AML Compliance After the Blockchain Twitter Hack: How “SAR” Down the Rabbit Hole to Go?

This week’s hack of numerous high-profile Twitter accounts raises important questions for fintech companies and their anti-money laundering compliance teams about the obligation to trace and report information to the U.S. government. In this case, the takeover of noteworthy Twitter accounts by hackers aiming to steal Bitcoin from unsuspecting individuals occurred in the public sphere. FinCEN issued an Alert yesterday emphasizing its expectations for financial institutions in connection with the hack. How far, then, must a blockchain-based financial institution’s compliance team go in analyzing an external event like this to determine if it has a connection to the illicit event, or a related obligation to file a Suspicious Activity Report or take other action?

Bitcoin transactions, of course, occur on a public blockchain, or distributed ledger. Although identities of users are not transparent, the actual movement of funds through the transmission of encrypted “keys,” is visible to those who access or search the blockchain. Unlike traditional banking activity, the public transparency inherent in the blockchain grants everyone, including law enforcement and regulators, access to the transactions of the suspected hacker(s), the transactions of the hacker’s counterparties, and those of additional counterparties down the line.

With regulators’ intense focus on cryptocurrency, and a 30 to 60 day timeframe for the filing of a SAR, the clock is ticking for blockchain-based financial institutions to review customer transactions, identify red flags, investigate activity, verify traceability, and draft and submit appropriate SARs. It is arguably the case, however, that regulators are expecting significantly more from blockchain-based financial institutions in conducting transaction analytics than has previously been asked of traditional financial institutions. There may be reason to question these expectations.

A Notorious Hack

On July 15, hackers targeted high-profile Twitter accounts including those of former president Barack Obama, Bill Gates, Elon Musk, and Kanye West. They then posted fraudulent messages offering to double payments made to specific Bitcoin addresses including:

• bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh; and
• bc1q0kznuxzk6d82e27p7gplwl68zkv40swyy4d24x

Because of the visibility of transactions on the public blockchain, blockchain analytics companies, exchangers, and news publications have rushed to monitor the primary addresses involved in the scam, reportedly identifying almost 400 transactions sending approximately $120,000 worth of bitcoin to the hacker(s’) digital wallets. Reports of blockchain analytics have also indicated that the scammers may have sent their own money to at least one fraudulent wallet address in an attempt to further legitimize the scam.

What do the Regulators Expect?

Under the Bank Secrecy Act, FinCEN requires financial institutions such as cryptocurrency exchanges to report suspicious transactions to the government that involve amounts over certain thresholds ($2,000 for money services businesses and $5,000 for state-chartered trust companies). Financial institutions are required to file these SARs within 30 days from the date of initial detection of facts that constitute the basis for filing a SAR. In an advisory issued in May of last year, FinCEN identified a number of red flags it believes the blockchain-based financial services industry should be tracking as suspicious, including instances where a customer transacts with wallet addresses linked to extortion, ransomware, or other illicit activity.

Add Specific Blockchain Addresses to Your Monitoring

After this week’s events, blockchain-based financial institutions may want to take a number of steps to satisfy regulators’ expectations. These include adding filters and conducting transaction reviews for customers conducting direct transactions with the primary and secondary addresses listed above as recipients of the fraudulent payments. The same is true for other specific blockchain wallets identified in public news reports or by the government, in indictments or enforcement actions, as involved in misconduct.

Document A Way Forward

Blockchain-based financial institutions should also develop and document deliberate and reasonable policies addressing the amount and categories of public ledger information they will review for their own compliance investigations, and apply these policies consistently, including to this week’s Twitter hack. FinCEN does not specify when a SAR must be filed, but will judge a financial institution’s policies against standards of reasonableness. So, in developing these policies, blockchain-based financial institutions should aim to:

• Establish distinct policies for varying degrees of counterparty connection, and document reasoning for alert generation and investigation rules that correspond accordingly;
• Consider establishing clear rules for further investigation in instances of indirect exposure to known or suspected illicit addresses, including those based on:
• Transaction dollar thresholds;
• Percentage of customer’s account value indirectly exposed to illicit addresses;
• Number of transactions with indirect exposure; and
• Ratio of transactions with indirect exposure to non-indirect exposure.
• Determine if and when reliance on advanced analytics, like cluster analysis, would be appropriate. Given the notoriety of large, publically known hacks, blockchain-based financial institutions may receive less regulatory scrutiny where they can demonstrate that they were proactive.
• Periodically validate any established thresholds with below-the-line testing and false-positive analysis to further calibrate your rules.

But Are Regulators’ Expectations A Bridge Too Far . . . ?

Finally, it’s worth noting that for the traditional banking system regulatory expectations would likely end at the customer’s first-level counterparty, as a bank’s visibility into its customers’ transactions typically ends at the first transaction outside of their institution. With publically available blockchain ledgers, on the other hand, it is possible through the blockchain itself to trace funds down multiple degrees of counterparties.

For example, in its enforcement action against BTC-e, FinCEN specifically cited BTC-e for processing and failing to file SARs on over 40 percent of all bitcoin transactions related to the ransomware scheme known as “Locky.” This determination was reportedly made based on after-the-fact advanced analytics, including cluster analysis and micropayment tracing. Although BTC-e’s core BSA violations were more egregious and fundamental than the “Locky” connection, FinCEN’s inclusion of these indirect transactions as a violation reflects an expectation that blockchain-based financial institutions look beyond first and second-degree counterparties.

This expectation, which amounts to a requirement to know not just your customer’s customer, but also even further downstream customers, is in contradiction to well-established expectations for the traditional financial industry. And, to the extent it incorporates a requirement that extensive third-party blockchain analytics services are mandatory and their results definitive, it inserts significant room for argument.