Crypto AML: new methods for new technology

👍 Yes, AML measures can be implemented in crypto finance.

🙅‍♀️ No, not in the way traditional finance expects it to.

Crypto compliance has become a polemical subject triggering an array of comments:

🔹 from the ignorant “If you like money laundering, criminal activity, anonymity, you’ll like cryptocurrencies”, recently declared by the CEO of Crédit Mutuel, one of France’s top-5 banks,

🔹 to the more nuanced “The primary vulnerability that illicit actors exploit stems from non-compliance by DeFi services with AML/CFT and sanctions obligations”, as mentioned in the recent US Treasury report,

🔹 or else the naive – albeit unsurprising – proposal coming from Banque de France to impose the KYC (know your customer) obligation on DeFi companies.

There’s one thing that traditional finance actors totally miss, though.

Trying to force the KYC system used in traditional finance on the crypto world is a lot like forcing a square peg into a round hole.

The banking system and the blockchain are so fundamentally different that such an approach is doomed.

Instead, it would be much more efficient to use crypto-native AML solutions that leverage blockchain’s transparency and, together with advanced data science tools, help to fight the bad guys.

Good news: such solutions already exist, and many crypto firms already use them to mitigate the dirty money risks.

On-chain analytics

The traditional KYC system was created for the opaque and siloed banking world, and it cannot be used in the transparent and borderless crypto space: besides the obvious security concern (you would not want your transactions publicly linked to your real-world identity), there’s also the major issue of purpose. Crypto was created to be accessible to everyone, everywhere, and decentralized protocols just don’t make much sense if they are KYC-gated. This concerns DeFi, of course, but also other DApps, with which users interact by connecting their wallet.

Simply put: KYC cannot be forced on web3. So how do we make sure the bad guys don’t use it?

Enter on-chain analytics 🧑‍💻

Contrary to what some uninformed bank CEOs may think, the appropriate crypto compliance mechanisms are already being developed and implemented across the industry, notably thanks to specialist firms such as Chainalysis, Elliptic, Scorechain…

⚙️ These mechanisms are not the same as the ones used in the banking system. Instead of collecting users’ passport data and physical addresses, on-chain analytics digs into the users’ on-chain history.

The blockchain’s transparency enables all kinds of advanced analytics to investigate crypto addresses and their links to known criminal entities, such as darknet market clusters, hacker collectives, scams, the OFAC sanctions list, etc.

What’s more, on-chain analytics firms can investigate whether a wallet exhibits a certain behavior type, such as a peeling chain (a technique used to launder large amounts of crypto by funding a long series of small transactions), mixing patterns (using services that blend the cryptocurrencies of many users together to obfuscate the origins and owners of the funds), and many others.
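To make the peeling chain pattern concrete, here is an added example (not code from any analytics vendor named in this post) of a simple detector. It assumes a common heuristic: each hop splits funds into one small "peel" and one large remainder sent on to a fresh address. The addresses, amounts and thresholds are constructed for illustration.

```python
# Constructed sample: each tx is (sender, [(receiver, amount), ...]). Addresses are made up.
TXS = [
    ("A0", [("cashout_1", 1.0), ("A1", 99.0)]),
    ("A1", [("cashout_2", 1.5), ("A2", 97.5)]),
    ("A2", [("cashout_3", 0.8), ("A3", 96.7)]),
    ("A3", [("cashout_4", 1.2), ("A4", 95.5)]),
    ("B0", [("shop", 40.0), ("B1", 60.0)]),  # ordinary payment with change
]

def follow_peel_chain(start, txs, max_peel_ratio=0.05):
    """Follow funds from start while every hop is a small-peel / large-remainder split.

    Returns (peels, last_address). max_peel_ratio is an assumed threshold.
    """
    by_sender = {}
    for sender, outputs in txs:
        by_sender.setdefault(sender, []).append(outputs)
    peels, cur, visited = [], start, set()
    while cur not in visited:  # visited set guards against loops
        visited.add(cur)
        spends = by_sender.get(cur, [])
        if len(spends) != 1 or len(spends[0]) != 2:
            break  # unspent, reused address, or not a two-output split
        small, large = sorted(spends[0], key=lambda out: out[1])
        total = small[1] + large[1]
        if total <= 0 or small[1] / total > max_peel_ratio:
            break  # the smaller output is too big to be a peel
        peels.append(small)
        cur = large[0]  # the remainder moves to the next address in the chain
    return peels, cur

def is_peel_chain(start, txs, min_hops=3, max_peel_ratio=0.05):
    """Flag start when at least min_hops consecutive peels follow it (assumed cutoff)."""
    peels, _ = follow_peel_chain(start, txs, max_peel_ratio)
    return len(peels) >= min_hops
```

The peel destinations returned by `follow_peel_chain` are the addresses an investigator would look at next, since that is where the funds leave the chain.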

These methods have proven themselves useful on numerous occasions, some of the recent ones including:

👮 London Metropolitan Police investigation into the international drugs supply. Using on-chain analytics, the policemen tracked and traced crypto funds of a darknet vendor, identifying their assets, which led to a suspect, whose devices revealed other transactions, which led to a whole criminal network being uncovered, together with its suppliers (Chainalysis).

🇺🇦 War in Ukraine. Elliptic revealed how the on-chain analytics tools helped identify millions of russia-related crypto addresses, which, with the help of international sanctions and Ukrainian law enforcement, were prevented from cashing out and financing the war. In light of this data, Crédit Mutuel CEO’s words about crypto helping the russian militia group Wagner sound particularly moronic: crypto donations to Ukraine outweigh those sent to russia 44:1 (our recap here).

Crypto AML for CeFi

CeFi, or centralized finance, operates within both the blockchain and the banking systems, which means it must implement both on-chain AML tools and traditional KYC identifying users’ passport data.

On-chain analytics can help centralized players to identify:

🔸 the receiving exposure (crypto sent to the exchange from a suspicious address). The funds can then be blocked, while the receiving account holder is being checked;

🔸 the sending exposure (crypto sent from the exchange’s address to a suspicious address). This often happens when legit users get hacked, and the transfer can be blocked as well.
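The two checks above, sketched as an added example (not taken from any vendor's product). It goes one step beyond the direct case described here by also tracing receiving exposure back through intermediate hops. The ledger, the labels and the exchange's address set are constructed, and the hop limit is an assumed parameter.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount). All addresses are made up.
TRANSFERS = [
    ("darknet_1", "hop_a", 5.0),
    ("hop_a", "hop_b", 4.9),
    ("hop_b", "exch_deposit_42", 4.8),
    ("clean_user", "exch_deposit_7", 1.0),
    ("exch_hot_wallet", "scam_9", 2.0),
    ("exch_hot_wallet", "clean_user", 0.5),
]
FLAGGED = {"darknet_1": "darknet market", "scam_9": "scam"}  # hypothetical labels
EXCHANGE = {"exch_deposit_42", "exch_deposit_7", "exch_hot_wallet"}

def trace_back(addr, transfers, flagged, max_hops=3):
    """Breadth-first walk against the flow of funds; returns (source, label, hops) hits."""
    incoming = defaultdict(list)
    for src, dst, _ in transfers:
        incoming[dst].append(src)
    seen, hits, queue = {addr}, [], deque([(addr, 0)])
    while queue:
        cur, hops = queue.popleft()
        if hops == max_hops:
            continue  # do not look further back than max_hops
        for src in incoming[cur]:
            if src in seen:
                continue
            seen.add(src)
            if src in flagged:
                hits.append((src, flagged[src], hops + 1))
            else:
                queue.append((src, hops + 1))
    return hits

def screen(transfers, flagged, exchange, max_hops=3):
    """Return receiving and sending exposure alerts for the exchange's addresses."""
    alerts = []
    for addr in sorted(exchange):  # receiving exposure, direct or via intermediaries
        for src, label, hops in trace_back(addr, transfers, flagged, max_hops):
            alerts.append(("receiving", addr, src, label, hops))
    for src, dst, _ in transfers:  # sending exposure: direct transfers to flagged addresses
        if src in exchange and dst in flagged:
            alerts.append(("sending", src, dst, flagged[dst], 1))
    return alerts
```

With the sample ledger, the deposit to `exch_deposit_42` is flagged three hops away from the darknet address, which a direct-counterparty check alone would miss.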

When the transfers are not crypto, but fiat, the traditional KYC protocols kick in.

Things get more complicated once we enter decentralized territory.

Crypto AML for DeFi

Decentralized services do not (and cannot) control either their users or their funds. Users connect their own wallets, which trigger the smart contracts associated with the service.

This makes it impossible for DeFi to implement KYC, but some people in Banque de France think that they could force the providers of the front end (the interface – a website or an app – that helps to use the service) to do so.

Indeed, while the smart contracts that compose DeFi protocols can be accessed by anyone, anywhere, not everyone has the skills to use them without an interface. This means that people who have to go through a website (which is most of us) could theoretically be obliged by the website to submit their data.

We’re not sure whether this is a technically sound idea. What is clear though is that the two main reasons mentioned before – security and the very disintermediated purpose of DeFi – mean this idea is not practically sound.

So while the US Treasury report points out that “DeFi services engaged in covered activity under the Bank Secrecy Act have AML/CFT obligations”, the intelligent thing here would be to stop forcing a square peg into a round hole and elaborate AML rules specific to the blockchain: rules based not on revealing the users’ true identity, but on analyzing their crypto addresses’ activity.

Another possible way for the new crypto AML would be through DID, or decentralized identity: a zero-knowledge system whereby users could access a service by proving that they are legit, but without revealing their personal data. After all, the purpose of the American Bank Secrecy Act (and its international versions) is to detect and prevent money laundering, not to install a global surveillance system.

Isn’t it? 😉

What’s next?

We’re now at a very interesting point in the crypto industry’s development. Regulators from different countries send mixed signals, torn between the powerful lobbies of the old world and the fear of missing out on life-changing innovation.

AML is a key topic, which is for the moment used almost exclusively by the crypto opponents. Showing the alternative, both blockchain-appropriate and effective, is crucial for the whole crypto industry.

It is time to change the mindset and accept new tools for the new tech.