The blockchain and what financial crime risk officers need to know

Nigel Morris-Cotterill

The near-Messianic fascination with all things "blockchain" introduces a risk for financial crime risk officers. While the blockchain, as a part of a suite of technologies that work together, can provide certain forms of security, there is a flip-side. The same security protocols can obscure information that FCROs would ordinarily expect to have as part of their routine KYC data.

What do FCROs / MLROs / AML Risk Officers need to know?

On its own, "the blockchain" or "a blockchain" (never, correctly, referred to as "blockchain") has no independent use. It is a technology which provides a foundation upon which other things are built.

The blockchain is a very simple concept, so long as you don't try to dig too deeply into the technology behind it.

The blockchain goes hand-in-hand with something that now appears to have an outdated name: the distributed ledger. That name arises because the first significant use of the technology was to underpin the virtual (crypto-) currency bitcoin.

In bitcoin and similar uses, the distributed ledger is exactly what it says it is: an accounting ledger that records deposits, payments and balances but which is kept and controlled not from a single location but is distributed across all subscribers. That itself requires an explanation: every subscriber to the system has a copy of the ledger.

That does not mean that every holder of a virtual currency has a copy of the ledger (think about it: you can have a wallet on your phone and there's no way that could hold a copy of the entire ledger). But that holder does have a verifiable record of each of their individual transactions (like a bank statement) and their wallet stores the value.

So, next, where is that value? It's in the wallet. Where is the wallet? Well, that's not on the user's phone, either. All they have is an "app", which may or may not be secure, which accesses the wallet that the provider hosts.

But users can host their own wallets, e.g. on a USB device, hardware, PC, etc., if they have enough storage.

One of the fictions about e.g. bitcoin is that it's anonymous. It isn't and there have been both prosecutions and asset forfeiture orders to prove it. While there are anonymising techniques, which regulators have struggled with, those techniques are nothing new: they are essentially simple frauds.

The distributed ledger is at the heart of all blockchain applications. But distributed ledgers do not need the blockchain. The blockchain is the mechanism by which a ledger is distributed. I hear you. "Huh?" you sigh aloud.

So, let's have a bit of very simplified techy stuff. The blockchain is exactly what it says on the tin: it's a chain of blocks of data. The blocks of data are, simply, data records and you already know what they are. Built properly, the blocks provide data integrity (which is not the same as security although many people confuse the two).

The distributed ledger is simply a database: what is novel is that it is not a single active copy held in a central repository and "shared" but that copies of it are held in many locations, constantly checked to verify transactions and updated to record them.

The data integrity issue is easy to understand: because a transaction is checked against all copies of the ledger, balances and parties are verified (or at least the parties are verified as they have identified themselves to the system) and, if everything is in order, the transaction is authenticated. What happens next depends on the rules of the individual exchange effecting the transaction.

Some make instant updates; some provide a short time for cancellation or amendment. Whenever the transaction is confirmed, the transaction is fed into the system that then "tells" all copies of the ledger that two accounts have been modified - one by paying out, one by paying in. And if that sounds like basic book-keeping, that's exactly what it is.
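A simplified illustration of the integrity mechanism described above, added here as an example and not taken from this article or from any real virtual currency: each block's hash covers the hash of the block before it, so an edited record breaks the chain, and a copy that has been altered is exposed by comparison with the other copies. The account names, node names and function names are all hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed marker meaning "no previous block"

def block_hash(prev_hash, tx):
    """Hash a transaction together with the hash of the block before it."""
    return hashlib.sha256(json.dumps([prev_hash, tx], sort_keys=True).encode()).hexdigest()

def balances(chain, opening):
    """Replay the ledger: every entry pays out of one account and into another."""
    bal = dict(opening)
    for tx in (block["tx"] for block in chain):
        bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
        bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return bal

def append(chain, opening, tx):
    """Record a transaction only if the payer's replayed balance covers it."""
    if tx["amount"] <= 0 or balances(chain, opening).get(tx["from"], 0) < tx["amount"]:
        return False
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"tx": dict(tx), "hash": block_hash(prev, tx)})
    return True

def recomputed(chain):
    """Running hashes recalculated from the transactions alone; index 0 is GENESIS."""
    hashes = [GENESIS]
    for block in chain:
        hashes.append(block_hash(hashes[-1], block["tx"]))
    return hashes

def first_bad_block(chain):
    """Index of the first block whose stored hash no longer matches, else None."""
    expected = recomputed(chain)[1:]
    return next((i for i, b in enumerate(chain) if b["hash"] != expected[i]), None)

def outliers(copies):
    """Names of ledger copies whose recalculated final hash differs from the majority."""
    tips = {name: recomputed(chain)[-1] for name, chain in copies.items()}
    majority = max(tips.values(), key=list(tips.values()).count)
    return sorted(name for name, tip in tips.items() if tip != majority)

def demo():
    """Constructed sample: three nodes hold the same ledger, then node_c edits history."""
    opening, tx = {"alice": 100, "bob": 0}, {"from": "alice", "to": "bob", "amount": 60}
    copies = {name: [] for name in ("node_a", "node_b", "node_c")}
    accepted = [append(chain, opening, tx) for chain in copies.values()]
    copies["node_c"][0]["tx"]["amount"] = 6  # alter a recorded amount on one copy only
    return accepted, first_bad_block(copies["node_c"]), outliers(copies)
```

Note what is and is not checked: the hashes show that a record has changed, while "alice" and "bob" are simply whatever names were supplied to the ledger.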

That record is then locked. You can't rub it out, you can't press delete, you can't over-write it. It's there for as long as the blockchain doesn't break or disappear and, in theory at least, that's not possible.

It's possible. Wallets can be stolen or lost, hard disks containing tokens can end up in a rubbish tip (seriously, it happened), exchanges can be hacked or closed by any one of a variety of enforcement agencies or regulators in any one of hundreds of countries. Also, it is naive to assume that any cryptography is secure against hackers: so far, in the history of the world, no security has been totally safe against attacks of one sort or another. The only question is whether the costs of attack and the risks of capture of people or assets outweigh the potential gains. This is why exchanges rather than accounts are the preferred target. As someone once said (and no, it was almost certainly not the one you are thinking of), people rob banks "because that's where the money is." In the case of crypto-currency exchanges, just like banks these days, there is no money but there is data and the data can be converted into money.

So, you might reasonably ask, what's all the fuss about the blockchain?

That's easy: the first is it's fashionable. You can't read a newspaper, open LinkedIn or turn on the TV without someone telling you that the blockchain is going to change your life. So let's be clear about one thing: it isn't, but the cult of blockchain fanatics might. There is, genuine experts say, nothing that the blockchain can do that you can't do by some other means. Last year it was FinTech. It was expected that this year would be the year of RegTech (it hasn't been). In an article published on 31 October, 2018 called "Is FOMO making enterprises unnecessarily leap into blockchain?" (FOMO is "Fear Of Missing Out") Asha McLean reported for ZDNet on a report by Gartner, which produces highly regarded reports on a wide range of topics. David Furlonger of Gartner said that many organisations did not need to do anything involving the blockchain and that many who were jumping aboard the bandwagon were doing so through fear of missing out rather than for any viable commercial reason. He said "I think that it's still not appropriate for the vast amount of enterprises to consider blockchain technology in its current level of maturity" and referred to a high level of "noise."

That's the view I've been arguing in relation to FinTech, RegTech and all things techy for a very long time. Let others jump aboard and take the inevitable risks and failures. Wait until it's understood and until the wrinkles are ironed out. It's been the same ever since the fascination with computerised counter-money laundering systems and I'm still arguing that it's the people not the machine that matter. Incredibly, we are now seeing people arguing that the blockchain will greatly improve the success rate of counter-money laundering monitoring and risk management systems.

I argue that we need fewer systems, not more, and that the biggest reason for failure is not lack of data but lack of compatible data. The blockchain does not help to gather data from diverse sources and it does not help to cross-match it. In fact, the blockchain does not do any form of data analysis. None. Nada. So all those people that are saying "the blockchain will make your organisation less at risk from money laundering" are throwing out a buzzword to trap you. It's that simple, it's that brutal.

