September 2020 FATF Red Flags. Flagging common security practices in the Cryptocurrency World.

The FATF, a multinational financial policy-making organization headquartered in France whose goal is “to protect the global financial system against money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction.” has now published in their new September 2020 report. A new list of items that financial providers should consider red flags when dealing with cryptocurrency. Several of these ”red flags” can be considered completely common normal practices and even encouraged for increased security in the cryptocurrency world.

Privacy preserving cryptocurrencies as well as mixer and tumbling services have been targeted for a while now and have been dubbed “high risk”. However, some of the newer “red flags” are simply direct attacks on regular cryptocurrency users with a not-so-subtle undertone of the need of VASPs (Virtual Asset Providers) to be in full control of your assets or provide full oversight as we will see later.

Hardware Wallets and "Decentralized Wallets"

The most eye catching red flag is certainly the use of hardware wallets and “decentralized wallets as the FATF calls them, which is aggravated in the context cross-border movement.

Curiously, using a hardware wallet is a practice encouraged by most cryptocurrency users due to its ease of use and security it provides. Similarly, the Europol has pointed out the use of hardware wallets by criminals in their IOCTA 2020 report. It’s hard to estimate the exact percentage of hardware wallet or “decentralized wallet” users but common sense should dictate that it’s a high percentage of all users. The case study for this is Case #7 in the report where criminals:

"sought payment not only in fiat currency but also in the form of VAs (Bitcoin, EX-codes, EXMO-cheques)"
wherein “decentralized wallets” were used, pretty much like any other cryptocurrency user would. It’s a weak argument against the use of “decentralized wallets” after which the FATF publication completes with the following idea:

"the use of a hardware or paper wallet may be legitimate as a way to secure VAs against thefts. Again, the presence of these indicators should be considered in the context of other characteristics about the customer and relationship, or a logical business explanation."

Priming the correlation of hardware wallets and “decentralized wallets” with crime to only be completed with a weak warning about a legitimate use while at the same time completely ignoring that a large percentage of users are in that category is just absurd.

The use of P2P exchanges and peer-to-peer technology and marketplaces.

We are most familiar with localbitcoin and localcryptos as a P2P way of exchanging money between two interested parties. Unfortunately, it has been labeled as a red flag specially in the case where large volumes is offered and banks are used and higher fees are present, curious aggravating issues as these are mostly the conditions for most P2P transactions on these sites. Once again, the vast majority of P2P exchange users would fulfill this definition.
The problem with this loose definition is, not only fiat-to-crypto and crypto-to-fiat can be interpreted as P2P exchanges, instead it’s any cryptocurrency exchange happening is “unlicensed exchanges” which could as well include the definition of the emerging field of decentralized finance. Until further clarification, this report could be used to target DeFi unfortunately.
The Europol’s IOCTA report also goes as far as to include OpenBazaar's software as high risk.

The use of VPNs when accessing an exchange:

"Users entering the VASP platform using an IP address associated with a darknet or other similar software that allows anonymous communication, including encrypted emails and VPNs."
Equating the use of VPNs with darknet software is just inaccurate. As of today and according to VPNMentor, the use of VPNs a average between 18% to 30% worldwide, with countries such as Indonesia and India going as high as 40% and 38% respectively. It’s quite obvious to point out that 20% to 30% of all internet user have nothing to do with any darknet activity.

Targeting users with a red flag for the use of such a common technology is one of the most disconnected arguments coming from this report.

Privacy Cryptocurrencies

"Moving a VA that operates on a public, transparent blockchain, such as Bitcoin, to a centralised exchange and then immediately trading it for an AEC or privacy coin."
This type of transaction, is common among traders and many cryptocurrency users unfortunately. Mainly because there are a large percentage of exchange users that do not keep cryptocurrency for longer periods of time and also like privacy coins like Monero and Zcash.

This can’t be used as an argument for a red flag because, on the other hand, Gemini has recently engaged in the acceptance of Zcash shielded transactions showing regulators that they can be used for increased security and still comply with KYC/AML regulations.

The focus of regulation and criminal prosecution should not be commonly used practices, rather, the focus should be on illicit funds and their sources, after all, most blockchains are public so following illicit funds would be more fruitful and less invasive than flagging common security practices.

The result, once again, is that regular law abiding citizens will get unjustly punished and limited in their financial liberty in the name of blind regulation in a field like cryptocurrencies where financial crime is . “an ineffective strategy because of its complexity and high risk”

Published by: Saxemberg on Oct. 7, 2020