By Miles Harrison, FTI Consulting
The narrative surrounding cryptocurrencies tends to be rather unscientific — even emotional, at times.
To supporters, cryptocurrencies are revolutionary and anarchic tools that challenge the centralised power of governments and mainstream financial institutions.
On the other hand, many believe that cryptocurrencies are inherently dangerous. We also hear concerns that cryptocurrencies are difficult to trace.
But what lessons can we draw from investigating the illicit use of cryptocurrencies? Cryptocurrencies record transactions on a permanent, immutable ledger, which can offer transparency into economic activity. In reality, most cryptocurrencies are pseudonymous and become untraceable (or more difficult to trace) when criminals use devices such as mixers, tumblers and anonymised wallets. The process of tracing and piecing together transactions is possible, although it requires specialised expertise.
Identifying the problem
Our collective understanding of financial crime has evolved and deepened in recent years. From the Panama Papers to the Baltic money laundering scandals, high-profile cases have shed unprecedented light on the extent of the problem, as well as its proximity to our lives.
Cryptocurrencies are a novel technology, but as one of many media through which financial crime is perpetrated, they are in no way unique. From fiat currency to Bitcoin, opportunistic criminals merely identify weaknesses in the system—especially insufficient regulatory oversight and weak financial crime prevention frameworks—to take advantage of jurisdictions and firms alike.
To those of us working to prevent financial crime, the primary concern is that the ecosystem in which cryptocurrencies operate attracts criminals seeking to exploit the lack of robust financial crime controls and the promise of an unregulated (or poorly regulated) parallel financial infrastructure.
Illicit actors are highly attuned to the weaknesses in the cryptocurrency ecosystem and are quick to exploit them. Every day, we see cryptocurrencies being used to launder proceeds through decentralised marketplaces to finance bribery, corruption, fraud, human trafficking, reputational whitewashing, terrorist activities and weapons proliferation (amongst other constantly evolving schemes, including those looking to take advantage of the COVID-19 pandemic).
However, in many cases we have seen and investigated, cryptocurrencies are not, on their own, the problem. Instead, they exacerbate and add complexity to an already high-risk environment. Behind the firms and individuals that commit financial crime using cryptocurrencies are the same large-scale corruption schemes, the same state-backed actors, the same organised crime rackets, the same malicious cyber activity and the same networks of shell and paper companies that underpin ‘traditional’ financial crime.
Cryptocurrency schemes rely on these subversive enablers—from the dark web to mixers—not because of an inherent technological feature, but because criminals make use of convenient opportunities to obfuscate the economic chain that links their proceeds to the underlying crimes.
Much of this nefarious activity comes down to an inconsistent approach to regulation and the frequent failure by regulated firms to conduct adequate due diligence on the parties and transactions concerned. Along with a deficit of adequate expertise, this toxic combination makes cryptocurrencies extremely vulnerable to financial crime.
Challenges facing regulators
Many jurisdictions find that implementing a coherent framework for regulating and supervising cryptocurrencies is, in itself, a challenge. The legal classification is a controversial topic and regulators have adopted various definitions.
For jurisdictions that have designed a legal framework for cryptocurrencies, supervising and enforcing the rules in practice is the harder challenge. It requires extensive familiarity with the technology, deep investigatory expertise, sufficient resources, multi-stakeholder coordination, clear industry guidelines and a strategy for successful regulatory intervention.
That is easier said than done, especially as governments around the world often struggle to define the boundaries of responsibility between regulators, financial intelligence units (FIUs), central banks, prosecution services and other law enforcement bodies in relation to ‘traditional’ financial crime.
In our work with regulators and the public sector, we have found that the intra-jurisdictional and cross-border infrastructure is not yet prepared to supervise the risks posed by cryptocurrencies. Perhaps unsurprisingly, the jurisdictions most open to cryptocurrency use (and abuse) are smaller economies that seek to attract crypto-related investment. There’s nothing wrong with securing a competitive edge per se, but it ignores the fact that fighting financial crime already lands disproportionately on these countries and territories because of a smaller pool of resources available locally. The addition of yet another layer of complexity in the form of cryptocurrencies makes their task even harder and increases the risk for the financial system as a whole.
At the other end of the spectrum, cryptocurrency bans (e.g. in China and Russia) and blanket refusals by mainstream institutions to service the industry also foster underground activity. Illicit actors escape these bans by incorporating complex networks of shell and paper companies using nominee directors and jurisdictions with lax supervisory track records. They then deliberately place servers and other assets in separate jurisdictions that have weak data governance, making the task of supervision, enforcement and evidence-gathering laborious and fraught with red tape.
As with other areas of transnational economic governance (taxation, anyone?), opportunities to engage in regulatory arbitrage abound. In the absence of increased attention, knowledge-building and public-private collaboration, criminals and other bad actors will continue to exploit the lack of coordinated regulation and information-sharing as a systemic weakness.
The industry’s immature controls
Despite high-profile examples of crypto firms wilfully engaging in financial crime (BTC-e, Quadriga), many legitimate operators are exposed to criminal activity because of weak customer due diligence and transaction monitoring controls.
If well-established, global financial services firms with armies of compliance resources fail to establish more than tokenistic compliance controls, it is not surprising that smaller and leaner crypto outfits—often motivated by the disruptive nature of the technology—who are less familiar with the nastiness of financial crime and the responsibilities of being a regulated firm do, too.
Amongst the weaknesses that crypto firms often display is the inability to detect money mules and fraudulent identities. In one instance, we unravelled a scheme run by a string of politically-connected individuals who used simple pseudonyms to extort a journalist. The perpetrators then requested a ransom payment in Bitcoin to be transferred to a crypto wallet provider incorporated in an offshore jurisdiction that lacked appropriate due diligence controls to identify the illicit coins.
Weak controls are so widespread that no one area of society is immune. Problematic crypto-exchanges facilitate large-scale money laundering by organised crime and cyber espionage groups that engage in election manipulation and human trafficking. Even for exchanges that purport to have some semblance of financial crime controls, they are usually not sophisticated enough to detect funds moving through the common stages of money laundering let alone those integrated and layered into the system using anonymising devices.
A common typology that we encounter in this space links third-party payment service providers (PSPs) with crypto exchanges and other electronic money institutions. Crypto exchanges direct users to deposit and withdraw funds via PSPs and therefore avoid collecting customer due diligence information. The exchanges and their PSP partners are controlled by a vast network of shell and paper companies, making it nearly impossible to identify beneficial ownership—although we have employed sophisticated intelligence-gathering methods to expose these networks on multiple occasions.
The gambling industry can also provide criminals with an end-to-end safe haven for money laundering. Financial crime risks increase exponentially when brick-and-mortar and online gaming shops offer cryptocurrencies in exchange for playing chips and cash (both physical and electronic)—particularly given the heavy control exercised in the industry by organised crime. We have come across gaming firms that are completely oblivious to the risk of playing chips being acquired with cryptocurrencies that are anonymised, for instance, through a tumbler.
This toxic combination is not a remote threat but a reality for numerous jurisdictions. And it is not a coincidence. Both sectors represent riskier economic activity that certain jurisdictions find it necessary to attract in order to remain competitive but lack (and often fail to nurture) the depth and strength of expertise to adequately regulate.
What can firms do to protect their operations?
Arguably, the most fundamental step for firms operating in the cryptocurrency space is the need to implement robust control frameworks.
To be clear, buying an off-the-shelf ‘KYC system’ that enables remote verification of a customer’s ID does not constitute robust due diligence.
What does an appropriate control framework look like, then? Firms with higher risk exposure (i.e. most of the crypto industry) should protect themselves by integrating financial crime forensics and chain analysis into their existing operations. For firms with greater resources, creating in-house sandboxes is proving to be a valuable testing ground for products and technologies before releasing them for regulatory approval or to the public. The transformative value of the underlying blockchain technology is increasingly pushing larger firms to be more ambitious in their product development and compliance tests.
On the flip side, many small-to-midsize firms in the crypto ecosystem require assistance to enhance even basic Know Your Customer (KYC) and Know Your Transaction (KYT) features. This includes professionalising the compliance function, building cyber resilience and implementing customer and transactional due diligence procedures, including for ongoing monitoring. Bespoke artificial intelligence and machine learning systems to detect anomalies and automate these processes alongside human expertise have not proven to be out of scope for many industry players, large and small firms alike.
For traditional financial institutions, cultivating the necessary skills and technologies to extend services to the crypto industry in a safe and responsible manner is a promising development, since the tendency to de-risk only drives cryptocurrencies into darker, unregulated economies. We have seen perfectly ‘clean’ cryptocurrency operators end up with bank accounts in financial institutions controlled by organised crime because of their inability to open an account with a mainstream institution.
What about regulators?
Yes, regulators also need to act—not just by designing a legal framework, but by backing it up with coordinated and effective supervision.
Reconstructing transactions and tracing assets require the specialised technology and knowledge of diverse teams that blend data science, cybersecurity, industry connections and strategic thinking. A case certainly exists to ensure that robust and consistent expertise is built and maintained.
After all, cryptocurrencies are here to stay and it makes most sense for all parties involved to become familiar with them. It is up to us to ensure that their utility thrives — just not for the world of criminals and money launderers.