Cryptocurrency was invented in the late 1990s, yet coins such as Bitcoin, Ethereum, and Litecoin have existed for merely a decade. Although Bitcoin was the early front runner in the crypto world, there had been plenty of attempts at creating a centralized online currency with specific ledgers protected by encryption. When Bitcoin took the world by storm by reaching $10,000 in 2017, it became clear to the public that billions of dollars were flowing into the cryptocoin market.
Although these coins represent a tangible financial worth, the technology behind them is all the more impressive. If you have been following the investing, banking, or technology world in the past decade, you may be familiar with the concept of blockchain. Blockchain is known as the backbone, or more precisely the transaction-keeping technology, behind the world-renowned Bitcoin. “Block” and “Chain” represent digital information (the “block”) stored in a public database (the “chain”). The Bitcoin blockchain is regarded as the original blockchain, as it is the first real implementation of the new technology known as distributed ledger technology, or DLT. From a more technical perspective, a DLT is a decentralized database that is managed by various participants. There is no central authority that acts as an arbitrator or monitor. As a distributed log of records, it offers greater transparency, which makes fraud and manipulation more difficult, and the system is more complicated to hack.
Cryptocurrencies function just like cash; all that’s different is their entirely virtual nature. What makes investing in and managing digital currency so thrilling is also what makes it so risky. Because any form of digital currency is completely decentralized, there is no governing body or admin to oversee its initial formation, movement, and management. These digital currencies use peer-to-peer payment technology, which ultimately removes the long-time players from the equation. Governments, central banks, mints, financial institutions and regulators, and established transaction networks such as SWIFT, NACHA and existing card platforms are out of the picture and are figuring out how to adapt.
Due to the unorganized and unknown nature of digital currency, one thing has become perfectly clear: criminals already know how to coordinate their attacks to include these platforms wherever and whenever the opportunity arises. The CEO of Sensato Cybersecurity Solutions, John Gomez, stated, “The world of cryptocurrency is the wild West. The amount of attacks being propagated against crypto exchanges and systems is mind-boggling. We have seen attacks by North Korea, terrorist groups and nation states, who can use the fruits of the attack to fund their operations. Unfortunately, there is no governing body so there is no requirement for security audits, assessments or controls when it comes to these systems.” Financial institutions need to remain vigilant and be agile to stay ahead of bad actors and ensure they remain relevant in an increasingly virtual, mobile and hyper-connected world.
The business potential for virtual and cryptocurrencies is unprecedented. Yet attacks are more and more commonly aimed at bitcoin wallets and the compromise of private keys. Bitcoin transaction volumes are now approaching 200,000 per day. Although still small compared with the hundreds of millions of conventional transactions in the world every day, there is clear opportunity for people and businesses to participate in this new and disruptive gold rush. On the other side, however, cryptocurrency has plenty of unknown factors that make it nearly impossible for even the most careful investors to do proper due diligence.
Cryptocurrency is a confusing concept, and most people are unaware of its complexities. From a cybersecurity standpoint, this confusion makes people more susceptible to phishing attacks, in which individuals are asked to share details about their personal finances and bad actors gain sensitive information. In addition, malware has been created specifically to steal bitcoin and any of the 200 other cryptocurrencies currently in circulation. This malware grows and adapts along with Bitcoin’s value.
Transaction volumes have been growing at breakneck speed, and the demand from all sides is increasing. There are plenty of black market outlets, but there are also many legitimate commerce sectors that are embracing new cryptocurrencies, even if the methods might fall into something of a grey market. For example, a clothing retailer might accept bitcoins for a sale that it then trades with a technology vendor for new PCs or software. In the process, it immediately turns stock into value to cover the business cost. But here’s where it gets a bit grey: it might be able to do this without paying taxes. Even the property sector, which comes with many Anti-Money Laundering (AML) risks, is embracing cryptocurrency for payments. Significant sums are changing hands, and AML departments need to be concerned.
For retailers, cryptocurrency could be an offensive move to push into new markets. For others, it’s a defensive play to protect market or mind share, particularly with millennials and “digital natives.”
The following kinds of operations are fertile ground for cryptocurrency:
- Financial Institutions that accept bitcoin deposits
- Investment funds, including dedicated bitcoin hedge funds
- Property agencies
- Clothing and music retailers
- Art dealers
- Restaurants and coffee shops
- Charities and advocacy groups
How to protect your Financial Institution
For financial institutions to accurately assess the risk of crypto, they must know their counter-parties, and not just bitcoin exchanges. This includes corporate customers that accept bitcoins as a material source of revenue. These institutions will increasingly bring in IT and security staff to help monitor the volatile crypto market. This means monitoring the coin from its initial mining, through each time it changes hands, and at each destination where it appears. The anonymity of bitcoin transactions is a key consideration, and criminals use a variety of digital tools to further disguise the participants and the net trade from point A to point B. As a result, transparency and monitoring at the entry and exit points are the key to a secure assessment and transaction.
Many financial institutions adhere to the recommendations of the European Banking Authority and are waiting for a comprehensive regulatory framework. Others follow the guidance of the New York State Department of Financial Services, which provides sensible protections for financial institutions and their customers and clear requirements for virtual currency businesses.
There are a few essential takeaways that financial institutions should take to heart:
- Implement risk models associated with bitcoin and other cryptocurrency entities, spanning direct and indirect exposure to fraud and cyber risk
- Conduct ongoing monitoring of bitcoin regulation and best practice requirements in all relevant jurisdictions. Such a monitoring program should include:
- Vigilance on counter-parties regarding corporate customers accepting business from bitcoin entities and financial counter-parties or intermediaries accepting bitcoin deposits
- Monitoring of funds flows through customers and counter-parties
- Evaluate cyber threat readiness of corporate business accepting bitcoins
- Monitor public lists of licensed bitcoin exchanges, which will help recognize unlicensed exchanges, and help in identification of Beneficial Ownership
- For example, determine whether these counter-parties perform risk assessment of the public bitcoin Ledger (i.e. perform risk assessments on the source [history] or destinations of bitcoins held by depositors)
- Undertake risk media monitoring of bitcoin entities, beneficial owners and corporate customers accepting bitcoin
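As an added illustration (not part of the original article), the ledger risk assessment described above can be sketched as a hop-limited walk over transaction history that reports any watchlisted source behind a depositor's funds. The ledger, address names and watchlist are constructed, and each transaction is simplified to one sender and one receiver, which real Bitcoin transactions are not.

```python
from collections import deque

# Constructed sample ledger: (txid, sender, receiver, amount_btc). Not real data.
LEDGER = [
    ("t1", "miner_A", "exch_unlicensed", 5.0),
    ("t2", "exch_unlicensed", "mixer_1", 4.0),
    ("t3", "mixer_1", "wallet_X", 3.9),
    ("t4", "exch_licensed", "wallet_X", 1.0),
    ("t5", "wallet_X", "depositor_1", 4.5),
    ("t6", "exch_licensed", "depositor_2", 2.0),
    ("t7", "depositor_1", "retailer_R", 0.5),
]

# Hypothetical watchlist, e.g. exchanges absent from a public licence register.
FLAGGED = {"exch_unlicensed"}


def trace(ledger, start, direction="source", max_hops=4):
    """Breadth-first walk of the ledger from `start`.

    direction="source" follows funds backwards (their history);
    direction="destination" follows them forwards.
    Returns {address: hop_distance} for every address reached.
    """
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    neighbours = {}
    for _txid, sender, receiver, _amount in ledger:
        here, there = (receiver, sender) if direction == "source" else (sender, receiver)
        neighbours.setdefault(here, set()).add(there)
    seen = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if seen[addr] >= max_hops:
            continue  # hop budget spent on this path
        for nxt in neighbours.get(addr, ()):
            if nxt not in seen:  # also guards against cycles in the graph
                seen[nxt] = seen[addr] + 1
                queue.append(nxt)
    del seen[start]
    return seen


def flagged_exposure(ledger, address, flagged, max_hops=4):
    """Flagged addresses found in the history of `address`, with hop distance."""
    history = trace(ledger, address, "source", max_hops)
    return {a: hops for a, hops in history.items() if a in flagged}
```

The hop limit matters: with `max_hops=2` the unlicensed exchange behind `depositor_1` is hidden by the intermediate wallet and mixer, which is why a shallow check of the immediate sender is not a risk assessment of the source history.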
Customer Due Diligence is another key aspect of the compliance challenge. Because of the ability to easily convert between virtual and fiat currency, an obvious focal point for laundering, bitcoin exchanges are high risk. Even when there is a clear understanding of the nature of the business and the associated risk, the beneficial ownership of the exchange is a key consideration. For financial institutions, bitcoin and the underlying blockchain technology carry a mix of opportunity and risk.
Crypto in a Nutshell
Cryptocurrency and the enabling distributed ledger technology (DLT) that comes with it are potential game changers, not just in payments and transaction banking, but across a growing set of market instruments including lending, securities and trade finance.
Bitcoin, the best known and most widely accepted of the 200 currently available cryptocurrencies, is still only regulated in a small group of countries. It is an international business opportunity, but it is also a systemic target for criminals both online and offline and continues to pose complex risks for any who wish to embrace its undoubted opportunity. Cases such as Liberty Reserve, The Silk Road and others have given us clear direction on how this narrative can evolve without adequate safeguards. They also demonstrate how risk can rapidly move from one means of exchange to another, and potentially from one cryptocurrency to another in the future.
These cases expose the vulnerability of the financial system to misuse, particularly at the point of exchange. They show how small risks to the financial system can quickly evolve into material risks, as organized criminals appropriate and launder billions of dollars through the financial network, and across countless borders, with astonishing speed and ease.
Financial institutions need to prepare and protect themselves against both direct and indirect vulnerabilities. By understanding the fraud and cyber risks associated with cryptocurrency, by monitoring the evolving guidance, registers (for example of licensed bitcoin businesses), and attack vectors, and by integrated monitoring of social and risk media in relation to the activity of their own account holders, a financial institution can more effectively mitigate cryptocurrency risk.
Prevention is better than cure, and in some cases discretion may yet remain the better part of valor.