This Report explores some of the key legal and regulatory challenges facing the development and adoption of blockchain and distributed ledger technologies. Specifically, the use of cryptotokens as currency, assets, or utility has come under scrutiny in Australia.
While blockchain and distributed ledger technologies promise to solve some significant identity, security, trust, and provenance problems created by the internet, at this time there is still much work to be done in order to reassure regulators and users that some of the use cases for this innovative technology may be legitimate purposes and can be understood. Until then, a cautious reticence will continue to prevail in any conversation about bitcoin, smart contracts, or distributed ledgers.
The 2018 Global Computation Law and Blockchain Festival Sydney (Australia) node convened in March 2018 to discuss blockchain law and policy issues. Attending the event were academics and professionals at the intersection of law, policy, and technology. This Report captures thoughtful analysis of various issues in law, technology, and entrepreneurship. It is derived from a roundtable symposium discussion co-hosted by the University of Technology Sydney Faculty of Law and Sydney Legal Hackers at the University of Technology’s Hatchery on March 18, 2018. Those contributing included academics (from the University of Technology Sydney and University of New South Wales), scientists from Data61, regulators, policy-makers, legal professionals, entrepreneurs, and students (from the University of Technology Sydney and the University of Sydney), all sharing their knowledge and best practices on specific topics.1
Part 1 of this report deals with legal issues that are of universal interest and for the purposes of enforcement necessarily traverse national borders: Taxation, Securities Law and Australian Anti-Money Laundering and Financial Surveillance.
Part 2 addresses legal topics where policy is generally managed within jurisdiction, including the European Union and federated nation states (for example, Australia and the United States of America): Federal Services Licensing and Chartering; Privacy and Security, Token-related Policy Issues, and Smart Contracts as Legal Contracts. This Part concludes with Observations.
The structure of this Discussion Report was adapted from suggestions provided by the organisers of the 2018 Global Computation Law and Blockchain Festival. It is intended to reflect the discussions held over the weekend of the festival in The Hatchery at the University of Technology Sydney. The topics in this Discussion Report cover tax issues, securities law, Anti-Money Laundering/Financial Surveillance, Privacy & Security, Token-Related Policy Issues, and Smart Contracts as Legal Contracts. It aims to resolve some of the more contentious problems that arise when trying legitimately to use cryptocurrencies, to launch an initial coin offering (“ICO”) or to design smart contracts that may or may not have legal consequences.
This Discussion Report will also raise some of the important problems that may arise in the context of a decentralised financial network. For example, anti-money laundering/financial surveillance controls that are traditionally managed by trusted third parties (like banks) need to be automated in a way that still provides accountability and allows for audit control. Meanwhile, smart contracts enable business exchanges conducted on the blockchain that may give rise to legal implications.
The footnoting style adopted in this Discussion Report is the convention recommended by the Australian Guide to Legal Citation (3rd Edition) and the Melbourne University Law Review. For ease of reference, all footnote entries are cited in full, without the use of ibid, op cit and/or above n.
A taxable event is any transaction or occurrence that results in taxes due. All taxpayers, including individuals and corporations, experience taxable events. Capital gains tax (“CGT”) events are the different types of transactions or events that may result in a capital gain or loss. Many CGT events involve a CGT asset—for example, a sale of shares.
1.1 Taxable events
· Taxing cryptocurrencies and tokens as a nation’s tax investments, like stocks and bonds, is reasonable given the large profits and losses that many investors are making, but how can these assets also be used as currencies or payment methods if every trade is a taxable event?
A smarter transaction system may consider making transactions undertaken on a blockchain associated with an Australian Business Number (“ABN”). As each address registered on this ledger will be transacting with one another, it is easily notable if an individual or organisation is transacting with a party which does not have the requisite authority in Australia. In other words, there is a mechanism by which the transaction is de-identified whilst also being linked to the ABN registered.
Under this system, whilst the government may have a list of ABN accounts that are registered, it will not stop people from creating unregistered ABN accounts and undertaking unregistered transactions on the side. This occurs because the transaction system is not exclusive.
Alternatively, in order to regulate standard R-tokens that may then be taken to a specific service or an approved operator, control methods may be built in. As all transfers are delegated to this service, a trade may be suspended if it is not authorised. By using features such as a whitelist, transfers may be approved by operators.
Indeed, registered ledgers have been implemented on a country-wide scale. However, when the technology ecosystem considers creating something that controls a record of transactions, there is the question of what system will be in place to control it. The issue which arises is that so long as a user has some kind of connection with the system, there must be someone to run the system. An example of this is a permission-enacted public system. In this scenario, users must have control, but there exists a system consistent at a national level. However, when any of the systems are out in the public, control is effectively surrendered. Perhaps the solution is a permissioned ledger.
Another issue is the jurisdiction of the transaction. The law does not provide clarity on whether the jurisdiction is identified at the time when the transaction occurs or when the transaction is received or sent. This issue needs to be addressed in order to avoid double taxation.
There is also a problem with taxation itself, as it is considered an old paradigm which faces an emerging paradigm. Effectively, there is competition between cryptocurrencies and legitimate currencies. Ultimately, we must consider a strategy that is compatible with the new system.
1.2 Enforcement of transactional taxes
· Transactional taxes are geographic like the VAT in the EU and state sales tax in the US. If these transactional taxes are applied to cryptocurrency and token transactions how can they be effectively enforced and are there better alternatives if they cannot be effectively enforced?
The Australian Taxation Office (“ATO”) established its policy regarding bitcoin and other virtual currencies in 2014. The majority of this policy was focused on the question of ‘what is bitcoin?’ In all circumstances, bitcoin and other cryptocurrencies in existence at that time were considered to be property, not money. This is set out in a series of rulings published at that time.2 Whilst each ruling is subtly different, there is a process that exists for individuals or organisations who want to comply.
In a determination regarding goods and services tax (“GST”), the ATO found that GST applied to purchases of bitcoin and other virtual currencies. The result was that where bitcoin was used like money, it was effectively taxed twice—once at the time that the digital currency was purchased, and again when it is used to purchase a good or service.
This sparked a senate review into the status of bitcoin and other digital currencies, which ultimately resulted in an amendment to the statute in 2017. Since then, digital currency is to be treated “like money” for the purposes of GST taxation, where it is used like money.
Whilst the peer-to-peer exchange of bitcoin and other digital currencies may give rise to difficulties in applying these taxes, it does not make it impossible. Instead, this simply means that the onus is on the individual to maintain records and to prove its taxation position to the ATO.
In addition, new taxes or new taxation events may be created for ‘tax miners’. In this new model, the miners may tax additional fees as they mine the blocks and act as ‘tax collectors’ for cryptocurrency. The miners may then be taxed by the State, which means that funds flow back to the State. Indeed, the question of which is the correct State arises in such circumstances.
The concept of retaining records of transactions raises questions about privacy-protecting blockchains and cryptocurrencies. In line with GST rulings, the ATO has considered instances where individuals or organisations are establishing cryptocurrencies and participating in exchanges, as well as where cryptocurrencies are used to pay for goods and services.
The ATO emphasises the importance of keeping records to be able to prove an individual or organisation’s position and pay the appropriate level of tax. As with transactions in the old tax system, the ATO will pursue individuals or organisations for failing to pay tax on cryptocurrencies. As a practical example, individuals who drive expensive cars but state that they had zero taxable income that year are likely to be subject to the ATO’s audit of their affairs.
In short, this is not just a case of tax and a digital world. The reality is that individuals and organisations can get caught irrespective of the legitimacy of a transaction undertaken on the blockchain, and that a lack of records is likely to give rise to taxation issues.
2. Securities Law
In Australia, regulators are fostering innovation whilst protecting consumers. In the case of ‘initial coin offerings’ or ‘token sales’ it is evident from statements provided by the Australian Securities and Investments Commission (“ASIC”) that if a token is being sold, sufficient information must be provided to consumers to ensure that they can conduct appropriate due diligence.3
In regulating initial coin offerings, regulators such as ASIC consider tokens through the prism of securities law and financial product law. Indeed, the legislation which appears to apply to initial coin offerings seems to focus on this.
There is a question regarding whether the current system is sufficiently malleable to account for tokens. Some even suggest that the managed investment scheme model should be replaced with a system that promotes protection but may perhaps better enable innovation.
One important factor to note is that tokens can take many more forms (both regulated and otherwise) than simply securities. Tokens sold in an initial coin offering might provide a particular new asset, provide voting rights for owners of future assets, or perhaps even form the backbone of a blockchain system. In each, the developers and miners have significant control over the structure of the token and its operation. Given this fluidity, it might be argued that regulation cannot keep up.
2.1 Legal character of token sales
· Globally, securities laws demand meaningful and accurate disclosures from those who would seek to raise money from the public on the promise of business profits, i.e., those that issue securities. In the US there is a flexible and judge-administered test that affords regulators leeway to go after non-traditional securities issuance (e.g., some token sales). In Europe, the regulator enumerates a list of investments that it will regulate as securities and it can extend its jurisdiction by adding to that list. With respect to token sales, which approach will grant greater certainty to persons selling tokens?
Australian regulation is fundamentally principles-based and, as far as possible, technology-neutral. This is particularly apparent in the regulation of financial products and financial services in Australia set out in Chapter 7 of the Corporations Act 2001 (Cth) (“Corporations Act”). Instead of setting out each regulated product in prescriptive terms, the Corporations Act includes flexible, general definitions of financial product, derivatives and managed investment schemes, amongst other things. “Financial product” includes facilities through which, or through the acquisition of which, a person does one or more of the following:
· makes a financial investment;4
· manages financial risk;5 or
· makes a non-cash payment.6
Given these general definitions, it may be argued that the Australian requirements are broader than those in the United States (“US”). Here, like any other innovative financial product or system, each token must be assessed to ascertain that it fits (or, indeed, if it fits) into a regulated category. This first principles analysis means that tokens cannot and should not be treated as one separate category of assets.
Whilst ASIC has not defined digital currency, it indicated that digital currency would include Bitcoin, Ethereum and Litecoin, indicating that certain tokens will not be regulated products under the current regime.
Unlike the US, however, Australia has strong consumer protection laws and regardless of whether the token is a financial product or not, it will not be “unregulated”. Where a product does not fall under the ambit of financial services law, it will fall under consumer or commercial law. This means that unfair contract terms regimes and principles against engaging in misleading and deceptive conduct, and protections against fraud and pyramid schemes will apply.
Although ASIC is traditionally the securities regulator, it has recently been granted a delegation of power from the Australian Competition and Consumer Commission (“ACCC”) that enables it to, in coordination with the ACCC, take action where there is potential misleading or deceptive conduct. The purpose behind this is to ensure that consumers are protected when dealing with tokens, regardless of the regulated status.
One particular definition must also be mentioned and that is a ‘managed investment scheme’. The managed investment scheme encapsulates many structures which might otherwise fall outside the regulated space. Like the US definition of ‘securities’ this has a purposive test, which is broader than in the US.
A scheme is a managed investment scheme if:
· people contribute money or money’s worth as consideration to acquire rights (interests) to benefits produced by the scheme (whether the rights are actual, prospective or contingent and whether they are enforceable or not);
· any of the contributions are to be pooled, or used in a common enterprise, to produce financial benefits, or benefits consisting of rights or interests in property, for the people (the members) who hold interests in the scheme (whether as contributors to the scheme or as people who have acquired interests from holders);
· the members do not have day-to-day control over the operation of the scheme (whether or not they have the right to be consulted or to give directions); and
· the scheme is not excluded from the definition of a managed investment scheme.7
Instead of including an ‘investment purpose’ test like the US, the Australian managed investment scheme looks to how the money is held by the person acquiring it and then the rights received by the persons providing funds.
By no means does this mean that all assets where the seller receives funds or allows a person to speculate are financial products or regulated. Indeed, even where the value is highly speculative, such as artworks, real property, or (even) Beanie Babies, the principle of caveat emptor (buyer beware) still applies. It does however mean that where assets are intangible, there is a real risk that these products will be regulated.
The existing flexibility in the system is robust enough to accommodate new delivery mechanisms for these products. If tokens were treated differently, a separate category of asset may arise. This separate category of asset may allow an individual or organisation to obviate its legal requirements simply by using a different delivery mechanism, namely by means of cryptography and a blockchain. To treat tokens differently would be contrary to the principles-based, technology-neutral regulation which otherwise applies in the Australian context.
2.2 Token sales and securities regulation
· What can be done to improve each approach and offer a clearer line between token projects that need to comply with securities regulation and those that do not?
Beyond the hype, blockchain technology offers some exciting opportunities for those that are involved in raising equity. Publications have addressed some of the general ideas around the regulatory environment in which the blockchain will fit.8 In particular, coverage has explored the limits of the regulatory model in the context of the offering of tokens to the wider public via a token generation event.9
In most token generation events, the issuers are hoping to avoid the expense and delay of an initial public offering (“IPO”). They are looking to tokenise all or some of their businesses to seek a relatively small amount of seed funding without the due diligence, regulatory requirements, time, or fiduciary permissions a traditional IPO would require. To that extent, the existing regulatory model is unlikely to satisfy their needs.
Before looking at what the rules are, it is worth going back to first principles to explore what they should be. What should be the features of regulation seeking to regulate an issuer looking to raise money from the public, particularly where the offer is to non-sophisticated investors?
As a general principle the regulatory model should:
· promote efficiency in the capital formation process i.e., that it should be appropriate and no more onerous than it reasonably needs to be, whilst also being product-neutral. This means that regulation should not drive product design;
· provide investor protection;
· promote disclosure of relevant information;
· protect investors from unfair dealings with insiders who had access to material non-public, price sensitive information;
· reduce the likelihood of omitting important information;
· reduce the possibility of systemic risk; and
· have a reasonable focus on the information needs of investors.10
Broadly the universe of tokens breaks down into one of three types:11
1. Equity tokens: these offer the promise of using Ethereum-based smart contracts to issue stock or equity tokens. Due to the difficulties with the existing regulatory model, few startups have attempted to conduct equity token sales. Further, very few have established any kind of tradable assets ranging from coins redeemable for precious metals to tokens backed by real estate. However, Delaware recently passed a bill that allows companies to maintain a list of shareholder names on a blockchain rather than conventional methods, which will enable blockchain-based stock trading. The Commonwealth government has received petitions for similar amendments to the Corporations Act.
2. Payment tokens: this is a broad classification and includes tokens that are transferable and can be used as a means of payment. These tokens must comply with money laundering regulations.
3. Utility tokens: these include app coins or app tokens. These tokens provide users with access to a product or service e.g., Filecoin plans to provide a decentralised cloud storage service that will take advantage of unused computer hard drive space. Once launched, token holders will be able to purchase storage space from Filecoin.
Equity and securities tokens are unusual instruments inasmuch as the benefits they confer will mostly not be known, as the token confers a right to future, unknown earnings. This information asymmetry is a problem common in financial markets. Ultimately, this ability to price unknown future value using a market is at the heart of most financial markets. It is for this reason that this regulation must require a reasonable level of investor focus such that the overriding principle is that issuers must not be misleading or deceptive (as those terms have now come to be understood) in the capital formation process. That risk is made exponentially greater when the rights are ‘hard wired’ into immutable perpetual computer code that is essentially self-executing i.e., smart contracts. Token generation event offering documents must, therefore, be clear, concise and effective, having regard to the investors and the nature of the proposal.12
With that general principle in mind, there is a question of how token generation events should be regulated. Clearly, a model that promotes token generation event issuers circumventing Australian regulatory arrangements will lead to sub-optimal results.
As it stands today a vast majority of token offerings will fall within the gamut of the managed investment scheme rules. As stated in 2.1 Legal character of token sales, a managed investment scheme is deliberately defined widely within the Corporations Act. The provisions were designed to regulate a vast panoply of collective investments. The breadth of these provisions can be seen in the Multiplex decision.13 In Multiplex, the Court held that a litigation funding arrangement constitutes a managed investment scheme.14 The basic indicators of whether an arrangement is a managed investment scheme are as follows:
· people contribute assets (such as digital currency) to obtain an interest in the scheme, say via a token;
· the assets are pooled together with one or more other contributors or used in a common enterprise to produce financial benefits for the contributors (through a smart contract deployed onto the Ethereum networks); and
· the contributors do not have day-to-day control over the operation of the scheme but, at times, may have voting rights or similar rights (again through a token smart contract).
The breadth of the provision is clear and intentional. Whether it is appropriate for a token generation event is another question altogether. The managed investment scheme regime was designed in 1993 (about the same time that the Intel Pentium processor was released, and the home of the internet moved from CERN to the US). The collective investment environment, while designed to be flexible, did not contemplate a bundle of rights that has no boundaries, requires no legal structure and can be created by anyone. That is, a self-executing smart contract running on a massive peer-to-peer platform running on Gas. An instrument that incorporates computer code that can immutably set the rules, execute on those rules and check for compliance.
It could however be argued the managed investment scheme model was built around the public unit trust. Indeed, the structure could have gone further and recommended a broader range of legal structures such as corporate vehicles and limited partnerships. A Corporations and Markets Advisory Committee 2012 Report (“CAMAC Report”) outlines some of the existing shortcomings of the current legal framework for Australian managed investment schemes and proposes that schemes should be established as a separate legal entity. The CAMAC Report illustrates that what is needed to develop a genuine and workable alternative to the use of trust or contract-based structures in a managed investment scheme context is a coordinated response from the State.
While the managed investment scheme had its origins in the Corporations and Markets Advisory Committee’s Collective Investments: Other People’s Money, Report No. 65 and recommendation 89 of the Financial System Inquiry Final Report, the ‘collective investment vehicle’ was actually synonymous with a ‘trust’. It was largely a model designed for a unit trust structure under which property is held by a trustee and turned to account by a management company, with the beneficial interest in the trust fund being divided into units evidenced by certificates held by investors. Indeed, this draws parallels to a token generation event.
While the managed investment scheme has contemplated enterprise schemes where contributions by members are to be ‘used in a common enterprise’,15 an offeror must comply with the applicable managed investment, Australian Financial Service Licensing, anti-hawking and product disclosure provisions if offers or issues are made to other persons. This is with the exception of offers, invitations or issues that are excluded offers, invitations or issues. For example, ASIC Regulatory Guide 80 states at Regulatory Guide 80.30 that: ‘However, a promoter who believes that there are grounds on which we should exercise our discretion may still apply for individual relief. We may grant relief from requirements under the Corporations Act, including the requirement that a managed investment scheme be registered under Ch 5C, on a case-by-case basis in certain circumstances: see Regulatory Guide 51 Applications for relief (RG 51).’
As a foundational consideration, the managed investment scheme regime contemplates a model that included:
· securities being issued by a responsible entity that was a public company with securities dealer’s licence;
· an issuer with material financial and capacity requirements including prescribed minimum capital requirements;
· a constitution that is required to be registered with ASIC and must address certain matters and imposes responsibilities on the responsible entity; and
· the ‘unavoidable overlay of trust law’,16 which means that there is a trust relationship between the issuer and members (perhaps even token holders) even if the parties never contemplated that to be the case.
It, therefore, turns to the question of whether the existing managed investment scheme model satisfies the requirement that the law must not be more onerous than reasonably required. In the token generation event context, most issuers would expect that the rights and obligations that the parties have with respect to each other are intended to be contractual, and not fiduciary.
An ideal managed investment scheme model may incorporate the following characteristics:
· It wouldn’t require the issuer to have an Australian Financial Services Licence. As corporates can issue their own securities without needing an Australian Financial Services Licence, the question arises as to whether it is a necessary or reasonable burden for a token issuer.
· It wouldn’t require a constitution but it might allow the relationship between token holders and issuers to be regulated by a set of terms described in an offering document. This offering document must be freely available to all token holders and must be in accordance with terms which are certified as a true reflection of the smart contract linked to the token and deployed onto the Ethereum network.
· It would provide that a token ‘scheme’ was no longer governed by trust law principles that were not developed in the context of the style of offering that is being discussed, i.e., structures used primarily for commercial purposes.
· It might recognise the distinction between payment, utility and asset token generation events and see what lessons could be learned from other ‘quality’ regulators like the Swiss Financial Market Supervisory Authority.17
· It would ‘stand on the shoulders’ of quality regulators and develop a regulatory model that was in step with best practice.18
· It would integrate into the existing regulatory framework concerning investor protection, market manipulation and systemic security.
· It would impose specific disclosure obligations on the issuer and the issuer’s advisers. This may include an obligation to ensure that the issuer disclosed all information which would be reasonably expected by investors and their professional advisors when deciding whether to invest in the token generation event.
· It would provide a mechanism for ASIC to register these disclosure documents and issue stop notices.
There is a great deal of healthy skepticism about the utility of blockchains and the role of cryptocurrencies. This is perhaps best exemplified by Congressman Brad Sherman of California, who recently declared ‘crypto is a crock’ and that all anyone needed was US dollars.19 Nonetheless, token issuers worldwide are looking for an ideal regulatory environment. Perhaps Australia could be this place. With this in mind, ASIC and the Australian industry must collaborate to develop a model that will ensure investors receive the protection they need without stifling innovation and without driving Australian blockchain entrepreneurs to other jurisdictions.
2.3 Laws to protect investors
· Securities laws focus on disclosure to protect investors. Blockchains, by their nature, accomplish disclosure and transparency in new and different ways than reported by the traditional corporate investor prospectus or quarterly profits. Can the old goals of investor protection be better accomplished using these new technologies, and what, if any, compliance requirements (new laws or regulations) need to be adjusted to best enable this transition?
Blockchain technology and initial coin offerings put in question the effectiveness of Australia’s long-standing policy on investor protection, namely continuous disclosure requirements. Given that the majority of Australians most commonly hold on-exchange investments, initial coin offerings either pose a big threat to lay investors or a wealth of opportunity for their higher protection.
Although the nature of blockchain technology may soften the emphasis on investor disclosure, it raises more important questions of risk due to the volatility of the cryptocurrency market. Part of the reason that investing in cryptocurrencies is often seen as advantageous is that it offers quick gains in a short period of time. This is not surprising and may exist due to the high-risk appetite of token investors. With this in mind, regulation should go beyond simply educating investors through continuous disclosure and publicly-available guidelines, and move towards understanding investor sentiment and offering increased protection where nefarious or misleading behaviour is present.
If this customer-orientated approach were to be adopted, the question then becomes: how can the regulatory environment support the ecosystem? Here, it is important to balance adequate protection with the support of innovation. Singapore has now learnt that non-direct regulation imposed at the intermediary level, i.e., cryptocurrency exchanges, may not be sufficient. That said, it has been one of the most favourable environments for cryptocurrency investment, but also with the most stringent investor protection. Further, Australia is more comparable to Switzerland in terms of the level of investor protection. The Swiss have introduced a new system which focuses on defining tokens into three categories. This has increased the recognition of cryptocurrencies and provided clarity on their regulation. For Australia, initial coin offerings offer vast foreign investment opportunities, and older concepts in investment regulation, like the managed investment schemes, may help inform new ones.
On a practical level, an ideal environment may see regulators imposing rules or industry introduced standards for ‘white papers’. The minimum expectation would be disclosure requirements forcing the author(s) to provide a proof of concept and beta trials.
2.4 Laws to enable and support innovation
· Can the old goals of investor protection be accomplished while also enabling and supporting innovation?
As noted above, regardless of whether tokens are financial products or goods and services, consumer protection principles will apply. Whilst the precise wording and penalties differ slightly between consumer law and financial product regulation, there is no escaping either regime. Similarly, both regimes have extra-territorial application where the intention is that people in Australia will receive the goods or services (financial or otherwise). This traditional mechanism exists so as to ensure that individuals are protected and has not hampered innovation to date.
Although the risk of failure is typically higher with experimental technology, innovation may be assisted by removing certain barriers. However, by reducing barriers to entry, the risks posed by the technology are compounded. This is not to say that rules should not be tweaked to facilitate new products, but that rules should be amended and not simply disregarded through blanket exemptions.
2.5 Summary of findings
Initial coin offerings have fundamentally changed traditional investment models. Often initial coin offerings involve ‘punters’, who are people willing to take a risk, as opposed to astute investors participating in initial coin offerings. This is an opportunity to bring in an entirely new funding model and iterate on existing systems.
There have been observations that it is difficult for blockchain companies in Australia to raise money. With respect to this, there are two fundamental considerations:
1. Typically, the risk profile of Australian investors is very low when compared to the US.
2. Typically, there is difficulty in the ability of traditional investors to understand recent technological developments.
The view from the ATO and regulators is that regimes do exist as there are consumer protection issues. Regulators must, however, acknowledge that tokens are more malleable than the securities that currently exist.
3. Anti-Money Laundering/Financial Surveillance
Australian Anti-Money Laundering (“AML”) and Counter-Terrorism Funding (“CTF”) legislation and regulators have long relied upon trusted intermediaries such as banks and authorised deposit-taking institutions (“ADIs”) to help prevent the flow of illicit funds in and out of the country. An example is how any transaction over $AUD10,000 automatically becomes a reportable event to the regulating authority, AUSTRAC.
Whether this approach is still applicable to token transactions conducted peer-to-peer or through cryptocurrency exchanges was the main question which the symposium explored. Whilst the current position of the financial task-force suggests that the traditional AML and CTF paradigms are applied to transactions involving virtual currency, digital currency and cryptocurrency, there is debate on whether this mechanism is imposing too much compliance and costs on the parties involved. The three aforementioned terms have been defined by the inter-governmental body, Financial Action Task Force (“FATF”):
· “Virtual currency is a digital representation of value that can be digitally traded and functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value, but does not have legal tender status (i.e., when tendered to a creditor, is a valid and legal offer of payment) in any jurisdiction. It is not issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the virtual currency. Virtual currency is distinguished from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the coin and paper money of a country that is designated as its legal tender; circulates; and is customarily used and accepted as a medium of exchange in the issuing country. It is distinct from e-money, which is a digital representation of fiat currency used to electronically transfer value denominated in fiat currency. E-money is a digital transfer mechanism for fiat currency—i.e., it electronically transfers value that has legal tender status.
· Digital currency can mean a digital representation of either virtual currency (non-fiat) or e-money (fiat) and thus is often used interchangeably with the term “virtual currency”. In this paper to avoid confusion, only the terms “virtual currency” or “e-money” are used.
· Cryptocurrency refers to a math-based, decentralised convertible virtual currency that is protected by cryptography—i.e., it incorporates principles of cryptography to implement a distributed, decentralised, secure information economy. Cryptocurrency relies on public and private keys to transfer value from one person (individual or entity) to another, and must be cryptographically signed each time it is transferred. The safety, integrity and balance of cryptocurrency ledgers is ensured by a network of mutually distrustful parties (in Bitcoin, referred to as miners) who protect the network in exchange for the opportunity to obtain a randomly distributed fee (in Bitcoin, a small number of newly created bitcoins, called the “block reward” and in some cases, also transaction fees paid by users as an incentive for miners to include their transactions in the next block). Hundreds of cryptocurrency specifications have been defined, mostly derived from Bitcoin, which uses a proof-of-work system to validate transactions and maintain the block chain. While Bitcoin provided the first fully implemented cryptocurrency protocol, there is growing interest in developing alternative, potentially more efficient proof methods, such as systems based on proof-of-stake.”20
However, it was highlighted that many of the intermediaries facilitating the transactions between virtual currency and fiat were already applying forms of AML mechanisms through conducting Know Your Client (“KYC”) checks due to their inherent desire to become ‘legitimate’ businesses.
In light of this point and further points below, two interesting questions were also considered:
1. Is there a need to create a whole new paradigm tailored to financial surveillance over cryptocurrencies and token transactions, and is there a legal and moral obligation to do so?
2. In situations where these token transactions occur only in a closed universe and are not exchanged into fiat, would financial surveillance still be necessary?
In relation to the first question, it was noted that there are already new regulations coming into effect in Australia that will regulate any cryptocurrency exchange, and in particular, any business converting between digital currency and fiat. However, these intermediaries will not be treated like banks but are likely to be treated as remitters. Similar to the traditional AML and CTF system, these remitters will have a legal, moral and ethical obligation to report not only any transactions over a certain threshold, but also any suspicious transactions that may be structured in a way to avoid detection and classification as a ‘reportable event’ (e.g., making multiple payments below the $AUD10,000 threshold). Thus, due to these obligations that these remitters are already addressing and maintaining, a whole new paradigm may not be required at this stage.
In relation to the second question, whether or not transactions occur in an open or closed universe does not change the necessity of financial surveillance. Irrespective of whether the technology is new or not, the law will always apply. Thus, surveillance of transactions is needed both in cryptocurrencies and non-cryptocurrencies to address the existing problems of money laundering and terrorism funding.
Further discussions then addressed the current problems with cash and money laundering and terrorism funding. For example, there are the established remittance networks such as Hawala, built on strong cultural conventions and networks for terrorism funding. While cash does not have a tracked address, cryptocurrencies may be tracked by using a framework in which remitters must partake in financial surveillance. This may alleviate existing problems faced by law enforcement.
3.1 Surveillance mechanisms in the absence of regulated financial services providers
· Anti-money-laundering regulators have long relied upon intermediaries (banks and other regulated financial services providers) to engage in financial surveillance on behalf of the government and to stop the flow of illicit funds through the economy. Does this approach still work now that cryptocurrencies and tokens can be traded and transferred peer-to-peer in addition to being transacted through regulated businesses like exchanges?
Conventional AML paradigms rest on jurisdictions’, and regulated entities’, application of the ‘risk-based approach’. The risk-based approach, broadly speaking, requires countries to ensure resources targeted at mitigating money laundering are commensurate with the magnitude of that risk. The risk-based approach also requires a regulated entity itself to identify and mitigate its money laundering risks as per its unique operational contexts.21
Now, the question of the application of conventional AML paradigms in the context of cryptocurrencies and tokens cannot be given a binary yes/no answer. A more nuanced approach is desirable. On one hand, conventional AML paradigms can be applied by jurisdictions with respect to regulated businesses like cryptocurrency exchanges that can go on to handle transaction volumes comparable to traditional banks and can thus face similar money laundering risks (by virtue of this sheer volume of funds presenting an opportunity for disguising proceeds of crime). On the other hand, conventional AML approaches would arguably be applied by national regulators with great difficulty to cryptocurrency ecosystems.22 This is especially in relation to peer-to-peer cryptocurrency transactions, not least given greater anonymity (or pseudonymity) afforded to counterparties, and the ‘borderless’ nature of these currencies in being transacted over the internet.23
In light of the growing use of decentralised anonymous/pseudonymous cryptocurrencies,24 AML regulators worldwide are grappling with this very question.25 Regulators are aware of the potential for misuse by organised crime of such currencies to launder the proceeds of crime on an industrial scale in the longer term at least.26 They have to recognise the need for existing AML paradigms to be adapted to new technological (the growth of decentralised, cryptographically-enabled currencies) and commercial realities (the potential replacement of the financial system’s traditional ‘gatekeepers’ by new entities like cryptocurrency exchanges).27
Historically, AML regulators such as national Financial Intelligence Units have indeed relied on monolithic, typically financial service institutions to collect financial intelligence as part of the institutions’ application of the risk-based approach.28
There is an argument that the conventional AML approach can work for regulators when applied to cryptocurrencies transacted through regulated businesses that represent the points of interface between the fiat currency and cryptocurrency ecosystems. Such businesses would include cryptocurrency exchanges.29 Criminals, namely money launderers, can use these regulated businesses to ‘place’30 the proceeds of crime (denominated in fiat currency) by converting them to units of a cryptocurrency which may then easily be transferred through its respective ecosystem (i.e., ‘layered’ so as to obfuscate the audit trail associated with the ‘dirty money’).31 This can be argued to mirror when said criminals deposit illicit funds (sometimes through transactions designed to evade the reporting thresholds of AML-regulated entities) in said entities to begin the laundering process.32
As cryptocurrencies go on to become more popular,33 these regulated businesses may thus be ‘the new gatekeepers’ in an AML context, paralleling their replacement of traditional financial institutions in handling everyday economic transactions (becoming the new financial intelligence centres).34 The need to recognise this possibility is reinforced by the FATF35 in its guidance on the application of the risk-based approach in the broader virtual currency context.36 The FATF stressed that traditional AML regulatory paradigms should be applied to such businesses that are the mentioned points of interface, like exchanges.37 The guidance even argued how specific FATF Recommendations as to minimising money laundering risks can be applied to such entities, which reinforces the applicability of conventional approaches to the emerging cryptocurrency ecosystem. In this regard, Australia recently amended its anti-money laundering regime to bring ‘digital currency exchange providers’ into the fold of ‘reporting entities’ under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).38 The motivation for this amendment echoes the policy of the FATF, namely to ‘close a regulatory gap’ in respect of businesses like cryptocurrency exchanges.39 After all, the clients of these businesses already benefit from the degree of anonymity/pseudonymity which is coded into these currencies.40 In this vein, the traditional AML approach certainly has its merits.41
As a side note, AML regulation, if not adapted to suit small, but nimble, fintech, and regtech, startups, can present a barrier to entry in the financial services industry.42 After all, incumbent firms are most likely to have the resources for compliance budgets, versus the startups who may already be stretched in attending to marketing, technical, and financial, issues, apart from regulatory requirements.
Nonetheless, the traditional approach is arguably incomplete in attempting to minimise money laundering risk of cryptocurrencies, namely because such currencies are (largely) freely transferable by users anonymously/pseudonymously over the internet, without the need for ‘gatekeeper’ entities like exchanges.43 So regulators face the following questions:
· Which entity should be required to hold customer records?
· Which entity lodges transaction reports with the national Financial Intelligence Unit (especially when these currencies are ‘borderless’)?44
These questions especially arise in relation to currencies that are decentrally-issued, and trustless.45 Users do not rely on a few authority figures (like agents in a hawala network) to maintain the network, but on (depending on the currency) a multitude of independent computers processing their transactions.46 It can also be difficult to identify the primary actors in an ecosystem where identities, and audit trails, can be obscured by advanced cryptography.47
To counter this lack of regulatory visibility, AML regulators may attempt to regulate every single peer-to-peer transaction counterparty, perhaps requiring them to report their transactions to their country’s Financial Intelligence Units. But in the near term, this may be technically, and legally (from an enforcement perspective) unworkable. Financial Intelligence Units must also be cognisant of the reality that criminals can use the services of cryptocurrency exchanges to convert fiat currency to equivalent units of a cryptocurrency.48 But, as has been argued above, applying AML regulation to such exchanges is not a complete solution where criminals, especially cybercriminals executing ransomware attacks (common users of virtual currencies generally),49 already possess cryptocurrency, and can use these currencies’ respective blockchains to ‘layer’ these proceeds of crime. The latter issue is indeed exacerbated in the case of what the RAND Corporation calls ‘Anonymous Coins’, where advanced encryption obscures identities of transaction counterparties, and the audit trail.50 This reinforces the difficulty of financial intelligence collection since the potential sources of such intelligence (the counterparties) can be quite hard to identify in the first place. This issue is becoming more prominent with the growth of the ‘resilient public cyber key terrain’, in which individuals with low cyber sophistication have persistent, assured access to cyber services, regardless of opposition of a highly sophisticated State actor such as a signals intelligence agency.51
Indeed, an analogy can be drawn with the predicament AML regulators find themselves in when they try to track underground remittance networks. These transfer value without the international transfer of ‘money’ (echoing the transfer of Bitcoin), and experience very little ‘leakage’ of any form of intelligence (such as signals, financial and human information) if all the actors adhere to the networks’ standards of governance.52 While remitters are required under FATF Recommendation 14 to be regulated by AML frameworks,53 and are so by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”),54 criminals can easily use underground remittance systems (e.g., hawala) to move money around the world. In the same way, the traditional AML approach does not completely solve the peer-to-peer transfer of proceeds of crime within, at times, opaque, cryptographically-secured, networks.55 This is especially so when there is unlikely to be a concentration of transactions among a few actors (as in the case of hawala agents),56 but rather direct peer-to-peer transactions.
Still, AML regulators would be advised to do what they can to counter money laundering risk stemming from cryptocurrencies. Applying traditional AML paradigms to businesses like exchanges is certainly a start. After all, Financial Intelligence Units can still identify patterns, and suspicious behaviours, for instance, financial intelligence in relation to the transaction and the customer collected by these businesses, just as they would to track criminal misuse of the conventional financial system through traditional banks.
Policymakers should continue to consider designing a bespoke AML system in the cryptocurrency context (particularly for peer-to-peer transactions) and its idiosyncrasies (for instance, the use of increasingly sophisticated, but more accessible, encryption mechanisms to obscure identities and audit trails).57 This bespoke system would especially counter the opaqueness of peer-to-peer cryptocurrency transactions. It must embody the following principles:
· being technology-agnostic, and focusing on the nature of a technology, rather than its specific applications;
· auditability, and accountability of cryptocurrency ecosystems being a priority for their designers;
· greater resourcing and training of AML regulators;
· cross-border coordination by law enforcement and Financial Intelligence Units, (especially among FATF member states); and
· facilitation of a positive role for the private sector, especially fintech, and regtech, startups who are disrupting the AML/CTF compliance landscape.58
· Will this balance shift as decentralised exchanges become more prevalent?
Although digital currencies and tokens are able to be distributed and held on a peer-to-peer basis, these assets are often accessed through centralised systems—be they exchanges, digital wallets or issuing entities. Like our current system, these centralised organisations form a gateway and can be regulated.
The prevalence of centralised organisations in this industry is not new. In 2014/2015, the Australian bitcoin industry was interested in knowing whether it was caught under existing AML/CTF laws and would be required to perform KYC checks and report certain transactions. The industry in fact wanted to be caught by these requirements as it felt that this would give it legitimacy and distance from the taint of the dark web.
Although at the time the regulator was of the view that these organisations were not caught under the existing regime, this has recently changed. From 3 April 2018, those in the business of exchanging digital currency for money or money for digital currency will be caught under the Australian AML/CTF Act and will be required to register with AUSTRAC, like remittance providers, and, amongst other things, perform KYC checks, monitor transactions and report certain matters to AUSTRAC, plus have a compliance program setting out how it will comply with the AML/CTF Act.
Like in traditional systems, it is the gateways which are regulated. Once money is transferred into cash it is almost impossible to trace, but the act of withdrawing cash is monitored. So, too, are transactions involving digital currencies monitored. In neither system can every transaction be monitored; however, increased transparency is always preferable in the case of monitoring to reduce such risks.
It is also arguable as to whether the balance will shift as decentralised exchanges become more common. Applying a conventional approach would be quite futile initially in relation to decentralised exchanges. After all, decentralised exchanges present a challenge for AML regulators similar to that of cryptocurrencies in general: it can be difficult, at least in the short term, to identify the key chokepoints that hold the richest financial intelligence, enhanced by AML compliance measures.
Perhaps in the longer term, however, the approach could be adapted to, as in the case of exchange protocols like 0x, ‘relayers’, who aggregate the buy and sell orders of users wishing to transact in cryptocurrency on certain terms, and thus play a role in bringing counterparties together.59 Each relayer can potentially be an intelligence chokepoint, and regulators could require them to conduct KYC checks on matched counterparties prior to processing their trade. Relayers could deploy standardised digital identity systems to do such checks on all users of the databases they host, systems that could apply to all entities handling large volumes of cryptocurrency transactions (like exchanges).
3.2 Is it legal, moral or ethical to demand that platforms conduct financial surveillance?
· Is it constitutional (in the US) or moral/ethical to demand similar financial surveillance from the makers of software or from individuals (in addition to typical intermediaries)?
Now that society is frequently conducting more electronic transactions (whether fiat or in cryptocurrency), this means there is more potential financial intelligence, and monitoring available thereof. This is indeed the case in Australia with respect to fiat currency transactions, with Australians now using credit or debit cards more than cash.60
The culture and jurisdiction in which the financial transaction takes place will dictate the level of surveillance and financial privacy available. Currently, people are still familiar with and have a certain expectation of financial privacy through the means of cash, whilst card and online transactions are becoming easier to monitor. This collection of financial transactions directly, and indirectly, reveals much about us in relation to our credit histories, incomes, preferences for leisure, shopping habits, and our movements generally (inferred through public transport fares/road tolls/fuel payments). This has inevitably fuelled a resistance against constant surveillance from the institutions and government which resonates with the cryptocurrency community. Such desire for financial privacy is also what Satoshi Nakamoto alluded to in the publication of Bitcoin’s whitepaper in 2008. Indeed, it could be argued that the right to privacy is a fundamental one, enshrined under article 17 of the International Covenant on Civil and Political Rights,61 and (in the case of unreasonable searches by the state) the Fourth Amendment to the United States Constitution.
Accordingly, the work behind Zero-knowledge proof technology, including the distinction between Succinct Non-interactive Arguments of Knowledge (“SNARKs”) and Succinct Transparent Arguments of Knowledge (“STARKs”), poses the idea of masking the current data points involved in a blockchain transaction (including the sending address, receiving address and the amount of tokens), which will make the platform more attractive to privacy-focused users. In addition, this will have big implications on privacy, which will further down the track also lead to discussions around the concept of secrecy.
In this regard, from an ethical standpoint at the very least, it could be argued that for Financial Intelligence Units/law enforcement to target the head of the supply chain of financial (surveillance) software in its developers can be considered quite an overreach. To demand the latter to conduct financial surveillance rather than intermediaries, whose conduct is regulated by AML laws, could constitute a morally, and ethically, hazardous delegation of executive power. It therefore raises the question of whether financial surveillance, especially when it breaches our fundamental right to privacy under the International Covenant on Civil and Political Rights,62 should be conducted by only Financial Intelligence Units/law enforcement (their activity being subject to agencies’ own legislation, and sometimes merits review) and by the intermediary regulated by AML laws. After all, the application of these laws to the activity of these entities when conducting financial surveillance could be argued to mitigate said hazards. This is because the mentioned laws are targeted at preserving the public interest and have been made by an elected Parliament (a product of the democratic process). In essence, the question is whether the moral/ethical hazard in demanding the makers of software to conduct financial surveillance is mitigated by being enshrined in an Act of Parliament (such as extending the AML regime to them), that too after meaningful consultation with stakeholders. This step even could be a bulwark against the coercion of financial software providers into weakening their products’ encryption standards to allow Financial Intelligence Units/law enforcement to conduct surveillance on users.
But even then, one should question whether there is a moral/ethical issue with financial surveillance being conducted by the actual developers of software. Such a stance could be based on the argument that morality/ethics-based oppositions to such surveillance are outweighed by the public safety reasoning for financial surveillance. This is especially so if criminals are using such software (e.g., wallet software), but not the services of regulated intermediaries (e.g., traditional banks and cryptocurrency exchanges), thus presenting a financial intelligence gap regulators must plug.63 Such a risk may be enhanced in cases of criminals leveraging the anonymity provided by some cryptocurrencies in peer-to-peer transfers to their associates.64 From a morality lens, it could even be argued that the fundamental right to privacy of a few (criminals using software, but not the services of regulated intermediaries) could be permissibly infringed to protect the fundamental right to life of the many (e.g., law-abiding citizens shot by guns bought with the proceeds of crime). Furthermore, one should remember that it would be quite unusual for a Financial Intelligence Unit/law enforcement agency to, without legislative authority, or warrant, simply coerce a software provider into conducting financial surveillance. Hence, the people, collectively speaking, can hold the instruments of the state accountable through the Parliament, and judges determining the scope of such surveillance. This should alleviate any moral/ethical hazards, and thus outweigh the opposing argument that there are such hazards with demanding the surveillance this question is concerned with.
· Who is liable for the platform—software makers or individuals who run the platform?
Like traditional systems, responsibility can lie with multiple actors simultaneously for the same issue. Responsibility is a matter of fact and degree. Simply because one is not the direct service provider does not mean that it is exempt from all responsibility. Further, certain principles, such as gross negligence or fraud, cannot and should not be contracted out. There is no reason for the insertion of a new technology to interfere with these principles, and their application will depend on the factual scenario.
3.3 How will privacy protection upset the transparency of the bitcoin blockchain?
· Law enforcement has come to rely on the transparency of the bitcoin blockchain in order to catch and convict those who use bitcoin in crimes. Will privacy protecting cryptocurrencies upset this reliance?
Law enforcement has come to rely on said transparency for gathering intelligence to build cases. This was first apparent in the Silk Road cases, among the first US criminal cases prosecuted using evidence from the Bitcoin blockchain. Prosecution was facilitated by the lack of anonymity provided by the Bitcoin blockchain to users: conventional ‘follow the money’ paradigms (albeit with novel technologies mapping out transaction flows, and patterns across the blockchain) could be applied to good effect.65
Indeed, former US federal prosecutor Kathryn Haun recognised that use by criminals of technologies such as mixers, and tumblers—that obfuscate transaction data, and hinder visibility of actors, and their dealings—can erode this evidence base.66 Hence, privacy-protecting cryptocurrencies using such technologies (like Dash) will upset this reliance.67 Such a possibility is especially strong in the case of the growing resilient public cyber key terrain, and in the increasing availability of sophisticated cryptographic tools (originally deployed for cryptocurrencies). This indeed will make it easier for criminals to transact, and even communicate, given the significantly lower risk of detection by law enforcement.68
· How will law enforcement cope and react to the change?
Law enforcement and Financial Intelligence Units are quite likely to adapt to the challenges of privacy-protecting cryptocurrencies in a number of ways. History arguably supports this hypothesis when law enforcement had to adapt to new criminal typologies. In fact, the modern ‘placement-layering-integration’69 model of money laundering is drawn from law enforcement’s adapting to the typologies of the laundering of drug money.70
As an example of such adaptation, one should consider the experience of the United States Drug Enforcement Administration (“DEA”). The DEA was established in 1973 to ‘deal with America’s growing drug problem’ by the early 1970s, and thus create ‘a single unified command’.71 In the 1980s, it had to adapt its counternarcotics operations in light of factors such as the:
· reorganisation, and unprecedented expansion, of transnational narcotrafficking;
· rise of the Colombian Medellin cartel, which ‘was fast becoming the richest and most feared underworld crime syndicate the world had ever encountered’;
· ‘influx of cocaine into the United States’; and
· ‘violence associated with drug trafficking and drug use’.72
Nonetheless over the next decade or so, the DEA, in cooperation with its Colombian counterparts, developed means of investigating and infiltrating the notorious Medellin Cartel before ultimately dismantling it and eliminating its leader, Pablo Escobar.73
And more recently, the FBI’s skilled cyber specialists were able to develop a means of hacking into, and surveilling, the highly encrypted The onion router (“Tor”) network to track users of the Silk Road marketplace and use this intelligence to monitor their transactions on the Bitcoin blockchain.74
Law enforcement is therefore quite likely to leverage its strong partnership with the private sector, especially in the blockchain space. For instance, the Blockchain Alliance brings prominent American federal regulators (including America’s Financial Intelligence Unit FinCEN) and federal law enforcement agencies, as well as the Australian Federal Police (“AFP”), together with significant members of industry such as firms specialising in blockchain analytics for financial intelligence purposes (e.g., Chainalysis). The Alliance was established as a ‘public-private forum to help combat criminal activity on the blockchain’; to primarily educate such agencies on how blockchain technology can be criminally misused (e.g., using Bitcoin to launder proceeds of crime), and involves a high degree of collaboration between the two groups of actors. This can help law enforcement and Financial Intelligence Units redesign their surveillance and enforcement strategies for blockchain contexts defined by privacy protection, and build relationships with key actors to aid the implementation of said strategies.75
Moreover, law enforcement will also leverage and strengthen its inter-agency coordination, even across borders. Such capacity was especially evident in Australia through Australian law enforcement’s effective use of AUSTRAC’s financial intelligence database to detect and disrupt the commission of predicate offences.76 The Egmont Group of Financial Intelligence Units and the 5 Eyes countries (USA, Canada, Australia, UK, and New Zealand) have worked and continue to work together to detect and disrupt serious organised crime globally. Lauded examples of the 5 Eyes’ cooperation include:
· The conviction in the United States of Altaf Khanani, the world’s most active money launderer, whose clients ranged from Australian motorcycle gangs and significant Latin American drug cartels to terrorist groups. Australian federal agencies such as AUSTRAC, the AFP, and ACIC, and the American DEA, worked together to: infiltrate Khanani’s global network based on the ancient Islamic remittance system of hawala,77 which is notoriously hard to investigate from an AML perspective;78 and build a case for his prosecution.
· The dismantling of the encrypted communications provider and platform, Phantom Secure, whose clients were organised crime, by Australian, Canadian, and American law enforcement. Phantom Secure marketed bespoke devices for this market to enable criminals’ ‘unrestricted, secure communications beyond the capability of law enforcement interception’. In fact, it is alleged that ‘Phantom Secure was the first encrypted communication platform available on a wholesale scale in Australia’.79 Its takedown by law enforcement is encouraging in an age where organised crime is increasingly able to use sophisticated modes of encryption, regardless of their level of cyber sophistication.
3.4 Can blockchain identity tools offer improved KYC?
· Anti-money laundering regulation is, in large part, predicated on effective customer identification (know your customer or KYC). Can blockchain identity tools offer improved AML compliance?
Blockchain identity tools could be designed to be secure distributed ledgers of KYC information normally collected by an entity regulated for AML purposes (but not shared with fellow regulated entities due to privacy regulations applying to such personal information).80 These could exist as private blockchains, administered by the national Financial Intelligence Unit or federal law enforcement agencies. Other participants (i.e., nodes) granted permission to join such blockchains include:
· government agencies (e.g., Commonwealth Department of Human Services, state agencies that issue identity documents) which originally hold this data, and thus populate the ledger with respect to each citizen; and
· the aforementioned regulated entities.
Hence, such registries can constitute a single source of truth for KYC information compliant with AML requirements for KYC, and customer due diligence and data collection.81 That data, access and additions thereto, would be verified and immutably logged by the mentioned nodes.82 The use of a private blockchain would ensure that only entities vetted for security purposes and governed by strict data security protocols (like government agencies) can participate.83 Perhaps this could be augmented in the future by including a public blockchain component to leverage the large number of nodes for ledger verification purposes on these chains.
It is arguable that these tools offer improved AML compliance. Firstly, when person X seeks to open accounts with multiple institutions regulated for AML purposes (e.g., banks, digital currency exchanges), those institutions can easily query the singular record of person X stored on the blockchain-based identity registry. This KYC process could be automated, making the AML compliance process easier. This saves regulated entities significant compliance costs in no longer having to conduct substantially the same process in relation to the same person.84 In this regard, AML compliance (of which the KYC process is a key component) could be conducted by a larger variety of businesses in the cryptocurrency ecosystem, such as the ‘relayers’ for decentralised exchanges or custodial wallet providers.85 This expands visibility for AML regulators, especially Financial Intelligence Units seeking to ensure the establishment of clear audit trails. Secondly, the positive role of blockchain-based registries in AML compliance is enhanced by the fact that the KYC records of citizens would be extremely hard to tamper with,86 when compared to the centralised and siloed (dispersed across multiple regulated entities) storing of KYC information. Reporting entities under the AML/CTF Act could also take confidence that the consumer due diligence checks they conduct would be based on information that is immutably logged.87
On the other hand, one should note that blockchain identity tools are not a KYC panacea, generally speaking.
It could be argued that the mentioned agencies, and participants, should populate and maintain a centralised database of KYC information. This could echo AUSTRAC’s database of financial intelligence, which is made available to all its partner agencies.88 The proposed KYC database could also be incorporated into the tools used by members of the Australian-launched Fintel Alliance. This organisation is a public-private partnership involving Australian agencies like AUSTRAC and is aimed at fighting financial crime through ‘advanced technological solutions… [and] empowering companies and law enforcement to rapidly trial, then implement, global best practice ideas [to achieve its mission] in a trusted environment’.89
Furthermore, securing a blockchain-based solution for KYC information can be problematic (depending on the design). For instance, if each node has a copy of the KYC data, against which it checks every addition thereto, it is a honeypot for hackers who would need only to compromise that node to steal citizens’ personal information.90 This data could then be used to commit identity crimes via fraudulently obtained identity documents. In turn, these could be used to launder the proceeds of crime,91 thus striking at the AML/CTF rationale for using blockchain identity tools like distributed KYC ledgers in the first place.
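One possible design for the ledger discussed above, as an added example that is not part of the Report: each entry holds only a salted commitment to a customer's KYC attributes, so a compromised node yields no raw personal data, while hash-chaining makes any later alteration detectable. The field names, the per-customer salt held off-ledger, and the sample records are assumptions constructed for illustration; replication and consensus between nodes are not modelled.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "previous hash" of the first entry

def commit(attrs, salt):
    """Salted commitment to identity attributes; raw attributes never go on the ledger."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, canonical, hashlib.sha256).hexdigest()

def entry_hash(entry):
    body = {k: entry[k] for k in ("index", "prev", "issuer", "subject", "commitment")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(ledger, issuer, subject, commitment):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"index": len(ledger), "prev": prev, "issuer": issuer,
             "subject": subject, "commitment": commitment}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry

def verify_chain(ledger):
    """Return the index of the first inconsistent entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["index"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
            return i
        prev = e["hash"]
    return -1

def check_customer(ledger, subject, attrs, salt):
    """A regulated entity checks attributes a customer presents against the latest commitment."""
    if verify_chain(ledger) != -1:
        return False  # refuse to rely on a ledger copy that fails verification
    latest = next((e for e in reversed(ledger) if e["subject"] == subject), None)
    return latest is not None and hmac.compare_digest(latest["commitment"], commit(attrs, salt))

def demo():
    ledger = []
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; random per customer in practice
    attrs = {"name": "Alex Example", "dob": "1980-01-01", "doc": "P0000000"}  # constructed record
    append(ledger, "issuing-agency", "subject-001", commit(attrs, salt))
    append(ledger, "issuing-agency", "subject-002", commit({"name": "Sam Sample"}, salt))
    ok = check_customer(ledger, "subject-001", attrs, salt)
    # Simulate a compromised node rewriting an existing record in its copy.
    ledger[0]["commitment"] = commit({**attrs, "name": "Someone Else"}, salt)
    return ok, verify_chain(ledger)
```
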
· Do existing laws or regulations need to change to enable that improvement and, if so, how?
In September 2017, the Australian Securities and Investments Commission (“ASIC”) issued some guidance to explain how ICOs will be regulated. ASIC’s guidelines provide a framework for how to operate under Australia’s regulations, while encouraging innovation and the development of new financial business models. Australia’s approach is an amalgam of a suite of regulations that might apply to public and private companies when they launch an initial public offering, raise funds from existing shareholders, or offer financial services.
The many ways that ICOs stage the release of tokens remain organic. Some pre-empt the process by raising venture capital and most publish a white paper to anticipate the launch. Recently, some ICOs have started imposing a lock-up period of 3-12 months, during which time the investors cannot sell their tokens. Making sense of the projects and the rules imposed on the token sales can make it harder for investors to make informed decisions.92