The Great Security Debate
or, the Road to Hell is Paved with Good Intentions (and Security Theater)
There will be a hearing in the Senate about crypto and illicit financial activity this Tuesday, where Wally Adeyemo from the Treasury goes to ask for additional powers to combat this alleged scourge. I have written about this before, but because this is essentially catnip to me by mixing together multiple strong interests I have (blockchain, market structure, financial crime, stablecoins, geopolitics, etc.) I cannot resist writing about it again.
More so, this hearing is overwhelmingly likely to be an absolute tire fire and clown show when it comes to accuracy and framing, as all sides will be pushing a political agenda to maximize their narrow concerns. This sort of thing is how you end up with huge amounts of theater that increase, not decrease, the confusion around an issue.
However, I think that’s an exceptionally dangerous thing right now, as I personally believe we stand at a critical point and we are rapidly running out of time to make a decision between two paths.
First, let’s talk about goals. One of the problems with this debate is that people are not being clear about what their goals are, so I am going to set an example by defining what my goals are in making policy recommendations for what the United States should do here. They are:
Minimizing the amount of illicit financial transactions in the world, and
Maximizing the amount of privacy we can have while achieving the first goal, and
Create a system where the United States has primary regulatory control of dollars moving on blockchains
I lay these out because I know there are those in both the regulatory and crypto spaces who may disagree with some of these goals, but I propose that this is the best minimum set of guidelines to actually guide the preferences of US policymakers and legislators as we look at the blockchain space, both domestically and globally.
To that end, I’m going to lay out what I mean, briefly, for each one of these, and then we can talk about how they each relate to the hearing we are about to have.
Minimizing the amount of illicit financial transactions in the world
My friend Adam Zarazinski has spoken about this previously when he testified, but the punch line is that bad actors just want money. Cash? Traditional system? Blockchains? Literally teleporting gold into their house? They don’t care. Anything that works, they will do it. Each illicit financial transaction is just a tool, and these organizations are like bodies with a gravitational pull for illicit funds regardless of the rails. If you shut down one set of rails, they will pivot to another. Therefore, looking at things in isolation is a lot like trying to stop a river by just putting a rock in the middle. It goes around it. You need to build a dam, which is to say we need a comprehensive, platform agnostic solution to the whole problem if we want to achieve anything other than just grandstanding.
Maximizing the amount of privacy we have while achieving the first goal
I am not an absolute privacy maximalist because I understand there are bad people in the world, and if the entire system is in shadow, it gives them a large scope to operate. I don’t think that is a good thing, and my personal view of true privacy maximalists (e.g. all transactions should be private) is that they suffer from the same naivete as many libertarians about what that freedom will actually be used for (Hint: often, not good stuff!) in the real world.
With that said, I also don’t think it should be trivial for the government to get their hands on private transaction data. I think it should be possible in many cases, when there is a legitimate need to investigate criminal acts, but that the current dragnet we have of scooping up huge amounts of financial data from innocent people through third parties is deeply harmful in the long run.
As much as many people don’t like it, how you spend your money is often a form of speech, and there are legitimate reasons to want some of those to be private[1].
Therefore, my goal is a system where that information should be available when there is a true need, but getting that information should be difficult and there should be the ability to disclose what happened after the fact so it can be monitored[2].
Create a system where the United States has primary regulatory control of dollars moving on blockchains
Note that I do not say the United States has primary regulatory control of blockchains. Why do I not say that? Why, in fact, do I also not include the possibility that we could just outlaw blockchains to stop this whole thing?
The simple fact is that the horse is out of the barn. Standing in front of technological progress and screaming STOP has been an excellent way to get completely run over, historically. Sometimes figuratively, such as when your economy ceases to be competitive, and sometimes literally, such as if you had tried this with a train or automobile.
Blockchains are not going away. There are many non-US jurisdictions[3] actively embracing them as the future rails of financial technology to build faster, safer, more transparent platforms.
Secondarily, a goal to have primary US regulation of all blockchains is probably out of reach given how we have already lagged in this space. Had we acted aggressively, during the first Trump administration or the second Obama administration, I think this might have been possible. But instead, we sat on our hands and catered to the same class of incumbents who had caused our problems in 2008 (and used the same regulatory playbook) and as a result, we are where we are now.
There are too many things outside the United States. Only one of the top 5 or so crypto exchanges by trading volume globally is even located in the United States, thanks to the efforts of the SEC in scaring everyone offshore and ensuring we do not have US regulatory control of the space[4].
The good news is that in a global sense, it’s still early. We’ve probably lost the chance to dominate blockchains as we do securities trading, but it’s not too late to have an oligopoly on blockchain regulation where we also primarily control dollar stablecoins.
Therefore, given I believe blockchains are here to stay, I’m falling back on what I think our best achievable option is right now. If you think we can do better and regulate it all, more power to you, but I think we are too late.
Thus, with those goals stated, let’s move on to this hearing.
Nocoiner Arguments Building Bridges Leading to Nowhere
The crypto-skeptics are likely to lead with some combination of the following arguments at the hearing:
Bad people have used blockchains to do bad things, therefore blockchains are bad
We need unique powers to sanction and control blockchains because they present a unique threat
Blockchain entities don’t follow the same rules as banks, and therefore that’s bad and we should make them
All of these are likely to be marshalled for one of the following purposes: either banning blockchains entirely (as Warren’s bill in the Senate essentially does by placing impossible requirements on the technology, similar to saying cars must be made of cheese but also survive a 100mph collision with no damage), or asking for massive increases in power and control that are basically unprecedented in our times.
Let me take a moment to address each of these in turn as well.
Bad people have used blockchains to do bad things, therefore blockchains are bad
This point has been effectively addressed previously in hearings[5], but it will be brought up again, so I want to directly take it apart here.
If our standard for something being bad is that even $1 of illicit finance is too much, the first thing we should do is shut[6] down[7] the legacy banking[8] system immediately. Using blockchains as a distraction because they have better detection when 99% plus of the illicit flows are cash or the traditional system would be a little bit like New York City pursuing their Vision Zero traffic safety strategy by banning unicycles. That is not the problem, people! Scapegoating blockchains for the problems of the traditional system is the tactic of someone who wants to misdirect from the failures, either out of shame or to perpetuate them. It is not the tactic of someone serious about solving the actual problem.
Likewise, if our standard is that the current amount of bad activity on blockchains is too much bad activity, wow do we have a lot of things we need to shut down. On the list would be:
Fedwire
ACH
PayPal
Venmo
Cash App
Literally cash itself
All of correspondent banking
etc.
Essentially, any system where money is used will have some degree of wrongdoing. This is the nature of people - some people are bad, and bad people, just like average, mediocre, and good people, use money. The only way to stop that is, ultimately, to ban money.
That’s silly. We need to focus, instead, on hardening our systems. If someone is doing the latter, you may disagree with them but they are being intellectually honest. If they are throwing one specific set of rails under the bus without first describing the magnitude of problems across all rails to demonstrate this one type is actually the nexus of bad activity (spoiler alert: it’s cash), you should have some very deep and serious doubts about their motives and/or capability.
We need unique powers to sanction and control blockchains because they present a unique threat
One of my favorite podcasts is the Dunker Spot[9]. Why? Because I am a basketball fan, but also someone obsessed with process, and Nekias and Steve are deep thinkers on the process part of basketball. A bit like finance, basketball is a complex system with interdependent parts that are not all stable over time, and interestingly, thinking about basketball can provide a useful mental framework for thinking about other systems.
In specific, when a team loses and Steve and Nekias are dissecting what happened, one of the main questions that is often asked is a version of this:
Do they need to change something, or do they just need to execute the current plan properly?
More than once this has jokingly been called the “do better” adjustment after a bad game.
I would suggest this is where we stand with our current crop of regulators. It is not so much that they need new powers[10], but rather, they need to use the powers they already have effectively (especially before being given new ones).
So why do I say this?
First, there is a huge amount of information in the hands of crypto analytics companies, and almost none of it is being effectively used at the Federal level or the state level. I have a client who is working with an independent law firm to start filing civil suits against crypto scammers so they can get court orders to freeze blockchain wallet addresses containing stablecoins because the FBI and DOJ have fumbled it so badly for years they literally gave up.
Second, we have very good information almost instantly on many of the hacks in crypto, yet a shocking number of them remain both completely unprosecuted and more so, freeze or seize orders were never even asked for by US regulators. All the data is there, but here is a visualization of what is being done with it:
Third, we have entire analytics companies devoted to understanding this space, but the amount of airtime they get within the gov’t itself is extremely limited; the combined number of people in the US law enforcement space who are familiar with any of Inca Digital, TRM Labs, or Chainalysis is probably less than 1%, which does not scan if you look at the amount of FUD they continue to spread about bad activity on a blockchain. Focusing on crypto crime in a hearing in that context would be like becoming an expert on crippling inner-city violence and drug problems in inner city Baltimore or Memphis, but also being unaware police departments exist.
Thus, one of the things I truly hope for in this hearing is that people press Treasury on exactly what they (and related Federal agencies) are doing to combat illicit finance. Not just in crypto, but in general. In concrete terms, how many people are working on it, who are they working with in industry, what is the success and failure rate, what tools are they using, and do they need more help, more training, or more compensation for staff?
Coming in without having made serious efforts to do anything other than a niche office or two, and then asking for sweeping powers, is poor conduct. “We can’t do anything (also we never tried)” is not the same as “We tried very hard, here are the exact problems, we need these specific powers”. I am very sympathetic to the latter, to be clear.
But we appear to be doing the former, which is simply not good enough. Right now, I am not of the belief we need new powers for most agencies, because they aren’t even using the current powers to do anything.
If anyone doubts that, please reach out. Happy to put you in touch with people.
Blockchain entities don’t follow the same rules as banks, and therefore that’s bad and we should make them
You get this one a lot from people who believe they are KYC/AML experts, but are often academics in practice. JP Koenig is someone who has espoused this belief, for instance, and it’s one of the best instances of saying something technically correct but also completely misleading and actively harmful to discourse.
So what do I mean by this?
One of the arguments you will often hear from skeptics is that blockchain participants don’t follow the same rules as banks and financial services providers, and that especially stablecoins don’t.
To tackle the first part first, that’s often a mistake of classification. If you believe that miners and validators are primarily in the business of providing financial services directly to participants, you would hold this belief about them not fulfilling similar obligations. However, if you look more closely at the role they play, which is basically providing communications infrastructure, you might also realize you’d then have to apply this duty, in traditional markets, to Bloomberg, to internet providers, and perhaps even to the phone company.
I am not sure this is working as intended. Suffice to say, the whole “just make validators collect KYC data” is not a policy that is technologically sound, and that there are parties that should have to collect this data, but all of them are parties that, you know, have a direct relationship with the client. This is not how a validator works.
The second part I find more interesting, because here we run face first into the complexity of the solution.
Specifically, we often hear “same activity, same rules” as something banking regulators want to apply to blockchains, and when they talk about stablecoins, they mean this: because banks KYC everyone who touches a bank deposit, stablecoins should have to KYC everyone who touches a stablecoin.
In a literal sense, it is true that if this analogy holds between stablecoins and bank deposits, Circle (to pick one issuer as an example) should have to KYC everyone who touches USDC.
On the other hand, the analogy does not hold. And this is where things get interesting, and where I am going to segue from this specific point to the greater problem we are facing in this space and why I have said elsewhere that blockchains are the solution to financial crime[11], not the source of it.
“For every complex problem, there is an answer that is simple, clear, and wrong.” - HL Mencken
So why aren’t stablecoins just bank deposits? To understand this, we have to understand how the current system works.
I’ve described this elsewhere, so apologies to those reading it again, but let us take a transaction that goes like this:
Person P sends money to Relative R who spends money at Business B who pays out that money to Owner O who sends that money to Hamas, which we will denote as H.
Using Banks
In the current system, let’s say P uses a bank to send to R, R uses a card to pay at B, B uses a bank to send to O, and O uses a bank or cash to send to H.
In fact, let’s get slightly more provocative by saying that Person P used Chase as a bank to send to Relative R using Standard Chartered, both institutions with very solid KYC/AML procedures according to banking regulators compared to some peers.
So, with that said, can this chain happen? Totally. In fact, I’m almost 100% sure it has. Why? How? If banks are obeying the rules that we just described, what the hell just happened here?
It has to do with the definition of bank deposits, and how we think about the reach of an institution. Namely, when JPM sends the money to Standard Chartered, that’s it. It’s no longer a JPM bank deposit, it’s now a Standard Chartered bank deposit.
When StanChart has the money spent from an account and goes through a card processor, it stops being their problem as well. If nobody knows that business is a conduit for money to Hamas, because the last bank in the chain is an evil bank, then nobody upstream has visibility and it’s not their product. Importantly, in this chain, Chase has absolutely zero idea that money that originated with Chase ended at Hamas.
Using Stablecoins
Now, let’s make this Circle’s problem so we can draw the contrast. The transaction is exactly the same as above, only in this case, the sole customer of Circle who does mint/burn is P.
Then, P sends to R, who spends at B, who sends to O, who sends to H. Only, let’s say they use stablecoins, and in fact, the same stablecoin at every step. This reveals a couple of things that work differently than the banking system immediately.
One, Circle can see every step. In fact, if Circle knows the last wallet is Hamas, they can see the entire chain that led to money that originated in the system with Circle ending up with Hamas! Second, everyone else can see it too. It’s a public blockchain. Third, because Circle has freeze and seize capability, they could in theory stop the money at the final point, and certainly, they would refuse to onboard Hamas and redeem them back into the traditional financial system.
So this is a bit different. We have far more visibility (remember, in the other system, only participants one hop away see the transaction), and while Circle is “involved” at every step because it’s a stablecoin in a literal sense, their involvement is no more than the banks in the same way. Even so, at the final step, unlike the banks in situation one, they can stop the funds.
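An added illustration (not from the original post) of the visibility difference between the two scenarios above: the same chain P -> R -> B -> O -> H, seen through per-bank ledgers and then through one shared stablecoin ledger. The amounts, the extra party Y, and the institution names BankB and BankO are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: int


# Constructed sample data: the chain from the text plus one unrelated payment.
TRANSFERS = [
    Transfer("P", "R", 120),
    Transfer("R", "B", 100),
    Transfer("R", "Y", 20),   # unrelated purchase, never reaches H
    Transfer("B", "O", 100),
    Transfer("O", "H", 100),
]

# Bank model: which institution holds each party's account. BankB and BankO
# are hypothetical names; the text only names Chase and Standard Chartered.
HOME = {"P": "Chase", "R": "StanChart", "Y": "StanChart",
        "B": "BankB", "O": "BankO", "H": "BankO"}


def bank_view(institution, transfers):
    """Transfers an institution can see: those touching one of its accounts."""
    return [t for t in transfers
            if institution in (HOME[t.sender], HOME[t.receiver])]


def upstream(flagged, transfers):
    """Every party with a path of transfers to `flagged` within the given view."""
    senders_of = {}
    for t in transfers:
        senders_of.setdefault(t.receiver, set()).add(t.sender)
    seen, queue = set(), deque([flagged])
    while queue:
        for s in senders_of.get(queue.popleft(), ()):
            if s not in seen:          # visited set also guards against cycles
                seen.add(s)
                queue.append(s)
    return seen


def balance(address, transfers):
    """Net token balance of an address on the shared ledger."""
    received = sum(t.amount for t in transfers if t.receiver == address)
    sent = sum(t.amount for t in transfers if t.sender == address)
    return received - sent


def exposure_report(flagged):
    """What each bank can attribute to `flagged` versus the public ledger."""
    report = {inst: sorted(upstream(flagged, bank_view(inst, TRANSFERS)))
              for inst in sorted(set(HOME.values()))}
    report["public ledger"] = sorted(upstream(flagged, TRANSFERS))
    return report


if __name__ == "__main__":
    for observer, parties in exposure_report("H").items():
        print(f"{observer:14} upstream of H: {parties}")
    print("freezable at H:", balance("H", TRANSFERS))
```

Only the last bank in the chain can tie anyone to H, and only one hop back; on the shared ledger the trace reaches P while leaving the unrelated party Y out, and the balance sitting at H is the amount a freeze would catch.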
Same Activity, Same Rules
What does this mean? Once you zoom out to the system level, this means we have one of two options if we want to go with same activity, same rules.
Option 1, which is what most of the stablecoin world is asking for, is that they not have to chase a chain of transactions just like banks don’t do this, and what they want is just that as long as they keep a hard perimeter around mint/redeem and freeze and seize when asked by the government, they are seen as in compliance.
My personal view is this is a good option, but we should additionally add the requirement for monitoring of transactions on-chain by third party wallets so they have to make good faith efforts to interdict bad actors.
Option 2, which nobody discusses but I think is the significantly more hilarious and revealing option, is that JPM should be liable for the money going to Hamas in the first example and should pay a huge fine and have people go to jail over it. Why? If you introduce the money to the system, and then it travels through the system and gets to a bad guy, that’s your responsibility. After all, that’s what we are saying in the stablecoin example if Circle is responsible for this entire chain despite facing only the initial customer. Banks should have the same responsibility! They started it. Here is where banks will tell you this is unreasonable, they don’t have control or visibility over their competitors, this is not a fair interpretation, etc… which, when you pause, sounds a lot like what crypto is being criticized for saying right now, doesn’t it?
However, if stablecoins have this liability, banks should not be able to ditch liability by just having someone swap to a different product at each step, otherwise Circle, Tether, First Digital, PayPal, etc. can just get together to make sure customers swap coins at every step and achieve the same broken outcome.
Either we care about a good system and consistent rules, or we don’t. To be clear, I’m not arguing for the second outcome, but if you believe that’s the correct standard for the stablecoin issuers but not the banks, I have to ask you this question:
Why is it okay for banks to engage in terrorism financing?
Now we will return to where we began, with the hearing. Here is what my hopes would be for an outcome:
We realize that the fact that we can clearly see all of this bad activity on a blockchain actually means it’s a superior, not inferior, tool for detecting illicit finance.
There is a real discussion about what efforts the US gov’t needs to start undertaking to police this activity.
There is also a discussion about how our single most urgent need is legislation, because the way you end up with zero say at this table is forcing every company offshore because you can’t get over yourself and make it impossible to do business onshore. In this outcome, we end up with everyone else controlling the future system, not us.
Finally, we end up with legislation that actually puts crypto and banks on equal footing, meaning they are responsible for bad activity in their space, have to meaningfully interdict it, and over time, flows should be pushed to the system that does a better job of allowing this.
What I am worried about is that we will instead have three hours of grandstanding and furiously distracting from the failings of the current system and the actual problem of terrorism financing in favor of attacking a pet peeve of some senators.
Am I hoping in vain for legislators to return to focusing on good governance, instead of theater and social media hot takes?
Probably.
Here are the core policy recommendations I would make, as a result:
Monitor the System
Affirmative monitoring obligations should be handed to centralized blockchain firms, so that they can use the capabilities they have to freeze funds at the point of entry and exit more effectively. And on-shore firms should not be able to interact with offshore firms not doing this, if we want to build a good web.
Compare the Systems
Treasury should be required to put together reporting on the amount of illicit finance in traditional vs. blockchain systems, and share that data. Both on a total $ value basis, but also % of activity basis. If they can’t get that data, they should be clear about where blind spots are and what we don’t know. We need to know this to do a good job. It’s done partially now but could be much better.
Legalize Stablecoins
We need to pass legislation so that onshore stablecoins are a thing. As soon as possible. As fast as possible. Our worst case scenario is that eurodollar stablecoins or non-dollar stablecoins become the default money, as in that case our tools for addressing financial crime on blockchains will become much weaker, and we’ll have shot ourselves in the foot.
Reward Visibility
Finding illicit crime should be rewarded, not punished. We should have bounties for people to find crime in both traditional and blockchain systems, and then we should mandate more usage of the system where it’s easier to find the crime.
If we do these things, which are quite simple, in the end, we will win. I’m also open to being wrong that blockchains are a better tool for fighting crime, and only by actually testing and monitoring will we be able to determine that.
We should do it, if we care about doing the right thing.
Yes, this also means I am both highly displeased with our current system of surveillance capitalism and would be displeased with a completely permissionless transfer of everything on blockchains system, so I am the sort of pragmatic moderate who makes both endpoints of this debate angry.
Notably, financial centers like Singapore, the UAE, and Switzerland seem to have understood this first.
I am sympathetic to the narrow argument that the US Treasury might need the authority to sanction specific blockchain protocols or addresses, but I am not sympathetic to prosecuting people purely for deploying code (unless you can demonstrate preexisting malicious intent or direct coordination with criminals).
Couldn't agree more!