By David Nordell
Only a short while after writing an article here, The EU proposes to limit virtual currency transactions: but will this help?, I realised that the story was more complex than I had originally described, and indeed points to yet another example of the regulatory confusion from which the European Commission typically suffers. As a result, I have added my analysis of how the Commission's new proposals for fighting terror finance and money laundering, as well as some of its other regulations, may actually cause much more harm than good. The changes are nearly all at the end.
One of the most popular methods for financial regulators worldwide to try to prevent or restrict terror funding and money laundering is to limit the use of cash in the economy, since it is so difficult to track cash. The EU’s Third Money Laundering Directive (3MLD) requires financial institutions to carry out additional Know Your Customer checks on anyone carrying out transactions of more than 15,000 Euros, and the Fourth Money Laundering Directive, due to come into force later this year, reduces this trigger amount to 10,000 Euros.
There is indeed logic behind these cash limits: although most terror attacks cost far less money to plan and execute than the hundreds of thousands of dollars needed for the 9/11 attack in the United States, buying the arms and ammunition used in the Bataclan attacks in Paris, and in the one at Brussels airport, from black-market weapons dealers in Belgium costs real money; and in principle, making it more difficult for terrorists to move large sums of cash -- since of course black-market weapons are purchased either with cash or drugs -- should make these weapons more difficult to obtain. Several years ago, the UK’s Serious and Organised Crime Agency, now rebranded as the National Crime Agency, discovered through detailed intelligence work that criminal and terrorist groups based in the UK were smuggling very large sums of money, in the region of one million Euros at a time, to continental Europe by changing the sterling-denominated proceeds of other crimes into 500-Euro notes, the largest denomination available in Europe, and stuffing as many of them as possible into jumbo-sized breakfast cereal boxes that wouldn’t arouse suspicion at the border. SOCA’s response was to have the Bank of England order banks and foreign exchange businesses to stop using the 500-Euro note, thus cutting off this money laundering channel at a stroke.
Of course, it can be argued that some attacks, like the most recent ones in Nice and Paris last year, basically cost the attackers nothing more than the bus or metro fares to reach the point where they could steal or hijack the trucks they used to mow down their victims. But it’s simply folly to assume that preventing the financing of terrorism can prevent all terrorist activity, the more so since we have barely seen the beginning of cyber terrorism, something that needs no more weapons than the laptop computer or electronic notepad that almost everybody owns anyway. But the underlying principle of the EU’s AML Directives, and of similar regulations in other jurisdictions, to make it more difficult for criminals and terrorists to move money around in untraceable cash remains a good one, even though it’s almost impossible to enforce it effectively.
The problem, however, is that it’s not only cash that is basically untraceable. Two years ago, I commented in these pages that the rapid development of modern financial technology, especially the growth of virtual currencies, which are basically designed to be untraceable, perhaps encourages financial crime. And finally, after a completely unreasonable delay, the European Commission has responded to this very real threat by publishing on 23rd January a regulatory impact assessment for ‘Proposal for an EU initiative on restrictions on payments in cash’ that included proposals to restrict virtual currencies such as Bitcoin, so that the same reporting requirements that apply to cash transactions entering and leaving the EU should also apply to virtual currencies. The proposal very reasonably says: ‘In view of the development of cryptocurrencies and the existence of other means of payments ensuring anonymity, an option could be to extend the restrictions to cash payments to all payments ensuring anonymity (cryptocurrencies, payment in kinds, etc.).’
This proposal is certainly well intended, and at first glance ought to be an effective curb on using virtual money to pay for at least the larger terror attacks. But is it likely to work? No more than the restrictions on cash actually work: any half-professional money launderer or terror financier simply splits the money up into as many smaller transactions as are necessary to stay well below the reporting limits, and reassembles the total sum at the other end, where it is needed; and so it will be with Bitcoins or whatever other virtual money. And in any case, there is no technical proposal yet for how to actually detect much larger sums in Bitcoins travelling across the Internet between arbitrary end points, let alone interdict them.
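The splitting technique described above, usually called structuring, is exactly what a threshold-only rule misses, and the standard defensive response is to aggregate sub-threshold transfers per counterparty pair over a time window. The following is an added example, not code from the article or from any regulator or institution it mentions: it uses the 10,000 Euro trigger quoted above, an assumed seven-day aggregation window, and a constructed sample ledger, and flags pairs whose individual transfers each sit below the limit but whose windowed total exceeds it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Reporting trigger quoted in the article (Fourth Money Laundering Directive).
THRESHOLD_EUR = 10_000
# Assumed aggregation window; the article gives none, this is an illustrative choice.
WINDOW = timedelta(days=7)

# Constructed sample ledger: (ISO timestamp, sender, receiver, amount in EUR).
SAMPLE_TRANSFERS = [
    ("2017-02-01T09:00", "alice", "dealer-x", 9_500),
    ("2017-02-01T15:30", "alice", "dealer-x", 9_200),
    ("2017-02-02T10:10", "alice", "dealer-x", 9_800),
    ("2017-02-03T11:00", "bob",   "shop-y",   12_000),  # single transfer already above the trigger
    ("2017-02-05T08:00", "carol", "shop-y",   4_000),
    ("2017-03-01T08:00", "carol", "shop-y",   4_500),   # same pair, but outside the window
]


def reportable_single_transfers(transfers, threshold=THRESHOLD_EUR):
    """Transfers the plain threshold rule already catches (amount at or above the trigger)."""
    return [t for t in transfers if t[3] >= threshold]


def find_structuring(transfers, threshold=THRESHOLD_EUR, window=WINDOW):
    """Return {(sender, receiver): peak_windowed_total} for pairs whose individual
    transfers each stay below `threshold` but whose running total inside a sliding
    `window` reaches it. Transfers at or above the threshold are excluded here
    because they are reportable on their own and would mask the pattern."""
    by_pair = defaultdict(list)
    for ts, sender, receiver, amount in transfers:
        if amount < threshold:
            by_pair[(sender, receiver)].append((datetime.fromisoformat(ts), amount))

    flagged = {}
    for pair, items in by_pair.items():
        items.sort()              # ledger order is not guaranteed; sort by time
        start = 0                 # left edge of the sliding window
        running = 0
        for t, amount in items:
            running += amount
            # Drop transfers older than `window` relative to the current one.
            while t - items[start][0] > window:
                running -= items[start][1]
                start += 1
            if running >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), running)
    return flagged


if __name__ == "__main__":
    for pair, total in find_structuring(SAMPLE_TRANSFERS).items():
        print(f"possible structuring: {pair[0]} -> {pair[1]}, {total} EUR within {WINDOW.days} days")
    for t in reportable_single_transfers(SAMPLE_TRANSFERS):
        print(f"above trigger: {t[1]} -> {t[2]}, {t[3]} EUR")
```

On the sample ledger only the alice/dealer-x pair is flagged (three sub-limit transfers totalling 28,500 Euro in two days); bob's single 12,000 Euro transfer is caught by the ordinary threshold rule, and carol's two small transfers fall outside the window. The same aggregation works on any ledger where sender and receiver are identifiable, which is precisely the property that cash and, as the article argues, anonymity-preserving virtual currencies lack.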
Cyber criminals (including terrorist groups) carrying out ransomware attacks, whether on personal or corporate computers or on more sophisticated and valuable infrastructure systems, almost invariably demand that the ransom the victims have to pay to get back the data that has been encrypted by the malicious software -- sometimes worth a lot more than 15,000 or 10,000 Euros -- be transferred in Bitcoins, because they are confident that the money will arrive undetected and without any risk of their identities being uncovered. So why does the European Commission imagine that this new regulatory tweak is going to make the slightest difference to the fight against terror finance and money laundering, when what really counts is much better, but inevitably much more demanding, intelligence work?
But the real problem that the Commission has created is this: if a cyber-criminal or cyber-terrorist carries out a ransomware attack on, say, a financial institution or hospital, or a shipping company, and demands a million Euros in Bitcoin, or perhaps much more, as ransom for the restoration of its critical data, or for the renewed functioning of critical computer systems, the proposed new regulatory restriction may make it a criminal offence for the victim to pay the ransom as demanded, in Bitcoin. Is it conceivable that an insurance company will refuse to pay to get back data that may be worth billions, or that a medical centre will refuse to pay to restore critical data that may be necessary to save lives, on the grounds that they would be breaking financial regulations and perhaps risking the imprisonment of a senior executive? (Technically, paying such a ransom could probably be regarded in today's over-regulated world as a money laundering offence to begin with, since it is transferring the proceeds of crime, but the victim organisation would at least have the legal defence of duress.) On top of that, after May 2018, the EU's own General Data Protection Regulation will impose draconian fines for breaches of personal data held by any business, not only one resident in the EU but even one merely doing business there: these fines are large enough, up to the larger of 20mn Euro or 4 percent of global turnover, that they could bankrupt many companies. The more or less obvious result is that many cyber attacks will be carried out simply in order to blackmail companies: pay us, or we will release the personal data you hold on your clients, or patients, or whoever.
Yes, it is certainly possible to create some kind of legal process to request permission of the authorities, just as the current Suspicious Activity Report regime makes it possible for law enforcement authorities to permit payment from frozen funds. But since ransomware usually works on the basis that the victim only has 24 or 48 hours to pay up, otherwise the data remains irreversibly encrypted forever, such a process would almost certainly be useless.
The solution to this regulatory minefield might be for the eventual regulations to say explicitly that the payment of ransom, whether for a human kidnap victim or for kidnapped data or systems, is not an offence, whether made in Bitcoin, cash or uncut diamonds. But this in itself would constitute a moral hazard, as it would incentivise criminals and terrorists to carry out such attacks. The bottom line is that the European Union, in its enthusiasm to protect society from all kinds of risks and vulnerabilities by creating mountains of regulations, has made the problem worse.