Crypto crimes and the risk of anonymity

I have written before that governments will never allow anonymous digital currencies and my comments attracted a certain amount of controversy. And I understand why. But to those who say that uncensorable, untraceable digital cash would be a shield against dictators, a force for the oppressed and a boon to free man everywhere… I say be careful what you wish for. The issue of anonymity in payments is complex and crucial and it deserves informed calm strategic thinking because digital currency touches on so many aspects of society.

One obvious and important aspect is crime. Would digital currency change crime? If I hire thugs to lure a cryptobaron to a hotel room and then beat him up to get $1m in bitcoins from him (as actually happened in Japan), is that a crypto-crime or just boring old extortion? If I use Craigslist to lure a HODLer to a street corner and then pull a gun on him and force him to transfer his bitcoins to me (as actually happened in New York), is that a crypto-crime or just boring old mugging? If I get hold of someone’s login details and transfer their cryptocurrency to myself (as has just happened in Springfield), is that a crypto-crime or just boring old fraud? If I kidnap the CEO of a cryptocurrency exchange and then release him after the payment of a $1 million bitcoin ransom is that, as the Ukrainian interior minister said at the time “bitcoin kidnapping” or just boring old extortion?

Holmes

Cash or charge? (CC-BY-ND 4.0)
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

 These are just crimes, surely? And not very good ones at that, because they are recorded in perpetuity on an immutable public ledger. Personally, if I were to kidnap a cryptocurrency exchange CEO I would ask for the ransom to be paid in some more privacy-protecting cryptocurrency, because as I explained in the FT some years ago, Bitcoin is not a very good choice for this sort of cyber-criminality. It’s just not anonymous enough for really decent crimes or the darkest darknets. Hence my scepticism about claims that Bitcoin’s long term value will be determined by it’s use for crime.

Untraceable

But what if there were an actually untraceable cryptocurrency out there and it wasn’t up to governments to allow it or not? Would an aspiring cryptocriminal mastermind be able to use it for something more innovative than the physically-demanding felony of kidnapping? I’m sure the Mafia would be delighted to have anonymous digital cash to zip around the world, but what would they use it for? Might they come up with some dastardly enterprise that is not a virtual shadow of a crime that has been around since year zero, but a wholly new crime for the virtual world? What if they could find one with the potential to take over from drug dealing (currently approximately 40% of organised crime revenues) as the best option for the criminal entrepreneur?

Ransomware is one interesting candidate. It is certainly a major problem. Criminals seize control of organisations’ computer networks, encrypting their data and demanding payment to deliver the decryption keys. Companies paralyzed by the attacks paid hackers an average of more than $300K in 2020 (triple the average of the year before). A cyber security survey last year revealed that more than two-thirds of organisations in the United States had experienced a ransomware attack and had paid a ransom as a result! That’s a pretty decent business for criminals and it certainly was a driver for Bitcoin, although ransomware operators have been moving away from it for some time.

(Once again demonstrating the impending explicit pricing of privacy, the Sodinokibi payment website last year began charging 10% more for Bitcoin ransoms compared to the more private Monero cryptocurrency.)

On the whole, given the basic nature of most organisation’s cyber-defences (more than half of all ransomware attacks stem from spam e-mails), one might expect the ransomware rewards to continue to grow. Apart from anything else, the ransomware raiders are reinvesting their profits in increasingly efficient operations, making for even bigger and bolder attacks.

Assasinate and Win

So, ransomware. But what about a more sinister candidate for large-scale criminality though? Is it time for the “assassination market”? It’s not a new idea. A few years ago, Andy Greenberg wrote a great piece about this here on Forbes. He was exploring the specific case of “Kuwabatake Sanjuro” who had set up a Bitcoin-powered market for political assassinations, but in general an assassination market is a form prediction market where any party can place a bet on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise the assassination of individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death.

This idea originated, to the best of my knowledge, with Jim Bell. Way back in 1995 he set it out in an essay on “assassination politics“. I suppose it was inevitable that advent of digital cash would stimulate thought experiments in this area and it was interesting to me then (and now) because it showed the potential for innovation around digital money even in the field of criminality.

Here’s how the market works and why the incentive works, as I explained in my book “Before Babylon, Beyond Bitcoin“. Someone runs a public book on the anticipated death dates of public figures. If I hate some tech CEO (for example), I place a bet on when they will die. When the CEO dies, whoever had the closest guess to their date and time of death wins all of the money staked, less a cut for the house. Let’s say I bet $5 (using anonymous digital cash through the TOR network) that a specific tech CEO is going to die at 9am on April Fool’s Day 2022. Other people hate this person too and they put down bets as well. The more hated the person is, the more bets there will be.

April Fool’s Day 2020 comes around. There’s now ten million dollars staked on this particularly CEO dying at 9am. I pay a hit man five million dollars to murder the CEO. Hurrah! I’ve won the bet, so I get the ten million dollars sent to me in anonymous digital cash and give half to the hit man. No-one can pin the crime on me because I paid the hitman in untraceable anonymous digital cash as well.

I’m just the lucky winner of the lottery.

But better than that is that if I can get enough bets put on someone, then I don’t even have to take the risk of hiring the hitman. If I use some anonymous bots or friendly tolls to coordinate a social media campaign to get a million people to put a $5 bet on the date of the tech CEOs death, then some enterprising hit man will make their own bet and kill them. If the general public had bet five million bucks on 31st March and some enterprising cryptopsycho had murdered the CEO themselves the day before, then it would only have cost me a $5, and I would have regarded that as $5 well spent, as would (presumably) everyone else who bet $5!

(This is an edited version of an article first published on Forbes, 14th April 2021.)

The CBDC privacy paradox

It seems to meet that there is something of a paradox around cash, digital cash and anonymity. The average consumer wants anonymity for their own payments because they are not crooks (and their purchasing decisions are no-one’s business except theirs and the merchant’s). On the other hand, the average consumer (not to mention the average law enforcement agent) doesn’t want anonymity for terrorists, lobbyists or fraudsters.

The Bank of England’s fintech director Tom Mutton said in a speech that privacy was “a non-negotiable” for a retail CBDC. Meanwhile, the Bank of Canada (just to pick one recent example) published a a staff analytical note on the risks associated with CBDCs stating that central banks should mitigate risks such as anonymity present in digital currencies. Note the formulation of anonymity as a “risk”. With stricter rules on the holding and exchange of cryptocurrencies coming into place around the globe. Just to give one example, South Korea’s Financial Services Commission has announced new rules to come into force in 2022, banning all anonymous digital currencies “that possess a high-risk of money laundering” (which, as far as I can see, is all anonymous digital currencies).

There is a payments privacy paradox, and cryptocurrency brings it into sharp relief. Good people should be allowed anonymous cash, but bad people should not. Click To Tweet

How can we resolve this? Well, I think that we can, if we spend a little time to think about what anonymity and privacy actually mean.

The Clinton Paradox

This is a special case of a more general paradox. Let me explain and illustrate. A few years ago, I was invited me along to “an event” in London to enjoy a morning of serious thinking about some key issues in information security. They had some pretty impressive speakers as I recall: Mike Lynch, the founder of Autonomy, was one of them. Alec Ross, who was Senior Advisor for Innovation and Technology to the Secretary of State Hilary Clinton, gave the keynote address on “ The promise and peril of our networked world ”. Alec was a good speaker, as you’d expect from someone with a background in diplomacy, and he gave some entertaining and illustrative examples of using security to help defeat Mexican drug cartels and Syrian assassins. He also spent part of the talk warning against an over-reaction to “Snowden” leading to a web Balakanisation that helps no-one.

A decade back, I wrote about what I called the  “Clinton Paradox”. This came about because I read a piece by Bob Gourley. the former CTO of the U.S. Defense Intelligence Agency, who framed a fundamental and important question about the future identity infrastructure when analysing Hillary Clinton’s noted speech on Internet freedom.

We must have ways to protect anonymity of good people, but not allow anonymity of bad people.

Mrs. Clinton had said that we need an infrastructure that stops crime but allows free assembly. I have no idea how to square that circle, except to say that prevention and detection of crime ought to be feasible even with anonymity, which is the most obvious and basic way to protect free speech, free assembly and whistleblowers: it means doing more police work, naturally, but it can be done. By comparison, “knee jerk” reactions, attempting to force the physical world’s limited and simplistic identity model into cyberspace, will certainly have unintended consequences. Hence, I had suggested, it might be better to develop an infrastructure that uses a persistent pseudonymous identity. I was looking to mobile operators to do this, because they had a mechanism to interact face-t0-face (they had retail shops at the time) and remotely, as well as access to tamper-resistant secure hardware (ie, the SIM) for key storage and authentication. It never happened, of course.

Why am I remembering this. Well, I challenged Alec about the Clinton Paradox —slightly mischievously, to be honest, because I suspected he may have had a hand in the speech that I referred to in that blog post—and he said that people should be free to access the internet but not free to break the law, which is a politician’s non-answer (if “the law” could be written out in predicate calculus, he might have had a point, but until then…). He said that he thought that citizens should be able to communicate in private even if that means that they can send each other unauthorised copies of “Game of Thrones” as well as battle plans for Syrian insurgents.

I think I probably agree, but the key here is the use of the phrase “in private”. I wonder if he meant “anonymously”? I’m a technologist, so “anonymous” and “private” mean entirely different things and each can be implemented in a variety of ways.

The Payments Paradox

How will the Bank of Canada mitigate the risk of anonymity and South Korea maintain a ban on “privacy coins” when faced with a Bank of England digital currency that has non-negotiable privacy? Well, the way to resolve this apparent paradox is to note the distinction above between privacy and anonymity.

In the world of cryptography and cryptocurrency, anonymity is unconditional: it means that it is computationally infeasible to discover the link between a person in the real world and value online. Privacy is conditional: it means that the link is hidden by some third party (eg, a bank) and not disclosed unless certain criteria are met.

Showmethemoney

You can own these cartoons!
NFTs available from the artist Helen Holmes at
TheOfficeMuse
(CC-BY-ND 4.0)

Surveying the landscape as of now, I think we can see these concepts bounding an expanding privacy spectrum. There will undoubtedly be anonymous cryptocurrencies out there, but I think it is fair to observe that they will incur high transaction costs. At the other end of the spectrum, the drive for techfins and embedded finance will mean even less privacy (for the obvious reason, as discussed before, that their payment business models around around data). One might argue, with some justification I think, that central banks are better positioned than banks or other intermediaries when it comes to safeguarding data, because a central bank has no profit motive to exploit payments data.

(I could go further and argue that if the central bank were to place transaction data into some form of data trust that would facilitate data sharing to the benefit of citizens, we might see some real disruption in the retail payments space. In a data trust, structure, data stewards and guardians would look after the data or data rights of groups of individuals with a legal duty to act in the interest of the data subjects or their representatives. In 2017, the UK government first proposed them as a way to make larger data sets available for training artificial intelligence and a European Commission proposal in early 2020 floated data trusts as a way to make more data available for research and innovation. And in July 2020, India’s government came out with a plan that prominently featured them as a mechanism to give communities greater control over their data.)

Digital Currency, Digital Privacy

As The Economist once noted on the topic of central bank digital currency, people might well be “uncomfortable with accounts that give governments detailed information about transactions, particularly if they hasten the decline of good old anonymous cash”. And, indeed, I am. But the corollary, that anonymous digital currency should be allowed because anonymous physical cash is allowed, is plain wrong.

No-one, not the Bank of England nor any other regulator, central bank, financial institution, law enforcement agency, legislator or, for that matter, sane citizen of any democracy, wants anonymous digital currency whether from the central bank or anyone else. The idea of giving criminals and corrupt politicians, child pornographers and conmen a free pass with payments is throughly unappealing. On the other hand, the Bank of England and all responsible legislators should demand privacy.

I think the way forward is obvious, and relies on distinguishing between the currency and the wallets that it is stored in. Some years ago, when head of the IMF, Christine Lagarde spoke about CBDCs, noting that digital currencies “could be issued one-for-one for dollars, or a stable basket of currencies”. Why that speech was reported in some outlets as being somewhat supportive of cryptocurrencies was puzzling, especially since in this speech she specifically said she remained unconvinced about the “trust = technology” (“code is law”) view of cryptocurrencies. But the key point of that speech about digital fiat that I want to highlight is that she said

Central banks might design digital currency so that users’ identities would be authenticated through customer due diligence procedures and transactions recorded. But identities would not be disclosed to third parties or governments unless required by law.

As a fan of practical pseudonymity as a means to raise the bar on both privacy and security, I am very much in favour of exploring this line of thinking. Technology gives us ways to deliver appropriate levels of privacy into this kind of transactional system and to do it securely and efficiently within a democratic framework. In particular, new cryptographic technology gives us the apparently paradoxical ability to keep private data on a shared or public ledger, which I think will form the basis on new financial institutions (the “glass bank” that I am fond of using as the key image) that work in new kinds of markets.

So, if I send ten digital dollars from my digital wallet to your digital wallet, that’s no-one business but ours. If, however, law enforcement agencies obtain a warrant to require the wallet providers to disclose the identity of the owners, then that information should be readily available. There is no paradox around privacy in payments, but there is an imperative for practical pseudonymity.

[An edited version of this article first appeared on Forbes, 6th April 2021.]

Digital Identity Is a National Security Issue – War on the Rocks

xxx

the U.S. government sees digital identity as a back-burner issue. The United States needs to start treating identity as core to national securit

From Digital Identity Is a National Security Issue – War on the Rocks.

xxx

xxx

The federal government should create a Digital Identity Center to work with the private sector and state and local governments to rapidly identify and support new digital identity technologies. Doing so would strengthen America’s cyber security posture and advance the country’s counter-intelligence interests. The center should be arm’s length to the government, allowing for independence, global exposure, and flexibility to meet new challenges. Within the federal community, those entrusted with leadership positions should make use of such a center to adopt an entrepreneur’s mindset.

From Digital Identity Is a National Security Issue – War on the Rocks.

xxx

Separating the sheepcoins from the goatcoins

Some people mine Bitcoin for profits but some some people mine it for politics. The operator of a Bitcoin mining pool (a group of miners who work together to share the profits) quoted in CoinDesk recently said that some are investing not to convert electricity into cash but for other reasons “such as to avoid capital controls or avoid sanctions”. Indeed. And this has some serious implications. The Foundation for Defense of Democracies (FDD), a Washington think tank, summarised the emerging situation rather well in their position paper “Crypto Rogues“. They noted that “blockchain technology may be the innovation that enables U.S. adversaries for the first time to operate entire economies outside the U.S.-led financial system”. Now, while this may be technically slightly inaccurate (there are ways to create anonymous transactions without a blockchain and, indeed, the Swiss central bank has just published a working paper describing how to do so) it again flags up that the widespread availability of decentralised financial services threatens to bypass the existing infrastructure.

Iran provides an obvious example. They have every incentive to want to try new approaches to skirt the long arm of American law. The country already published a new set of regulations designed to funnel Bitcoin mined by Iranians to the state so that the country can use them to pay for imports. When the Iranian regime, for example, set up a venture to explore Bitcoin payments with a Swedish startup, the Swedish banks refused it a bank account because they themselves did not want to become subject to secondary sanctions. As America’s Treasury Secretary Mnuchin said at the time (talking about Iran), “If you want to participate in the dollar system you abide by US sanctions”.

On the other side of the world, North Korea has been developing a digital currency of its own. According to Alejandro Cao de Benós, President of the Korean Friendship Association, the Democratic People’s Republic of Korea intends to go down the Facebook route by creating an asset-backed digital currency rather than a digital fiat currency and then use some sort of blockchain with “Ethereum-style smart contracts” to do business and avoid sanctions. The regime sees this as a way to enforce deals it makes with foreign counterparties by developing a “token based on something with physical value” (eg, gold) in order to create a stable mechanism for payments in international trade between the regime and “other companies/individuals” (although it will not be available to individuals in the DPRK, who will be stuck with the Korean Won).

Across the Pacific in Venezuela, a country often mentioned by Bitcoin enthusiasts as a living case study of the benefits of decentralised cryptocurrency in the fight against tyranny, we find more mining going on: a video posted on Instagram by the 61st Battalion of the 6th Corps of Engineers of the Venezuelan Army shows military buildings converted into giant cryptocurrency mining centres and a warehouse that appears to be full of specialist Bitcoin mining equipment is labelled the “Center for the Production of Digital Assets”.

(I noted with interest that they do not appear to be mining “The Petro”, the digital currency of the revolution which according to the Bolivarian Council of Mayors’ recent “National Tax Harmonization Agreement” may soon be required for the payment of taxes.)

What… Whatible?

It seems to me that Bitcoin is a pretty poor choice for sanction-busting shenanigans though. Not only is the record of transactions public, but the Bitcoin value is not fungible. This matters. Remember that 2014 IRS Ruling about Bitcoins being a commodity, so that traders would have to track the buying and selling price of each individual Bitcoin in order to assess their tax liability? No? Here’s a reminder : “the real lesson from the IRS Bitcoin ruling is that for a currency-or any payment system-to work, its units must be completely fungible”.

Fungible (from the Latin “to enjoy” via Medieval Latin phrases such as “fungi vice”, meaning “to take the place of”) is one of my favourite adjectives. It means that all tokens are the same and can be substituted one for another. You owe me a quarter. It doesn’t matter _which_ quarter that you give me. Any will do. Any quarter can substitute for any other quarter because they are all the same. The same is true of the Pounds in my bank account, but it isn’t true of bitcoins. They are all different and their history can be tracked through the blockchain which is, as we are often reminded, and immutable public record of all transactions.

As my good friend Marc Hochstein observed about this some time ago, blockchain’s openness could turn out to be a bug for law-abiding citizens. Click To Tweet

The lack of fungibility has major implications for criminals, but also for the rest of us.  In England, the High Court (in the decision of AA v Persons Unknown & Ors, Re Bitcoin [2019]) has already ruled that crypto assets such as bitcoins are a form of property capable of being the subject of injunction. You can see what is going to happen: cryptographic exchanges will be required to identity who owns stolen coins and the owner will then be the subject of legal action to recover them. This owner might be entirely innocent about the origin of the coins and will say that they didn’t know that the bitcoins they bought are the proceeds of a ransonware attack and may ask to the keep them. But, J.P. Koning points out, that’s not how property law works. Even if you accidentally come into possession of stolen property then a judge can still force you to give it back to the rightful owner.

Launderette

You can own these cartoons!
NFTs available from the artist Helen Holmes from at
TheOfficeMuse (CC-BY-ND 4.0)

The UK has been experimenting with the “Unexplained Wealth Order” as a way to combat crime and corruption through the traditional money and finance system, but how would this translate to the world of cryptocurrency? Well, perhaps it doesn’t need to. In the world of Bitcoin, smart criminals may well try to use “mixers” or “tumblrs” that jumble together bitcoins to obfuscate their origin but I don’t think this will help in the long run. Apart from anything else, future consumers might want to know the provenance of their money, an idea explored by the artist Nitipak Samsen a decade ago in the Future of Money Design Awards. Check out the brilliant video he made here.

Have you ever wondered where the money in your pocket had come from? Who was the previous owner? Who was the owner before that? Might it be a famous celebrity?… Smart banknotes work by presenting a readable history of ownership on the note itself, an innovation designed to prevent money laundering

This might work in some interesting ways. People might pay a premium for coins that have an interesting past! Maybe coins that were used by a celebrity to buy drugs or were used to bribe a politician, coins that belonged to a murderer, that kind of thing, might be worth more than coins that belonged to boring people like me.

Clean Money

In the mundane world of dollar, dollar bills we have the concept of “money laundering” to describe what happens when dirty money is mixed with clean money (surely every one of us has touched banknotes that have been involved in some criminal activity!). But this doesn’t work for bitcoins. The “tainted” money stays tainted. Ross Anderson, Ilia Shumailov and Mansoor Ahmed from the Cambridge University Computer Laboratory wrote a terrific paper on this theme a couple of years ago. In “Making Bitcoin Legal” they pose some interesting questions about what to do with tainted cryptocurrency asking, for example, “If an identified customer says ‘Hi, what will you give me for UTXO x?’ and the exchange replies, ‘Sorry, 22% of that was stolen in a robbery last Tuesday, so we’ll only give you 78%’ does the customer then have to turn over the crime proceeds?”. Their idea of a public “taintchain” is an interesting way forward.  This would be a mechanism to make stolen coins visible, in which case they might display a futuristic Gresham’s Law dynamic as good coins drive out bad ones!

Whether by taintchain or some other mechanism, it’s actually pretty each to track dirty bitcoins. You can see where this might lead: if law enforcement agencies go to the biggest miners in the world and tell them that if they continue to confirm easily identifiable mixing transaction outputs, they will be accused of money laundering? This is not difficult to imagine, which suggests to me that Bitcoin’s lack of fungibility has far-reaching implications.

These implications have not gone unnoticed in the United States. Two of the largest Bitcoin mining companies there, Marathon Patent Inc. and DMG Blockchain Solutions Inc. (which together account for about a one-twelfth the power of the Bitcoin networks), recently joined forces to create the Digital Currency Miners of North America (DCMNA). This not-for-profit trade association has come up with pretty interesting idea: their miners will only process transactions that comply with American laws, thus extending the benevolent embrace of the U.S. Government into cryptocurrency. The idea (known as “clean mining“) is that instead of selecting transactions on the basis of which ones will bring the biggest fees, they will mine transactions based on the wallets that they come from.

Along the same lines, the “celebrity investor” (as described by CNBC) Kevin O’Leary announced that he will only buy bitcoins mined sustainably in countries that use clean energy. What’s more, he also said that he will not buy “blood coin” mined in China. Mr. O’Leary was quoted as saying that he sees “two kinds of coin”, which reinforces the point about fungibility and money and suggests to me, at least, that we could well see a strange and interesting twist in the world of cryptocurrency that has no analog in the analogue world of notes and coins: black and white money, or clean and dirty money, or light and dark money (an idea that goes back to the earliest days of cryptocurrency) in which some bitcoins will be worth more than others! Maybe a year or two from now, exchanges will be quoted two BTC-USD pairs: clean BTC at $100,000 and dirty BTC at $75,000. This doesn’t happen for GBP-USD or JPY-GBP, which confirms my feeling that whatever Bitcoin is, it isn’t currency.

[An edited version of this article first appeared on Forbes, 28th February 2021.]

Challenger banks or challenger monies?

When Jamie Dimon, the CEO of JP Morgan Chase, said that his bank should be “scared s***less” about fintech competitors, he identified the fintechs PayPal, Square, Stripe, Ant Financial and the techfins Amazon, Apple and Google as companies that the bank would need to compete with. Since he’s already forgotten more about banking than I will ever learn, I am certain that he is correct. What was interesting to me about this list was, though, that none of the organisations listed as keeping him awake at night began as banks or bank spin-offs.

As I wrote in my first ever column on Forbes, when people talked about “challengers” they should be talking about Microsoft not Monzo. The “challenger banks” are just banks and as my good friend Alessandro Hatami wrote at the time, neither the challengers nor the incumbent banks, despite spending heavily on their own technology, have transformed the financial services sector. But perhaps the real challengers will.

Where are the real challengers then? Mr. Dimon singled out payments as a specific hill for banks to die on. This is because the business models of the future depend on data, and payments are the overwhelming majority of interactions between a bank and its customers. When storming this redoubt (and the walls were breached this week with the news that ChasePay is being shut down) the techfins don’t care about the money, because the margins on payments are going down, but the data. I was quoted in The Economist talking about this impending reshaping of the retail financial services sector a couple of years ago, pointing out that financial products are heavily regulated, as they should be, which is why Big Tech is uninterested are in them. They are more than happy to have banks, for example, do this boring, expensive and risky work with all of the compliance headaches that come with it.

The techfins want the banks to do the manufacturing while they take over the distribution. Click To Tweet

This is an obvious strategy with major implications because if the techfins get between the consumers and their banks, then the banks will end up having to give away margin but, far more seriously, data. BofA Securities, amongst others, have pointed out that there is a “huge and valuable prize for private-sector players” from outside the banking sector if they can get in this business: the “treasure trove” of customer data that is not being fully exploited by the banks.

Plumbers

You might argue that the banks deserve nothing more than being turned into low margin plumbing to support more innovative and efficient techfin plays on top. Nydia Remolina at the Singapore Management University wrote an interesting paper on this last year (saying “financial institutions have access to enormous amounts of data, but due to multiple constraints this data is not yet sufficiently converted into useful insights”) putting forward a “data operating model” to link open banking, cloud computing, machine learning and AI to support digital transformation. I think this model is interesting because the ability for machines obtain insight and take action makes for a very different kind of fully-digital financial services sector based on the movement of data, not money.

Similarly, Dara Hizveren of Garanti BBVA, writing in the most recent Journal of Digital Banking, notes the opportunity for banks to try and build new business on such a model. The idea of “data banks” that manage personal information (and the consents associated with it) is hardly new, but as Dara highlights, the pressures of open banking and competition from Big Tech means that for commercial banks the natural extension of asset management businesses into personal data (the most valuable asset of all) is a priority.

I think we can already see how fintech firms, and particularly data-driven lenders, are demonstrating that this new business model, using payment data (in the form of transaction histories obtained through open banking) as a substitute for conventional credit scores, might be important not only to the sector but to economic recovery itself.

The UK actually looks pretty good in this regard. With a competitive fintech sector and open banking already in place, access to the transaction data has become energy for innovation. I know this at first hand because I was fortunate to be asked to be one of the judges for the Open Banking Innovation Awards for SMEs and I have to say I was pretty impressed by the businesses already taking advantage of this combination of new regulation and new technology. A couple of good examples are Fluidly, which plugs into accounting packages and bank accounts and uses machine learning to intelligently manage SME cashflow, and Swoop which integrates through open banking to simplify access to all kinds of SME finance. More recently Liberis, which provides cash advances to SMEs secure against their payment card transactions and repayments set as an agreed fraction of those transactions struck me as a good idea or all involved, and as I sat down to write these paragraphs I noted that another new player Fintern (with a team from Bank of America and HSBC, among others) opening for business using open banking-led affordability testing to make lending decisions.

Challengers

These are great businesses, but are they keeping Jamie tossing and turning in the small hours? I’m not sure. If they get big enough, he can buy them. We need to look further afield to find the non-banks that are his real nightmares and I think India might give us an indication of which way the wind is blowing. Ram Rastogi, who I always listen to on such matters, notes that Amazon in India is not only launching a digital banking platform to compete with the incumbent banks but is also applying for a licence to run a payments system as well. The Reserve Bank of India has invited companies to create new umbrella entities (NUEs) to build payments networks that offer an alternative to the bank-owned not-for-profit National Payments Council of India (NPCI) and Amazon are doing so in a consortium with Axis Bank and ICICI Bank. Amazon are not the only ones in this game, of course. Facebook and Google are linking with local players Infibeam and Reliance Industries to set up a competing network.

Bezos buck

You can own these cartoons!
NFTs available from the artist Helen Holmes from at
TheOfficeMuse (CC-BY-ND 4.0)

With the bank and the payment network, Amazon will be able offer their sellers a full service, ranging from current accounts and deposits to business loans and payments management, all through their own interface. The customers will never have to go near a conventional bank, a payments application or anything else. Not only are they launching their own banking system in India, they are apparently looking to launch their own money in Mexico. One of the behemoth’s job postings described the product as enabling customers to “convert their cash in to digital currency using which customers can enjoy online services including shopping for goods and/or services like Prime Video”.

It’s one thing to have your own bank. It’s another thing to have your own payment network. It’s another thing still to have your own money. I know nothing about running a bank, but if I was in charge of one then the thing to keep me awake at night is Jeff Bezos’ face on money!

(An edited version of this article first appeared in Forbes, 16th March 2021.)

Objects-as-a-Service (OaaS) and why things need identities

Ann Cairns, Executive Vice Chair at MasterCard, said back in 2018 that it could be the year when (thanks to the incredible speed with which new technologies are adopted) physical wallets could soon be a thing of the past as the world wakes up to wearables. Ann said, correctly, that wearable devices are getting a “new lease of life by becoming payment enabled” and noted forecasts predicting that two-thirds of wearables would have payment functionality by 2020. This didn’t quite happen, for reasons I will return to shortly, but as a baseline note her point that five years ago the global sales of smart wearables were already at $416 billion.

In 2019, Mastercard highlighted that wearables are about fashion as well as function. They pointed out that as the technology that powers wearables gets smarter, fashion brands rather than technologists (or payments geeks) are driving the evolution of the market. Even then, one in five adults in the USA were already wearing a smart watch or fitness strap and they expected the wearable tech market to reach something like $30 billion in 2020.

Wearables Market 2020

Global wearables markets 2020 (Source: IDG, 12/20).

In 2020, as these figures from IDG show, the wearables market (dominated by Apple) continued to grow and is expected to maintain a double-digit rate of growth through 2024. In the US, the wearable device most frequently used for payments is the smartwatch (more than mobile phones or contactless cards). Interestingly, recent research shows that college graduates are more frequent users of smart watches for payments than non-college graduates and that they use their wearables to pay more than 200 times a year, almost double the usage of mobile phones and 50% more than cards.

The market for wearables that can do interesting things (eg, payments) is going to grow more than that though, because the growth of cheap passive wearables (ie, wearables that don’t need batteries, just as contactless cards don’t need batteries) will grow faster because of the new, smaller and more cost-effective chips arriving from suppliers such as Infineon. I wasn’t surprised, therefore, to see an excellent presentation from Discover at the Women in Payments 2021 summit saying that…

Discover Wearables

So what has prevented this market from developing even faster? Well, the process of taking an “empty” microchip and loading secure credentials into it so that it can be used for payments, identity, provenance and other high value applications (the process of what card people call “personalisation”) is complex and costly. Imagine that you are running a pop festival and you want to provide rings or wristbands or badges or whatever than can be used to gain entry, to pay for drinks, to identify someone in an emergency. Taking 20,000 wristbands and loading credentials into them and then making sure each wristband gets to the right person is a logistical challenge hence the technology tends to be applied at the high end of the market. There are companies that make some beautiful wearables that can be used in this way. I love the stuff that Tovi Sorga has and I think this illustrates that Mastercard point about the role of fashion. Amex, to give another example, have just released a Prada leather bracelet with a contactless chip in it for their Centurion cardholders.

Getting the right bracelet with the right payment card into the hand of the right cardholder is complicated though. The logistics are a challenge because the devices must be “personalised” when they are ordered and then correct distributed. As a way of reducing the logistics costs, though, suppose there was a decentralised way to do the personalisation needed to turn nice wearables into secure, smart objects? Imagine that the pop festival organiser sends you a wristband and then you use your own mobile phone to load one of your payment cards into the wristband? Or you use the (eg) Discover app on your phone to create a prepaid card valid for a week and load $100 onto so that you can leave your phone in your pocket while you enjoy the show? Well, this is what Digiseq, a UK start up has done. And this is only one of the reasons why I was flattered to be asked to become their Non-Executive Chair as they go into their next fund-raising round. Amongst their achievements already is the launch of KBC wearables in Belgium, including the Rosan Diamond key fobs that proved popular last year, creating a Lucozade bottle that you could use to pay for travel in London and putting chips into the Golden Globe awards so that their authenticity and provenance could be validated.

Provenance is Forever

Provenance is important. I wrote about it more than a decade ago using the example of luxury goods such as watches and asking how you would tell a fake Rolex from a real one. It’s a much more complicated problem than it seems at first. Suppose an RFID chip is used to implement an ID in luxury goods, authentic parts, original art and so on. If I see a Gucci handbag on sale in a shop, I will be able to wave my phone over it and obtain the ID.  My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the tag is ‘valid’, but that doesn’t tell me much about the bag. For all I know, a bunch of tags might have been taken off real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to obtain its provenance as well as its product details. The provenance might be distributed quite widely. The retailer’s database would know from which distributor the bag came; the distributor’s database would know from which factory the bag came and Gucci’s database should know all of this. I would need access to these data to get the data I would need to decide whether the bag is real or fake.

The key to the business model is not the product itself but the provenance, so delivering a service means linking the personalisation and the provenance under the control of the brands. This is where Digiseq is going. In January, one of the world’s leading chip manufacturers Infineon Technologies AG announced that they will be working Digiseq on their  SECORA™ Blockchain NFC technology to deliver secured identity data. This is an advanced solution that connects the digital data recorded on blockchain to physical items, allowing for just this comprehensive verification of the identity of items, thereby eliminating the challenge of product substitution and heightening supply chain transparency.

cheap chips can turn almost anything into a smart object and with the right provenance service in place turn those smart objects into objects-as-a-service (OaaS). Click To Tweet

The ability for brands to choose whether to give customers high end wearables for select markets or to push into the mass market with wearables that customers can personalise themselves, using the mobile phones to add/remove payment cards, access codes or identities at any time, is a game changer. But it is only the beginning. The secure microchips that are inside the Prada bracelet or the Golden Globes can be inside everything from smart watches to luxury handbags, from aircraft parts to bottles of whiskey. These inexpensive RFID chips turn almost anything into a smart object, and with the appropriate back-end provenance system in place, they can turn those smart objects into objects-as-a-service (OaaS).

Objects-as-a-Service are going to be… well, huge. If you want to learn a little more about this incredible new market and the opportunities that it presents, come and join me at the Digiseq webinar on 22nd April 2021 at 9am UK time. Sign up here.

Monet laundering and a new kind of market

You’ve probably read something about the latest crypto-craze. My good friend Lawrence Wintermeyer wrote a great piece about it here, describing how an anonymous guild of “art digitalists” bought an original Bansky and then set fire to it after digitizing the piece into a non-fungible token (NFT) they sold for $400,000.

NFTs really hit the headlines when the artist Mike Winkelmann (“Beeple”) sold an NFT of a JPEG he had created for $69m at Christies. It’s a lot to pay for nothing since, as my good friend David Gerard eloquently notes, Christie’s 33 page conditions of sale make it clear that the buyer did not obtain copyright or indeed any other rights to the file. The $69m is for nothing more than an albeit uncloneable receipt for the artwork. Not that the buyer minded, because he runs a crypto fund that invests in NFTs and issues tokens that are shares in the portfolio. Beeple owned 2% of these tokens, which went up in value from $0.36 per token to $23 after the Christie’s sale. Nice.

Now, you may think (as I did) that this is more interesting as a piece of performance art about the manipulation of cryptomarkets than a window into a new world that decentralises auction houses out of existence, but it is undeniably interesting. That’s because, trivially-copyable artworks to one side, NFTs could deliver radically more efficient markets.

Slugsy

Slugsy (CC-BY-ND 4.0)
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

To see why, let’s first remind ourselves of what tokens are. Tokens are a cryptographically-secured digital asset (that is, they cannot be counterfeited or duplicated). As I explained in my book Before Babylon, Beyond Bitcoin a few years ago, although tokens are not specific to Ethereum they took off with the development of the ERC-20 standard back in 2015. ERC-20 defined a way to create a standard form of token using consensus applications on the Ethereum blockchain. Such tokens are a simply structured data exchanged between these applications, a practical implementation of digital bearer claims on assets with no clearing or settlement involved in their exchange (and hence a more efficient marketplace for their trading), thus creating a means to make the transfer of fungible value secure without a central authority.

I have written before that fungibility is a critical defining characteristic of money and one of the reasons why Bitcoin isn’t. Click To Tweet

All of the dollars in the world are the same, and any dollar can substitute for any other dollar. But all of the Bitcoins in the world are not the same. Similarly, my excellent stalls ticket to see the mighty Hawkwind play at the London Palladium is unique. So… how do you know that that ticket belongs to me? Right now there are event promoters, and ticketing agencies and credit card acquirers and databases and barcodes to try to figure that out. However, if I am a bad boy and sell a ticket that is nothing more than an e-mailed barcode to two other people and they both show up to watch a band, neither the venue nor the band nor other fans nor anyone else can tell which barcode is authentic and which is a copy.  But what if the ticket isn’t a barcode, but a non-fungible digital asset stored in my digital wallet? An NFT?

Now, non-fungible digital assets are fun and markets for them existed before Bitcoin, the blockchain and Enterprise Shared Ledgers (ESLs). Consider the obvious example of people playing massively-multiplayer games (MMGs) such as World of Warcraft and the like. People buy sell digital assets all the time (one of the first blog posts that I ever wrote was about the mining of digital gold in these games, and that was back in 2006!). If I want a magic sword or a laser cannon or a nicer hat for my avatar, I can buy it with real money. If you could copy magic swords to infinity, then they would have no value. So the number of magic swords is limited, and thus a market arises. So who says who the magic sword belongs to? If I pay you some real dollars for a non-existent virtual sword, who transfers title? Well, in the case of the games, it is obvious: it’s Blizzard or CCP Games or whoever else is in the middle, running the game.

New technology means that I can sell you the magic sword without having anyone in the middle. On Ethereum, for example, there are now a number of different ERC token standards, most notably ERC-721 that defines non-fungible digital assets. ERC-721 hit the headlines (well, for people like me anyway) back in 2017 when CryptoKitties took off. This is game on Ethereum that allows players to purchase, collect, breed and sell virtual cats and it became so popular that caused such congestion on the Ethereum network that is slowed in down significantly. The point is though that we can now exchange unique digital assets in a fully decentralised manner.

I remain unconvinced that buying digital receipts for trivially-cloneable artworks is a sound long-term investment strategy, although I am given to understand that much of the art market is more about money-laundering than Monet (Monet laundering! Why didn’t I think of this headline before!). However, that is not to say that there is no future for NFTs. On the contrary, some of these art market experiments are breaking ground for a new way of working that I think will indeed transform some markets.

Real Connections

These digital assets will very often be a means to control of things in the real world without having anyone in the middle either. Some years ago I asked if shared ledgers and such like might be a way to tackle the issue of “ID for the Internet of Things” (#IDIoT). I said at the time that I had a suspicion that there might be something there. My reason for thinking that was that there is a relationship between digital assets and things, because blockchains and tokens deliver a virtual representations of things in the mundane that, as with their physical counterparts, cannot be duplicated. If we can link the digital asset of a Rolex watch to a physical Rolex watch, we can do some very interesting things.

(As it happens, I am the non-executive Chairman of Digiseq, a UK startup that does this using tamper-resistant microchips).

What all of this means is that we can use the new technologies of cryptoasset trading (the world of decentralised finance, or “defi”) to develop efficient markets in scarce resources, markets that will hinge on the ability to maintain and prove the provenance of real-world objects, whether these are magic swords or designer handbags.

The opportunities for new and disruptive businesses here are real and substantial. Here’s an example, continuing the music theme. A band is going to play a concert. There are 10,000 seats in the venue and 100,000 members of their fan club. So the band randomly distribute the tickets to the members of the fan club who pay $50 each for them (this is all managed through smart contracts). And that’s it. Now, the members of the fan club can decide whether to go to the concert, whether to buy some more tickets for friends, whether to give their ticket to charity or whatever. They can put their tickets onto eBay and the market will clear itself. The tickets cannot be counterfeited or copied for the same reason that a Bitcoin cannot be counterfeited or copies: each of these cryptographic assets belongs to only one cryptographic key (“wallet”) at one time, and whoever has control of that key has control of the ticket.

Not your keys, not your Kings of Leon, as the kids might say.

(An edited version of this piece was first posted on Forbes, 7th March 2021.)

Bitcoins stay dirty, no matter how much you launder them

Some people mine Bitcoin for profits but some some people mine it for politics. The operator of a Bitcoin mining pool (a group of miners who work together to share the profits) quoted in CoinDesk recently says that some are investing not to convert electricity into cash but for other reasons “such as to avoid capital controls or avoid sanctions”. Indeed. And this has some serious implications. The Foundation for Defense of Democracies (FDD), a Washington think tank, summarised the emerging situation rather well in their position paper “Crypto Rogues“. They noted that “blockchain technology may be the innovation that enables U.S. adversaries for the first time to operate entire economies outside the U.S.-led financial system”. Now, while this may be technically slightly inaccurate (there are ways to create anonymous transactions without a blockchain and, indeed, the Swiss central bank has just published a working paper describing how to do so) it again flags up that the widespread availability of decentralised financial services threatens to bypass the existing infrastructure.

Iran provides an obvious example. They have every incentive to want to try new approaches to skirt the long arm of American law. The country already published a new set of regulations designed to funnel Bitcoin mined by Iranians to the state so that the country can use them to pay for imports. When the Iranian regime, for example, set up a venture to explore Bitcoin payments with a Swedish startup, the Swedish banks refused it a bank account because they themselves did not want to become subject to secondary sanctions. As America’s Treasury Secretary Mnuchin said at the time (talking about Iran), “If you want to participate in the dollar system you abide by US sanctions”.

On the other side of the world, North Korea has been developing a digital currency of its own. According to Alejandro Cao de Benós, President of the Korean Friendship Association, the Democratic People’s Republic of Korea intends to go down the Facebook route by creating an asset-backed digital currency rather than a digital fiat currency and then use some sort of blockchain with “Ethereum-style smart contracts” to do business and avoid sanctions. The regime sees this as a way to enforce deals it makes with foreign counterparties by developing a “token based on something with physical value” (eg, gold) in order to create a stable mechanism for payments in international trade between the regime and “other companies/individuals” (although it will not be available to individuals in the DPRK, who will be stuck with the Korean Won).

Across the Pacific in Venezuela, a country often mentioned by Bitcoin enthusiasts as a living case study of the benefits of decentralised cryptocurrency in the fight against tyranny, we find more mining going on: a video posted on Instagram by the 61st Battalion of the 6th Corps of Engineers of the Venezuelan Army shows military buildings converted into giant cryptocurrency mining centres and a warehouse that appears to be full of specialist Bitcoin mining equipment is labelled the “Center for the Production of Digital Assets”.

(I noted with interest that they do not appear to be mining “The Petro”, the digital currency of the revolution which according to the Bolivarian Council of Mayors’ recent “National Tax Harmonization Agreement” may soon be required for the payment of taxes.)

What… Whatible?

It seems to me that Bitcoin is a pretty poor choice for sanction-busting shenanigans though. Not only is the record of transactions public, but the Bitcoin value is not fungible. This matters. Remember that 2014 IRS Ruling about Bitcoins being a commodity, so that traders would have to track the buying and selling price of each individual Bitcoin in order to assess their tax liability? No? Here’s a reminder : “the real lesson from the IRS Bitcoin ruling is that for a currency-or any payment system-to work, its units must be completely fungible”.

Fungible (from the Latin “to enjoy” via Medieval Latin phrases such as “fungi vice”, meaning “to take the place of”) is one of my favourite adjectives. It means that all tokens are the same and can be substituted one for another. You owe me a quarter. It doesn’t matter _which_ quarter that you give me. Any will do. Any quarter can substitute for any other quarter because they are all the same. The same is true of the Pounds in my bank account, but it isn’t true of bitcoins. They are all different and their history can be tracked through the blockchain which is, as we are often reminded, and immutable public record of all transactions. 

The lack of fungibility has major implications for criminals, but also for the rest of us. As my good friend Marc Hochstein observed about this some time ago, blockchain’s openness could turn out to be a bug for law-abiding citizens. In England, the High Court (in the decision of AA v Persons Unknown & Ors, Re Bitcoin [2019]) has already ruled that crypto assets such as bitcoins are a form of property capable of being the subject of injunction. You can see what is going to happen: cryptographic exchanges will be required to identity who owns stolen coins and the owner will then be the subject of legal action to recover them. This owner might be entirely innocent about the origin of the coins and will say that they didn’t know that the bitcoins they bought are the proceeds of a ransonware attack and may ask to the keep them. But, J.P. Koning points out, that’s not how property law works. Even if you accidentally come into possession of stolen property then a judge can still force you to give it back to the rightful owner.

Launderette

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

The UK has been experimenting with the “Unexplained Wealth Order” as a way to combat crime and corruption through the traditional money and finance system, but how would this translate to the world of cryptocurrency? Well, perhaps it doesn’t need to. In the world of Bitcoin, smart criminals may well try to use “mixers” or “tumblrs” that jumble together bitcoins to obfuscate their origin but I don’t think this will help in the long run. Apart from anything else, future consumers might want to know the provenance of their money, an idea explored by the artist Nitipak Samsen a decade ago in the Future of Money Design Awards. Check out the brilliant video he made here.

Have you ever wondered where the money in your pocket had come from? Who was the previous owner? Who was the owner before that? Might it be a famous celebrity?… Smart banknotes work by presenting a readable history of ownership on the note itself, an innovation designed to prevent money laundering

This might work in some interesting ways. People might pay a premium for coins that have an interesting past! Maybe coins that were used by a celebrity to buy drugs or were used to bribe a politician, coins that belonged to a murderer, that kind of thing, might be worth more than coins that belonged to boring people like me.

Clean Money

In the mundane world of dollar, dollar bills we have the concept of “money laundering” to describe what happens when dirty money is mixed with clean money (surely every one of us has touched banknotes that have been involved in some criminal activity!). But this doesn’t work for bitcoins. The “tainted” money stays tainted. Ross Anderson, Ilia Shumailov and Mansoor Ahmed from the Cambridge University Computer Laboratory wrote a terrific paper on this theme a couple of years ago. In “Making Bitcoin Legal” they pose some interesting questions about what to do with tainted cryptocurrency asking, for example, “If an identified customer says ‘Hi, what will you give me for UTXO x?’ and the exchange replies, ‘Sorry, 22% of that was stolen in a robbery last Tuesday, so we’ll only give you 78%’ does the customer then have to turn over the crime proceeds?”. Their idea of a public “taintchain” is an interesting way forward.  This would be a mechanism to make stolen coins visible, in which case they might display a futuristic Gresham’s Law dynamic as good coins drive out bad ones!

Whether by taintchain or some other mechanism, it’s actually pretty each to track dirty bitcoins. You can see where this might lead: if law enforcement agencies go to the biggest miners in the world and tell them that if they continue to confirm easily identifiable mixing transaction outputs, they will be accused of money laundering? This is not difficult to imagine, which suggests to me that Bitcoin’s lack of fungibility has far-reaching implications.

These implications have not gone unnoticed in the United States. Two of the largest Bitcoin mining companies there, Marathon Patent Inc. and DMG Blockchain Solutions Inc. (which together account for about a one-twelfth the power of the Bitcoin networks), recently joined forces to create the Digital Currency Miners of North America (DCMNA). This not-for-profit trade association has come up with pretty interesting idea: their miners will only process transactions that comply with American laws, thus extending the benevolent embrace of the U.S. Government into cryptocurrency. The idea (known as “clean mining“) is that instead of selecting transactions on the basis of which ones will bring the biggest fees, they will mine transactions based on the wallets that they come from.

We could well see a strange and interesting twist in the world of cryptocurrency that has no analog in the analogue world of notes and coins: black and white money, or clean and dirty money, or light and dark money (an idea that goes back to the earliest days of cryptocurrency) in which some bitcoins will be worth more than others! Maybe a year or two from now, exchanges will be quoted two BTC-USD pairs: clean BTC at $100,000 and dirty BTC at $75,000. This doesn’t happen for GBP-USD or JPY-GBP, which confirms my feeling that whatever Bitcoin is, it isn’t currency.

[An edited version of this article first appeared on Forbes, 28th February 2021.]

Right now we need embedded health as much as embedded finance

Embedded finance is great and I love having apps on my phone that take care of the interface to the tedious world of banks and money so that I don’t have to deal with them. But embedded finance doesn’t get me out of the house. And it can’t get me in to watch Manchester City again. It can’t get me on a plane to Singapore. Perhaps to get the post-COVID economy moving again, embedded health APIs will be more important than embedded finance APIs!

What’s the point of having all sorts of clever instant credit, credit transfer and buy on credit mechanisms that I can use to buy a new shirt if I am not allowed to go to meetings? Why bother with fancy QR code contact-free dining experiences if I am not allowed into a restaurant? How do I benefit from sophisticated electronic tickets dropped directly into my phone when there is nowhere to go on the train? What is needed to ease the economy back on track in the recurring pandemic, new normal world is the ability to show a vaccination record as well as a plane ticket and a negative test result along with a restaurant booking.

In fact, so pressing is this need that I might go so far as to predict that the virus shock may well mean a quantum leap in strategy in the world of digital identity: what if it is not finance or government, as most of us had assumed, but travel and hospitality that drives digital identity into the mass market?

Barman

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

It is actually pretty easy to imagine the customer journey with embedded health. I go online to buy ticket to see Hawkwind in concert at the London Palladium in May but in order to check out I must first present a certificate to show that I have been vaccinated against COVID-19 (I’m afraid that the Hawkwind fan demographic renders this necessary) and a certificate to show that I have been vaccinated against Yellow Fever or whatever else the London Palladium demands from would-be patrons. I present the digital certificates and go about my day.

That is quite easy to draw as some boxes and arrows mapping out a customer experience journey on a whiteboard, but what has to happen to make it a reality? That’s where things become a little more complex.

Vaccine Passports

There are some well understood issues around identification and authentication but to my mind these are largely solved. There are plenty of companies that can do digital onboarding pretty efficiently (indeed, I am an advisor to the board of one of them, Au10tix) and there are plenty of companies that can do authentication: If I could have used “sign in with Apple at the London Palladium”, I undoubtedly would have. What’s missing, and where there has to be some progress to bring that smooth customer experience into being, is the standardisation of the creation, presentation and verification of the health-related data.

(Just to divert for a moment to be specific about language: I use claim to mean the process of presenting a credential to be verified and I use credential to mean some attribute that has been attested to by somebody that the verifier can trust. By trust, of course, I mean “can sue for large amounts of money if the data turns out to be incorrect”.)

If a theatre, or more likely a theatre’s merchant services processor (MSP), wants me to show that I have been vaccinated then both the claim process and the claim data have to be in some sort of standard format. Otherwise we will end up in bubbles and make no real progress. It is clear that something has to be done. Ursula von der Leyen, the president of European Commission, recently said that a “Digital Green Pass” would provide proof of inoculation, test results of those not inoculate and antibody status of those who had had the disease. This is inevitable, frankly, in one form or another. But how exactly would it work?

There are some great companies out there who are already working hard to make the transport and display of results as easy as possible.Yoti, for example, have been involved in a number of trials using FRANKD. This is a rapid Point of Care Covid-19 RT-LAMP. People scan a unique QR code on their FRANKD test bag to add their identity to the test. After a testing swab is taken, results are processed and delivered straight to the individuals’ Yoti app within 30 minutes. To scale up, though, we need standards that identity providers can use to interoperate with service providers of all kinds. This is why the foundation of the Vaccination Credential Initiative (VCI) is so important.

VCI is a coalition of public and private partners including Microsoft, Salesforce, Oracle, The Commons Project Foundation, Mayo Clinic and many others working to enable digital access to vaccination records using the open, interoperable SMART Health Cards specification, based on the W3C Verifiable Credential (VC) and HL7 FHIR standards. FHIR stands for Fast Healthcare Interoperability Resources, a standards framework created by Health Level Seven International (HL7) , a not-for-profit, ANSI-accredited organisation developing standards for the exchange, integration, sharing and retrieval of electronic health information. The idea, essentially, is to group a set of FHIR content resources (eg, immunisation or observation) for presentation in the form of a verifiable credential.

The New York Times showed a mock-up (from The Commons Project) of what a digital vaccine credential might look like in practice, using a pretty straightforward QR code interface that passengers are already familiar with for check in.

Travel

Waiting for a globally-interoperable set of standards won’t help to boost the economy today, so it seems to me that it makes sense to link sector-specific identities together with sector-specific credentials that can be later bridged at the back-end. The obvious place to start implementing something like the EU’s Digital Green Pass is in the travel sector and the obvious people to co-ordinate this are the International Air Transport Association (IATA) and, indeed, the COVID-driven need for a such credentials has led IATA and British Airways’ parent company, International Airlines Group (IAG), to starting work together in this direction.

I hope they chose to use open standards for their Travel Pass Initiative (TPI). TPI brings together four interoperable “modules” that combine to deliver a practical solution to get people moving again. These modules are:

  • A up-to-date list of requirements for travel (ie, what vaccines or tests are necessary for travel on specific routes) so that travellers know what they need to do to travel;
  • A registry of health centres that can carry out vaccinations and tests that travellers need;
  • A contactless travel app for travellers so that they can find out what the travel requirements are, where they can get the tests and vaccines and store the results;
  • An application for labs to report results.

Singapore Airlines has been the first carrier to adopt the new standard and begin verification based on the IATA TPI framework. Passengers who receive a negative test or vaccine will be given either a digital or paper QR code to take to the airport. Emirates will implement the first phase in Dubai in April and will use the app for the validation of COVID-19 PCR tests before departure. Using the app, which will automagically post details to the check in system, passengers travelling from Dubai will be able to share their test status directly with the airline before reaching the airport. 

So if this works for getting on planes… why not use the same registries and APIs to power applications for restaurants and pubs to get the economy moving again? I’d be more than happy to be required to show my test status to get into the Etihad to watch the mighty Manchester City via a Travel Pass app, or my British Airways app, or my Man City app or whatever other convenient application was accessing standardised VCI vaccination and test records through the IATA API. And if IATA and VCI together create a global standardised platform then the opportunity for fintechs to exploit the combination of embedded health and embedded finance together in apps will be enormous.

(An edited version of this piece appeared on Forbes, 25th January 2021.)

Tulips, steam and decentralised finance

When we are thinking about where the worlds of Bitcoin and cryptocurrencies, “smart” “contracts” and decentralised finance (defi) will go, it can be helpful to find historical analogies that can provide a shared narrative to facilitate communications between stakeholders and provide foundations for strategic planning. But it’s important to find the right analogies and, even more importantly, to derive the right lessons from them.

For example: people discussing Bitcoin will often refer to the famous “tulip bubble” in 17th century Holland. But if you study this episode, what you discover is not a mass market mania but speculation by a small group of rich people who could well afford to lose money. And you will also see the creation of a regulated futures market that played a role in the financial revolution that contributed to a Dutch golden age which meant that balances at the Bank of Amsterdam became a pan-European currency and, as noted in an interesting paper from the Atlanta Fed last year, the florin (the unit of account for those balances) played a role “not unlike that of the U.S. dollar today”.

FOMO

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

As I am very interested in learning from a) history and b) smart people, I set up a room to discuss the topic on Clubhouse. (I have to say this transformed my view of Clubhouse, because I was blown away by the quality of the discussion that ensued and how much I learned in such a short time. Truly, arguing with smart people is by far and away the fastest way to acquire actual knowledge!)

Cryptocurrencies are more like railway shares in Victorian Britain than tulips in the Dutch Golden Age. Click To Tweet

Aside from tulips, another well-known “bubble”, Britain’s 19th century railway mania, was the subject of some discussion in the room. This particular example is worth studying because I agree with Nouriel Roubini and Preston Byrne’s observation that that the cryptocurrency mania of today “is not unlike the railway mania at the dawn of the industrial revolution in the mid-19th century”. If you want to read more about this, I wrote a detailed article about it a couple of years ago and, in fact, noted the incredible scale of the mania in Financial World magazine a decade back: The first railway service in the world started running between Liverpool and Manchester in 1830 and less than twenty years later the London & North Western railway had become the Apple of its day, the biggest company in the world. This boom in turn led to a colossal crash in 1866, which then led to a revolution in accounting and auditing.

My good friend Maya Zahavi drew the parallel between railway mania driving the introduction of accounting standards that led to new global capital markets in Victorian times (which in turn led to new kinds of regulation and institutions) and that world of defi: The world of financial services, including lending, exchanges, investment and more that are built on shared ledgers and smart contracts. I think she is right. I have long held the view that while cryptocurrencies themselves may or may not have a future as money, the evolution of digital assets that are secured by the underlying networks (“tokens”) points towards new services, markets and institutions that may well lead to a better financial sector.

This view, that digital assets (“tokens”) are where the next generation of financial services will be forged, was reinforced in a new paper published in the Federal Reserve Bank of St. Louis Review. In it, Fabian Shar explores the evolution of markets based on tokens that sit on blockchains of one form or another. He looks at three models for “promise-based” tokens: off-chain collateral, on-chain collateral, and no collateral.

  • Off-chain collateral means that the underlying assets are stored with an escrow service, for example, a commercial bank. There are already several examples of off-chain collateralised stablecoins. The most popular ones are USDT and USDC which both USD-backed* ERC-20 tokens on the Ethereum blockchain.
  • On-chain collateral means that the assets are locked on the blockchain (in a smart contract).
  • Algorithmic tokens that are not backed by collateral at all, but whose value is maintained by algorithmic market interaction. This was, incidentally,  the original meaning of the word “stablecoins” that has now been hijacked by imprecision)

The trading of these tokens, if it were to take place in the existing market infrastructures, would be interesting enough. But to Maya’s point, this is not where we are going. We are heading into the defi era where there is an impending explosion of business models, institutional arrangements and transaction complexity which, when it settles, will leave us in a new financial world. I strongly agree with the view of Jay Clayton (when chairman of the U.S. Securities and Exchange Commission) that “everything will be tokenised” and the obvious corollary to this that everything will be decentralised. It is not the underlying cryptocurrencies that will be the money of the future but the that they support. As the St. Louis Fed’s paper concludes, and as I wrote in Forbes back in January, defi may potentially contribute to a more robust and transparent financial infrastructure.

In the long run (and the lessons from history are clear), I think this will be much more important and lead to much greater structural change (and therefore opportunities) than cryptocurrencies. We can already see the world of tokens entering the mainstream: Dapper Labs (the company behind the famous token game CryptoKitties) is as I write raising $250 million at a $2 billion valuation and Celo, a defi alternative to Facebook’s Diem, has just raised $20 million from (amongst others) noted Silicon Valley investors Andreessen Horowitz.

There are good reasons to welcome these pointers to the emerging paradigm. While defi is now mainly used for speculation between tokens of many varieties, in the longer term it offers the promise of much reduced costs in financial intermediation by both removing middlemen and automating them, it opens up the possibilities for new financial instruments better suited to the new economy (instruments built for bots to trade, not for people to understand). It also, and most importantly (for reasons discussed before), offers a more transparent market with accountability as part of the infrastructure. Don’t be put off by the Wild West of defi as it stands now, begin your scenario planning for defi as it will (inevitably) become.

*Does not constitute financial advice.

[An edited version of this article was first posted at Forbes, 15th February 2021.]