That thing about bitcoin, crypto currencies and money laundering
From time to time on twitter — and yesterday in context of that Windows XP ransomware / NHS thing — I get in an argument about how crypto-currencies will revolutionise the whole world of finance — and maybe they will. But in my experience proponents’ arguments stop at the level of How can they possibly stop an internationally distributed currency run by no-one in particular? The answer is, easily, at least once it starts getting traction so that it would matter on an international scale.
Firstly as a starter: I have been told that Bitcoin is already important, after all it has $30bn of market cap. First point to note, US$ M1 is $3tn, give or take. So even on a pretty narrow measure, BTC is 1% of US$ — and BTC is (a) international, and (b) probably a not insignificant supply of the coins is inaccessible by now. Now this is of course a stock and we are interested in flows, and whilst I don’t have the numbers I am pretty certain that the ratio of flows is even more lopsided — especially once you take out some spurious stuff like mixers (and Satoshi dice? are Satoshi dice still a thing?). This is to say: the reason that there are no controls in place is not because it is impossible to control, but mostly because it thus far is not significant enough to matter.
So how will states control Bitcoin and other crypto currencies if need be? The answer is of course like any other assets that can serve as a means of exchange, using the anti-money laundering and anti-terrorist finance regulation that is in place globally, and in what follows I’ll discuss how that works.
Globally there is a thing called the Financial Action Task Force (FATF) and they run a shiny website, explaining who they are: an organisation of 35 large countries that coordinate on money laundering matters and that ensure that equivalent legislation is in place in all of them. In the EU, this legislation is mostly contained in the Anti Money Laundering Directive (AMLD 4) 2015/849. So without further ado, let’s dive into those regulations.
Firstly: To whom do those regulations apply? The short answer is: essentially everyone active in financial services, plus everyone outside financial services (!) handling cash amounts of over €10,000 (aggregated over multiple related transactions) for the purchase of goods. So if your business is selling gold, or real estate, or art — as soon as your item is of moderately substantial value, you are covered. As an aside: technically the regulation only mentions goods so I guess if you flip bitcoins for €10,000+ in cash you are currently technically fine, but this is not really relevant for what follows.
The key article here is Article 11 (my highlights):
Member States shall ensure that obliged entities apply customer due diligence measures in the following circumstances:
(a) when establishing a business relationship;
(b) when carrying out an occasional transaction that:
(i) amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or
(ii) constitutes a transfer of funds, as defined in point (9) of Article 3 of Regulation (EU) 2015/847 of the European Parliament and of the Council ( 1 ), exceeding EUR 1 000;
(c) in the case of persons trading in goods, when carrying out occasional transactions in cash amounting to EUR 10 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
(d) for providers of gambling services, upon the collection of winnings, the wagering of a stake, or both, when carrying out transactions amounting to EUR 2 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
(e) when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;
(f) when there are doubts about the veracity or adequacy of previously obtained customer identification data.
What customer due diligence measures are is detailed in Article 13.1:
Customer due diligence measures shall comprise:
(a) identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
(b) identifying the beneficial owner and taking reasonable measures to verify that person’s identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer;
(c) assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
(d) conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date. When performing the measures referred to in points (a) and (b) of the first subparagraph, obliged entities shall also verify that any person purporting to act on behalf of the customer is so authorised and identify and verify the identity of that person.
So essentially, whenever someone comes to you with a large pile of cash to buy stuff — or comes repeatedly with not quite that large piles of cash — you have to go through some pretty long process to ascertain that this money has been received lawfully.
Now interestingly this directive does not define cash, so I guess technically those provision would not apply if you’d pay in gold (there is a small provision regarding bearer securities in Article 10), even though it would be difficult to argue that paragraph (e) — suspicion of money laundering — would not apply in this case.
Anyway, those paragraphs — suitably amended — are all you need to ensure that crypto currencies can not be used to shelter proceeds of crime:
- Ensure that everyone who is exchanging crypto into electronic fiat is appropriately regulated and supervised; this is easy to achieve as they’ll need bank accounts, and unless they submit to regulation they will not get those
- Ensure that the rules in Article 11 above also apply to all purchases made with crypto currencies or other digital assets
For good measure one might also want to ensure that exchanging cash into crypto and vice versa is covered, but this is not quite essential, as it is the equivalent of changing say USD into EUR — both are without the boundaries of the controlled financial system.
Now you might say “That’s all nice and well, but what if I establish my crypto exchange in a country that has not signed up to those AML regulations?”. First point to make here is good luck to you if your intention is to launder a significant amount of money through a dodgy jurisdiction if you lack the extra-judicial clout of enforcing claims if something goes wrong in a system with a weak judiciary. More importantly, there is the concept of a high-risk country in the legislation (Art 9.1):
Third-country jurisdictions which have strategic deficiencies in their national AML/CFT regimes that pose significant threats to the financial system of the Union (‘high-risk third countries’) shall be identified in order to protect the proper functioning of the internal market.
Once a country is in the dog-house, any financial institutions dealing with funds coming from there must apply what is called enhanced customer due diligence (Art 18):
When dealing with natural persons or legal entities established in the third countries identified by the Commission as high-risk third countries, Member States shall require obliged entities to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately.
Implications
So what are the implications of this for crypto currencies? To name but a few:
- Buying expensive stuff (>€10,000) in crypto will always be a pain, as the seller will have to perform customer due diligence on you; when you pay via bank card they can rely on the bank having done their due diligence on you
- Crypto-to-fiat exchanges for mainstream customers will need to be located within a regulated institutions, and will need to perform the usual customer and transaction due diligence
- Being able to prove where you got your crypto cash can be a good thing
