• Fintech Brainfood
  • Posts
  • Fintech 🧠 Food - August 14th 2022 - Tornado Cash is the battleground for privacy vs AML.

Fintech 🧠 Food - August 14th 2022 - Tornado Cash is the battleground for privacy vs AML.

Hey everyone 👋, thanks for coming back to Brainfood, where I take the week's biggest events and try to get under the skin of what's happening in Fintech. If you're reading this and haven't signed up, join the 19,322 others by clicking below, and to the regular readers, thank you. 🙏

Hey Fintech Nerds 👋

In the week Disney+ overtook Netflix, Ethereum all but completed its merge, and we cheered for inflation running at 8.5% YoY; the thing that got me most curious was the sanctioning of DeFi project Tornado Cash. This is the first time a government has sanctioned software, which could have countless unintended consequences. I unpack in this week's Rant and go down a rabbit hole of what would give us actually good AML.

Coinbase had a bit of a sucky Q2 set of results, but don't write it off just yet, and Reddit launched its community token on Eth L2 Arbitrum. These seemingly unrelated events all feel like a sign of the times. Where the headlines for Crypto are still negative, but the building is quietly happening.

The big story in Fintech was the CFPB coming after Hello Digits in a strongly worded release that accused them of lying about "not going into overdrafts," among other offenses, and must pay substantial damages. Digits had an "auto savings" sweep, which would take any money left after bills were paid and “sweep” into savings. For some customers, this went wrong and ended up being overdrawn. But as Ohad points out, 2000 customers have not been reimbursed a total of $68k (or $34 each), and the CFPB is beating its chest pretty hard on this one. I grant you, that promising not to make interest on customer deposits and then making interest on customer deposits isn’t great, but it’s not exactly mortgage miss selling.

It makes you wonder why making an example of Fintech companies is so important. I mean those darn pesky Fintech companies are trying to SAVE their customers’ money automatically. How dare they! 🙄 Don't get me wrong; I'm not wanting to trivialize being overdrawn and the consequences that can have on the lowest income. But c'mon. But this regulation by performance art, making an example of a Fintech company, just doesn’t sit right (and yes, I get that regulators have done that to banks for decades too). But this looks more like appeasing the bank lobby than it does punishment fitting the crime. To me, anyway.

Fintech companies are in their awkward teenage phase and should get called out when they make mistakes. But the market needs innovation. I understand the desire of banks for a “level playing field.” But there are times like this when the punishment doesn’t fit the crime.

Weekly Rant 📣

Why can't we have privacy and prevent money laundering?

(Or, why a God Mode in Financial Services is amazing and terrifying).

This week the US Treasury sanctioned a Crypto service called Tornado Cash (TC). Tornado Cash (TC) aimed to bring users enhanced privacy when using web3 but has been accused of laundering more than $455 million for North Korea's Lazarus Group. Lazarus is believed to be behind ransomware attacks like Wannacry, Sony Pictures, and recently the Axie Infinity, Ronin wallet hack.

But mixers aren't all bad. Vitalik Buterin used TC to donate to Ukraine, as did many wealthy individuals in Crypto. And, perhaps more importantly, many wealthy individuals who are privately sympathetic to Ukraine but couldn't show public support (e.g., Russian Nationals)

The Crypto technology that helps you donate to Ukraine in privacy, even if you live in Russia, also allows the North Koreans to hide stolen gains to fund their military effort.

What is Tornado cash?

In most Crypto transactions, every transaction a wallet performs is a public record (and be searched using services like Etherscan). Imagine if every coffee you bought, uber you rode, or purchase made was a public record? It could be a privacy risk.

It is a privacy risk, especially for the wealthy or individuals in war-torn regions or hostile governments. TC is a "mixing service" that mixes 10s of Crypto transactions into a single transaction to give a degree of privacy to the sender and recipient. 

TC is also not just a mixing service; it's a decentralized mixing service. A centralized mixing service is a privately owned service that takes your coins and sends back other coins for a fee. A decentralized service is software (a smart contract) that pools together multiple transaction inputs from multiple wallets and creates multiple outputs to multiple wallets. 

Imagine 30 inputs on the left-hand side, a black box in the middle, and 30 outputs on the other, but it's unclear who sent what to who.

Why is the US Treasury sanctioning Tornado Cash? 

In June, $100m was stolen from the Harmony Blockchain using its Horizon bridge. Harmony is an L1 Blockchain (think Solana, ETH, BTC), and the Horizon bridge is a tool used to "bridge" assets from other chains (so take your USDC on Eth and bridge it to Harmony).

A week later, this attack was linked to North Korea's Lazarus group. Lazarus Group was also suspected of being behind the Axie Infinity Ronin hack that saw $540m stolen from user wallets. 

It would appear that the attackers at Lazarus were then able to use Tornado Cash to funnel the proceeds of those hacks to their benefit. If a bank, Fintech company, or centralized crypto exchange enabled these funds to be sent to North Korea, they'd be in breach of the US Sanctions on North Korea. 

North Korea is a pariah nation, developing Nuclear weapons, and $640m is now available for their Government and military to continue being bonkers. I'm reasonably sure nobody believes that's a good thing.

Now imagine if Crypto and DeFi scale to the size of the existing global financial system. If we still have hacks and mixers used the same way by adversaries, things could go sideways quickly.

As Ryan put it 👇

We must prevent these hacks and this source of funding for a pariah state.

On some level, I don't blame the US Treasury for trying to find a choke point and prevent these types of attacks from being successful. 

Was this the right approach?

Or did they start down the slippery slope to a privacy hellscape?

It now also appears that the Dutch authorities have arrested a man suspected to be a developer of Tornado Cash. I must stress it’s unclear what the charges are, but if the arrest is simply for creating software, this is an alarming development.

The authorities appear to be scapegoating entirely the wrong people for the right reasons. I don’t think anyone wants North Korea to be able to hack and scam consumers and get away with it.

But we don’t solve that by arresting developers building privacy tools.

The message sent by authorities isn’t: “We will go after the right targets.” (Which I think they intended)

The message is, “We will go after easy targets and don’t care if it’s effective or who gets hurt in the process.”

The clampdown on any form of encryption is misguided, and the criminalization of software engineers is even more so. This damages the moral authority of the West to be the guardian of citizens online. Short term, they may not care because the goal is to go after the Lazarus group. But this is like arresting the bridge builders to stop a car thief. It’s a gross overreaction.

Consequently, I fear Crypto, which had been increasingly dollar-based and looking to be regulated, could sweep in the opposite direction.

These actions, far from restricting North Korea, will likely motivate developers to create new tools precisely because the enforcement method is so rage-inducingly stupid and ineffective.

If we want to stop scams and hacks, there are better ways.

But to get to those we need to unpack:

  1. How are the sanctions been applied, and what are their consequences?

  2. Is there a better way to stop state-sponsored hacks than arresting developers and sanctioning wallets?

  3. The need for better privacy vs. AML conversation

  4. The need for first principles rethink of AML implementations

  5. Treating DeFi as the petri dish for upgrading AML and privacy

1. How are the sanctions applied, and what is the impact?

The US Treasury used Etherescan, a "block explorer," a tool to view transactions on the public Ethereum network. The US Treasury has added Etherescan identified wallets associated with Tornado Cash to a sanctions list. 

All US incorporated entities, branches, and subsidiaries must comply with sanctions (and realistically, any business wanting to operate in dollars). 

This includes VASPs (like Coinbase and FTX), Stablecoins like USDC, and even infrastructure providers.

When you play this out. 

  • Circle and Coinbase, the issuers of USDC, must ensure nobody can use their open, permissionless token with Tornado Cash. 

  • Infura, the infrastructure API used by Metamask, UniSwap, and Brave to access Ethereum, must block Tornado Cash. This means most users of Metamask (unless they set up a different node) will now be blocked by default.

In theory, all they did was add a bunch of wallet addresses to their sanctioned entities list. But the reality is the US Treasury sanctioned a smart contract and, in doing so, treated software like a legal person

This is the first time in history a government has sanctioned software.

And there are massive consequences.

The problem is that computer code is neither a natural person nor a legal entity. Code is speech (per Bernstein vs DOJ). Sanctions law is also strict. If an American person or entity transacts with a sanctioned entity, they can be sentenced to 30 years in federal prison. (As for the arrest in the Netherlands, code is not speech there, which may have opened the door to the developer's arrest).

In theory, Vitalik may be implicated in a sanctions violation because he used Tornado Cash to donate money to Ukraine in privacy. Instead of sanctioning the Lazarus Group and its wallets, the US Treasury has gone after a tool the hackers used.

The move already has unintended consequences.

A troll is currently sending tiny amounts of Eth to 1000s of wallets via Tornado Cash.

Is every single one of those individuals who has now used TC subject to sanctions too? 

It’s starting to appear that way 👇

2. How could we solve the state-sponsored hacking problem more effectively?

We know AML is ineffective.

Banks make up 7 of the world's top 10 most penalized companies by regulators. And yet, criminals continue to launder trillions through the existing financial system.

If you look at the problem in terms of pure data, fining banks and expecting them to have a process for due diligence isn't working. But the Treasury isn't worried about criminals; it's concerned about nation-states.

And Crypto is quite effective at detecting money laundering, possibly too effective. Per Chainalysis data, illicit activity is at least 10x lower in DeFi than TradFi (standing at around 0.15% of all transactions, vs. UN estimates of 1 to 2% of GDP in TradFi).

And that's a problem.

Remember the global, public, transparent record? That makes building analytics and tracing money launderers much better in DeFi compared to TradFi

If AML rules can be applied to Crypto and DeFi, they'd be highly effective. 

But we'd also sacrifice privacy for good. 

And I think that’s why the Tornado Cash Sanctions and arrest got under my skin so much.

I believe privacy is a fundamental human right.

3. We need a better privacy and AML conversation.

Perhaps we can start with a definition of privacy.

In political circles, privacy is about corporate overreach on the left, and on the right, it's about free speech and de-platforming, but the target is the same. Big Tech companies. 

The conversation about privacy in Government relates to privacy from Big Tech companies who use consumer data to target ads, but also enabled adversarial nations to weaponize social media to spread misinformation.

Europe decided to attack the problem with bureaucracy in the form of the General Data Protection Regulation (GDPR).

GDPR defines privacy as:

the measure of control that people have over who can access their personal information

And personal information is any data that can clearly be associated with someone (so anonymized data doesn't count). 

GDPR, however well-intentioned, has been ineffective. 

We now have cookie consent forms everywhere, and Big Tech continues to hoover up more data than ever. The consumer, in theory, has a "right to be forgotten" that they can seldom execute. They have a right to data portability that platforms make nearly impossible to use.

The privacy "conversation" happening in Washington will likely draw substantially on GDPR. European Bureaucracy often has a first-mover advantage in this sense. The regulatory world is small, after all.

The GDPR differs substantially from the dictionary definitions of privacy, which are:

A state in which one is not observed or disturbed by other people.

The state of being free from public attention.

Interestingly, neither of these talks about freedom from government attention. Yet I think that’s something a lot of people consider a part of being free.

Consider how in the West, we recoil in horror when we hear about Chinese state espionage on their own people. Or, stories of the Statsi the secret police that spied on the population in former East Germany and ruled with fear, psychological oppression, and informants.

Privacy of data and transaction privacy feels like a fundamental human right, provided I haven’t used it to harm another person or entity.

In the United States, software and money are defined (and protected) as speech and should be private, but that doesn't apply evenly to data.

Some data is bad. For example. Do we want child pornography to be protected as free speech? So data as speech might not be a good solution.

But what if data was property? 

(Funnily enough, the EU Commission is now considering moving that way). Property broadly conveys several rights:

1. The right to exclusive possession;

2. The right to personal use and enjoyment;

3. The right to manage use by others;

4. The right to the income from use by others;

5. The right to the capital value, including alienation, consumption, waste, or destruction;

6. The right to security (that is, immunity from expropriation);

7. The power of transmissibility by gift, devise, or descent;

8. The lack of any term on these rights;

9. The duty to refrain from using the object in ways that harm others;

10. The liability to execution for repayment of debts; and

11. Residual rights on the reversion of lapsed ownership rights held by others

That feels like a pretty good starting point for personal data (anonymized or not).

Of course, the problem with this is a practical one. Each of us has hundreds of gigabytes of personal data held by the Big Tech firms, and expecting them to start paying us for access is unrealistic.

But in web3, why couldn't we model data as property? It's sort of already happening. Wallets have sovereign control over assets (like NFTs), and in the United Kingdom, the supreme court ruled that NFTs are property.

If my identity is stored as an NFT in a web3 wallet. Then do I own my identity? Yes, I think you do.

And what's more, you can permission access to the elements of data in your identity quite trivially (check out PFPid.xyz or Burrata for how that might work).

(Before the DIDs crowd @'s me, I know decentralized identifiers might be a better solution)).

The point is, if data is property, like all property, it should not be searchable without a warrant and not seized without due process.

We know all web3 wallets and their relative NFTs are, in fact, already searchable. Remember, the US Treasury found the wallets related to Tornado Cash from Etherescan. But an NFT can contain an encrypted payload, and data can be stored on services like Arweave to remain private. Using the infrastructure to own and control data is possible without it being public by default. 

This leads us nicely to AML.

4. We need a first principles rethink of AML.

The IMF provides a handy definition of the goals of the current system (not exhaustive, emphasis mine)

Protecting the integrity and stability of the international financial system, cutting off the resources available to terrorists, and making it more difficult for those engaged in crime to profit from their criminal activities

As a market observer, if I were to re-order and re-word the above, it would look like this:

  1. Ensure security by cutting off funds from rogue nation states (Russia, Iran, North Korea) and Terrorists.

  2. Ensure the financial system doesn't explode from instability or get attacked by adversaries.

  3. Make it harder to profit from being a criminal.

Under number 3 is everything we don't like as a society, child pornography, human trafficking, arms dealing, and corruption. And having rules to stop that is a fundamentally food thing.

The goals are good ✅

The problem is how we try to implement AML policy.

The introduction of AML policy turned any entity that stores or moves money into an arm of the state. Banks, FI's, and even a tiny Fintech company are effectively on the hook to be the police of money. Spot the bad guys and report them to law enforcement.

How do you spot the bad guy? 

Requiring any individual or entity trying to move more than $1,000 with you to disclose their legal identity to that organization through the Know Your Customer (KYC) process. If money gets laundered, the Bank, FI, or Fintech company should spot that happening, see if their customer did wrong, and report it to law enforcement. 

But it's not that simple.

  • 90+% of fraud can come from properly KYC'd customers using their real identities. Money mules are people who work with criminals to help them move money through the system. KYC alone isn't an effective tool.

  • Criminals use complex holding company structures to hide their true identities. A company in Panama might own a trust in Malta that owns a company in the Caribbean that owns a Delaware C-Corp. The US-based entity might get a bank account and move money in the US banking system, but it could benefit a foreign national. In theory, FIs must perform customer due diligence to prevent this, but it's tough. Because:

  • The existing financial system has no God Mode. There's no database of which person owns which accounts globally. Various attempts to create "KYC registries" by SWIFT have ultimately failed to gain industry adoption. The industry collaborates and shares data to prevent fraud, but these efforts are often national and for small groups (e.g., the top 20 banks in the US). 

If we did have a God Mode, we could spot suspicious activity trivially. AML professionals call this "follow the money." 

Crypto has half a God Mode. 😇➗

Crypto wallets are pseudonymous. They don't require an identity attached to a wallet to use the Blockchain network.

However, Blockchain networks create a single global record of every transaction with thousands of redundant copies that are impossible to edit. It's the perfect audit trail. Crypto forensics businesses like Chainalysis, Elliptic, and TRM labs do exactly that. They allow organizations and law enforcement to "see" activity patterns (in many cases visually).

Assuming law enforcement spots a cluster of bad activity, they can follow that activity to a logical endpoint. The criminal will try to take the proceeds of crime and cash them out or use them to buy something. At that point, they'd need a legal identity and could be subject to law enforcement.

That's happening today. 

A lot. 

Law enforcement has been so effective at taking down darknet markets because they had this amazing God Mode functionality that does not exist in the current financial system. 

In 2015 I worked with an AML team at a bank that described having "system envy," having seen how easy it was to detect money laundering in Crypto. 

But what works for the law works for the naughty folks too.

As we saw, an attacker is sending tiny fractions of Ethereum to wallets with known celebrities and individuals attached to them (doxxed wallets). 

As soon as an identity is attached to a wallet, it becomes a privacy nightmare.

If we want to get much better at preventing criminals and rogue nations from benefiting from crime, we also need to get much better at protecting consumer privacy. And the tech allows this.

Remember, PFPid.xyz? If my identity can follow my wallet but doesn't reveal my personal data by default, it's apparent that wallet 0x35875389 has an identity without revealing whose identity that is. 

Remember that NFTs are assets with functionality and legos. (In fact, as are all Crypto tokens). So we could create an identity NFT that can have its data revealed if

  1. The user permissions it

  2. The user permissions an agent to reveal that data (e.g., a Bank)

  3. The wallet is implicated in suspicious activity, and a 3rd party wallet (e.g., the US Department of Justice wallet) signs a transaction to reveal that data and can provide an on-chain proof of its warrant.

5. Building in the Petri Dish.

Look, I get that this is a bit fanciful (to expect the Government to use web3 anytime soon when it's busy trying to sanction software).

But my goal was to prove we have the technology to prevent bad things and live in real privacy.

We just need to question some long-standing assumptions.

And maybe this entirely new, parallel global financial system is the perfect petri dish for doing just that?


4 Fintech Companies 💸

1. Guava - Banking for Black Entrepreneurs

  • Guava provides a small business account with no fees, ATM access, and a community of entrepreneurs to connect with. Guava aims to move into lending, especially for rural areas that lack access to financial institutions. 

  • 🤔 Black women are more likely to start a business than white men, according to HBS, suggesting a funding issue with sustaining a business. Being an entrepreneur requires self-funding and pushing the personally available capital as far as possible, but becoming a mature business needs money to maintain and scale the business. Black-owned companies are less likely to receive lending than their white-owned counterparts. This lending gap is also a commercial opportunity left on the table by traditional lenders. 

2. Solid - A BaaS platform 

  • Solid provides checking, cards, and payment capabilities to Fintech and non-bank companies that want to distribute financial products. Offering simple APIs, SDKs, and a dashboard, Solid is pre-integrated into "partner banks." 

  • 🤔 Solid has been around for 3 years and has some interesting customers (Sivo, Dapi), but BaaS is so incredibly crowded. Without astonishing growth, it's hard to stand out from that crowd. Being an also-ran in this race might mean getting acquired if you have good customers or tech. But make no mistake, BaaS is a race, and the fastest at executing will win.

3. Tenet - Trade on real-world events

  • Tenet has a simple premise. Select an event, predict an outcome, and if you're correct, you win a share of the profit pool with others who predicted the same result. Players can then withdraw immediately through UPI. 

  • 🤔 Isn't this just gambling? In Crypto, they call these "prediction markets" because it's truly peer-to-peer, and no middleman is setting the price. Tenet says all trades require an opposing trade to "match" and build an order book. But, there are services like Sporting Index that do exactly this today (which is classified as a Gambling company) 🤷‍♂️. I don't think this is what Angela meant when she said every company will be a Fintech company. Still, interesting to observe the attempted glow-up. Last thought, instant withdrawal from gambling = a high risk of fraud. Fraudsters will often happily lose money in a casino to take out "winnings" that they can cash in as clean money to the banking system.

4. Outgo - the Fintech for Freight Management

  • Smaller trucking and freight businesses can use Outgo for "FDIC insured" accounts, debit card spending, invoicing, and invoice factoring. Outgo has innovative financing features like selecting invoices with the lowest rate to finance or allowing customers to spend on credit using the debit card without a factoring fee. 

  • 🤔 Freight companies need to spend to deliver the goods today but often don't get paid until delivery is complete, and this creates a cash flow gap they fill with invoice financing (factoring). Traditional factoring for small businesses is a blunt instrument where all invoices must be financed. Regional banks often lack the sophisticated tech and processes to only factor cashflow gaps. So small companies end up paying for loans they don't need, and invoice finance becomes a drug they can't get off. I like how well thought out this product is; it's very customer-centric and trying to help their business grow. Bringing tech to finance.

Things to know 👀

  • Reddit has launched community points to its 400m monthly active users. Points are designed to incentivize engagement and better content and reward creators with "tips." Points can also be used to buy special perks, including special memberships and rewards. Points are ERC20 tokens on the Arbitrum blockchain.

  • 🤔 This could lead to a new form of creator content monetization. Creator content monetization typically involves subscriptions or ad-supported. Crypto has seen much more experimentation on platforms like Mirror, which include buying limited edition NFTs for written creative work or token launches. "Tipping" was also popular on the precursor platform Steemit, which had its own network and internal economy. It would be lovely to have an alternative in a world where everything is a subscription and a paywall. The internet sucks lately.

  • 🤔 Reddit is the home of the real internet, not the corporate one. It's a natural home for experimentation. Instagram feels like the heir to America Online (AOL), and their NFTs and market take rate fit that corporate-controlled model.

  • 🤔 L2s and Arbitrum have some mojo. Gradually then suddenly, the scaling issues of Ethereum are being attacked.

  • 🤔 This is a great partnership for FTX. Coinbase had been the default consumer on-ramp for the last two Crypto cycles. FTX Pay becoming an on-ramp to such a massive internet property is a big move

  • Coinbase reported $808m of Q2 revenue, a decline of 64% YoY. Retail transactions accounted for $616.2m. Coinbase reported a Q2 loss of $1.1bn vs. a $1.59bn profit from a year earlier. The loss was made in part by an impairment charge as the value of its Crypto held declined dramatically (from $1bn to $428m). Coinbase announced it would remove 18% of its headcount in response to market conditions.

  • 🤔 Coinbase is the defacto consumer on-ramp into Crypto, and it lives or dies by the market. It sorely needs to diversify but hasn't found its second act. Retail activity is down, but this will force Coinbase to focus. Much of their cost is headcount. Coinbase risked trying to be all things to all people. It signed a huge deal with Blackrock Alladin, and Blackrock is offering Spot Bitcoin exposure to institutions. If Coinbase is the on-ramp for consumers AND institutions, that's a great, focused, lower headcount strategy.

  • 🤔 The regulatory headwinds are no joke, but Coinbase is a survivor. We saw the same after the 2017 bubble; the regulators came. New York made a Bit License. Some companies don't operate there, but big companies like Coinbase do. I can't see a world where Coinbase goes away. Maybe it gets acquired, but I'd be shocked. 

  • 🤔 Don't forget about the Ethereum merge. Ethereum is moving from Proof of Work, the intense energy form of mining used by Bitcoin, towards Proof of Stake. Ethereum launched the beacon chain (AKA, ETH 2.0) on the 1st of December 2020 and will now "merge" the main Ethereum chain (the home of your NFTs and Stablecoins) with Beacon. When that completes, instead of new coins being "mined" by miners with specialist hardware and large energy budgets, users can "stake" their coins to help secure and run the network. But staking is quite complex. 

  • 🤔 The Ethereum Merge could benefit Coinbase significantly. Because staking is complex, using Coinbase is easy, and users could potentially earn a return on their existing Ethereum by "staking" them. If Coinbase facilitates this, it could charge a fee for generating this return as a significant new source of income.

Good Reads 📚

  • Ron shares some surprising data about consumer subscriptions to Fintech services, like 40% of consumers pay to receive a Fintech service (rising to 47% in Gen Z). Consumers like that the subscription is transparent and avoids "hidden fees." Typically subscribers are also more engaged and deposit higher balances. This represents a $13.3bn revenue pool today.

  • 🤔 The original "subscription economy" of early Netflix and Spotify took hold by giving the sense of overwhelming value for an incredibly low price. That doesn't feel to be the same with Fintech subscriptions. Early Netflix had all of the movies, and Spotify had all of the music, and it competed with trying to own those entire catalogs, which could cost $1000s. I don't think Fintech subscriptions have reached that feel yet, where the consumer feels like I just have to pay that.

  • 🤔 Subscriptions today are everywhere, from grooming to household essentials to subscribing to an entire service for one piece of content (Netflix for Stranger Things, Paramount+ for Halo, etc.) Perhaps this is the opportunity for Fintech companies to offer something compelling and unique that nobody else does. 

  • 🤔 Fintech subscription features today are nice to have, like consolidated open banking or managing your other subscriptions (like Spotify, etc.). But I'd love to see someone aggregate these features into a sort of financial services auto-pilot or co-pilot. Prompt to create a rainy day fund, prompt to sweep end-of-month cash into that, when it's full, prompt to build savings, and on payday, prompt to invest a progressively higher percentage per month. All of these triggers are sitting there, waiting to be fired. The hard part is making them contextual to a user.

Tweets of the week 🕊

That's all, folks. 👋

Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)