[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]






 
                 VIRTUAL CURRENCY: FINANCIAL INNOVATION


                   AND NATIONAL SECURITY IMPLICATIONS

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON TERRORISM

                          AND ILLICIT FINANCE

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 8, 2017

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-22
                           
                           
                           
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                      



                    U.S. GOVERNMENT PUBLISHING OFFICE
                   
 28-177 PDF                 WASHINGTON : 2018       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001     



                           

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

                  Kirsten Sutton Mork, Staff Director
             Subcommittee on Terrorism and Illicit Finance

                   STEVAN PEARCE, New Mexico Chairman

ROBERT PITTENGER, North Carolina,    ED PERLMUTTER, Colorado, Ranking 
    Vice Chairman                        Member
KEITH J. ROTHFUS, Pennsylvania       CAROLYN B. MALONEY, New York
LUKE MESSER, Indiana                 JAMES A. HIMES, Connecticut
SCOTT TIPTON, Colorado               BILL FOSTER, Illinois
ROGER WILLIAMS, Texas                DANIEL T. KILDEE, Michigan
BRUCE POLIQUIN, Maine                JOHN K. DELANEY, Maryland
MIA LOVE, Utah                       KYRSTEN SINEMA, Arizona
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              RUBEN KIHUEN, Nevada
WARREN DAVIDSON, Ohio                STEPHEN F. LYNCH, Massachusetts
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee

                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    June 8, 2017.................................................     1
Appendix:
    June 8, 2017.................................................    37

                               WITNESSES
                         Thursday, June 8, 2017

Brito, Jerry, Executive Director, Coin Center....................     5
Dueweke, Scott, President, the Identity and Payments Association.     7
Haun, Kathryn, Lecturer, Stanford Law School, and former 
  Assistant U.S. Attorney, U.S. Department of Justice............     8
Levin, Jonathan, Co-Founder, Chainalysis.........................    11
Wilson, Luke, Vice President, Business Development-
  Investigations, Elliptic.......................................    13

                                APPENDIX

Prepared statements:
    Brito, Jerry.................................................    38
    Dueweke, Scott...............................................    42
    Haun, Kathryn................................................    50
    Levin, Jonathan..............................................    63
    Wilson, Luke.................................................    70

              Additional Material Submitted for the Record

Lynch, Hon. Stephen:
    CNAS report entitled, ``Terrorist Use of Virtual 
      Currencies,'' dated May 2017...............................    71


                      VIRTUAL CURRENCY: FINANCIAL



                        INNOVATION AND NATIONAL



                         SECURITY IMPLICATIONS

                              ----------                              


                         Thursday, June 8, 2017

             U.S. House of Representatives,
                          Subcommittee on Terrorism
                               and Illicit Finance,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:03 a.m., in 
room 2128, Rayburn House Office Building, Hon. Stevan Pearce 
[chairman of the subcommittee] presiding.
    Members present: Representatives Pearce, Pittenger, 
Rothfus, Messer, Tipton, Williams, Poliquin, Hill, Zeldin, 
Davidson, Budd, Kustoff; Perlmutter, Himes, Foster, Kildee, 
Sinema, Vargas, Gottheimer, Kihuen, and Lynch.
    Ex officio present: Representative Hensarling.
    Chairman Pearce. The Subcommittee on Terrorism and Illicit 
Finance will come to order.
    Without objection, the Chair is authorized to declare a 
recess of the subcommittee at any time.
    Also, without objection, members of the full Financial 
Services Committee who are not members of the Subcommittee on 
Terrorism and Illicit Finance may participate in today's 
hearing.
    Today's hearing is entitled, ``Virtual Currency: Financial 
Innovation and National Security Implications.''
    I now recognize myself for 2 minutes to give an opening 
statement.
    Innovation revolutionizes and simplifies our lives on a 
daily basis. In the past 30 years alone we have seen the 
emergence of the Internet as an open-source accessible 
information tool, the popularization of cell phones, the 
development and wide use of smartphones, faster and faster 
Internet and wireless access, and the list goes on and on.
    For many of us in this room, the millennials excluded--and, 
frankly, based on the number of them in the lines at the Apple 
Store, I think they are even surprised at the existence and the 
evolution of this thing which never would have seemed possible 
in our wildest dreams.
    The implications, of course, of this greater development 
and exploration into the digital age is the inability of 
government and regulatory bodies to keep up with the pace of 
development. Technology in the financial space is no exception, 
and that is what brings us here today.
    From small business lending to virtual wallets, the 
creation of virtual currencies, the fintech space, as it is 
known, is rapidly evolving.
    The benefits are clear. Families in underserved areas are 
finding more choice and options than ever before. People can 
pay for the goods in the store without the need for cards or 
cash. The possibilities of benefits are truly endless.
    The subcommittee kicked off the work in this space last 
week with a briefing on blockchain, one of the major 
innovations driving this development. Today we will continue 
the conversation by examining how virtual currencies 
specifically pose a risk to our national security.
    This will include questions such as: Does the creation of a 
currency that is completely decentralized from a governmental 
structure, administered through the use of peer-to-peer 
sharing, present a new threat to the safety and soundness of 
our banks and to our national security? What, if any, 
regulatory structure exists around these emergency forms of 
currency and technology? Does the notion of online peer-to-peer 
sharing provide an increased veil of secrecy that could be 
exploited by terrorists and illicit actors?
    I thank our witnesses for being here today and I look 
forward to the conversation to come.
    The Chair now recognizes the ranking member of the 
subcommittee, the gentleman from Colorado, Mr. Perlmutter, for 
2 minutes for an opening statement.
    Mr. Perlmutter. Thanks, Mr. Chairman.
    And thanks, to our witnesses, for being here today.
    Obviously, there is considerable interest in virtual 
currencies and cryptotechnologies, not only among speculators 
and traders but because of the promising benefits the 
underlying blockchain ledger technology has to offer. However, 
our subcommittee should remain focused on the national security 
implications, especially since cyber criminals and nation 
states are exploiting cryptocurrencies for illicit purposes.
    Mr. Dueweke notes in his testimony: ``Cyber criminals in 
Eastern Europe, North Korea, China, and Russia certainly are 
taking advantage of evolving technologies to underwrite 
terrorism and exchange ill-gotten gains. In fact, Russia has 
created its own cryptocurrency to support its hackers program 
so that they can cause mayhem around the globe.''
    The reality is criminals today use cash, money service 
businesses, and other means for illicit purposes, but we 
provided law enforcement the regulatory tools to catch the bad 
guys. The question is, does law enforcement have the tools to 
catch the criminals using these new technologies and 
currencies?
    If the United States is to succeed in staying one step 
ahead of the bad guys then we must work with our national 
partners and international partners to adopt global 
methodologies and systems to ensure these new innovations are 
being used for legitimate purposes. The United States and 
Europe remain and maintain a fairly sophisticated Bank Secrecy 
Act and the money-laundering regulatory regime, but the 
question is, will China and Russia follow our lead?
    The rise of new cryptocurrencies threatens to disrupt the 
way banking is philosophically conducted, potentially 
undermining the United States' dominance over money flows.
    With that, I thank you, Mr. Chairman, and I yield back.
    Chairman Pearce. The gentleman yields back.
    The Chair now recognizes Mr. Pittenger for 1 minute.
    Mr. Pittenger. Thank you, Mr. Chairman, and Ranking Member 
Perlmutter, for hosting us today for this cybersecurity 
hearing.
    Cybersecurity is an important and evolving method of 
finance, and it is imperative that this committee fully 
understand how criminal and terrorist networks may use 
blockchain applications to fund illicit behavior. The United 
States must lead by example, with our regulatory and 
investigative structure, to ensure that terrorists cannot use 
cybercurrencies to fund their violent and malicious behavior.
    Far too often, foreign governments have enough trouble 
enacting and enforcing their own CTF-AML laws related to 
traditional financial institutions, so we cannot assume that 
these same governments will have adequate capabilities to track 
and intercept financial anomalies located within blockchain 
applications. This committee must know what it takes, regarding 
both resources and legal authorities, for the U.S. Government 
to confidently enforce our terror financial and money-
laundering laws with cybersecurity applications.
    Thank you again, Mr. Chairman, and Mr. Ranking Member.
    I yield back.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizes the gentlelady from Arizona, Ms. 
Sinema.
    Ms. Sinema. Thank you, Chairman Pearce, and Ranking Member 
Perlmutter.
    I appreciate the witnesses' testimonies and agree that we 
need a government-wide approach to evaluate and address the 
illegitimate uses and potential risks of virtual currency. I 
support a unified national strategy to combat terrorist and 
other illicit finance, and this strategy should include a 
comprehensive discussion of virtual currencies.
    I look forward to hearing how we can most effectively use 
risk-based approaches to identify and mitigate the exploitation 
of virtual currencies by terrorists and criminals while 
allowing for innovation and growth in the fintech sector. In 
fact, how can we best use the innovation and growth within 
fintech to counter terrorist and other illicit finance?
    Thank you again, Chairman Pearce and Ranking Member 
Perlmutter, for your leadership on this issue, and I continue 
to look forward to working with my colleagues on both sides of 
the aisle to keep all types of money out of terrorist hands and 
build on our progress to strengthen America's security.
    Thank you, Mr. Chairman. I yield back.
    Chairman Pearce. The gentlelady's time has expired.
    We now turn to the testimony of our witnesses.
    Mr. Jerry Brito is the executive director of Coin Center, a 
nonprofit research and advocacy center founded in the public 
policy issues facing cryptocurrency technologies such as 
bitcoin. Previously, Mr. Brito directed the Technology Policy 
Program at the Mercatus Center of George Mason University, and 
he serves as an adjunct professor of law at George Mason 
University. Mr. Brito earned his J.D. from George Mason 
University School of Law, and his B.A. from Florida 
International University.
    Mr. Scott Dueweke is the president of the Identity and 
Payments Association. He is also the president of Zebryx 
Consulting, providing public and private sector clients an 
understanding of the risks and rewards of identities and 
alternative payment systems.
    Mr. Dueweke is an expert on identity, the blockchain, and 
alternative payment systems. He has advised financial 
institutions, the U.S. Government, and international law 
enforcement agencies on these matters.
    Mr. Dueweke's experience in the blockchain and its 
underlying technology of public key infrastructure, or PKI, 
began in 1996 with his role as the global marketing manager for 
IBM's PKI group. Mr. Dueweke is a frequent speaker on identity, 
alternative payments, and the dark web at conferences worldwide 
and has been interviewed and quoted by media, including The 
Wall Street Journal, Fox News, Time, and Forbes.
    Ms. Kathryn Haun served as a Federal prosecutor with the 
Department of Justice from 2006 until recently, and was DOJ's 
first ever coordinator for emerging financial technologies. Ms. 
Haun has investigated and prosecuted hundreds of violations of 
Federal criminal law in the United States with a focus on 
transnational and organized crime syndicates, cybercrime, the 
deep web, and digital currency, including a case against the 
former Federal agents investigating the illicit Silk Road 
marketplace.
    Ms. Haun previously worked on national security issues and 
held senior positions at DOJ. Prior to that, she was in a 
private practice in D.C. Ms. Haun has clerked for U.S. Supreme 
Court Justice Anthony Kennedy as an honors graduate of Stanford 
Law School, where she has also taught a class on cybercrime and 
digital currency.
    Mr. Jonathan Levin is co-founder of Chainalysis, which is 
the leading provider of anti-money-laundering software for 
bitcoin. Through formal partnerships with Europol and other 
international law enforcement, Chainalysis' investigative tools 
have been used globally to track, apprehend, and convict money 
launderers and cybercriminals.
    Mr. Levin was previously CEO at Coinometrics, where he led 
a team of data scientists to measure the activity and the 
health of the bitcoin network. Mr. Levin was a postgraduate 
economist at the University of Oxford, where his research 
focused on virtual currencies, creating one of the first 
statistical models of bitcoin transaction fees.
    Mr. Luke Wilson is the vice president of business 
development investigations with Elliptic, where he is primarily 
responsible for law enforcement engagement and investigations. 
Mr. Wilson has a unique skill set and a deep understanding of 
bitcoin and blockchain owing to his 7 years of employment with 
the Cyber and Counterterrorism Division of the Federal Bureau 
of Investigations.
    While at the FBI, Mr. Wilson constructed the first 
interagency task force for investigating illicit uses of 
bitcoin. As a subject matter expert, Mr. Wilson has advised the 
U.S. Government and regulators on digital currencies.
    With his previous employment with the Department of 
Defense, and the Intelligence Committee, I think Mr. Wilson has 
over 17 years of law enforcement and intelligence experience, 
and we appreciate his participation in the hearing today.
    Each of you will now be recognized for 5 minutes to give an 
oral presentation of your testimony. And without objection, 
each of your written statements will be made a part of the 
record.
    Mr. Brito, you are now recognized for 5 minutes.

   STATEMENT OF JERRY BRITO, EXECUTIVE DIRECTOR, COIN CENTER

    Mr. Brito. Mr. Chairman and members of the subcommittee, I 
would like to thank you for the opportunity to speak to you 
today.
    What I would like to do is explain what bitcoin is, and why 
it is a groundbreaking innovation--perhaps as important as the 
Web; and why, like the Web, illicit actors are attracted to it. 
I will then briefly offer some thoughts on what can be done to 
prevent that.
    Before the invention of bitcoin, for two parties to 
transact online always required a third-party intermediary--
someone like PayPal or a bank. Unlike cash in the real world, 
which I can hand to you in person without anyone else between 
us, electronic payments required a third party, trusted by each 
of us, to verify and guarantee the transfer.
    Introduced in 2008, bitcoin overcame a longstanding 
computer science problem and for the first time allowed the 
secure and verifiable transfer of digital assets between 
individuals without the need for third-party intermediaries--
just like cash in the physical world.
    The innovation of peer-to-peer transfers has unlocked an 
incredible array of socially beneficial and economically 
important uses. Not only are fast and inexpensive global money 
transfers and payments now possible, this technology is also 
being used to make possible micro-transactions, copyright 
registries and global rights management system, faster and more 
efficient trade settlements, more secure land title and 
property record systems, Internet of things networks, self-
sovereign identity, and much, much more.
    What gives this technology its innovative potential is 
that, because there are no third-party gatekeepers from which 
to seek access, it is an open and permissionless network--just 
like the Internet.
    When Mark Zuckerberg decided to launch Facebook in his dorm 
room at Harvard he didn't have to first clear it with the 
management of Internet, Inc. He simply wrote the Facebook 
application and launched it on the Web. Like the Internet, it 
is the permissionless, open nature of bitcoin that will foster 
innovation.
    Unfortunately, this also means that like the Internet, it 
is open to bad actors who take advantage of it. Criminals 
certainly use it today, and we have begun to see some nascent 
interest from terrorist groups.
    However, according to a recent report on the potential of 
terrorist use of digital currencies by the Center for a New 
American Security (CNAS), ``Currently there is no more than 
anecdotal evidence that terrorist groups have used virtual 
currencies to support themselves.''
    While the potential is very serious, this, however, means 
that there is time to develop an appropriate response--a 
reasoned response that targets the threat while preserving the 
freedom to innovate.
    The blockchain and digital currency community has been 
working for some time now to face this threat. Almost 2 years 
ago, the Coin Center helped co-found the Blockchain Alliance, a 
public-private forum that serves as an information-sharing 
conduit between law enforcement and industry.
    Today the alliance is composed of 35 industry members, 
including the largest exchanges and digital wallet companies, 
and 36 members from the government, including DOJ, FBI, DHS, 
IRS, Secret Service, Interpol, Europol, and many others. Thanks 
to the cooperative work of the Blockchain Alliance, law 
enforcement today is better equipped than ever to take on this 
emerging threat.
    However, the CNAS report I mentioned earlier found that our 
current regulatory framework impedes law enforcement in the 
private sector from collaborating more nimbly to weed out 
illicit actors. They found, ``One particular challenge in this 
area is the requirement for a virtual currency firm to obtain 
licenses in all states in which it operates and maintain 
compliance consistent with both Federal and applicable state 
standards where they are licensed to operate. With only a 
single Federal registration for virtual currency firms, 
compliance costs would be more manageable for smaller firms and 
regulators would be better able to oversee firms.''
    The Coin Center could not agree more, and to promote a more 
uniform approach Congress should consider the Office of the 
Comptroller of the Currency--encourage him to offer Federal 
fintech charters to custodial digital currency firms. And 
Congress should also consider the creation of a new Federal 
money transmission license to take the place of State-by-State 
licensing.
    As we discuss these questions today, I hope you will keep a 
few things in mind.
    First, this is a technology that, like the Internet--or, 
indeed, like fire--can be used for good or for bad. Its 
inherent nature is neutral.
    Second, this technology can't be put back in the bottle. 
Encouraging its legitimate use gives us more and better 
visibility into the network, while discouraging its use only 
cedes the network to bad actors.
    And finally, while there is substantial criminal use, 
terrorist use, while obviously important to focus on, is still 
nascent and experimental, so there is time to develop a 
considered response.
    Thank you.
    [The prepared statement of Mr. Brito can be found on page 
38 of the appendix.]
    Chairman Pearce. Mr. Dueweke, you are recognized for 5 
minutes.

    STATEMENT OF SCOTT DUEWEKE, PRESIDENT, THE IDENTITY AND 
                      PAYMENTS ASSOCIATION

    Mr. Dueweke. Thank you.
    Esteemed members of the subcommittee, I am honored to be 
testifying before you today on the important topic of virtual 
currencies and their role in enabling terrorism and illicit 
financial transactions. There are four major points I would 
like to make.
    The first: Understanding the promise and peril of virtual 
currencies requires looking well beyond the bright, shiny 
bitcoin. Virtual currencies beyond bitcoin and other 
alternative payment systems create an expansive shadow network.
    China and Russia are beginning to dominate a new global 
digital financial system of which we are not necessarily fully 
members of or aware of. And these new payment systems are 
helping to connect billions of unbanked and underbanked around 
the world, and we should always keep that in mind.
    These billions of people who are using virtual currencies 
and other alternative payment and remittance systems for 
legitimate purposes are transforming economies through their 
use, especially in Asia and Africa. These systems now represent 
a major force for the financial inclusion of the more than 3 
billion unbanked and underbanked around the world. That is an 
important point I hope you will remember as you examine the 
negative uses of these systems. There is a lot of positive 
going on.
    How do we balance the profound benefits of these new 
fintech opportunities against the criminal use of these 
systems? It is critical that the entire scope of this ecosystem 
first be considered--its impact, its uses, its structure--
before making judgments or creating laws and regulations that 
might have broad unintended consequences.
    This ecosystem extends far beyond bitcoin and other 
cryptocurrencies and its roughly $100 billion market value of 
bitcoin today. Other virtual currencies, like the centralized 
Russian and Chinese virtual currencies, far exceed bitcoin, and 
their combined value with remittance systems and mobile payment 
systems exceeds $2 trillion.
    A network of thousands of virtual currency exchangers 
connect these systems into one ecosystem, which should not be 
considered separately, but instead as an ecosystem together 
with the other parts of it.
    Even bitcoin's impact extends far beyond its use as a 
cryptocurrency. For example, as Jerry mentioned, the blockchain 
can be used for many other purposes.
    I am currently working with Saint Luke's University 
Healthcare Network to implement the blockchain to enhance the 
patient experience and to make it more secure and convenient. 
The blockchain is being implemented in financial institutions 
to transfer funds, at the New York Stock Exchange to modernize 
the trading of stocks, and in many other applications. It can 
also be applied to reduce fraud and graft in foreign aid 
programs while increasing its reach and impact while allowing 
full transparency and reduction in the approximately 30 percent 
of foreign aid that is lost to graft and corruption.
    Not all blockchains are created equal, and new, more 
anonymous cryptocurrencies, such as Monero, Dash, and Zcash, 
are beginning to gain market share. These systems now account 
for about 1 percent of all cryptocurrency usage on the dark web 
and are increasing in popularity rapidly.
    As these systems increase in usage, existing blockchain 
analysis tools will be challenged to remain relevant as these 
dark cryptocurrencies are designed to avoid the tracking of 
transactions, whereas bitcoin was designed to be transparent.
    A new consideration of the use of cryptocurrencies by 
nation states includes the Russian Central Bank's announcement 
on June 3rd that they will be creating a national 
cryptocurrency. Considering that a large percentage of global 
criminal hackers are Russian language-speakers and our current 
stress with Russia and the United States and Europe, this 
development should be closely monitored.
    How this cryptocurrency is set up will be telling. Will it 
have a publicly available and verifiable blockchain like 
bitcoin, or will it be a private or permissioned blockchain and 
be opaque to Western observers and regulators?
    If private, it could be used to circumvent KYC and AML and 
be used to support proxy ``patriotic hackers,'' as Vladimir 
Putin referred to them last week. This possibility already 
exists with Russian language centralized systems--especially 
WebMoney.
    Hypothetically, what could these virtual currency systems 
be used for? I am especially referring to these centralized 
systems, not bitcoin as much.
    First, balance of payment transfers between criminal 
organizations such as organized crime and drug cartels; second, 
fund transfers with pariah states; third, transfers with 
terrorists; fourth, enabling kleptocrats to move money from 
their country's coffers offshore--as I have said in the press, 
the next Panama Papers scandal could well be focused on these 
systems instead of traditional banking; and the funding of a 
virtual army of proxy hackers to do their patriotic duty.
    So how do we cope with these daunting challenges on 
managing and balancing these? At the Identity and Payments 
Association we have launched a global nonprofit to create a 
public-private partnership to do precisely that.
    In summation there is a shadow financial system that is 
thriving outside of our control. We need to take strong steps 
to understand, control, and counter it while encouraging the 
growth of these new alternative payment and virtual currency 
systems that are governed by the rule of law.
    Thank you.
    [The prepared statement of Mr. Dueweke can be found on page 
42 of the appendix.]
    Chairman Pearce. Ms. Haun, you are recognized for 5 
minutes.

 STATEMENT OF KATHRYN HAUN, LECTURER, STANFORD LAW SCHOOL, AND 
   FORMER ASSISTANT U.S. ATTORNEY, U.S. DEPARTMENT OF JUSTICE

    Ms. Haun. Thank you.
    Mr. Chairman, Ranking Member Perlmutter, and members of the 
subcommittee, thank you for inviting me to testify on the role 
that financial innovation can play in facilitating but also in 
curtailing illicit finance.
    In a year the market capitalization of bitcoin has gone 
from $6 billion to $40 billion, and the combined market cap of 
all cryptocurrencies now exceeds $90 billion. This number is 
rising every day.
    More people are buying, selling, trading, and transacting 
in these currencies for plenty of legitimate uses. In fact, I 
know small business owners, academics, investors, and even 
government employees who use cryptocurrency, and these aren't 
people engaged in illicit acts. They are looking for ease of 
payments, fewer middlemen, lower fees, and greater privacy.
    But early misuse is a fact of life with emerging 
technologies, and cryptocurrency is no exception. Although we 
now all use the Internet every day, in the beginning it was 
disproportionately used by child pornographers and online 
fraudsters, and it is still today used for good and bad, 
including by terrorists.
    Now, the potential for terrorist use of cryptocurrencies 
exists, as it exists for cash or any other type of asset. To 
date, we have seen only limited instances of terrorists using 
cryptocurrency, but these instances are becoming more frequent.
    It appears that terrorists are not using the registered 
exchanges in the United States but are using the unregistered 
overseas ones that don't allow for U.S. anti-money-laundering, 
or AML, requirements. They are also using anonymous peer-to-
peer exchanges, like LocalBitcoins.com, which operates as a 
sort of Craigslist.
    Now, none of the recent and horrific terrorist attacks have 
relied on cryptocurrencies for the simple reason that these 
attacks are, by and large, low-tech and inexpensive. Automatic 
weapons, trucks, suicide bombs, and plane tickets don't require 
large sums of money.
    With the small amounts necessary to inflict massive harm, 
terrorists overwhelmingly use less traceable means, like cash 
and prepaid cards. We see more use of cryptocurrency in the 
areas of cybercrime, drug trafficking, money laundering, and 
financial fraud. These activities have major national security 
implications, of course. Ransomware is a compelling example 
because it can cripple critical infrastructure--hospitals, 
first responders, public transit systems.
    Last month's WannaCry attack affected over 10,000 
businesses, hospitals, and public agencies in over 153 
countries, and that WannaCry attack wasn't even a very 
sophisticated attack. It is getting far worse, and ransomware's 
preferred currency is bitcoin.
    However, while some features of cryptocurrencies may 
facilitate crimes, other features may thwart them.
    One of the beneficial features of bitcoin is the 
decentralized nature of the blockchain, the technology 
underpinning it. The blockchain is decentralized over millions 
of computers so it is very difficult to hack.
    For a nation state wanting to inflict harm, a cyberattack 
using malware against a major financial institution is a 
centralized target. But if our financial infrastructure ran 
instead on these decentralized systems, millions of computers 
across the world would have to be hacked and they would have to 
be hacked simultaneously.
    And cryptocurrency also helps us solve bad acts. In one 
case I brought as a prosecutor, we used blockchain patterns to 
identify rogue Federal agents on the Silk Road Task Force. In 
another case we solved major hacking and ransomware schemes by 
looking at the movement of bitcoin. Some cases aren't yet 
public, but we would not have solved them had these criminals 
not been using cryptocurrencies because investigators like 
digital footprints, and that is exactly what digital currencies 
provide.
    Of course, we can only follow the money to an individual if 
they used an entity that follows AML laws--money laundering 
laws--since only then can we, as law enforcement, tie it to an 
entity or an actual identity. But many overseas exchanges do 
not require names, let alone identification, to open accounts, 
and this leads to creation of anonymous accounts. Nearly 100 
percent of ransomware campaigns and hacking rings use these 
overseas unregistered exchanges.
    We have gone after some of the exchanges in the United 
States like this with success, but the majority of noncompliant 
exchanges are overseas and this poses formidable legal 
challenges, jurisdictional challenges. Our antiquated Mutual 
Legal Assistance Treaty process, or the MLAT process, takes 
months of bureaucratic maneuvering, and that is in the best-
case scenario when we have cooperative partners on other sides. 
And when we are dealing with an uncooperative country, we might 
not get any evidence at all.
    We need more resources to quickly get at electronic 
evidence overseas, funding more attache positions and better 
systems for processing these MLATs, which are absolutely 
critical to us getting overseas electronic evidence.
    For those entities in uncooperative countries we need more 
statutory authority to go after their business segments that 
rely upon U.S. companies for support: servers; communications; 
software; and banks. Now, there are numerous entities in the 
space with robust AML and compliance programs, and these 
platforms are some of our best partners.
    In fact, the head of an agency in Treasury told me that the 
suspicious activity reports (SARs) that they are seeing out of 
digital currency companies are superior to those from large 
financial institutions despite fewer compliance resources. And 
in over a decade that I spent as a Federal prosecutor, the 
fastest turnaround I ever got on a subpoena was from a digital 
currency company.
    But with broader adoption these companies' compliance 
resources are being stretched. We want them to be spending 
those resources on keeping bad actors off their platforms and 
developing tools to spot fraudulent activity, not addressing 
the vagaries of 50 different State regulatory regimes. The idea 
of a Federal solution to harmonize State laws is an area where 
Congress could help.
    And also an area where Congress could help is we have an 
urgent need for resources to be devoted to this space 
immediately and across- the-board at all agencies. It is simply 
not sufficient to have only a handful of people at each Federal 
agency focused on cryptocurrency when it is affecting so many 
areas that touch upon our national security.
    Thank you very much for inviting me to share my thoughts on 
this topic.
    [The prepared statement of Ms. Haun can be found on page 50 
of the appendix.]
    Chairman Pearce. Thank you.
    Mr. Levin, before you are recognized, I realize now I was 
giving you an extra syllable in the name as I was pronouncing 
it during the introduction, so you can just put it on your 
asset sheet that you are worth more now here.
    I now recognize you for 5 minutes.

      STATEMENT OF JONATHAN LEVIN, CO-FOUNDER, CHAINALYSIS

    Mr. Levin. Thank you, Mr. Chairman, Ranking Member 
Perlmutter, and members of the subcommittee.
    My name is Jonathan Levin and I am one of the co-founders 
of Chainalysis. Chainalysis is the leading provider of 
investigation software and risk management solutions for 
virtual currencies. In this field, we identify illicit use of 
virtual currencies, including terrorist financing. We provide 
tools to private industry and law enforcement to mitigate these 
risks and the activity that poses a risk to our society.
    I wish to divide my briefing into three significant 
sections that I believe are worth considering when looking at 
the risk of virtual currencies: first, the potential for 
virtual currencies; second, the nature of this technology; and 
finally, the current use of virtual currencies.
    The Internet started in the early 1960s but did not enter 
the mainstream until the creation of an easy-to-use consumer 
layer and developer tools that happened in the mid-1990s. Today 
we almost all use the Internet every day prior to entering this 
room and even afterwards.
    The U.S. Government played an instrumental role in 
providing essential layers for private industry to develop 
business models and products for us as consumers to use. 
However, there was no payments layer baked into the Internet.
    This is where the motivation behind bitcoin came in.
    Efforts to curb the demand for this new payment 
infrastructure have not led to success. In February 2017 the 
People's Bank of China put pressure on virtual currency 
exchanges to stop trading. This led to an uptick in peer-to-
peer bitcoin transactions that are out of the purview of the 
state. The transaction volume went from 2.5 million RMB to over 
100 million RMB on these exchanges, and these cannot be 
regulated and it diminishes the oversight of the state.
    Bitcoin and other virtual currencies are decentralized, as 
we have heard, and as such they are censorship-resistant. 
Receiving bitcoin can be done by anyone with basic access to 
computing anywhere in the world.
    There is no need to register or supply anyone with 
identifying information in order to receive bitcoin. There is 
no ability to freeze assets or seize someone's virtual 
currencies without obtaining access to their computer. Virtual 
currencies, in this way, are ultimately bearer instruments, and 
the person in control of a private key is the ultimate owner of 
virtual currency.
    In order to facilitate this system, however, bitcoin makes 
every transaction public. These transactions are recorded in a 
single transaction ledger, the blockchain. However, these 
entries are pseudonymous and do not relate to real-world 
entities.
    Chainalysis analyzes this blockchain to identify which 
transactions have been performed by the same entity and links 
these entities to real-world services such as exchangers, 
merchant processors, and underground marketplaces. This 
blockchain analysis can identify the underlying activity behind 
virtual currency transactions and the on-ramps and off-ramps 
and the connections to the existing financial system.
    Terrorist organizations are not in the business of 
speculating on the price of virtual currencies, but rather, 
they may be interested in using virtual currencies for the 
following use cases: using virtual currencies in cybercriminal 
activities to fund operations; crowdfunding operations from 
sympathizers around the world; and paying for everyday items 
and Internet infrastructure.
    Cybercriminals so far have mainly used bitcoin to buy and 
sell capabilities to launch cyberattacks and extort their 
victims when they do. Their use of bitcoin cannot be attributed 
to anonymity but rather convenience and its ability to move and 
transcend borders.
    There has not been any evidence yet of terrorist 
organizations running any of these criminal enterprises. We 
have heard of the recent ransomware campaign known as 
``WannaCry,'' and that was leveraged by cybercriminals rather 
than terrorist organizations. However, despite ransomware's 
ineffective campaign, some of these criminal enterprises are 
making substantial sums of money, as I allude to in my written 
testimony.
    In July 2016 there was the only verifiable public case of 
crowdfunding known by a terrorist organization. The campaign 
was launched over Twitter and was not very successful and 
raised a total sum of $1,000.
    The nature of virtual currencies meant that Chainalysis was 
able to size the potential threat and also identify the 
ultimate source and destination and connection to the existing 
financial system.
    Terrorists, like any other person, may use bitcoin to pay 
for Internet infrastructure and everyday goods and services. 
There are merchants around the world that accept virtual 
currency, including blue chip companies. Using tools like ours 
at Chainalysis, these purchases can lead to useful leads in 
investigations and uncover the goods and services purchased as 
well as attribute the identity of the individuals.
    The potential for virtual currencies to bring radical new 
business models to the Internet and ways of organizing social 
and economic relations remains large. The pace of change in 
this domain is rapid and the eventual outcomes unpredictable.
    The current use of virtual currencies is mainly financial 
speculation on their eventual impact on the world. The use of 
virtual currencies by terrorist organizations is very limited 
due to lack of awareness and trust placed in virtual 
currencies.
    There is a growing awareness among companies and government 
agencies about the potential threats and their topologies. 
Virtual currencies continue, however, to evolve rapidly. 
Private businesses like ours and the public sector should 
endeavor to mitigate these threats but be cognizant of the 
future potential for this technology.
    Thank you.
    [The prepared statement of Mr. Levin can be found on page 
63 of the appendix.]
    Chairman Pearce. Mr. Wilson, you are now recognized for 5 
minutes.

STATEMENT OF LUKE WILSON, VICE PRESIDENT, BUSINESS DEVELOPMENT-
                    INVESTIGATIONS, ELLIPTIC

    Mr. Wilson. Thank you, Mr. Chairman.
    And thank you, subcommittee members.
    My name is Luke Wilson. I am the vice president of business 
development and investigations for Elliptic.
    Elliptic software is used to identify illicit activity on 
the bitcoin blockchain and we provide our services to the 
leading bitcoin companies and law enforcement agencies 
globally. We are located in London and Arlington, Virginia.
    Today's hearing on, ``Virtual Currency: Financial 
Innovation and National Security Implications'' is a very good 
first step toward understanding this quickly evolving 
technology. My previous employment with the FBI allowed me to 
investigate several crimes that involved bitcoins. My 
experience is that bitcoin is not or should not be alarming to 
investigators or private companies.
    Bitcoin is thought to be anonymous by some criminals. In 
reality, it is far from anonymous, and companies like Elliptic 
have assisted law enforcement and private industries to 
identify who is behind the illicit bitcoin transactions.
    Elliptic's software and expertise has assisted in 
terrorism, ransomware, cyber extortion cases, and illegal arms 
trafficking cases, to name a few. In all of these cases we have 
provided intelligence and leads that help investigators to 
trace bitcoin transactions and identify who is transacting.
    This is all made possible by the record of transactions 
kept on the blockchain. All bitcoin transactions are stored on 
the blockchain, including those performed by criminals. The 
importance of this blockchain record cannot and should not be 
undervalued, as it provides a public and permanent and 
incorruptible record of transactions, the likes of which is not 
available with any other payment method.
    I would really like to go through a couple of cases that I 
helped with when I was in the Bureau.
    As I talk about the firearms case, this was a case that I 
helped with, actually, while at Elliptic. There was a law 
enforcement agency that was looking at an illegal arms 
trafficker. If the illegal arms trafficker did not purchase the 
illegal arms off of a dark market site using bitcoins, this 
individual would never have been placed in handcuffs and put in 
jail. It is because of the bitcoin blockchain that they were 
able to come to Elliptic and we were able to trace those 
transactions and find out where the individual was purchasing 
the firearms, and then now we could tie that back to that 
individual.
    So when I say that we have a way to trace this, this is 
what law enforcement and private industry does. They come and 
talk to a company like Elliptic or Chainalysis.
    My experience in counterterrorism and virtual currencies 
make me well-placed to evaluate the risk by the potential 
terrorist use of bitcoin. My experience is that there have been 
very few verified terrorism cases in which bitcoin was used, 
and that in all of these cases law enforcement was able to 
trace the flows of bitcoin to subjects and possible 
coconspirators.
    While I cannot say what the future holds for terrorist use 
of bitcoin/virtual currencies, I can say that it is very small 
to date and that we have been successful in assisting law 
enforcement and private industries to combat that threat.
    Thank you for your time.
    [The prepared statement of Mr. Wilson can be found on page 
70 of the appendix.]
    Chairman Pearce. I thank each one of you for testifying.
    The Chair now yields himself 5 minutes for questions.
    So, Ms. Haun, I was fascinated by Mr. Levin's comments in 
both his written testimony and his statement that most of the 
protocols and infrastructure are decades old, pioneered by 
academia and the government. And as you talked about the 
additional resources, is it even possible for someone in a 
bureau, someone in an agency to keep up with the fast pace of 
development? So address that if you can.
    Ms. Haun. Sure. Well, I think it is two-fold.
    First it is personnel who require training and being 
brought up- to-speed on these technologies. But second, it is 
the systems, and I think the systems are very important because 
oftentimes we will be getting from these companies that are 
providing us metadata in response, for example, to a search 
warrant or a subpoena, and we on our old systems can't even 
access them. They won't even run that data, and that is a real 
problem.
    I think yes, it is possible, but you have to look at the 
resource question from both personnel and systems resources. 
And I mentioned the same thing with respect to speeding up the 
processing of MLATs: it is not just personnel, it is also just 
the systems themselves.
    Chairman Pearce. Okay. So you bring in personnel today and 
you give them a really deep education and a year from now they 
have been covered up with investigations and keeping up.
    Mr. Levin, are those personnel we bring on today going to 
be able to keep up?
    Mr. Levin. I think that as we look forward to see what 
innovations happen, the incentive needs to be placed on the 
private sector to be able to provide tools and keep up with the 
innovation that happens. And I think that it is our duty to 
provide training and education as part of offering software and 
tools, and that is something that we are actively doing. It 
needs to be regular and it needs to be more frequent than it 
currently is.
    Chairman Pearce. That is kind of my impression, just 
sitting up here being pretty unfamiliar with any technology.
    So do you envision, Mr. Levin, an ability to set up the 
protocol that will give the protections and yet allow access by 
law enforcement to where we don't have to have the resources? 
Because, just as a policymaker I will tell you, I see an 
unending need to hire more personnel, and the personnel we 
hired last year are not going to be very good by next year, and 
the year after completely not up-to-date. And so we just keep 
building that bureaucracy.
    Somewhere we need to get the mobileness to tap into the 
private sector's knowledge, and therefore we leave the law 
enforcement to the law enforcement people, not keeping up with 
technology.
    So if either one of you--Mr. Luke, if you want to jump in 
here on this, too, I really would like a discussion kind of on 
that, and fairly short, I have 2 minutes here.
    Lead off, Mr. Levin, if you would, and then I'll go to Ms. 
Haun and Mr. Wilson. I would really like your input.
    Mr. Levin. I think that one thing that I have seen 
personally in law enforcement is actually the need to not hire 
new people every year and that people need to become subject 
domain experts in order to be able to counter the threats that 
we have, that someone coming in new would need to learn about 
the innovation of this technology and its history and its 
evolution rather than just the latest and greatest new bit of 
technology.
    I think also I have seen several efforts by regulatory 
agencies and oversight agencies to automate processes to 
actually take away personnel from copying down notes off 
printed-out sheets and submit things programmatically that 
would definitely assist in making sure that the government's 
resources are best used.
    Chairman Pearce. Ms. Haun?
    Ms. Haun. Yes. I think it is also a question of shifting 
resources because I was brought into the department as a gang 
and murder prosecutor, and then I switched. So it is not that I 
became useless; I think you have personnel who are capable of 
adapting to new areas.
    I think one of the problems is that the government and a 
lot of the agencies are very siloed. So, for example, we have a 
cyber unit, and only the cyber unit is maybe getting trained on 
these cryptocurrencies or the dark net; but the fact is it 
affects the narcotics unit, it affects the national security 
unit, it affects the white collar unit, the financial fraud 
unit, the public corruption unit.
    So I think you can shift those resources, but it needs to 
be across-the-board.
    At the same time, I do think resources are necessary for 
training not only in government but in the public-private 
partnerships. The Blockchain Alliance goes a long way. They 
have webinars that people can watch. So these are actually free 
resources.
    Chairman Pearce. Okay.
    Mr. Wilson, and pretty briefly, I am out of time here.
    Mr. Wilson. Yes, sir. I agree with Ms. Haun. It is overall 
training. Anything that you can do with regular cash you can do 
with bitcoin or virtual currencies, so there needs to be a 
centralized training.
    And you have a huge--what is a technological gap, as well. 
Some law enforcement agencies and private industry are just now 
figuring out that you can trace these transactions.
    I think those are two big areas.
    I was a counterterrorism agent before I went to the Cyber 
Task Force. I took it upon myself to learn these things and put 
the task force together. So those are just some of the huge 
hurdles that they are facing out there.
    Chairman Pearce. Thank you.
    Thanks to each of you.
    My time has expired, and I recognize Mr. Lynch for 5 
minutes.
    Mr. Lynch. Thank you very much, Mr. Chairman.
    I just want to take a minute to say thank you to you, 
Chairman Pearce, and also Ranking Member Perlmutter, for your 
really forward-leaning approach on this issue.
    And I also want to thank the witnesses because this is not 
the first time we have met and I want to thank you for all the 
energy you have put into trying to get Congress up-to-speed on 
this issue. Usually we are very much behind, but on this issue, 
I think with your help, we are almost up-to-speed.
    Ms. Haun, I also want to thank you for highlighting the 
issue of personnel and resources. I was in Bahrain and Dubai, 
did a little work in the Gulf, and we have one Treasury attache 
who is responsible for, I think, five different countries. And 
he is bouncing back and forth with central bankers and 
totally--he's doing a great job, don't get me wrong, but he's 
totally overstretched, I think, in terms of our resources. So 
that is probably something that we can work on.
    One of the problems I am trying to grapple with is the 
asymmetry here of, you know, three guys in a truck and a bunch 
of steak knives on a bridge in Manchester, and then our sort 
of--our defense out there talking about cybersecurity and 
larger systems. There is, I think, an effort by ISIL and others 
to use this interstitial approach where they hit us where we 
are not protected. And I don't know how we get at that.
    I think this is an emerging issue for us. I know that, Mr. 
Brito, you have said--you described this as anecdotal, some of 
the use by terrorists, but I think we have to be prepared. As 
the use of this becomes more broad, by the general public, then 
I think, certainly, nefarious elements will capitalize, as 
well.
    On the personnel side, in terms of trying to train people 
and the money and the time involved in getting people really 
trained as experts in this, in cybercurrency use and all the 
other issues involved, when we send our young people to West 
Point and to the Naval Academy, they go to school and--excuse 
me?
    The Air Force Academy. Oh yes, yes. The Air Force Academy 
at Colorado Springs, as well. I am just using it as an example, 
not exclusive. But we commit them--they commit for 5 years 
beyond that, and so we--for our investment we get the return.
    Is there a way that we can sort of--do you think it would 
be wise for us to set up some similar system where we have a 
lot of bright people who will be all over this stuff; I think 
it really appeals to some of the skills and ability of our 
young people--create a system like that: scholarships, maybe 
identify a handful of universities who would love to, I think, 
offer this type of instruction and education. Is that something 
that you have seen anywhere in our university systems? MIT, any 
places like that?
    Ms. Haun. I could speak to that.
    I taught a cybercrime and digital currency class at 
Stanford and it was cross-registration from a number of 
departments--law, business school, computer scientists, 
engineers. And I am pleased to say that a number of those 
students actually ended up going to serve across the government 
in national security capacities, and our U.S. attorneys' 
offices. So I think the interest is there still in serving in 
those capacities, albeit in this new, emerging field.
    Mr. Lynch. Yes.
    That is good to hear. I think we just need to do more of 
it.
    On the other side, trying to build a system, an agency 
ourselves, and keep it up-to-speed, we haven't done a very good 
job of that internally with our government. We have legacy 
systems that are a problem.
    I just want your feedback, any of you, wouldn't it be 
better to buy the system in terms--purchase the system on the 
private side and have cutting-edge technology rather than 
trying to construct it ourselves? Because Congress is subject 
to appropriations and, dear Lord, we are terribly slow in 
keeping up. I am just--like your own thoughts on that.
    Anybody?
    Mr. Brito. I agree with you, and I think Mr. Levin and Mr. 
Wilson are being too modest to say that their companies are 
building exactly the system that allows law enforcement, and 
not just law enforcement but digital currency firms and banks 
who deal with these networks, to have greater visibility into 
the network.
    Mr. Lynch. Great.
    I see my time has expired. Mr. Chairman, I would just ask 
unanimous consent to enter into the record this report: 
``Terrorist Use of Virtual Currencies,'' by the Center for a 
New American Security, by Goldman, Maruyama, Rosenberg, 
Saravalle, and Solomon-Strauss.
    Chairman Pearce. Without objection, it is so ordered.
    Mr. Lynch. Thank you.
    Chairman Pearce. The gentleman's time has expired, and just 
by way of kind of updating the subcommittee, after our meeting 
we asked Mr. Budd and Mr. Davidson and Mr. Lynch and Mr. Foster 
to come together and really address this idea of adjusting a 
protocol and the reactiveness of our team, our governmental 
team, to sort of keep up and see if we can think of a new 
approach to this.
    So again, I thank the gentleman. And it looks like we have 
five really good people here that you all can work with.
    I now recognize Mr. Pittenger for 5 minutes.
    Mr. Pittenger. Thank you, Mr. Chairman.
    And again, I thank each of you for your participation with 
us and for the many times that you have come to address us and 
engage in this dialogue.
    Certainly something that, as you pointed out, Ms. Haun, it 
is a growing sphere of engagement by those who seek illicit 
transfer of payments--$90 billion, I had never heard that 
figure before today, and that will certainly continue to 
increase. And I think we have found in the past that those with 
nefarious interests look for--like water going downhill. If 
they get blocked one way they are going to go somewhere else, 
and I think we should be anticipating--not waiting, but 
anticipating that they will enter into this arena in greater 
dimension.
    To that end, I think the points have been well made in 
terms of personnel and training. I would like to get your 
thoughts, just for clarification. If somebody has sophisticated 
cyber training, they have been certified by SAS or some company 
like that, is that a strong foundation for being able to move 
over to address these blockchain types of transactions?
    Ms. Haun. Is that question to me, Mr. Pittenger?
    Mr. Pittenger. Sure, or any of you who would like to 
answer, but just go ahead.
    Ms. Haun. All right.
    I think the answer is it is not necessary. I think it would 
provide a good foundation, but I founded a digital currency 
task force out in San Francisco comprised of numerous agencies 
and none of them had that SAS training. All of them, however, 
were very interested in this new field and they were looking 
for something new in their career; perhaps they had done cartel 
cases before. And so everyone brought something different.
    And actually, the technology, a bit counterintuitively, is 
not that hard to get up to speed on. I really do think that if 
you watch a few webinars, you go to a few training sessions, 
and all of a sudden you really know a lot more than you thought 
possible in a short time.
    Mr. Pittenger. Maybe if I could ask you, then, to that 
point, you question the merits of bringing on new people. Why 
would that be a problem if it could be adapted so easily?
    Ms. Haun. Oh, I don't think there would be any problem with 
bringing on new people. I just, to the chairman's question 
about do all of our existing people become obsolete, I think 
that need not be the case either.
    Mr. Pittenger. Okay.
    Ms. Haun. But certainly, of course, I would always say new 
people--more people are better because we have--dealing with 
criminals--
    Mr. Dueweke. It needs to be the right type of people.
    Ms. Haun. The right type of people, but dealing with 
criminals we have too much business, so yes. Good point.
    Mr. Dueweke. One of the big problems, though, in this whole 
conversation is it is overly focused on understanding the 
blockchain.
    Mr. Pittenger. Okay.
    Mr. Dueweke. That is a component, and it is actually a 
fairly small component of the overall virtual currency threat 
and usage by criminal organizations, et cetera. It is not so 
much a matter of understanding the technology behind the 
blockchain; it is having people who understand global payment 
systems that are on the cutting edge and understand the 
fintech, the mobile payment systems, the blockchain systems. It 
is much larger than just, ``Hey, let's get some smart kids who 
understand the blockchain.''
    You really need to understand the entire payments world, 
and that is what I have seen in a lot of the training that I 
have done within U.S. law enforcement and law enforcement 
around the world. They are just trying to grapple with this one 
piece, the bright, shiny bitcoin, I call it; they really need a 
much broader understanding, and that isn't something that 
necessarily comes easily from quick training.
    And probably what you need to do is foster a better 
relationship, this public-private partnership, so that the 
payment processors, the Coinbases, the First Datas, you have a 
better relationship with them because they are the ones that 
have this knowledge that takes, frankly, decades to really 
understand all of these systems globally, and that is what is 
missing.
    Mr. Pittenger. Yes, sir, Mr. Brito?
    Mr. Brito. I have to agree with Mr. Dueweke. And I think 
part of what is happening in this conversation is that myself, 
Ms. Haun, Mr. Levin, and Mr. Wilson are here because we are 
focused on decentralized digital currencies. Cryptocurrencies 
is another name for that, bitcoin being the number one example. 
It was the first cryptocurrency and it is the largest 
cryptocurrency today.
    That said, what Mr. Dueweke is rightly pointing out is that 
if you think of a pie chart, decentralized cryptocurrencies 
like bitcoin account for a tiny sliver. You have other digital 
currencies that are centralized and, as Mr. Dueweke was 
pointing out, account for a lot of the use by illicit actors.
    Mr. Pittenger. All of your points are well taken. I think 
we really have our work cut out just getting this on the radar 
screen to make sure that people see this venue, and so that we 
can address it in a comprehensive way. I don't think the public 
at large--in fact, I don't think the Congress fully understands 
the depth of opportunity that is there for those who seek an 
illicit transfer of funds.
    Thank you. I yield back.
    Chairman Pearce. The gentleman's time has expired.
    And just sort of in response to Mr. Dueweke, you are 
exactly right, but our hearing today is on virtual currencies 
and so we are trying to get that, and then we had yesterday the 
meeting that was digging into the actions and the patterns of 
actions. We will merge these two together in the future, and 
again, that is our kind of subgroup of four people who are 
tasked with that. But again, a very accurate observation.
    The Chair now recognizes Mr. Kihuen from Nevada for 5 
minutes.
    Mr. Kihuen. Thank you, Mr. Chairman, and Ranking Member 
Perlmutter, for organizing this hearing.
    And thank you, to all of you, for testifying this morning.
    I just have a couple of quick questions, one regarding 
mixing. For my colleagues who might not know, since the 
transactions of some cryptocurrencies that are recorded on the 
blockchain, mixing is a way to launder payments that may be 
connected to tainted sources.
    Ms. Haun, since you prosecuted some of these cases, are you 
worried that mixing might become so sophisticated that it might 
become very hard for law enforcement to track some of these 
transactions for criminal activity?
    Ms. Haun. Yes, I am.
    Right now the technology isn't there to be as sophisticated 
for the mixers and tumblers, we hear them called tumblers. But, 
of course, anything that further anonymizes things make it more 
difficult for law enforcement authorities to kind of follow the 
trial, so I am worried about it.
    We have heard analogies to--Jonathan mentioned earlier it 
is like a mask. Think of it, if you are a person who is going 
in to do some bad acting, and you are wearing a mask, we can't 
see you because you have disguised yourself. But if you wear 
that mask again later, we know it is you.
    The problem with tumblers and mixers are that let's just 
say all of those masks that people are wearing get taken off 
and melted all together and then their different--the masks are 
reconstituted and put on, so then we don't know that it is you 
again. I don't know if that analogy makes sense, but that is 
kind of how we think of them.
    So we do think that is a problem, but I think more of a 
problem right now are the overseas unregulated exchanges. And 
those are in countries that you might guess at, and we simply 
see those nefarious actors using these cryptocurrencies are not 
using these U.S.-regulated exchanges; they are using the ones 
that are overseas.
    Mr. Kihuen. So do you think that we need to put 
restrictions on the mixing?
    Mr. Levin. Yes. If I could also comment, I think that there 
have been--FinCEN refers to services that transmit virtual 
currencies on the behalf of other people, and it is--there is a 
good chance that mixers do come under that jurisdiction, so if 
it is in the United States there are actually some mechanisms 
that law enforcement might be able to use to put pressure on 
those mixers.
    Mr. Brito. If I could add, in some cases you can think of 
completely legitimate regulated exchanges in this country. You 
send money to them. At that point it sort of becomes invisible 
to the software, and then eventually the money goes out. And so 
in some ways you can think of those as mixers, but it is not a 
problem because they are complying with FinCEN guidance and 
with the Bank Secrecy Act.
    So the problem is not so much that there is mixing 
happening, that there is a third party that is keeping funds on 
behalf of a third party; it is that you have mixers that are 
completely unregulated and not subject to--or not complying 
with the BSA regulations, and I suspect, as Ms. Haun was 
saying, that these are overseas, as well.
    Mr. Dueweke. And that is a critical part of this, too, the 
global nature of this and that you have thousands of these 
unregulated exchanges that are not limited to just that one 
segment of virtual currencies being centralized--or 
decentralized, but also the centralized virtual currencies as 
defined by THADP and acting as a mixer, the best way to mix, 
actually, is to go to one of these unregulated exchanges and 
exchange bitcoin for light coin, for dark coin, or for web 
money or one of the other non-cryptocurrency systems, and then 
change it back.
    You are not following that. It is better than a mixer.
    Ms. Haun. And absolutely, as I alluded to in my written 
testimony, 100 percent of ransomware campaigns we have seen 
cashing out through exactly these overseas exchanges, so it is 
a huge problem.
    Mr. Brito. So I would simply put a point on that by saying 
mixing is not a problem. Again, mixing is a technology that is 
neither good nor bad. It is mixing and not complying with the 
BSA that is a problem.
    Ms. Haun. But to your question about could we regulate 
these things--and I appreciate Mr. Levin's comment that in the 
FinCEN guidance it could be construed to regulate--to reach 
mixers or tumblers. I am not so sure that a prosecutor or 
FinCEN would take that aggressive of a view. Maybe they would, 
but certainly if this were included in Section 1960 as 
explicitly clear, that gives--that statutory authority gives 
prosecutors a lot more comfort that, oh, no, this technology is 
absolutely included in a 1960 definition.
    So I think that would be important. FinCEN guidance alone 
is not always enough for us to bring these new cases that are 
the first cases of first impression.
    Mr. Kihuen. Thank you all so much.
    Thank you, Mr. Chairman.
    Thank you, Mr. Ranking Member.
    Chairman Pearce. Thank you. The gentleman's time has 
expired.
    The Chair now recognizes the gentleman from Colorado, Mr. 
Tipton, for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman.
    And thank you, panel.
    Ms. Haun, maybe you would like to follow up a little bit on 
the last question when you were talking about the 1960 
regulation. And listening to Mr. Dueweke describing the mixers, 
given all of the complexity that is there, even with that 
authorization, how difficult is it really going to be for law 
enforcement to be able to track this information even with 
authorization?
    I think there was a RAND report that came out of some of 
the criminal activity that is going on--RAND National Defense 
Research Institute--saying that criminals are increasingly 
gaining access to technology and encryption tools that could 
allow them to design their own virtual currencies to circumvent 
the global financial system.
    Given that complexity and just your statement, how 
difficult is it for us really to be on the front end of this 
curve rather than being reactive trying to catch up?
    Ms. Haun. I think, again, and I hate to keep coming back to 
it, but the big problem I see are the unregulated and 
unregistered exchanges. I think we can keep up with more 
resources and more people and more agents knowing what this is.
    I think we can keep up where we have tumblers and mixers or 
virtual currency exchangers in the United States subject to our 
jurisdiction, and we have some choice 1960 prosecutions. I 
think we can keep up.
    Where we have a problem is in getting at that information 
or forcing compliance from these overseas entities. And not 
surprisingly, the bad actors--the terrorists and the massive 
cybercriminals--are not using the registered Coinbases of the 
world that are in San Francisco, that are registered with 
FinCEN.
    So I think that is going to be a problem and we can't keep 
up with those as the matter currently stands.
    Now, one thing I would say is a lot of those businesses or 
ransomware campaigns, et cetera, or even these unregulated 
exchanges, they actually rely on a lot of U.S. companies and a 
lot of presence in the United States. People are always 
surprised by this. They think, ``Why would their servers be in 
the United States? Why would their infrastructure be in the 
United States?''
    We have a reliable source of energy and power. We have 
massive companies, like Amazon Web Services or Google, who 
provide these hosting platforms.
    So these big, unregulated, unregistered exchanges do use 
Google and Gmail; they use Microsoft; they use Amazon. And I 
think we could use some tools in our toolkit--statutory tools--
to more easily chip away at those parts of their businesses 
that touch on the United States.
    Mr. Dueweke. Congressman Tipton, I totally agree. The focus 
should be on the ingress and egress and conversion points. The 
unregistered, as she put it, exchangers around the world are 
the point, but I have a very dim view of us being able to cope 
with them effectively because the barrier to entry for setting 
up an exchange is so low. It doesn't require you to have a 
company. It requires you to have a server and some accounts 
with these different types of payment systems that you want to 
convert from and to. Very low.
    I have done research myself on thousands of these systems, 
rated them for anonymity, et cetera, and they are incredibly 
amorphous. They go up and come down regularly. They will change 
into something else. You won't be able to identify exactly 
where they are or which systems they might be using in the 
background.
    There might be better signals, intelligence-type things, 
that you could use to detect that, but we, I believe, are far, 
far, far behind, as well as law enforcement around the world, 
in coping with this. And these systems do gravitate towards 
areas with a relatively low rule of law, and oftentimes they 
seem to be, according to things I have read and researched, 
many times they are being protected by local political entities 
and law enforcement, and there are many stories that you could 
read about that online.
    I also want to make the point that the position that 
bitcoin is not being used for any terrorist activities might be 
a bit stretched, as well. It is not reported in the United 
States but it is well reported in Europe, including Agence 
France Presse, that four of the automatic weapons that were 
used in the Paris attacks were purchased with bitcoin from an 
online dark market seller in Germany. And that was reported in 
court--open court documents in Stuttgart.
    So I agree it is not a huge problem, but there are examples 
where you have small groups that are using digital currencies, 
including bitcoin, to anonymously buy what they need to carry 
out their heinous attacks.
    Chairman Pearce. The gentleman's time has expired.
    The Chair recognizes the gentleman from Colorado, Mr. 
Perlmutter.
    Mr. Perlmutter. A lot of Coloradans around here.
    I want to follow up on Mr. Tipton's line of questions and 
ask you, Mr. Dueweke, and you, Ms. Haun, and to the rest of the 
panel, okay, when you say an ``unregistered exchange,'' what is 
that?
    And in your testimony, Mr. Dueweke, you talked about a 
number of different things--WebMoney, and Perfect Money, and 
dark money, and Alipay. Do you consider that an exchange or is 
that a medium of transfer, or--help us understand your 
terminology.
    Mr. Dueweke. I teach a 2-day course on this so it is not 
necessarily that easy, but the terminology--and I would be 
happy to provide the committee with a topology, a single-page 
topology that makes sense of these different characteristics.
    When you are talking about the large providers like PayPal, 
WebMoney, Alipay, they do have the ability to act as an 
exchanger as part of their overall digital payment system. And 
certainly with systems like WebMoney, that have been shown by 
other researchers to not be doing strong know-your-customer 
(KYC), they are suspect and are certainly being used for 
criminal activities, and a lot of that is they are not doing 
that good KYC up front.
    However, what Ms. Haun is talking about and I have referred 
to with these other exchangers are entities that set themselves 
up specifically to exchange one virtual currency for another 
virtual currency, or for a fiat currency, or for a mobile money 
system. And all it requires really is a computer, accounts to 
be set up with these different services, and some level of 
liquidity, which oftentimes is one of the limiting factors in 
how effective these exchangers are is how much money they have 
to buy and sell. They might only have $20,000, $30,000 on hand, 
whereas the big ones, of course, like Coinbase, have many 
millions. So--
    Mr. Perlmutter. All right. And they are kind of the fence 
in this thing? Are they fencing the stolen goods?
    Mr. Dueweke. Not so much fencing. It is really--just think 
of a currency exchanger on the street of some country. You 
would go and give money--one type of money and they give you 
another type of money coming back.
    It is that, but in a much larger sense for digital payment 
systems, and the level of anonymity for these unregistered ones 
can be extremely high because typically they are not doing the 
KYC; they are not doing the AML.
    Mr. Perlmutter. They don't care whether it is dirty money 
or not.
    Mr. Dueweke. They don't care--
    Mr. Brito. So to answer your question directly, if I want 
to use bitcoin I need to first acquire some bitcoin.
    Mr. Perlmutter. Right.
    Mr. Brito. Typically the way you do that is you go to an 
exchanger and you give them dollars and they give you bitcoin. 
That exchanger in the United States is a Bank Secrecy Act-
regulated entity and has to register with FinCEN, keep records 
of its customers, and report suspicious activities. So that 
would be a registered exchange.
    And that is who Ms. Haun would go to when she is using Mr. 
Levin's software and finds a bad guy. She can go to an exchange 
and say, ``Who is this person?'' and get the information.
    Overseas we see unregistered exchanges--exchanges who, 
although they are required to, do not comply with the Bank 
Secrecy Act. And so when Ms. Haun requests information from 
them I bet she doesn't hear back from them. That is what an 
unregistered exchange is.
    Ms. Haun. Or--
    Mr. Perlmutter. Go ahead.
    Ms. Haun. Or we hear back from them--in a good case 
scenario I had an MLAT with Japan, for example, where we have 
an attache on the ground, cooperative partners on the other 
side, and that even took at least 6 months in a very high-
profile case to even get that evidence. So that is in a good 
case where we have to go to another country, we can get 
something.
    But I think there is another step beyond that, which is an 
exchange in, say, Russia. Not only could we not go to them, but 
if we go to them we know what we find back is--and we have 
actually found this in returns before and evidence before--is 
the owner of this account is Mickey Mouse who resides at 123 
Main Street. That is actually--
    Mr. Perlmutter. I guess that is what I am worried about, 
that we have some nation states that are actually fostering 
making these exchanges impossible to pierce, to understand, to 
find, whether they are trying to avoid sanctions, whether it is 
North Korea or Russia avoiding sanctions or helping some 
criminal enterprise, or underwriting some terrorist 
organization that is out there doing bad things.
    So I am very concerned about how we stretch this globally 
to get countries that we may be at odds with, like Russia or 
maybe China, to participate. Are we doing that?
    Mr. Dueweke. And that is where this--a public-private 
partnership, having an association where there can be a real 
mercantile reason for them to want to participate, and where 
there is a push from the corporations, the companies themselves 
to want to be part of this. And you have seen this recently in 
Russia with Kiwi and Yandex.Money have started just in the last 
year following AML and KYC while WebMoney hasn't. So part of 
them they want to be integrated in with European payment 
systems; the other one is kind of remaining off on its own.
    But that type of public-private partnership where you can 
get them to work together with other countries and other 
companies I think is key because you are not going to be able 
to do this by dictate from the United States, I don't think.
    Mr. Perlmutter. All right, thank--
    Mr. Wilson. Sir, so this is--
    Mr. Perlmutter. --you for your--
    Mr. Wilson. --normal criminal activity. Criminals are going 
to go where the path of least resistance is. So if I can go 
exchange my bitcoin to an exchanger that is not compliant with 
U.S. laws, that is what I am going to do. That issue there is 
that they are trying to circumvent our AML procedures and they 
are using--I mean, all criminals do that all the time.
    So that is something else that we need to look out for. It 
is further down the line. It is happening, but the bigger issue 
is trying to get these guys trained up to notify, to notice 
this kind of criminal behavior happening.
    Mr. Perlmutter. Okay. Thank you.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizes the gentleman from Texas, Mr. 
Williams.
    Mr. Williams. Thank you, Chairman Pearce.
    And to all the witnesses today, this has been great.
    I want to spend my time this morning focused on money 
laundering, specifically trade-based money laundering, which, 
as you know, is just one method used to launder illicit 
proceeds, and how that relates to virtual currency. According 
to the FATF report of virtual currencies, two major themes have 
developed: one, virtual currencies are the wave of the future 
for payment systems; and two, virtual currencies provide a 
powerful new tool for criminals, terrorist financers, and other 
sanction evaders to move and store illicit funds out of reach 
of the law enforcement or other authorities.
    So let me start with you, Mr. Dueweke. In your testimony 
you spoke about the capability to move unlimited amounts of 
funds completely outside the Western financial system. You also 
mentioned transfers to and from terrorist organizations, 
especially as part of a trade-based money laundering scheme to 
cause the investigators to lose their money trail.
    As we have heard many times during our previous hearing, 
these schemes can be highly complicated, so virtual currencies 
just add another layer. So my question is, can you expand on 
the steps we need to take to help all of the stakeholders 
involved, whether that be local law enforcement or financial 
regulators or private companies--I am a private sector guy--and 
to understand the scope and scale of these schemes?
    Mr. Dueweke. I think the key is education. I have 
participated in some investigations where people have had 
information on different bad actors and had it sitting there 
for a year because they didn't know what WebMoney was. They 
didn't know what these systems were or how they could interact 
with other components of the trade-based money laundering 
schema.
    And all it really takes is one leg of maybe--a lot of these 
trade-based money laundering schemes can include four or five 
different hops, cars for drugs for whatever, and all you need 
is one component to jump in and out of one of these virtual 
currencies, whether they be centralized or decentralized--
probably more likely to be decentralized than centralized like 
bitcoin, or decentralized--I am sorry, more likely to be 
centralized than decentralized because when you are using a 
system like bitcoin, a large transaction is going to stand out 
and it will be tracked by Elliptic or Chainalysis.
    But if you are bringing it in and out of a centralized 
system and perhaps you are working with the Russian mob or 
something like that, it is not going to show up and be detected 
by anybody and it is going to allow you to basically lose the 
trail of investigators that are following it through 
traditional mechanisms.
    So I think the first step has to be education. You have to 
have people start to understand what is possible because when 
we did that in past training there were huge breakthroughs that 
resulted almost immediately because they found that, ``Oh, wow, 
these bad guys were using these systems as part of this and we 
just had no idea what we were looking at.''
    Mr. Williams. Okay.
    Let me switch topics really quickly, Ms. Haun. Section 13 
of the Combating Money Laundering, Terrorist Financing, and 
Counterfeiting Act of 2017, a bill introduced by Senators Chuck 
Grassley and Dianne Feinstein, directs the Department of 
Homeland Security and Customs Border Protection to provide a 
report detailing the strategy to detect prepaid access devices 
and digital currency at border crossings and ports of entry.
    So my question would be, what are your thoughts on this 
bill and what are the pros and cons of including prepaid cards 
regulation--in that regulation?
    Ms. Haun. I think that prepaid cards--we have seen that 
prepaid cards are used by nefarious actors quite a bit, and so 
I think that it is sensible to include prepaid cards, if that 
is your question, in that bill. And I have only just seen 
reporting of it; I haven't yet had an opportunity to read the 
bill itself.
    But I think this is what I was saying about giving--there 
is already some regulatory guidance, but giving statutory--
making the statutes explicit give prosecutors a lot more of a 
path, a clear path to bringing cases. And we saw this with 1960 
where there was a case in Florida where a judge said, ``Well, I 
don't think 1960 includes virtual currency.'' So I think this 
would be getting at remedying something like that.
    Mr. Williams. Okay.
    I have a little bit if time left, so let me come back to 
you, Mr. Dueweke. Can you go into more depth about the Identity 
and Payments Association you launched and what role they can 
play?
    Mr. Dueweke. I had been part of a lot of conferences around 
the world where I had heard story after story about the de-
risking of virtual currency providers, exchangers, remittance 
companies, mobile payment companies that were basically losing 
their bank accounts because banks didn't understand it, et 
cetera.
    And I saw that really what was needed was some sort of 
public-private partnership to take all the regulators, the law 
enforcement around the world that I had been working with in 
training, bring them together with industry members to find a 
common path forward where we could agree on best practices, 
where we could agree on basically a coda like Visa and 
Mastercard have--in fact, I have one of their former V.P.s 
working with me on this--where you basically could set up a 
rule-set where if you follow all of this, you identify a person 
given these steps, you are not going to be liable to 
prosecution, or you will be considered in somewhat of a 
regulatory compliance.
    And that would require this public-private partnership, so 
that is at the heart of what the Identity and Payments 
Association (IDPAY) is intended to provide, because there is 
nothing like that globally. It is all done by individual 
countries, and not very many of them are tackling this topic.
    So because of the global nature of the ecosystem, it needs 
to be tackled globally and it will require some sort of NGO to 
do that.
    Mr. Williams. Okay. Thank you all for being here.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizes Mr. Rothfus for 5 minutes.
    Mr. Rothfus. Thank you, Mr. Chairman.
    Mr. Levin, as we look at other governments hostile to the 
United States developing anonymous weaponized cryptocurrencies 
for use against us by criminal or terror organizations, do you 
have any thoughts on how the U.S. or the international 
community could counter those efforts?
    Mr. Levin. Yes. Thank you very much for the question.
    When I think about what this testimony is about, it is 
about virtual currencies that are truly global and 
decentralized. If the adversary is choosing to account for 
trades within its own organization on some sort of ledger, that 
doesn't really pertain to what Congress or anyone else can do 
about those types of payments.
    What we are talking about is a financial system in which 
everyone in the world can access virtual currencies, as I 
understand it, as bitcoin. And for that the U.S. Government can 
have eyes on those types of transactions and would need to be 
able to have tools in order to understand the purposes and the 
actors that are behind those transactions.
    So I am less worried, actually, about states producing 
their own virtual currencies no matter what technology they use 
because the risk to our society is mostly around being able to 
fund and send value to anyone in the world to carry out acts 
like we have seen in the past.
    Mr. Rothfus. So you are not concerned about any kind of 
internal--
    Mr. Levin. Yes, because those types of systems already 
exist, and while we cannot have eyes on them we have no way to 
put any pressure on those types of systems.
    Mr. Rothfus. If I could ask Ms. Haun, the idea that virtual 
currencies out there, bitcoin, that is going to be an asset 
that perhaps a bad actor is going to have. What would be the 
possibility of using our asset forfeitures procedures to go 
after that virtual currency? Can we do that? How would we do 
that?
    Ms. Haun. Yes. In fact, we have done that and we have used 
exactly that authority.
    So in a case I had we did, we seized those assets under the 
asset forfeiture laws upon a proper, of course, judicial order. 
And right now there are a lot of questions about, how do we 
auction those off? What does the government--now that we own 
these because they have been forfeited, what do we do? What 
does the government do? We are the holders of bitcoin now.
    And there is a series of disparate things that have 
happened. The Marshals Service has auctioned them off, so yes, 
we can do that, and we should do that.
    In fact, in a case against an exchange in the United States 
that my office did involving Ripple Labs in 2013, we brought 
the first-ever enforcement action against a virtual currency 
company. We teamed up with FinCEN to do so, and they had to pay 
and forfeit a $700,000 penalty. They also had to take a number 
of remedial steps so now when they collect customer data, they 
must follow all AML laws, know-your-customers, and they collect 
customer identity.
    But I think that the asset forfeiture laws are an important 
tool as part of this. That is particularly true if we are ever 
to get to some of the overseas exchanges because, of course, 
they have correspondent banking accounts with banks, including 
in the United States. And I would think that would be an 
appropriate case to use those laws.
    Mr. Rothfus. Mr. Brito, do you foresee any widespread 
acceptance of virtual currencies by small to medium-sized 
businesses in the future whereby domestic criminals could 
launder illicit profits into bitcoin or virtual currencies?
    Mr. Brito. It is certainly possible. I think, however, that 
cryptocurrencies like bitcoin really can't compete in the 
developed world with our existing financial system. We have 
credit cards; we have cash; we have access to just our phones 
can pay for things, and you do it really frictionlessly and 
very well.
    Where digital currencies I think are going to really thrive 
is going to be in the developing world where they don't have 
access to those financial systems and there really isn't an 
incentive for networks to go in and develop those networks. So 
I think that is where we will see retail payments take up for 
cryptocurrency.
    In the developed world, where I think cryptocurrency has a 
truly bright future are for really novel uses that our existing 
financial system really can't accommodate--things like micro 
transactions, transactions that maybe are trade settlements of 
sort of other assets.
    Mr. Rothfus. I yield back.
    Chairman Pearce. The Chair now recognizes the gentleman 
from Ohio, Mr. Davidson, for 5 minutes.
    Mr. Davidson. Thank you, Mr. Chairman.
    And thank you, to our guests. I really appreciate the 
information you are giving us and the tools you are helping us 
be equipped with to keep our laws current.
    I am particularly struck by the analogies to the Internet, 
but also it seems to me that some of this stuff with blockchain 
is a little bit like the cell phone. Did criminals gain an 
advantage when they could communicate by cell phone? Well, of 
course they did, but so did the rest of the planet.
    And I think they are going to be just about as hard to 
contain, so those of you who have mentioned that, I think 
people are going to be able to do blockchain transactions of 
all sorts, including in currencies.
    Mr. Wilson, I was particularly struck by your opening 
remarks where you talked about how we can detect the activity. 
And it seems that if we have this ability, which we 
theoretically should, that we would be able to find the missing 
Mt. Gox coins. Why can't we?
    Mr. Wilson. We actually did find those. Chainalysis was the 
official investigators in the Mt. Gox bankruptcy case and the 
destination of those coins is definitely known.
    Mr. Davidson. Okay. Terrific. So what happens to lost coins 
in general? If they are stolen and you find them, what happens 
when people lose them?
    If you lose your credit card, you can cancel it. If you 
lose your key to a car, you can get it re-keyed. What happens 
when you lose cryptocurrency?
    Mr. Brito. It is the same thing that happens when you drop 
a dollar bill into a fire. If you lose a dollar and it is at 
the bottom of the ocean or something bad happened to it, the 
Federal Reserve does not replace it for you. It's the same 
thing with bitcoin. It is gone.
    Mr. Davidson. That's a bad password to lose.
    Mr. Brito. Yes. Correct.
    Mr. Davidson. Okay.
    I guess without compromising trade secrets, how are we 
doing--and I understand that, Mr. Levin and Mr. Wilson, your 
organizations are working to track mixers and other tumblers, 
things like this that are making it hard to find currency. Is 
that accurate?
    Mr. Wilson. Yes, it is. We are tracing those, as well.
    Mr. Davidson. Okay. So these are the most complex things. 
How is this different--so regular currency, foreign exchange is 
regulated in the United States by the Commodity Futures Trading 
Commission. They, rightly or wrongly--in my opinion, wrongly--
restricted the number of people who can trade currencies by 
raising the capital requirements. I think it puts the U.S. at a 
disadvantage in one of the world's most important markets, and 
I am concerned that our regulatory framework with 
cryptocurrency is going to further hinder our ability to do it.
    Can't currency be regulated by one organization, whether it 
is physical or virtual?
    Mr. Levin. I think the answer to that could be yes, and it 
would definitely allow businesses to be more compliant and put 
their efforts into one domain. I think that also if that 
regulator adopts technology that is in line with digital 
currencies like bitcoin, and has tools and automation that will 
definitely allow the United States to have a business 
environment that thrives whilst thwarting bad actors.
    Mr. Brito. Digital currencies are one of the most regulated 
sectors within fintech.
    Mr. Davidson. Yes.
    Mr. Brito. And the reason for that is that they are subject 
to many different regulators and jurisdictions, and so at the 
Federal level you have the IRS, you have the CFPB, you have 
FinCEN, and there have been FTC enforcements. There are many.
    But really the largest sort of barrier is State-by-State 
regulation, because if you are a digital currency exchanger or 
some other kind of custodian for digital currencies, the 
consumer protection regulation today is done at the State 
level. So if you are an exchanger you need to get a license 
from every State in which you do business.
    Mr. Davidson. Right. Yes, so you made that point and it is 
a good one, but why is digital currency so much different than 
foreign exchange? Why would it be--what is necessary to be 
treated differently about this other than you have to have 
different technology?
    Mr. Brito. Because digital currency exchanges are 
considered money transmitters, and money transmitters are 
regulated at the State level.
    Mr. Davidson. So are foreign currency exchangers.
    Mr. Brito. So it is kind of the same thing. You have the--
    Mr. Davidson. Aren't they essentially involved in the same 
business? If I want to convert U.S. dollars to pounds sterling 
or euros or RMB, whatever, you can do that through--
    Mr. Brito. It is similar. The one really different piece is 
that foreign currency is defined in law, whereas digital 
currency is defined as basically the other category. But that 
is as far as money laundering is concerned.
    Mr. Levin. I think also it is different in the sense that 
you can operate very--and this is probably too technical for 
this setting, but there are many different types of business 
models that can exist built on blockchain technology, which may 
not have perfect analogies in the existing financial system 
which require people to actually understand the technology in 
order to regulate it properly.
    Mr. Davidson. All right.
    I look forward to working with you all. My time has 
expired.
    Mr. Chairman, I yield back.
    Chairman Pearce. I thank the gentleman. His time has 
expired.
    The Chair now recognizes Mr. Hill for 5 minutes.
    Mr. Hill. I thank the chairman very much.
    And I appreciate the panel's time. This has been a really 
interesting discussion about a topic that probably needs more 
exposure in Congress across a number of committees.
    Ms. Haun, I was particularly interested in your testimony 
because we have had a lot of talk about the currencies and we 
have had a lot of talk about blockchain, but I am really 
interested in the ways that we have our laws and our 
regulations, our oversight structured in such a way that we do 
a better job in our government of either assessing their need 
for oversight, regulation at the Federal level, or the 
interdiction, capture, and discovery of them.
    So you referenced extensively in your testimony about our 
MLATs around the world between the United States and our allies 
and other countries, and you referenced some, the need to 
modify our MLATs for this particular purpose. Could you go a 
little bit more specific and tell the committee just what 
particularly we ought to amend in our basic MLAT treaty with 
other countries to capture this discovery and prosecution area? 
Thanks.
    Ms. Haun. And I should note that this isn't just a 
problem--I also did a number of cybercrime cases not involving 
cryptocurrency. This MLAT problem is not unique--
    Mr. Hill. Yes, and you can be broad in--
    Ms. Haun. Right. And so it really is a problem. I think if 
you talk to prosecutors across the country who are dealing with 
cybercrime and cryptocurrency cases they will tell you one of 
the biggest problems is the problems of getting MLATs through.
    And it is always--we are in a good position where we have 
an MLAT, because at least then we have a country we can work 
with.
    But the problems are essentially these: the speed--the MLAT 
process was developed decades ago, in the days where you didn't 
even have e-mail. These were done maybe by couriered mail, and 
the problem is that the systems have largely stayed the same.
    And I will just give you an example. I had an MLAT going 
and it was to a receptive country. The actual company in that 
country wanted to give us the data. They would have e-mailed it 
to us right away and it would have let us get the bad guy 
instead of letting that bad guy keep doing bad acts.
    But instead we have to go through the MLAT process, and 
even to get it out of our own country to theirs took 5 months.
    Mr. Hill. So have you seen an effort by the Department of 
State and the Department of Justice to form a task force 
between the two and streamline and make recommendations? And is 
there anything Congress can do particularly on that?
    Ms. Haun. I don't know that it is a State Department issue. 
I think the Office of International Affairs in the Justice 
Department is the entity that handles the MLATs.
    And one of the things is you go from, like, say--I used to 
be in headquarters, though I have been out in San Francisco for 
the last 8 years. I am out in the field; I draft up the MLAT; I 
have to send it back to the OIA attorney. They have five levels 
of review.
    I think it is off with the country, but no, lo and behold, 
it comes back to me so we can fill out a budget form so that we 
can get it translated. In other words, it hasn't even gone to 
our foreign counterparts who are sitting there waiting to turn 
over the evidence to us.
    The budget form is completed and then we have--
    Mr. Hill. The ship is in the dock waiting to transport.
    Ms. Haun. Right. Then we have to go to a certain kind of--
not just any translator. Only certain ones are approved.
    They have a backlog because they have all the government 
contracts, so they are not going to be able to translate ours 
quickly.
    Okay, so you already see the point. The problem is even 
leaving--even a fully baked MLAT to get overseas, it doesn't 
happen for months. And that is in a good case. That is in a 
high-priority case where the department is willing to pay to 
expedite and the rest.
    And the problem with that system, Congressman, is that what 
ends up happening is we even now need to send MLATs to get 
evidence preserved. If a company overseas has a 3-month--as 
some of these telecom companies do--preservation period, if we 
don't get an MLAT request over for 6 months, our evidence is 
just gone.
    So I think part of the problem is internal and the 
processes by which it goes, and I don't want to upset any of my 
colleagues in the Justice Department by suggesting that 
Congress needs to form a task force, but it is something that 
really needs to be looked at, the process in the age of 
cybercrime and in the age where--we are moving to a world where 
more and more evidence in every case is electronic, right, no 
matter the type of case.
    I don't know if that illustrates--
    Mr. Hill. I appreciate your passion on the answer. This has 
come up in previous testimonies in the last Congress, not quite 
with the passion and the direct answer that you have given 
today, and I appreciate your service in criminal prosecutions, 
your service to the people of the United States
    And, Mr. Chairman, thank you for the opportunity to 
question.
    Ms. Haun. Thank you.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizes Mr. Budd for 5 minutes.
    Mr. Budd. Thank you, Mr. Chairman.
    And I thank the panel, as well, for your time.
    I think it was Mr. Brito--you mentioned earlier that you 
would lose--as you lost a dollar bill in a fire, you could lose 
virtual currency. Isn't there some sort of a virtual wallet 
that is recommended or a best practice? And if so, could you--
if that does exist can you explain what that is and how it 
works?
    Mr. Brito. Yes. Sure.
    So there are essentially two ways in which you can hold 
digital currency--kind of the same as cash. You can hold it on 
your person the way you might hold a $100 bill with you, or you 
can deposit it with a custodial institution. So if you deposit 
it with them and they are regulated and you trust them and they 
have good security measures, that is pretty safe.
    If you decide to hold the digital currency yourself it has 
one advantage that a dollar doesn't, which is you can make a 
backup copy. Of course, you have to keep that backup copy safe.
    But that is essentially it. You want to use some good, 
reputable wallet software, something that is open-sourced and 
that has been audited by the community; and you want to make 
sure that you have good backups in safe keeping, in safe places 
and that you never forget your password.
    Mr. Budd. Okay. Very good.
    There was a great interview recently--I think it is a good 
101 for a lot of us in here who are new to this--on The Tim 
Ferriss Show with Nick Szabo. I don't know if he is a 
recognized name in your industry, but it was a great primer 
earlier this week for me.
    I went to Seoul, Korea, last week and to the DMZ, and as we 
looked over into North Korea you could see that there is not 
much of an economy there, and yet it is a country that we have 
seen is very strong in cyber offense, and that is--they have 
doubled down on that, as we know, moving towards a nuclear 
state, as well.
    But with their cyber, what do we see--and this is--I will 
open this up to the whole panel--what do we see a country like 
North Korea doing with illicit uses of virtual currencies?
    Mr. Brito. I have seen media reports that some of the 
ransomware that we have seen attack different private companies 
and public sector organizations could be traced back to North 
Korea.
    Mr. Budd. Right.
    Mr. Brito. And you can imagine that North Korea, if this is 
true, would see ransomware as a revenue-generating activity. Of 
course, if they acquire bitcoin or some other digital currency 
they need to offload that and so they would need to go through 
an exchange. I bet they would go through an unregulated, 
unregistered exchange.
    Mr. Levin. So I have seen the same sort of reports, 
although, as Ms. Haun will know, the attribution in cybercrime 
cases is very, very difficult to attain the identity of people 
who do them. What I have seen is--and I mentioned it in my 
written testimony--ransomware campaigns run in domains that I 
would consider hotbeds potentially for a terrorist activity, 
and it is about making a profit out of this type of activity in 
order to fund operations, so I think that risk does exist.
    We actually have seen that there are very limited exchanges 
in a lot of these places, so we monitor for, is there liquidity 
in those local markets to cash out for virtual currency 
activity? For example, there is no domestic North Korean 
exchange that you can cash virtual currencies into local 
currency; however, there are virtual currency exchanges in 
other parts of the Middle East, although liquidity is fairly 
limited. I know of two exchanges where the joint liquidity in 
their existence has been $2 million.
    Mr. Budd. Wouldn't you say, Mr. Levin, that it would be 
better for a country like North Korea to stay in virtual 
currency rather than egress or come out of it?
    Mr. Levin. I would say the most likely thing that would 
happen is that they would use the virtual currency in order to 
pay for potentially incident infrastructure that actually 
exists, maybe even in the United States or off shore.
    Mr. Budd. And for the panel--I'm sorry, Ms. Haun, did you 
have a comment?
    Ms. Haun. Oh, no. Thank you.
    Mr. Budd. For the whole panel, as well--sorry, I had 
another question there--do you have any idea as to the total 
volume that you would see North Korea doing through virtual 
currencies?
    Mr. Levin. Geographic identification of virtual currency 
transactions is somewhat difficult, especially where there is 
no exchanger present in that local market. So companies like 
mine can identify the services that are providing virtual 
currency services like exchange, like merchant processing, but 
if there are no sort of North Korean exchanges it is very 
difficult for us to be able to assess how much volume is in 
North Korea.
    Mr. Budd. Thank you.
    I yield back.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizes Mr. Lynch for 5 minutes.
    Mr. Lynch. Thank you.
    I know the last time we spoke, we discussed the committee 
members perhaps taking advantage of the webinars or any other 
training opportunities to educate the Members, so committee 
staff will be reaching out to each of you on that.
    Let me give you an extreme example: Somalia: We are having 
problems--a highly insecure environment, very low capacity 
among the government there, a fair amount of corruption. All of 
the banks have basically pulled out of that area. They won't 
even set up ATMs anymore. Al-Shabaab is very active.
    The secure district is actually limited to a small sub-
district in Mogadishu around the airport, and when we fly in it 
is tough to get out of the airport until really recently. And 
again, they get this aversion by regular banks, so remittances 
can't get in there. So we have a real problem.
    How could this system, cryptocurrencies--I know we are sort 
of war-gaming this on the fly, but how could this help in an 
area like that where we have had such--so there is so much 
reputational risk on the part of the banks that they won't go 
in there because of our--ironically, because of our 
antiterrorist financing laws--Bank Secrecy Act and all those. 
So the banks won't go near it because they will say, ``We don't 
want to be prosecuted in case Al-Shabaab gets the resources.''
    Is there an opportunity here that, on payment systems, is 
there some way we might help the people who just want to send 
money back to their families?
    Mr. Dueweke. Absolutely. Yes, and I think that is one of 
the keys cases that drove me to create the Identity and 
Payments Association, where you have a community that is cut 
off from the banking world that is relying on remittance 
systems like Impesa or WorldRemit or a few others, that have 
been impacted by AML and CFT efforts that have cut them off in 
some instances from Somali populations in Minneapolis or 
wherever.
    And while they are relying on those systems now, they are 
prone to disruption, and certainly having an enhanced, in this 
case, cryptocurrency or decentralized virtual currency 
connection point with those systems, if done in concert with 
somebody like WorldRemit who is a very responsible player and 
tries very hard to identify the users of its system, then you 
would have an even more reliable, more transparent component 
where you would have bitcoin or a blockchain-based system be 
able to interface with those last-mile mobile payment 
remittance providers.
    So yes, I think it would be able to extend the secure 
paradigm further out into the Somali populations to allow them 
to get money to those people who need it the most, and do it in 
a responsible, transparent way. But you are going to have to 
have some sort of relationship with a lot of different players 
because there a lot of Somali populations around the world.
    Mr. Brito. And if I can address that, so the--
    Mr. Lynch. Sure.
    Mr. Brito. If I could just say that--
    Mr. Lynch. Please, yes.
    Mr. Brito. --the Charity and Security Network is a 
nonprofit that represents other nonprofits--
    Mr. Lynch. What is the name of it again?
    Mr. Brito. Charity and Security Network.
    Mr. Lynch. Okay.
    Mr. Brito. And they published a report recently that looked 
at exactly the problem you are describing, and it is not just 
conflict areas like Somalia or Syria where they are having 
trouble getting payments in. It is Latin America; it is Europe, 
even.
    And we are actually going to be--the Coin Center will be 
working with the Charity and Security Network to develop a 
pilot program to potentially send grant money from the United 
States to Mexico, to nonprofits in Mexico who are running grant 
programs using bitcoin.
    Mr. Lynch. Wow. That is great.
    Mr. Levin. I could also add--
    Mr. Lynch. Mr. Levin?
    Mr. Levin. --I think the interesting thing about having a 
cryptocurrency on the underlayer of this is that the 
traditional financial system relies, when money goes from a 
bank to a money transmitter and then gets sent to Somalia, the 
bank gets very nervous because it has no ability to have any 
insight into the underlying transaction to the customer's--
their customer's customer.
    What bitcoin allows--and I have actually implemented this 
with Barclay's and Circle Financial, which are two sort of 
well-known fintech companies--is that the bank is actually able 
in real time to know what is the underlying activity of its 
customer, not on an individual who is the identity of the 
person, but potentially what is the exposure to underground 
market activity, or ransomware, or the terrorist financing 
activity that we are interested in.
    So I would like to point to that case, and I'm happy to go 
further in more detail.
    Mr. Lynch. That is great. Thank you.
    My time has expired.
    Chairman Pearce. The gentleman's time has expired, and the 
Chair now recognizes Mr. Pittenger for 5 minutes.
    Mr. Pittenger. Thank you, Mr. Chairman.
    Again, I thank each of you for being here to give us your 
sound advice.
    We are dealing with very sophisticated people, as we have 
found in the past. And this is not a backyard gang of hoodlums. 
They look for every possible avenue to complete their efforts.
    I would like to say that as we consider the 
cryptocurrencies, while they are not well-known to the public 
at large and they are growing, certainly to these folks it is 
on--they are on the radar screen and we, as I said earlier, 
should anticipate that they will be more engaged, more likely 
in--outside of the United States, as you said, where there is--
we don't have the capacity for oversight that we have here.
    I would welcome your involvement, particularly with the 
media. I think you play a role there and I think you could help 
define what you are doing in terms of defensive postures, and 
offensively, and to mitigate this concern.
    I think we need, each of us, to speak to this more to let 
the public and, as well, that the Congress be more adept in 
these concerns. So on your radar screen I hope that you will 
consider a more aggressive outreach to try to work with the 
media and to help tell your story.
    Thank you very much. I yield back.
    Chairman Pearce. The gentleman yields back.
    The Chair yields himself another 5 minutes.
    Mr. Wilson and Mr. Levin, as we discussed the WorldRemit 
and the retroactive nature of it, in the current system can we 
assure the same way that Western Union might be able to assure 
that crypto going into Syria or Somalia could be traced and may 
be stopped before the incident is--discuss that just a bit if 
you can.
    Mr. Levin. Mr. Chairman, so when you send virtual currency 
transactions outwards you may not know the geographic 
distribution of that--where the person you are about to send it 
to, because if you consider bitcoin it is--transfers within 
bitcoin are not sent to routing numbers or account numbers that 
have any real-world identification system. Instead, what you 
need to do is then look after the fact in order to understand 
what is the activity potentially for that transaction.
    If we go back to the analogy of the masks, if you are 
sending it to someone that you have seen before then you might 
know that this is, yes, this bitcoin address does belong to a 
virtual currency exchange in Iran, for example, and you would 
be able to block that at the time of transaction if you are 
sort of an exchange here in the United States. However, if 
someone is using a new virtual currency address, which are 
quite easy to create, there is no way to know that at the time, 
and instead these companies are forced to retrospectively look 
at all of their transactions in order to identify what was the 
activity maybe after the fact.
    Chairman Pearce. Mr. Wilson?
    Mr. Wilson. Exactly what Jonathan said. What we do is after 
the fact look at the transaction and we can tell, again, if 
this is something that is masked. And we have already tagged it 
to be a nefarious exchanger or a nefarious entity we can then 
alert the institution that is making this transaction and say, 
``Hey, this is a possible place that you don't want to send 
money.'' So that is kind of how it works right now.
    Chairman Pearce. Ms. Haun, I would appreciate your 
observation on the same question if you can, because really 
looking at Western Union and their--I guess that they know both 
parties, that we have some understanding of who is on the other 
end, and they have been--will maybe even blacklist entire 
regions because of the risk, but it is not anonymous sites 
either.
    Do you have an observation?
    Ms. Haun. I am not sure. I also know that Western Union has 
actually been paying some hefty fines and I think was just the 
subject of a FinCEN enforcement action about a year ago--
    Mr. Dueweke. $800,000.
    Ms. Haun. $800,000, yes.
    Mr. Dueweke. Or $800 million, I am sorry.
    Ms. Haun. $800 million. That sounds--for not always 
following the things that they are supposed to do under the 
law.
    But I think I agree entirely with what Mr. Wilson and Mr. 
Levin said. I don't have much to add beyond that other than to 
say it is much more difficult where you don't know where this 
is going to unless you have a way of--if they haven't used a 
mixer or a tumbler and they are using the same virtual currency 
address, but they rarely do. The sophisticated people who are 
moving money use sophisticated mechanisms and they create new 
addresses.
    Chairman Pearce. Okay.
    I would like to thank each one of you today for your 
testimony.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    I ask our witnesses to respond as promptly as you are able.
    I would mention that I think everyone on the subcommittee 
really appreciates the directness and the depth of your 
analysis and the substance of your answers. I think that all of 
you provided very valuable insights into a field that we must 
be learning a lot more about.
    With that, the hearing is adjourned.
    [Whereupon, at 11:54 a.m., the hearing was adjourned.]

                            A P P E N D I X



                              June 8, 2017
                              
                              
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]