Open Banking Is Heading Stateside

The Biden Executive Order on promoting competition contains a number of very interesting provisions. Some of them, such as the initiative to require airlines to refund fees to passengers who get bad wifi or whose baggage is lost, seem unlikely (from my inexpert perspective, at least) to strike a blow against sclerotic corporatism and re-energise late state capitalism to the benefit of all throughout society. On the other hand, some provisions, such as the “right to repair”, might have very signification implications for everything from tractors to iPhones.

The main reason I am interested in the bill, though, it is that is contains a very specific provision on banking that could mean structural change in the US’ financial services sector. This is the provision that calls for the Director of the Consumer Financial Protection Bureau (CFPB) to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new and innovative products in ways “consistent with the pro-competition objectives stated in section 1021 of the Dodd-Frank Act”.

The Biden Executive Order calls for the portability of consumer financial transaction data. Good. Click To Tweet

(The decade old Dodd-Frank law actually gave consumers the right to access their own financial data but the CFPB has not yet defined that standards that would enable, although it did start the rule making process last year.)

Now, the US already has a form of open banking. There are companies such as Plaid and Yodlee who share customer data with banks and fintechs. But these are through bilateral agreements. For example, Plaid just reached an agreement with Capital One to stop screen scraping and use Capital One’s APIs. But this is by agreement. Under the new provisions, the banks will be required to provide mandatory API access. Now, this means all sorts of standards and such like because the CFPB will have to balance competing requirements from the various stakeholders to make sure that it gets it right on (eg) privacy. This will take some time, but it is coming, and it a good thing.

I could not agree more with the economist Tyler Cowen who commented plainly that the portability of bank account information is of significant benefit to the stakeholders and I am sympathetic to those (generally more progressive) voices calling for a maximalist interpretation of the data portability provisions. If you could move from one bank to another at the press of a button, and take all of your data with you, that would certainly encourage competition from new players.

Tinder
Swiping.
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

But how to achieve this? The obvious way forward would be to introduce open banking along the lines now familiar in many other jurisdictions: mandate that all financial institutions about a certain size implement a common set of APIs with a prescribed set of basic functions so that consumers can give permission to other regulated organisations to have access to their data.

The API Opportunity

Banks should respond to this challenge by seeing it as an opportunity to provide new products and services that are not simply a passthrough of the current financial products and services. If we use the simple layering of manufacturing, packaging and distribution of financial services to look at dynamics while assuming that banks want something more than low-margin manufacturing (but will find it hard to compete with distributors as the embedded finance bandwagon rolls on) then we must conclude that they should take packaging seriously.

To do this, they could focus on the APIs themselves and opt to invest in this layer to find new sources of revenue, better returns than pure manufacturing and, and this should not be underestimated, ways to remain relevant to the spectrum of distributors in the new economy. I’ll give an example of this later, but first let us resort to the traditional tool of the jobbing consultant and make a two-by-two matrix.

On the horizontal axis we distinguish between the APIs that are mandatory (in a regulated open banking regime, or table stakes in a market-driven regime) and non-mandatory or optional APIs that might be the basis of a more competitive approach.

On the vertical access we distinguish between APIs that are related to making transactions (these are what are generally referred to as “write” APIs) and APIs that are related to information gathering (these are what are generally referred to as “read” APIs).

Api 2x2

It doesn’t take a very detailed analysis to realise that focusing on the quality and grade of service for the mandatory APIs (in order to make the bank platform more attractive to distributors) makes more sense than trying to invent new ones and then trying to persuade regulators to make them mandatory. When it comes to non-mandatory APIs, on the other hand, it makes sense to invest in creating new APIs that customers will want to the point whether they will even pay for them.

If we focus our efforts on the APIs that relate to information that is not directly related to the financial products, I think we can see the outlines of competitive strategy around those non-mandatory read APIs and an obvious element of that strategy rests on identity, authentication and authorisation services. In other words, a digital identity strategy might provide a means for banks to stay part of transactions in the modern economy.

The UK Lesson

Just to illustrate how the open banking sector might evolve, take a look at the trajectory in the UK, where although only the largest banks were required to implement open banking (the “CMA9”, as they are called, because it was the Competition and Markets Authority that set the mandate) there are now some .

Investment is flowing in. Yapily (who I use almost daily, because they connect my Quickbooks to my bank accounts and credit cards) just raised $51m for European expansion and another of the main open banking “packagers”, TrueLayer raised a $70 million Series D earlier this year. At the time, the CEO of TrueLayer observed that they were redefining how people transact online, saying that “We’re building an Open Banking network that brings together payments, data and identity” and (my emphasis).

Incidentally, I note with interest that in the UK what we used to refer to as the non-mandatory APIs have now been labelled “premium” APIs in recognition of the underlying strategic drive. Thus while I agree with the point often made by banks that open banking does not present them with a level playing field (whether they deserve a level playing field or not is another topic entirely), I seems to me that it also presents them with a great opportunities.

Finally, another area where the lessons learned from the UK can be very valuable in America is the scope of the provisions themselves. The UK’s “mid-term” report on “Consumer Priorities for Open Banking” set out just why it is that open banking by itself delivers quite limited benefits for consumers. What is needed is open finance, a view expressed by the US Center for Financial Services Innovation (now the Financial Health Network) in their report on “How Industry Executives View Financial Health”. Again, to use a UK example, open banking is a first step. Nationwide (one of the CMA9) has partnered with another of the packagers, OpenWrks, to pull together information from different accounts and sources to build a more complete picture of the financial circumstances of customers facing financial hardship and therefore find better ways to support them.

The US should take on board these positive visions in response to the Biden executive order to create a financial sector that takes a more complete view of a customer’s situation and provides services that increase the overall financial health customers. I’ve written here in Forbes before about the strong narrative that this can provide for a next generation of fintechs: to stop providing financial services and start providing financial health, to force banks and other manufacturers and to innovate and compete, and to give an accessible vision to the pro-competition drive in the administration.

(This is an edited version of an article that first appeared on Forbes, 20th July 2021.)

Brazilian stripe adventure

The news that the magnetic stripe is going to start disappearing from our credit cards, and only a decade or so after I began questioning the need for it to be on any of my cards at all, brings so many memories of my life in payments to the fore that there has been a tear in my eye all morning.

For many years I had a lot of fun complaining about America’s attachment to the magnetic stripe and chronicled the transition through to chip cards, contactless and mobile phones. That transition still has some way to go, incidentally, because unlike most of the world where, to all intents and purposes, all in person card payments are made using chips, as of last year only around three quarters of US transactions were executed in this 21st-century mode.

For many years I had a lot of fun complaining about America's attachment to the magnetic stripe *wipes away tear* Click To Tweet

I’ll find a few key chip and stripe stories to post out on social media over the next day or two just in case any chroniclers of the payments industry are collecting anecdotes, but for now I’ll just focus on one true story that was brought to mind by a comment from my old friend Charles Arthur who was asking about the use of stripe and chip cards in developing countries.

A few years ago, and already a few years after I had been enjoying the fact that Kazakhstan was migrating to chip and pin when Kansas wasn’t, I had to go to São Paulo for a few days to work with some of the Brazilian banks. I can’t remember why, exactly ,but I think it was something to do with mobile payments. Anyway, when it came time for me to leave I found a taxi and set off for the airport.

While pottering along the freeway I remembered that I didn’t have any cash with me, because I never do, and so I wanted to know if the taxi could take payment by card. I took out my wallet and gestured at a credit card and looked quizzically at the driver. The driver signalled and turned off of the freeway onto some side roads. After a few minutes of driving through a retail area, which is mainly shoe shops as I recall, we turned off again onto some smaller roads and went into a distinctly shady part of town.

At this point I began to panic slightly.

Cursing my stupidity for waving around a wallet full of cards and naturally assuming that I was about to be robbed, I began to calmly assemble my tactics. I figured that so long as I could retain my passport then things would be okay. After all, credit cards could be replaced by the banks (as indeed they often were at though at that time) and the computer belonged to the company not me, so whatever. I surreptitiously removed my passport from my jacket pocket and hoping that the driver would not notice, slid it down my leg and into one of my socks where I hoped it would remain throughout my impending ordeal.

The car pulled up at a shack that looked for all the world like a bandit headquarters from Mad Max and the driver shouted something to the unseen denizens. I thought for a moment about trying to make a run for it but realised I wouldn’t really get very far and would likely only inflame the situation, so I stayed put to await the inevitable. Sure enough, a young man dressed in jeans and some sort of football shirt came out from behind the shack and jogged towards the car with something metallic in his hand.

He reached the car and pulled open the door and thrust toward me, glinting in the sunlight… a chip and pin terminal.

I put the card in, punched in my pin, waited for my receipt and continued to the airport.

I’m reasonably well travelled and in the last few years I’ve been to countries ranging from El Salvador to the Ivory Coast and from Bulgaria to Krzygstan and I can honestly say that I have no memory of using a magnetic stripe terminal anywhere except in the USA. I’m pretty sure that the last time I ever used a card to pay with the magnetic stripe ever was in a coffee shop in a hotel in Las Vegas. I remember this because I had to go back to my room and get my passport so that they could write the passport number on the receipt.

IMG 4778

Ah, those were the days.

Crypto is new instruments and institutions, not new money

Speaking at the Paris Fintech Forum in June 2021, Francois Villeroy de Galhau, the Governor of the Bank of France, said that there is no such thing as a cryptocurrency, only crypto-assets. I understand what he means. Brett Scott, who is always thoughtful about such things, wrote making a similar point. He said that just as a child trading an action figure for a football (or whatever) “does not undermine the Federal Reserve (which issues dollars that both are priced in)” so “swapping a dollar-priced Bitcoin collectible for dollar-priced goods does not fundamentally alter the structure of the monetary system”.

Collectibles

NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

I have to say, I agree with them. While some people (quite rightly, in my opinion) saw Bitcoin as more of a protest movement than a viable alternative to the Bretton Woods world and while other people saw it as a replacement for a rotten the international money and financial system, I’ve been pretty consistent in my view that Bitcoin (to take the obvious example) is not money but a new form of digital asset that might, in certain circumstances, exhibit money-like characteristics.

In the very early days of Bitcoin, I met a number of people who saw crypto-assets as the basis for an alternative system of money and finance, a kind of trustless base layer for a universal “internet of value” that would sweep away the sclerotic institutions of global corporatism and unleash a new wave of capitalism. These people often talked about a new gold standard, although I’m not sure why, because society had long ago decided that a gold standard was not the best way to run modern economies. I don’t see any evidence that this alternative system is emerging. On social media we see what Concoda calls “ a non-stop stream of ‘freedom porn’” yet in reality the crypto-asset markets are thin, opaque and manipulated.

So if it is not money, what is it for?

Crypto Choices

In other words, why do people buy and sell crypto? I have often wondered whether most people dabbling in the leading cryptocurrencies see it as a protest movemement, an alternative financial system, digital gold or something else and now the question has been answered. The Bank for International Settlements (BIS) Monetary and Economic Department have just published a working paper (no. 951) Raphael Auer and David Tercero-Lucas called “Distrust or Speculation? The Socioeconomic Drivers of U.S. Cryptocurrency Investments”, which is a fascinating analysis of the market drivers in that space. What they find, using data from the U.S. Survey of Consumer Payment Choice, is that there no evidence at all that (despite the cacophony on Twitter and the ranting observed at cryptocurrency gatherings) cryptocurrency investors are motivated by distrust in fiat currencies or regulated finance. None. In fact crypto investors (speculators?) are no different to the general population with respect to security concerns over cash and commercial banking services.

Ultimately, then, people trade crypto-assets because (as David Gerard has consistently observed) “number go up”. This is essentially a post-modern digitally-turbocharged version of the greater fool theory that all you need to profit from an investment is to find someone willing to buy the asset at an even higher price, no matter whether the asset is worthless or not. A friend of mine, who recently made tens of thousands of pounds from buying and then selling a single NFT told me (I paraphrase) “maybe someone understands this, but I don’t”.

Future Markets

The crypto-asset market just like any other market. This is an important and serious conclusion of the BIS work, which implies that since the objectives of investors are the same as those for other asset classes, so should be the regulation. Cryptocurrencies are not sought as an alternative to fiat currencies or regulated finance, but instead are a “niche digital speculation object”. Quite. This is why I have always been much more interested in the world of digital assets, tokens and decentralised finance than the cryptocurrencies themselves. From this perspective, I can see that Circle (going public through a SPAC with a $4.5 billion valuation) makes sense: they provide the market with a token, the USDC “stablecoin”, that can be used in decentralised finance markets to execute trades through smart contracts. This has real utility and a window into a future of markets in which bots engage in complex trades around instruments that are too complicated for human traders to understand!

The crypto-asset market just like any other market. Click To Tweet

Unfortunately, the last time we let human traders loose on instruments they didn’t understand (mortgage-backed securities) they blew up the financial system. So what’s to stop the bots from doing the same? Well, it may be that we can make bots follow rules, whereas we can’t make human traders behave ethically no matter what the sanctions. I was interested to read in the BIS report that one “promising option” for supervisory and regulatory agencies to pursue is what the authors refer to as “embedded supervision”. In other words, embedding the supervisory framework for the trading of digital assets in the smart contracts themselves. This is a useful confirmation of the applicability of “ambient accountability” — a concept set out in detail in a paper by Richard Brown (now CTO of R3), Salome Parulava (then with Consult Hyperion) and me in our 2016 paper for the Journal of Payments Strategy and Systems — and reinforces the value of my “glass bank” metaphor for a more transparent and stable financial system.

Just to be clear, by the way, I am not saying that because as crypto-assets aren’t currencies they are not useful. Quite the contrary. In this respect I agree with the economist Tyler Cowen, who said in a recent podcast that “I don’t think of crypto as a currency. I think of it as a new set of institutions”. If these institutions can reduce the costs of financial intermediation (largely by reducing the costs of regulation, compliance and auditing) then they will make a very significant contribution to improving the lives of all.

(An edited version of this article first appeared on Forbes, 12th July 2021.)

Factories or supermarkets: post-pandemic banking

As we move into the inter-pandemic period, there is an interesting discussion to be had about whether the changes induced by the COVID-19 crisis are short- or long-term and to what extent those changes are an acceleration of existing trends (as I think they are, largely) or new directions for the sector. Ron Shevlin wrote an excellent piece in Forbes highlighting one element of strategic change, saying that “the new normal marks the end of fintech experimentation”. He went on to point out, somewhat harshly, that banks have used fintech partnerships as a way of convincing themselves that they are innovating rather than actually doing anything transformational.

I completely agree. I gave some seminars to bank management on the impact of technology on the business a couple of years ago, and to set up a narrative to help the executives frame my approach, I said that I thought the “fintech era” would run through to 2020 when it would be overtaken as the shared paradigm. My prediction, which I stand by, is that we are leaving the fintech era and entering the open banking era. The virus may have accelerated the transition between the eras, but it was coming anyway.

TGB Banking Eras gs

In the open banking era, fintechs will not vanish, but they will innovate and operate in a different way. They will not need to partner with incumbents, since they can use open banking infrastructure to get access to their customers’ data that the banks have, and their costs to market should be reduced through the use of standard interfaces. This means that the fintechs will be able to focus on the customer journey and user experience to bring new products and services into the market.

So what, then, should the banks focus on? At this year’s (sadly virtual) Paris Fintech Forum I hosted an interesting discussion with Simon Paris, the CEO of Finastra. Simon rather kindly reminded me of my predictions about what we now call open banking in the Centre for the Study of Financial Innovation (CSFI) report on “The Internet and Financial Services” back in 1997.

(As an aside, I remember that when the CSFI held a twenty year reunion to discuss this seminal report, it was interesting to see just how much of the report was spot on about the impact of the internet but I was spectacularly wrong about one particular point: I thought that digital TV as well as mobile would become a commerce channel. What actually happened, of course, was that the mobile became a permanent second stream for commerce.)

Anyway, Simon and I were discussing the split between the manufacturing and distribution of financial service, so I thought it might be useful to post my short and high-level recap of the strategies available to banks across this split.

Factory Reset

The techfins are the technology companies who embed financial services to make their own products more attractive but whose business model does not depend on margin in those financial services (as that Economist article noted “Amazon wants payments in-house so users never leave its app”.). The fintechs are companies who embed technology to make their own products more attractive and whose business model depends on margin in those financial services such as one of my favourite companies, Wise).

The techfins (as opposed to the fintechs) are more than happy to have banks, for example, do the boring, expensive and risky work with all of the compliance headaches that come with it. What Big Tech wants is the distribution side of the business, as shown in this old diagram of mine. They have no legacy infrastructure (eg, branches) so their costs are lower and the provision of financial services will keep customers within their low-cost ecosystems. If you use the Google checking account and Google pay then Google will have a very accurate picture of your finances. A very accurate picture indeed.

Open Banking Basic Options Updated Colour Picture

The business model here is very clear. What Big Tech wants isn’t your money (the margins on payments are going down) but your data and just as Big Tech has made ecosystems impervious to competition, so it could cross-subsidise (with data as well as with money) its financial services products to raise such a barrier to competition that no newcomer will be able to spend enough to gain traction. Hence the evolution of bank-as-a-platform for other financial services organisations to bank-as-a-service (BaaS) that Simon and I were discussing: it will be non-financial distributors who get the products into the hands of the people. Kids opening their Next bank accounts will neither know nor care that the actual account is provided by Barclays.

That’s why I have bored audience senseless repeatedly telling them that when people talk about “challengers”, they should be talking about Microsoft and Nike not Monzo and N16. If Big Tech takes over consumer relationships, banks will end up having to give away margin but, far more seriously and far more unrecoverably, data. As Andrei Brasoveanu of Accel said, if Big Tech gets hold of the distribution side of the financial services business, then the manufacturers of financial services products will be “utilities, providing low-margin financial plumbing”. Well, that’s the lucky ones. The unlucky ones will be wiped out in a wave of manufacturing supply-chain consolidation and factory closures.

[This is an edited version of an article that was first published on Forbes, 26th June 2020.]

Voter ID the British way

The Prime Minister, Alexander Boris de Pfeffel Johnson, once wrote about ID cards that if he were ever asked to produce one as “evidence that I am who I say I am” that would take it out of his wallet and “physically eat it”. Now, however, he has announced that he intends to introduce mandatory voter ID for elections. Since Britain doesn’t have an ID card, or a functioning digital identity infrastructure, he will thankfully be spared the indignity of eating an ID card (or, presumably, his phone) at the polling station. What’s more, since Britain doesn’t have a problem with voters being impersonated at the polling station in the first place*, it doesn’t matter.

If you are wondering why it is that Britain is about to demand an ID that people do not have in order to solve a problem that does not exist.. well, it’s security theatre that will keep everyone happy. A rigorous ID requirement would be problematic, because a quarter of the British electorate lack either of the principal photo ID documents, a passport or a driving licence. Hence when you go to vote you will produce either some photo ID document (eg, a Portuguese fishing licence or a British passport) that the chap at the polling station cannot conceivable verify (in Britain polling stations are manned by cheerful local volunteers, not ex-Israeli airport security counterfeit document detection experts) or some random non-photo ID document from a peculiarly English assortment of possibilities including your local library card (these are notoriously difficult to forge, of course)

To me this represents a wonderful, pragmatic British compromise — a countermeasure that doesn’t work to a problem that doesn’t exist— that avoids dealing with the real problem: the electoral fraud that does not happen at the polling booth. The main source of such fraud in the UK is not personation at the polling station but fraudulently-completed postal ballots, a situation that led one British judge to call it “a system that would disgrace a banana republic”. As far as I can understand it from reading the various reports, including the source reports on electoral fraud in the UK, the main problem is that postal votes are being completed by third parties, sometimes in bulk. No proof of identity is going to make any difference to this and so long as we allow people to continue voting by post I can’t see how the situation will improve. It is not beyond the wit of man to come up with alternatives to the postal vote. But that’s not what is being proposed. The UK government is not currently proposing an app or any other kind of electronic voting here, it is merely proposing to add a basic test of identity at the ballot box.

(This is a subject of some interest to me. My home town of Woking, one of the few places in England where people have been jailed recently for electoral fraud, was part of the government’s original voter ID pilot scheme which trialled different types of identification, including formal correspondence such as a utilities bill. I should explain here for foreign readers that in the UK we see the British Gas quarterly bill as a uniquely trusted document.)

The real way forward is, of course, not about using gas bills or indeed special-purpose election ID cards only for the purposes of voting, or a national identity scheme that Mr. Johnson dreads, but a general-purpose National Entitlement Scheme (NES). This sort of thing has been put forward for decades by informed industry observers (eg, me) but I think it now has added momentum because of the combination of technological evolution in the field of identification, authentication and (in particular) authorisation as well as the pandemic pressure to manage vaccination certificates and test results. Much as a person should be able to demonstrate that they have been vaccinated without giving away personal details so should be allowed to vote without disclosing their identity.

The key technology enabler here is that of the “verifiable credential” (VC) and the ability to create and present credentials that demonstrate proofs rather than data. This is often explained through the canonical example of proving to a bar that you are over 21 without providing a date of birth or age. As The Economist explained recently, individuals can be identified to (for example) a smartphone app much in the same way as for online banking, authenticated against their smartphone using biometrics and then when seeking entrance to a “COVID-secure” venue the app can respond to the venue’s requests for credentials (such as a valid test certificate) with a simple “yes” or “no” and nothing else. The individual’s name, age, address, the date of their vaccination and the like would not be transmitted from the app.

It seems a pretty small step to present the credential ENTITLED_TO_VOTE using a similar mechanism at the polling station. Or, indeed, anywhere else.

* There was precisely one conviction for “personation” fraud in the UK in 2019.

Lotteries and lolly

Do we really want anonymity in payment systems or not? It’s a really complicated subject. If anyone tells me that they think payments should be completely anonymous, or completely not anonymous, I suspect that they haven’t thought it through. Even those who are tasked with thinking about this sort of thing are not sure. A few years ago, the US Government Accountability Office published a report on “Emerging Regulatory, Law Enforcement, and Consumer Protection Challenges” (May 2014) and the first of its conclusions was that virtual currency systems “may” provide greater anonymity than traditional payment systems.

They “may”, or they may not. It’s a question of design. The design I want is privacy-enhancing pseudonymity, but that’s just one way of doing things, so I am always keen to gather illustrative use cases. It was while I was writing a piece about assassination lotteries that I remembered the very interesting use of lottery winnings. I was alerted to this by Don Thibeau a couple of years go. He pointed me in the direction of a story about the winner of a HALF A BILLION DOLLAR lottery prize in the United States who was involved in a court case (as Jane Doe) to remain anonymous because she didn’t want everyone to know about it. You can understand why this might lead to problems. Very serious problems, such as when November 2015, Craigory Burch Jr. matched all five numbers in the Georgia Fantasy 5 drawing and won a $434,272 jackpot only to be murdered in his home by seven masked men who kicked in his front door.

Anonymity is Hard

Apart from trying to avoid home invasion and murder, there might be all sorts of reasons that a lottery winner might like to keep her good fortune to herself. Would she really be anonymous though? After all, the money would have to go into a bank account, so not only would lottery officials know who she is but people at the bank would know who she is, and so on. Being anonymous is really difficult in an infrastructure that has no anonymity. Which leads on to an interesting question: if we are designing the identity system of the future, should it allow for this kind of anonymity? It turns out that New Hampshire actually allows people to form anonymous trusts and these trusts can buy lottery tickets. Again, though, would the trust members really be anonymous? The money would have to go somewhere…

You could of course construct the lottery to be completely anonymous from the beginning by using a variant of the cryptographic blinding invented by David Chaum for Digicash. That is, you buy a lottery ticket, fill out the numbers and add your ZCash, Monero or whatever address and then submit it with a blinding factor. The lottery signs the ticket to confirm your numbers and sends it back, at which point you divided out the blinding factor to give yourself a completely anonymous, but completely valid, lottery ticket.

If that ticket wins the lottery, the money can be sent to the cryptocurrency address in the ticket without the lottery owner or anyone else having the slightest idea who it belongs.

Lottery

NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

So is this a use case for anonymous cryptocurrency then? Well, no. Here’s the thing: would you want lottery winnings to go to anonymous people? How would you know that the lottery is fair? How would you know that the lottery operator isn’t rigging it and sending all of the winnings to their family? How do you know that the lottery organiser didn’t win and send the money to themselves? There must be a way to audit, and this of course again points away from anonymity.

I understand the genuine concerns of informed observers. I read in Reason magazine (“Cash means freedom”) a while back: “Cash—the familiar, anonymous paper money and metallic coins that most of us grew up using—isn’t just convenient, it’s also a powerful shield for our autonomy and our privacy”. But it really isn’t. Privacy is being taken away because of social media, people wearing cam-shades and ubiquitous drones, not because of debit cards. I empathise with those people who are as concerned with privacy (as I am), people who worry (with good reason) that there might be an inevitable tendency for a government to want to trespass on the pseudonymous infrastructure in the name of money laundering or terrorism, but that’s a problem that needs to be dealt with by society, not by technology.

Between the rock of total surveillance and the hard place of total chaos, it remains difficult to make the case for digital cash, and central bank digital currency in particular, to be anonymous. We must choose the least worst option: privacy, not anonymity. I agree with Michael Casey’s argument in the Cato Journal that a privacy-enhancing digital Dollar would be very appealing on a global scale in contrast to digital currencies subject to continual state surveillance. He says that if the United States were to treat money “less as a means of controlling everyone and more as a field of opportunity for creative startups” then it would bring substantial benefits which, if central banks think (as I suspect they do) that one of the main drivers for a digital currency is as a platform for new products and services, will add to America’s comparative advantage.

(An edited version of this article first appeared on Forbes, 28th May 2021.)

Marketing, micropayments and irony

I found an article called “Why the subscription economy has yet to hit its peak” on Marketing Week. It looked interesting and relevant to the topic of this article, so I clicked on it to read it and was confronted with two subscription options (£7 per week or £18 per week for the “ultimate” package) neither of which I was remotely interested in. I don’t want another subscription to anything. I already have a subscription to the Wall Street Journal, The Economist and MIT Technology Review (and Tabletop Gaming, which is excellent) and I don’t read even a fraction of that content.

If I had the option of paying £1 to read the Marketing Week article, then I would have cheerfully paid it, but without that option neither of us was satisfied: I didn’t get to read the article and they didn’t get my money.

If I could click on one button marked “Pay £1” and then start reading the article, I would do. If I have to click on button marked “Pay” and then type in my credit card details and my personal information and the amount etc etc they I wouldn’t, especially if I had to pay £2 in order to cover the transactions fees imposed by the platform, the acquirer, the scheme and the issuer. I have the £1, and I want to pay, but I can’t. I can go into a store a buy a pack of gum for £1 and pay in a couple of seconds with my contactless card, but I can’t do the same online.

This is hardly a new idea. The noted venture capitalist Marc Andreessen knows more about the web than I will ever do, and back in 2012 he told a Wired magazine conference in New York that “we should have built payments in the browser”. They got half way, because buried in your browser in addition to the familiar error 404 for page not found there is also error 402 for page requires payment. But no payment mechanism was provided and I note that the Collisons (the brothers behind Stripe) were quoted arguing that this is the reason that the web went from being an open environment and opportunity for all to an “oligopoly controlled by five companies now worth more than $3 trillion”.

A couple of years ago, Mance Harmon wrote here in Forbes that “today’s business models were not designed to protect consumers” and talked about the problems of trying to build micropayments on top of the legacy infrastructure. He was right: but what will stimulate the demand for micropayments and what technologies can be used to satisfy that demand? And not only for magazines with an established brand – what about the content creators trying to connect with their audience directly?

Amber Case says that micropayments could become “a new financial interface”, one where creators and consumers are both able to participate in the web economy”, and I agree. The idea of a web based on content rather than advertising is very appealing indeed. But to get there, I think we need a mechanism that is one button that sends a fixed tip (let’s say $1) to the creator of content. But I just don’t see how we can make that happen by building yet another layer on top of the legacy payment network.

Some people will talk about so-called “level 2” solutions built on top of cryptocurrencies and who knows, they may be right in the long term, but not now. Mr. Andressen said years ago that a “fascinating use case for Bitcoin is micropayments”. Observing that it was not cost-effective to run small payments through the existing payments infrastructure, he thought that Bitcoin’s divisibility would make it easy to send a thousandth of penny to anyone in the world for near-free.

A decade on, and we now have Twitter’s “Tip Jar” which does not use Bitcoin or digital currency some clever blockchain application that none of us had thought of before, but adds another layer on top of the creaking payment system to create a means to send someone a buck while simultaneously giving away your Paypal address and paying a transaction fee of one-third. Tip Jar simply sends you to a third-party payment platform (right now PayPal, Venmo, Cash App, Patreon and Bandcamp).

What could deliver the ideal form of micropayments? I’m experimenting with a few different models myself, running a subscription service on Substack and piloting a couple of online content micropayment schemes (including one from a Y Combinator startup that will go live on the 15Mb Ltd. web site shortly) but I’m not sure that any of these are the perfect solution (maybe there isn’t one – maybe it depends on the channel and content) but I have to say I am enjoying the renewed focus on the micropayments opportunity now.

 

TipsHands in the Tip Jar.
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

We are long overdue a working micropayments infrastructure to deliver a different kind of internet, one based on content not advertising. It seems to me that there is now a chance that it will be central bank digital currency of one form or another. Not Bitcoin, not a tip system built on top of Paypal built on top of credit cards built on top of bank accounts built on top of central bank digital money. If Twitter has access to my CBDC wallet, then it can simply transfer £1 from my wallet to the creator’s wallet with the pseudonymity integral to a well-designed CBDC. I never get to see any of the creator’s personal information (unless they want me to) and the creator never gets to see any of my personal information (unless I want them to).

The micropayments dream from the earliest days of the internet may be about to be realised and I am sure that the implications of this are much, much more than helping a few Tik Tok teens get paid for whatever it is they do on Tik Tok.

(This is an edited version of an article first published on Forbes, 16th May 2021.)

The war on money laundering is going the way of the war on (some) drugs

In a study published last year by financial-crime expert Ronald Pol, he concluded that the global AML system could be “the world’s least effective policy experiment”. Personally, I would have guessed that that accolade belonged to the global war on (some) drugs, but perhaps Ronald has a point. He notes that the compliance costs for banks and other businesses could be more than 100 times higher than the amount of laundered loot seized.

Urine

Cash or charge? (CC-BY-ND 4.0)
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

These comments remind me of those of Rob Wainwright, then Director of Europol, when talking about the great success of the continent’s $20 billion per annum anti-money laundering regime. He said that “professional money launderers are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate”. This concurs with the figure given in The Economist. Although we are only intercepting a miserable one percent of the dirty money, the costs that the regime impose on the finance sector are staggering. Yet these enormous costs achieve nothing. The Money Laundering/Terrorist Financing (ML/TF) regime is, according to the Journal of Financial Crime 25(2), “almost completely ineffective in disrupting illicit finances and serious crime”

The Money Laundering/Terrorist Financing (ML/TF) regime is almost completely ineffective in disrupting illicit finances and serious crime Click To Tweet.

Direction of Travel

It’s going to get worse, of course. In the UK, many organisations are not yet compliant with the EU’s Fifth Anti-Money Laundering Directive (5MLD) and there is a Sixth Anti-Money Laundering Directive (6MLD) on the way. And the reach of the Financial Action Task Force (FATF) is being extended into cryptospace, so there’s no way to get round the bureaucracy. A couple of years ago FATF extended their recommendations to include cryptocurrency exchanges and wallet providers (together referred to as Virtual Asset Service Providers, or “VASPs”). This meant that all countries should apply anti-money laundering and anti-terrorist financing controls to these businesses: that is, customer due diligence (CDD), suspicious activity reports (SAR) and, importantly, the “Travel Rule” that aims to prevent money laundering by identifying the parties to a transaction when value over a certain amount are transferred.

The decision to apply the same travel rule on VASPs as on traditional financial institutions was greeted with some dismay in the cryptocurrency world, because it meant that service providers must collect and exchange customer information during transactions. The technically non-binding guidance on how member jurisdictions should regulate their ‘virtual asset’ marketplace included the contentious detail that whenever a user of one exchange sends cryptocurrency worth more than 1,000 dollars or euros to a user of a different exchange, the originating exchange must send identifying information about both the sender and the intended recipient to the beneficiary exchange. The information must also be recorded and made available to “appropriate authorities on request”.

However, when speaking at the “V20 Virtual Asset Service Providers Summit” in 2020, Carole House from the Financial Crimes Enforcement Network (FinCEN) said that they want to see this threshold reduced to $250 for any transfers that go outside the US because their analysis of SARs filed from 2016 and 2019 showed the mean and median dollar values to be $509 and $255 respectively. Almost all the transactions began or ended outside the U.S.

Note that the information demand is quite extensive. According to the FATF Interpretive Note to Recommendation 16, the information should include name and account number of the originator and benefactor, the originator’s (physical) address, national identity number (or something similar) or date and place of birth. In essence, this means that counterparty’s personal information will sent around the web. Simon Lelieveldt, a former Head of Department on Banking Supervision at the Dutch Central Bank, is very well-informed and level-headed about such things, and even he called this a “disproportional silly measure by regulators who don’t understand blockchain technology”, which may be a little harsh even if not too far from the truth.

Surely the extension of the travel rule signals that it is time for a rethink. We need to begin with the fact that live in a world of data science, machine learning and artificial intelligence (AI) and understand that we cannot tackle crimes such as money laundering without machine brains to help us. This line of AI-centric thinking can be more disruptive than might seem at first glance because it suggests an alternative vision of regulation where we do away with a lot of the expensive barriers to entry to the financial system, those pot holes for criminals but chasms for legitimate users and instead use machine brains to police what is happening inside the system.

AML Isn’t Working

In other words, instead of trying to prevent criminals for getting in to the system, we should instead let them in and monitor what they are up to. If we force them to continue using cash, then we have no idea what they are up to! Whereas if we can persuade them to use electronic transactions of some kind, particularly those that leave an immutable record of criminality, then we would would actually be better off! Since cash cannot be tracked around the economy, we (society) have put in place a whole bunch of complicated and expensive rules about accounting for cash when it enters the financial system. But suppose there wasn’t any cash. Suppose there was only Bitcoin. In that case, as I pointed out some time ago, you wouldn’t need anti-money laundering (AML) regulations at all because you would be able to follow every coin around the blockchain!

Many observers, and Bitcoin fans in particular, say that this is nonsense because there are a variety of ways to jumble up and otherwise obfuscate the sources of value in transactions on the Bitcoin network. I never saw this as a realistic barrier to criminals though, and I noted that a simple rule that required banks to investigate any coins that had originated in anonymous wallets (or mixers) would be sufficient to stop the large-scale use. Also, you will remember that U.S. Department of Justice (DoJ) has already shown its intentions. You will remember they indicted Larry Harmon for creating the Bitcoin mixer “Helix” (in addition, Fincen fined him $60m last year) and have just arrested Roman Sterlingov, the alleged operator of Bitcoin Fog, a custodial bitcoin mixer that it says processed over 1.2 million BTC.

We erect (expensive) KYC barriers and then force institutions to conduct (expensive) AML operations, using computers and laser beams to emulate handwritten index cards and suspicious transaction reports (STRs). But as I have suggested before, suppose that KYC barriers were a lot lower so that more transactions entered the financial system. And suppose the transaction data was fed, perhaps in a pseudonymised form, to a central AML factory, where AI and big data, rather than clerks and STR forms, formed the front line rather than the (duplicated) ranks of footsoldiers in every institution. In this approach, the more data fed in then the more effective the factory would be at learning and spotting the bad boys at work. Network analysis, pattern analysis and other techniques would be very effective because of analysis of transactions occurring over time and involving a set of (not obviously) related real-world entities.

They have already taken a step towards this is in the Netherlands, where ABN Amro, ING, Rabobank, Triodos Bank and de Volksbank formed a consortium (Transaction Monitoring Netherlands, TMNL) to share data and identify unusual patterns in payments traffic that the individual banks cannot spot for themselves. Let’s hope they are successful, because estimates suggest that €16 billion of criminal money is laundered in the Netherlands each year from activities including drugs, human trafficking, child pornography and extortion.

British Opportunity

Michael Harris, director of financial crime compliance at LexisNexis Risk Solutions, commented that the release of the FinCEN files highlighted the “myriad issues” with the UK Anti-money laundering (AML) system – an ineffective suspicious activity report (SAR) regime, the poor use of data and technology and a legal system that inhibits information sharing and a culture that allows companies to hide their beneficial owners through offshore registered entities. There are other related negative impacts too: I remember a discussion with the then-Treasury minister Andrea Leadsom at techUK back in 2015, during which she noted that CDD is itself a friction against a more competitive financial services sector because it serves to create a moat around the larger incumbents.

I think that UKplc should rethink compliance for competitive advantage. As part of a post Brexit project to boost British invisibles, we should take jurisdictional competition seriously and create a compliance regime built on new technology not and industrial age mishmash of shaky identification documentation and millions of suspicious transaction reports. It is time for some new thinking. Omar Magana wrote a very good piece of this for the Chartwell “Compass” magazine. He asked whether “the enforcement of a regulation that was created over 20 years ago for a fast-evolving industry, may not be the best approach”. Note that he is not arguing against regulation, he is arguing (as I do) for a form of regulation more appropriate for our age (for which I use the umbrella term “Digital Due Diligence”, or DDD) using artificial intelligence and machine learning to track, trace and connect the dots to find the bad actors. If you look at the work of Chainalysis and others

The benefits to the wider economy are obvious – more access to financial services as well as more interdiction of actual money launderers, terrorists, corrupt politicians and tax evaders. We all know that COVID-19 is accelerating the evolution of digital onboarding, and that’s great. But we need to move to the next level: DDD! Now that we live in a world where digital identity is becoming a thing (both for people and for organisations) it’s time to plan for a faster, more cost-effective and more transparent approach that is based on the world we are actually living in.

(This is an edited version of an article first published on Forbes, 3rd May 2021.)

Crypto crimes and the risk of anonymity

I have written before that governments will never allow anonymous digital currencies and my comments attracted a certain amount of controversy. And I understand why. But to those who say that uncensorable, untraceable digital cash would be a shield against dictators, a force for the oppressed and a boon to free man everywhere… I say be careful what you wish for. The issue of anonymity in payments is complex and crucial and it deserves informed calm strategic thinking because digital currency touches on so many aspects of society.

One obvious and important aspect is crime. Would digital currency change crime? If I hire thugs to lure a cryptobaron to a hotel room and then beat him up to get $1m in bitcoins from him (as actually happened in Japan), is that a crypto-crime or just boring old extortion? If I use Craigslist to lure a HODLer to a street corner and then pull a gun on him and force him to transfer his bitcoins to me (as actually happened in New York), is that a crypto-crime or just boring old mugging? If I get hold of someone’s login details and transfer their cryptocurrency to myself (as has just happened in Springfield), is that a crypto-crime or just boring old fraud? If I kidnap the CEO of a cryptocurrency exchange and then release him after the payment of a $1 million bitcoin ransom is that, as the Ukrainian interior minister said at the time “bitcoin kidnapping” or just boring old extortion?

Holmes

Cash or charge? (CC-BY-ND 4.0)
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

 These are just crimes, surely? And not very good ones at that, because they are recorded in perpetuity on an immutable public ledger. Personally, if I were to kidnap a cryptocurrency exchange CEO I would ask for the ransom to be paid in some more privacy-protecting cryptocurrency, because as I explained in the FT some years ago, Bitcoin is not a very good choice for this sort of cyber-criminality. It’s just not anonymous enough for really decent crimes or the darkest darknets. Hence my scepticism about claims that Bitcoin’s long term value will be determined by it’s use for crime.

Untraceable

But what if there were an actually untraceable cryptocurrency out there and it wasn’t up to governments to allow it or not? Would an aspiring cryptocriminal mastermind be able to use it for something more innovative than the physically-demanding felony of kidnapping? I’m sure the Mafia would be delighted to have anonymous digital cash to zip around the world, but what would they use it for? Might they come up with some dastardly enterprise that is not a virtual shadow of a crime that has been around since year zero, but a wholly new crime for the virtual world? What if they could find one with the potential to take over from drug dealing (currently approximately 40% of organised crime revenues) as the best option for the criminal entrepreneur?

Ransomware is one interesting candidate. It is certainly a major problem. Criminals seize control of organisations’ computer networks, encrypting their data and demanding payment to deliver the decryption keys. Companies paralyzed by the attacks paid hackers an average of more than $300K in 2020 (triple the average of the year before). A cyber security survey last year revealed that more than two-thirds of organisations in the United States had experienced a ransomware attack and had paid a ransom as a result! That’s a pretty decent business for criminals and it certainly was a driver for Bitcoin, although ransomware operators have been moving away from it for some time.

(Once again demonstrating the impending explicit pricing of privacy, the Sodinokibi payment website last year began charging 10% more for Bitcoin ransoms compared to the more private Monero cryptocurrency.)

On the whole, given the basic nature of most organisation’s cyber-defences (more than half of all ransomware attacks stem from spam e-mails), one might expect the ransomware rewards to continue to grow. Apart from anything else, the ransomware raiders are reinvesting their profits in increasingly efficient operations, making for even bigger and bolder attacks.

Assasinate and Win

So, ransomware. But what about a more sinister candidate for large-scale criminality though? Is it time for the “assassination market”? It’s not a new idea. A few years ago, Andy Greenberg wrote a great piece about this here on Forbes. He was exploring the specific case of “Kuwabatake Sanjuro” who had set up a Bitcoin-powered market for political assassinations, but in general an assassination market is a form prediction market where any party can place a bet on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise the assassination of individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death.

This idea originated, to the best of my knowledge, with Jim Bell. Way back in 1995 he set it out in an essay on “assassination politics“. I suppose it was inevitable that advent of digital cash would stimulate thought experiments in this area and it was interesting to me then (and now) because it showed the potential for innovation around digital money even in the field of criminality.

Here’s how the market works and why the incentive works, as I explained in my book “Before Babylon, Beyond Bitcoin“. Someone runs a public book on the anticipated death dates of public figures. If I hate some tech CEO (for example), I place a bet on when they will die. When the CEO dies, whoever had the closest guess to their date and time of death wins all of the money staked, less a cut for the house. Let’s say I bet $5 (using anonymous digital cash through the TOR network) that a specific tech CEO is going to die at 9am on April Fool’s Day 2022. Other people hate this person too and they put down bets as well. The more hated the person is, the more bets there will be.

April Fool’s Day 2020 comes around. There’s now ten million dollars staked on this particularly CEO dying at 9am. I pay a hit man five million dollars to murder the CEO. Hurrah! I’ve won the bet, so I get the ten million dollars sent to me in anonymous digital cash and give half to the hit man. No-one can pin the crime on me because I paid the hitman in untraceable anonymous digital cash as well.

I’m just the lucky winner of the lottery.

But better than that is that if I can get enough bets put on someone, then I don’t even have to take the risk of hiring the hitman. If I use some anonymous bots or friendly tolls to coordinate a social media campaign to get a million people to put a $5 bet on the date of the tech CEOs death, then some enterprising hit man will make their own bet and kill them. If the general public had bet five million bucks on 31st March and some enterprising cryptopsycho had murdered the CEO themselves the day before, then it would only have cost me a $5, and I would have regarded that as $5 well spent, as would (presumably) everyone else who bet $5!

(This is an edited version of an article first published on Forbes, 14th April 2021.)

The CBDC privacy paradox

It seems to meet that there is something of a paradox around cash, digital cash and anonymity. The average consumer wants anonymity for their own payments because they are not crooks (and their purchasing decisions are no-one’s business except theirs and the merchant’s). On the other hand, the average consumer (not to mention the average law enforcement agent) doesn’t want anonymity for terrorists, lobbyists or fraudsters.

The Bank of England’s fintech director Tom Mutton said in a speech that privacy was “a non-negotiable” for a retail CBDC. Meanwhile, the Bank of Canada (just to pick one recent example) published a a staff analytical note on the risks associated with CBDCs stating that central banks should mitigate risks such as anonymity present in digital currencies. Note the formulation of anonymity as a “risk”. With stricter rules on the holding and exchange of cryptocurrencies coming into place around the globe. Just to give one example, South Korea’s Financial Services Commission has announced new rules to come into force in 2022, banning all anonymous digital currencies “that possess a high-risk of money laundering” (which, as far as I can see, is all anonymous digital currencies).

There is a payments privacy paradox, and cryptocurrency brings it into sharp relief. Good people should be allowed anonymous cash, but bad people should not. Click To Tweet

How can we resolve this? Well, I think that we can, if we spend a little time to think about what anonymity and privacy actually mean.

The Clinton Paradox

This is a special case of a more general paradox. Let me explain and illustrate. A few years ago, I was invited me along to “an event” in London to enjoy a morning of serious thinking about some key issues in information security. They had some pretty impressive speakers as I recall: Mike Lynch, the founder of Autonomy, was one of them. Alec Ross, who was Senior Advisor for Innovation and Technology to the Secretary of State Hilary Clinton, gave the keynote address on “ The promise and peril of our networked world ”. Alec was a good speaker, as you’d expect from someone with a background in diplomacy, and he gave some entertaining and illustrative examples of using security to help defeat Mexican drug cartels and Syrian assassins. He also spent part of the talk warning against an over-reaction to “Snowden” leading to a web Balakanisation that helps no-one.

A decade back, I wrote about what I called the  “Clinton Paradox”. This came about because I read a piece by Bob Gourley. the former CTO of the U.S. Defense Intelligence Agency, who framed a fundamental and important question about the future identity infrastructure when analysing Hillary Clinton’s noted speech on Internet freedom.

We must have ways to protect anonymity of good people, but not allow anonymity of bad people.

Mrs. Clinton had said that we need an infrastructure that stops crime but allows free assembly. I have no idea how to square that circle, except to say that prevention and detection of crime ought to be feasible even with anonymity, which is the most obvious and basic way to protect free speech, free assembly and whistleblowers: it means doing more police work, naturally, but it can be done. By comparison, “knee jerk” reactions, attempting to force the physical world’s limited and simplistic identity model into cyberspace, will certainly have unintended consequences. Hence, I had suggested, it might be better to develop an infrastructure that uses a persistent pseudonymous identity. I was looking to mobile operators to do this, because they had a mechanism to interact face-t0-face (they had retail shops at the time) and remotely, as well as access to tamper-resistant secure hardware (ie, the SIM) for key storage and authentication. It never happened, of course.

Why am I remembering this. Well, I challenged Alec about the Clinton Paradox —slightly mischievously, to be honest, because I suspected he may have had a hand in the speech that I referred to in that blog post—and he said that people should be free to access the internet but not free to break the law, which is a politician’s non-answer (if “the law” could be written out in predicate calculus, he might have had a point, but until then…). He said that he thought that citizens should be able to communicate in private even if that means that they can send each other unauthorised copies of “Game of Thrones” as well as battle plans for Syrian insurgents.

I think I probably agree, but the key here is the use of the phrase “in private”. I wonder if he meant “anonymously”? I’m a technologist, so “anonymous” and “private” mean entirely different things and each can be implemented in a variety of ways.

The Payments Paradox

How will the Bank of Canada mitigate the risk of anonymity and South Korea maintain a ban on “privacy coins” when faced with a Bank of England digital currency that has non-negotiable privacy? Well, the way to resolve this apparent paradox is to note the distinction above between privacy and anonymity.

In the world of cryptography and cryptocurrency, anonymity is unconditional: it means that it is computationally infeasible to discover the link between a person in the real world and value online. Privacy is conditional: it means that the link is hidden by some third party (eg, a bank) and not disclosed unless certain criteria are met.

Showmethemoney

You can own these cartoons!
NFTs available from the artist Helen Holmes at
TheOfficeMuse
(CC-BY-ND 4.0)

Surveying the landscape as of now, I think we can see these concepts bounding an expanding privacy spectrum. There will undoubtedly be anonymous cryptocurrencies out there, but I think it is fair to observe that they will incur high transaction costs. At the other end of the spectrum, the drive for techfins and embedded finance will mean even less privacy (for the obvious reason, as discussed before, that their payment business models around around data). One might argue, with some justification I think, that central banks are better positioned than banks or other intermediaries when it comes to safeguarding data, because a central bank has no profit motive to exploit payments data.

(I could go further and argue that if the central bank were to place transaction data into some form of data trust that would facilitate data sharing to the benefit of citizens, we might see some real disruption in the retail payments space. In a data trust, structure, data stewards and guardians would look after the data or data rights of groups of individuals with a legal duty to act in the interest of the data subjects or their representatives. In 2017, the UK government first proposed them as a way to make larger data sets available for training artificial intelligence and a European Commission proposal in early 2020 floated data trusts as a way to make more data available for research and innovation. And in July 2020, India’s government came out with a plan that prominently featured them as a mechanism to give communities greater control over their data.)

Digital Currency, Digital Privacy

As The Economist once noted on the topic of central bank digital currency, people might well be “uncomfortable with accounts that give governments detailed information about transactions, particularly if they hasten the decline of good old anonymous cash”. And, indeed, I am. But the corollary, that anonymous digital currency should be allowed because anonymous physical cash is allowed, is plain wrong.

No-one, not the Bank of England nor any other regulator, central bank, financial institution, law enforcement agency, legislator or, for that matter, sane citizen of any democracy, wants anonymous digital currency whether from the central bank or anyone else. The idea of giving criminals and corrupt politicians, child pornographers and conmen a free pass with payments is throughly unappealing. On the other hand, the Bank of England and all responsible legislators should demand privacy.

I think the way forward is obvious, and relies on distinguishing between the currency and the wallets that it is stored in. Some years ago, when head of the IMF, Christine Lagarde spoke about CBDCs, noting that digital currencies “could be issued one-for-one for dollars, or a stable basket of currencies”. Why that speech was reported in some outlets as being somewhat supportive of cryptocurrencies was puzzling, especially since in this speech she specifically said she remained unconvinced about the “trust = technology” (“code is law”) view of cryptocurrencies. But the key point of that speech about digital fiat that I want to highlight is that she said

Central banks might design digital currency so that users’ identities would be authenticated through customer due diligence procedures and transactions recorded. But identities would not be disclosed to third parties or governments unless required by law.

As a fan of practical pseudonymity as a means to raise the bar on both privacy and security, I am very much in favour of exploring this line of thinking. Technology gives us ways to deliver appropriate levels of privacy into this kind of transactional system and to do it securely and efficiently within a democratic framework. In particular, new cryptographic technology gives us the apparently paradoxical ability to keep private data on a shared or public ledger, which I think will form the basis on new financial institutions (the “glass bank” that I am fond of using as the key image) that work in new kinds of markets.

So, if I send ten digital dollars from my digital wallet to your digital wallet, that’s no-one business but ours. If, however, law enforcement agencies obtain a warrant to require the wallet providers to disclose the identity of the owners, then that information should be readily available. There is no paradox around privacy in payments, but there is an imperative for practical pseudonymity.

[An edited version of this article first appeared on Forbes, 6th April 2021.]