The problem

The cryptocurrency market is small and immature compared with markets for traditional stocks and bonds, but the criminals trying to profit from it are among the most sophisticated in the world—and they are reaping bigger and bigger rewards. “Unfortunately, we keep seeing the criminal numbers go up and up and up,” says Dave Jevans, CEO of blockchain analytics firm CipherTrace, which is developing an anti-money-laundering product for exchanges. According to a new report published by the company, thieves and scammers took an estimated $4.26 billion from cryptocurrency exchanges, investors, and users in the first half of 2019. “All of that stuff has to be laundered out,” Jevans says.

What draws criminals to cryptocurrency is the capacity for anonymous, peer-to-peer value transfer. Technically, most cryptocurrency systems are pseudonymous—users are identified publicly, but only by a string of random numbers and letters. Since every transaction is recorded on a public ledger, criminals resort to a range of tactics, including using multiple addresses and exchanges, to cover their tracks as they move ill-gotten money around.

In regulated jurisdictions like the US, Japan, and EU, exchanges—the bridges between the traditional financial system and the cryptocurrency world—are already required to verify the identities of their users, a process commonly called “know your customer.” But many exchanges around the world have lax policies that allow people to move money or cash out without identifying themselves.

The “travel rule”

In June the Financial Action Task Force (FATF; pronounced “fat F”) published a much anticipated, technically nonbinding guidance detailing expectations of how its 37 member jurisdictions should regulate their respective “virtual asset” marketplaces. Here’s the contentious part: whenever a user of one exchange sends cryptocurrency worth more than 1,000 dollars or euros to a user of a different exchange, the originating exchange must “immediately and securely” share identifying information about both the sender and the intended recipient with the beneficiary exchange. That information should also be made available to “appropriate authorities on request.”

Besides deterring would-be money launderers, this makes it possible to blacklist certain individuals who are subject to economic sanctions, as well as entities like terrorist organizations. It’s essentially a crypto version of a US banking regulation commonly called the “travel rule,” which imposes a similar requirement on traditional financial institutions (though the threshold is $3,000). In the US, crypto exchanges have always been subject to this rule, according to a recent guidance from the Treasury Department’s Financial Crimes Enforcement Network. The agency just hasn’t started enforcing it yet.

Not so nonbinding

Since the Group of Seven (G7) and influential members of the G20 plan to apply the policy, it really is binding, says Jesse Spiro, global head of policy at Chainalysis, a blockchain analytics firm. In particular, the US, which held FATF’s rotating presidency from July of 2018 until last month (China now holds that responsibility), is pushing the issue. Secretary of Commerce Steve Mnuchin has called FATF’s standards “binding to all countries.”

A global anti-money-laundering system?

In July, Reuters reported that as part of an effort to combat money laundering, Japan’s government is “leading a global push” to set up for cryptocurrency exchanges a system like SWIFT, the international messaging protocol that banks use for bank-to-bank payments. Last week, a report from Nikkei suggested that 15 governments are planning to create a system for collecting and sharing personal data on cryptocurrency users.

But several people familiar with the FATF-led international discussions around cryptocurrency regulation told MIT Technology Review that these reports don’t have it quite right. There doesn’t appear to be a government-led global cryptocurrency surveillance system in the works—at least not yet. And it’s likely that whatever does eventually emerge won’t look much like SWIFT. Exchanges are still early in the process of figuring out what systems and technologies to use to securely handle sensitive data, Spiro says, and how to do it in a way that complies with a range of local privacy rules. “There are a lot of balls in the air,” he says.

A line in the sand

“Regulators have made clear that the old way of transacting, where you have pseudonymous transfers—that’s not going to scale,” says Yaya Fanusie, a blockchain consultant and researcher who used to be an economic and counterterrorism analyst for the Central Intelligence Agency. Some users may leave compliant exchanges for others that choose not to share personal information, or seek out more decentralized methods of exchange that are harder to police.

But Fanusie says such a community will have to remain niche. He says mainstream financial institutions, which many think could drive the next phase of cryptocurrency adoption, will be more comfortable adopting the technology knowing that money laundering controls are in place. “I would describe the crypto space as being at a crossroads,” says Fanusie. Over the next year are so, we will see the industry “trying to figure out how it wants to position itself, and if it wants to scale.”

This story has been edited to reflect that China now holds the FATF presidency.