Livia Benisty is the Head of Financial Crime at ComplyAdvantage. Previously, Livia was Head of AML Advisory for Citi’s Trade and Treasury Solutions business in EMEA. She was invited to attend the Financial Action Taskforce RegTech and FinTech Forum earlier this month in Hangzhou, China.
Earlier this month I attended the FATF RegTech / FinTech forum in Hangzhou, China. It preceded the meeting of the Policy Development Group to discuss how to best regulate all things crypto, however at this forum there were three key areas for discussion:
- Cryptocurrencies and how best to regulate them, in particular:
- How to control mixers, tumblers and other tools used to disguise the origin of coins or transactions
- Should regulation focus on fiat to virtual conversion or consider within virtual as well
- Key management services
- Digital ID verification
- Is the use of digital ID at onboarding a benefit; is it a risk mitigant or does it enhance the risk
- Implication for non face-to-face due diligence
- Information sharing and use of ML / AI for that
- Previous guidance from 2017 already allows for information sharing across financial groups
- More information sharing needed
The forum itself was under Chatham House rules so no direct quotes, but here are my three key takeaways from the sessions.
Regulation of cryptocurrencies
Technological expertise focused on the crypto phenomenon is not yet truly integrated into the regulatory framework. Private-public forums like these are the only way forward if we are to have relevant and appropriate regulation. It’s easy to assume that regulators or even FATF have less interest in preserving the very real commercial (and other) benefits that exist with this technology, and are single-mindedly focused on the risks; this was clearly not the case. Regulators and FATF delegates asked insightful questions and raised pertinent points to understand the market and the potential these technologies offer. Similarly within the private sector I saw no desire to skirt regulation or encourage an unregulated market; instead there was a keen desire to educate and inform, a willingness to discuss either how existing guidance could fit the new technology, or how the technology could be shaped to fit in with existing guidance. Most of this was acting in the interests of speed, recognizing that where regulation truly fails is in the time it takes to be implemented, by which point technology, and criminals, have moved on.
I expect the main issues for the regulation to be focused around:
- Anonymity and what the legitimate business case for it might be, if any;
- Similarly for mixers and tumblers (I was asked by three separate regulators what I thought the business case for these were);
- Whether it is sufficient to regulate the conversion from fiat to virtual and vice versa, or if control within virtual conversion is required.
Implication of Privacy and Data Protection on Digital Identity and RegTech firms
Where some may see the use of Digital ID and non face-to-face onboarding as a significant risk, it was frequently mentioned as an enhancement to current process. Knowledge-based authentication largely has failed, and digital onboarding processes can equip firms and law enforcement with richer data.
One private sector representative challenged us to think about a possible implication of data privacy regulation for this industry. Restrictions on what data can be used for, how long it can be retained, and to an extent the ability to be forgotten impact those firms who require training data for machine learning algorithms. There is no question that individuals’ privacy and data must be protected. That said, if the existence of a digital identity can be a risk mitigant, and if Digital ID technology is a useful tool, then discussions around this technology need to occur in conjunction with the issue of privacy and recognizing its potential.
This is obviously in addition to the much more widely discussed issue of sharing information within and across entities. Steps are being taken between public and private sector, and within large institutions across borders, however between different private sector institutions this remains a no-go area in most circumstances. Without that it is difficult to see how we can move the needle in detecting financial crime.
Role of Government as the ultimate source of identity verification
The main internationally recognized authoritative identity system is the passport. However the passport is paper-based, cannot be verified online, was designed specifically for travel, and only applies to a subset of the population (which can lead to exclusion from key vital services, for example finance). Governments and international bodies need to create the ecosystem to allow for the use of Digital ID and the ability to rely on it.
Regardless of the tool presented, some form of government database is usually relied on as the end source for verification of identity. There was a discussion around whether a private sector system could exist that would reach the necessary standard to validate identity of an individual with sufficient assurance. Questions were asked around the place of social media, and how it feeds into someone’s digital identity, but an important point was raised around different use cases, i.e. using social media presence to identify illicit activity vs. using it to identify someone and verify that identity.