No doubt you’ve heard that virtual currencies such as bitcoin are vulnerable to the risk of money laundering and terrorism financing. Does this mean that financial companies should avoid the underlying technology – blockchain altogether?
People can use virtual currencies to make payments and receive funds while retaining complete anonymity. It makes it possible to conceal where the money comes from and where it’s going, which can be taken advantage of by people wishing to launder money or finance terrorism. For some time, the use of virtual currencies has been associated with heightened money laundering and terrorism financing risk due to the previously mentioned user anonymity, lack of clarity regarding who is responsible for complying with regulations to combat money laundering and terrorism financing, and the absence of a central regulatory authority (source).
Lately, however, the focus has shifted towards looking at how the underlying technology – blockchain – can be used to make various work processes at financial companies more efficient, including efforts to tackle money laundering and terrorism financing. In this article we will comment on how blockchain technology could be used to facilitate efforts to combat money laundering and terrorism financing.
What is blockchain technology?
In order to understand what blockchain technology is, we need to relate it to traditional data technology and ledgers. These days, many financial companies use traditional centralised ledgers that are accessible only to designated users and controlled by one or more system administrators who regulate access to the ledger and the data that is contained in the ledger. A centralised ledger enables data to be shared between known users who have access to the ledger.
A distributed ledger is a decentralised ledger that is accessible and collectively controlled by several users. The distributed ledger can either be public or private. Public ledgers are completely decentralised and open to all. Everyone can read transactions, carry out transactions and participate in verification and validation of transactions. The most widely known public ledgers are Bitcoin and Etherum.
In private ledgers, transactions are validated instead by trusted parties, e.g. banks and public authorities. In a private ledger, access to the information in the blockchain can also be restricted to certain users.
A blockchain is a type of distributed ledger that provides a digitally signed timestamp of data that is merged as a block with linking that is digitally signed, making it difficult to corrupt the data in the chain . A blockchain can, for example, contain transactions, assets or identity data .
It is the public ledgers that are most vulnerable to the risk of money laundering and terrorism financing, partly due to the fact that they allow anonymity. The benefits of blockchain technology that we describe below can insteadprimarily be applied to the private ledgers that can be set up between a network of financial operators, and where users’ identities can be verified.
What are the problems associated with current processes for combating money laundering and terrorism financing?
According to UNODC (United Nations Office on Drugs and Crime), money laundering is estimated to amount to roughly 2–5% of global GDP annually (source). It is hard to find an equivalent statistic for the monetary extent of terrorism financing. However, according to FATF (Financial Action Task Force), terrorism financing is a growing problem . Although terrorism financing does not involve such substantial amounts of money, the consequences of the terrorist acts being financed can be devastating for a society. Money laundering and terrorism financing are therefore serious social and global problems. Current methods to combat money laundering and terrorism financing are also a heavy drain on resources for financial companies, and in many cases ineffective. After Finansinspektionen imposed sanctions on Nordea and Handelsbanken in 2015, and following Swedens implementation of the fourth Anti-Money Laundering Directive, in our experience many financial companies have strengthened their functions dealing with money laundering and terrorism financing, particularly the major banks. This is also confirmed in Finansinspektionen’s money laundering report Erfarenheter från penningtvättstillsynen 2016–2017.
Despite the fact that financial companies have stepped up their efforts over the past few years, in its report Finansinspektionen concludes that work needs to be further developed. According to Finansinspektionen, the entire chain of measures need to be linked together in order for them to be effective . This is exactly what companies find difficult to achieve based on current conditions, in which they are dependent on work done in several different systems in order to be able to verify information and manual procedures. The result is that many companies often find it hard to maintain an adequate level of internal governance and control as regards efforts to combat money laundering and terrorism financing.
How can blockchain technology potentially improve efforts to combat money laundering and terrorism financing?
Know Your Customer (KYC)
Currently, banks and other financial companies normally collect KYC data themselves from their own customers. This means that an individual who is a customer of several banks must submit the same information several times, and the banks must allocate resources to collecting the information from the same customer. If a financial company has entrusted a third party with the task of carrying out KYC measures for the company’s customers, the company needs to receive that information immediately. This can involve technical challenges due to companies having different system environments.
Blockchain technology allows financial companies to share KYC data with other parties in the blockchain. Admittedly this is nothing new for blockchain technology, but the technology provides both greater efficiency and security. For example, blockchain technology can be used to trace additions and amendments, and deletions of documentation, and to share such information between participants. The possibility of sharing KYC data also enables different financial companies to use the same information . This cuts costs relating to the collection of KYC information, both with regard to initial KYC measures and ongoing monitoring, as only one of the participants needs to collect the information. Blockchain technology can also provide comfort in that the KYC information is accurate, complete and instantly available. This is because blockchain technology greatly diminishes the risk of duplicate information, thereby facilitating validation of the documentation (source). For ongoing monitoring, blockchain allows greater opportunities to access a reliable history as regards KYC data.
If several financial companies participate in a blockchain network, transaction monitoring can be made more efficient. Blockchain allows opportunities to replace paper trails with digital tracking, which is easier to control. If the customer is assigned a digital identity in the blockchain network, tracking transactions is made easier and the costs associated with efforts to combat money laundering and terrorism financing are reduced . “Digital identity” means that documentation concerning a person’s identity is created in the blockchain. The documentation may include both traditional identity data such as address, phone number and a copies of identity documentation, but can also comprise e.g. biometric data and documentation that has been verified by a third party such as a university, public authority, employer and financial companies .
General risk assessment
Having insufficient quality of their underlying data is a common problem when companies set up their general assessment of the risk of being used for money laundering and terrorism financing. The risk assessment is an extremely important strategic document, as it constitutes the basis for decisions regarding the measures to combat money laundering and terrorism financing, and therefore informs management’s decisions about where the company should allocate its resources and how various measures should be designed to combat money laundering and terrorism financing effectively. If the quality of the underlying data is inadequate, the conclusions that are drawn about what measures are appropriate may be misinformed. If blockchain technology generates more reliable data from KYC and transaction monitoring, this will also produce a more reliable risk assessment and help streamline work to combat money laundering and terrorism financing overall. Blockchain should also increase opportunities to “link the entire chain of measures”, in line with Finansinspektionen’s ambition for the work of financial companies in this area.
Companies that are subject to the Swedish Money Laundering Regulation are obliged to report suspicious transactions to the police without delay. The companies must also report a number of details about their work to combat money laundering and terrorism financing on an annual basis, e.g. information about the company’s risk assessment, KYC measures and monitoring and reporting to Finansinspektionen. It’s important that the reports are accurate and submitted on time to avoid any risk of sanctions. These requirements create challenges for companies, because they are dependent on manual procedures and data in different systems. Relying on manual procedures and different systems for things like reporting always poses a risk in terms of duplication and incorrect data, which makes it difficult to produce accurate and timely reports. Using blockchain technology could allow authorities access to the data in the blockchain via the automatic creation of reports in real time, while significantly reducing the risk of duplication of, and inaccurate data (source).
Although blockchain technology offers many advantages in relation to combatting money laundering and terrorism financing, there are also numerous challenges. One such challenge is that although only one participant in the network carries out the KYC measures, all the other participants who use that information as part of their work remain fully responsible in relation to Finansinspektionen for the accuracy and comprehensiveness of the information about their own customers. The risks associated with this responsibility for KYC data would be particularly significant if the network were open to financial companies established in jurisdictions that lack effective systems for tackling money laundering or terrorism financing.
Every financial company is also obliged to make its own assessment of its customers with regard to money laundering and terrorism financing risk and take appropriate measures to manage the risk. This means, for example, that for the same customer, the initial KYC measures may need to be more thorough, and that ongoing monitoring may need to be carried out more often and more extensively for some companies in the network than for others, which makes it harder to have a collective approach within the network.
As far as customer privacy is concerned, a great deal of different data can be registered in the blockchain, e.g. identity data, contact details, transaction information, biometric data, etc. It is vital that the financial companies that participate in the network comply with stringent security and confidentiality requirements in order to prevent unauthorised access and other personal data breaches. In addition, authorised access to data needs to be adapted in order to prevent any breach of the rules stipulated in Sweden’s Anti-Money Laundering Act regarding duty of confidentiality, the rules in the Banking and Financing Business Act on banking confidentiality or GDPR rules on data protection by design and default . This means that the participants in the network should in principle only have access to the information that they need about their customers that relates to the customers’ relationship and transactions with the company.
There are further challenges from a personal data perspective, including requirements for data minimisation, storage limitation, the right to erasure and establishment of personal data responsibility. Requirements regarding data minimisation and storage limitation mean that companies may not process more data about a natural person than is necessary, and such data may not be stored for any longer than is necessary. Since the amount of data that a financial company (personal data controller) needs to have about its customers varies from company to company, the amount of essential information that companies have to collect also varies based on the assessment of customer risk each company carries out. The storage limitation requirement is also linked to each personal data controller and how long they require information about their customers, which varies depending on the length of the business relationship. When it is no longer needed, the data must be deleted.
The right to erasure of personal data according to GDPR is not absolute, and there is a degree of uncertainty about what erasure actually means. However, the right to erasure applies, for example, when the personal data is no longer required, or if a customer withdraws their consent to processing. One of blockchain’s design features is that the transaction documentation cannot be amended or deleted entirely. A subsequent transaction may invalidate the first transaction, but the first transaction will remain in the chain. Furthermore, authorisation for the participant to view certain information in the blockchain may be restricted, but the information is still there. Since there is no actual deletion of the data in the blockchain, processing in the chain can make it difficult to satisfy GDPR deletion requirements.
It also needs to be established when a company that is part of the network is a personal data controller and when it is acting as a data processor, since this affects companies’ rights and obligations to the data subjects and in relation to GDPR.
In addition, a blockchain network may result in difficulties determining which country’s law should be applied in different situations, if the various participants and customers are based in different countries around the world (source).
To summarise, blockchain technology offers considerable potential in terms of work to combat money laundering and terrorism financing. At the same time there are many challenges that need to be managed with regard to how the blockchain is set up, including to ensure effective protection for customers’ privacy and compliance with the relevant regulations.
 IOSCO, Research Report on Financial Technologies (Fintech), February 2017, p. 48.
 FCA, Discussion paper on distributed ledger technology, DP 17/3, p. 10.
 FATF, Annual Report 2016-2017, p. 10.
 FI-tillsyn, Erfarenheter från penningtvättstillsynen 2016–2017, Issue 1, 12 April 2018, p. 3.
 FCA, Discussion paper on distributed ledger technology, DP 17/3, p. 14.
 FCA, Discussion paper on distributed ledger technology, DP 17/3, p. 16.
 IOSCO, Research Report on Financial Technologies (Fintech), February 2017, p. 57.