26.09.2019 | The pitfalls of cryptocurrency risk assessment

The US sanctions agency OFAC’s ground-breaking inclusion of bitcoin addresses in sanctions lists highlights the challenges of determining risk in digital currencies.

Click here to read the Alaco article in Investment Week. 

 

Last month, the US Office of Foreign Assets Control (OFAC), employing the so-called Foreign Narcotics Kingpin Designation Act, sanctioned three Chinese nationals for their role in an international drug trafficking ring.

In of itself, the move is not unusual. But looking beyond the headlines, OFAC's press release contains some intriguing information.

According to the agency, the Chinese group had laundered much of its drug proceeds via digital currency, mainly bitcoin.

In response, OFAC included 11 bitcoin addresses allegedly tied to the Chinese nationals as personal identifiers in its Specially Designated Nationals (SDN) list.

Strictly speaking, the addresses themselves have not been sanctioned; their inclusion in SDN lists is simply designed to assist those in the digital currency community in "identifying transactions and funds that must be blocked", according to a US Treasury statement. In effect, however, this is a form of blacklisting.

It marks the second time in a matter of months that OFAC has undertaken such a move. In November 2018, the agency broke new sanctioning ground when it added two digital currency addresses to the personal identifiers of sanctioned individuals.

The addresses were allegedly under the control of two Iranian nationals accused by US authorities of orchestrating a long-running global cyber-attack. 

The moves appear to signal a new era of sanctioning activity which, while welcome, raises questions around the parameters of risk in digital currencies.

If misjudged, efforts to define appropriate and reasonable risk assessment could inadvertently halt the emergence of cryptocurrencies as a mainstream transactional tool.

In both cases, OFAC confined their SDN listings to a small number of addresses despite indications that it could have cast the net far wider.

A cursory look at the bitcoin blockchain, for example, will tell you that there were many other addresses possibly under the control of the Iranians and used in connection with their alleged scam.

For one member of the alleged Chinese drug gang there may have been more than 30 bitcoin addresses under his general control.

Should these have been blacklisted too? OFAC probably took the view there was insufficient evidence that the other addresses linked to both groups were directly involved in any illegality.

In its designation notice from November 2018, OFAC does not define what constitutes a safe degree of separation from a sanctioned address.

Observers have suggested the agency is working on the basis that any criminal interaction with an address may be capable of tainting that address.

Such a qualification, if true, allows OFAC to avoid the potentially awkward problem of having to identify and blacklist all addresses linked to sanctioned individuals.

What these two cases highlight are the challenges facing those attempting to police digital currencies. Blockchain offers so much transactional data and the potential to conduct ever-deeper investigations, but in doing so it stretches and blurs the parameters of risk.

With regulators providing limited guidance, companies operating in the digital currency ecosystem have sought to implement their own metrics to identify, define and score potential risks.

Much of this work has been undertaken with traffic light scoring systems, which, though informative in some respects, confuse in others.

For example, addresses that have received funds that have previously passed through a dark web marketplace are marked down on scoring metrics simply because of their proximity to illegitimate activities.

Similarly, addresses transacting through LocalBitcoins.com, a popular peer-to-peer payment service buffeted by allegations of its use by money launderers, have also been penalised no matter how legitimate their use.

The obvious danger is that such assessments of risk are too simplistic and potentially never-ending. This conundrum begs the obvious but broader question of how far back in the chain of digital currency transactions one should go to assess counterparty risk.

Just because one can review transactions on blockchain ad infinitum does not necessarily mean that better conclusions can be drawn.

On the contrary, with so much data available on the public ledger, there is the temptation to indulge in data analysis overkill, with little certainty that any information gleaned is relevant.

Ultimately this could stifle innovation in the sector, a potential death knell for digital assets and their wider adoption.

In understanding these concerns, OFAC's apparent approach to risk makes sense: that the sanctioning of cryptocurrency addresses should be limited to cases where there is clear supporting evidence of their being implicated in criminal conduct.

Given the potential for blockchain technology to slow or confuse compliance decision-making, the sector would do well to heed OFAC's approach.