Here’s our latest roundup from the Compliance and Legal Teams here at BCB Group, providing insights into the recent news highlights in the worlds of compliance and AML, crypto-focused and beyond.
If you’d like to get in touch with us about any of our products or services, just send us a note, we look forward to hearing from you.
WORLD ECONOMIC FORUM RELEASES POLICY TOOLKIT FOR DEFI REGULATIONS
The World Economic Forum (WEF) recently published a policy “toolkit” for de-centralised finance (DeFi), the first of its kind. The toolkit touches on the background of DeFi, its growth, and key characteristics. The toolkit homes in on both the opportunities and challenges surrounding the implementation of both policy and regulation.
The WEF believes that the emergence of DeFi will call into question the ability of regulators to adapt to “evolving market activity, and how (the regulators) can assert jurisdiction over a set of technologies and stakeholders that is intrinsically borderless and global.” Read the whitepaper here.
The report acknowledges that the DeFi cannot be regulated through traditional AML/CTF controls. With DeFi being a fast-moving space, approaches to anti-money laundering regulation and investor protection policies will also have to keep up and account for the associated nuances. Some of the nuances touched on in the report include the pseudonymous nature of digital assets, privacy enhancing protocols and tools, self-hosted wallets and non-custodial wallet arrangements.
DeFi presents unique AML and CTF concerns which stem primarily from its inherently decentralised nature. A key difficulty arises when attempting to pinpoint a central entity performing the activities that require regulation. In the DeFi landscape, there exist a vast number of different touchpoints from an AML perspective, ranging from the software developers of the smart contracts to token holders. Pinpointing responsibility becomes a near impossible task, and the question of determining who is liable is a crucial challenge that regulators will face.
The WEF joins a growing list of inter-governmental groups who are addressing DeFi. The Financial Action Task Force (FATF) published new draft guidance for decentralised platforms as recently as March this year. Such increased attention is heartening as the borderless nature of DeFi is another critical challenge regulators will face, meaning that global conversation and inter-governmental cooperation is key. However, creating a robust AML framework around decentralised networks of this nature without damaging the aspects of the ecosystem that are so exciting and innovative is likely to be a challenging task.
51 CRYPTO FIRMS WITHDRAW LICENSING APPLICATIONS IN THE UK
A large number of cryptoasset firms’ applications are not meeting the FCA’s criteria for AML/CTF internal controls. It is reported that 51 companies have so far withdrawn their application due to the high bar set by the FCA, and as a result have been forced to cease operation or move to alternative jurisdictions. The scope for re-application is a long process, since firms can no longer apply to the temporary register and must wait until the backlog is cleared and a permanent register established.
This news has emerged at the same time as the FCA’s decision to extend the deadline of the temporary cryptoasset regime by nine months in order to process the overwhelming number of applications they have received. Companies on the FCA temporary cryptoasset register can continue trading until March 2022. At the time of writing, only 5 companies have been approved, two of which belong to the same group.
This combination of events is likely to cause mixed feelings. The extended deadline allows UK-based cryptoasset companies to continue UK operations for longer. However, the lack of guidance issued by the FCA as to what constitutes a ‘good’ application, or as to the level of AML/CTF controls expected from cryptoasset companies that deal with the particular nuances of the cryptoasset industry, has resulted in a considerable level of market uncertainty. The FCA itself makes it clear that acceptance onto the temporary register should not be considered as a comment on the merits of an application, and the slow pace with which the FCA is handling these pending applications likely further adds to this uncertainty.
The FCA have also made it clear that they view the risk to consumers posed by cryptoassets as very high, due to them being speculative investments. We are hopeful that the regime ultimately will help instill confidence that cryptoasset activity in the UK is supported by robust AML/CTF procedures, and positively support innovation in the long run.
Bitcoin mining in Iran is proving a useful method for the regime to avoid economic sanctions and trade embargoes – something that financial institutions engaging in cryptoasset transactions should be both aware of and taking proactive steps to avoid.
Sanctions were imposed on Iran in November 2018 by the United States, following Former President Trump’s decision to withdraw from the Iran nuclear deal. These sanctions were expanded in 2019 and again in 2020 to include the regime’s financial sector. Strapped of cash, Iran has since been looking for means to circumvent the sanctions. Bitcoin mining, it seems, has become one of the methods the regime has chosen to evade them, fuelled in part by Iran’s abundance of natural gas and petroleum which allows the cheap generation of electricity to operate the mining rigs required.
Under the rules of Iran’s cryptoasset mining regime, implemented in 2019, Bitcoin miners in Iran must identify themselves and are required to sell any bitcoin they mine to Iran’s central bank. The central bank is then able to use this bitcoin to pay for imports into the country, thereby circumventing the sanctions imposed on Iran’s financial sector. Financial institutions may be complicit, either through accepting this Bitcoin or by paying transaction fees to Iran-based miners (who Elliptic estimate to make up 4.5% of all Bitcoin miners).
In addition to allowing them to circumvent the economic sanctions imposed by the US, Bitcoin mining also presents other economic opportunities for the regime. In addition to the sale of licences to miners, the energy required to power the computers (600MW according to recent estimates) is sold to the miners by the Iranian government at relatively cheap fees, a major attraction for foreign mining companies, especially from China. This sale of energy provides a new means for the regime to utilise its abundant natural resources without breaching the export embargoes placed on the country. However, the energy required to mine Bitcoin is causing domestic energy shortages and, in response to national pressure to stop the blackouts that have been plaguing Iranian cities in recent months, the Iranian government has imposed a four-month moratorium on domestic crypto mining which is set to end on 22nd September.
This four-month moratorium presents a good opportunity for financial institutions that may have exposure to Iran-based miners to implement effective controls to ensure they are not complicit in Iran’s breach of sanctions. It also calls into question the concept of mined coins being “clean” from a compliance perspective – in an environment where 4.5% of all Bitcoin miners are operating from Iran, this is not an assumption which is safe to make.
ELLIPTIC FOLLOWS THE BITCOIN RANSOMS PAID BY COLONIAL PIPELINE AND OTHER DARKSIDE RANSOMEWARE VICTIMS
On 7th May 2021, the DarkSide ransomware group conducted a cyber-attack on the Colonial Pipeline, which runs along the East Coast of the United States. Although the attack was focussed on the pipeline’s billing system, Colonial Pipeline shut down the entire pipeline to prevent further attacks. The attack led to major fuel shortages across the East Coast. It also led to Colonial Pipeline paying a 75 BTC ransom on 8th May.
Elliptic has demonstrated the ability of its chain-analysis technology to trace tainted cryptoassets, by unveiling the Bitcoin wallet address that was used to receive the crypto-ransom paid by the Colonial Pipeline Company to the DarkSide ransomware group.
With Bitcoin being pseudonymous, there is a basic level of intrinsic anonymity. Despite this, chain-analysis tools demonstrate that although it is sometimes difficult to identify senders and beneficiaries, the movement of illicit funds can be traced across wallet addresses, allowing financial institutions to better understand, and accordingly to prevent, Fin-crime trends and typologies.
Elliptic’s analysis of this wallet address illustrates what can be learned well. Identification of the wallet address that ransom crypto is sent to can reveal whether further attacks have been orchestrated by the same groups. For example, Elliptic’s analysis reveals that ransom crypto for the Colonial Pipeline and the earlier Brenntag ransom payments were sent to the same wallet address. Additionally, analysis can show how the proceeds are laundered. For example, previous analysis of the same DarkSide wallet address shows that funds were sent to smaller exchanges and to the dark-web. Such analysis is useful in identifying actors liable for facilitating the movement of tainted funds and/or crypto.
The identification of the wallet, and its subsequent blacklisting, can also make it harder for such groups to operate. In this specific case, Elliptic’s clients will not be able to receive funds originating from the identified wallet address, nor will they be able to facilitate the cashing-out of Darkside’s acquired funds. This particular case reveals the potential that chain-analysis tools have to root out and restrict bad actors.