Amy Bell on Compliance in the Cryptocurrency Space.
Full video and transcript below.
On April 10th, Mattereum hosted the third Internet of Agreements® (IoA) conference at the Google Campus in London. IoA® is a vision for global supply chains and logistics, integrating national laws and regulation with international commerce through the application of technology such as blockchains and smart contracts.
Amy Bell of Teal Compliance started with an overview of Anti–Money-Laundering (AML), Know Your Customer (KYC), and Customer Due Diligence (CDD), stressing how they are related but different things.
Rob Knight, Mattereum Co-Founder, then opened a discussion on the various types of regulatory compliance in the cryptocurrency space and considerations for customers and firms operating within the industry. Rob’s question on the compatibility of the anonymous/pseudonymous features that have come to define cryptocurrencies with the existing regulatory landscape led to consideration of criminal activities involving these assets and how bad actors will continue to find new ways to maintain secrecy. When Rob proposed a hypothetical scenario of someone unknowingly transacting with a criminal with cryptocurrency, Amy traced where liability lies between the parties, unpacking the notion of “adequate consideration” in financial transactions. The rest of the discussion covered the reach of regulation, the responsibility of the customer versus the service provider, and to what extent the pace of innovation will affect compliance overall.
Rob: I’m Rob Knight, Co-Founder of Mattereum — you may remember me from such things as the keynote this morning. Joining me on stage is Amy Bell of Teal Compliance, and Amy is going to explain to us essentially the wonderful world of money laundering — not how to do money laundering… well, maybe how to, that would be quite useful — specifically, how to prevent people using your products and services for money laundering purposes, and what your regulatory and compliance requirements in that respect actually are. Amy, if you could just start by giving a background to yourself and your experience in this area, that would be great.
Amy: Perfect — thank you very much. I’m Amy Bell, I’m not a techie person at all, I’m a solicitor — don’t hold that against me, I’m recovering every day — and I’m quite interested in this space, anti-money laundering is my thing. I am the current Chair of the Law Society’s Money Laundering Task Force, which sounds more exciting than it actually is, but what it means is that I represent all of the legal profession in England and Wales, sometimes the whole country: Home Office, Treasury, Europe, FATF… We heard about FATF before and their role in influencing what certainly the UK but actually the global markets have to do in relation to anti-money laundering.
I’m also here with another hat. My business partner Sally, who is at the back, and I have a separate business called Teal Legal, and we are trying to look at legal processes, starting with conveyancing actually and trying to look at how tech can improve that journey. If anyone has bought a house, you will know it’s been an absolute nightmare, and the solicitor didn’t tell you anything and it took much longer than you could possibly imagine, and actually we’re hoping to find some solutions through that.
Rob: Excellent. Coming to this as a tech person, the moment you get into financial services, fintech, these regulated environments, you get hit by this barrage of three-letter acronyms, and I’m sure it must feel much the same going in the opposite direction as well. We hear these terms KYC and AML. Can you just give a brief overview of what these things actually mean, strictly speaking?
Amy: No problem. Anti-money laundering is the prevention of money laundering, and it’s often twinned with KYC, knowing your client, and also partnered with CDD, which is customer due diligence, and these are all separate things actually. The theory is that if we do CDD, customer due diligence, we will get to know our client is part of the calculation — it’s not the whole thing, but it’s part of getting to know our client — and if we get to know our client, then we should be able to spot markers for money laundering, and therefore prevent money laundering, to contribute to anti-money laundering. That’s how they all fit together.
CDD in its purest sense is actually legally much more than identity. When we hear CDD, and I think from what I’ve heard today is we go straight to identity and certainly that’s a very important part of it, and that has two aspects really. The first one is that you identify the person who is your client and you verify their identity by reference, currently to documentation or some other independently held data that confirms that that person is who they say they are, so that’s CDD identity. But CDD is actually a lot wider than that, and the secret to preventing money laundering lies actually in the proper application of CDD outside of identity. Identity is the first part, but after that you get into understanding the purpose and nature of the transaction — why are people doing what they’re doing, where’s the money coming from — and it’s actually that, folks, that disrupts money laundering, because baddies live somewhere. Just knowing their identity doesn’t on its own disrupt money laundering; understanding why they’re doing what they’re doing and the way that they’ve structured themselves, particularly in terms of secrecy, around complex business structures or trusts, understanding that and taking the time to work that out with your client is how you will disrupt money laundering. As I said, the things are kind of interchangeable though.
Rob: Is this normally pursued through… People have the notion of the traditional bank manager relationship, where the bank manager would know who you are and somebody would be able to ask questions about what you were doing. Your bank manager would say, “That’s very strange, a £100,000 transaction in an account that normally only does £5,000 worth of transactions in a month…” One can obviously imagine the historical way that those things were being done, but I presume now this is a very much done automatically, there are systems in place to use machine learning and all kinds of wonderful things to detect strange or unusual patterns. Is that how things tend to get done, or is it much more still human instinct and intuition and a sense of what’s right or wrong?
Amy: A bit of both, actually — it depends which sector you’re in. Anti-money laundering and the law around anti-money laundering, the obligation to comply with anti-money laundering is a lot wider than the financial sector. Obviously the financial sector is at the heart of preventing money laundering, because you can’t really launder money unless you’ve made money, you can’t do that without a financial transaction.
But, there are a whole load of other players in the game outside of financial services: solicitors, accountants, estate agents, high-value dealers, all of these people also have a KYC and a CDD obligation. So whilst the banks do invest very heavily in tech, fintech, regtech, to start to apply some logic to these transactions, their monitoring systems is the IT, the big red light flashing that says, “Go and look at this odd transaction,” that’s very much happening in the financial services space, but the rest of the regulated sector nowhere near, absolutely nowhere near. Sally is a conveyancer by trade, and when she started in the law 20 years ago, she went to do a completion: when you buy your house, you take your money, you give the money to the person who is selling the house, they gave you the title deeds, that’s basically how you do it; 20 years ago Sally had to go and do that in person, cross the road with the cheque, get the title deeds, hope the cheque would cash… And we’re not that much further on from that, if I’m honest; we don’t release the keys until we know the money has hit the bank account of the seller, but it’s in no way systematised.
In order for those regulated sectors to spot money laundering, they actually have to eyeball the stuff: look at bank statements, look at passports… We are still literally looking at passports and deciding whether we think they’re fake or not in the rest of the sector.
Rob: How does that situation get changed by the advent of things like cryptocurrencies? Particularly because in the initial case cryptocurrencies have been described very much as anonymous or pseudonymous systems, where you don’t know necessarily who you’re interacting with by design;; in fact, there is not necessarily any register anywhere that links a specific individual to a Bitcoin address or an Ether address. Does that system present a challenge, or do you think we’re going to have to layer on the same kind of sets of checks that we have in the traditional banking and traditional finance system into cryptocurrencies as well?
Amy: Undoubtedly. How does stuff change in the AML world? We heard FATF, the Financial Action Task Force, mentioned before, they’re a global organisation that set the standards for prevention of money laundering, they issue recommendations to countries that dictate really to the country what measures they have to put in place to prevent money laundering. These are global standards; I accept that the way that they’re interpreted and implemented across the globe can vary. For example, if you want to go and buy a house from a solicitor, you are going to have to do KYC and CDD, but if you want to buy a property in America, you might not have to do it in the same way, and Australia is the same, different processes in place.
FATF go and inspect countries’ compliance. The UK is in the middle of such an inspection at the moment, the inspector has just been on the ground, looking at effectiveness in financial services in the professional services, and they were given an effectiveness rating, and if they think they were not effective will say that and will require us to do certain things to become effective. These are the people that we have to get on board with this, developing technologies, they’re the people who are pulling the strings, really.
AML is an incredibly political space. Anti-money laundering legislation is not necessarily always focused on just AML risk, as in the traditional AML risk of somebody who sells drugs and needs to launder their cash. Actually, anti-money laundering is any sort: criminal property, which is used in anti-money laundering, criminal property comes from any crime at all. What we’re seeing with the Paradise Papers and the Panama Papers, what we’re seeing in there is tax avoidance or tax evasion, and very much the direction of travel in the current legislative thinking is to reduce the risk of people being able to hide their ownership through already established structures, like trusts or very complex business structures where you can’t find who the person is behind it. If you marry that with new technology that brings anonymity, it’s not going to go down well, frankly.
Now, interestingly, the government have to produce a national risk assessment. Europe has to produce a supranational risk assessment of the risks of money laundering, and we had the most recent one in October ’17, where they have started to consider… Well, they started in ’15 to consider digital currencies and the risk. They have in fact said that they consider the risk of money laundering with digital currencies currently to be low, but they say that that may be because law enforcement have intelligence gaps on the ways in which criminals might use it. Just because it’s low at the moment doesn’t mean it will remain low; certainly there are concerns about cross-border movement of funds, or movement of funds in a way that can’t be monitored, or people taking advantage of different regulatory regimes across the world that they can take advantage from, because it’s not constrained by the domestic issues.
Rob: So if I’m running a business using the blockchain and using cryptocurrencies, and I want to accept payments in Bitcoin or payments in Ether, somebody turns up with a certain quantity of Bitcoin and they complete a purchase. Should I be worried, or is there anything that I need to be concerned by in that situation?
Amy: In my day job I get calls all the time from lawyers at the moment who have got people, not quite the same situation, but got people who have benefited/profited from the increasing value of Bitcoin: they’ve sold it, they’ve got the cash back out, they want to buy some property, invest that money, this windfall that they’ve got… And the whole market is very nervous about it, that’s why they’re ringing me, saying, “Oh god, they’ve used Bitcoin! Should I be really worried?” And frankly, in the national risk assessment, one of the things that they point to is these currencies being the currency of choice for criminals, cybercriminals in particular. So it’s going to be that activity I think that drives it.
To answer your question, if someone turns up and wants to use it, the technical legal answer is it depends what your knowledge or suspicion is of those funds. Just to give you a real-life example which you can then extrapolate to that, it works the same way — and for the purpose of the tape, they’re absolutely not — but if Vinay for example was a drug dealer… [laughter] and Rob wanted to buy his house, in Rob’s hands Rob’s cash that he’s got that he’s going to buy the house with is clean. Because Vinay is a drug dealer… He’s not, but…
Vinay: Arms dealer!
Amy: Arms dealer — we’ll have arms dealer, alright. But if he was, his house would be, because he bought it using the profits of his illegal activity, his house would be criminal property. Everyone with me so far?
Rob: So it started off as my house…
Amy: No, you want to buy his house. You’ve got a whole pot of cash, whether you’ve got it in Bitcoin or not doesn’t matter. He’s got a house, his house is dirty money, but your cash is clean. You’re going to give your cash to Vinay, and he’s going to give you the deeds to his house. Now, after that transaction, in your hands the house that was dirty is now clean, and in Vinay’s house the cash that was clean is now dirty. That’s how the law operates, this is called adequate consideration. Now, provided that you don’t know or suspect that Vinay is an arms dealer and you’re helping him liquidate his asset, as long as you don’t know or suspect that, then you’ll be fine, you can have the house, they can’t take the house off you; if you’re in on it with him, then they can.
To answer your question, if someone comes along to you with something that could have been used by criminals, taking advantage of the anonymity to be able to loan the cash, if they come to you, you’ve got to ask yourself, “Do I know or suspect that they’ve actually been up to no good and that’s why they’ve got this cash?” I don’t think that we’re in a place where we think automatically anyone who’s got Bitcoin would be in that category.
Rob: So as long as I don’t have reason to suspect that the cash is proceeds of crime, then it’s reasonable for me to enter into an honest transaction with that person.
Amy: And receive the funds, because they’d be clean with you.
Rob: So if I receive funds in return for goods, the goods now become the proceeds of crime.
Rob: Because the taint sort of transfers at that point from the money to the goods, because that’s the thing that’s being held by the criminal.
Amy: Exactly, yeah.
Rob: That’s a fairly simple transaction, somebody is simply buying goods, party A buys goods from party B. In an example where you’re issuing a digital asset, let’s say a digital token, or you’re creating something that is a transferrable right… Let’s say the criminal turns up and wants to buy some digital tokens from me. At that point, I am facilitating that activity, and I’m expecting that they’ll buy the tokens from me and then sell the tokens onto another third party. Because I’m facilitating multiple people engaging in that activity, do I have a different level of responsibility? Am I now responsible for protecting the people who are in that trade group that I’m facilitating?
Amy: Again, it’s an important point to unpack the difference between what your obligations are to do due diligence and your obligations are to not get involved in money laundering, they are two separate things. Currently, you’ll know that in many places they have started requiring due diligence in terms of the operation of the exchanges or the issuing, and there’s a piece of legislation, which is on its way in the UK and across the rest of the EU, which is known as the Fifth Money Laundering Directive — it’s not technically right, but that’s what they call it — if you see 5MLD anywhere, that’s this stuff. This is bringing digital currencies into a category of activity that needs to be regulated, and so the regulation actually is what drives the KYC and the CDD activity. So if you are dealing with something which is regulated, you must do the due diligence activity that we talked about before, you must understand the identity, you must understand the purpose and nature, so that’s coming, where people who are dealing in those currencies will need to do that.
However, the Proceeds of Crime Act exists outside of that, the offences in the Proceeds of Crime Act. The one we’ve just talked about there, if you know or suspect that what you’re buying is a drug dealer’s house and you’re helping him to do that is an offence under the Proceeds of Crime Act, and there it doesn’t matter whether you know who they are or not; you’re just involved in money laundering
Again, to answer your question, the responsibility will be coming that you will have to know something about the person that you’re dealing with, to the same standard as you would if you were opening a bank account for them, buying a house for them. But the risk management of “Do I think that they’re using this for crime?” that already exists on you, because the offences already exist.
Rob: In the introductory presentation this morning I talked about the idea of the Internet of Agreements, and a new wave of businesses that are getting involved in moving on from just traditional retail, buying and selling goods, moving into some of these more regulated areas like insurance. We’ve seen examples earlier today already of banking, various aspects of financial services, lending of money, managing supply chains, where the sums of money involved are very much larger than we’d see in a typical ecommerce transaction. It would seem that a lot of these very small, early-stage startup companies, in the ecommerce space thee compliance requirements are fairly minimal, but if you want to get into these kinds of businesses, you do actually need to really take these kinds of things very, very seriously.
Amy: I’ve been reflecting on it today and thinking about what kinds of things you would want to know, and it seems to me that if you’re building solutions for people, you’ve got to think about who is going to use them. That’s why I kind of outlined that the bank of people that have to be concerned about identity, about CDD and KYC is quite a large number of people.
The other thing to say about that is that in ecommerce it’s relatively straightforward, you have a buyer and you have a seller. If you were to take something like conveyancing, there are actually four lots of regulative people in that activity to enable one seller and one buyer to interact: there’s a solicitor, there’s a bank, there’s an estate agent, sometimes a financial advisor, and then on the other side there’s also an estate agent, maybe the estate agent will have to due diligence both parties, and a solicitor on the other side. So there’s loads of people there that have got to solve this problem, and one thing I think we should be mindful of is we solved the problem for say the bank, and the bank is like, “Yeah, got it, we know who that person is, I’m very happy to lend, I’m quite happy to give them a mortgage,” it doesn’t necessarily mean that that solution will be adopted by any of the other players in the market in the activity, and that, folks, is I think around risk appetite.
In those kinds of transactions, when we’re looking at transactions that have these different entities in them, I think we have to recognise when building those solutions that the risk appetite is dramatically different between the banks and the rest of the players that you might come across. Also their spend; banks spend, just in the UK alone, around… I think it’s around £5 billion in anti-money laundering compliance, one billion of which is reporting, and the rest of it is CDD. For them it’s worth investing in cracking this nut, whereas solicitors, estate agents, other part in the chain, they’re still, as I say, asking for a passport and a utility bill,, and they’re allowed to do that.
The other thing you should think about legislation is whilst you might be able to build solutions, the regulator has got to allow the… unless it’s too risky, but the most manual, basic way of doing it, because otherwise you take a whole chunk of the market out because they can’t invest in the tech. So when we’re looking at solutions, I think anything more than an ecommerce buyer and seller, you got all the regulator people that are involved in there, you’ve got to recognise that if you build something that the banks will use, it won’t necessarily mean that the other sectors will use it as well.
Rob: Why would that be?
Amy: Because they won’t trust it. The law says you are allowed to trust somebody else’s due diligence, it’s catered for in the law, but currently the law, at least in the UK, the law… you remain criminally liable, if the person you’re relying on gets it wrong. If I’m a solicitor and I’m told… Sally and I are working on this concept of KYC once, that if you’re going to buy a house, you should just do your ID once and passport it across everybody else; that’ll only work if we can get all the players bought into being confident about the process. And it would be quite helpful if we could convince the government to release people from their criminal liability if it goes wrong, but I’m working on that.
Rob: That sounds like something where a regulatory change could be potentially very helpful, or at least encouragement of that kind of behaviour, where it becomes easier for people to have comfort in the fact that the due diligence has been performed once to a very high standard, rather than everybody potentially being liable for it and as a result having to redo the same process.
Amy: But, the flipside of that is, unfortunately… I’m there, we’re definitely there and we’re definitely pursuing that as an option, because the customer journey is a nightmare for anyone who’s involved in these processes; if you’ve been involved in that process, it adds time and cost unnecessarily. The flipside of that is you would get law enforcement who says, “Actually, we quite like all these people thinking about it individually, from their own lens, in their own separate way.” I’m not saying that’s the right answer; I’m just saying that would be the flipside argument to why do we not just make it one person’s job and everyone else hang off it — that’s why the criminal sanction is still there.
Rob: Even in the environment where it’s necessary for multiple parties to check and to investigate this kind of information, do you see a benefit to digital standards or to increased portability of the information? Even if at the end of the day that still needs to be investigated by each party, the ability to accurately pull up the information about somebody using an identity system of some kind would be the kind of thing that would at least speed that process up.
Amy: From my point of view, there’s a lot of weaknesses in the system. You can go and buy a fake passport, if you know which pub to go in, for 50 quid, and if somebody is relying on that — I’ll give you a list later [laughter] — if somebody is relying on that, that’s not foolproof, is it? I’ve long been an advocate of… In regtech we’re still quite basic. Electronic verification, pulling data from different data sources and saying, “We think this is who they say they are,” solves one problem, but it doesn’t solve the problem that if you go to someone and say, “I’m Amy Bell and she lives at this address,” then the electronic verification will come back and say, “Yes, Amy Bell lives at that address,” and you assume that is me — there’s loads of different things to unpack there.
But, there has to be a better way. I mean, the world has moved on, and the criminals will and have thought of ways around where we currently are. The regulators should be supportive of this; the challenge is very, very strong lobbying from some people who don’t want to embrace this, because there’s lots of… Even in the legal sector, most firms will do things in a certain way, and then we’ll have the big firms who will completely write their own rulebook and do things completely differently, and who will need complete flexibility and autonomy. Just having a standard won’t work for them; they’ll want to have this risk-based approach, where they can make commercial decisions rather than legal ones.
Rob: It sounds like it’s a fast-moving space in the sense that the regulations are changing, they’re evolving over time, new technologies appearing. If you were to take out the crystal ball and look five years into the future, what kind of things do you think would change, based on the current trajectory of both the technology and the regulation? Do you think there’s a big thing that’s going to be very different about how we do this in the future compared to how we do it now?
Amy: No. [laughter]
Rob: I’ve got to say, I really appreciate that answer. Because I was attempting to set you up with some future prognostications, but I think that’s…
Amy: Just because of the inertia of change in this sector. As I said, only 20 years ago… 20 years ago I got my first email account and I got a mobile phone and I could text, and yet Sally was still crossing the road with a cheque. It will only move at a pace of the slowest denominator and adopter, in the AML space anyway. I think that it depends on the politics. In the UK in particular, it is very important to us to remain relevant, especially in a post-Brexit world, when we don’t necessarily have the same influence that we might have had previously. So I do think that in the UK there will be government interest in promoting these things, but the adoption of it and changing the way everyone does it I think is a slow burn, unfortunately.
Rob: Thank you very much, Amy — that was extremely interesting! [applause]
All materials from the conference: http://internetofagreements.com/identity/
Join the telegram https://t.me/mattereum