Ensuring Responsible Development of Digital Assets; Request for Comment

In September, the U.S. Treasury Department filed a Request for Comment (RFC) seeking feedback on the illicit finance and national security risks posed by digital assets. The filing was pursuant to the President's executive order on crypto and seeks guidance across key categories including illicit finance risks, regulation and supervision, global implementation, private sector engagement and a central bank digital currency.

On Thursday, TRM responded to the RFC focusing on illicit finance risks and the ways in which the native properties of public blockchains can enable compliance professionals, law enforcement, regulators, supervisors, and other government agency officials to more readily identify risks and more effectively and efficiently detect and investigate financial crime.

The full response is published here:

Executive Summary

The same qualities that make digital assets a force for good - decentralized, permissionless, cross border value transfer at the speed of the internet - also make them attractive to illicit actors who seek to move funds across the globe at unprecedented speed and scale.

The native properties of public blockchains — data that is Transparent, Traceable, Public, Permanent, Private, and Programmable — can however, enable compliance professionals, law enforcement, regulators, supervisors, and other government agency officials to more readily identify risks and more effectively and efficiently detect and investigate financial crime.

While there are emerging illicit finance risks in digital asset space such as decentralized finance (DeFi) hacks, NFT rug pulls, shell VASPs and programmatic money laundering - blockchain intelligence technologies also continue to innovate, increasing our ability to thwart these activities and proactively seek out bad actors.

Below, in our response to the Request for Comment (RFC), TRM provides insights into the illicit finance risks of digital assets and the opportunities to mitigate these risks by leveraging the unique qualities of blockchains. We argue that by enabling the use of analytics we can achieve a step change in how illicit finance is countered in the digital asset environment.

The RFC process highlights the importance of public-private partnerships in a space in which the private sector can offer tools, training and other expertise to help law enforcement, regulators, and policy makers move more quickly in achieving their aims.  These tools also help compliance professionals – from small DeFi protocols and NFT marketplaces to large centralized exchanges – to monitor transactions and screen wallet addresses to effectively meet and exceed their compliance obligations.

The RFC asks questions across four categories. TRM addresses these questions in two sections. The first section discusses the emerging illicit finance risks and outlines how we can leverage the unique qualities of blockchains to mitigate those risks. In the second section we consider the opportunities for AML/CFT supervision presented by digital assets. We conclude by offering three recommendations which will enable law enforcement, regulators and financial crime professionals to mitigate the various risks to the digital asset ecosystem.

Recommendations:

• Ensure that policymakers, regulators, supervisors and law enforcement have the necessary training and tools to effectively identify and mitigate illicit finance risk in digital assets.
• Enhance public-private partnerships with real time information exchange to equip the private sector with the data they need to combat financial crime, whilst sharing information with supervisors to enable data-led supervision
• Uplift cybersecurity expectations and capabilities across the industry to make it more difficult to attack the digital asset infrastructure and profit from malicious activity.

Illicit Finance Risks

The first section of the RFC seeks information related to illicit finance risks associated with digital assets. Although there is general consensus within the industry that illicit finance makes up no more than 2% of digital asset activity it is important to track how illicit actors are using this technology. In our analysis, it is clear that illicit activity falls into four main categories:

1. Crypto-enabled crime - where criminals target digital assets for theft or exploitation. For example hacks of DeFi protocols and ransomware;
2. Money laundering - using digital assets and blockchain technologies, such as mixers, to launder funds from illicit activity that has occurred on or off chain;
3. Illicit payments - using digital assets to finance illicit services or activities. For example terrorist financing and sanctions evasion; and,
4. Illicit commerce - the use of digital assets to buy illicit goods and services. For example narcotics on darknet marketplaces.

When examining how best to combat illicit activity involving digital assets, it is useful to consider mitigating activities through the lens of these four categories, as each requires a tailored approach to make them less profitable.

Below we set out the emerging illicit finance risks we see from our analysis of blockchain activity as relates to DeFi, ransomware, mixers and NFTs. We also put forward best practices for mitigating these emerging risks.

Hacks against DeFi-related projects

Hacks have become a part of everyday life in the digital asset ecosystem, and particularly within the decentralized finance space. According to TRM analysis, over $3.1 billion has been stolen in cryptocurrency hacks in 2022, with hacks against DeFi-related projects accounting for roughly 95% of the total amount stolen. The average DeFi hack was more than four times larger than the average non-DeFi hack and of the ten largest cryptocurrency hacks so far in 2022, all ten were against DeFi targets.

Between January and August 2022, there was a DeFi hack approximately every three and a half days. Hacks are also getting bigger, in comparison to 2021, in the first half of 2022 the average hack size was $27 million, double that of the previous year.

Increasingly, we see cross-chain bridges exploited within these hacks. Cross-chain bridges enable the transfer of assets from one blockchain to another and are viewed as an essential innovation in web3 as they allow previously isolated blockchains to share information with each other, driving critical interoperability. Today, there are over 100 blockchain bridges in existence.

The explosive growth of cross-chain bridges has made cross-chain transfers much faster and easier. The use of cross-chain bridges experienced a greater than 90% growth surge during the end of 2021, and currently, more than $9 billion dollars worth of cryptocurrency is locked in the liquidity of Ethereum bridges alone.

Threat actors have capitalized on this shift by adopting ‘chain-hopping’ as an obfuscation technique when laundering hacked or stolen funds. Bridge exploits - hacks of the bridges themselves - alone roughly amount to $2 billion for 2022, and that doesn't include illicit funds from other criminal activity that has moved across bridges, making ‘chain hopping’ one of the fastest-growing money laundering typologies in digital assets.

Chain-hopping is an effective money laundering technique as it makes it harder for services like centralized exchanges to detect whether incoming funds are tied to an exploit or other illicit activity, which they would normally freeze or report to law enforcement.

Case study

After gaining control of the funds on those chains, the attacker used at least four cross-chain bridges to move the stolen cryptocurrency to the Ethereum blockchain.

In this case, TRM enabled investigators to trace through bridges at the click of a button and to visualize the movement of funds from one blockchain to another in a single, seamless graph. The ability to trace cross-chain flows in a matter of minutes — versus the days and weeks required by manual cross-chain tracing techniques — is key for investigators because it greatly improves the chances that stolen funds can be traced to and frozen by an intermediary before being cashed out and it frees up resources of law enforcement.

Mitigating the illicit finance risks in DeFi

To mitigate the risks to DeFi protocols and wider crypto-enabled crime we must take a two-stage approach. First, hacks can only be stopped by improving cyber security at DeFi protocols and other cryptocurrency businesses. Improving cyber security can be done by continued emphasis on public-private coordination to ensure cryptocurrency businesses are engaging in cybersecurity best practices. In doing so, they will make themselves less vulnerable to hacks.

Second, we must make these hacks and crypto-enabled crime less profitable by increasing friction in the money laundering process. To do so it is important for investigators to be able to trace flows of funds not just within blockchains but across blockchains. Now, as rapid chain-hopping through bridges and other automated services has gained popularity among illicit actors, TRM enables automated tracing across bridges and cross-chain services.

Criminal typologies will continue to evolve however, and continuously tuning our response to crypto-enabled crime will rely on effective data sharing amongst the industry to keep pace with criminals.

The illicit finance risk of ransomware

Since the 2021 attack on Colonial Pipeline, ransomware – a type of malicious software that cybercriminals use to block a victim from accessing their own data – has become a focus for both policy makers and businesses globally.

Ransomware is growing, in part, due to the growing commoditization of ransomware-as-a-service (RaaS) tools that are used to execute ransomware attacks. TRM’s data reveals that darknet forums that specialize in selling cybercrime-related services such as bulletproof hosting, exploits-as-a-service, botnets-as-a-service, or compromised attacks have received $11 million in cryptocurrency payments between January and September 2022.

Case Study

TRM analysis of ransom payments in 2022 suggests small-sized businesses are being targeted the most. A ransomware attack is a costly event that results in significant financial losses. Financial losses can be categorized as direct such as ransom payments or indirect losses such as data and infrastructure recovery cost, business interruption and legal expenses to mitigate reputational damage and potential lawsuits. Based on TRM analysis of on-chain ransomware payments, nearly 57% of ransom payments made in the first three quarters of 2022 were under $1 million suggesting that small-sized businesses were targeted the most. We also observe that approximately 37% of payments fall between the $1 million to $5 million range, with about 6% of ransom payments being higher than $5 million.

While ransom demand amounts vary and depend on factors such as company size and the sensitivity of stolen data, annual revenue is likely to play a central role for actors when determining a ransom demand. According to TRM’s analysis of the ransomware ecosystem and negotiation tactics, we estimate the average ransom demand is about 2% of a victim’s annual revenue.

Mitigating the risk of ransomware

There are a number of efforts ongoing in the public and private sectors aimed at mitigating the risk of ransomware attacks. For example, the FBI and Treasury are leading an effort to build an Illicit Virtual Asset Notification (IVAN) information sharing partnership and supporting platform to improve timelines of detection and disruption of ransomware and other illicit virtual currency payment flows. While public-private information sharing is critical, cross-border cooperation is paramount as illicit actors move large amounts of funds globally. Here, the U.S.-led International Counter Ransomware Initiative is an important forum for building that cooperation.

As above, it is important to address the cyber security deficiencies that leave businesses vulnerable to attack. When attacks do happen however, it is important to create effective incident response capabilities to respond to events as they unfold. TRM has a globally-distributed Crypto Incident Response team sourced from former law enforcement officers that provides investigative assistance from case initiation through to case closure. Investigators assist victim businesses in tracing stolen funds (leading in some cases to asset recovery) and connect victims to a global network of law enforcement agencies, cybersecurity firms and specialized law firms. This is perhaps a model for industry best practices.

Illicit financing risk of mixers

Decentralized mixer protocols, or anonymization services, pool cryptocurrency from multiple users to obfuscate transactions by masking the origins of the funds. Mixing services are used by both legitimate actors who want to maintain the anonymity of their funds, and by criminals who use mixers to launder money and obfuscate the origin of illicit proceeds by mixing them with legal ones.

At TRM we have seen cybercriminals and nation state actors like North Korea use mixers to obfuscate the movement of funds during money laundering.

Case Study

In response OFAC used blockchain intelligence to trace the stolen funds through the mixing services, sanctioning both the blockchain addresses to which the funds moved to, and the mixing services that North Korean cybercriminals utilized to launder the funds – this included the centralized bitcoin mixer blender.io and decentralized Ethereum mixer Tornado Cash.  These rapid sanctions designations were only possible because of the transparent nature of public blockchains which allowed OFAC to identify the entities and addresses associated with the money laundering techniques used.

Mitigating the illicit finance uses of mixers

Although mixers have many legitimate uses, mitigating illicit exploitation of these services is important when they are being used to launder money by criminal or nation state groups. One way of mitigating the money laundering risk of mixers is by deterring criminals from using these services in the first place by being able to trace through them. TRM has the unique capability to trace through many on-chain mixing services making them less attractive for illicit use.

A second way to mitigate the illicit use of mixers is to block bad actors from using them. In recent months sanctions have been placed on several mixing services. Sanctions have a considerable deterrent effect on the use of mixers by all users and given the transparent nature of blockchain we are able to accurately measure this impact. According to TRM analysis, total monthly deposits into Tornado Cash decreased by 68% in the month after it was sanctioned. In the wake of sanctions we have also seen a movement by the crypto industry, including DeFi protocols, to implement sanctions screening on their front ends or user interfaces to block sanctioned actors whilst maintaining access to legitimate users.

To further refine the blocking of illicit actors it is becoming increasingly important to geolocate incoming transactions. Blockchain intelligence allows cryptocurrency businesses to better geolocate incoming activity to filter out or ‘geo-fence’ sanctioned jurisdictions from interacting with mixers and DeFi protocols.

How sanctions are being implemented in DeFi today

1. whether an address appears on a sanctions list or is associated with an entity on the sanctions list (”ownership risk”)
2. whether an address has transacted with a sanctioned address (”counterparty risk”)
3. whether an address has received funds from or sent funds through multiple “hops” to a sanctioned address (”indirect risk”).

Illicit finance risks of NFTs

The use cases for Non Fungible Tokens (NFTs) continue to develop. First used for digital collectibles and art, a broader understanding that NFTs can be used to transfer and hold ownership of any tokenized asset has now emerged. This understanding and the properties of NFTs such as ease of transfer and subjectivity of their value can make them attractive to illicit actors who are looking to launder funds or scam victims. As with DeFi, we have seen several illicit finance typologies emerge in the NFT space.

One such money laundering typology is NFT Wash Trading. Traditionally, wash trading has referred to a trader buying and selling a security for the explicit purpose of misleading the market and manipulating prices. Sometimes, a trader and a broker are colluding together, and other times an investor is acting as both the buyer and the seller. Either way, the goal is to quickly make money or potentially use the washing as a mechanism for money laundering.

NFT wash trading is a concern for legitimate investors, collectors, and the general public because of inflated price comparisons and statistical outliers that reduce the integrity of the market.

Case study

In late 2021, someone bought a CryptoPunk NFT from themself with borrowed money and repaid the loan in the same transaction. The purchase price was over 124k ETH, which was worth $532M at the time. Prior to the wash trading/flash loan, the same CryptoPunk had been trading for closer to $300-400K. The anomaly was so large that it led to a Tweet from the NFT creator stating that bids like these could not be accepted and that enhanced filtering would be created to avoid wash trading in the future.

Mitigating NFT Wash Trading

The most effective way to mitigate NFT wash trading is to make it difficult for illicit actors to sell NFTs involved in such schemes to unsuspecting parties. Blockchain intelligence allows buyers to conduct risk assessments of NFTs by identifying any outliers or other suspicious activity in the transaction history of the NFT. Using both on and off-chain data, investors can assess the token and creator provenance, as well as current ownership of an NFT. The buyer can look at whether the current owner has an

unusually tight transaction network or if the NFT appears to have been traded amongst the owner with discrepancies in the bid, sale and floor price. The same blockchain technology that is being used to manipulate the market can provide a wealth of historical data that can provide unique insight into the integrity of an NFT. This is impossible in the traditional art, antiquities and collectible markets today in which provenance is often opaque.

In addition, we are seeing more and more NFT issuers and marketplaces use blockchain intelligence to monitor transactions and screen wallet addresses to ensure that they are not sending an NFT to an illicit actor and mitigating their risk of sanctions exposure.

Frauds and scams involving NFTs

Frauds and scams have also become a prominent feature of the NFT landscape. One such scam is the rug pull. Rug pulls are malicious maneuvers involving digital assets where crypto developers either abandon a project and run away with investors’ funds or use social engineering to gain access to a victim’s assets.

Case study

One particularly insidious scam is the ‘drainware smart contract’ which is a form of phishing that prompts users to sign a contract, usually under the pretense of a legitimate transfer of NFT or token ownership, which then grants control of the user’s entire wallet to the attacker.

The attacker then phishes the victim through emails, messaging apps, pop-ups on Discord, Telegram, in-wallet ads through MetaMask or uses fake or impersonation websites and accounts. In the end, the victim is always asked to either provide private keys or sign approval contracts. These attacks are successful because buyers and sellers are under pressure to act fast to collect valuable NFTs. In this case, the attacker prompted the victim to initiate a peer-to-peer trade by signing the drainware smart contract. The attacker then launders their illicit proceeds using mixers or other obfuscation techniques discussed above. ‍

NFT Discord hacks are another form of scam that utilizes NFTs. ****Discord, the social media platform widely-used by popular NFT projects, has been targeted over the last year with increasing frequency by attackers for hacks and scams.

In June 2022, phishing attacks linked to NFT minting scams deployed through compromised Discord accounts increased by 55% in comparison to the previous month. ****Analysis of on-chain and off-chain data suggests many of the Discord compromises targeting NFT projects show similar patterns of behavior, with hackers using an array of tactics to scam Discord users.These techniques include using sophisticated social engineering, such as phishing and fraudulent accounts pretending to be an administrator and exploiting bots, such as the Mee6 bot, to allow admins to automatically give and remove roles and send messages to the community. In some instances, the attackers even updated administrator settings to ban Discord moderators from interfering with the hackers’ operations.

Case study

Potential buyers started biting around 8:15 am EST, clicking on the fraudulent link and taking steps to connect their wallets in order to send the required minting fee in ETH. Instead, the ETH went straight to the fraudster’s address, and the transactions compromised victims’ wallets, executing fraudulent transfers of NFTs to the attackers’ wallets. After the victims’ wallets were compromised, NFTs from each compromised account were moved into a single wallet tied to the phishing link. In total, from a single exploit, the attackers acquired a diverse portfolio from 18 valuable NFT projects including Bored Ape Yacht Club, Mutant Ape Yacht Club, OthersideMeta, and MekaVerse.

Mitigating the risk of NFT scams and frauds

There is plenty that users can do to mitigate their risk of falling victim to a scam or fraud involving NFTs. The onus for this should be on the user but the digital asset ecosystem and the government can do more to support users in protecting themselves against such attacks. Users should practice strong cyber security and be aware of the red flags that could indicate fraudulent activity including unfamiliar contract calls, use a separate wallet to engage with NFT drops, view the history of an NFT before purchase, turn off Discord DMs and ensure the safety of private keys. To help users the Financial Crimes Enforcement Network (FinCEN), working with partners, should continue to provide updated best practices and red flags for engaging with the NFT ecosystem.

Private sector initiatives – Chainabuse

In addition to what users can do to protect against frauds and scams the industry can also do more to protect users. The public nature of blockchains enables greater information-sharing between consumers and the industry, enabling them to act together to protect the ecosystem from scams, hacks, and fraud. Through crypto fraud-reporting tools like Chainabuse.com,which is operated by TRM Labs, members of the public can increase visibility of notable schemes and limit further victims by reporting the scams they come across.

Since its launch the Chainabuse platform has received over 240,000 reports of wallet addresses and URLs that are linked to frauds and scams involving cryptocurrencies. These reports allow Chainabuse to crowdsource a network-community driven reliable multi-chain real-time database of scams in web3 worldwide. In doing so, a resource is created where users can quickly check addresses and entities they interact with to understand whether they might be exposed to illicit activity.

AML/CFT Regulation and Supervision

Digital assets and blockchain based technologies allow for the more efficient and effective combating of financial crime due to their inherent qualities. The native properties of public blockchains — data that is Transparent, Traceable, Public, Permanent, Private, and Programmable — enable compliance professionals, law enforcement, regulators, supervisors, and other government agency officials to more readily identify, investigate and mitigate financial crime risks.  Blockchain intelligence tools are a key part of this, enabling entities to exploit these inherent characteristics.

Following the previous section on illicit finance risks and what is currently being done to mitigate them, this section will consider what opportunities the inherent characteristics of blockchain hold for AML/CFT compliance, regulation and supervision and put forward how supervisors and regulators can further enhance their activities by making best use of these characteristics.

Transparent

Information about illicit funds moving through the financial sector currently resides on thousands of private corporate servers located in the U.S. and overseas. To combat financial crime, governments rely on financial institutions having adequate internal systems and data to report instances of fraud, money laundering, terrorist financing, and financial crime to regulators and law enforcement via Suspicious Activity Reports (SARs) or ad hoc notifications.

The nature of public blockchains as open and distributed ledgers means that each transaction is verified and logged in a shared, immutable record, along with the timestamp of the transaction and the blockchain addresses involved. This data from the public blockchain is transparent, enabling the financial industry and government agencies to monitor trends in financial crime, market abuse, and financial stability in real-time and conduct more effective sectoral risk assessments.

The transparency of blockchain-based transactions provides visibility into illicit transaction volume that would otherwise be unattainable. For instance, the U.S. Department of Justice’s press release on the disruption of the darknet market Hydra Market asserts that the market received approximately $5.2 billion in cryptocurrency for the purchase of illicit goods and services, such as illegal drugs, stolen financial information, fraudulent identification documents, and money laundering services - a fact that is only obtainable because of the transparent nature of the blockchain.

Case study

Today, regulated entities are making use of this transparency to understand flows on blockchains, what suspicious activity could look like, informing risk assessments and transaction monitoring rules.

As financial institutions look to engage with entities facilitating crypto-related business (e.g. a crypto exchange), the transparent nature of blockchain data, coupled with blockchain intelligence, allows for unprecedented visibility on controls. For instance, a review of the entity’s anti-money laundering policies and procedures can be analyzed against the actual amount of illicit activity being facilitated on-chain.

This analysis enables traditional financial institutions to partner, transact with and manage the funds of crypto entities with acceptable levels of risk management. Similarly, crypto entities looking to get access to public markets and banking services are encouraged to strengthen their internal controls, knowing that institutions will have a more transparent view into their risk levels. In essence, blockchain intelligence greatly enhances the effectiveness of enhanced due diligence controls across the finance industry.

Traceable

For anti-money laundering compliance specialists and auditors working in traditional finance, cumbersome manual investigation is required to verify Source of Wealth and Source of Funds for a single customer, often requiring collecting information from independent sources such as company registries, banks, accountants, and lawyers. For government investigators, it can take months or even years to follow the trail of a sophisticated criminal, oftentimes requiring subpoenas across multiple service providers in various jurisdictions and necessitating that law enforcement go through the cumbersome Mutual Legal Assistance Treaty (MLAT) process to seek foreign law enforcement assistance to obtain evidence.

Because blockchains provide an immutable audit trail of every transaction, understanding the ultimate source and destination of funds, particularly across jurisdictions, is substantially easier, faster, and more reliable compared to tracing funds through traditional financing mechanisms. Blockchain intelligence software can transform the alphanumeric characters on the blockchain to a visual representation of the flow of funds, allowing compliance specialists and law enforcement to “follow the money” around the world in real-time, accelerating investigation time.

The traceability of blockchain transactions also enables more advanced capabilities to detect suspicious activity. In traditional finance, compliance departments typically only view transactions for which there is a direct counterparty in order to measure risk. The consequence is that transaction monitoring rules are limited to behavioral patterns such as transaction type, amount, or velocity. With blockchain transactions, virtual asset exchanges can detect incoming deposits of proceeds from a ransomware attack, even if the funds moved through multiple transactions before being deposited.

Case Study

Banks across the country routinely ask high risk customers such as Russian oligarchs, politically exposed persons, or individuals who have claimed to make their wealth from cash intensive businesses how their wealth was obtained, and how the bank accounts will be funded. As noted in previous reports by Treasury, which outlined Russian oligarchs’ ability to launder funds into the U.S. financial system, it is not uncommon in traditional finance for these actors to provide false or misleading information about their wealth and funding mechanisms. Financial institutions are thus left to rely on the word of the high risk client's own lawyers or accountants about the legitimacy of their wealth. Armed with blockchain intelligence, and wherever there may be evidence that wealth is tied to blockchain-based assets, institutions are now able to ask for and verify in real time, wallet addresses, asset locations and narratives to substantiate what the prospective client may be telling them, and thus more easily deny relationships and block funding that stem from illicit sources.

Public

Unlike transaction and customer data held by companies or financial institutions, public blockchains are distributed and not managed by a central authority. Thus, anyone — including law enforcement officials and regulators — can access, identify, and trace

blockchain transactions without a SAR, subpoena, search warrant, MLAT, or on-site examination because that information is free and publicly accessible, independent of a third-party. In court, prosecutors are then able to present the blockchain as an objective “eyewitness” on a single transaction rather than rely on a witness, such as a law enforcement investigator.

Case study

The public nature of blockchains enables greater information-sharing between consumers, enabling them to protect themselves from scams, hacks, and fraud. Through crypto fraud-reporting tools like Chainabuse.com (mentioned above), members of the public can increase visibility of notable schemes and limit further victims.

Permanent

Storing transaction records for long periods of time is costly, cumbersome, and may be prohibited under local law. Consequently, records are often missing, creating hurdles for financial crime investigations. In contrast, transactions are permanently recorded on the blockchain, which allows institutions, auditors, and government investigators greater ability to “follow the money,” even if the transaction is several years old.

Case study

Private

As more consumers, businesses, and governments transact on blockchains, it becomes even more important to enable financial privacy on blockchains, in order to protect consumer privacy, prevent corporate and nation-state espionage, reduce the risk of data breaches, and protect national security all the while meeting compliance obligations.

It bears emphasizing that privacy and blockchains are not incompatible. In many ways, blockchain-based technologies – by minimizing the need to store personal data in one centralized repository, by empowering individuals to assert control over who accesses their data, and by allowing individuals to determine for what purposes their data will be used – are more privacy-protective than the status quo.

At present, within the industry, Privacy-Enhancing Technologies (PETs) like zero-knowledge proofs are being deployed at the protocol, middleware, and application layers to advance data protection and privacy goals. PETs can be used to make information on blockchains private, such as transaction details or data on blockchain-based computer programs. Notably, PETs can be configured to make information selectively visible depending on certain conditions and policies, such as whether the requester is authorized to view the data.

Programmable

Blockchain provides a new opportunity to increase access to the financial system by reducing the cost of providing financial services, helping countries meet their financial inclusion goals. One way this is being achieved is by integrating automated KYC/AML controls at the protocol, smart contract, and application layer of blockchain technologies.

Blockchain-based “digital passports” could allow individuals and entities to store proof of KYC verification directly on the blockchain, a “win-win” for all parties—customers, institutions, and government—involved in transactions. Customers would seamlessly access financial services and minimize the distribution of sensitive personal information to new financial intermediaries. Developers could program automated approvals or denials directly into smart contracts and protocols to prevent sanctioned or other high-risk addresses from interacting with their services.

The unique qualities of blockchains allow for enhanced regulatory oversight

As discussed above, the BSA framework currently requires banks and other Money Service Businesses ("MSBs") to register with FinCEN, to maintain an AML program, and to file suspicious activity reports ("SARs") when suspicious activity arises. This means that FinCEN must rely on intermediary financial institutions, with oversight only over the transactions they directly administer, to identify risky behaviors and to submit a report that is actionable and valuable to law enforcement officials.

Blockchain technology has the potential to disrupt the siloed, end-user generated, one-way communication of SARs. Depending on the circumstances, a transaction could even be blocked, or held in escrow, before it is carried out based on identity information provided by regulators.

Regulators are not restricted to accessing only transaction data, but could also access profiles on digital entities, custodians, and stablecoin issuers, among others. Oversight can be conducted across multiple blockchains, revealing the percentage of trade linked to high-risk activities. Collection of data directly from the blockchain is precisely the sort of risk- based and agile regulatory practice that would increase efficiency and effectiveness for managing financial crime risk.

In October 2021, the Financial Action Task Force ("FATF") issued guidance encouraging regulators to use blockchain intelligence to identify persons operating without a license or registration. It further recommended enhanced due diligence with respect to certain virtual asset service providers, including those engaged in cross-border correspondent relationships, leading to more effective implementation of risk-based controls. FATF highlights the fact that certain jurisdictions, including the United States, already use blockchain analytics in their supervision of regulated entities.

A revised regulatory approach using blockchain intelligence would benefit both regulators and digital asset providers. The availability of raw blockchain data, unprecedented both in quantity and quality, gives regulators the ability to instantly access relevant information without the lag time or filtering mechanism inherent in relying on intermediaries to submit SARs.

In turn, providers would be freed from some of the burden of subjectively assessing if and when to submit a SAR. Automated monitoring combined with direct access for regulators reduces the inefficiencies of manual monitoring of low-risk transactions and entities and increases the likelihood that high-risk activities will be flagged, tracked, and easily investigated by the relevant authorities - creating gains for the overall effectiveness of anti-financial crime efforts.

Recommendations

TRM welcomes this opportunity to comment on how to ensure the responsible development of digital assets. Digital assets hold a huge amount of potential for our society, economy and for how we fight financial crime in the future. The collaborative approach taken by Treasury in this process is very positive and we look forward to continuing to work with government partners as the ecosystem develops.

Throughout this comment we have made several recommendations for how responsible adoption of digital assets can be ensured. These can be summarized into three main recommendations.

• Ensure that policymakers, regulators, supervisors and law enforcement have the necessary training and tools to effectively identify and mitigate illicit finance risk in digital assets. While it is possible to enhance the current regulatory and supervisory practices by utilizing blockchain intelligence tools, it is paramount that these tools, and training, be made readily available to regulators and investigators both in the U.S. and, to the extent possible, in jurisdictions that can benefit from capacity building.
• Enhance public private partnerships (PPPs) with real time information exchange to equip the private sector with the data they need to combat financial crime and the information supervisors need to conduct real time supervision. For PPPs to be effective it is essential that a broad range of stakeholders are included and participate. The United States Treasury should map the digital asset ecosystem to ensure that it includes a good representation of the industry in its PPPs and review information sharing mechanisms to ensure that they are fit for purpose in the digital asset age. Finally, criminals who exploit digital assets are based across the world, to create an international response to this problem domestic PPPs should aspire to collaborate with PPPs in allied nations.
• Uplift cybersecurity expectations and capabilities across the industry to make it more difficult to attack the digital asset infrastructure and profit from malicious activity. Users must be upskilled in cybersecurity practices for the digital asset ecosystem. The private sector who operate in the digital asset space should have processes in place to respond to cybersecurity events when they occur including incident response and when attacks do occur, government agencies should be able to share appropriate information on them with blockchain intelligence firms to help stop future attacks.

‍