Cybersecurity laws in the blockchain space are a big grey area for businesses such as crypto exchanges. 2018 gave us a record year of exchange hacks, with losses running into billions of dollars. IBM's 2019 X-Force Threat Intelligence Index found that cryptojacking rose 450 per cent in the fourth quarter of 2018, placing crypto-based attacks at the forefront of cybersecurity threats.
While blockchain technology itself is highly secure, the applications that run on blockchain may not always be. Although individuals transacting in cryptocurrency remain fully responsible for securing their own digital assets, businesses need to take proactive steps to bolster cybersecurity capabilities to not only increase customer confidence, but also become compliant with new government regulations.
One of the biggest questions faced by most businesses today is how the implementation of cybersecurity solutions can influence and relate to their compliance status.
Compliance laws in the financial space aim to protect the assets of consumers and businesses alike. Banks, financial institutions and an increasing number of payment services now require identity verification before proceeding with any transactions. This due diligence, or "Know Your Customer" (KYC), is strictly enforced by the US government as well as a growing number of European and Asian governments, with failure to comply resulting in hefty fines and penalties.
Despite the perceived inconvenience associated with KYC, increased compliance does make the digital and financial landscape safer, given the hefty cost and repercussions of a security breach: the average cost of a data breach has reached US$3.9 million and is rising. However, some legislators still feel that KYC alone is not sufficient and are already discussing even stricter regulatory frameworks, such as laws to fight money laundering and terrorism financing, where cybersecurity is playing an increasingly important role.
The cybersecurity industry is increasingly involved in fighting money laundering in partnership with their governments. Apart from larger-scale involvement on a national level, private entities and companies also engage cybersecurity providers to safeguard their reputation as well as their customers' digital assets.
Money laundering is nothing new. The Financial Action Task Force (FATF), headquartered in Paris, was established with 16 member countries in 1989 to combat money laundering. Following the Sept 11, 2001 terror attacks, the FATF expanded its mandate to include terrorism financing. With increasing interest in anti-money laundering laws (AML) and laws that combat terrorism financing (CTF), the FATF grew to 37 members by 2016, with Singapore joining in 1992.
The purpose of the FATF is not just to combat money laundering, but also to foster international cooperation in investigations and prosecutions and to give authorities greater power to confiscate assets obtained through illegal means. To that end, the FATF established a financial intelligence unit to implement customer due diligence in identity verification, record-keeping, and suspicious activity reporting (SAR) requirements for banks, financial institutions and certain types of non-financial businesses.
Cryptocurrency exchanges are starting to fall under these stringent requirements. Are they prepared to comply? One might argue that they aren't overly concerned with dubious activity such as wash trading, and that their customers are fully responsible for their own asset security. However, regulatory bodies such as the FATF may soon define wash trading as a form of money laundering.
Before we move on to how to regulate or outlaw wash trading under AML laws, we must first define what "wash trading" really is and what it is used for. In the financial markets, a wash trade is a form of market manipulation in which an investor simultaneously sells and buys the same financial instruments. While this can be used to boost liquidity of a particular asset, it's basically a loophole to create misleading, artificial activity in the marketplace.
Wash traders on cryptocurrency exchanges use the same tactic to artificially boost the value of a token, and then dump it on the market for profit, causing losses to other investors. These aren't just isolated incidents brought on by a few bad actors. According to the Blockchain Transparency Institute, wash trading affects about 67 per cent of total cryptocurrency trade volume.
Although wash trading is illegal under US law, there are no known international regulations against it. Despite being seen as an unsavoury practice, wash trading cannot be outlawed internationally, beyond just the US, until there is a clear regulatory framework for cryptocurrencies. Unfortunately, with history as an indicator, we may have to wait a long time before seeing new regulations emerge against wash trading.
However, the good news is that there's a new way to "unravel" wash trading and expose the perpetrators behind it. Because hackers typically wash-trade stolen coins to cover their tracks, tools that track where these tokens come from, as well as where they go, can help pinpoint the origin and destination of the stolen assets. Sentinel Protocol, a cybersecurity company using blockchain technology, recently rolled out a new Crypto Analysis Transaction Virtualisation (CATV) tool which can trace stolen cryptocurrencies.
CYBERSECURITY AND DATA BREACHES
First, we need strong policies and clear procedures to implement a framework of compliance and anti-money laundering. Bad actors are increasingly skirting around cybersecurity laws in today's fragmented regulatory landscape, which highlights a dire need for a more robust regulatory framework within the cryptocurrency space.
Second, there must be increased investment in comprehensive fraud prevention systems in the financial space. Examples of such prevention systems within the cryptocurrency space include the CATV tool as well as Sentinel Protocol's Threat Reputation Database containing crowdsourced threat intelligence data placed on the blockchain. Used together, these new cybersecurity solutions will reduce operational risks for banks, financial institutions, enterprise businesses and cryptocurrency exchanges, all of which need to boost compliance and due diligence under new and evolving AML/CTF laws.
- The writer is Head of Operations at Uppsala Security