KYC/AML, Trade, and Blockchain

One odd thing that I’ve found is that I hate talking to regulators about AML/KYC since it always turns into an exercise about what forms to fill out and what’s of bureaucracy to undertake.  The fun conversations I’ve had are with cops and ex-cops, since they are interested in doing something real (i.e. catching bad guys) rather than fake (pushing papers).

So I had a conversation with some ex-cops about AML/KYC and what the cops really care about, and after that conversation, a lot of things started to make sense, and this all impacts the use of blockchain both in AML/KYC and trade finance.

One of the most surprising things that I learned is that cops really don’t care that much about large volumes of anonymous money flowing from place to place.  It turns out that is it trivially easy to move money secretly between two points, and for the most part, the cops don’t care unless someone forces them to care.  The way that most money in the world gets moved is by fraudulent trade invoices.  I send USD 10 million to Oman using a letter of credit to buy bitumen for Vietnam.  All that gets processed by the bank.  It turns out that no one checks to see if in fact anyone is moving bitumen, and anything that ends up in Oman is probably ending up in Iran.

I was aware that this was the favorite way of moving money between Hong Kong and Mainland China.  I sell 100,000 USD worth of USB drives, someone sends me USD 100,000,  I claim to then buy 100,000 USD worth chips for my USB drives.  At no point does anyone check or really care if there are in fact USB drives.

This means that efforts to more accurate track invoices in blockchain are doomed.  Since a lot of the trade orders are fake, no one wants it to be tracked, and they want everything to be on easily forgeable paper.  People might lose a few million on fake documents, but it turns out that if you add up all of the worlds imports and all of the worlds exports, the numbers are off by almost 1 trillion USD.  Unless we are shipping stuff to Mars, I’d say that this gives you an idea of how much “fake” and anonymous money flows there are.

And for the most part, law enforcement does not care about this.

So why do they force you to show your passport and residence information if they don’t care about anonymous trade flows.  It’s because they care about something else, and once the ex-cop told me what it was, then everything sort of made sense.

OK, you are selling street drugs.  You actually are not going to be moving thousands of dollars.  The people that are coming up to you to buy drugs are doing to give you small paper denominations.  These numbers add up, but you have a lot of small bills, that you need to put somewhere, and if you show up at a bank with a bag of small bills, people are going to be suspicious.  You *could* try to run your money through a legitimate business (i.e. Walter White’s car wash), but that’s still quite hard, and note that your standard AML/KYC process isn’t going to stop Walter White from moving his meth money through the car wash.

However, what you can do is something called smurfing.  What you do is to have Jesse Pinkman get one hundred of his friends to open a lot of bank accounts.  You then deposit small amounts of cash into each account, and then all that money gets moved to a central account (i.e. they buy car washes).  That’s what the AML/KYC is to prevent.  Having large numbers of accounts that are controlled by one person.

So the way of preventing smurfing involves making it time consuming to open an account.  If you can open an account, once per second, then you can create a large number of accounts.  So the goal to prevent smurfing is to both make sure that you do not have large numbers of accounts controlled by one person.  This involves doing some minimum checks on the person opening the account, but also involves making the process of opening an account time consuming.

It becomes a gold mine for a drug smuggler, if he can get access to a corporate account from a small business.  Once you hacked a corporate account, then you can put all sorts of small transactions through that corporate’s account.  The interesting thing is that SME’s aren’t going to notice that they’ve been hacked, because the hacker makes sure that they don’t take any money.  One you have a corporate account, you then have the payroll details of hundreds of people and you have the ability to hack the companies computers and send out payments through the company’s suppliers.  If you are a company, you aren’t going to complain since you aren’t losing any money (and you certainly aren’t going to complain, if it turns out if the hacker is nice and leaves you with a small tip every month).  You are going to assume that all of this is a banking error, until someone realizes that you’ve been laundering massive amounts of money.  At that point the regulators won’t fine you, but they bank will be in trouble,

This has several implications for blockchain:

1. The goal of making it easier to open an account runs counter to goal of AML.  The purpose of the rules to avoid smurfing is to insure that someone can’t open and control hundreds of bank accounts.  Having someone present proof of residence and identity documents, even if they are bogus, does that, because if you want to open several dozen accounts with bogus documents, you are going to have to do enough work so it’s not worth it.
2. Shipping companies and banks are going to do heavy pushback against making forgery proof shipping documents.  The fact that much of the money that goes through trade flows is in fact anonymous transfers of funds is something that is an open secret.  It would be trivial for the banks and authorities to stop this (i.e. have the bank do random checks to see if the items on the bills of lading were in fact shipped), but no one wants to stop these flows.

But once you sort of understand what is going on a lot of things start making sense.  Why is it that you have to provide the same docs to ten different banks.  The answer is that the system doesn’t want you to create ten accounts at ten different banks.  It also explains why banks are so scared of corporate accounts.  It’s not that they are afraid that the owners of corporate accounts are bad people who are drug runners or terrorists.  It’s that they are afraid that some hacker will hack into the companies computers, use the company to move money, and then the bank will get in trouble, so their goal then is to make it painful for any company to open account.

However, once people start talking to each other you can think of some creative solutions.  For example, I know of someone that is doing KYC cybersecurity, and if they purpose is to make it “hard” to open a bank account, you can make it fun.  Rather than requiring someone to put lots of ID, you have them play a video game for half an hour to prove they are human.  By playing a video game before letting you open an account, you end up making it harder to do smurfing, but you make it fun.