Good Crypto, Bad Crypto

The cryptocurrency ecosystem is diverging into an increasingly transparent, well-regulated space and an unregulated crypto underground likely to be exploited for illicit activity and the dark web. Recently, I spoke on a panel that included the chief compliance officer of Bittrex, one of the largest U.S.-based cryptocurrency exchanges, who implied that this divergence will take place in the next several years. But it is happening now.

The good news is that U.S. agencies are closely tracking crypto-related crime and have the authorities they need to confront most of it. For example, anyone under U.S. jurisdiction running a business exchanging “virtual currencies” is considered a money transmitter and must register with Treasury’s Financial Crimes Enforcement Network (FinCen) and follow the same AML guidelines as money service businesses like Western Union and MoneyGram.

In fact, most cryptocurrency exchange businesses are getting more compliant and more bank-accommodating. In recent months, Coinbase has opened up a Barclays bank account in order to hold the fiat currency needed for its European customers to trade crypto. Bittrex recently secured a deal to open accounts with multiple banks. A new Australian exchange called Blockbid is using the same Lexis-Nexis business due-diligence software that large banks use to vet and authenticate customers.

Yet challenges remain, since all countries are not regulating with the same vigor. I conducted a study in collaboration with cryptocurrency analysis firm Elliptic in early 2018 which found that “Bitcoin laundering” in recent years was more prevalent on European exchanges than North American ones. However, a former senior Treasury official mentioned at the same panel event that the U.S. has had trouble regulating conventional money services businesses since well before cryptocurrencies were in the mix. In fact, U.S. Treasury in its 2015 National Money Laundering Risk Assessment stated clearly that while AML policies help curb illicit finance, they do not eliminate it. Treasury acknowledges that some level of money laundering will always occur.

The threat unique to the crypto space is the potential for pseudonymity to evolve into true anonymity. Real anonymity with cryptocurrencies has been pretty thin given the trackable nature of most blockchains and the regulatory requirement for exchanges to implement Know Your Customer (KYC) practices. But this is changing.

The dominant crypto ecosystem is one that is growing in its AML compliance and aversion to total anonymity, driven by highly-capitalized firms and financial institutions. These actors are unlikely to push the aim of absolute privacy espoused by some in the crypto space. But simultaneously growing are “privacy coins” that lack traceable blockchains, as well as new types of crypto exchanges, known as decentralized exchanges. These decentralized exchange (dEX) projects run on software that allows users to trade cryptocurrencies peer-to-peer, typically without dealing with fiat currency. Unlike regular crypto exchanges, most of these platforms do not take custody of users’ tokens and have no need to verify customers’ identities. These innovations are occurring partly because of the cryptocurrency environment’s own limitations over the years. With privacy becoming more difficult to maintain in protocols like Bitcoin and Ethereum, developers have built coins that are almost impossible to track. And many experimental dEXes are springing up as “centralized” exchanges continue to get hacked, with cyber criminals siphoning off tokens held in bulk on these exchanges’ servers. Without centralized servers, dEXes theoretically should reduce the broader hacking threat as they eliminate cryptocurrency honeypots attractive to hackers and shift the responsibility for token security onto individuals.

Together, privacy coins and dEXes are making up a distinct crypto ecosystem that allows for true anonymity in token ownership and transactions. The dominant formal crypto ecosystem is less likely to embrace these innovations because its key players are seeking to increase AML/KYC practices, not hinder them. And while the greater privacy allowed in the more anonymous ecosystem does not automatically equate with illegal activity, its opacity with respect to identity and its seeming incongruence with the current AML regulatory framework effectively makes it an underground ecosystem. The two ecosystems will overlap (one can buy Bitcoin on a major exchange and then trade it for Monero on some dEXes), but the underground one–should it scale–is likely to be the destination for illicit operators in the future. Some dEXes proudly highlight their lack of KYC as a selling point for their platforms.

At the moment, transactions facilitated by dEXes are a drop in the bucket compared to regular exchanges. Decentralized trading platforms are still experimental and do not have the liquidity to support the overall demand for crypto-to-crypto exchanging. As they grow in number and capacity, some dEXs may leave the underground by implementing AML/KYC for its customers. Others will embrace anonymity.

The scaling issue is critical. Many illicit actors might be attracted to cryptocurrencies because of the potential to inconspicuously move hundreds of millions of dollars in value across the globe–whereas moving that much bulk cash across borders may require large vehicles, forged documents and bribed border guards. The catch is that cryptocurrencies–and privacy coins, in particular–have such low liquidity that the likelihood of scaling to the usage of cash is low.

This may not be the case forever. So, a critical regulatory question is: What happens if the underground crypto ecosystem scales so that anyone can move hundreds of millions or even billions of dollars in cryptocurrencies with no chance of discovery? Since the mechanism allowing these value transfers is nothing more than software code written and distributed for free, how could such capability be restricted? And if regulators try to restrict software developers to write code that only fits within national security or AML guidelines, would that be an infringement of free speech as some computer science legal experts have argued?

An effective AML approach to the underground crypto ecosystem can not be formed without answering these questions. To do so, regulators and law enforcement need to talk to those developers in crypto designing these experimental platforms and privacy coins. Not to stop innovation, but to better understand the digital world which is being built. Otherwise, financial authorities may wake up one day prepared only for the crypto ecosystem most likely to cater to licit actors and not the one likely preferred by criminals.

Yaya J. Fanusie is the director of analysis at the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance. Follow him on Twitter @signcurve. Follow FDD on Twitter @FDD. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.