While "blockchain" technology continues to develop by broadening its possible applications to areas other than just crypto-assets, the legislator, aware of the issues at stake, took up the subject in a Report of the parliamentary fact-finding mission on blockchains presented on 12 December 2018. Like all disruptive innovations, blockchains cause upheavals with immediate benefits but also risks in the absence of an appropriate legal framework. Bercy's intelligence unit (Tracfin) had already warned of the money laundering and terrorist financing (LCB-FT, i.e. AML/CFT) risks inherent in crypto-assets. The draft "Pact" law currently being adopted and Directive (EU) 2018/843 (5th LCB-FT Directive) attempt to provide sufficiently effective normative solutions.
To understand the problems associated with this technology, it is necessary to understand how blockchains work. The technology is meant to be "revolutionary" in that it decentralises user confidence towards technological protocols (I), but this should be put into perspective now that the risks associated with cyber attacks (II) and crypto-assets (III) have opened up loopholes that benefit money laundering and the financing of terrorism (IV).
I. A technology decentralizing user confidence
Lack of a central supervisory body
To grasp the issues related to blockchains, it is first necessary to understand how these technologies are innovative in the processing of information. The Parliamentary Office for the Evaluation of Scientific and Technological Choices defines blockchains as "technologies for storing and transmitting information, enabling the creation of replicated and distributed registers, without a central control body, secured by cryptography, and structured by blocks linked to each other at regular intervals". The most disruptive aspect, and the ideological foundation behind the creation of blockchains, is that the process secures the information without necessarily involving a central control body. The database is stored simultaneously on all the computers in the network, called "nodes". There is therefore no central server. The validation of the blocks containing the information is multiple and decentralized: each "node" adds the block to its own copy of the blockchain. Nevertheless, this absence of a central body must be qualified, because it concerns only a minority of blockchains, the so-called "open" ones (the Bitcoin blockchain, Ethereum). Other blockchains, more numerous and less well-known, are adapted to the specific needs of their users and benefit only authorized persons, all bound by common interests. Because trust is already established among the participants, there is no need to implement a security protocol agreed by consensus beforehand. The usefulness of these "private" blockchains lies essentially in the optimization and fluidity of information processing. Consequently, security based on "proof" concerns this type of "private" blockchain only partially or not at all.
Trust based on a protocol consensus
These technologies are "revolutionary" because they were originally built on a protocol consensus that shifted user confidence away from central bodies (the central bank, for money) and towards a process of technological certification. Each block is created by "miners" and then validated and stored by a consensus of "nodes". The blocks are time-stamped and irreversibly linked to each other. On the most mature blockchains, such as Bitcoin, block validation consists of solving cryptographic puzzles that constitute a "proof of work". The computing power required to solve them is energy-intensive and represents a significant cost. For the Bitcoin blockchain, there is, as the Report of the Parliamentary Information Mission points out, "a mechanism for gradually increasing the difficulty of the cryptographic problems to be solved according to the number of bitcoins in circulation". Other types of proof are used, which are less energy-intensive, but their vulnerability nevertheless has an impact on the confidence of the actors, and therefore on the "viability" of the blockchains. The blocks making up a blockchain contain one or more pieces of information. They may relate to financial transactions in crypto-assets as well as to data necessary for the functioning of "smart contracts", which "are above all computer programs supposed to ensure the immutable execution of prior conventional commitments", according to the fact-finding mission's report. Theoretically, all information, whatever its nature, can be integrated into a block.
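The linking and proof-of-work check described above can be shown with a toy chain. This is an added example, not code from the Report or from any real blockchain; the three-digit difficulty target, the JSON block layout and the sample records are assumptions made for illustration.

```python
import hashlib
import json

TARGET = "000"  # assumed toy difficulty: hash must start with three zero hex digits

def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the whole block."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(index, timestamp, data, prev_hash):
    """The 'miner' searches for a nonce that makes the block hash meet the target."""
    block = {"index": index, "timestamp": timestamp, "data": data,
             "prev_hash": prev_hash, "nonce": 0}
    while not block_hash(block).startswith(TARGET):
        block["nonce"] += 1
    return block

def build_chain(records, start_time=1545000000):
    """Mine one time-stamped block per record, each committing to its predecessor."""
    chain, prev = [], "0" * 64
    for i, data in enumerate(records):
        block = mine(i, start_time + 600 * i, data, prev)
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_invalid_block(chain):
    """The check each 'node' repeats on its own copy.
    Returns (index, reason) for the first block that fails, or None if valid."""
    for i, block in enumerate(chain):
        h = block_hash(block)
        if not h.startswith(TARGET):
            return (i, "proof_of_work")
        if i + 1 < len(chain) and chain[i + 1]["prev_hash"] != h:
            return (i, "broken_link")
    return None

# Constructed sample records, not real transactions.
RECORDS = ["A pays B 5", "B pays C 2", "C pays D 1"]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact chain:", first_invalid_block(chain))
    chain[1]["data"] = "B pays C 200"   # edit an already validated block
    print("after edit:", first_invalid_block(chain))
    # Redoing the proof of work for block 1 alone is not enough: block 2 still
    # commits to the old hash, so every later block would have to be re-mined.
    chain[1] = mine(1, chain[1]["timestamp"], "B pays C 200", chain[1]["prev_hash"])
    print("block 1 re-mined:", first_invalid_block(chain))
```

Because every later block commits to the hash of the one before it, rewriting one block means redoing the work for all blocks after it, which is the cost the text refers to.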
II. Blockchain weaknesses linked to cyber attacks
Cyber Attack Scenarios
Blockchains, despite the confidence they inspire, are not infallible. Experience has shown that the potential risks that directly or indirectly affect the security of blockchains cannot be minimized.
Indirect Impact: Ransomware and Exchange Platforms
"Ransomware", or ransom software, is software that paralyses the operation of crypto-currency exchange platforms and demands the payment of a "ransom" in return for unblocking the platform. Ransomware does not represent a direct threat to the blockchain as such, but it does affect crypto-currency exchange platforms. In other situations, notably following a cyber attack (several thousand computers were impacted on May 12, 2017), the ransom was collected in Bitcoin (according to the blockchain.fr website in its article "cyber attack ransomware and Bitcoin"). The Bitcoins obtained by the attackers were extorted from the victims.
Direct impact: The 51% attack
Another risk may result from control of "51%" of the nodes (a majority of "nodes"). This scenario should not be neglected: such "computer attacks" can call into question the immutability of data and the protection against "double spending". "One example is the 51% attack: a player can, at least temporarily, validate non-compliant blocks - or even rewrite transactions, as long as he has sufficient computing power", warns the Report of the fact-finding mission on blockchains. On the most mature blockchains, such a takeover would represent a considerable cost because of the computing power ("hashpower") required, which very few players currently have the means to muster. But the most vulnerable blockchains, because they are less mature, may be exposed to this type of risk; the "Bitcoin Gold" blockchain was an example of this in May 2018.
Diversity of crypto-assets
Crypto-assets comprise "crypto-currencies" and "tokens", which need to be carefully defined to better understand their risks. In a decision of 26 April 2018, the Conseil d'Etat considered that crypto-currencies could be assimilated to intangible movable property, the capital gains on which are subject to the tax regime applicable to this category.
The Tracfin intelligence unit states in its 2016 annual activity report that crypto-currency "generally refers to a currency created not by a state or a monetary union but by a group of persons (natural or legal) and intended to record, on a virtual medium, multilateral exchanges of goods or services within that group". There are a multitude of crypto-currencies. The best known, "Bitcoin", from "bit" (binary information unit) and "coin", was created in 2008. Its market value, which fluctuates according to supply and demand, totals several tens of billions of dollars. In second place among the most highly valued crypto-currencies, "Ether", launched in 2015, has experienced exceptional growth in a very short period of time. It currently represents several billion dollars. Other crypto-currencies exist, such as "Ripple", "Litecoin", "Dash" or "Monero" (non-exhaustive list).
The second category of crypto-assets, "tokens", plays a crucial role in the blockchain universe. These crypto-assets can be acquired when they are issued, in the context of fund raising through an "Initial coin offering" (ICO), or afterwards by trading on an unregulated market. They can also be acquired in exchange for an activity carried out on a blockchain, such as "mining" operations. Tokens may carry rights of various kinds: "a right to use a blockchain product or service; a right to vote in a start-up; a copyright; a means of payment; a reputation" (list from Blockchain France.com).
IV. LCB-FT risks in relation to crypto-assets
On KYC requirements
The "Know your customer" (KYC) requirements of the French Monetary and Financial Code (CMF) suffer from a lack of information in the blockchain ecosystem. A priori, it is not necessary to provide identity information in order to create a crypto-asset wallet and carry out transactions. The absence of information on the person's profile therefore does not allow a consistency check between the transaction and the KYC data. The client cannot be classified as sensitive on the basis of his profession, nationality, function (politically exposed person) or any other determining criterion. This lack of information is the result of the initial spirit of blockchains, which is to do away with a central control body. To make up for this deficiency, platforms for exchanging and storing crypto-assets against fiat currencies have been made subject to the LCB-FT requirements and consequently to the KYC obligations under Article L.561-2 7°bis of the CMF (the 5th LCB-FT Directive will harmonise this liability of intermediaries in all European Union member countries). From a technical point of view, it is also possible to cross-check data.
On the traceability of crypto-assets by data cross-referencing
As part of an LCB-FT system, traceability makes it possible to know the origin and destination of funds. Without traceability, the legality of a financial transaction cannot be demonstrated. With the rise of crypto-assets and the possibility of exchanging them for fiat currencies, the LCB-FT risks are real. The anonymisation guaranteed by certain blockchains in "crypto to crypto" exchanges makes it possible to break the traceability of funds through the opacity that structures them and poses, as seen above, difficulties for KYC requirements. While some blockchains allow traceability by cross-referencing data, others remain totally opaque. Data cross-referencing relies on the pseudonym linked to the user's public key (the key enabling him to carry out transactions on a blockchain), when that key is linked to the identity of a natural person. Knowledge of both the person and his public key is required. The internal files of a business, a bank or an administration, which contain information on the customer or the person administered, are then directly linked to the pseudonym. The 5th LCB-FT Directive proposes a voluntary self-declaration by users, which would allow a crypto-asset address to be associated with the identity of its holder.
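The cross-referencing described above, seen from the side of a compliance analyst, as an added example that is not part of the original article. The ledger, the addresses and the register entries are constructed placeholders, and the model is simplified to whole transfers between addresses.

```python
from collections import deque

# Constructed sample data: placeholder addresses and fictitious customers.
# "Internal files" of a bank or platform: address (pseudonym) -> verified identity.
KYC_REGISTER = {
    "addr_A": "customer 1001 (fictitious)",
    "addr_B": "customer 1002 (fictitious)",
    "addr_D": "exchange platform wallet (fictitious)",
}

# Public ledger of a "traceable" blockchain: (sender, recipient, amount).
LEDGER = [
    ("addr_A", "addr_B", 5.0),
    ("addr_B", "addr_C", 4.0),
    ("addr_C", "addr_D", 3.9),
    ("addr_B", "addr_D", 1.0),
    ("addr_X", "addr_Y", 7.0),   # unrelated to the funds being traced
]

def trace_funds(ledger, kyc, origin):
    """Follow transfers forward from `origin`, breadth-first, and cross-reference
    every recipient with the KYC register.
    Returns rows of (hop, sender, recipient, amount, identity or None)."""
    rows, seen, queue = [], {origin}, deque([(origin, 0)])
    while queue:
        address, hop = queue.popleft()
        for sender, recipient, amount in ledger:
            if sender != address:
                continue
            rows.append((hop + 1, sender, recipient, amount, kyc.get(recipient)))
            if recipient not in seen:      # guards against cycles in the graph
                seen.add(recipient)
                queue.append((recipient, hop + 1))
    return rows

def traceability_gaps(rows):
    """Addresses that received traced funds but match no known identity:
    the points where origin and destination can no longer be demonstrated."""
    gaps = []
    for _, _, recipient, _, identity in rows:
        if identity is None and recipient not in gaps:
            gaps.append(recipient)
    return gaps

if __name__ == "__main__":
    trace = trace_funds(LEDGER, KYC_REGISTER, "addr_A")
    for row in trace:
        print(row)
    print("unidentified:", traceability_gaps(trace))
```

A self-declaration of the kind the Directive proposes would add an entry for the unidentified address to the register and close the gap in the trace.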
Laundering Risk Scenario
If crypto-assets from a "traceable" blockchain (Bitcoin, Ethereum) are exchanged for other crypto-assets whose anonymity is guaranteed (Darkcoin or Dash), or the reverse, verifying the legality of the operation becomes more complex. The first scenario may correspond to a "blackening" operation, where money acquired legally is invested in illegal activities, while the second may involve the "laundering" of money resulting from a crime or offence, which is re-injected into the legal economy following an exchange transaction in cash. In its report Trends and Analysis of Money Laundering and Terrorist Financing Risks 2017-2018, the Tracfin unit highlighted that "a major risk arising from the hybridisation between legal tender payment services and crypto-assets is that presented by legal tender payment cards backed by crypto-asset wallets (so-called BTC2plastic cards)".
Market Abuse Risk Scenario
The offence of price manipulation is punishable under Article L. 465-3-1 of the CMF, which states that "any person who carries out a transaction, places an order or engages in conduct that gives or is likely to give misleading information about the supply, demand or price of a financial instrument or that fixes or is likely to fix the price of a financial instrument at an abnormal or artificial level shall be liable to the penalties provided for in A of I of Article L. 465-1". Excessive fluctuations in crypto-currencies have drawn attention to possible frauds. In May 2018, an investigation was opened by the US regulator, alerted by the falls in the price of Bitcoin and Ethereum. Nevertheless, in France, since crypto-assets are still not considered financial instruments, Article L. 465-3-1 of the CMF is not intended to apply.
Illegal practice of the profession of intermediary in banking and payment services
The profession of intermediary in banking operations and payment services is a regulated activity, for which failure to comply with certain mandatory formalities is punishable under criminal law. Registration as an intermediary in the single Register of intermediaries in banking and payment services operations maintained by ORIAS is an obligation. Thus, the activity of brokering crypto-assets on a regular basis is subject, like any other brokerage activity, to prior approval.
Crypto-assets and the dark web: the trade in illicit products
These are transactions carried out in crypto-assets on the marketplaces of the "dark web". The Tracfin unit pointed out the risk of anonymity and the lack of traceability allowed by blockchains, which, coupled with the opacity of the dark web, which is only accessible via specific authorisations, is a definite problem. The use of software that makes it possible to mask the IP address and protect sensitive data makes LCB-FT work more complex. "The Onion Router" (TOR) software, originally developed in a US Navy laboratory and later released under a free license, is an example of this. The data is protected by several layers of encryption and by track-covering mechanisms. This protection is superimposed on opaque blockchains to increase anonymity. Consequently, the acquisition of illicit products on the dark web with crypto-assets on opaque blockchains is a godsend for all kinds of trafficking. Nevertheless, the protection afforded by the TOR software is not totally infallible, in that the data circulating between the last "nodes" and the user's terminal would not be protected. Other software can make traceability even more difficult.
ICO Risk Scenario
Fundraising in crypto-assets is a real godsend for innovation. Its ease and speed, due to the absence of constraints and formalities, have made it possible to finance promising projects for the future. However, the lack of a legal framework and of harmonisation between the different countries of the European Union also represents a definite risk for investors. Indeed, ICOs are transnational in nature, which makes it more difficult to establish adequate standards. The difficulty therefore lies in distinguishing between serious and abusive offers. Article 26 of the "Pact" law proposes the introduction of a visa for serious offers. A "white list" accessible to potential investors would include ICOs that have been subject to prior control by the Autorité des marchés financiers (AMF). This proposal would allow issuers of tokens to submit their applications on their own initiative and, after validation, to benefit from an AMF "label" that would reassure investors.
Blockchains are nowadays at the centre of many debates. This technology reflects the spirit of the times: an age of mistrust and of the removal of borders and intermediaries. It continually raises questions for experts, public authorities, banking and financial institutions, and anyone who wants to be informed. In terms of LCB-FT risks, the subject is sensitive. From the outset, the blockchain ideology was opposed to any central control body. Technology has made it possible to secure information processing, but the lack of a legal framework leaves the door open to money laundering professionals and to the risk of terrorist financing. Even if the legislator has now taken measures to regulate this virtual economy, only increased vigilance, international cooperation and proportionate technical means will make it possible to reduce the risks of this "fintech" being used for money laundering or terrorist financing purposes.
July 19, 2019
For AiYO GROUP
By Malik Bensalem
Regulatory Consultant at AiYO
& Véronique Moussu-Baaj
Head of regulatory at AiYO