How can we mitigate cryptocurrency risks with a data-driven compliance strategy?

In 2021, some financial institutions and large companies started adopting cryptocurrencies. This is particularly the case in the US, where the example of Tesla comes to mind. However, this democratisation remains marginal—not least because of a persistent belief that cryptocurrencies are used for money laundering. Yet, on the contrary, blockchain technology actually offers unprecedented transparency.

Cyber risks - Benjamin ALLOUCH - 6 January 2022

Many people are concerned about the risks associated with cryptocurrencies. Indeed, they are regularly suspected of financing activities linked to financial crime or even terrorism. However, these accusations come up against a factual reality: the pseudonymity—not the anonymity—of blockchains.

It is indeed possible to trace with certainty all transactions in digital assets carried out on a blockchain. Admittedly, attaching a real-world name to users’ public addresses is a long and difficult task, but it is entirely feasible, as the Silk Road[1] case proved in 2014 (detailed in the first part below).

Furthermore, legitimate economic activities also benefit from the relative transparency of blockchains, which makes it possible to understand and analyse the movement of funds through Bitcoin (BTC), Ethereum (ETH), and other major cryptocurrencies.

For example, data on transactions between public addresses recorded on a blockchain is a valuable aid in uncovering criminal activities.

Transparency, a major tool for analysing blockchain data

The fundamentals of transparency applied to blockchain technology

Although blockchain data may vary depending on the blockchain in question, they all share a common structure based on asymmetric cryptography, i.e. they all require the use of a private key and a corresponding public key. The private key is known only to its holder and is used to sign, and thereby authenticate and validate, the transactions carried out on the blockchain in question. However, for the analysis of blockchain data, the private key is not important, as the goal is to identify the author of transactions, not to authenticate them.

The public key (strictly speaking, an address derived from it) represents the visible address of the holder of a crypto asset wallet. Anyone who knows this address can send cryptocurrencies to its holder. To make a somewhat simplistic comparison, it corresponds to the bank account number of the holder of a digital asset wallet.

Chainalysis, an American company founded in 2014, specialises in analysing the movements linked to these public keys. Its services are used by judicial authorities in many countries for investigative and compliance purposes, in order to trace certain blockchain-related activities and potential illicit cryptocurrency transactions.

However, contrary to what many might think, the rate of illicit transactions in cryptocurrencies is extremely low. Chainalysis, for example, was able to determine that for Bitcoin alone, the rate was 6% in 2019 compared to less than 2% in 2020 and 2021. Even though the rate is objectively low, that still represents about ten billion dollars. The reason the rate can be measured at all is simple: the Bitcoin blockchain is not anonymous and any transaction can be tracked afterwards.

Analysis of blockchain data for criminal investigations

Contrary to what is still widely believed, the analysis of blockchain data is not a complex task, provided that one is trained and has the right tools. Thus, it is quite possible to dismantle criminal networks on these blockchains.

The typical example is the Silk Road case. What makes it special? The sale of prohibited products (drugs, firearms) paid for in Bitcoin, which at the time seemed more anonymous than the dollar. However, an in-depth and complex analysis of the data from the Bitcoin blockchain enabled the FBI to get hold of its founder Ross Ulbricht and shut down the platform for good.

Silk Road is the perfect example of the pseudonymity conferred by the blockchain. When data analysis tools are implemented, this feature allows a true traceability of cryptocurrency movements. In contrast, cash transactions are truly anonymous, if those involved in the exchange so desire. Indeed, there is no traceability in the use of banknotes, but only in their origin thanks to the serial numbers.

Another case—which is not purely criminal—involves Mt. Gox, the former dominant cryptocurrency trading platform, which was declared bankrupt following a major hack in 2014.

Willem van den Brandeler, account manager at Chainalysis, explains that the platform was able to track a large portion of the suspicious transactions related to its hack and found that they all led to BTC-e, a Russian platform that the FBI was able to seize in 2017.

Breaking pseudonymity, the gateway to blockchain data transparency

How can a company like Chainalysis identify the individual behind a pseudonymous public address? Willem van den Brandeler explains that the algorithm designed by the company allows addresses to be linked to entities. For example, address X comes from exchange platform Y. In other words, Chainalysis can break the pseudonymity—which is a prerequisite for the analysis of blockchain data—and reveal the identity of the individual who made the payment.
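The address-to-entity linking described above can be illustrated with one widely used public heuristic, common-input ownership: if a single transaction spends several inputs, the spender must hold every input's private key, so those input addresses are assumed to belong to the same owner, and a label known for one address (say, a deposit address of exchange Y) extends to its whole cluster. The following is an added example written for this article, not Chainalysis's proprietary algorithm, and every address and transaction in it is constructed sample data.

```python
from collections import defaultdict


class UnionFind:
    """Minimal disjoint-set structure used to merge co-spending addresses."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """transactions: list of {'inputs': [addr...], 'outputs': [addr...]}.
    Returns {address: representative address of its cluster}."""
    uf = UnionFind()
    for tx in transactions:
        ins = tx["inputs"]
        for addr in ins:
            uf.find(addr)                 # register lone inputs too
        for addr in ins[1:]:
            uf.union(ins[0], addr)        # co-spent inputs share an owner
        for addr in tx["outputs"]:
            uf.find(addr)                 # outputs are registered, never merged
    return {a: uf.find(a) for a in uf.parent}


def label_clusters(clusters, known_labels):
    """Propagate entity labels from tagged addresses to their whole cluster.
    Several labels in one cluster are all kept so conflicts stay visible."""
    labels = defaultdict(set)
    for addr, label in known_labels.items():
        if addr in clusters:
            labels[clusters[addr]].add(label)
    return {addr: sorted(labels[cid]) for addr, cid in clusters.items()}


# Constructed sample: tx1 co-spends A1+A2, tx2 co-spends A2+A3, tx3 spends A4 alone.
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": ["A4", "A5"]},
    {"inputs": ["A2", "A3"], "outputs": ["A6"]},
    {"inputs": ["A4"], "outputs": ["A7"]},
]
KNOWN = {"A3": "Exchange Y"}   # constructed: A3 is a known deposit address of exchange Y
```

Running `label_clusters(cluster_addresses(SAMPLE_TXS), KNOWN)` tags A1 and A2 as "Exchange Y" through their link to A3, while the outputs A4 to A7 stay unlabelled because receiving funds proves nothing about ownership.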

How can we establish a risk-based approach to cryptocurrencies?

A general approach to risk management in cryptocurrencies

The Covid-19 pandemic has led to a sharp increase in scams and cyberattacks linked to cryptocurrency. This phenomenon is primarily related to the pandemic itself, as the majority of the population was confined and thus used very little cash, favouring instead online payments, sometimes in cryptocurrencies.

Nevertheless, Willem van den Brandeler points out, the attack techniques used during the pandemic are identical to those of the pre-pandemic scams, namely deception, extortion, and phishing. The vast majority of these scams use cryptocurrencies as a means of payment.

In order to establish an approach to cryptocurrency risk management, it is first necessary to identify the different types of risk associated with the use of cryptocurrencies. Joosep Vahtras, Compliance Advisory Lead at Chainalysis, believes that there is firstly an external risk: knowing how to select which cryptocurrency-related companies are reliable and trustworthy. Then there is an internal risk, namely whether it is actually necessary for the entity to work with, or around, cryptocurrencies at all.

Working with a registered or licensed exchange platform and with investment funds dedicated to blockchain projects is perfectly feasible. On the other hand, it is best to avoid unregistered platforms, as well as peer-to-peer cryptocurrency payment providers of the decentralised finance (DeFi) type. The reason is simple: the more transparent and, above all, regulation-compliant the partner’s activity is, the lower the risk. And although decentralised finance is entirely consistent with the blockchain principle, it operates outside of any regulation.

If in doubt, an organisation may also conduct a thorough investigation of a payment service provider to check its probity. Knowledge of its structure, of the products and services it offers, and of the jurisdictions to which it is subject is essential. A questionnaire can also be sent to the potential client to ensure their integrity: it is important to know how the company behaves when a transaction looks doubtful and what it does to fight money laundering.

A detailed approach to risk management in cryptocurrencies

According to Joosep Vahtras, there are certain warning signs that should be taken into account before engaging in any cooperation with a potential client operating in the cryptocurrency sector. Some are obvious, such as the suspicion of financing illegal activities, or sanctions imposed by certain jurisdictions. Others are much less obvious. One example is the practice of blending (more commonly called mixing)—a kind of digital scrambling designed to disguise the origin or destination of cryptocurrencies.

It is then necessary to determine the risk threshold to which one is exposed. Three approaches can be considered. The first is the approach based on the amount traded in “traditional currency” equivalent: for example, any transaction below USD 2,000 is not considered risky. The second approach is the percentage threshold approach, on a case-by-case basis. The third approach is the number or frequency of transactions.

The last two approaches are more abstract, and the risk tolerance threshold differs according to the type of company. So a transaction may be considered risky according to one approach, but not according to another. For example, 10,000 transactions at USD 1,000 might be considered risky according to the third approach, but not according to the first.

In other words, the risk threshold can be difficult to measure. It depends on the openness to the world of cryptocurrencies and the risk approach chosen. However, we can note that the second and third approaches are not clearly defined. From how many transactions is the risk considered significant? What percentage threshold should be used? It is almost impossible to answer these questions without a concrete approach.
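The three threshold approaches described above can be made concrete by encoding each one as a rule and running them over the same set of transfers; the USD 2,000 amount threshold is taken from the text, while the 25% share and 500-transfer count limits, and the reading of the "percentage" approach as one counterparty's share of total volume, are assumptions made for this added example (it is not a procedure from the article or from Chainalysis). The sample data reproduces the article's case of 10,000 transfers of USD 1,000 each.

```python
from collections import defaultdict

# Assumed policy values; only the USD 2,000 figure comes from the article.
POLICY = {
    "amount_usd": 2000.0,   # approach 1: any single transfer of USD 2,000 or more
    "share_pct": 25.0,      # approach 2: one counterparty above 25% of total volume
    "max_count": 500,       # approach 3: more than 500 transfers with one counterparty
}


def screen(transfers, policy=POLICY):
    """transfers: iterable of (counterparty, usd_amount) pairs.
    Returns {approach: sorted counterparties flagged under that approach}."""
    volume = defaultdict(float)
    count = defaultdict(int)
    by_amount = set()
    for cp, usd in transfers:
        volume[cp] += usd
        count[cp] += 1
        if usd >= policy["amount_usd"]:
            by_amount.add(cp)
    total = sum(volume.values()) or 1.0   # avoid division by zero on empty input
    by_share = {cp for cp, v in volume.items() if 100.0 * v / total > policy["share_pct"]}
    by_count = {cp for cp, n in count.items() if n > policy["max_count"]}
    return {"amount": sorted(by_amount), "share": sorted(by_share), "count": sorted(by_count)}


def risk_summary(transfers, policy=POLICY):
    """Invert the screening result: {counterparty: [approaches that flagged it]}."""
    hits = defaultdict(list)
    for approach, cps in screen(transfers, policy).items():
        for cp in cps:
            hits[cp].append(approach)
    return dict(hits)


# Constructed sample: the article's 10,000 x USD 1,000 case, one large transfer,
# and a low-volume counterparty that should trigger nothing.
SAMPLE = (
    [("cp-structured", 1000.0)] * 10000
    + [("cp-large", 50000.0)]
    + [("cp-small", 300.0)] * 3
)
```

On this sample, cp-structured is flagged by the count and share rules but not by the amount rule, exactly the disagreement between approaches the text describes, while cp-large trips only the amount rule.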

Security is also an essential criterion: does the potential client apply the right measures to avoid cyberattacks? It is possible to examine the documentation provided by the entity in question, especially when it has already been submitted to an authority to obtain an authorisation or licence. This is notably the case for registration as a digital asset service provider (DASP), issued in France by the AMF (Autorité des marchés financiers – Financial Markets Regulator) and the ACPR (Autorité de contrôle prudentiel et de résolution – Prudential Supervision and Resolution Authority).

The risk-based approach to cryptocurrencies is therefore essentially a case-by-case one. While some criteria are general, the majority are client-specific, or failing that, industry-specific. For example, the risk approach used may be different for one entity compared to another. Similarly, registration with a competent authority is a criterion that may be sufficient for some, due to the confidence conferred by that authority.

[1] Silk Road is the name of a darknet black market founded in 2011 in the US by Ross Ulbricht. All kinds of illegal products (unlicensed firearms, drugs) were offered for sale there. The payment method used was Bitcoin, which is falsely considered anonymous.

