Regulatory Tech Sprints

Recently American Banker lauded an effort to hold industry “tech sprints” to combat financial crime, particularly money-laundering.   These have indeed been showing up with more regularity, and hopefully will have an impact on the prevention of financial crime.  Some code developed for such competitions is likely unworkable, but will foster ideas.

One such sprint, held in the UK back in July, was focused on privacy-enhancing technologies — often blockchains built around revealing only specific details needed to facilitate transactions.  While the effort seems to be around preventing identity theft, it doesn’t seem like this will prevent the bulk of money-laundering.

In the US, various laws (or lack thereof) make money laundering relatively simple: the lack of oversight of shell corporations, for example, or the absence of strict beneficial ownership or corporate transparency laws.  Acts proposed in Congress since the early 2000s have languished in committee.

Trade finance is another huge hole in money-laundering investigations, since most banks don’t have the big data teams in place to correlate the letters of credit with international shipping documents and insurance papers, and OFAC lists on things like vessel names cause so many false positives (imagine doing word searches on free-form party text fields for words like “TOUR 2” or “JASMINE” — either of which could show up in customer names for companies, and obviously the latter of which could cause a hit on individuals) that it’s hard to imagine banks keep looking at them.

On the smaller end of the scale, low-level drug dealers can always launder funds with gift cards.  Signs restricting sales of gift cards to five or ten per customer have become common in drug stores in some areas, but even the presence of such signs means anyone wanting to launder money knows they simply need to visit multiple stores (or find one with more… let’s say, flexible… cashiers).

Can tech sprints solve these problems, or are they going to look into technically interesting issues of limited impact?

Electroneum: the benefits of a moderated blockchain, and the drawbacks

Electroneum is billed as the first AML/KYC-compliant blockchain, and the reason for this and a host of other boasts is the moderated nature of the chain.  It’s closer to what we all want for cryptocurrencies.  It eliminates the 51% attack possible on many cryptocurrencies, as well as block-stuffing attacks.  While this still leaves a host of other attacks as possible weaknesses, it remains a step in the right direction.

The moderated nature of the coin means that it can reduce anonymity and prevent some of the scams and weaknesses of other cryptos.

The problem that ETN will face is, I believe, similar to what Facebook’s Libra faces — the fact that it’s moderated by an NGO means that governments cannot control it, and this will make them inclined to refuse to treat it as valid currency.  Like self-driving cars, any electronic currency will have to show itself FAR superior to current currencies to be able to gain real traction (pun semi-intended ;)).  And if governments and banks can’t control it, then they will do everything in their power to keep it from gaining ground.

Another problem that will face ETN is one that doesn’t affect Libra.  The price of the ETN isn’t backed by a basket of real fiat the way Libra is, so it will likely have significant price swings.

One use case ETN has in mind is serving the millions of unbanked globally.  It’s a laudable goal, and if it works, may help those in developing nations significantly.  At the same time, given that it’s not going to be restricted from use by anyone, one wonders if it will also become just a new means to exploit the ultra-poor.

 

Cryptocurrency and AML

Spanish police say that Bitcoin ATMs have exposed a gap in Europe’s anti-money laundering regulation scheme.

The article claims that the Spanish Supreme Court determined this week that bitcoin are “not money” — at least for the purpose of determining the value of restitution.  This seems like a reasonable result:  when you’re receiving recompense for value you gave, you don’t deserve extra money just because the value of whatever you contributed went up.

However, the fact that this opens a potential doorway to money-laundering points out the gap not only in Spanish law, but in a large number of money-laundering schemes.  In Trade-Based Money Laundering: The Next Frontier in International Money Laundering Enforcement, a book by renowned financial crime expert John Cassara, he consistently refers to both money-laundering and value transfer.  Value transfer can be accomplished in a number of ways without transferring money directly.  One could argue that bitcoin “looks like” money to us, but value transfer can be done with things that don’t look like money, such as large shipments of goods (that happen to be sold at an unconscionably low — or high — price).  Cryptocurrency, of course, if determined to be “not money” for purposes other than just legal judgements, would make transfer of value far easier and more anonymous.

AML regulators really need to aggressively tackle these holes allowing for value transfer, given the amount of laundering it likely represents and the potential increase of this in the future.  When combined with shell corporations and limited beneficial ownership disclosures, it represents a significant threat to world security.

 

Will XRP cryptocurrency deal make it FATF-compliant?

The XRP cryptocurrency may be on the cusp of becoming compliant with FATF rules due to a deal between regtech firm Coinfirm and XRP’s largest holder, Ripple.  This would be a huge win for both Ripple and Coinfirm, as Ripple would see the cryptocurrency gain legitimacy that would set it apart from other digital coinage, and Coinfirm would be apotheosized in its status as a regtech firm.

The question is:  will it work?

The scheme would allow Coinfirm to record and publish some information:

  • whether the cryptocurrency has been processed by technology called a “mixer,” designed to launder cryptocurrency by privately exchanging funds from multiple counterparties
  • information on clustering, when small amounts of currency are sent via many different addresses to disguise the size of large transactions; and
  • whether or not the funds come from a known theft or hack.

This seems like a relatively small amount to give up, as the actual identities of where the coin is stored will not be revealed.  Essentially it can reveal information like “whether or not an address is owned by an exchange that allows anonymous trading, and whether or not the entity that owns the address is registered in a country deemed high risk.”

The FATF recommendations call for being able to trace and seize proceeds used in terrorist financing, for which knowing the names of the parties is typically deemed necessary.  XRP would keep the identities of the parties unknown, making it impossible to carry out the functions that the FATF requires.  According to the recommendations:

“Such [confiscation] measures should include the authority to:

  • (a) identify, trace and evaluate property that is subject to confiscation;
  • (b) carry out provisional measures, such as freezing and seizing, to prevent any dealing, transfer or disposal of such property;
  • (c) take steps that will prevent or void actions that prejudice the country’s ability to freeze or seize or recover property that is subject to confiscation; and
  • (d) take any appropriate investigative measures.”

Geographic risk certainly IS a factor that’s looked at by banks when determining whether a transaction should raise an internal alert (alerts are then examined by compliance or operations personnel to determine if a Suspicious Activity Report (SAR) should be filed).  However, it’s far from the only factor, and suggesting that counterparty risk is covered completely by whether or not a site allows anonymous trading is stretching things a bit.

There’s strong interest in cryptocurrency and a lot of people would like to see digital currencies work.  The governments who set up the FATF, though, will have concerns not only about AML and terrorist financing, but also taxes.  Retaining the anonymity of ownership and transfer will allow for quite a bit of tax evasion.  The article mentions that countries will be able to opt out of the FATF, but doing so in order to allow anonymous currencies could result in their losing revenue as well as losing some of the confidence of the international community.  Whatever country did this would probably see its risk rating go up in all the other developed countries.

Kuskowski seems to think that a general risk rating, provided by his firm using his firm’s calculations, ought to be sufficient to allay concerns of money-laundering.  Pawel, while I commend your efforts to increase the use of cryptocurrency and raise your firm’s regtech credibility, I think this effort will not — and should not — succeed in its current form.  At the very least, you would need to be able to assure financial firms that the ones involved in the transaction were not on any OFAC, sanctions, or PEP lists.

The Looming Problem of ID

Back in 2005, I was employed by a large asset manager to manage a project for their compliance department which involved daily reporting on our positional ownership in securities across all affiliates.  This was because once we crossed a 5% threshold we would have reporting obligations.  Since it was a global firm, there were about a dozen affiliates and subsidiaries and we needed information from all of them.  The project was known as “beneficial ownership”.

A few people questioned why such a project was necessary.  “Isn’t there software that will just calculate it for you?”  While the project would be a bit easier today than it was then, it still would require someone to manage.

It became crystallized in my mind at the time that corporate ownership was very difficult information to come by.  With many of the subsidiaries, there would have been no way to trace ownership back to the parent company.  And similarly today, there’s little way to trace corporate ownership back to the actual owners in many cases, and this is done for all sorts of legitimate, semi-legitimate, and illegitimate reasons.

However, it’s best for the illegitimate ones.

Bills to correct this have come up before Congress several times.  The ABA has produced an article about the most recent attempt by Rep. Carolyn Maloney (D), termed H.R. 2513 — 116th Congress: Corporate Transparency Act of 2019.

The ABA article takes a dim view of the legislation, starting its article:

“The House Financial Services Committee approved … that would impose burdensome and intrusive regulations on millions of small businesses and their lawyers.”

Okay, I find it a bit hard to believe that lawyers are so upset about the millions of dollars they’ll have to make with this regulation.

“would require small companies and their lawyers to disclose detailed information about the businesses’ beneficial owners”

Specifically, the bill would require the beneficial owners’ name, date of birth, current address, and driver’s license or non-expired passport number.  Honestly this is a little less detailed than I’d like from such a scheme.  Names are non-unique and flexible and virtually useless to identify anyone in a large system, addresses can be shared (and faked pretty easily), and only the driver’s license or passport number is likely to be unique. And since the beneficial owners are theoretically providing this information in other reports to government authorities, it’s not really an increase in risk or a huge increase in paperwork.

“the bill’s burdensome beneficial ownership reporting requirements are unnecessary and duplicative because the federal government already has other, more effective tools to fight money laundering and terrorist financing”

This borders on insulting the intelligence of anyone who’s worked in anti-money laundering.  The ABA article claims that the CDD requirements established last year, which require banks to collect beneficial ownership information for entities that establish new accounts, obviate the need for this regulation.  However, this ignores existing accounts that can be used for money laundering.  Further, the existing regulation only requires that a “responsible party” be identified.

And seriously, has the ABA ever looked at the data quality of bank data?  They really expect this field, which will be optional in some cases and likely rarely used for any purpose other than informational, to be filled out reliably and accurately?  Having been around bank data for the better part of two decades, I would assure them there are flaws.

I fear there’s a deeper motivation for official legal wariness of a bill that increases transparency, and it has to do with money.  Too many clients probably DO want to hide their identities behind shell corporations. Sometimes the reasons are relatively innocuous, like the lottery winner who doesn’t want to be hounded incessantly or the celebrity who wants to buy a home without it making the newspaper.  Other times, though, the motivations are less benign.  But lawyers make money from all of them, regardless.

Partnered Risk: A skeptical approach

A recent article notes that partnerships between startup fintech firms and banks are increasing, and are expected to increase by 82% over the next three to five years.

One reason partnerships make sense for banks comes from a compliance perspective — even though in many cases banks aren’t entirely relieved of compliance duties by partnering, they can certainly mitigate some of the risk by doing so.  If things go wrong, they can at least somewhat credibly point to their partner to take the blame, even if only in part.  And that’s even without a specific agreement in place to allocate such risk.  With clear agreements where the bank has much stronger negotiating power, the fintechs might be persuaded to take on more of the risk than they should.  If huge fines hit the startup first, the startup can either pay, negotiate, or declare bankruptcy.  While the charges may then be assessed against the bank, that could take time, and time is money for banks.

Of course, as the article points out, it’s also to fintech firms’ competitive advantage to offer robust compliance programs of their own.  Or, at least, to give the appearance of having such a program, one that banks can rely on when they deal with regulators such as the OCC.

Instant SWIFT

Swift will be testing real-time cross-border payments across Europe through the Eurosystem’s Target Instant Payment Settlement (Tips) after a successful trial run of real-time payments in Australia in 2018.

How does this threaten the local payments markets?  Well, the most obvious potential conflict is with SEPA Inst, an instant payment version of SEPA (Single Euro Payments Area).  The advantage SEPA will likely retain over SWIFT is lower fees.  However, since SEPA is limited to payment only in Euros, these fees might balloon due to the local currency fee that banks are allowed to charge.

In addition, the greater globalization of SWIFT makes it easier for banks to standardize on it.  Even European regional banks that might benefit from aspects of SEPA payments might opt to use the SWIFT network if they have ambitions to expand.

Then, there’s the question of what occurs when the UK exits the EU.  They could (and in my opinion, likely will) remain a part of the EEA, which means they could continue to access the Tips network and therefore transact SEPA and SEPA Inst payments.  On the other hand, if they separated entirely, then payments to and from the UK could no longer use SEPA.  Given that after the UK’s exit, other countries may follow suit, it makes sense that SWIFT represents a more reliable choice.

Trade-based money laundering

American Banker, in an article by Peter Skinner and Matthew Schwartz, recently placed an unsettling and vaguely implied obligation on banks.

The “new” issue, they describe, is trade-based money laundering. It’s unlikely the techniques are really very new at all, since exchanging money for goods is a fairly common element of the layering phase of money laundering schemes (albeit the typical examples are boats and cars–one shot items rather than an ongoing business).  The problem isn’t in being aware of these techniques,  it’s in the relative intractability of attempting to detect them.

Let’s take their sample case — Vikram Datta’s perfume peso exchange (a case similar to the recent fashion house black market peso exchange caught in L.A. — in fact, that case also involved the Sinaloa drug cartel).  Skinner, who was the lead prosecutor on the case, implies that Datta was convicted based on wiretapped phone conversations with his bank.

Backing up a step, why was he having this conversation with his bank at all?  Well, the article notes that his deposits were unusual — but looking at the records of the case, it clearly wasn’t the unusual deposits that tipped anyone off.  Datta was pointed out by his association with Ajay and Ankar Gupta, perfume merchants who had previously been caught for money-laundering.

So what should have happened, in Skinner’s mind?  He suggests the bank should “leverage all of the information available to them to determine whether their customers’ bank transactions are consistent with their businesses.”  In a particularly chilling statement, Skinner goes on to state, “If they fail to do so, they may find themselves forced to justify that failure to regulators and law enforcement investigators.”

Skinner doesn’t go on to say what those ominous suggestions actually mean, perhaps because the implications very quickly become unworkable.  The bank taking Datta’s deposits would not know the reasonable price, profit margin, or sales volume of Datta’s perfume.  They would be very unlikely to have the invoices from the sales or purchases (though if they did — perhaps because of loans secured by accounts receivable — does Skinner seriously suggest that it’s incumbent on banks to not only match these up to transactions but also to determine what’s reasonable for all industries?).

Perhaps Skinner is unaware of what banks already do to monitor their clients’ activities, their patterns of deposits and withdrawals, and the financial products they use.  If that’s the case, though, he should really avoid making such open-ended statements.