Crypto-assets are “highly speculative assets that have enabled fascinating and reprehensible business and money laundering activities”. Christine Lagarde stated this at a conference organised by Reuters on 13 January.
The innovation of crypto-assets in the context of money laundering and terrorist financing was the subject of intense controversy for over a decade now. While some argue that crypto-assets do not raise any more risk than legal tender, others consider that they are primarily used to commit money laundering and terrorist financing offences.
In french legal terms, money laundering is the fraudulent justification of the origin of assets or income of the perpetrator of a crime or an offence. In France, this offence is punishable by five years imprisonment and a fine of 375,000 euros (under Article 324-1 of the French Penal Code). Terrorist financing is considered a terrorist act under Article 421-2-2 of the Penal Code and is similar to financing a terrorist organisation by providing, collecting or managing funds, securities or property. This offence is punishable by ten years imprisonment and a fine of 225 000 euros (under Article 421-5 of the Penal Code).
Although the statistics have decreased compared to 2019, cryptographic crime still amounted to 1.9 billion dollars in 2020. It, therefore, seems appropriate to understand, in an objective manner, the risks caused by digital assets in terms of money laundering and terrorist financing.
The anti-money laundering and anti-terrorist financing risks generated by crypto-assets.
A moderate risk in principle: the use of crypto-assets is not the privileged tool of criminals.
In 2019, the French Treasury published a “National analysis of money laundering and terrorist financing risks in France” and considered that the risks regarding the digital assets sector were moderate. Indeed, although these assets can be used for illicit purposes, their use is not favoured by criminals because of their volatile nature, their complex use, and the possibility of being traced by the authorities thanks to the traceability of transactions executed on blockchain networks.
Moreover, the use of crypto-assets for illicit purposes has declined steadily for several years. It is “clearly overestimated”, according to former CIA Deputy Director Michael Morell, due to the rise of strict regulations aimed at limiting the commission of money laundering or terrorist financing infractions. Thus, among the total transactions made in crypto-assets, their illicit use fell from 1.1% in 2019 to 0.34% in 2020.
It should also be noted that Bitcoin transactions (and most other crypto-assets) are not anonymous but pseudonymous.
To make a transaction, each Bitcoin holder uses his public address. Suppose the identity of Bitcoin holders is not explicitly disclosed. In that case, this address allows law enforcement authorities to link the offence of money laundering and/or terrorist financing with the identity of criminals.
For example, in the Silk Road case, authorities searched into the Bitcoin blockchain transactions involving the Bitcoin addresses found in the Silk Road wallet and those on Ross Ulbricht’s computer to establish the link between the offence and the offender.
A risk increased by decentralisation and the use of tools that enhance anonymity.
Most of the money laundering and terrorist financing carried out through crypto-assets is facilitated by using tools that enhance the anonymity of criminals or offenders. There are many such tools, and while they cannot be exhaustively listed, decentralised exchange platforms, mixers and anonymous crypto-assets remain the most well-known and risky money laundering tools to date (all things considered).
- Decentralised exchange platforms (DEX)
DEXs (decentralised exchanges) are peer-to-peer (P2P) digital asset exchange services programmed directly on the blockchain. Unlike centralised exchange platforms (such as Binance, Coinbase or Coinhouse), decentralised exchange platforms allow transactions to occur without a central intermediary. DEXs do not identify their clients (they are not currently subject to AML/CFT regulations in Europe) and do not store their funds.
The lack of KYC is an inherent compliance weakness of DEXs, and regulators are beginning to look for a solution to bring them within the scope of regulation. To date, there is no consensus on the regulation of DEX. Some argue that these platforms should not be regulated due to their decentralised nature, while others favour a legal framework for DEX.
However, although DEXs, due to the lack of control over their users, raise an absolute AML/CFT risk, they are not the preferred tool of criminals and only represent a small part of the $2,000 billion used to launder funds worldwide.
- Mixing services (mixers or tumblers)
Mixing services and AML/CFT schemes share conflicting interests. For the most part, mixers are employed by users who are not engaged in any illicit activity and who simply wish to enhance the anonymity features of Bitcoin (and other similar crypto-assets) and protect their privacy. However, cybercriminals can also be used to launder their ill-gotten gains from illicit activities before exchanging them for fiat currencies.
As more and more exchange platforms implement the FATF requirements (using transactional analysis tools such as Chainalysis, Crystal, Elliptic or Scorechain), darknet users are trying to avoid the risk of exposure of their activity by these services. There are different types of mixers:
- Centralised: based on commercial websites (such as blender.io, cryptomixer.io or chipmixer.com) that collect your tokens and send you back different tokens for a mixing fee between 0.5 and 4%. This type of service implies trust in the platform operator, who can potentially steal funds from their users at the time of shuffling.
- Decentralised: which operate using smart contracts embedded in a programmable blockchain (the Tornado Cash mixer is a protocol directly embedded on Ethereum).
However, despite the apparent risks posed by these services (due to the confidentiality they confer on their users), the use of mixers for money laundering or terrorist financing is not necessarily the preferred method for criminals. A recent study suggests that mixers account for a marginal amount of illicit Bitcoin laundering. Much of these illegal mixing activities take place through a very small number of mixers, often decentralised. In addition, the anonymity conferred by mixers is sometimes relatively limited. Many scenarios could affect the confidentiality of the service (website attack for centralised mixers, smart contract coding error for decentralised mixers, decryption of the mixing algorithm and others). Anonymous crypto-assets appear to be more ” trustworthy ” techniques for guaranteeing anonymity and therefore raise significant risks in the fight against money laundering and the financing of terrorism.
- Anonymous crypto-assets (Anonymity Enhanced Cryptocurrencies and privacy coins)
Some crypto-assets, such as Monero, ZCash, Dash and Grin, allow the anonymity of the parties involved in a crypto-asset transaction to be enhanced. There are two categories of anonymous crypto-assets with varying degrees of privacy.
Privacy coins, such as Monero, ensure total anonymity for their users. Monero (XMR) was created in 2014; it is the best known anonymous crypto-asset in the ecosystem, with a market capitalisation of over six billion euros in April 2021. Monero anonymises the value of the transactions sent, notably thanks to a system of ring signatures.
To make transactions completely anonymous, the cryptographic techniques used by Monero are complex. First, the confidential ring transaction hides the amount of Monero transferred. Then, it allows mixing the public keys of users to hide the address of the sender. Finally, stealth addresses are used to anonymise a recipient’s address. Due to the level of anonymity conferred by privacy coins and the resulting risk of BC-FT, some states such as South Korea aim to completely ban the use of these anonymous assets on their territory by the end of 2021.
Anonymity enhanced cryptocurrencies such as Zcash provide optional anonymity to their users. The ZCash blockchain distinguishes between private transactions (Z addresses) and transparent transactions (T addresses). The ZCASH T and Z addresses allow four types of transactions with varying degrees of privacy.
To ensure this confidentiality, Zcash uses the cryptographic method known as “zk-SNARKs” (zero-knowledge Succinct Non-Interactive Argument of Knowledge), which makes it possible to prove possession of the private key without revealing this information, and without any interaction between the parties to the transaction is necessary.
The legal framework for crypto-assets in terms of the fight against money laundering and terrorist financing.
A regulatory framework inspired by the traditional AML/CFT regulations.
Many countries, including France, have recognised the importance of implementing anti-money laundering and combating the financing of terrorism (AML/CFT) regulations for digital assets. However, these regulations, inspired by the framework applicable to the traditional financial system, sometimes seem poorly adapted to crypto-assets and blockchain technology opportunities for tracing the authors of a criminal offence.
- At the international scale ;
The Financial Action Task Force (FATF) is an inter-state body established in 1989 to prevent money laundering and terrorist financing. The FATF is not a regulator but makes recommendations recognised as the international standard to be applied in all member countries. In 2019, the FATF adopted amendments to its Guidelines to explicitly specify that they use to financial activities involving virtual assets and also added two new definitions to the glossary, namely “virtual asset” (VA) and “virtual asset service provider” (VASP). The amended FATF Recommendation 15 requires VASPs to regulate anti-money laundering and anti-terrorist financing purposes licensed or registered and subject to effective monitoring or supervision systems.
In March, FATF and VACG (Virtual assets contact group) conducted a public consultation on the amendment of the FATF guidelines on virtual assets. This draft revised guidance aims to address the diversity of risks associated with digital assets and digital asset services providers (DASPs) and, for purposes, in particular, the risks associated with decentralised exchange platforms (DEX), peer-to-peer transactions and non-hosted (i.e. directly controlled by the asset holders) portfolios.
The proposed revised Guidance would significantly broaden the scope of application of the VASP by considering that all persons (legal or natural) involved in the development, deployment, use or governance of an application enabling the transfer of digital assets would be subject to AML/CFT obligations. The final version of this Guidance has not been published at this stage (June 2021).
- At the European scale ;
The Fifth EU Anti-Money Laundering Directive, known as AMLD5 of 30 May 2018, requires reporting entities to comply with AML/CFT obligations. This directive extended the scope of the AML/CFT rules to “virtual currencies”. The Directive considers crypto-asset exchange platforms and wallet providers as entities subject to AML/CFT. In practical terms, these actors will be required to carry out extensive KYC and CDD procedures when establishing a business relationship. Article 1 of the Directive defines a wallet provider as an entity that provides services to protect private cryptographic keys on behalf of its customers to hold and store virtual currencies. This definition allows covering a significant part of the centralised services provided on crypto-assets.
On 26 August 2020, the European Commission had launched a public consultation to gather views from interested parties on the harmonisation of AML/CFT regulation in Europe and the new areas to which the EU rules should be extended. The elements drawn from this public consultation could be enshrined in the Sixth Anti-Money Laundering Directive (AMLD6). In this context, the services subject to AML/CFT arrangements could be extended.
- At the national scale ;
The PACTE law of May 22nd 2019, introduced a specific regime for digital asset service providers (PSAN) and token issuers to regulate the development of activities related to blockchain technology. Most PSAN (except the services referred at 5° of Article L. 54-10-2 of the Monetary and Financial Code) are thus subject to a registration obligation and may, optionally, be approved by the Autorité des Marchés Financiers (AMF).
Through the PACTE law, France has chosen to extend the scope of the AMLD5 to digital assets. As a result, token issuers and service providers will have to implement systems to identify customer-related risks (KYC). PSAN, subject to the registration requirement, will be required to implement an AML/CFT framework (Articles L. 561-1 of the Monetary and Financial Code). In particular, they will have to carry out thorough identification procedures when establishing a business relationship with them. In practice, this means collecting and verifying a customer’s means of identification (both individuals and businesses) – including identity cards or passports, telephone numbers, physical address, e-mail address and even more if the AML/CFT scoring is essential.
Finally, registered PSAN will have to freeze assets and report suspicions to TracFin (the intelligence agency responsible for collecting, analysing and enhancing the suspicious transaction says that regulated professionals are required to report to the agency) in case of high exposure to BC-FT risk.
The limits of a regulation that is not adapted to crypto-asset transactions
- The shortcomings of the AML/CFT regulations applicable to digital assets.
Currently, the AML/CFT regulations applicable to digital asset activities can be improved in many aspects. This is evidenced by the fact that some actors have difficulty complying with the requirements to obtain a registration or an authorisation.
The measures taken by the various authorities (national, European or international) doesn’t always seem to be adapted to the risks caused by the crypto-asset sector.
At the national level, the impossibility for PSAN to use all reliable means of identification to fulfil the identification obligations at the time of entry into a relationship complicates the implementation of compliance rules. Moreover, NSPs are often forced to carry out additional due diligence measures for their customers’ activities without other signals (suspicion of BC-FT, PEP customer, etc.) corroborating the need to put these measures in place.
Finally, concerning the freezing of assets, the blockchain does not make it possible to oppose the execution of a transaction once it has been validated. On this point, it seems necessary to adapt asset freezing obligations to the specificities of digital assets.
At the international level, the FATF draft guidance would extend the application of AML/CFT regulations to decentralised finance. However, the current AML/CFT regulation would be difficult to apply to these actors thoroughly and would probably require new mechanisms for analysing and preventing AML/CFT risks.
- The value of transactional analysis tools in the monitoring of digital asset flows.
The use of transactional analysis tools on the blockchain (OAT) has gradually developed thanks to the transcription of each transaction on digital assets in a public register. These tools can positively improve the understanding of BC-FT risks for activities involving digital assets.
In addition to the information collected on these public registers (so-called “on-chain” information such as public addresses, transaction dates, transaction amounts, etc.), transactional analysis tools retrieve a variety of external data (so-called “off-chain” data) to conclude the risks posed by transactions in digital assets.
As part of the AML/CFT measures implemented by the players (particularly those subject to Articles L. 561-2 et seq. of the Monetary and Financial Code), transactional analysis is one method that can be used to reduce the risk associated with transactions involving digital assets. It allows a risk score to be assigned to each transaction or group of transactions and due diligence to be adjusted to the level of risk identified. In some cases, providers may refuse a specific entry or transaction. Transactional analysis may also lead to Tracfin reports or asset freezes.
However, anonymisation tools (AEC and mixers) sometimes make transactional analysis by these tools complex or even impossible. But suppose the use of these tools makes the destination and origin of funds untraceable. In that case, it should be noted that some AECs can at least determine whether a user has mixed his crypto-assets at a given time (without knowing the reasons for such a transaction, nor the destination).
In digital asset markets, such as art or real estate, money laundering and terrorist financing risks exist.This risk has been diminishing for several years now as regulation has developed, and technology has become more sophisticated. However, current anti-money laundering and anti-terrorist financing policy sometimes places inappropriate, disproportionate, and therefore ineffective, obligations on the players. These constraints sometimes hinder their development to the benefit of other companies established in more favourable legislations.
From this perspective, the interest in using the opportunities offered by blockchain technologies (traceable, auditable and programmable) is obvious. They should be used to develop an anti-money laundering, and anti-terrorist financing system adapted to the actors of the crypto-asset industry and the risks they carry.