In Conversation with Malcolm Wright:
The importance of financial crime prevention and cryptoasset compliance
Malcolm Wright, Chief Compliance Officer at Diginex chairs the Global Digital Finance AML|CTF|KYC Working Group who led the Global Digital Finance response to the Financial Action Task Force (FATF) Interpretative Note issued in February, which consulted on Virtual Asset Service Providers and mitigating the risks of money laundering and terrorist financing.
Wright, a veteran of the financial services world, has spent a decade working on KYC and compliance issues, and now spends his time at the intersection of KYC and digital assets. He sat down with Nicolaas Koster, Product Manager at ConsenSys to discuss digital asset KYC & AML and the recent guidance from the Financial Action Task Force (FATF).
Koster: Some people may not be familiar with the concept of Know-Your-Customer (KYC). What it is and why is it important?
Wright: KYC is essentially about answering the question “Who are you?” then validating that “You are you”. It is a fundamental question a bank must ask before bringing a customer on board.
Governments around the world have mandated a series of rules to prevent criminals and terrorists from gaining access to the financial system. As financial technology evolves, regulators update the rules to ensure they are still fit for purpose. And that’s where an industry body like GDF comes in: to provide an industry viewpoint to policy-makers from those at the front face of technological and compliance innovation emerging through digital assets.
Koster: I think there is a misconception held by some in the space that it is fruitless to perform KYC on digital assets because they hard to trace. There is no name attached to a Bitcoin address, for example.
Wright: This is certainly a misconception. Whilst it is true to say there is no name attached to a Bitcoin address the industry is still able to protect the ecosystem from illicit activity. Exchanges and providers of services intersecting the physical and digital worlds are the gatekeepers to protecting the ecosystem from financial crime. Done well, KYC and AML can help mitigate the risk of illicit activity involving digital assets — perhaps even further than traditional financial institutions.
Industry bodies such as Global Digital Finance are helping the industry by setting global standards for best practices. I currently lead the working group developing the AML code of conduct principles and a detailed best practice guide that will provide a guide for digital asset firms on how to implement a strong KYC and AML regime. These draft principles are available for public consultation input now until 31 August 2019. Implementing a common industry approach will make it more difficult for criminals to exploit weak points in the ecosystem.
Koster: The KYC-AML questions around digital assets seems to have been around since the inception of the technology itself. FinCEN released guidance in 2013 for exchanges and other users of digital assets and they recently published an update. Have we reached another inflection point in how regulators are approaching the technology? What are some of the most notable events happening right now in the regulatory sphere?
Wright: The Financial Action Task Force (FATF), the global body assigned responsibility for standards-setting in AML, recently adopted principles to protect digital assets from being used for illicit activity. The recommendations were announced in February 2019 with one point open to industry consultation; a process that concluded early-May with a public sector consultative forum where the industry was invited to Vienna to provide feedback to the FATF.
The industry was keen to address two key areas; first, that it is wholly supportive of efforts to prevent this new financial ecosystem from being used for illicit purposes but second, that one of the recommendations being made to implement the ‘travel rule’ for virtual asset transactions could have a significant impact on the digital asset industry and could result in unintended consequences.
The Financial Action Task Force (FATF) ratified this recommendations on 21 June 2019. Virtual Asset Service Providers are now challenged with finding a solution to comply with the guidance.
Another regulatory challenge involves the classification of tokens and there is increased awareness from regulators that clear guidance is required, alongside additional legislation in some cases.
The regulatory approach has included revised or reissued guidance, and in some cases enforcement actions focussed on where consumer (or utility tokens) are actually financial asset (or security) tokens. In this regard, digital asset firms should take care when considering the classification of a token, not only in the jurisdiction of where the firm is based but also where their customers may be and whether a consumer token is actually a financial asset token in everything but name.
Koster: Standard vocabulary seems to persist as a challenge. One person’s “virtual assets” are another person’s “digital assets”. Aren’t they all just the same thing, with slight variations?
Wright: Let me give you an example: whereas FATF refers to “virtual assets”, the parliament of the European Union recently released an updated version of its 5th Anti-Money Laundering Directive referring to “virtual currencies”. The UK Treasury, in its interpretation of the EU’s directive, asked the industry within their consultation whether “cryptoassets” encompass non-currencies like security tokens or utility tokens.
The lack of standardisation of definitions causes confusion. Regulators are defining terms and their meaning on a national and intra-agency level, which can lead to regulatory arbitrage; where the regulation differs from country to country and illicit actors seek to take advantage of the weakest regulatory standard.
The Cambridge Centre for Alternative Finance recently published a Global Cryptoasset Regulatory Landscape Study in which they surveyed 23 jurisdictions and found that over time terminology has evolved, but still remains broadly unharmonised amongst policy makers.
Global Digital Finance produced a Taxonomy that gives us standard language to use, but we still have a way to go before we all, regulators and industry alike, use the same words that imply the same meaning.
Koster: It seems like one of the positive features of public blockchains that is often overlooked is the traceability of transactions. Do you agree?
Wright: Indeed, if you look at the Binance hack, you will have noticed that the transaction analysis firms Elliptic, Chainalysis, Ciphertrace, and Coinfirm were all able to track the stolen tokens in real time. Binance also took proactive steps to alert the industry. We currently know, for example, that the coins are sitting in just a handful of addresses. This is something that cannot be done in the traditional banking sector, and certainly not in real time.
The missing component though is real-time wallet identification; in the case of Binance we do not know who owns these wallets or where they are located. Global Digital Finance proposed in its response to the FATF consultation a solution that could provide a mechanism for identification, and that could
then provide a global rapid response to benefit both law enforcement efforts and digital asset firms.
Koster: But shouldn’t ordinary users be worried if their data gets placed on the blockchain that it is visible for everyone to see?
Wright: There are legitimate privacy concerns associated with storing personal information on blockchains, and within the GDF’s Working Group, we unanimously recommend against storing private data on the blockchain. Hogan Lovells, a fellow GDF Patron Member, produced a fantastic paper in September 2017 titled ‘A Guide to Blockchain and Data Protection’ which is well worth reading to understand just how complex this issue is; for example, even hashing of data on the blockchain may be insufficient protection.
Ultimately, data privacy must be technology agnostic; GDPR is GDPR whether you are using blockchain or not and it represents the rights of over half a billion people. With other nations now introducing similar privacy legislation, ignoring this now and creating an immutable ledger one hopes to fix later would not be a prudent approach.
Koster: From a KYC standpoint, are we ready for digital assets to go mainstream? If not, what will it take for us to get there?
Wright: Yes in some ways we are ready, but not fully. Today, I still see too many digital asset firms that lack the necessary compliance skillset or awareness to be considered as legitimate.
At Diginex, my mandate is to make compliance front and centre of everything we do. We believe an uncompromising approach to compliance requires real-world compliance experience combined with an understanding of the technologies being used.
Digital firms need to embrace that KYC is no longer optional; understanding what good looks like should be imperative to every cryptoasset firm and they need to employ qualified staff and build appropriate policies and procedures to prevent financial crime.
Although it sounds like a pitch for GDF (which, yes, a little it is!) joining Global Digital Finance and engaging in the work the AML working group is undertaking provides valuable exposure to defining and implementing best practice with some of the top firms globally.
Diginex creates distributed ledger technology solutions that make digital assets more accessible, business processes more efficient, and societies more secure. We accomplish this by bringing together financial services professionals, blockchain developers, and strategy consultants united by the belief in the transformative potential of blockchain technology.
ConsenSys is solving real-world problems with Ethereum blockchain solutions for organizations of all sizes, from the local community to the global enterprise.
