Crypto Compliance - Make Due Diligence Fun Again

Risk management for cryptocurrencies: How do I play it safe?

The most important aspect to be considered when internalising blockchain transactions is that most are pseudo-anonymous transactions. The transactions are by design not linked to a person or identity. Public addresses are used for transactions - alphanumeric strings publicly recorded on the blockchain. The identities behind such addresses are vastly unknown.

There are four types of private information that can be leaked in a cryptocurrency transaction: the sender, the receiver, the amount transacted and the IP address. If all four are successfully hidden from any third-party observer, then the transaction is perfectly private. Yet, how can be ensured that those new digital assets are deemed to be safe by means of provenance, meaning a check for inherent risks? What should risk management be looking for? What is the right due diligence framework?

Anonymity of cryptocurrencies

With the following table, an overview of the privacy spectrum of selected cryptocurrencies is provided:

As a starter, the majors Ethereum and Bitcoin need to be considered first. Ethereum’s base layer is by default less private than Bitcoin’s, because it uses an account-based model instead of an UTXO-based model. This means that a single address is reused over many different transactions instead of a new address for each transaction. Going further down the spectrum, there are ETH Mixers, Monero (XMR) and Zcash (ZEC).

Ethereum «Mixers» and Bitcoin’s «CoinJoins» are kind of a «lost in the crowd» privacy function. Here, users can deposit fixed amounts of a given asset into a smart contract, wait until enough users have made similar-sized deposits to build a large anonymity set, and then withdraw their original amount to a new address with no link to the original.

Monero transactions use three primitives to obscure the sender, receiver and amount: ring signatures, stealth addresses and «Ring Confidential Transactions» (RingCT). Ring signatures allow the sender to sign a transaction with n-number users’ keys, obscuring which key is theirs. Stealth addresses allow the receiver to use a one-time address for each transaction, hiding their true public key.

Zcash goes one step further by employing the zero knowledge encryption technology. Every time a perfectly private transaction is created, the sender must compute an exact series of computational steps in order to generate the proof which a miner can verify in zero knowledge.

Giving preference to the risk-based approach

The use of this variety of cryptocurrencies poses a number of intersecting challenges, but nevertheless it does not change the nature of the task: monitoring the source, destination and value of funds through accounts is an essential and one of the most difficult tasks of ongoing due diligence when dealing with cryptocurrencies. What was deemed unthinkable some years ago became reality. Now «intangibles» of a parallel virtual world increasingly become more tangible, by the virtue of tokenisation and securitisation – they become an asset with a traceable history of transactions. New opportunities and risks emerge likewise from that.

Regardless of the new risks that arise with the adaptation of cryptocurrencies, a prudent case by case, risk-based approach enforced by professionals will not impose any harm, but more so strengthen the organisations.

07.05.2020