Wednesday, October 2, 2024

A glass half-full take on Caucasus sanctions evasion

Ed Conway of Sky News recently published a very good investigation on sanctions evasion being carried out through the Caucasus. He visits the Lars border crossing between Georgia and Russia to document how smugglers are openly moving British and German luxury cars into Russia, in contravention of sanctions on Russian luxury car imports.

In a subsequent interview, Conway describes this as the "most depressing" bit of journalism he has ever worked on. He agrees with his host that the west's sanctions are "performative," in that they are simply there to make Western voters feel good, but in reality achieve very little. He concludes: "The toughest sanctions regime in history, is anything but..."

For anyone who supports Ukraine's cause, this is all difficult to watch. However, I think that Conway has arrived at a glass half-empty interpretation of the details of his own reporting. What follows is my glass-half-full take on Conway's visit to the Caucasus. What I'm hoping to convey, using the details from his video, is that we (i.e. the West) are doing ok. Yep, we could be doing better (and hopefully will), but let's take heart at what we've achieved to date.

Conway tracks two new Range Rovers being smuggled from Tbilisi, Georgia's capital, northwards to the Lars border crossing with Russia. Prior to Conway making contact with them, the Range Rovers have already been on a circuitous trek. Manufactured in Solihull, UK in 2024, we learn that the vehicles were originally shipped by Jaguar Land Rover to a dealer in a country that does not share a border with Russia, so not Georgia, but perhaps Turkey or the Emirates. Thus the first leg of their journey would have involved a long trip in a container ship or RORO cargo ship from England to Dubai or Istanbul.

In the second leg, the smugglers who acquired the car in Turkey or UAE paid for it to be shipped to Georgia, either by boat or overland.

In the third leg, which is the only leg that Conway observes, two single trucks can be seen transporting each Range Rover through Georgia to the Lars border crossing along a skinny winding road. The Range Rovers are deposited in a parking lot next to a "forlorn" cafe on the Georgia side of the border (the parking lot appears to have no security), and after a few days a new driver is paid to take the car to the Russia side and leave it there. 

The parking lot where sanctioned luxury cars are stored at the Georgia-Russia border

Now the fourth leg begins. Another driver is contracted to bring the vehicle to its final destination in Russia. This last leg is no small trip, with the biggest Russian markets, Moscow and Saint Petersburg, at a distance of 1,800 km and 2,500 km respectively from the border.  

These successive legs add up to an arduous trip. The shipping bill is likely quite large. To boot, along each leg of this journey additional paperwork must be completed, insurance purchased, border officials bribed, storage fees paid, transit license plates acquired, and taxes levied. It is Western sanctions that have imposed this haphazard shipping burden and jungle of administration on Russia's trade in Range Rovers.

But compared to what? Understanding the burden we've imposed on Russia requires that we compare the current state of affairs to the one that was taken away; namely, the highly-developed patterns of trade that existed before sanctions were deployed in 2022. As economists like to say, it's the opportunity cost, or the value of the next-best alternative, that represents the true burden of the sanctions on Russia.

What Russia has lost is the full expertise and capital of Western logistics being brought to bear on the problem of bringing Range Rovers as cheaply and rapidly as possible from Jaguar Land Rover manufacturing plants to Russian buyers. This involved Range Rovers being loaded en masse into highly-efficient RORO cargo ships in the UK and sent, not along a circuitous route passing through the Suez Canal or around the Cape of Good Hope, but by the shortest passage possible, the Baltic Sea.

In the pre-sanctions era, vehicles destined for Russian buyers were unloaded at the Port of Saint Petersburg, Russia's second-largest city, or next door at the massive Port of Ust-Luga. So the goods passed through customs just once, rather than multiple times. These two Baltic ports are purpose-built for handling large amounts of vehicles as efficiently as possible. From there the Range Rovers were transferred to their final Russian destination not piecemeal, as appears to be the case with the Lars crossing, but in batches via dedicated rail infrastructure and multi-level car haulers.

Illicit Range Rovers being transported one-by-one via flat bed truck to the Georgia-Russia border


Thanks to sanctions, Russia's first-choice trade route, optimized over many years of trial and error, no longer exists. It's been replaced by an improvised Rube Goldberg trade route involving two much longer sea journeys followed by a crappy single-lane road wending its way through the mountains of Georgia to a border crossing that was never designed to handle large volumes of trade. Once across the border, the contraband cars must be on-shipped using rail or road infrastructure that pales in comparison to the significant economies of scale that characterize the Saint Petersburg/Moscow hub. This is plainly an awful fix.

There's another new cost that needs to be factored in, too: the risk of being caught. Given that it is likely that the dealer in the Emirates or Turkey is part of the sanctions evasion conspiracy, they run the risk of having their dealership status revoked should Jaguar Land Rover catch them. The dealer will therefore only sell to Russians or other Russian-linked third-parties if the price offered is a high one, enough to compensate them for the risk of losing their franchise.

This extra risk premium, combined with all the additional transportation and intermediation costs listed above, gets embedded into the final all-in price that folks in Moscow will have to pay for a new Range Rover. How high is this price? Certainly much higher than before sanctions were applied. Stephanie Baker, author of Punishing Putin, found in her reporting that western cars in Moscow showrooms were being sold for twice as much as in the U.S. The Times describes luxury Bentleys selling in Moscow for about £400,000 plus £50,000 in VAT; the same model costs just £250,000 in the UK.

Think of this extra price wedge as a sanctions tax on rich Russian car buyers. So yes, cars are squeaking through the West's sanctions blockade, as Conway's reporting reveals, but let's not forget that this comes at a big cost.

A 2,000 km drive from Tbilisi to Moscow

The sanctions tax includes another component. A car is not just a one-time purchase. It represents a commitment to make a long chain of repairs and tune-ups over its lifetime. Since the new Range Rovers in Conway's video are illicit, they won't qualify for any dealership support. The warranty is probably void, too. Telematic upgrades provided by Jaguar Land Rover servers in the UK have likely been turned off. Furthermore, since Jaguar Land Rover no longer sends parts to the Russian market, all replacement parts will have to be smuggled over the border, with the cost of ongoing car servicing ballooning.

So in the end, voters in the West can take at least some pride from what western sanctions have achieved. By sanctioning luxury cars, we've forced Russian elites to divert more of their finite wealth to paying for circuitous, awkward, and risky pathways into Russia. This means these elites have less left over for other things.

Now, that doesn't mean western voters can relax, and Conway's reporting is good fodder for galvanizing voters to ask their representatives for further action. While sanctions have made the pathway for Range Rovers and other goods into Russia a long and winding one, we need to keep making it even longer and more awkward.

For instance, Conway's video teaches us that there is just one road connecting Russia to Georgia. What a fantastic chokepoint for western sanctions to target! By working more closely with Georgian authorities, the U.S. and its allies may be able to induce them to add a number of frictions to the Lars border crossing, thus forcing car smugglers to divert contraband vehicles to even more roundabout trade routes, the end result being Russian elites paying an ever higher price.

Saturday, September 14, 2024

How should money laundering laws apply to DeFi?


Everyone agrees that money laundering laws apply to DeFi. The question is: how to apply them?

DeFi, or decentralized finance, is an emerging segment of the broader financial industry that delivers traditional financial services, say like trading or lending, using a novel type of database: blockchains.

These blockchains allow people to create financial robots, or bots, that the public can engage with in order to get financial services. And not just any sort of bot. These are autonomous, unstoppable, non-upgradeable financial bots. They operate independently of humans; once its creator sets it free, the bot never needs the intervention of its creator, or anyone else, ever again. The bot is unstoppable; once its code is live, it can't be erased, upgraded, or altered. The bot is incapable of deviating from its original code; it is forever locked in place.

(Most financial services provided on blockchains don't quite meet the strict standard described above. These "fake" DeFi bots are upgradeable and are driven by a human operator or team behind the scenes. The application of money laundering laws to fake DeFi bots is straightforward. What I'm addressing in this post is the true DeFi bots, the ones that are autonomous, unstoppable, and non-upgradeable.)

Historically we haven't received our financial services from autonomous, unstoppable non-upgradeable agents. We've always gotten them from brick and mortar institutions like banks and brokerages. These institutions are run by human executives and employees who rely on a fairly malleable set of machine aids, like websites and Excel spreadsheets and SQL databases.

The application of money laundering law to banks and other financial institutions is well understood. If a bank consciously allows dirty money onto its platform, we punish the bank and the folks who run it. This follows from 18 U.S. Code § 1956, which says that anyone who knowingly conducts a transaction involving dirty money, and does so in a way to conceal its origin or disguise its control, can be punished with up to twenty years in jail for money laundering.

Here's the question: when financial services are provided through the mediation of autonomous, unstoppable, non-upgradeable bots, and not human-operated banks and brokerages, who does society punish when dirty funds are processed? What DeFi party is liable under 18 U.S. Code § 1956?

The bot itself is nonpunishable. It simply keeps on ticking. It's not a human and can't learn from punishment. So that's a dead-end.

There is no human operator or governor to punish (at least, not in the case of pure DeFi bots). The bot is 100% autonomous, operating without the aid of a human behind the scenes.

What about the creator? I've argued in a previous post on a particular DeFi bot, Tornado Cash, that it makes a lot of sense to hold the creators of unstoppable non-upgradeable financial bots accountable for money laundering, even if those creators are no longer involved with the bot in any way. To protect themselves from being charged with money laundering, creators will choose at the very outset to equip their financial bots with a means for screening out dirty funds, thus complying with the law. I'll let you read that post yourself.

There's another option. In a recent exchange with a member of Congress, a DeFi lobbyist suggests that the users of unstoppable non-upgradeable financial bots, not the creators, be held liable for their own bad conduct. Here's the clip:

This is an interesting solution. Let's work out how money laundering law spreads into DeFi if a user-pays-the-price strategy is adopted.

Say that criminals regularly place dirty funds with a certain DeFi bot, perhaps a decentralized exchange (like Uniswap), in order to clean them, and this is a widely-known fact. Next, let's look at what happens when a user with licit crypto submits their funds to the same bot. By consciously allowing their clean funds to be commingled with dirty funds and swapped for them, these licit users have themselves become bad actors. After all, helping criminally-derived funds make a getaway is a crime: we call it money laundering.

Under this user-pays-the-price scenario, DeFi becomes radioactive. Anyone interacting with an unstoppable, non-upgradeable financial bot is playing with fire, since a potential money laundering charge is just around the corner.

In an effort to reduce the odds that they face a money laundering charge, users may try to shop around for bots that have been coded with filters for screening out bad actors. Creators may try to compete with each other to attract users by providing genuinely compliant bots.

The upshot is that whether society decides to make creators of financial bots liable for money laundering, or users liable, the end result may very well be the same. Bots will be built with anti-crime devices, thus falling in line with society's money laundering laws. That's a good result.

However, for pragmatic reasons my preference is to hold creators liable rather than users. My mental model of a prototypical retail user of financial services is a frazzled individual who doesn't have the bandwidth or knowledge to grasp exactly what they are doing with their money, because their time is divided between their family, jobs, education, church, hobbies, and other important things. What an awful burden to put on these people: "Oh, by the way, be careful where you get your financial services online, because you might be caught laundering money for the mob." Indeed, one of the advantages of dealing with a traditional bank is that a licit user needn't worry about this hazard.

Creators, on the other hand, are far fewer in number than users, are likely to be financially savvy, and probably have far more time to devote to the intricacies of financial law. And so the creator class will be better able to bear the burden of a potential money laundering charge, and to instigate the necessary compliance.

So if we had to choose who should be liable for the bad conduct flowing through unstoppable non-upgradeable financial bots, I say target creators, if possible, and not users. We all agree that money laundering laws apply to DeFi, the end goal being bots that exclude criminals, but placing the liability on users is an inefficient and unfair way of extracting compliance.

Friday, August 9, 2024

Stablecoins – a digital version of Swiss bearer savings books


Before anti-money laundering laws arrived in Switzerland, anyone could walk into a Swiss bank and open an account without showing any ID. The bank would then issue you something called a bearer savings book, otherwise known as inhabersparheften or livrets d'épargne au porteur. Ownership of the savings book was considered by the bank to be proof of ownership of the underlying funds in the account. The person who opened the account could keep the book or, if they wanted to, pass it on to someone else without notifying the bank, at which point this second person was entitled to the underlying funds and could in turn pass the book on to a third person, and so on.

In essence, Swiss banks were issuing their very own version of cash.

As time passed and society's awareness of money laundering grew, usage of Swiss bearer savings book accounts was circumscribed by law. In 1977, banks were required for the first time to identify the initial customer to open the account. Also, anyone who wanted to withdraw over CHF 25,000 had to be identified by the bank. But the savings books still enjoyed a significant degree of anonymity. After account opening and prior to withdrawal, books could continue to circulate without identity checks.

In 2003, the issuance of new bearer savings books was prohibited by the Swiss government. Banks were now required to cancel existing savings books when they were presented to a bank's physical desk. Existing bearer savings books could continue to circulate anonymously from hand to hand, like cash, but thanks to steady cancellations they represented just 0.002% of the total assets held in Swiss bank accounts by 2019.

And so ended the Swiss bearer savings book. In the meantime, however, a similar financial instrument has arrived: the stablecoin.

To get some stablecoins, you need to deposit funds with the issuer, which will identify you upon deposit, but after that the stablecoins are free to circulate in the wild without any sort of checks. You can send them to a friend, and she can send them to a relative overseas, and that relative can transfer them to a drug dealer, and none of these subsequent owners need to show their IDs to the issuer. Stablecoin issuers, much like Swiss banks that once issued bearer savings books, often have no idea who they are dealing with.

So if Swiss bearer savings books have long been prohibited, why are stablecoins allowed to proliferate?

This is exactly the point made last month by FINMA, Switzerland's financial regulator, when it indicated that it will no longer tolerate the anonymous transfer of stablecoins. New guidance states that the identity of anyone holding a stablecoin must be "adequately verified by the issuing institution." So not only yourself, but your friend, her relative, and the drug dealer in the above transaction chain will be required to provide their ID.

To justify its new policy, FINMA appeals to the idea of technological neutrality. My take on technological neutrality is that just because a financial product (in this case a payments product) appears on a novel medium, or substrate (i.e. a blockchain) doesn't mean it is exempt from the same rules that already apply to equivalent products like bank savings books, which are issued on older substrates. Same function, same regulations.

Up till now, stablecoin issuers like Tether have tried to dodge these identification requirements with the legal fiction that only primary holders of stablecoins (i.e. those who originally deposited funds to get stablecoins) are their customers, and so it is only to this batch of holders that they have a due diligence obligation. Secondary, tertiary, and subsequent holders are not "customers", and so the issuers say they don't need to identify them.

But FINMA isn't buying this argument, and rightly so. All holders, not just primary ones, have a "permanent business relationship" with the issuer, says FINMA, and so everyone must be identified. You can certainly understand why FINMA wants to get ahead of this problem. If regular Swiss banks all see that stablecoins are enjoying special treatment, then they'll all join in on the party by switching over to the new substrate.

FINMA's guidance may not seem like a big deal. There are only two Swiss franc stablecoins to which it applies, and they are both tiny. Bitcoin Suisse's XCHF has under 1 million CHF in circulation, and Centi's CCHF doesn't appear to have much more. (Facebook may have run into an earlier informal version of this rule when FINMA assessed initial versions of its Libra stablecoin.)

But as a respected part of the global regulatory fabric, FINMA could very well be copied by other regulators. More importantly, FINMA is a member of the Financial Action Task Force, or FATF, an umbrella organization representing the anti-money laundering authorities of 38 major nations. FATF promotes global anti-money laundering standards by blacklisting countries that fail to adopt them. If FINMA's policy on stablecoins is indicative of an emerging FATF approach to stablecoins, then expect it to spread.

The shocking thing to me is that it has taken this long for a major global regulator to issue a concrete ruling on the issue of stablecoin anonymity. It's about time. Standard anti-money laundering practice requires financial institutions to verify who is using their platform. Stablecoin issuers shouldn't get a free ride.

Wednesday, July 31, 2024

China is slowly joining the economic war against Russia

I recently shared a chart on Twitter showing Chinese exports of ball bearings to Russia. Here it is:


Having accelerated after Putin's invasion of Ukraine to a run-rate of around US$5-7 million per month in 2023, Chinese ball bearing exports to Russia have been ratcheted down to the $2-3 million level in 2024, about where they stood prior to the invasion.

What's going on here? As Russia's closest ally, shouldn't China be sending Putin all the ball bearings he wants? Russian tanks are being destroyed every day and ball bearings are a crucial component for building replacements.

Before answering this question, we need a bit of background.

We can think of the economic response to Russia's illegal invasion of Ukraine as progressing in two stages. The first stage of the economic war involved a coalition of liberal democracies (U.S., the EU, Canada, Japan, Switzerland, South Korea, Norway, the UK, and more) reducing their own economic linkages to Russia. Europe drastically scaled down its imports of Russian natural gas. Imports of Russian crude oil into Japan and Germany were slashed to bare bone levels. Western corporations like Coke and John Deere decamped. And the U.S. made an effort to cut down on exports of military goods and so-called dual-use items, which have both commercial and military applications. Ball bearings fall into this category, since they are useful not only for civilian vehicles but also artillery and tanks.

The second stage of the economic war has only recently ramped up, and involves the coalition exerting its influence on non-coalition countries like Turkey, United Arab Emirates, China and India in order to get them to cut down on their economic linkages with Russia.

A key component of this next stage is the U.S. secondary sanctions that were introduced in December 2023 by the U.S. Treasury's Office of Foreign Assets Control ("OFAC"). I've written about them here, here and here.

In short, if OFAC catches a foreign bank in Shanghai, Delhi, or Dubai facilitating transactions involving Russia's military-industrial complex, including dual-use goods, then that bank risks being cut off from the U.S. banking system. Because the U.S. banking system is so vital, foreign banks prefer to cease all offending Russian trade. This effectively stops Turkish or Chinese ball bearing manufacturers (as well as any other businesses that deal in dual-use goods) from dealing with Russian buyers, since these manufacturers are reliant on their local banks for cross-border payments.

Along with OFAC's introduction of secondary sanctions, there has also been a big step-up in U.S. export controls, which are overseen by a different agency, the U.S. Department of Commerce's Bureau of Industry and Security ("BIS"). The BIS maintains a list of U.S.-produced dual-use items. American and foreign entities are required to get a license from the BIS before exporting, reexporting, or importing certain items on its list.

In March 2024, the BIS broadened the criteria that trigger a licensing requirement. The criteria now include any involvement of entities listed under fourteen different OFAC sanctions programs, the majority of which are linked to Russia and Ukraine. So for example, if a Hong Kong-based wholesaler intends to re-export a BIS-listed item to a country like Armenia, or transfer that item within Hong Kong, and they fail to realize that the recipient is an actor on one of OFAC's Russia-related sanctions lists, then that Hong Kong wholesaler has now violated U.S. export controls. To prevent violations, intermediaries like our Hong Kong wholesaler must sharpen their screening requirements.

These new rules, which have been described as a BIS "force multiplier" of OFAC's sanctions program, are intended to assert influence over a broad cross-section of dealers that specialize in indirectly re-exporting goods to Russia. These indirect routes often proceed through a labyrinth of pit-stops in jurisdictions like UAE, Hong Kong, and Kyrgyzstan.

Back to ball bearings. How is the second stage of the economic war progressing? The chart at the top of the page suggests the new measures may be working. Recall too that in February I wrote a post tracking what seemed to be some initial anecdotal indications of success. In the rest of this article I want to use another four or five months of data to provide a more complete picture of how China's interactions with Russia have been affected.

China is crucial to Russia because it has become a key source of goods destined for the battlefield. According to a report from the KSE Institute, some 44% of all Russian parts destined for the Ukraine battlefield were linked to producers in coalition nations, primarily the U.S. These include parts that have been branded by American stalwarts like Intel and Analog Devices. Mainland Chinese producers accounted for 47% of battlefield goods (see chart below). However, progressing further down the value chain to country of dispatch, around 56% of all battlefield parts, including the U.S.-produced ones, get to Russia by way of China, and another 22% via Hong Kong, a special administrative region of China. Together, almost 80% of Russia's battlefield parts are dispatched from these two Chinese sources.

Source: KSE Institute

In other words, not only is China producing its own battlefield goods destined for Russia, but it is also responsible for the final re-routing to Russia of most U.S. produced battlefield goods, at least in the period starting in January 2023 and ending that October.

The items that make up the battlefield goods cited by the KSE Institute are derived from the coalition's Common High Priority List, which includes 50 dual-use items that Russia seeks to procure for its weapons programs, one of which is ball bearings. For the rest of this article I will focus my analysis on the four most important goods on the Common High Priority list: Tier 1 items. Tier 1 items consist of microelectronic circuits (processors, memories, amplifiers, and other circuits) that the BIS says play a "critical role" in the production of advanced Russian precision-guided weapons systems. Russia lacks the ability to produce these items and is reliant on a limited number of global manufacturers, according to the BIS, which only amplifies their importance to Russia.

The chart below shows Chinese exports of Tier 1 items to Russia as reported by China's customs authority. Prior to Russia's invasion of Ukraine, these exports typically came in at around $5 million per month. Post-invasion, they rose to a range of $10 million to $34 million per month, suggesting significant military diversion. 


With the arrival of secondary sanctions in December, monthly Tier 1 exports have fallen below the pre-invasion watermark of $5 million.

The above customs data does not include Hong Kong, which along with mainland China has become a major Chinese source of Tier 1 exports to Russia. To provide a more complete picture, the chart below adds Hong Kong customs data to the mainland customs data. Running between $25-$60 million during most of the war, Tier 1 exports to Russia from the Chinese mainland and Hong Kong have collapsed to sub-$15 million levels this summer, lower than at any point in 2021.


That's quite a big plunge, and certainly suggests that the coalition measures are working with respect to China. Skeptical readers may suggest that China has stopped exporting Tier 1 items directly to Russia only to re-route them via third party nations. According to this theory, the $40-$50 million decline in monthly Chinese exports is being made up by a $40-50 million rise in Chinese exports to, say, Kazakhstan, which eventually make their way to Russia.

Below, I've plotted all Tier 1 exports from the Chinese mainland and Hong Kong to a group of Russian neighbours that includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, and Uzbekistan.


China's Tier 1 exports to Russia's neighbours rose after the invasion, suggesting significant diversion of exports to Russia, and in March 2024 hit $7 million, their second-highest level over the entire 2021-2024 period. However, over the last three months Tier 1 exports to Russia's neighbours have plunged below even pre-invasion levels.

So no, the theory that third-parties have replaced direct China-Russia trade is not borne out in the data.

In sum, a variety of U.S. economic tools including secondary sanctions, bolstered export controls, and other types of moral suasion seem to be prying China out of the arms of Russia and into the coalition's effort to economically strangle the Russian war machine.

But there's more to be done. China's exports of high priority goods like circuits and ball bearings have fallen in 2024, but they haven't yet hit zero. That will require more pressure on the Chinese government as well as enforcement against Chinese and Hong Kong companies that violate sanctions and/or exchange controls, as well as against intermediaries in third-party nations like Kazakhstan. To further tighten the screws, the coalition will need to constantly broaden the range of economic activity between China and Russia that it deems off-limits. For now, the coalition says that it is perfectly fine for Chinese companies to export cars and vacuum cleaners to Russia, but there may be a time at which that permissiveness will have to change.

In fact, one of the coalition's biggest escalations in the sanctions war occurred in June, with the U.S. secondary sanctions program being extended to include Russian banks. (I wrote about this here.) In effect, Russian financial institutions are now off-limits for Chinese banks (and banks elsewhere, too), unless these Chinese banks want to lose their access to the U.S. banking system. This blacklisting of Russian banks will make it very difficult for Chinese exporters to continue doing business with their now-unbanked Russian counterparts, further eating into the trade relationship between the two nations.

The trade data in the above charts does not yet include the effects of the extension of sanctions to Russia's banks, but I suspect the effects will be significant.

Welcome to the economic war against Russia, China. We hope you continue to do your part. 

Thursday, July 25, 2024

Bitcoin as a tool of U.S. economic statecraft

Riot Platform's Rockdale, Texas facility, North America’s largest Bitcoin mining farm by developed capacity [source]

Can a network that has been marketed as being resistant to government power be harnessed by the U.S. administrative state in order to attain its foreign policy goals?

Sam Lyman, an executive at Riot Platforms, a bitcoin miner, opens the door to the topic by suggesting that bitcoin can become a tool of U.S. economic statecraft, and the way to do so is by having the U.S. government buy a strategic reserve of the stuff.

I agree that bitcoin can be used as a tool of U.S. economic statecraft, but disagree on how. There's absolutely no need for the U.S. government to buy any bitcoin in order to lever the Bitcoin network for foreign policy purposes. Buying bitcoins would only waste scarce resources, driving up the price to the benefit of a select few speculators. No, the U.S. already has the means to lever the bitcoin network, and that's by leaning on the U.S. private sector's dominance of bitcoin mining, of which Lyman's own Riot Platforms is a big player (see photo at top).

The U.S. controls 38% of all bitcoin mining capacity, a big share of that being in Texas. Mining is a word people use in place of "maintaining the network." When a bitcoin transaction is made, miners are the folks who verify and process it, a number of miners often banding together to form pools for that purpose. Without miners, the bitcoin network ceases to function. 

How to lever the Texas bitcoin mining nexus for the purposes of statecraft? In short, the mining nexus must be brought on par with its bigger cousin, the New York banking nexus, which the U.S. government already harnesses to further its foreign policy goals.

Any American banker that deals with a foreign individual or entity that has been designated, or sanctioned, by the U.S. government risks a penalty, either monetary or jail time. Sanctioned individuals are generally folks living overseas who are deemed to be in conflict with the U.S. foreign policy interests. And so U.S. banks, the largest nexus of which is based in New York, try to avoid punishment by cutting sanctioned names off from their banking platforms, thereby exporting American foreign policy to the rest of the world.

By requiring Texas's bitcoin miners (or the pools of which they are members) to abide by the same standard as banks (don't deal with bitcoin users who are deemed detrimental to U.S. foreign policy goals or you will be punished), the Bitcoin network would likewise become a platform for extending American foreign policy goals to the rest of the world. This would oblige Texas miners to comb over sanctions lists and offboard blacklisted individuals, just like bankers currently do. With 38% of the world's mining capability in Texas and a few other states, that's a sizable amount of U.S. influence.

But that's only the beginning. There are ways to further upgrade bitcoin's capability as a tool of sanctions-based statecraft. When the U.S. sanctions program was still in its infancy, the punishment for breaking U.S. sanctions was generally limited to American individuals and entities. Over the last decade or two the U.S. has been extending punishment extraterritorially to foreigners, by arguing that when a foreigner "causes" an unsuspecting U.S. entity to process sanctioned transactions, then the foreigner is themself criminally liable under U.S. law for sanctions evasion.

An example may help. A decade ago a large Turkish bank called Halkbank processed transactions for sanctioned Iranians. Nothing illegal about that. A Turkish bank isn't under U.S. jurisdiction, and thus it can deal with any customer the Turkish government allows it to, even one that has been blacklisted by the U.S. What got Halkbank in trouble with the Department of Justice is that the transactions it processed passed through, or transited, the bank's correspondent accounts in New York. The fact that it had "caused" its New York banker to provide financial services to sanctioned Iranians (see the language below) was enough for Halkbank to be criminally indicted in New York for sanctions evasion.


The crime of causing others to violate sanctions [source]


The same framework could be extended to Texas bitcoin miners.

For instance, if a Turkish crypto exchange were to send some bitcoins to a sanctioned Russian, and this transfer was processed by a Texas mining farm or pool, say Riot Platforms' Rockdale facility, that would now give the U.S. government the hook it needs to charge the Turkish exchange with a sanctions violation. By "causing" Riot to process a prohibited transaction, the Turkish exchange is itself criminally liable under U.S. law. To avoid that possibility, the Turkish exchange may choose to proactively adopt the U.S. government's sanctions list, thus acting as a vessel for conveying U.S. policy on Turkish soil.

The threat of punishing foreign actors for "causing" U.S. entities (whether those be miners or bankers) to process sanctioned transactions acts as a force-multiplier of U.S. foreign policy goals. Not only do U.S. financial institutions export policy, as was traditionally the case, but now foreign institutions are nudged into importing it, too.

To sum up, if folks like Lyman were genuinely serious about harnessing bitcoin as a tool of U.S. foreign policy, they'd be calling for the U.S. government to apply to miners the same sanctions standards that currently apply to regular financial entities like banks. That they aren't calling for this, and instead want the U.S. government to buy bitcoin, suggests they are motivated by a higher price for bitcoin and their own corporate profits, not actual statecraft. 

Thursday, July 11, 2024

Your finances are being snooped on. Here's how


We all have a pretty good idea that our finances are being snooped on, but most of us aren't quite able to articulate how. We know that we're being snooped on by two groups, corporations and the government. This post will focus on how the government surveils our transactions, because democratic governments generally (but certainly not always!) tell us ahead of time what information they will gather, and how the data will be used.

Governments snoop on law-abiding citizens' financial data for good reasons: they are trying to trace the money in order to catch bad guys. The government has been given the power to collect this information without having to ask a judge for approval, say by requesting a search warrant.

I think there is a degree of acceptance among citizens that some amount of warrantless financial snooping is okay, because it reduces crime. But as the intensity of surveillance increases it eventually reaches creepy territory, at which point most of us would prefer the brakes be applied.

Where is this line? I'm a committed comparativist. To get a good sense of how one is snooped on, and whether it has passed over the line to being creepy, one needs a reference point. So in this blog post, I'll compare how two groups of citizens, Americans and Canadians, are being surveilled by their respective governments, so that both groups can better understand, by reference to each other, where they stand.

The first section focuses on the inflows of personal financial data from citizens to the government. The second section will focus on the outflows of data from the government to law enforcement.

***How citizens' personal financial data flows into the government***

Both the U.S. and Canadian governments collect large amounts of financial data about their citizens. They do so by requiring banks and other financial institutions to record information about their customers and submit reports to the government about their customers' transactions when certain triggers have been met.

First, let's touch on the total amount of data being hoovered up. On this count, Canada far exceeds the U.S. In the 2022-23 reporting period, Canadian financial institutions submitted a total of 36 million reports to the government containing information about Canadians' financial transactions. That's almost one report per Canadian every year. 

Meanwhile, U.S. institutions sent 27.5 million reports to their government about Americans' financial dealings in 2023, a rate of around 0.1 report for every American, which is ten times less intensive than in Canada. So based purely on the quantity of data collected, Canada seems to be closer to the "it's getting uncomfortable" level than the U.S. (See table below).

What accounts for this big difference in reporting intensity? In short, it's due entirely to cross-border wire transfers. In Canada, every electronic fund transfer leaving or arriving in Canada must be reported by banks to the government if it sums up to $10,000 or more. So if you've sent an $11,500 wire transfer from your Bank of Montreal account to your son or daughter who lives in London or Paris, congratulations, your name is in a Canadian government database. Or if you run a business and have received a $15,000 digital payment from a U.S. company for services rendered, your corporate data is sitting somewhere in an Ottawa government server.

If you're an American making a foreign wire transfer, your information will not get sent to a government database. The U.S. authorities do not require financial institutions to submit personal information on digital cross-border flows. (Mind you, they have been trying for some time to get the ability to collect this data.)

In the 2022-23 financial year, 27 million of these cross-border wire reports were submitted by Canadian banks, accounting for the lion's share of all 36 million reports submitted to the Canadian government that year.

Apart from cross-border transaction reporting, the nature of Canadian and U.S. eavesdropping is broadly similar.

Let's start with cash transaction reports, or CTRs. When a Canadian goes to their bank and deposits $10,000 or more in cash, the bank will generate a report that it sends to the Canadian government. U.S. banks report deposits and withdrawals of $10,000 in cash to the US government.

So if you're selling a used car and the buyer pays you $12,000 in banknotes, and you deposit that to your bank account, you're now in a government database, whether that be in Canada or the U.S.

Canadian banks generated 8 million CTRs in 2022-23 whereas U.S. banks generated 20.8 million in 2023. Pound for pound, Canadian banks submit more cash transaction reports to their government than U.S. banks, around 0.21 per Canadian compared to 0.06 per American. I'm not sure why. The threshold for reporting a cash transaction in Canada is lower than in the U.S. (CAD$10,000 is worth around US$7,300) which may explain some of the difference? Dunno.

With CTRs and cross-border wire transfers, the invasiveness is kept relatively low thanks to the objective criteria that trigger a filing. Exceed the $10,000 threshold and at least you know ahead of time that your information is going to be recorded. A law-abiding citizen who is uncomfortable having their finances collected by the government can choose to avoid sending cross-border payments or dealing in large amounts of cash. But this objectivity doesn't exist with the next type of report: those related to suspicious activities.

On both sides of the border, financial institutions must submit reports about transactions deemed suspicious to their respective governments. If you've made a transaction that a bank deems to be suspicious, you'll never know that you've landed in a government database. That's because banks are prohibited from notifying their customers that their activity has been snitched on.  

The determination of what qualifies as suspicious involves a fair amount of subjectivity. Canada requires that financial institutions have reasonable grounds to suspect that a transaction is linked to terrorism or money laundering before reporting it. That means that a mere hunch won't cut it: a Canadian banker must be able to articulate a clear reason for suspicion. Mind you, there's no penalty for banks that fail to attach a specific reason to a report, so the reasonable grounds to suspect standard is often ignored.

We know that many of these hunch-based reports end up in the government's database. Over the years the Office of the Privacy Commissioner of Canada has collected a list of reports that failed to reach the reasonable grounds to suspect standard, including one case in which some individuals were suspected simply because they had Middle Eastern passports:

From the Office of the Privacy Commissioner's 2017 audit of FINTRAC [source]

My reading of the U.S. requirements for reporting a suspicious transaction suggests a looser standard than in Canada. While U.S. bankers are encouraged to provide a specific red flag in their CTRs, the implementing regulations say they can still file a report if they merely "suspect" a transaction to be associated with money laundering or terrorism, which is a lower standard than the requirement to have a "reason to suspect."

In Canada, there is no size threshold for suspicious activity reporting: even a $50 payment can be reported by a bank. By contrast, the U.S. has set a $5,000 threshold before a suspicious activity report must be filed. (When suspicious activity reports were first introduced to the U.S. in 1994, the government floated the idea of not including a threshold at all, as Canada would later do in 2001, but retreated because this would impose a "burden of reporting.")

This difference in thresholds suggests Canada should have a much higher intensity of suspicious transaction reporting than the U.S. Not so. Canadian banks generated 560,858 suspicious transaction reports in 2022-23, around 1.4 reports for every 100 Canadians. Compare this to the 4.6 million reports filed by U.S. banks in 2023, which also comes out to 1.4 reports per 100 Americans. So even though bankers in the U.S. are required to ignore small suspicious transactions below $5,000, they more than make up for it by reporting a larger proportion of transactions than Canadian bankers do. I can only guess why, but this may be due to the looser standard for suspicion, discussed above.

There are several other types of transactions that must be reported to the government, including large virtual currency reports in Canada and foreign bank and financial accounts reports (FBAR) in the U.S., but the volume of this sort of reporting isn't as significant as the other types already discussed, so I won't touch on them.

So to briefly sum up, pound for pound a Canadian is more likely to appear in their government's financial database than an American is. This is because Canadian financial institutions collect personal information linked to cross-border wire transfers, whereas the U.S. doesn't. The most privacy-invasive reports are suspicious ones. Compared to Canadian banks, U.S. banks are more trigger-happy when it comes to deeming a given transaction as suspicious, but the US$5,000 floor on reporting suspicious transactions somewhat mitigates this eagerness.

Having dealt with what sorts of data flow into the government, let's talk about what happens next with the data.

***How personal financial data flows from the government to law enforcement***

The personal financial data accumulated by the two governments are managed by each nation's respective financial intelligence unit, or FIU. In Canada, this institution is known as the Financial Transactions and Reports Analysis Centre of Canada, or FINTRAC. In the U.S., the body that collects personal financial data is known as the Financial Crimes Enforcement Network, or FinCEN.

It's here with the management of harvested financial data that the policies of the two countries really start to diverge.

To begin with, let's start with the length of time that data can be kept. In the U.S., FinCEN holds data indefinitely, so its database is forever growing. Canada allows FINTRAC to keep data for at least ten years and up to fifteen years, but after that FINTRAC must destroy any identifying information if it was not disclosed to law enforcement. Since most of FINTRAC's data is not disclosed, that means large amounts of data fall out of FINTRAC's database every year, and thus the amount of personal information collected grows at a slower rate than FinCEN's data hoard.

The difference between the two countries grows even wider when it comes to the question of who has access to citizens' financial data. In brief, U.S. law enforcement is granted broad access to the raw data whereas Canadian law enforcement's ability to see the data is strictly limited.

472 different U.S. law enforcement agencies at the Federal, state, and local levels have the ability to directly query FinCEN's database of CTRs, suspicious activity reports, and more. This amounts to around 14,000 law enforcement officers who can search through the personal financial data of American citizens. In 2023, these 14,000 users conducted 2.3 million searches using FinCEN's query tool.

FinCEN's data can also be downloaded in bulk form to the in-house servers of eleven different federal agencies, including the FBI, ICE, and the IRS. Bulk access (also known as Agency Integrated Access) means that the FBI, ICE, IRS, and eight other agencies don't need to use FinCEN's query tool. This bulk data can be accessed by another 35,000 agents. Alas, FinCEN doesn't track how many in-house searches were conducted by these agents in 2023, but I'd guess it's in the tens if not hundreds of millions.

By contrast, Canadian law enforcement agencies do not get direct access to FINTRAC's financial data trove. Instead, FINTRAC employs an internal force of a few hundred data analysts to parse the database for clues that suggest participation in money laundering or terrorist financing. Only when FINTRAC employees have attained reasonable grounds to suspect that a pattern of transactions has crossed the line can they pass a report on to a Canadian law enforcement body, such as the RCMP or municipal police. This report is known as a financial intelligence disclosure and includes information like the name of the transactor, their address, telephone number, criminal record, and more.

FINTRAC submitted 2,085 of these disclosures to law enforcement in 2022-2023.

So to step back for a moment, tens of thousands of U.S. law enforcement officials conduct tens of millions of searches through Americans' personal financial data to get leads. In Canada, this same database can only be accessed by a small number of FINTRAC analysts, who selectively push a few thousand reports out to Canadian law enforcement each year.

That's quite the contrast. Put differently, unlike their U.S. equivalents the RCMP, Sûreté du Québec, Ontario Provincial Police, and other police agencies do not have the power to pull personal financial data willy-nilly from the government's database. This means far fewer eyeballs on Canadian financial records. As far as protecting the financial privacy of citizens, the Canadian access model does a better job. The U.S. access model is friendlier to law enforcement and stopping crime.

A disadvantage (or advantage, depending on your tolerance for being watched) of the American system is it allows the 11 agencies with bulk access to create "data cocktails" (personal financial data downloaded from FinCEN spiked with their own data sources) in order to better investigate suspects. For instance, according to a 2009 report from the Government Accountability Office, the FBI incorporates bulk FinCEN suspicious activity reports into its Investigative Data Warehouse along with 50 other data sets from different sources. The IRS's Reveal System, portrayed below, ingests FinCEN reports along with tax data to conduct more complex investigations.

The IRS's Reveal System, which ingests FinCEN CTRs along with other non-FinCEN data [source]

I don't know if the FBI and IRS data cocktails still exist, and in what form, but they certainly give a flavor of what sorts of broad access law enforcement can get to personal financial records in the U.S.

By contrast, Canadian law doesn't allow for U.S.-style data cocktails. An agency like the RCMP can't mix FINTRAC's store of personal financial data with their own bespoke data sources because the RCMP is prohibited from pulling raw CTRs, cross-border wire transfer reports, and suspicious transaction reports out of FINTRAC. Only FINTRAC gets to determine what information gets pushed out to the RCMP.

This firewall isn't accidental. As Horst Intscher, a former director of FINTRAC explains, a degree of privacy protection was purposefully built into FINTRAC's original design: "Because of the very broad range of information that the [Proceeds of Crime (Money Laundering) and Terrorist Financing Act] makes it possible for us to receive from reporting entities, it was determined at the original passage of the legislation that protections had to be built, so it would not be construed that there was a flow-through of massive amounts of personal information directed to law enforcement agencies."

In other words, FINTRAC was designed to prevent the likes of the RCMP from creating an FBI-style Investigative Data Warehouse. 

However, the wall imposed between Canadian law enforcement and FINTRAC does have a degree of porosity, enough to provide law enforcement with an indirect way of pulling data out of FINTRAC. If the RCMP is investigating a suspected money launderer, it can submit information about the suspect to FINTRAC in the form of a voluntary information record. For example, it might say that "Joe Blow and his sister-in-law Martha are the subjects of an investigation for drug trafficking and money laundering, and we just thought you should know that." This new data becomes part of FINTRAC's database, against which FINTRAC's agents will check all other data. If the agents spot a match, and it meets the bar for a "reasonable grounds for suspicion", then they must send the RCMP a disclosure containing the relevant personal financial information.

In 2022-23 FINTRAC received 2,550 voluntary information records from Canada’s law enforcement and national security agencies (including from members of the public), a large number of these eventually boomeranging back to law enforcement in the form of a disclosure. How many? The head of FINTRAC once claimed that "65% to 70%" of FINTRAC's ultimate disclosures to law enforcement are triggered by voluntary information submitted by law enforcement, which hints at how porous the wall is.

----

That sums up my comparison of the inflows and outflows of personal financial data to the U.S. and Canadian governments. This is just a cursory analysis. There are all sorts of other vectors across which to compare the scope of the two nations' data collection efforts that I haven't explored. I've focused on the factors that I think are the most important.

Readers from other countries may be curious to find out about their own FIUs to determine where they stand relative to Canada and the U.S. If so, leave your findings in the comments. My Australian readers, for instance, may be interested to note that their government collects far more private information than the U.S. and Canada combined. AUSTRAC, the Australian FIU, collected 192 million transaction reports in 2023, an astonishing 7 reports per Australian! This is because AUSTRAC receives information on all cross-border wires, with no lower threshold.

At the outset of this article I suggested that many of us would tolerate some loss of privacy in order to make it easier for the police to catch criminals. A few of us will accept a large loss. Others will not tolerate even the smallest infringement on privacy. An individual's line in the sand is very much a personal matter. I'm going to leave it to the reader to decide which country (if either) approaches the right balance. Is Canada too lax relative to the U.S.? Does the firewall we've erected between the cops and the trove of financial information give criminals free rein? Or does the U.S. not sufficiently respect privacy? Should the FBI and its sister agencies lose some of their unfettered access to Americans' personal financial data?

Monday, June 17, 2024

The intensifying effort to isolate Russia's banks


Last week the U.S. government expanded the coverage of its Russian secondary sanctions program to encompass most of Russia's banks. It's a very big step, one that has been long-awaited by sanctions watchers, and will likely have significant repercussions for Russia and its trading partners. Here's a quick explainer.

Stepping back, we can think about the U.S.'s sanctions war on the Putin regime as an effort proceeding in two acts. The first involved a "casual" round of primary sanctions beginning as far back as 2014 when the Russians invaded Crimea. Then the heavy round began in December 2023, almost nine years later, with the arrival of secondary sanctions.

Pound for pound, U.S. secondary sanctions are far more impactful than primary sanctions. Primary sanctions cut off American entities from dealing with designated Russian targets but allow non-American actors to step into the breach and take their place. This merely shifts or displaces trade routes, creating a nuisance rather than reducing trade outright.

Secondary sanctions like those introduced last December aim to curb this displacement effect by extending prohibitions on dealing with Russia to non-U.S. actors, in particular foreign banks. The gist of secondary sanctions is: "If we can't deal with them, then neither can you!"

Why do non-American actors in third-party nations like China and Turkey bother complying with U.S. secondary sanctions on Russia? The U.S. wields an incredible amount of influence by threatening to cut third parties off from the U.S. economy should their ties to Russia be maintained. The importance of accessing the U.S., in particular its financial system, far outweighs lost Russian business, prompting quick compliance.

So what exactly happened last week? Let's first re-explore what occurred in December 2023.

If you recall from my previous article, the December secondary sanctions targeted foreign banks. Their aim was to prevent bankers in places like India, Turkey, China and everywhere else from interacting with Russia, but only with respect to a narrow range of transaction types: those linked to Russia's military-industrial complex.

More specifically, a Chinese or Turkish bank could continue to deal with Russian customers as long as the transaction in question involved goods like cars or dishwashers. The novelty is that they were now prohibited from conducting any transactions with Russia that involved weapons, military equipment, and dual-use goods, on pain of losing access to the crucial U.S. financial system.

In addition to a flat-out prohibition on military-industrial goods, the U.S. Treasury also compiled a blacklist of around 1,200 or so Russian individuals and entities that support Russia's military-industrial complex by working in allied sectors such as technology, construction, aerospace or manufacturing. The December order stipulated that if caught dealing with any of these 1,200 or so names, a foreign bank could be cut off from the U.S. banking system. Russian individuals and businesses who were not on said military-industrial complex list, however, could still be served by foreign banks, even if they had been otherwise sanctioned. (Remember, primary sanctions only apply to U.S. actors.)

As I wrote back in February, anecdotal data from the first two months of secondary sanctions suggest that they are having an effect. Below I've updated the chart from an earlier tweet showing Turkish exports to Russia, which continues to trend downwards (note the 12-month moving average.)


In a recent article, The Bell assessed customs statistics and found that since the start of 2024, imports from some countries are down a third compared to 2023, notably Turkey (-33.8%) and Kazakhstan (-24.5%).

Source: The Bell


Which finally gets us to last week's announcement.

The scope of the secondary sanctions has been dramatically widened by adding around 3,000 or so additional names to the original 1,200 or so individuals and entities involved in Russia's military-industrial complex, for a total list that is now 4,500 long, according to FT. The reasoning for this extension is that now that Russia is a war economy, pretty much everyone is contributing to the war effort.

The most important of the additions to the list are Russia's banks. The Treasury's press release drove home this point by specifically drawing attention to the branches of Russian banks in New Delhi, Beijing and Shanghai that are now off limits.

Going forward, any bank in China or India that interacts with a Russian bank, say Sberbank, now risks losing its crucial connection to the U.S. This is huge! The majority of global trade is conducted by banks in one country interacting with banks in another on behalf of their respective customers. If Russian banks are cut off from this global network, that's tantamount to severing the entire Russian economy from the international economy. With their bankers now isolated, Russian firms won't be able to buy or sell stuff overseas, nor repatriate funds to pay their local employees.

I'm still trying to get my mind around the enormity of this. Russia has become the top destination for Chinese auto exports, for instance, and those purchases require getting a Russian bank and a Chinese bank to interact with each other. How on earth will Russia import Chinese cars without the intermediation of Russian banks? Or appliances, or smartphones?

There are two significant exemptions to the secondary sanctions coverage: agricultural products and crude oil. What this means is that while a bank in India can no longer deal with a Russian bank like Sberbank, that prohibition ends if they want to conduct transactions with Sberbank that involve grain or oil. Since Russia's economy is so reliant on its oil exports, this exemption is a gaping hole in the sanctions wall that Ukraine's allies are trying to build.

How will Russia and its trading partners react?

A few sacrificial banks

To keep trade flowing between Russia and trading partners like China, it may be necessary for China to serve up a sacrificial bank or two to the U.S. sanctions regime. Who to sacrifice? A small bank with little to no U.S. business is a prime candidate. Such a bank may be able to afford being cut off from the U.S. financial system in order to ensure that its mostly Russian-linked clientele can keep making bank-to-bank payments.

An example of a willing-to-be-sanctioned financial institution is the Bank of Kunlun, a small Chinese bank which continued to facilitate Iranian transactions even after secondary sanctions were levied on Iran in late 2011. The U.S. government reacted the following year as it had threatened that it would: it cut the Bank of Kunlun off from the U.S. financial system, a state of affairs that continues to this day. Kunlun remains the only bank in the world on the U.S.'s CAPTA (Correspondent Account or Payable-Through Account) list, a register of financial institutions which cannot get a U.S. bank connection.

An appearance on the CAPTA list hasn't stopped the Bank of Kunlun from doing business, however. According to the Atlantic Council, Kunlun has become one of the main connections for so-called Chinese "teapots" (small independent refineries) to buy oil from Iran. Apparently, one of its flagship products is "Yi Lu Tong," which means "Iran Connect." Of course, the Bank of Kunlun can't do a shred of U.S. business, which severely limits its clientele.

In any case, the Bank of Kunlun, or something like it, could end up being the linchpin of Russian sanctions avoidance.

AML-dodging stablecoins

Another option for Russian trade will be to turn to U.S. dollar stablecoins like USDC and Tether. Stablecoins are blockchain-based payments platforms that offer balances pegged to national currencies, usually the U.S. dollar. Unlike banks, which do due diligence on their customers, stablecoin issuers will allow anyone to use their platforms, no questions asked. This feature offers Russian firms a reliable non-bank payments option for settling purchases of Chinese or Turkish products.

Stablecoins are not a new route for Russians keen to evade the long arm of U.S. sanctions. I wrote last year about how intermediaries linked to a sanctioned Russian oligarch purchased oil from Venezuela's sanctioned state-owned oil company using Tether stablecoins, or USDT. "No worries, no stress," says the Russian to his Venezuelan contact. "USDT works quick like SMS."

"...quick like SMS" [link]

More recently, a Russian sanctions evader describes how he uses Tether to "break up the connection" between buyers like Kalashnikov and sellers in Hong Kong, making it harder for US authorities to trace the transactions. "USDT is a key step in the chain." 

Turning to the U.S., what might its next steps be in the sanctions war?

Extend the secondary sanctions to oil

Sanctions are a cat and mouse game. As Russia inevitably finds ways to adapt to last week's actions, the U.S. will have to find alternatives to keep up the pressure on the Putin regime. A prime candidate for the next ratcheting up of secondary sanctions will be to extend their reach to Russia's oil industry.

The U.S., EU, and other coalition countries are currently trying to cap Russian oil prices at $60 in order to reduce Russia's revenue base, with mixed success. One option would be to bring the rest of the world into the price cap effort in order to make it more effective. A simple upgrade to the secondary sanctions regime would allow for this. Foreign banks would still be able to conduct transactions with Russian banks that involve oil, but only if these banks have verified that those purchases have been made at a price of $60 or lower. Any international bank caught breaking the price cap would risk losing its financial connection to the U.S.

Locked up in escrow

Another way to tighten the noose on Russia would be to modify the secondary sanctions program to impede the ability of Russian oil exporters to repatriate or easily utilize the funds they receive for oil sold abroad. 

How would this work? As before, foreign banks in, say, India would still be allowed to conduct oil transactions with Russian banks at prices not exceeding $60, subject to a new sanctions feature stipulating that all oil proceeds must be confined to escrow accounts in the buying nation, in this case India. If Putin does wish to use the funds in Indian escrow accounts to make purchases, they can only be used to buy Indian products. If an Indian bank fails to keep oil proceeds "locked up" in India, and lets them escape by wiring them back to Russia or a third party like Dubai, then it could face the threat of losing its U.S. banking access.

If implemented, this locking restriction would dramatically reduce Putin's ability to repurpose oil revenues. Stuck in foreign banks with only a limited menu of local goods to buy (and likely earning sub-market interest rates), Russian resources would languish, illiquid and uncompensated.

This sort of restriction isn't a new idea. It was successfully tried out on Iran beginning in 2013 in the form of the notorious Section 504 of the Iran Threat Reduction and Syria Human Rights Act (TRA), once described as a bit of sanctions warfare that was "so well constructed and creative that in some respects it can be considered… beautiful." I wrote about it eleven years ago. It's time to dust it off.

Monday, June 10, 2024

"I didn't launder the cash, your honor. The robot did."

Crypto enthusiasts protest the trial of Alexey Pertsev

As the multiple Tornado Cash legal cases wend their way through courts in the Netherlands and the U.S., we continue to learn how society's money laundering laws will be applied to some of the more unique financial entities being created on the new technological medium of blockchains.

Last month Alexey Pertsev, a co-creator and co-administrator of privacy platform Tornado Cash, was found guilty of money laundering by a Dutch court. (The full decision translated into English is here). Meanwhile, Roman Storm and Roman Semenov, Pertsev's colleagues, are under indictment in the U.S. for engaging in money laundering, among other charges. Separately, Tornado Cash continues to be sanctioned by the U.S. Treasury.

In general, I think a guilty verdict is the right decision. It would have been dangerous to find Pertsev innocent, since to do so would have given all sorts of hardened money launderers (the mob, drug lords, and terrorist networks) the perfect techno-legal loophole for avoiding future money laundering charges. Shifts in the underlying technology used for disguising dirty money should not be enough to turn a crime into a non-crime.

Before I get into my reasoning, here's some context for people who are new to the issue of Tornado Cash.

Tornado Cash was introduced by Pertsev, Storm, and Semenov in 2019 as a means for crypto users to enjoy privacy, but it wasn't long before thieves and hackers began to regularly deposit large amounts of stolen crypto into the utility to be obfuscated. This was plain as day to anyone who was watching. Blockchains are radically transparent (that's why privacy tools like Tornado are needed) which meant that everyone could watch in real-time as criminal trails converged on Tornado Cash. 

Court cases in both the U.S. and the Netherlands reveal that Pertsev and his colleagues were well aware that illicit activity was passing through Tornado, yet they continued to work on the utility anyways. This is important because possessing a "knowing" state of mind is a key ingredient to being found guilty of money laundering. If he had had no idea that the money being disguised was dirty, Pertsev could not have been charged in the first place.

Criminals were not the only users of Tornado. Licit actors who wanted privacy also deposited funds into the entity, including Ethereum co-creator Vitalik Buterin. But the presence of good transactions amongst the bad ones doesn't dilute the seriousness of the alleged crime. All it takes to trigger a money laundering charge is a few dirty transactions. "C'mon! 82% of the money was licit!" is no alibi.

Tornado Cash is by no means the crypto economy's first privacy platform. The original generation of privacy tools, so called "mixers" or "tumblers," began to emerge in the early 2010s with the likes of ChipMixer, Helix, Bitcoin Fog, Sinbad, and Blender. Anyone who required anonymity could send their bitcoins to the platform owner, who would proceed to commingle, or "mix," all incoming bitcoins in a single address under their control, thus rendering them untraceable. After some time had passed, the platform owner manually re-sent the now obfuscated bitcoins to their original sender, less a fee.

Like Tornado Cash, the first generation of privacy utilities was used by both criminals and regular folks seeking privacy. None of these original mixers have had happy endings. The owners of Bitcoin Fog and Helix, Roman Sterlingov and Larry Harmon, were both found guilty of money laundering and are currently serving jail sentences. Minh Nguyen, the administrator of ChipMixer, has been indicted for money laundering and is on the FBI's most wanted cyber list. Blender and Sinbad have both been sanctioned by the U.S. government.


By any legal standard, these bad endings were well-deserved. They may have been technological novelties, but ChipMixer, Helix, Bitcoin Fog, Sinbad, and Blender were very much textbook examples of money laundering. The owners of these entities knew that some of the transactions they were participating in involved proceeds derived from criminal sources, yet despite this knowledge they proceeded to disguise them anyways. The only thing new about Helix and the other first generation mixers was the medium they were disguising: bitcoin instead of cash or deposits.

And so professional mixers like Harmon and Nguyen join a long line of traditional money launderers: dirty bankers, drug cash couriers, crooked remittance shop owners, and hawala operators. The law shouldn't be fooled by technological novelty, and in the case of the first generation of mixers, it wasn't.

That these were textbook cases of money laundering isn't disputed by the crypto community. Crypto advocates are a vocal bunch, and while they have loudly voiced their complaints about the legal action taken against Tornado Cash, they have for the most part quietly accepted the punishments meted out to the first generation privacy platforms. A legal fundraiser to support the Tornado Cash accused, for instance, has raised hundreds of thousands of dollars; there have been no equivalent efforts to raise a legal defence for Harmon, Sterlingov, or Nguyen. Crypto lobbyists have gone to war for Tornado Cash by launching court appeals and filing amicus briefs in its support. But when it comes to defending the Bitcoin Fog or Helix operators, or challenging the government's sanctioning of Sinbad and Blender: crickets.

The Tornado Cash legal cases have been more controversial than those of the first generation mixers thanks to a technical innovation in Tornado's construction. Most of us would consider this to be a relatively obscure change, but crypto enthusiasts see it as a defining one.

Harmon and his counterparts controlled their platforms outright, taking possession of the dirty crypto before manually sending it back to criminals in disguised form. Not so Tornado Cash. When it was built, a layer of automation was inserted between Tornado Cash's users and Pertsev and his colleagues.

Instead of sending their crypto to wallets controlled by the trio, as users did with Helix, crypto was now deposited by users into a set of automated pools. These pools were not managed on an ongoing basis by Pertsev and his colleagues. Rather, they were built using fully automated code on the Ethereum blockchain. Originally co-created by Pertsev in 2019, this code was frozen in time by the designers in early 2020, at which point it could no longer be upgraded or changed by anyone, even Pertsev. To this day the pools continue to operate, even though the Tornado Cash creators are either jailed or under indictment.
 
Other parts of the Tornado Cash platform are not so set-in-stone and remained under the control of Pertsev and his colleagues throughout. This includes the main website by which users accessed the automated pools, which was regularly upgraded over time, as well as the relayer service. (A relayer is a way to guarantee the privacy of Tornado Cash users). Pertsev and his colleagues profited from their ongoing control over the website and relayers.

The lawyers for Pertsev, Storm, and Semenov have argued that this layer of automated code exonerates the trio of money laundering. After all, if they no longer control what the utility is doing, then how can they be said to be operating a money laundering enterprise? The lawyers also argue that as writers of code, Pertsev, Storm, and Semenov are protected by speech laws, much like an author who has written a book. It is the code-is-speech claim that has particularly riled up the crypto community.

I don't like the idea of someone being sent to jail, but I think it's a good thing that the Dutch court chose not to accept these arguments.

Using go-betweens is a time-tested criminal strategy for distancing oneself from the crime. In more conventional money laundering operations, this strategy might involve separating the leader of a cash laundering operation from the actual dirty cash with a layer of underlings. In the age of crypto, no need to use living human underlings; just insert a buffer of unliving code.  

But the law shouldn't be fooled by artificial distances between a launderer and dirty money, whether those intervening layers be living people or code.

Allowing a buffer of automated code to absolve folks like Pertsev of money laundering would make it much easier to be a professional money launderer. Bad actors like Harmon and Sterlingov who have already been deemed by the courts to be criminals would suddenly have the perfect techno-legal loophole at their disposal if they decide to reengage in crypto laundering once their jail terms are up. Instead of manually running their operations as before, Harmon and Sterlingov could insert a mute layer of automated code between them and their illicit clients, their criminal mixing no longer being a crime.

But this would be an absurd state of affairs. A simple technological change to the way a criminal mixer administers their back office shouldn't convert them into a non-criminal.

The danger of the "it was the code that did it" defence extends beyond the crypto economy. In the much-larger traditional economy, laundering physical cash is a relatively common criminal profession. Take the fictional example of Marty Byrde, the star of Ozark. If the Tornado Cash defence were to be accepted in a court of law, then Byrde need only program a set of self-operating cash-handling robots to do most of his tasks for him, and he can get away scot-free. "I don't exercise any control over the packages of cash, your honor. The robots did!"

Or take the example of drug cash couriers, who run the risk of being convicted for money laundering when they move cash across the U.S.-Mexico border. Taking a cue from Tornado Cash, if a courier were to deploy an autonomous fleet of AI-powered drones instead, then when charged with a money laundering offence he or she need only invoke the now-standard defence: "it was the drones who controlled the cash, not me."

Taken to an extreme, the Tornado Cash defence means that money laundering effectively ceases to exist as a crime. All the culpability shifts onto the undead intermediaries, which can't be punished. This eclipsing of money laundering laws would be unfortunate. Professional money laundering is a key sector within the broader criminal economy, greasing the wheels for the entire enterprise. Without any legal defences against launderers, we are all much more vulnerable to crime-in-general.

In what follows, I want to provide a historical example of how the law should act when confronted with the changing tactics and technologies of money launderers.

Money laundering is a relatively new crime, but it has a much older predecessor in the crime of fencing, also known as receiving. The laws against fencing and money laundering are similar, the idea being to punish not the original criminals but the third-parties who knowingly participate in the crime by accepting dirty proceeds.

Any thief runs a big risk of being caught with stolen goods. At some point in the middle ages, specialized intermediaries, or fences, emerged to absorb this risk by accepting stolen property from professional thieves and redistributing it. Thieves could now offload their goods much quicker, thereby achieving a degree of safe harbor. For their part the fences themselves were safe from prosecution. After all, they hadn't committed the original theft, and accepting stolen property was not a crime.

The addition of specialized wholesalers to the thievery production process helped drive a rise in the incidence of theft, according to historian Rictor Norton. To close this loophole, fencing was criminalized in England in 1692. For the first time, a third-party who knowingly accepted stolen goods could be punished as an accessory to the original theft. The business of reselling hot property, risk-free until then, suddenly became much more dangerous.

The illegal fencing market quickly evolved new tactics. Enter Jonathan Wild, an incredibly successful launderer of stolen goods who, by the mid 1710s, is said to have been the "undisputed leader in the fencing business of London," according to marketing professor Ronald Hill. Wild evaded the 1692 anti-fencing law by never himself handling stolen property. Instead, he acted as an early version of Craigslist, but for stolen objects. He arm-twisted all of London's thieves to secretly report any robbery immediately to him, asking them to retain possession until he contacted them. At the same time, the unfortunate victims of those thefts were encouraged to approach Wild with requests to help locate their missing property.

Once Wild knew who was at both ends of a theft, he would pay the thief and tell him to return the goods to the victim using an anonymous porter. The happy victim got their stolen goods back, paying Wild a large reward for his troubles.

With Wild running circles around the law, Parliament passed an additional anti-fencing law in 1718 that punished anyone who took a reward under the pretence of helping a victim of theft, without actually prosecuting the original felon. In 1725, Wild was apprehended, tried, and condemned to death on the basis of this statute. 

A gallows ticket to view the hanging of Jonathan Wild (Wikipedia)

Now, a death sentence is extreme. But this is a good example of the law staying hip to both the changing technology of theft and its evolving division of labour. As the profession began to be subdivided into specialist thieves and an emerging class of allied wholesalers of stolen goods, lawmakers recognized that wholesaling was really just an appendage of theft, and thus fencing was criminalized. Later on, when fences like Wild adapted with new methods, the law kept up by finding additional means to reach fencing operations.

With Tornado Cash, we are at a "Jonathan Wild" stage of the modern money laundering profession's development. Control of dirty proceeds is being shifted to autonomous intermediaries so that the perpetrators can avoid prosecution. Much like how the law adapted in the 1700s to encompass Wild's tactics of distancing himself from dirty property, it will have to do the same with money launderers who use crypto code, autonomous robots, or AI drones to dissociate themselves. While I don't enjoy the idea of anyone spending time in jail, finding Pertsev guilty is part of that process.

Unlike Jonathan Wild, who was a criminal mastermind, Alexey Pertsev and colleagues seem to have bungled into the crime partly out of an ideological commitment to crypto ethics, the wider community unhelpfully egging him on. That doesn't mean he's not guilty, but it does suggest a lighter sentence than the 64-month one he received might be appropriate.

I've been arguing throughout this article that money laundering law should extend to innovative financial entities created on blockchains, such as Tornado Cash. I want to close by pushing back on this a bit.

A guilty verdict for Pertsev and his colleagues should not be tantamount to a ban on the creation of autonomous financial institutions, particularly those focused on privacy. If a coder wants to create an open privacy mechanism for crypto, promote it, and financially profit from it, I think that he or she should have the right to do so, subject to the following condition. The code needs to include a component that screens out dirty crypto, and this filter shouldn't be a sham attempt; it has to be a genuine effort.

While I think the law got it right in this instance, shame on lawmakers and law enforcement if they don't accommodate future generations of code-based entities (and their creators) that actually do make good faith efforts to freeze out dirty money.