Fintech Brain Food - August 14th 2022
Hey everyone, thanks for coming back to Brainfood, where I take the week's biggest events and try to get under the skin of what's happening in Fintech. If you're reading this and haven't signed up, join the 19,322 others by clicking below, and to the regular readers, thank you.
----------
Hey Fintech Nerds
In the week Disney+ overtook Netflix, Ethereum all but completed its merge, and we cheered for inflation running at 8.5% YoY; the thing that got me most curious was the sanctioning of DeFi project Tornado Cash. This is the first time a government has sanctioned software, which could have countless unintended consequences. I unpack in this week's Rant and go down a rabbit hole of what would give us actually good AML.
Coinbase had a bit of a sucky Q2 set of results, but don't write it off just yet, and Reddit launched its community token on the Eth L2 Arbitrum. These seemingly unrelated events all feel like a sign of the times, where the headlines for Crypto are still negative, but the building is quietly happening.
The big story in Fintech was the CFPB coming after Hello Digits in a strongly worded release that accused them of lying about "not going into overdrafts," among other offenses, and ordered them to pay substantial damages. Digits had an "auto savings" sweep, which would take any money left after bills were paid and "sweep" it into savings. For some customers, this went wrong, and they ended up overdrawn. But as Ohad points out, 2000 customers have not been reimbursed a total of $68k (or $34 each), and the CFPB is beating its chest pretty hard on this one. I grant you that promising not to make interest on customer deposits and then making interest on customer deposits isn't great, but it's not exactly mortgage mis-selling.
It makes you wonder why making an example of Fintech companies is so important. I mean, those darn pesky Fintech companies are trying to SAVE their customers' money automatically. How dare they! Don't get me wrong; I don't want to trivialize being overdrawn and the consequences that can have on the lowest income. But c'mon. This regulation by performance art, making an example of a Fintech company, just doesn't sit right (and yes, I get that regulators have done that to banks for decades too). This looks more like appeasing the bank lobby than it does punishment fitting the crime. To me, anyway.
Fintech companies are in their awkward teenage phase and should get called out when they make mistakes. But the market needs innovation. I understand the desire of banks for a “level playing field.” But there are times like this when the punishment doesn’t fit the crime.
---------
Weekly Rant
Why can't we have privacy and prevent money laundering?
(Or, why a God Mode in Financial Services is amazing and terrifying).
This week the US Treasury sanctioned a Crypto service called Tornado Cash (TC). Tornado Cash aimed to bring users enhanced privacy when using web3 but has been accused of laundering more than $455 million for North Korea's Lazarus Group. Lazarus is believed to be behind attacks like the WannaCry ransomware, the Sony Pictures hack, and recently the Axie Infinity Ronin wallet hack.
But mixers aren't all bad. Vitalik Buterin used TC to donate to Ukraine, as did many wealthy individuals in Crypto. And, perhaps more importantly, so did many wealthy individuals who are privately sympathetic to Ukraine but couldn't show public support (e.g., Russian Nationals).
The Crypto technology that helps you donate to Ukraine in privacy, even if you live in Russia, also allows the North Koreans to hide stolen gains to fund their military effort.
What is Tornado Cash?
On most Crypto networks, every transaction a wallet performs is a public record (and can be searched using services like Etherscan). Imagine if every coffee you bought, Uber you rode, or purchase you made was a public record. It could be a privacy risk.
It is a privacy risk, especially for the wealthy or for individuals in war-torn regions or under hostile governments. TC is a "mixing service" that mixes tens of Crypto transactions into a single transaction to give a degree of privacy to the sender and recipient.
TC is also not just a mixing service; it's a decentralized mixing service. A centralized mixing service is a privately owned service that takes your coins and sends back other coins for a fee. A decentralized service is software (a smart contract) that pools together multiple transaction inputs from multiple wallets and creates multiple outputs to multiple wallets.
Imagine 30 inputs on the left-hand side, a black box in the middle, and 30 outputs on the other, but it's unclear who sent what to whom.
Why is the US Treasury sanctioning Tornado Cash?
In June, $100m was stolen from the Harmony Blockchain using its Horizon bridge. Harmony is an L1 Blockchain (think Solana, ETH, BTC), and the Horizon bridge is a tool used to "bridge" assets from other chains (so you take your USDC on Eth and bridge it to Harmony).
A week later, this attack was linked to North Korea's Lazarus Group. Lazarus Group was also suspected of being behind the Axie Infinity Ronin hack that saw $540m stolen from user wallets.
It would appear that the attackers at Lazarus were then able to use Tornado Cash to funnel the proceeds of those hacks to their benefit. If a bank, Fintech company, or centralized crypto exchange enabled these funds to be sent to North Korea, they'd be in breach of the US Sanctions on North Korea.
North Korea is a pariah nation developing nuclear weapons, and $640m is now available for its Government and military to continue being bonkers. I'm reasonably sure nobody believes that's a good thing.
Now imagine if Crypto and DeFi scale to the size of the existing global financial system. If we still have hacks and mixers used the same way by adversaries, things could go sideways quickly.
As Ryan put it:
We must prevent these hacks and this source of funding for a pariah state.
On some level, I don't blame the US Treasury for trying to find a choke point and prevent these types of attacks from being successful.
Was this the right approach?
Or did they start down the slippery slope to a privacy hellscape?
It now also appears that the Dutch authorities have arrested a man suspected to be a developer of Tornado Cash. I must stress it’s unclear what the charges are, but if the arrest is simply for creating software, this is an alarming development.
The authorities appear to be scapegoating entirely the wrong people for the right reasons. I don’t think anyone wants North Korea to be able to hack and scam consumers and get away with it.
But we don’t solve that by arresting developers building privacy tools.
The message sent by authorities isn’t: “We will go after the right targets.” (Which I think they intended)
The message is, “We will go after easy targets and don’t care if it’s effective or who gets hurt in the process.”
The clampdown on any form of encryption is misguided, and the criminalization of software engineers is even more so. This damages the moral authority of the West to be the guardian of citizens online. Short term, they may not care because the goal is to go after the Lazarus group. But this is like arresting the bridge builders to stop a car thief. It’s a gross overreaction.
Consequently, I fear Crypto, which had been increasingly dollar-based and looking to be regulated, could sweep in the opposite direction.
These actions, far from restricting North Korea, will likely motivate developers to create new tools precisely because the enforcement method is so rage-inducingly stupid and ineffective.
If we want to stop scams and hacks, there are better ways.
But to get to those we need to unpack:
1. How are the sanctions applied, and what is the impact?
So the @USTreasury opened up #ethereum's @etherscan, took all addresses they have labeled as @TornadoCash and put them in a sanction list: etherscan.io/accounts/label… Source: home.treasury.gov/policy-issues/…
The US Treasury used Etherscan, a "block explorer," a tool to view transactions on the public Ethereum network. The US Treasury has added the Etherscan-identified wallets associated with Tornado Cash to a sanctions list.
All US-incorporated entities, branches, and subsidiaries must comply with sanctions (and realistically, any business wanting to operate in dollars).
This includes VASPs (virtual asset service providers, like Coinbase and FTX), Stablecoins like USDC, and even infrastructure providers.
When you play this out:
In theory, all they did was add a bunch of wallet addresses to their sanctioned entities list. But the reality is the US Treasury sanctioned a smart contract and, in doing so, treated software like a legal person.
This is the first time in history a government has sanctioned software.
And there are massive consequences.
The problem is that computer code is neither a natural person nor a legal entity. Code is speech (per Bernstein v. DOJ). Sanctions law is also strict. If an American person or entity transacts with a sanctioned entity, they can be sentenced to 30 years in federal prison. (As for the arrest in the Netherlands, code is not speech there, which may have opened the door to the developer's arrest.)
In theory, Vitalik may be implicated in a sanctions violation because he used Tornado Cash to donate money to Ukraine in privacy. Instead of sanctioning the Lazarus Group and its wallets, the US Treasury has gone after a tool the hackers used.
The move already has unintended consequences.
A troll is currently sending tiny amounts of Eth to 1000s of wallets via Tornado Cash.
Someone is out dusting a bunch of wallets from Tornado with 0.1 ETH lmaaaaooooo etherscan.io/txsInternal?a=…
Is every single one of those individuals who has now used TC subject to sanctions too?
It's starting to appear that way.
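As an added illustration (not the Treasury's, Etherscan's or any screening vendor's code), here is how a compliance team might screen wallets against a list of addresses like the one described above, and why the naive "has ever touched a listed address" rule sweeps in the dusted wallets. The addresses, transactions and the 0.1 ETH dust threshold are constructed placeholders.

```python
"""Screen wallets against a sanctions list of on-chain addresses.

Constructed example: the listed addresses stand in for the Tornado Cash
contract addresses the Treasury published; none of the values are real.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed placeholders for the listed contract/router addresses.
SANCTIONED = {"0xTORNADO_POOL_PLACEHOLDER", "0xTORNADO_ROUTER_PLACEHOLDER"}

# Constructed threshold matching the 0.1 ETH dusting described above.
DUST_THRESHOLD_ETH = 0.1

# Ordering of outcomes from least to most serious.
RANK = {"none": 0, "inbound_dust": 1, "inbound": 2, "outbound": 3}


@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    value_eth: float


def direct_hit(addr: str, sanctioned: set[str]) -> bool:
    """Strict check: is this address itself on the list?
    Hex addresses are case-insensitive, so normalise before comparing."""
    return addr.lower() in {a.lower() for a in sanctioned}


def naive_exposure(wallet: str, txs: list[Tx], sanctioned: set[str]) -> bool:
    """One-hop rule: flag any wallet that was ever on either side of a transfer
    with a listed address. This is the rule that turns dust recipients into
    'sanctioned' wallets, because nobody can refuse an inbound transfer."""
    return any(
        (tx.sender == wallet and direct_hit(tx.recipient, sanctioned))
        or (tx.recipient == wallet and direct_hit(tx.sender, sanctioned))
        for tx in txs
    )


def classify_exposure(wallet: str, txs: list[Tx], sanctioned: set[str],
                      dust_threshold: float = DUST_THRESHOLD_ETH) -> str:
    """Direction-aware rule. 'outbound': the wallet chose to send funds to a
    listed address (real exposure). 'inbound': a listed address paid the
    wallet a material amount (review). 'inbound_dust': unsolicited transfer
    at or below the threshold, logged for review rather than treated as a hit."""
    worst = "none"
    for tx in txs:
        if tx.sender == wallet and direct_hit(tx.recipient, sanctioned):
            level = "outbound"
        elif tx.recipient == wallet and direct_hit(tx.sender, sanctioned):
            level = "inbound_dust" if tx.value_eth <= dust_threshold else "inbound"
        else:
            continue
        if RANK[level] > RANK[worst]:
            worst = level
    return worst


# Constructed sample: a depositor into the pool, a doxxed wallet that got
# 0.1 ETH of dust, a wallet paid out 25 ETH by the router, and a bystander.
SAMPLE_TXS = [
    Tx("0xdepositor", "0xTORNADO_POOL_PLACEHOLDER", 1.0),
    Tx("0xTORNADO_ROUTER_PLACEHOLDER", "0xcelebrity", 0.1),
    Tx("0xTORNADO_ROUTER_PLACEHOLDER", "0xwithdrawer", 25.0),
    Tx("0xbystander", "0xexchange", 0.5),
]

if __name__ == "__main__":
    for w in ("0xdepositor", "0xcelebrity", "0xwithdrawer", "0xbystander"):
        print(f"{w:<13} naive={naive_exposure(w, SAMPLE_TXS, SANCTIONED)!s:<5} "
              f"refined={classify_exposure(w, SAMPLE_TXS, SANCTIONED)}")
```

Run as a script it prints the two rules side by side; the naive rule flags the dusted wallet exactly like the depositor, while the direction-aware rule separates them.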
2. How could we solve the state-sponsored hacking problem more effectively?
We know AML is ineffective.
Banks make up 7 of the world's top 10 most penalized companies by regulators. And yet, criminals continue to launder trillions through the existing financial system.
If you look at the problem in terms of pure data, fining banks and expecting them to have a process for due diligence isn't working. But the Treasury isn't worried about criminals; it's concerned about nation-states.
And Crypto is quite effective at detecting money laundering, possibly too effective. Per Chainalysis data, illicit activity is at least 10x lower in DeFi than TradFi (standing at around 0.15% of all transactions, vs. UN estimates of 1 to 2% of GDP in TradFi).
And that's a problem.
Remember the global, public, transparent record? That makes building analytics and tracing money launderers much better in DeFi compared to TradFi.
If AML rules can be applied to Crypto and DeFi, they'd be highly effective.
But we'd also sacrifice privacy for good.
And I think that’s why the Tornado Cash Sanctions and arrest got under my skin so much.
I believe privacy is a fundamental human right.
3. We need a better privacy and AML conversation.
Perhaps we can start with a definition of privacy.
In political circles, privacy is about corporate overreach on the left, and on the right, it's about free speech and de-platforming, but the target is the same: Big Tech companies.
The conversation about privacy in Government relates to privacy from Big Tech companies, who use consumer data to target ads but also enabled adversarial nations to weaponize social media to spread misinformation.
Europe decided to attack the problem with bureaucracy in the form of the General Data Protection Regulation (GDPR).
GDPR defines privacy as:
the measure of control that people have over who can access their personal information
And personal information is any data that can clearly be associated with someone (so anonymized data doesn't count).
GDPR, however well-intentioned, has been ineffective.
We now have cookie consent forms everywhere, and Big Tech continues to hoover up more data than ever. The consumer, in theory, has a "right to be forgotten" that they can seldom execute. They have a right to data portability that platforms make nearly impossible to use.
The privacy "conversation" happening in Washington will likely draw substantially on GDPR. European Bureaucracy often has a first-mover advantage in this sense. The regulatory world is small, after all.
The GDPR differs substantially from the dictionary definitions of privacy, which are:
A state in which one is not observed or disturbed by other people.
The state of being free from public attention.
Interestingly, neither of these talks about freedom from government attention. Yet I think that’s something a lot of people consider a part of being free.
Consider how in the West, we recoil in horror when we hear about Chinese state espionage on their own people. Or stories of the Stasi, the secret police that spied on the population in former East Germany and ruled with fear, psychological oppression, and informants.
Privacy of data and transaction privacy feels like a fundamental human right, provided I haven’t used it to harm another person or entity.
In the United States, software and money are defined (and protected) as speech and should be private, but that doesn't apply evenly to data.
Some data is bad. For example, do we want child pornography to be protected as free speech? So data as speech might not be a good solution.
But what if data were property?
(Funnily enough, the EU Commission is now considering moving that way.) Property broadly conveys several rights:
1. The right to exclusive possession;
2. The right to personal use and enjoyment;
3. The right to manage use by others;
4. The right to the income from use by others;
5. The right to the capital value, including alienation, consumption, waste, or destruction;
6. The right to security (that is, immunity from expropriation);
7. The power of transmissibility by gift, devise, or descent;
8. The lack of any term on these rights;
9. The duty to refrain from using the object in ways that harm others;
10. The liability to execution for repayment of debts; and
11. Residual rights on the reversion of lapsed ownership rights held by others.
That feels like a pretty good starting point for personal data (anonymized or not).
Of course, the problem with this is a practical one. Each of us has hundreds of gigabytes of personal data held by the Big Tech firms, and expecting them to start paying us for access is unrealistic.
But in web3, why couldn't we model data as property? It's sort of already happening. Wallets have sovereign control over assets (like NFTs), and in the United Kingdom, the supreme court ruled that NFTs are property.
If my identity is stored as an NFT in a web3 wallet, then do I own my identity? Yes, I think you do.
And what's more, you can permission access to the elements of data in your identity quite trivially (check out PFPid.xyz or Burrata for how that might work).
(Before the DIDs crowd @'s me, I know decentralized identifiers might be a better solution.)
The point is, if data is property, like all property, it should not be searchable without a warrant and not seized without due process.
We know all web3 wallets and their associated NFTs are, in fact, already searchable. Remember, the US Treasury found the wallets related to Tornado Cash from Etherscan. But an NFT can contain an encrypted payload, and data can be stored on services like Arweave to remain private. Using the infrastructure to own and control data is possible without it being public by default.
This leads us nicely to AML.
4. We need a first principles rethink of AML.
The IMF provides a handy definition of the goals of the current system (not exhaustive, emphasis mine)
Protecting the integrity and stability of the international financial system, cutting off the resources available to terrorists, and making it more difficult for those engaged in crime to profit from their criminal activities
As a market observer, if I were to re-order and re-word the above, it would look like this:
Under number 3 is everything we don't like as a society: child pornography, human trafficking, arms dealing, and corruption. And having rules to stop that is a fundamentally good thing.
The goals are good.
The problem is how we try to implement AML policy.
The introduction of AML policy turned any entity that stores or moves money into an arm of the state. Banks, FIs, and even a tiny Fintech company are effectively on the hook to be the police of money. Spot the bad guys and report them to law enforcement.
How do you spot the bad guy?
By requiring any individual or entity trying to move more than $1,000 with you to disclose their legal identity to that organization through the Know Your Customer (KYC) process. If money gets laundered, the Bank, FI, or Fintech company should spot that happening, see if their customer did wrong, and report it to law enforcement.
But it's not that simple.
If we did have a God Mode, we could spot suspicious activity trivially. AML professionals call this "follow the money."
Crypto has half a God Mode.
Crypto wallets are pseudonymous. They don't require an identity attached to a wallet to use the Blockchain network.
However, Blockchain networks create a single global record of every transaction with thousands of redundant copies that are impossible to edit. It's the perfect audit trail. Crypto forensics businesses like Chainalysis, Elliptic, and TRM Labs do exactly that. They allow organizations and law enforcement to "see" activity patterns (in many cases visually).
Assuming law enforcement spots a cluster of bad activity, they can follow that activity to a logical endpoint. The criminal will try to take the proceeds of crime and cash them out or use them to buy something. At that point, they'd need a legal identity and could be subject to law enforcement.
That's happening today.
A lot.
Law enforcement has been so effective at taking down darknet markets because they had this amazing God Mode functionality that does not exist in the current financial system.
In 2015, I worked with an AML team at a bank that described having "system envy," having seen how easy it was to detect money laundering in Crypto.
But what works for the law works for the naughty folks too.
As we saw, an attacker is sending tiny fractions of Ethereum to wallets with known celebrities and individuals attached to them (doxxed wallets).
As soon as an identity is attached to a wallet, it becomes a privacy nightmare.
If we want to get much better at preventing criminals and rogue nations from benefiting from crime, we also need to get much better at protecting consumer privacy. And the tech allows this.
Remember PFPid.xyz? If my identity can follow my wallet but doesn't reveal my personal data by default, it's apparent that wallet 0x35875389 has an identity without revealing whose identity that is.
Remember that NFTs are assets with functionality and legos. (In fact, so are all Crypto tokens.) So we could create an identity NFT that can have its data revealed if
5. Building in the Petri Dish.
Look, I get that this is a bit fanciful (to expect the Government to use web3 anytime soon when it's busy trying to sanction software).
But my goal was to prove we have the technology to prevent bad things and live in real privacy.
We just need to question some long-standing assumptions.
And maybe this entirely new, parallel global financial system is the perfect petri dish for doing just that?
ST.
---------
4 Fintech Companies
1. Guava - Banking for Black Entrepreneurs
2. Solid - A BaaS platform
3. Tenet - Trade on real-world events
4. Outgo - the Fintech for Freight Management
--------
Things to know
------
Good Reads
That's all, folks.
Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)
General Counsel | Financial Services | Banking | Risk Management | Litigation Management | Regulatory and Compliance Expertise
(2 years ago) In the US, AML/BSA requires the ability to trace, and more importantly, to report. While the desire to enable private donations is noble, so is protecting nation states from bad actors. If TC could, for example, maintain a user's privacy to the public but privately be able to monitor transactions and report suspicious activity to the government, it seems like much would be forgiven. Also, something to consider, the US government typically doesn't sanction as a first step. I suspect there may have been discussions that we are not privy to which included asking TC to find a way to become compliant and it declined. Does it have to? I wonder if it is possible to work with another company like Chainalysis on the back end to maintain records – that are not made public – that would allow compliance and still enable privacy.
Director - Regulatory and Compliance Consultant - Payments, Fintech and Blockchain
(2 years ago) Good rant on privacy. I fully share the concerns there and have put the topic in perspective from a central bank / market regulation perspective in this thread. It may look as if the power battle between intrusive policing/pro-active regulation and more detached market regulation (only correct things in security, stability and efficiency of payments when they go wrong) has been lost but we still have UN guiding principles and human rights charters to push back. See https://threadreaderapp.com/thread/1558761681613905922.html
Founder | Stablecoins | Forbes 30 Social Entrepreneur
(2 years ago) KYC verified through NFT-gated commerce is the future. Great logic, and great write up.
Delivering Global ID Verification Partnerships for Fintechs, RegTechs, Finance & Compliance platforms
(2 years ago) Top read Simon Taylor. Be great if AML gets easier! One for you Darnell W.