2/), exposed the sort of deficiencies digital finance suffers from. Fatal flaws with identifying transacting parties, relationships with dubious customers, and little in the way of KYC were the most obvious. All this provided a gateway into the mainstream banking system. Remember what the Economist said about recycling digital money into ordinary bank accounts!
Another area of concern for the digital outfit in question was its regulatory status. Even if it was “regulated”, as it claimed, in five jurisdictions, the regulation had made little impact on its financial crime compliance and other deficiencies. Then there was the question of the other 195 jurisdictions it served, where it must be inferred there was no regulatory registration (or possibly oversight). The issue of who regulates what and where is as much an unanswered question for digital finance as for cyber currencies.
Lastly, one has to fret about any regulator’s ability to police all this. Notwithstanding digital finance’s supposed benefits (namely, financial inclusion, financial justice, reduced corruption and so forth) there will be a cost. There may be good estimates of such costs, but if there are, these are not widely published. Accordingly, can the public be sure regulatory and enforcement agencies will be funded and resourced appropriately to combat threats that (as we have seen with Colonial) can affect their lives – albeit indirectly?
The World Economic Forum (WEF) makes the same points as the Economist, but even more specifically (see its May 2021 publication, “5 urgent actions in the fightback against ransomware”). It states that “Governments must … ensure exchanges, kiosks and over-the-counter trading desks comply with existing regulations, including know your customer, anti-money laundering, and combatting financing of terrorism laws”.
The fact that most governments have not enforced existing regulations yet has allowed a sector to propagate that (if left unsupervised) is ultimately as much a threat to laissez faire administrations as it is to the rest of us.
Until the Economist and WEF get their wishes, it is not just the investment “community” in jeopardy, but critical infrastructure and much more besides. A crypto currency and digital finance issue is now also a cyber security issue, national or otherwise.
Don’t go away, FBI!
The author leads TSG’s Advisory Services. He has spent many years in law enforcement and banking specialising in financial crime risk and compliance. TSG is a Research (including due diligence) specialist, also offering Ethics Compliance and Advisory services to its clients. TSG offers expertise in Eastern Europe, as well as East Asia.