Merchant Crypto Payments: A New National Security Frontier

The Bitcoin logo on a mock coin. (Flickr, https://tinyurl.com/by7pr9uw; CC BY-ND 2.0, https://creativecommons.org/licenses/by-nd/2.0/) Last month, the U.S. Department of the Treasury’s Office of Foreign Asset Control (OFAC), the agency that enforces U.S. sanctions, announced it had reached a half a million dollar settlement with cryptocurrency payment processor firm BitPay, a U.S. company. OFAC had been investigating BitPay for allegedly processing payments to merchants from customers in sanctioned jurisdictions. This announcement got scant public attention, even among cryptocurrency industry watchers, but it is a glimpse into thorny regulatory challenges ahead as large, mainstream corporations are jumping into the crypto space and pushing for more people to use digital assets in commerce. Much of this steady rush into retail crypto activity is occurring without a check of the regulatory blindspots ahead.   The BitPay settlement also points to how illicit actors might adjust their strategies to circumvent anti-money laundering, combatting the financing of terrorism (AML/CFT) and sanctions compliance requirements. As people’s lives become more digital and businesses become more open to cryptocurrencies, U.S. law enforcement and national security personnel may find that illicit financial activity increasingly involves crypto payments. The business model for cryptocurrency payment processors like BitPay is straightforward. These companies provide software allowing retail merchants to accept cryptocurrencies as payment online or in brick-and-mortar establishments. The merchants do not need to handle cryptocurrencies directly. The payment processor owns the software wallets with which customers pay using Bitcoin or some other cryptocurrency, and then the processor converts those funds into regular fiat currency. The processor company then sends those converted funds to the merchant, minus a commission. This financial activity makes the payment processor a money transmitter under U.S. law and obligates it to follow all AML/CFT and sanctions regulations. According to OFAC, BitPay failed in sanctions compliance. While BitPay screened its merchant clients to ensure they were not on the U.S. sanctions list or operating in sanctioned countries, the company for five years did not prevent individuals in sanctioned locations such as Crimea, Cuba, Iran, North Korea, Sudan and Syria from purchasing from U.S. merchants via BitPay’s crypto payment platform. Thus, it enabled customers in these locations to evade sanctions and transact with U.S. businesses. OFAC pursued a settlement instead of a civil prosecution for these violations, acknowledging that BitPay agreed to implement multiple measures to properly screen buyers before processing their crypto payments. The good regulatory news story here is that integrating sanctions compliance measures should not be technically difficult for cryptocurrency payment processors. Systems and processes to block IP addresses from sanctioned jurisdictions and verify customer identification have been standard in conventional payment processing for decades, and they are easily applicable to crypto processors.  But the bad news is that there are aspects of cryptocurrency technology that offer loopholes to these sanctions compliance systems, which illicit actors are likely to exploit. And there are certain types of online merchants that are increasingly likely to prefer crypto payments, which may exacerbate these loopholes. If merchants use payment processors to accept cryptocurrency payments, they can depend on those third-party money transmitter businesses to validate customers. But if a merchant owns a self-custodied crypto wallet to accept payments, there would be no third party involved to screen customers. Self-custodied wallets can be downloaded, managed and operated without a regulated financial institution. However, they are less user friendly and more cumbersome, requiring users to secure an alphanumeric private key, which, if lost or stolen, could make the funds irretrievable. Most online merchants are not in the habit of verifying customer identification documents before making a sale. So, in a peer-to-peer digital payment method, the sanctions screening process is absent. While it is illegal for U.S. businesses to transact financially with someone on OFAC’s sanctions list, most retail businesses are not obligated to do any sort of sanctions compliance. That responsibility falls on the payment processor, whether it is a bank, a credit card company or a firm like BitPay. This means that merchants using self-custodied wallets to accept crypto from customers who also use self-custodied wallets operate within a regulatory loophole where sanctions evasion transactions could occur. There’s no intermediary to screen against the sanctions list. Some regulatory safeguards exist to mitigate this loophole, but they are not airtight. When people purchase cryptocurrencies with fiat currency, they typically must go through a cryptocurrency exchange. In all jurisdictions, these exchanges are supposed to be regulated by financial authorities and exchanges must verify the identities of their users. Any exchanges that want access to U.S. financial institutions, U.S. customers or U.S. dollar transactions must also follow OFAC sanctions guidelines. And if an exchange that does not need direct access to the U.S. dollar wants a bank account, most non-U.S. banks will only service exchanges that comply with U.S. sanctions, given OFAC’s ability to apply secondary sanctions on non-U.S. banks that offer services to designated entities.   So, in theory, individuals in sanctioned jurisdictions are quite restricted in their ability to directly purchase crypto on foreign exchanges, unless those exchanges are in sanctioned countries that do not comply with U.S. sanctions. Alternatively, to get fresh crypto that could be moved to a self-custodied wallet, these individuals may trade through informal, peer-to-peer exchanges often using physical cash, or they may participate in cryptocurrency mining to earn digital tokens when they first come into circulation. This makes large-scale crypto acquisition difficult, which is why North Korea in recent years has tried to gain hundreds of millions of dollars worth of crypto by another, more intensive strategy: cyber-hacking exchanges to steal tokens. The North Korean regime most likely wants to use these stolen cryptocurrencies to finance its operations. But with North Korea under U.S . and United Nations sanctions, cashing out to regular currency is difficult. Exchanges can identify stolen tokens through public blockchain analysis and flag them if a customer tries to trade them for cash. Thus far, North Korea-linked operatives have tried to overcome this hurdle by mounting intricate laundering operations to move hacked tokens with clean wallets and obfuscate the origin of their ill-gotten crypto funds. This is not always successful, so North Korea probably has not been able to use much of its hacked crypto. It would not be surprising for North Korea to seek an alternate way to use stolen crypto to its advantage. Instead of trying to cash out, regime operatives could try to spend it directly on tools and services. Based on the Kim Jong Un regime’s growing ability with cryptocurrency technology, what follows is a hypothetical scenario they would likely try to employ. A North Korean cyber operative located in a nonsanctioned country—probably in Southeast Asia, where cryptocurrency regulations are not very robust —could move stolen crypto into a self-custodied wallet. He or she would not have to provide any personal identification documents to use such a wallet. From there, the operative might establish a fake online persona, setting up a clean email to correspond with external businesses and individuals. The operative could identify online services needed for North Korean cyber operations such as virtual private networks, website domains and additional self-custodied software wallets to hold and launder additional cryptocurrencies.  The operative might then seek online merchants that accept cryptocurrencies for these services. These merchants would probably require only an email as contact information for sales. The operative might analyze the merchant’s cryptocurrency address to assess whether the merchant’s wallet is self-custodied or hosted by a regulated entity such as an exchange or cryptocurrency payment processor. If it’s a self-custodied wallet, the operative would purchase the needed cyber tools, with high confidence that the vendor would not inquire further about the operative’s identity and that no third-party financial institution would evaluate the transaction for any suspicious activity. And because the vendor is a retail merchant and not a regulated money transmitter, it would be under no clear legal obligation to check whether the cryptocurrency it accepts is from criminal sources or a sanctioned individual. This is analogous to how a corner grocery store is not obligated to assess whether the cash it accepts from a customer came from illicit activity or from someone on OFAC’s sanctions list. In this scenario, the North Korean operative would gain tangible value for the stolen cryptocurrencies for as long as the online vendors do no due dili
Merchant Crypto Payments: A New National Security Frontier posted first on http://realempcol.tumblr.com/rss