Episode 2 - Demystifying cryptocurrencies

AH: Yeah, absolutely. Thanks, Rachael. I'm a director at the School of International Financial Services, a specialist training provider across areas such as governance, risk, compliance and financial crime prevention. My background is a mixture of regulatory compliance and cryptocurrency or, more broadly, virtual assets.

In terms of the topic today, we're going to have a look at what cryptocurrencies are, we're going to consider some of the different risk vectors for servicing cryptocurrency clients and for businesses that may be already exposed to cryptocurrency or looking at exploring what their exposure to cryptocurrency and cryptocurrency clients might look like.

AH: When we talk about cryptocurrencies, we're generally talking about some form of digital representation of value that can be transferred on a peer-to-peer basis through the use of blockchain technology. Generally, when we're looking at cryptocurrencies, we are looking at the concepts of decentralisation and disintermediation.

So, if we think about our traditional payment systems, so the use of financial institutions like banks or credit card companies, we always tend to rely on a scentralised intermediary to process – to intermediate – that transaction for us. So, if we're sending funds to our utility company, or to a friend for a dinner we had the other evening, we're likely going to be using a bank or an electronic money institution, something like Revolute, to transfer those funds. Now, cryptocurrencies are built on this concept of replacing those intermediaries, removing the intermediation, and replacing it with technology, effectively a network of computers and the use of computer code and encryption to allow parties to transfer value from place A to place B, party A to party B, without the use of any scentralised intermediary.

AH: The key thing to grasp about what goes on with hacks and the loss of crypto assets is to first understand how the ownership of crypto assets works and how it’s governed. The way that crypto-asset ownership works, and in fact, how all of the transactions work, is through the use of public and private key cryptography. Public key and private key cryptography is the same technology that secures most of our digital worlds. When we log into a social media site, or when we log into a banking platform, we are using a form of public and private key cryptography: the use of a username and password. It's that same type of technology that governs the ownership of crypto assets. We have a public key, which is effectively a string of letters and numbers, which is stamped or recorded in the publicly available ledger information that is the blockchain. We then have a corresponding private key, which denotes ownership of what's recorded there publicly on the blockchain.

These private keys are really the important part of cryptocurrency ownership because whoever has access to the private key can digitally sign a transaction, not dissimilar to signing a cheque. That's what sauthorises the transfer of value over the network of computers, over the peer-to-peer network. You'll hear numerous stories of people who have lost their private keys and are unable to recover cryptocurrency or where a computer hacker has gained access to somebody's private keys. In the intro to cryptocurrencies, I mentioned [the concepts of] ‘sdecentralised’ and ‘disintermediated’: the whole premise is we don't rely on any scentralised intermediary. That means there's nobody to go to if you lose your private key: there's no bank you can go to, to reverse a transaction or to regain access. The whole premise of cryptocurrency is that users self-custody their own assets; they are responsible for their own assets. And as a result of that, there's a big risk there that you lose them or somebody else gains access to them.

A lot of the hacks [happen when] a scentralised party is reintroduced into the ecosystem. If you take something like a cryptocurrency exchange, effectively, what you do when you use a cryptocurrency exchange is you trust that provider to store your private keys for you, you’re effectively storing them to handle your assets. The risk here is that your access to that exchange platform is merely secured using an email address and a password. It's fairly straightforward to compromise email addresses and passwords: the majority of us will probably have been included in some form of data leak. And most of us tend to have bad password hygiene: we recycle the same passwords, making it easy enough for a cyber attacker to guess them. The other risk vector is that you're trusting that this exchange, this third party who you're using to reintermediate your transactions, you're trusting that their technological infrastructure, all of their back end and their cybersecurity controls, are absolutely solid. Because if they're not, and someone gains access that way, they've got access to your private keys, and again, off they go with your crypto assets.

AH: It's a good question, and there's a lot of disagreement, I'd say, in the space, around what this should look like. The way people store private keys is in something called a wallet. And you can distinguish wallets between whether they are cold or hot, or whether they are custodial, or noncustodial. The differentiation between cold and hot is whether that private key is connected to the internet. If it's hosted on an online platform and you can log into details, then it's a hot wallet.

If you store it offline, which historically used to literally be writing down a private key on a piece of paper, [it’s a cold wallet]. More recently, we've got some more sophisticated devices, which are like USB drives, they’re what we call ‘private hardware security modules’. These USB-type keys are able to store the private key in a way where it's air-gapped from the internet. And that's generally seen as the most secure method, but it doesn't work for everyone and everything. For individuals, it might be suitable. But for institutions, you can start to look at the types of investment funds; they need access to their digital assets online, and they need to be able to actively trade them. The cold storage infrastructure to safely handle assets where they’re air-gapped from the internet is catching up but isn't yet fully there. You wouldn't be able to apply, in most cases, the same governance controls we're used to applying to things like company bank accounts or client bank accounts to handling virtual assets or crypto assets.

AH: There were some notable exceptions of early works in relation to cryptocurrency, but putting those to one side, it's generally accepted that the birth of cryptocurrency was as a result of the introduction of Bitcoin in 2009 by the anonymous or pseudonymous person, Satoshi Nakamoto. And the white paper and thesis around Bitcoin was this idea to create a digital currency that was outside of the control of governments and central bank monetary policy. And that could be exchanged in a trustless way without having to use a centralised and regulated intermediary and instead rely on computer codes to create that trustless method of exchange. For a good number of years, I’d say a good eight, nine, ten years following the introduction of Bitcoin, that's all we really had in the cryptocurrency space, it was just further iterations of cryptocurrencies, coins, which were designed as some method to transfer value between different parties.

What we then started to get was a shift into more sophisticated applications of the same concepts and the same technology. So, we saw these similar concepts of decentralisation, of disintermediation, the use of blockchain technology, but now applied to other areas of financial services beyond just payments, which cryptocurrencies like Bitcoin were focused on. And that is what we have with ‘DeFi’ or sdecentralised finance. It's the provision of all the different financial services that we currently have in modern economies but using the principles of peer-to-peer basis and disintermediation.

We have loads of things going on in the DeFi space, there are borrowing or lending protocols whereby you can lock some of your cryptocurrency assets into a smart contract as collateral and then borrow against them up to 50, 75 per cent loan-to-value (LTV) in certain instances. You then have someone on the other end of that who is depositing their cryptocurrencies into these smart contracts and in exchange is receiving an interest rate for depositing those funds there for them to be lent out to someone else. But again, it's all on a peer-to-peer basis using the blockchain and smart contracts as the method to do this rather than an intermediary.

We have things in insurance, you can go and insure the risk of a cryptocurrency protocol or smart contract failing. You can insure the risk of a cryptocurrency exchange being hacked, and your cryptocurrency being stolen. And again, it's all about that balanced side of the book, there’s someone on the other end who is prepared to insure against that risk, deposit funds into a protocol and receive some premium in exchange to that.

Then we've got sdecentralised exchanges, which are probably by far the biggest element of sdecentralised finance. These are taking your cryptocurrency exchanges, which up until date have been centralised, you have a company who you go and on-board with and you open an account, and then you can then trade it in their order book. And it's switching that out to fully decentralised, there is no central party, it is all computer coded, all smart contracts. And people can now exchange from one cryptocurrency like Bitcoin into another one like Ethereum, or into another one like Solana, using these smart contracts without using any scentralised intermediary to facilitate those transactions. So that's what we're looking at with DeFi.

AH: Yeah, fully. The design of these solutions and the initial premise of cryptocurrency was to reduce those risks that intermediaries mitigate through the use of computer code. And, to a large extent, a lot of these protocols do this. But you've always got the risk that the computer code fails, and we see it happen. We talk about smart contract failure, which is where the computer code that has been developed is in some way exploited, and in many cases, tens if not hundreds of millions of dollars can be stolen or redirected somewhere else, because the coding that was developed wasn't absolutely watertight, or it wasn't audited. There is definitely risk there.

The high-quality DeFi protocols will conduct audits, they will engage an external computer code auditor effectively to review their smart contracts and certify them as secure. Really, as an industry standard, that should be happening on a regular basis, every three if not every six months. But by and large that isn't the norm. If I was to put an arbitrary figure on it, you might be looking at 20 per cent of DeFi protocols [that] currently undergo that process. You see new ones popping up all the time, and they don't necessarily have the funding, or the network, or the expertise to go through that full auditing process to try and reduce the risk of failure.

AH: NFT stands for non-fungible token and to grasp them, it's worth running over the concept of fungibility. The concept of fungibility is effectively whether something is the same, or if it's exchangeable for the same. Let's say you and I have got two £10 notes, we put them into a hat, we scrunch them around a bit, at the end of it, you don't really care which £10 note you got back, because £10 notes are fungible: they're all worth £10. Or you can go and exchange them elsewhere for goods and services, it doesn't matter which note it is that we got out of the two. And the same applies to cryptocurrencies: you couldn't care less which Bitcoins or which Ethereum tokens you had, because they are all fungible, they're all worth the same value.

We then have things which can be semi-fungible. This is where they share some of the same feature, but then they have some elements that are unique. A good example of this is something like a concert ticket: everyone with a ticket to the concert will get access, so that element of the ticket is fungible. But some of the tickets might be seated, some of them might be standing, some might be standard access, some might be VIP access, and therefore there is a degree of non-fungibility in that element.

Lastly, we come around to things which are fully non-fungible, things which are unique; they have entirely unique attributes, and you would care whether you got one over the other because they're entirely different. Primarily, what we're seeing with NFTs at the moment is the use of them in digital artwork or in digital collectables. Now, this is the sort of stuff that you'll have seen being auctioned off and sold for hundreds of thousands, millions of pounds, in many cases. What we have here are, generally speaking, algorithmically generated artworks. An algorithm is used to combine a number of different attributes with varying rarities. A common one you may have come across is something called the Bored Ape Yacht Club, it’s probably up there as the, if not one of two or three of the most well-known NFT art collections, and it's certainly the most expensive, you're looking at hundreds of thousands of dollars and collections of them have been auctioned off at Christie's and other auction houses for tens of millions of pounds. Effectively they are just pictures of cartoon apes. And they all have different attributes on them. Some are wearing glasses, some wearing hats, and the rarity of each of those attributes to the degree determines the value of them. Some of them will be a particular-coloured ape, and there might only be 2 per cent of those apes available in the entire collection, and because of that the market perceives them to be of higher value. What we have with NFTs in their current state is a combination of the art world – people investing in and collecting pieces of art – with what we have in the collectables world with things like baseball cards and the rarity of them making them more valuable, or equally more recently, things like people collecting sneakers again, for those same reasons.

That's what we have at the moment in the NFT space. I think we're likely to see more. I've worked with a couple of clients who are looking at trying to take event tickets onto the blockchain using NFTs to represent those tickets and to verify their authenticity. This is a key part of NFTs, that we can verify through the blockchain the authenticity of that digital artwork or that item. So, I think there's more to come with the NFTs, but at the moment, we are primarily focused as a sector around pictures of cartoon animals, it appears.

AH: I think there's two elements there. It's worth considering the history of cryptocurrencies here to a degree. When we first had the introduction of cryptocurrencies with the birth of Bitcoin, the early adopters of crypto and particularly Bitcoin were primarily split into a few different groups.

You had what I would call the anti-establishment sort, these were people who wanted to have a form of currency which was outside the control of central bank policy and of governments and something that they could hold and own themselves without using the financial sector.

You then had the techies or the technologists, these were people who were interested, excited perhaps even, in the technology and what could be achieved in the future by using blockchain and by being able to transfer value over the internet in a trustless way, in a way that's never been seen before.

You then had a third category, and as happens with anything, you will always find parties who will find features of something attractive and abuse those to meet their illicit or criminal aims. And that was exactly the same with cryptocurrencies: immediately organised crime groups – drug dealers, in particular, cybercriminals – all saw the ability to now send funds anywhere around the world on a peer-to-peer basis, in a way which, at the time, was entirely unregulated, wasn't even on the radar of regulators at this point of time, really.

In those early days, the total number of transactions was dwarfed quite heavily by criminal actors. There was the existence of something called ‘Dark Net marketplaces’, which were effectively an Amazon or an eBay that existed on a certain part of the internet called the Dark Web, where people could buy and sell almost any illegal good and service you can imagine. Initially [it was] very much focused on drugs, people would buy cannabis and cocaine and other drugs online, and the payment mechanism there was Bitcoin. Because that was very much connected with the early days of cryptocurrency, there’s always been this focus on money laundering risk in cryptocurrency.

It all comes down to the perceived anonymity of crypto assets in that the information recorded on the blockchain is something called a public key or an address, and that's not tied to any real-world identity. Because of that, it allows people to transact in a way that can often be seen as anonymous. In terms of whether it's a big problem to date, it's certainly a problem. I don't think it's anywhere near as substantial a problem as it historically was. By virtue of the blockchain being publicly available, it's possible to interrogate historic data, and you can connect quite easily the addresses of things like dark net marketplaces, or the addresses of people on sanctions lists, two different crypto transactions. You can quite easily build a picture using artificial intelligence tools and blockchain analytics tools of the risk profile of a particular cryptocurrency wallet address.

As a result of all that, cryptocurrency money laundering and cryptocurrency-related financial crime, based on the data, most reports will put as between 1 and 2 per cent. Now, if we contrast that with traditional markets, although it's an estimate, the generally accepted rule is that we're looking at somewhere between 3 and 5 per cent of global gross domestic product is some form of illicit transaction. So arguably, [there’s] less money laundering and financial crime in crypto assets than traditional [assets], but that doesn't by any means take away from the fact that it is a risk vector. And it is a particularly big risk vector, because the space evolves at such a pace, that the risk profile can change substantially over a period of six months. We spoke about DeFi before, and centralised cryptocurrency exchanges in most places in the world are now regulated, but decentralised finance tends, in most jurisdictions, to fall outside the scope of regulation. So, whilst we are seeing know your customer (KYC) [procedures being carried out] when you use a centralised party, peer-to-peer transactions, or the use of DeFi, doesn't touch the world of due diligence and KYC, and that there is a huge risk vector around people being able to use it to transfer illicit gains, or illicit proceeds.

AH: Yeah, totally. It all comes down to what controls are in place to identify people and to screen transactions. The only place that comes from is regulation. It all depends on what the regulatory or legal requirements are in certain jurisdictions. In most places, you take the UK and the EU as an example, most crypto providers are subject to the same anti-money laundering (AML) requirements as financial institutions. They need to identify the customer. They need to understand the purpose and nature of the relationship. They need to screen for transactions, and they need to search for them against sanctions databases. Through routes like that, there isn't really an avenue [for avoiding sanctions or money laundering].

However, as we've said, there are things like decentralised finance, there is the ability to transfer on a peer-to-peer basis. It's areas like that where cryptocurrencies and even NFTs could 100% be being used, and no doubt are to some degree, being used to circumvent sanctions. It all really comes down to, where's the weakest link in the chain. That will tend to be around lack of regulation in a particular jurisdiction, or jurisdictions whereby the sanctions don't apply. And that's how you can then off-ramp it.

AH: I think it's definitely catching up and, to some degree, has caught up. It all depends on what areas of regulation we're looking at. So, look back at 2016 to 2017: most crypto operators, whether they be exchanges, or custodians of some form, in most places around the world, weren't subject to anti-money laundering regulations. It took governments to proactively legislate to bring them in scope or to introduce specific laws. As a result of that, financial crime risk, money laundering risk, terrorist financing risk, was much greater at that point versus what we have now, which is in the majority of the world, bar let's say that a handful of jurisdictions, crypto activities are subject to some form of money laundering regulations. You have to identify the client; you have to screen the transactions in the same way as you would if you were a financial institution.

Now, the challenge is that the technology and the industry evolve at such a rapid pace. There are different types of regulation around the world that are due to be introduced, or have been introduced, over the last couple of years. And they are in touch with an industry of 2018 or 2019, not what's currently happening now. A lot of regulation around AML didn't consider aspects of decentralised finance, because it wasn't really a thing at the time. And regulators and governments are always going to have this challenge of trying to keep pace with the industry and the innovation, striking the right balance between protecting financial systems from financial crime and meeting their other regulatory objectives, and trying not to stifle innovation.

I think that's one area which is fairly underdeveloped at the moment around things like consumer protection. We've had a lot of regulation around financial crime and anti-money laundering, not so much focused around investment, business and securities, and consumer protection. That's where I think we really need to see regulation catch up to box-off that element of protection.

AH: I think it depends [on] what exactly it is the company that they’re acting as company secretary [for] is doing. A lot of businesses are now looking at accepting payments in cryptocurrency. There's, therefore, a concern around how those assets are managed, whether they are being screened, what controls we have internally, and what internal governance processes we have to manage transferring and storing those crypto assets.

I think a lot of that sits quite nicely with the skill set and knowledge and experience of company secretaries. With research, training and education, it could become a really good skill set to support that.

I guess you've then got company secretaries of companies which are servicing clients, which themselves might have cryptocurrency risk. Again, a lot of the same stuff applies there. It's all going to be around what is the risk exposure. I break that down into operational risk exposure: do we end up losing assets? Can somebody embezzle assets? What can we do to make sure they're protected? And then broader regulatory and financial crime prevention exposure. In terms of, is there a risk that what we currently do, in the way we currently operate, could be abused by criminals by virtue of the features of cryptocurrency that they can go and exploit?

AH: Yeah, I think there is. If you look into the technology space, the majority of the developers, even a lot of the lawyers and accountants that we frequently use in the crypto web free space, all take payment in cryptocurrency, and a lot of those firms pay their employees in cryptocurrency. I think there certainly will be broader demand across other sectors, just not right now. The barriers to entry at the moment are quite high, it's fairly challenging and complex. And I don't think in its current state, there are any advantages for the common user over receiving [pay] in crypto versus having the money just credited into their bank accounts. I think as those barriers reduce, as it becomes easier, more user-friendly to access, if you can get to a point where you can use cryptocurrencies without even really having to talk about what they are or how the technology works, then we're probably at a good position to start seeing broader mass adoption and things like people wanting salary paid in crypto.

AH: So, I think it's all about keeping up to date with what's going on in the space. Recognising that you are not a technologist, but you should still be making sure that you have a decent understanding and awareness of what cryptocurrencies are, what blockchain technology is, and put some thought through to how it might be used, or how it could impact your business and your industry. Make sure you are there and able to contribute in a meaningful way, as and when, or if the business decides to start looking at crypto assets in whatever capacity that might be.

AH: I think a lot of it comes down to whether you are or can appeal to a different demographic. I think particularly a younger generation, younger than even I, see cryptocurrencies and blockchain-based solutions more as the norm, rather than an alternative to an existing system.

I think it will be recognising, depending on the business model, if that's a target market, or begins to become a target market over the coming years, then we probably need to start thinking now about how we service them. And in order to service them, we're going to have to make sure that all of our governance and risk management frameworks are in place, and it's probably going to take a lot of work because unless it's a well-trodden path that the cryptocurrency sector has already been looking at, you're probably looking at doing something fairly new and fairly innovative and trying to devise solutions that don't currently exist.

AH: My absolute pleasure. Thank you. Thank you.