LexisNexis | The MENA Business Law Review: Financial Crime Challenges as We Enter Internet 3.0
It is likely that history will define the opening years of the 2020s by reference to the seismic global impact of the COVID-19 pandemic. It introduced and accelerated change in how we operate, do business and live, from new working patterns to an increased sense of focus on health and relationships. Perhaps one of its most significant legacies will be the acceleration of technological innovation, particularly the mainstream emergence of "Web 3.0" and its subsequent impact in areas such as trade, commerce, and the exchange of digital assets. For many, the future of financial engagement is now the present and exciting and innovative steps are being taken to develop financial services technology for the benefit of all. However, with great strides come new risks and there remain those willing to take advantage of a sparsely regulated but potentially lucrative new financial landscape. The intention of this article is to provide an overview of some of the key financial crime risks emerging within the Web 3.0 sphere, to highlight what business should be looking out for and what steps the UAE is taking to address them.
Where Are We and How Did We Get Here?
The launch of the world wide web in the late 1990s consisted of a collection of read-only static web pages providing information and content on the internet for users to search for and digest. This was subsequently referred to colloquially as Web 1.0. In the early 2000s, the internet developed to increase user interaction enabling individuals and businesses to interact socially in communities as well as trade and provide services online - Web 2.0. The development of internet banking, e-commerce and electronic payments accelerated globalisation in so far as it enabled businesses to trade and reach audiences globally in a manner and at a speed not previously possible.
Cue the 2020s and the latest stage of internet innovation, an uncompleted web iteration based around the ideas of decentralisation, peer-to-peer lending, and transparency - or Web 3.0 to tech buffs. Central to this is the "blockchain", the distributed ledger technology used by cryptocurrency (interchangeable digital currencies utilising cryptography able to be used in much the same way as traditional fiat currency). Cryptocurrency can now be used to purchase a cup of coffee, trade with counterparties across the globe, and invest in innovative early-stage startups. Other features of Web 3.0 include the emergence of digital assets such as non-fungible tokens (NFTs), which are, in basic terms, unique digital representations (often but not exclusively of a tangible real-world asset) that can be owned and traded online using cryptocurrency.
Underlying the concept of Web 3.0 is a niche financial economy based on the premise of decentralised finance (DeFi), a crypto-asset ecosystem which enables participants to replicate many of the traditional financial services such as credit services and investment products, only without the reliance on centralised intermediaries such as banks or third parties. The unregulated and decentralised nature of the DeFi ecosystem brings with it its own risks and challenges from a security perspective.
More broadly, profits from cryptocurrency speculation are being converted into mainstream government issued fiat currency, such as dollars or sterling, and used to purchase real-world assets such as property and art.
Together, this crypto economy will become a significant part of the real economy in a very short time. We are already seeing the trade in terms of transaction volume on a scale comparable with the equities markets - the total market capitalization of crypto assets increasing from USD 20 billion in January 2017 to more than USD 3 trillion in November 2021. At a basic level this demonstrates a broad appeal beyond specialist tech-savvy institutional investors. As crypto moves to the mainstream we are entering a period of consolidation and the setting of regulatory standards for the industry.
This new digital mechanism for assigning, buying, selling and transferring assets brings with it novel issues in respect of financial crime risk and security, while also mirroring some of the same vulnerabilities of the real economy. We will now look at some of the key areas of risk and how the UAE is approaching them.
Financial Crime in Web 3.0
Money Laundering – AML/KYC
According to the 2022 Crypto Crime Report produced by Chainalysis, money laundering remains the key criminal activity underpinning cryptocurrency-related financial crime, particularly so with those platforms involved in DeFi projects. In the UAE, the Dubai Financial Services Authority has recently highlighted fraud and money laundering among key risk factors when buying crypto assets and advises potential investors and consumers to undertake due diligence and exercise caution before entering a transaction.
The prevalence of money laundering (the process of transferring the proceeds of illegal conduct into legitimate assets and currency) within the crypto economy is no surprise given the anonymity of blockchain technology. In theory, cybercriminals can transfer and hide the proceeds of crime away from the authorities until eventually converting it into cash. However, the transparency and permanence of the blockchain technology enables the movement of cryptocurrency to be traced and the owners of addresses identified. That said, the sheer volume of transactions taking place on the blockchain means (much like the real economy) that businesses need to implement their own measures to mitigate risk by reducing their exposure to money laundering and other financial crime. The challenge will be in adapting traditional anti-money laundering (AML) and know your customer (KYC) procedures to take into account exposure to the crypto economy.
The real economy tenets of AML/KYC revolve around the twin issues of identity and source of funds. These are usually dealt with by the production of identity documents, bank statements and payslips. If a company has reason to suspect the legitimacy of the transaction based upon its review of these documents and the individuals concerned, then reports can be made to the relevant authorities with the potential for the asset or transaction to be frozen and seized. Traditional “red flags” include individuals exposed to political connections, sanctioned countries, terrorist financing, or the inherent nature of the business from which the funds are derived. These factors remain applicable to crypto-related risk assessments.
AML/KYC in Web 3.0
New risk factors derive from the peculiarities of the crypto economy, which itself centres around a set of novel concepts. For example, to send and receive crypto transactions, access to a crypto wallet is required. A crypto wallet is an application or physical device which stores the public keys (the wallet address) and the private keys required to send and receive crypto transactions. These wallets are either hosted on a dedicated cryptocurrency exchange, or privately by individuals who in such circumstances effectively become their own bank. Either way, a business conducting a crypto-related risk assessment should be looking behind the transaction to identify the owner of the relevant wallet. This requires a specialist approach, adjusted depending on the type of wallet being dealt with and the risk appetite of each company.
As transactions from private wallets are set up by individuals with little to no KYC, they are particularly challenging from a risk assessment perspective and many organisations consider them inherently high-risk. However, steps can be taken to mitigate the risk. As the blockchain makes available publicly the history of the wallet, this information can be reviewed to identify potential risk factors and red flags. To this end, Blockchain Monitoring Providers (BMPs) have been established to provide sophisticated analysis enabling the wallets to be risk scored. For example, a BMP can investigate whether a specific transaction may have been routed through high-risk addresses such as those associated with ransomware attacks and the darknet. Such a history should ring alarm bells for any company reviewing the transaction. However, other factors may mitigate the risk of the same transaction, such as whether it passed through a public cryptocurrency exchange (see below).
In contrast to private wallets, most of the cryptocurrency exchanges implement high levels of due diligence and KYC before registering their user and employ dedicated compliance officers to monitor transactions. Any deemed suspicious can be reported to the authorities for onward tracing or recording for future investigation. On the face of it, funds flowing from or through these exchanges will provide a business with a degree of assurance regarding the identity of its owner.
It is worth noting that blockchain monitoring is an evolving process as not all wallet addresses are known to BMPs and only some of the main blockchains are covered. As a result, a risk assessment policy may mandate that the company only transact on blockchains monitored by reputable BMPs.
Considering whether this information changes the risk assessment of a transaction will ultimately remain the purview of each company dependent on its risk appetite. However, the more detail a company can gather about who it is transacting with, even in the decentralised crypto world, the more informed a decision on risk will be. In this sense, some things never change.
Even if not trading directly in cryptocurrency, businesses may increasingly find themselves involved in transactions where the source of real economy funds is derived from cryptocurrency profits. To what extent businesses are exposing themselves to money laundering and should be required to trace the source into the blockchain is an issue that will surely evolve if cryptocurrency such as Bitcoin continues to deliver large (if erratic) growth for investors. A related problem is currently being considered by banks, who face the challenge of conducting traditional AML/KYC account-opening procedures for applicants whose declared source of (often quite large) wealth is cryptocurrency trading profits. An example of how this issue is entering the mainstream can be seen in Dubai, where real estate developers announced in April 2022 that they would accept payment in Bitcoin and Ethereum. The UAE Government moved swiftly by introducing reporting requirements to make sure that digital assets are covered by the region’s anti-money laundering and anti-terrorism funding rules. This means that real estate agents, brokers and law offices must notify the UAE’s Financial Intelligence Unit (FIU) of any real estate transactions where payment is made in cash, in cryptocurrency, or in money earned from a virtual asset. While this cautious approach is sensible in principle, the practical effect of reporting any real estate deal involving cryptocurrency or derived from cryptocurrency remains to be seen. It would not be surprising to see similar reporting requirements expanded into the sale of other high-value assets such as artwork, supercars and yachts.
For each business, the challenge will be in putting in place effective procedures that enable them to be satisfied of the identity of the transacting party and the legitimacy of the source of funds being used. How this is done will develop over time and may involve collaboration with the cryptocurrency exchange they are dealing with. As in the real economy, much will depend on the company’s risk appetite which is itself dependent on the nature of the business and its exposure to cryptocurrency.
“New” Financial Crime?
The low barrier to entry is one reason that cryptocurrency is as popular with retail investors as institutional ones—all one needs is access to the internet. This combined with the pandemic accelerating the growth of digital economies has meant that more people are digitally connected and utilising cyber-space for their work and finances than ever before. Unfortunately, if not predictably, this mix has been exploited to the benefit of a new wave of cyber criminals specialising in crypto-related fraud.
The Chainalysis 2022 Crypto Crime Report found that cryptocurrency-based crime hit an all-time high globally in 2021, with illicit addresses receiving USD 14 billion over the course of the year, an increase of 79% from USD 7.8 billion in 2020. This figure must be placed in the context of Chainalysis’s assessment that overall transaction volume grew 567% in the same period.
However, digging down into the types of crime being committed in the crypto economy, one question that arises is how much of this illicit conduct is a “new” type of financial crime, and how much is a familiar crime dressed in new clothing. A recent study conducted by the Dawes Centre for Financial Crime in London identified a distinction between cyber-enabled fraud and cyber-dependent fraud. The former is the use of cyber technology to “magnify the scale and reach of offences that could also be committed offline”, while crypto-dependent offences were defined as those considered only able to be committed using modern cyber technology. The distinction is more than academic as businesses exposed to the risk of crypto-related fraud need an understanding of what it is they are dealing with in order to properly assess the risk-management procedures they have in place to prevent it. Assuming the same old cyber-related risks apply would be a brave approach in the context of a technology and criminals moving at a faster pace and in more jurisdictions than ever before.
Examples of cyber-enabled fraud include Ponzi schemes, in which high returns are promised in return for investments in digital assets, and wash trading (market manipulation) where digital assets (e.g., NFTs) are bought and sold simultaneously by the same individual in order to artificially inflate the price of the asset. In every financial product traded, there also remains the inherent opportunity for insider trading, where those closely connected to a crypto token or asset can trade with information not otherwise publicly available. A high-profile example of this occurred in July 2022 when the United States Department of Justice (DOJ) charged three individuals with conspiracy to commit insider trading in cryptocurrency. The DOJ alleged that one of the charged individuals, a former Coinbase employee, tipped off his brother and a friend regarding crypto assets that were going to be listed on Coinbase Exchange. With the growing number of exchanges in the MENA region, this is something the authorities will no doubt be examining closely. Other examples of popular crypto cyber-enabled fraud include:
Rug-pull: a developing form of scamming, in which fraudsters market a new crypto-related investment project, usually in the form of a new crypto token, enticing investment to ramp up the price before withdrawing all of the coins, leaving the asset’s value (and investors’ money) to drop to zero. Sophisticated businesses or individual investors may be able to utilise blockchain monitoring providers (see above) to track the history of the asset’s price rise to see who lay behind the price escalation.
Theft: as the adoption of cryptocurrency grows at an astonishing rate, hackers are operating at pace to hijack wallets—it should be noted that of the USD 3.2 billion worth of cryptocurrency stolen in 2021, 72% was stolen from the less regulated DeFi protocols. Despite efforts by exchanges to maintain security around the wallets on their platforms, cryptocurrency experts are increasingly advising individual investors and businesses with significant investments in cryptocurrency to rely on the use of “cold” wallets to secure their cryptocurrency, effectively storing their coins or tokens offline, away from prying hacks.
Crypto-ransomware: perhaps the least subtle of all crypto-related frauds, ransomware is malware that locks and encrypts files stored on a computer so that those responsible can extort cryptocurrency. Ransomware attacks have been described as the “defining criminal typology in the virtual asset world”, and are often used to target critical infrastructure. The Middle East has seen a rise in ransomware attacks since the onset of the pandemic. In the UAE, a recent study suggests that 77% of UAE organisations have suffered at least one ransomware attack in the last 24 months.
In contrast, “new” crypto-dependent crimes are those that can only be committed using modern cyber technology. An example of this is crypto-mining fraud, where specialist malware is embedded on a victim’s computer, enabling the attacker to use the victim’s computational resources to mine cryptocurrencies. Another example includes cybercriminals developing technology to impersonate legitimate wallet and exchange services to steal money from victims. These can come in the form of fraudulent cryptocurrency investment apps or even a fraudulent cryptocurrency, such as the scam which sought to claim it was Dubai’s official cryptocurrency in order to phish data and money from crypto investors. We are likely to see more of these types of crypto-dependent crimes as the technology develops and as long as the demand for cryptocurrency as an asset class remains strong.
UAE and Crypto-Related Financial Crime
The growth in the Middle East of businesses derived from Web 3.0 technology is astounding, with a 30% growth rate in the FinTech sector in 2021 as but one example. This rapid growth is not solely due to the impact of the global pandemic and changing consumer habits but is the result of a mix of government-backed support and friendly regulations in the region.
These efforts have been combined with policies intended to stem the tide of crypto-related financial crime. The UAE has been at the forefront of these developments, implementing recommendations from the Financial Action Task Force (FATF), an international monitor of AML standards. The UAE’s approach is being led by the specially formed UAE Cybersecurity Council, created in November 2020 to oversee the Emirates’ implementation of a strategy to build a secure cyber infrastructure. In June 2022, the Council signed multiple collaboration agreements with external service providers including Huawei, Amazon Web Services (AWS), and Deloitte. In what has been described as a “service-centric model” these agreements will lead to the outsourcing of cyber security operations to specialists and allow businesses to focus on their core objectives and targets.
Criminal legislation has also been revised within the UAE to incorporate the risk of cyber-related financial crime. On 2 January 2022, Federal Decree-Law No. 34/2021 Concerning the Fight Against Rumours and Cybercrime (the “Cybercrime Law”) came into effect. The Cybercrime Law includes a number of offences prevalent in crypto-asset fraud, from hacking and compromising information systems to the unauthorised obtaining of passwords, to the fabrication of websites, mail and electronic accounts. The Cybercrime Law also criminalises acts related to unlicensed cryptocurrency trading, and behaviour that promotes or encourages the unlicensed dealing in cryptocurrency not officially recognised in the UAE.
In addition, to help combat the rise in crypto fraud, on 22 August 2021, the Dubai Courts announced the establishment of a specialist criminal court focused on combatting money laundering. This was followed in October 2021 by the Dubai Police launching a specialist Virtual Asset Crime department to investigate crypto fraud and announcing that it will be collaborating with a cryptocurrency trading platform and other industry experts to fight crime within the space.
Furthermore, the UAE’s civil courts may be able to assist victims of fraud. The DIFC and ADGM Courts have the full arsenal of interim measures available to common law courts, including freezing and proprietary injunctions and asset disclosure orders. These interim measures have been successfully used in other common law jurisdictions and, provided the jurisdictional requirements of the UAE’s common law courts are met, it is likely that similar measures could be wielded by the DIFC and ADGM under their existing laws and court rules. The UAE’s Onshore Courts may also be able to make orders in support of claims by fraud victims, notably in the form of the precautionary attachment, which is similar to a freezing order in the common law courts and can be easily notified to banks and other financial institutions under existing processes.
As the world enters this new age of financial services technology, there is much to be learned about how best to monitor and protect ourselves against financial crime. This short article can only focus on a small selection of issues concerning financial crime within the crypto economy and the UAE’s response to them. It is hoped that this provides an insight to businesses and individuals about the risks deriving from Web 3.0, so that all can be better prepared.
This article was first published by The MENA Business Law Review (LexisNexis), No. 03/2022.