Cryptoassets: understanding and managing the risks

Cryptoasset investors and other market participants are struggling to keep pace with the associated valuation, security, money laundering, legal, regulatory and other challenges. Andrew Pimlott and Michael Imeson summarise the risks

About the authors

Michael Imeson, Chartered MCSI, is a contributing editor at The Banker magazine and chair of the CISI Fintech Forum. 
Andrew Pimlott is a partner, head of financial services, data and technology, EMEIA, at Ankura Global Consulting. 

The dramatic fall in the price of leading cryptocurrencies in early December 2021, which saw bitcoin lose around a fifth of its value, was a stark reminder that the cryptoasset world is a risky one. Prices are highly volatile, with asset bubbles forming rapidly and then bursting. Cryptocurrencies are not much use as a medium of exchange as they are not widely accepted by banks and retailers. However, they are accepted by growing numbers of criminals and terrorists to collect ransomware payments, launder money and finance illegal activities.

Aside from the ‘bad things’ about cryptoassets there are, of course, some ‘good things’ about them, otherwise they would not be so popular. They are used as an alternative to traditional currencies, though their acceptance is limited and the transaction process is usually slow; they are electronic, so there is no need to carry bank notes with the attendant risk of them being lost or stolen; and they are bought as investments in the hope they will rise in value.

This last is the main reason why people have been acquiring cryptoassets in ever greater numbers. According to Swiss private bank EFG, “in the five years to 31 December 2020, the S&P 500 index of large cap US equities compounded at an annualised growth rate of 14.5% (in USD, net dividends reinvested); over the same period the price of bitcoin in USD compounded at an annualised growth rate of 131.5%”.

Cryptocurrencies are issued by private sector organisations but their attractions are so great that governments are looking at public sector versions and the feasibility of central bank digital currencies (CBDCs) which will be fiat money.

A group of seven central banks – including the European Central Bank, Bank of England, Sweden’s Riksbank and the Bank of Japan – along with the Bank for International Settlements, in September 2021 announced they are working together to explore the possibilities. China’s central bank is already trialling a digital yuan with millions of people across several provinces and it may be the first to fully launch.

Despite their many positive attributes, this article deals with only the negative elements of cryptoassets. As they have grown in popularity, crypto investors, issuers, exchanges, custodians, regulators and law firms are finding it difficult to keep pace with the associated market, legal, regulatory, security and other risks. They are increasingly relying on specialist crypto consultants to assist in various areas – see section below on 'how crypto consultants can help'.

What exactly are cryptoassets?

Before elaborating on the risks, first some definitions. The UK financial regulator, the FCA, defines cryptoassets as “cryptographically secured digital representations of value or contractual rights that use some type of distributed ledger technology (DLT) and can be transferred, stored or traded electronically”. Regulators, banks and other organisations now tend to use the term ‘cryptoassets’ rather than cryptocurrencies, because bitcoin, ethereum and others are overwhelmingly used as assets to invest in rather than currencies to transact with, and are not issued or backed by a central bank.

Many people have moved further along the terminological journey and call them ‘digital assets’ because they are underpinned by several technologies – chief of which is DLT – not just cryptography. Central bankers prefer ‘digital’ to ‘crypto’ because if and when they issue their own digital currency it will be fiat money and they will want to distance it from less stable, privately issued cryptocurrencies.

The risks

There are two main risks associated with cryptoassets: market risk, the likelihood of asset values rising and falling sharply; and financial crime risk, the possibility of the assets being used by criminals and terrorists to finance their activities and launder money.

The 20% fall in bitcoin’s price in the first weekend of December illustrates how volatile the market for these assets can be. On December 3 2021 it was worth US$57,000, and the next day it was US$45,000. Other popular coins, including ethereum, fell by similar amounts. The sell-off was caused partly by a volatile week in traditional markets and jitters by big institutional investors who have been moving into crypto. At the time of writing (27 January) bitcoin had fallen further to US$36,500, according to CoinMarketCap.

There have been other big falls in recent years attributed to reasons specific to the crypto market. In May 2021, for example, cryptocurrencies lost nearly half of their value in a week, caused by the Chinese clamping down on cryptoasset trading and Elon Musk saying his car firm Tesla would stop accepting payments in bitcoin.

As for financial crime risk, cryptocurrency-based crime hit a new all-time high in 2021, according to blockchain data platform Chainalysis. Organisations involved in illicit activity received US$14bn in cryptocurrency over the course of the year, up from US$7.8bn in 2020. About US$3.2bn of that was outright theft, of which 72% was stolen from decentralised finance (DeFi) networks.  

Some of the illicit transactions were ransom payments. Ransomware has become a bigger threat to critical national infrastructure than any other form of cyber attack. Criminal gangs are finding it increasingly easy to disrupt organisations’ IT systems, steal data, and then demand large payments, often in difficult-to-trace cryptocurrencies, to put things back to normal. 2021’s victims include Ireland’s health service, Colonial Pipeline in the US, Brazilian meat company JBS and French insurer AXA. Company bosses often feel they have no choice but to pay the ransom, even if it means breaking money laundering and sanctions laws, and encouraging more ransom attacks. Furthermore, there is every possibility that restored data, including sensitive personal data, may have already been copied and sold on the Dark Web.

In 2020, at least US$350m in crypto ransoms was paid out to hacker gangs, such as DarkSide, the group that shut down the Colonial Pipeline, according to the Financial Times. These virtual payments are turned into hard cash on crypto exchanges. As exchanges have become more heavily regulated and subject to tougher anti-money laundering (AML) and know your customer (KYC) rules, criminals are turning to ‘Treasure Men’ listed on the Dark Web who use methods as simple as leaving bundles of cash behind a bush or buried in the ground, or exchanging bitcoins for prepaid debit cards or gift vouchers, according to the FT.

The regulatory response to crypto risks

Official attitudes to cryptoassets vary widely from country to country, ranging from total or near-total bans, to positive encouragement. It all depends on how much of a threat governments believe they pose to investors, financial market stability and society at large. China is at one extreme. In May 2021, the People’s Bank of China banned domestic financial institutions from providing cryptocurrency transaction services. Then in September it went a step further when the Bank, along with other government agencies, declared it illegal for overseas cryptocurrency exchanges to provide online services to Chinese residents.

At the other end of the spectrum are countries like the UK where the issuance and trading of cryptoassets is allowed. Some types come under FCA regulation, such as ‘security tokens’ (digital contracts for a fraction of a traditional asset like real estate or company shares), ‘emoney tokens’ (electronic money) and derivative contracts that reference cryptoassets.

However, ‘exchange tokens’, such as bitcoin and other cryptocurrencies, are not regulated by the FCA – except for AML and counter terrorist financing (CTF) purposes under regulations introduced in January 2020. The FCA had been due to ban cryptoasset businesses not on its register under these regulations from January 2021, but the approval process has been taking time, so the deadline has been delayed until 31 March 2022.

Somewhere in the middle of the regulatory approach to cryptoassets is the US. Executives from six leading cryptoasset companies appearing before the House of Representatives Committee on Financial Services in December 2021 said they believed that the regulations were too strict compared with other Western nations. Brian Brooks, CEO of bitcoin miner Bitfury, and a former Acting Comptroller of the Currency, advocated lighter touch controls. He said the regulations were driving legitimate crypto activity to Canada, Germany, the UK and Singapore to the detriment of the US financial sector.

Action by law enforcers

It has been argued that ransomware attacks would be less of a problem if the perpetrators were not paid in cryptocurrencies, which make it harder for law enforcement agencies to track the recipients. However, the application of KYC and AML regulations to crypto businesses in many jurisdictions, such as the UK mentioned above, has made it easier for crime investigators to trace recipients.

Besides, cryptocurrencies were already traceable through the blockchain they reside in, though it is admittedly more difficult to find the real identities and intents of the originators and receivers. That they can be traced, and even recovered, was dramatically proved by the US Department of Justice in June 2021 when it announced it had seized 63.7 bitcoins valued at US$2.3m of the 75 bitcoins paid by Colonial Pipeline following the ransomware attack on it a month earlier.

The DoJ said that “by reviewing the bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key’, or the rough equivalent of a password, needed to access assets accessible from the specific bitcoin address”.

How central banks would limit CBDC risk

HM Treasury and the Bank of England announced in November 2021 that they would be launching a consultation on the case for creating a central bank digital currency (CBDC). If a ‘britcoin’ ever became a reality, what could be done to stop people and businesses, especially in times of financial market uncertainty, moving large amounts of money from conventional bank accounts to a Bank of England account where it would be safer because it is backed by the government? This would be an obvious danger to the commercial viability, and perhaps even the very existence, of traditional banks. 

There is an easy way around the problem. It would be to limit how many digital pounds any one individual or organisation could have. This is precisely what Charles Roxburgh, Second Permanent Secretary at HM Treasury, said when he gave evidence to the House of Lords Economic Affairs Committee, which is looking into the implications of a britcoin.

How crypto consultants can help

Amid all this complexity and risk, it is not surprising that members of the cryptoasset community – investors, investment managers, issuers, exchanges, custodians, technology providers, and law firms – can get bogged down in the operational and legal details. Many of them rely on consultants to help them with a range of essential matters – creating and maintaining digital assets, blockchain technology, cryptography, cyber security, incident response, ransom payment negotiations, asset tracing and recovery, forensic accounting, investigations, AML and CFT monitoring, regulatory compliance and more.

Financial regulators struggling to keep up with the pace of change are also turning to external advisers for assistance. The FCA has put out to tender a £500,000 contract to appoint a consultancy firm to provide a platform to analyse blockchain data and train staff to spot criminal transactions conducted over decentralised financial networks. The contract will run for two years from March 2022.

There is no denying that cryptoassets are hugely popular with investors and interest in them will continue to grow. They are here to stay, despite the efforts of some jurisdictions to heavily restrict or even ban them. The creation of CBDCs will only fuel interest, not detract from it, because they are two different animals. Cryptoassets are primarily investment instruments whereas CBDCs will be central bank money used as a means of payment, unit of account and store of value.

As the market evolves, more effort must be made to ensure it becomes safer in two key respects: for investors, in terms of price volatility, transparency, integrity and security, and for the wider financial system in terms of reducing its attraction to money launderers, terrorists and criminals.

Views expressed in this article are those of the authors alone and do not necessarily represent the views of the CISI.

Published: 27 Jan 2022