[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
VIRTUAL CURRENCY: FINANCIAL INNOVATION
AND NATIONAL SECURITY IMPLICATIONS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON TERRORISM
AND ILLICIT FINANCE
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
JUNE 8, 2017
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-22
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
U.S. GOVERNMENT PUBLISHING OFFICE
28-177 PDF WASHINGTON : 2018
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, MAXINE WATERS, California, Ranking
Vice Chairman Member
PETER T. KING, New York CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma BRAD SHERMAN, California
STEVAN PEARCE, New Mexico GREGORY W. MEEKS, New York
BILL POSEY, Florida MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin DAVID SCOTT, Georgia
STEVE STIVERS, Ohio AL GREEN, Texas
RANDY HULTGREN, Illinois EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina KEITH ELLISON, Minnesota
ANN WAGNER, Missouri ED PERLMUTTER, Colorado
ANDY BARR, Kentucky JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania BILL FOSTER, Illinois
LUKE MESSER, Indiana DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine JOYCE BEATTY, Ohio
MIA LOVE, Utah DENNY HECK, Washington
FRENCH HILL, Arkansas JUAN VARGAS, California
TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana
Kirsten Sutton Mork, Staff Director
Subcommittee on Terrorism and Illicit Finance
STEVAN PEARCE, New Mexico Chairman
ROBERT PITTENGER, North Carolina, ED PERLMUTTER, Colorado, Ranking
Vice Chairman Member
KEITH J. ROTHFUS, Pennsylvania CAROLYN B. MALONEY, New York
LUKE MESSER, Indiana JAMES A. HIMES, Connecticut
SCOTT TIPTON, Colorado BILL FOSTER, Illinois
ROGER WILLIAMS, Texas DANIEL T. KILDEE, Michigan
BRUCE POLIQUIN, Maine JOHN K. DELANEY, Maryland
MIA LOVE, Utah KYRSTEN SINEMA, Arizona
FRENCH HILL, Arkansas JUAN VARGAS, California
TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York RUBEN KIHUEN, Nevada
WARREN DAVIDSON, Ohio STEPHEN F. LYNCH, Massachusetts
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
C O N T E N T S
----------
Page
Hearing held on:
June 8, 2017................................................. 1
Appendix:
June 8, 2017................................................. 37
WITNESSES
Thursday, June 8, 2017
Brito, Jerry, Executive Director, Coin Center.................... 5
Dueweke, Scott, President, the Identity and Payments Association. 7
Haun, Kathryn, Lecturer, Stanford Law School, and former
Assistant U.S. Attorney, U.S. Department of Justice............ 8
Levin, Jonathan, Co-Founder, Chainalysis......................... 11
Wilson, Luke, Vice President, Business Development-
Investigations, Elliptic....................................... 13
APPENDIX
Prepared statements:
Brito, Jerry................................................. 38
Dueweke, Scott............................................... 42
Haun, Kathryn................................................ 50
Levin, Jonathan.............................................. 63
Wilson, Luke................................................. 70
Additional Material Submitted for the Record
Lynch, Hon. Stephen:
CNAS report entitled, ``Terrorist Use of Virtual
Currencies,'' dated May 2017............................... 71
VIRTUAL CURRENCY: FINANCIAL
INNOVATION AND NATIONAL
SECURITY IMPLICATIONS
----------
Thursday, June 8, 2017
U.S. House of Representatives,
Subcommittee on Terrorism
and Illicit Finance,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:03 a.m., in
room 2128, Rayburn House Office Building, Hon. Stevan Pearce
[chairman of the subcommittee] presiding.
Members present: Representatives Pearce, Pittenger,
Rothfus, Messer, Tipton, Williams, Poliquin, Hill, Zeldin,
Davidson, Budd, Kustoff; Perlmutter, Himes, Foster, Kildee,
Sinema, Vargas, Gottheimer, Kihuen, and Lynch.
Ex officio present: Representative Hensarling.
Chairman Pearce. The Subcommittee on Terrorism and Illicit
Finance will come to order.
Without objection, the Chair is authorized to declare a
recess of the subcommittee at any time.
Also, without objection, members of the full Financial
Services Committee who are not members of the Subcommittee on
Terrorism and Illicit Finance may participate in today's
hearing.
Today's hearing is entitled, ``Virtual Currency: Financial
Innovation and National Security Implications.''
I now recognize myself for 2 minutes to give an opening
statement.
Innovation revolutionizes and simplifies our lives on a
daily basis. In the past 30 years alone we have seen the
emergence of the Internet as an open-source accessible
information tool, the popularization of cell phones, the
development and wide use of smartphones, faster and faster
Internet and wireless access, and the list goes on and on.
For many of us in this room, the millennials excluded--and,
frankly, based on the number of them in the lines at the Apple
Store, I think they are even surprised at the existence and the
evolution of this thing which never would have seemed possible
in our wildest dreams.
The implications, of course, of this greater development
and exploration into the digital age is the inability of
government and regulatory bodies to keep up with the pace of
development. Technology in the financial space is no exception,
and that is what brings us here today.
From small business lending to virtual wallets, the
creation of virtual currencies, the fintech space, as it is
known, is rapidly evolving.
The benefits are clear. Families in underserved areas are
finding more choice and options than ever before. People can
pay for the goods in the store without the need for cards or
cash. The possibilities of benefits are truly endless.
The subcommittee kicked off the work in this space last
week with a briefing on blockchain, one of the major
innovations driving this development. Today we will continue
the conversation by examining how virtual currencies
specifically pose a risk to our national security.
This will include questions such as: Does the creation of a
currency that is completely decentralized from a governmental
structure, administered through the use of peer-to-peer
sharing, present a new threat to the safety and soundness of
our banks and to our national security? What, if any,
regulatory structure exists around these emergency forms of
currency and technology? Does the notion of online peer-to-peer
sharing provide an increased veil of secrecy that could be
exploited by terrorists and illicit actors?
I thank our witnesses for being here today and I look
forward to the conversation to come.
The Chair now recognizes the ranking member of the
subcommittee, the gentleman from Colorado, Mr. Perlmutter, for
2 minutes for an opening statement.
Mr. Perlmutter. Thanks, Mr. Chairman.
And thanks, to our witnesses, for being here today.
Obviously, there is considerable interest in virtual
currencies and cryptotechnologies, not only among speculators
and traders but because of the promising benefits the
underlying blockchain ledger technology has to offer. However,
our subcommittee should remain focused on the national security
implications, especially since cyber criminals and nation
states are exploiting cryptocurrencies for illicit purposes.
Mr. Dueweke notes in his testimony: ``Cyber criminals in
Eastern Europe, North Korea, China, and Russia certainly are
taking advantage of evolving technologies to underwrite
terrorism and exchange ill-gotten gains. In fact, Russia has
created its own cryptocurrency to support its hackers program
so that they can cause mayhem around the globe.''
The reality is criminals today use cash, money service
businesses, and other means for illicit purposes, but we
provided law enforcement the regulatory tools to catch the bad
guys. The question is, does law enforcement have the tools to
catch the criminals using these new technologies and
currencies?
If the United States is to succeed in staying one step
ahead of the bad guys then we must work with our national
partners and international partners to adopt global
methodologies and systems to ensure these new innovations are
being used for legitimate purposes. The United States and
Europe remain and maintain a fairly sophisticated Bank Secrecy
Act and the money-laundering regulatory regime, but the
question is, will China and Russia follow our lead?
The rise of new cryptocurrencies threatens to disrupt the
way banking is philosophically conducted, potentially
undermining the United States' dominance over money flows.
With that, I thank you, Mr. Chairman, and I yield back.
Chairman Pearce. The gentleman yields back.
The Chair now recognizes Mr. Pittenger for 1 minute.
Mr. Pittenger. Thank you, Mr. Chairman, and Ranking Member
Perlmutter, for hosting us today for this cybersecurity
hearing.
Cybersecurity is an important and evolving method of
finance, and it is imperative that this committee fully
understand how criminal and terrorist networks may use
blockchain applications to fund illicit behavior. The United
States must lead by example, with our regulatory and
investigative structure, to ensure that terrorists cannot use
cybercurrencies to fund their violent and malicious behavior.
Far too often, foreign governments have enough trouble
enacting and enforcing their own CTF-AML laws related to
traditional financial institutions, so we cannot assume that
these same governments will have adequate capabilities to track
and intercept financial anomalies located within blockchain
applications. This committee must know what it takes, regarding
both resources and legal authorities, for the U.S. Government
to confidently enforce our terror financial and money-
laundering laws with cybersecurity applications.
Thank you again, Mr. Chairman, and Mr. Ranking Member.
I yield back.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizes the gentlelady from Arizona, Ms.
Sinema.
Ms. Sinema. Thank you, Chairman Pearce, and Ranking Member
Perlmutter.
I appreciate the witnesses' testimonies and agree that we
need a government-wide approach to evaluate and address the
illegitimate uses and potential risks of virtual currency. I
support a unified national strategy to combat terrorist and
other illicit finance, and this strategy should include a
comprehensive discussion of virtual currencies.
I look forward to hearing how we can most effectively use
risk-based approaches to identify and mitigate the exploitation
of virtual currencies by terrorists and criminals while
allowing for innovation and growth in the fintech sector. In
fact, how can we best use the innovation and growth within
fintech to counter terrorist and other illicit finance?
Thank you again, Chairman Pearce and Ranking Member
Perlmutter, for your leadership on this issue, and I continue
to look forward to working with my colleagues on both sides of
the aisle to keep all types of money out of terrorist hands and
build on our progress to strengthen America's security.
Thank you, Mr. Chairman. I yield back.
Chairman Pearce. The gentlelady's time has expired.
We now turn to the testimony of our witnesses.
Mr. Jerry Brito is the executive director of Coin Center, a
nonprofit research and advocacy center founded in the public
policy issues facing cryptocurrency technologies such as
bitcoin. Previously, Mr. Brito directed the Technology Policy
Program at the Mercatus Center of George Mason University, and
he serves as an adjunct professor of law at George Mason
University. Mr. Brito earned his J.D. from George Mason
University School of Law, and his B.A. from Florida
International University.
Mr. Scott Dueweke is the president of the Identity and
Payments Association. He is also the president of Zebryx
Consulting, providing public and private sector clients an
understanding of the risks and rewards of identities and
alternative payment systems.
Mr. Dueweke is an expert on identity, the blockchain, and
alternative payment systems. He has advised financial
institutions, the U.S. Government, and international law
enforcement agencies on these matters.
Mr. Dueweke's experience in the blockchain and its
underlying technology of public key infrastructure, or PKI,
began in 1996 with his role as the global marketing manager for
IBM's PKI group. Mr. Dueweke is a frequent speaker on identity,
alternative payments, and the dark web at conferences worldwide
and has been interviewed and quoted by media, including The
Wall Street Journal, Fox News, Time, and Forbes.
Ms. Kathryn Haun served as a Federal prosecutor with the
Department of Justice from 2006 until recently, and was DOJ's
first ever coordinator for emerging financial technologies. Ms.
Haun has investigated and prosecuted hundreds of violations of
Federal criminal law in the United States with a focus on
transnational and organized crime syndicates, cybercrime, the
deep web, and digital currency, including a case against the
former Federal agents investigating the illicit Silk Road
marketplace.
Ms. Haun previously worked on national security issues and
held senior positions at DOJ. Prior to that, she was in a
private practice in D.C. Ms. Haun has clerked for U.S. Supreme
Court Justice Anthony Kennedy as an honors graduate of Stanford
Law School, where she has also taught a class on cybercrime and
digital currency.
Mr. Jonathan Levin is co-founder of Chainalysis, which is
the leading provider of anti-money-laundering software for
bitcoin. Through formal partnerships with Europol and other
international law enforcement, Chainalysis' investigative tools
have been used globally to track, apprehend, and convict money
launderers and cybercriminals.
Mr. Levin was previously CEO at Coinometrics, where he led
a team of data scientists to measure the activity and the
health of the bitcoin network. Mr. Levin was a postgraduate
economist at the University of Oxford, where his research
focused on virtual currencies, creating one of the first
statistical models of bitcoin transaction fees.
Mr. Luke Wilson is the vice president of business
development investigations with Elliptic, where he is primarily
responsible for law enforcement engagement and investigations.
Mr. Wilson has a unique skill set and a deep understanding of
bitcoin and blockchain owing to his 7 years of employment with
the Cyber and Counterterrorism Division of the Federal Bureau
of Investigations.
While at the FBI, Mr. Wilson constructed the first
interagency task force for investigating illicit uses of
bitcoin. As a subject matter expert, Mr. Wilson has advised the
U.S. Government and regulators on digital currencies.
With his previous employment with the Department of
Defense, and the Intelligence Committee, I think Mr. Wilson has
over 17 years of law enforcement and intelligence experience,
and we appreciate his participation in the hearing today.
Each of you will now be recognized for 5 minutes to give an
oral presentation of your testimony. And without objection,
each of your written statements will be made a part of the
record.
Mr. Brito, you are now recognized for 5 minutes.
STATEMENT OF JERRY BRITO, EXECUTIVE DIRECTOR, COIN CENTER
Mr. Brito. Mr. Chairman and members of the subcommittee, I
would like to thank you for the opportunity to speak to you
today.
What I would like to do is explain what bitcoin is, and why
it is a groundbreaking innovation--perhaps as important as the
Web; and why, like the Web, illicit actors are attracted to it.
I will then briefly offer some thoughts on what can be done to
prevent that.
Before the invention of bitcoin, for two parties to
transact online always required a third-party intermediary--
someone like PayPal or a bank. Unlike cash in the real world,
which I can hand to you in person without anyone else between
us, electronic payments required a third party, trusted by each
of us, to verify and guarantee the transfer.
Introduced in 2008, bitcoin overcame a longstanding
computer science problem and for the first time allowed the
secure and verifiable transfer of digital assets between
individuals without the need for third-party intermediaries--
just like cash in the physical world.
The innovation of peer-to-peer transfers has unlocked an
incredible array of socially beneficial and economically
important uses. Not only are fast and inexpensive global money
transfers and payments now possible, this technology is also
being used to make possible micro-transactions, copyright
registries and global rights management system, faster and more
efficient trade settlements, more secure land title and
property record systems, Internet of things networks, self-
sovereign identity, and much, much more.
What gives this technology its innovative potential is
that, because there are no third-party gatekeepers from which
to seek access, it is an open and permissionless network--just
like the Internet.
When Mark Zuckerberg decided to launch Facebook in his dorm
room at Harvard he didn't have to first clear it with the
management of Internet, Inc. He simply wrote the Facebook
application and launched it on the Web. Like the Internet, it
is the permissionless, open nature of bitcoin that will foster
innovation.
Unfortunately, this also means that like the Internet, it
is open to bad actors who take advantage of it. Criminals
certainly use it today, and we have begun to see some nascent
interest from terrorist groups.
However, according to a recent report on the potential of
terrorist use of digital currencies by the Center for a New
American Security (CNAS), ``Currently there is no more than
anecdotal evidence that terrorist groups have used virtual
currencies to support themselves.''
While the potential is very serious, this, however, means
that there is time to develop an appropriate response--a
reasoned response that targets the threat while preserving the
freedom to innovate.
The blockchain and digital currency community has been
working for some time now to face this threat. Almost 2 years
ago, the Coin Center helped co-found the Blockchain Alliance, a
public-private forum that serves as an information-sharing
conduit between law enforcement and industry.
Today the alliance is composed of 35 industry members,
including the largest exchanges and digital wallet companies,
and 36 members from the government, including DOJ, FBI, DHS,
IRS, Secret Service, Interpol, Europol, and many others. Thanks
to the cooperative work of the Blockchain Alliance, law
enforcement today is better equipped than ever to take on this
emerging threat.
However, the CNAS report I mentioned earlier found that our
current regulatory framework impedes law enforcement in the
private sector from collaborating more nimbly to weed out
illicit actors. They found, ``One particular challenge in this
area is the requirement for a virtual currency firm to obtain
licenses in all states in which it operates and maintain
compliance consistent with both Federal and applicable state
standards where they are licensed to operate. With only a
single Federal registration for virtual currency firms,
compliance costs would be more manageable for smaller firms and
regulators would be better able to oversee firms.''
The Coin Center could not agree more, and to promote a more
uniform approach Congress should consider the Office of the
Comptroller of the Currency--encourage him to offer Federal
fintech charters to custodial digital currency firms. And
Congress should also consider the creation of a new Federal
money transmission license to take the place of State-by-State
licensing.
As we discuss these questions today, I hope you will keep a
few things in mind.
First, this is a technology that, like the Internet--or,
indeed, like fire--can be used for good or for bad. Its
inherent nature is neutral.
Second, this technology can't be put back in the bottle.
Encouraging its legitimate use gives us more and better
visibility into the network, while discouraging its use only
cedes the network to bad actors.
And finally, while there is substantial criminal use,
terrorist use, while obviously important to focus on, is still
nascent and experimental, so there is time to develop a
considered response.
Thank you.
[The prepared statement of Mr. Brito can be found on page
38 of the appendix.]
Chairman Pearce. Mr. Dueweke, you are recognized for 5
minutes.
STATEMENT OF SCOTT DUEWEKE, PRESIDENT, THE IDENTITY AND
PAYMENTS ASSOCIATION
Mr. Dueweke. Thank you.
Esteemed members of the subcommittee, I am honored to be
testifying before you today on the important topic of virtual
currencies and their role in enabling terrorism and illicit
financial transactions. There are four major points I would
like to make.
The first: Understanding the promise and peril of virtual
currencies requires looking well beyond the bright, shiny
bitcoin. Virtual currencies beyond bitcoin and other
alternative payment systems create an expansive shadow network.
China and Russia are beginning to dominate a new global
digital financial system of which we are not necessarily fully
members of or aware of. And these new payment systems are
helping to connect billions of unbanked and underbanked around
the world, and we should always keep that in mind.
These billions of people who are using virtual currencies
and other alternative payment and remittance systems for
legitimate purposes are transforming economies through their
use, especially in Asia and Africa. These systems now represent
a major force for the financial inclusion of the more than 3
billion unbanked and underbanked around the world. That is an
important point I hope you will remember as you examine the
negative uses of these systems. There is a lot of positive
going on.
How do we balance the profound benefits of these new
fintech opportunities against the criminal use of these
systems? It is critical that the entire scope of this ecosystem
first be considered--its impact, its uses, its structure--
before making judgments or creating laws and regulations that
might have broad unintended consequences.
This ecosystem extends far beyond bitcoin and other
cryptocurrencies and its roughly $100 billion market value of
bitcoin today. Other virtual currencies, like the centralized
Russian and Chinese virtual currencies, far exceed bitcoin, and
their combined value with remittance systems and mobile payment
systems exceeds $2 trillion.
A network of thousands of virtual currency exchangers
connect these systems into one ecosystem, which should not be
considered separately, but instead as an ecosystem together
with the other parts of it.
Even bitcoin's impact extends far beyond its use as a
cryptocurrency. For example, as Jerry mentioned, the blockchain
can be used for many other purposes.
I am currently working with Saint Luke's University
Healthcare Network to implement the blockchain to enhance the
patient experience and to make it more secure and convenient.
The blockchain is being implemented in financial institutions
to transfer funds, at the New York Stock Exchange to modernize
the trading of stocks, and in many other applications. It can
also be applied to reduce fraud and graft in foreign aid
programs while increasing its reach and impact while allowing
full transparency and reduction in the approximately 30 percent
of foreign aid that is lost to graft and corruption.
Not all blockchains are created equal, and new, more
anonymous cryptocurrencies, such as Monero, Dash, and Zcash,
are beginning to gain market share. These systems now account
for about 1 percent of all cryptocurrency usage on the dark web
and are increasing in popularity rapidly.
As these systems increase in usage, existing blockchain
analysis tools will be challenged to remain relevant as these
dark cryptocurrencies are designed to avoid the tracking of
transactions, whereas bitcoin was designed to be transparent.
A new consideration of the use of cryptocurrencies by
nation states includes the Russian Central Bank's announcement
on June 3rd that they will be creating a national
cryptocurrency. Considering that a large percentage of global
criminal hackers are Russian language-speakers and our current
stress with Russia and the United States and Europe, this
development should be closely monitored.
How this cryptocurrency is set up will be telling. Will it
have a publicly available and verifiable blockchain like
bitcoin, or will it be a private or permissioned blockchain and
be opaque to Western observers and regulators?
If private, it could be used to circumvent KYC and AML and
be used to support proxy ``patriotic hackers,'' as Vladimir
Putin referred to them last week. This possibility already
exists with Russian language centralized systems--especially
WebMoney.
Hypothetically, what could these virtual currency systems
be used for? I am especially referring to these centralized
systems, not bitcoin as much.
First, balance of payment transfers between criminal
organizations such as organized crime and drug cartels; second,
fund transfers with pariah states; third, transfers with
terrorists; fourth, enabling kleptocrats to move money from
their country's coffers offshore--as I have said in the press,
the next Panama Papers scandal could well be focused on these
systems instead of traditional banking; and the funding of a
virtual army of proxy hackers to do their patriotic duty.
So how do we cope with these daunting challenges on
managing and balancing these? At the Identity and Payments
Association we have launched a global nonprofit to create a
public-private partnership to do precisely that.
In summation there is a shadow financial system that is
thriving outside of our control. We need to take strong steps
to understand, control, and counter it while encouraging the
growth of these new alternative payment and virtual currency
systems that are governed by the rule of law.
Thank you.
[The prepared statement of Mr. Dueweke can be found on page
42 of the appendix.]
Chairman Pearce. Ms. Haun, you are recognized for 5
minutes.
STATEMENT OF KATHRYN HAUN, LECTURER, STANFORD LAW SCHOOL, AND
FORMER ASSISTANT U.S. ATTORNEY, U.S. DEPARTMENT OF JUSTICE
Ms. Haun. Thank you.
Mr. Chairman, Ranking Member Perlmutter, and members of the
subcommittee, thank you for inviting me to testify on the role
that financial innovation can play in facilitating but also in
curtailing illicit finance.
In a year the market capitalization of bitcoin has gone
from $6 billion to $40 billion, and the combined market cap of
all cryptocurrencies now exceeds $90 billion. This number is
rising every day.
More people are buying, selling, trading, and transacting
in these currencies for plenty of legitimate uses. In fact, I
know small business owners, academics, investors, and even
government employees who use cryptocurrency, and these aren't
people engaged in illicit acts. They are looking for ease of
payments, fewer middlemen, lower fees, and greater privacy.
But early misuse is a fact of life with emerging
technologies, and cryptocurrency is no exception. Although we
now all use the Internet every day, in the beginning it was
disproportionately used by child pornographers and online
fraudsters, and it is still today used for good and bad,
including by terrorists.
Now, the potential for terrorist use of cryptocurrencies
exists, as it exists for cash or any other type of asset. To
date, we have seen only limited instances of terrorists using
cryptocurrency, but these instances are becoming more frequent.
It appears that terrorists are not using the registered
exchanges in the United States but are using the unregistered
overseas ones that don't allow for U.S. anti-money-laundering,
or AML, requirements. They are also using anonymous peer-to-
peer exchanges, like LocalBitcoins.com, which operates as a
sort of Craigslist.
Now, none of the recent and horrific terrorist attacks have
relied on cryptocurrencies for the simple reason that these
attacks are, by and large, low-tech and inexpensive. Automatic
weapons, trucks, suicide bombs, and plane tickets don't require
large sums of money.
With the small amounts necessary to inflict massive harm,
terrorists overwhelmingly use less traceable means, like cash
and prepaid cards. We see more use of cryptocurrency in the
areas of cybercrime, drug trafficking, money laundering, and
financial fraud. These activities have major national security
implications, of course. Ransomware is a compelling example
because it can cripple critical infrastructure--hospitals,
first responders, public transit systems.
Last month's WannaCry attack affected over 10,000
businesses, hospitals, and public agencies in over 153
countries, and that WannaCry attack wasn't even a very
sophisticated attack. It is getting far worse, and ransomware's
preferred currency is bitcoin.
However, while some features of cryptocurrencies may
facilitate crimes, other features may thwart them.
One of the beneficial features of bitcoin is the
decentralized nature of the blockchain, the technology
underpinning it. The blockchain is decentralized over millions
of computers so it is very difficult to hack.
For a nation state wanting to inflict harm, a cyberattack
using malware against a major financial institution is a
centralized target. But if our financial infrastructure ran
instead on these decentralized systems, millions of computers
across the world would have to be hacked and they would have to
be hacked simultaneously.
And cryptocurrency also helps us solve bad acts. In one
case I brought as a prosecutor, we used blockchain patterns to
identify rogue Federal agents on the Silk Road Task Force. In
another case we solved major hacking and ransomware schemes by
looking at the movement of bitcoin. Some cases aren't yet
public, but we would not have solved them had these criminals
not been using cryptocurrencies because investigators like
digital footprints, and that is exactly what digital currencies
provide.
Of course, we can only follow the money to an individual if
they used an entity that follows AML laws--money laundering
laws--since only then can we, as law enforcement, tie it to an
entity or an actual identity. But many overseas exchanges do
not require names, let alone identification, to open accounts,
and this leads to creation of anonymous accounts. Nearly 100
percent of ransomware campaigns and hacking rings use these
overseas unregistered exchanges.
We have gone after some of the exchanges in the United
States like this with success, but the majority of noncompliant
exchanges are overseas and this poses formidable legal
challenges, jurisdictional challenges. Our antiquated Mutual
Legal Assistance Treaty process, or the MLAT process, takes
months of bureaucratic maneuvering, and that is in the best-
case scenario when we have cooperative partners on other sides.
And when we are dealing with an uncooperative country, we might
not get any evidence at all.
We need more resources to quickly get at electronic
evidence overseas, funding more attache positions and better
systems for processing these MLATs, which are absolutely
critical to us getting overseas electronic evidence.
For those entities in uncooperative countries we need more
statutory authority to go after their business segments that
rely upon U.S. companies for support: servers; communications;
software; and banks. Now, there are numerous entities in the
space with robust AML and compliance programs, and these
platforms are some of our best partners.
In fact, the head of an agency in Treasury told me that the
suspicious activity reports (SARs) that they are seeing out of
digital currency companies are superior to those from large
financial institutions despite fewer compliance resources. And
in over a decade that I spent as a Federal prosecutor, the
fastest turnaround I ever got on a subpoena was from a digital
currency company.
But with broader adoption these companies' compliance
resources are being stretched. We want them to be spending
those resources on keeping bad actors off their platforms and
developing tools to spot fraudulent activity, not addressing
the vagaries of 50 different State regulatory regimes. The idea
of a Federal solution to harmonize State laws is an area where
Congress could help.
And also an area where Congress could help is we have an
urgent need for resources to be devoted to this space
immediately and across- the-board at all agencies. It is simply
not sufficient to have only a handful of people at each Federal
agency focused on cryptocurrency when it is affecting so many
areas that touch upon our national security.
Thank you very much for inviting me to share my thoughts on
this topic.
[The prepared statement of Ms. Haun can be found on page 50
of the appendix.]
Chairman Pearce. Thank you.
Mr. Levin, before you are recognized, I realize now I was
giving you an extra syllable in the name as I was pronouncing
it during the introduction, so you can just put it on your
asset sheet that you are worth more now here.
I now recognize you for 5 minutes.
STATEMENT OF JONATHAN LEVIN, CO-FOUNDER, CHAINALYSIS
Mr. Levin. Thank you, Mr. Chairman, Ranking Member
Perlmutter, and members of the subcommittee.
My name is Jonathan Levin and I am one of the co-founders
of Chainalysis. Chainalysis is the leading provider of
investigation software and risk management solutions for
virtual currencies. In this field, we identify illicit use of
virtual currencies, including terrorist financing. We provide
tools to private industry and law enforcement to mitigate these
risks and the activity that poses a risk to our society.
I wish to divide my briefing into three significant
sections that I believe are worth considering when looking at
the risk of virtual currencies: first, the potential for
virtual currencies; second, the nature of this technology; and
finally, the current use of virtual currencies.
The Internet started in the early 1960s but did not enter
the mainstream until the creation of an easy-to-use consumer
layer and developer tools that happened in the mid-1990s. Today
we almost all use the Internet every day prior to entering this
room and even afterwards.
The U.S. Government played an instrumental role in
providing essential layers for private industry to develop
business models and products for us as consumers to use.
However, there was no payments layer baked into the Internet.
This is where the motivation behind bitcoin came in.
Efforts to curb the demand for this new payment
infrastructure have not led to success. In February 2017 the
People's Bank of China put pressure on virtual currency
exchanges to stop trading. This led to an uptick in peer-to-
peer bitcoin transactions that are out of the purview of the
state. The transaction volume went from 2.5 million RMB to over
100 million RMB on these exchanges, and these cannot be
regulated and it diminishes the oversight of the state.
Bitcoin and other virtual currencies are decentralized, as
we have heard, and as such they are censorship-resistant.
Receiving bitcoin can be done by anyone with basic access to
computing anywhere in the world.
There is no need to register or supply anyone with
identifying information in order to receive bitcoin. There is
no ability to freeze assets or seize someone's virtual
currencies without obtaining access to their computer. Virtual
currencies, in this way, are ultimately bearer instruments, and
the person in control of a private key is the ultimate owner of
virtual currency.
In order to facilitate this system, however, bitcoin makes
every transaction public. These transactions are recorded in a
single transaction ledger, the blockchain. However, these
entries are pseudonymous and do not relate to real-world
entities.
Chainalysis analyzes this blockchain to identify which
transactions have been performed by the same entity and links
these entities to real-world services such as exchangers,
merchant processors, and underground marketplaces. This
blockchain analysis can identify the underlying activity behind
virtual currency transactions and the on-ramps and off-ramps
and the connections to the existing financial system.
Terrorist organizations are not in the business of
speculating on the price of virtual currencies, but rather,
they may be interested in using virtual currencies for the
following use cases: using virtual currencies in cybercriminal
activities to fund operations; crowdfunding operations from
sympathizers around the world; and paying for everyday items
and Internet infrastructure.
Cybercriminals so far have mainly used bitcoin to buy and
sell capabilities to launch cyberattacks and extort their
victims when they do. Their use of bitcoin cannot be attributed
to anonymity but rather convenience and its ability to move and
transcend borders.
There has not been any evidence yet of terrorist
organizations running any of these criminal enterprises. We
have heard of the recent ransomware campaign known as
``WannaCry,'' and that was leveraged by cybercriminals rather
than terrorist organizations. However, despite ransomware's
ineffective campaign, some of these criminal enterprises are
making substantial sums of money, as I allude to in my written
testimony.
In July 2016 there was the only verifiable public case of
crowdfunding known by a terrorist organization. The campaign
was launched over Twitter and was not very successful and
raised a total sum of $1,000.
The nature of virtual currencies meant that Chainalysis was
able to size the potential threat and also identify the
ultimate source and destination and connection to the existing
financial system.
Terrorists, like any other person, may use bitcoin to pay
for Internet infrastructure and everyday goods and services.
There are merchants around the world that accept virtual
currency, including blue chip companies. Using tools like ours
at Chainalysis, these purchases can lead to useful leads in
investigations and uncover the goods and services purchased as
well as attribute the identity of the individuals.
The potential for virtual currencies to bring radical new
business models to the Internet and ways of organizing social
and economic relations remains large. The pace of change in
this domain is rapid and the eventual outcomes unpredictable.
The current use of virtual currencies is mainly financial
speculation on their eventual impact on the world. The use of
virtual currencies by terrorist organizations is very limited
due to lack of awareness and trust placed in virtual
currencies.
There is a growing awareness among companies and government
agencies about the potential threats and their topologies.
Virtual currencies continue, however, to evolve rapidly.
Private businesses like ours and the public sector should
endeavor to mitigate these threats but be cognizant of the
future potential for this technology.
Thank you.
[The prepared statement of Mr. Levin can be found on page
63 of the appendix.]
Chairman Pearce. Mr. Wilson, you are now recognized for 5
minutes.
STATEMENT OF LUKE WILSON, VICE PRESIDENT, BUSINESS DEVELOPMENT-
INVESTIGATIONS, ELLIPTIC
Mr. Wilson. Thank you, Mr. Chairman.
And thank you, subcommittee members.
My name is Luke Wilson. I am the vice president of business
development and investigations for Elliptic.
Elliptic software is used to identify illicit activity on
the bitcoin blockchain and we provide our services to the
leading bitcoin companies and law enforcement agencies
globally. We are located in London and Arlington, Virginia.
Today's hearing on, ``Virtual Currency: Financial
Innovation and National Security Implications'' is a very good
first step toward understanding this quickly evolving
technology. My previous employment with the FBI allowed me to
investigate several crimes that involved bitcoins. My
experience is that bitcoin is not or should not be alarming to
investigators or private companies.
Bitcoin is thought to be anonymous by some criminals. In
reality, it is far from anonymous, and companies like Elliptic
have assisted law enforcement and private industries to
identify who is behind the illicit bitcoin transactions.
Elliptic's software and expertise has assisted in
terrorism, ransomware, cyber extortion cases, and illegal arms
trafficking cases, to name a few. In all of these cases we have
provided intelligence and leads that help investigators to
trace bitcoin transactions and identify who is transacting.
This is all made possible by the record of transactions
kept on the blockchain. All bitcoin transactions are stored on
the blockchain, including those performed by criminals. The
importance of this blockchain record cannot and should not be
undervalued, as it provides a public and permanent and
incorruptible record of transactions, the likes of which is not
available with any other payment method.
I would really like to go through a couple of cases that I
helped with when I was in the Bureau.
As I talk about the firearms case, this was a case that I
helped with, actually, while at Elliptic. There was a law
enforcement agency that was looking at an illegal arms
trafficker. If the illegal arms trafficker did not purchase the
illegal arms off of a dark market site using bitcoins, this
individual would never have been placed in handcuffs and put in
jail. It is because of the bitcoin blockchain that they were
able to come to Elliptic and we were able to trace those
transactions and find out where the individual was purchasing
the firearms, and then now we could tie that back to that
individual.
So when I say that we have a way to trace this, this is
what law enforcement and private industry does. They come and
talk to a company like Elliptic or Chainalysis.
My experience in counterterrorism and virtual currencies
make me well-placed to evaluate the risk by the potential
terrorist use of bitcoin. My experience is that there have been
very few verified terrorism cases in which bitcoin was used,
and that in all of these cases law enforcement was able to
trace the flows of bitcoin to subjects and possible
coconspirators.
While I cannot say what the future holds for terrorist use
of bitcoin/virtual currencies, I can say that it is very small
to date and that we have been successful in assisting law
enforcement and private industries to combat that threat.
Thank you for your time.
[The prepared statement of Mr. Wilson can be found on page
70 of the appendix.]
Chairman Pearce. I thank each one of you for testifying.
The Chair now yields himself 5 minutes for questions.
So, Ms. Haun, I was fascinated by Mr. Levin's comments in
both his written testimony and his statement that most of the
protocols and infrastructure are decades old, pioneered by
academia and the government. And as you talked about the
additional resources, is it even possible for someone in a
bureau, someone in an agency to keep up with the fast pace of
development? So address that if you can.
Ms. Haun. Sure. Well, I think it is two-fold.
First it is personnel who require training and being
brought up- to-speed on these technologies. But second, it is
the systems, and I think the systems are very important because
oftentimes we will be getting from these companies that are
providing us metadata in response, for example, to a search
warrant or a subpoena, and we on our old systems can't even
access them. They won't even run that data, and that is a real
problem.
I think yes, it is possible, but you have to look at the
resource question from both personnel and systems resources.
And I mentioned the same thing with respect to speeding up the
processing of MLATs: it is not just personnel, it is also just
the systems themselves.
Chairman Pearce. Okay. So you bring in personnel today and
you give them a really deep education and a year from now they
have been covered up with investigations and keeping up.
Mr. Levin, are those personnel we bring on today going to
be able to keep up?
Mr. Levin. I think that as we look forward to see what
innovations happen, the incentive needs to be placed on the
private sector to be able to provide tools and keep up with the
innovation that happens. And I think that it is our duty to
provide training and education as part of offering software and
tools, and that is something that we are actively doing. It
needs to be regular and it needs to be more frequent than it
currently is.
Chairman Pearce. That is kind of my impression, just
sitting up here being pretty unfamiliar with any technology.
So do you envision, Mr. Levin, an ability to set up the
protocol that will give the protections and yet allow access by
law enforcement to where we don't have to have the resources?
Because, just as a policymaker I will tell you, I see an
unending need to hire more personnel, and the personnel we
hired last year are not going to be very good by next year, and
the year after completely not up-to-date. And so we just keep
building that bureaucracy.
Somewhere we need to get the mobileness to tap into the
private sector's knowledge, and therefore we leave the law
enforcement to the law enforcement people, not keeping up with
technology.
So if either one of you--Mr. Luke, if you want to jump in
here on this, too, I really would like a discussion kind of on
that, and fairly short, I have 2 minutes here.
Lead off, Mr. Levin, if you would, and then I'll go to Ms.
Haun and Mr. Wilson. I would really like your input.
Mr. Levin. I think that one thing that I have seen
personally in law enforcement is actually the need to not hire
new people every year and that people need to become subject
domain experts in order to be able to counter the threats that
we have, that someone coming in new would need to learn about
the innovation of this technology and its history and its
evolution rather than just the latest and greatest new bit of
technology.
I think also I have seen several efforts by regulatory
agencies and oversight agencies to automate processes to
actually take away personnel from copying down notes off
printed-out sheets and submit things programmatically that
would definitely assist in making sure that the government's
resources are best used.
Chairman Pearce. Ms. Haun?
Ms. Haun. Yes. I think it is also a question of shifting
resources because I was brought into the department as a gang
and murder prosecutor, and then I switched. So it is not that I
became useless; I think you have personnel who are capable of
adapting to new areas.
I think one of the problems is that the government and a
lot of the agencies are very siloed. So, for example, we have a
cyber unit, and only the cyber unit is maybe getting trained on
these cryptocurrencies or the dark net; but the fact is it
affects the narcotics unit, it affects the national security
unit, it affects the white collar unit, the financial fraud
unit, the public corruption unit.
So I think you can shift those resources, but it needs to
be across-the-board.
At the same time, I do think resources are necessary for
training not only in government but in the public-private
partnerships. The Blockchain Alliance goes a long way. They
have webinars that people can watch. So these are actually free
resources.
Chairman Pearce. Okay.
Mr. Wilson, and pretty briefly, I am out of time here.
Mr. Wilson. Yes, sir. I agree with Ms. Haun. It is overall
training. Anything that you can do with regular cash you can do
with bitcoin or virtual currencies, so there needs to be a
centralized training.
And you have a huge--what is a technological gap, as well.
Some law enforcement agencies and private industry are just now
figuring out that you can trace these transactions.
I think those are two big areas.
I was a counterterrorism agent before I went to the Cyber
Task Force. I took it upon myself to learn these things and put
the task force together. So those are just some of the huge
hurdles that they are facing out there.
Chairman Pearce. Thank you.
Thanks to each of you.
My time has expired, and I recognize Mr. Lynch for 5
minutes.
Mr. Lynch. Thank you very much, Mr. Chairman.
I just want to take a minute to say thank you to you,
Chairman Pearce, and also Ranking Member Perlmutter, for your
really forward-leaning approach on this issue.
And I also want to thank the witnesses because this is not
the first time we have met and I want to thank you for all the
energy you have put into trying to get Congress up-to-speed on
this issue. Usually we are very much behind, but on this issue,
I think with your help, we are almost up-to-speed.
Ms. Haun, I also want to thank you for highlighting the
issue of personnel and resources. I was in Bahrain and Dubai,
did a little work in the Gulf, and we have one Treasury attache
who is responsible for, I think, five different countries. And
he is bouncing back and forth with central bankers and
totally--he's doing a great job, don't get me wrong, but he's
totally overstretched, I think, in terms of our resources. So
that is probably something that we can work on.
One of the problems I am trying to grapple with is the
asymmetry here of, you know, three guys in a truck and a bunch
of steak knives on a bridge in Manchester, and then our sort
of--our defense out there talking about cybersecurity and
larger systems. There is, I think, an effort by ISIL and others
to use this interstitial approach where they hit us where we
are not protected. And I don't know how we get at that.
I think this is an emerging issue for us. I know that, Mr.
Brito, you have said--you described this as anecdotal, some of
the use by terrorists, but I think we have to be prepared. As
the use of this becomes more broad, by the general public, then
I think, certainly, nefarious elements will capitalize, as
well.
On the personnel side, in terms of trying to train people
and the money and the time involved in getting people really
trained as experts in this, in cybercurrency use and all the
other issues involved, when we send our young people to West
Point and to the Naval Academy, they go to school and--excuse
me?
The Air Force Academy. Oh yes, yes. The Air Force Academy
at Colorado Springs, as well. I am just using it as an example,
not exclusive. But we commit them--they commit for 5 years
beyond that, and so we--for our investment we get the return.
Is there a way that we can sort of--do you think it would
be wise for us to set up some similar system where we have a
lot of bright people who will be all over this stuff; I think
it really appeals to some of the skills and ability of our
young people--create a system like that: scholarships, maybe
identify a handful of universities who would love to, I think,
offer this type of instruction and education. Is that something
that you have seen anywhere in our university systems? MIT, any
places like that?
Ms. Haun. I could speak to that.
I taught a cybercrime and digital currency class at
Stanford and it was cross-registration from a number of
departments--law, business school, computer scientists,
engineers. And I am pleased to say that a number of those
students actually ended up going to serve across the government
in national security capacities, and our U.S. attorneys'
offices. So I think the interest is there still in serving in
those capacities, albeit in this new, emerging field.
Mr. Lynch. Yes.
That is good to hear. I think we just need to do more of
it.
On the other side, trying to build a system, an agency
ourselves, and keep it up-to-speed, we haven't done a very good
job of that internally with our government. We have legacy
systems that are a problem.
I just want your feedback, any of you, wouldn't it be
better to buy the system in terms--purchase the system on the
private side and have cutting-edge technology rather than
trying to construct it ourselves? Because Congress is subject
to appropriations and, dear Lord, we are terribly slow in
keeping up. I am just--like your own thoughts on that.
Anybody?
Mr. Brito. I agree with you, and I think Mr. Levin and Mr.
Wilson are being too modest to say that their companies are
building exactly the system that allows law enforcement, and
not just law enforcement but digital currency firms and banks
who deal with these networks, to have greater visibility into
the network.
Mr. Lynch. Great.
I see my time has expired. Mr. Chairman, I would just ask
unanimous consent to enter into the record this report:
``Terrorist Use of Virtual Currencies,'' by the Center for a
New American Security, by Goldman, Maruyama, Rosenberg,
Saravalle, and Solomon-Strauss.
Chairman Pearce. Without objection, it is so ordered.
Mr. Lynch. Thank you.
Chairman Pearce. The gentleman's time has expired, and just
by way of kind of updating the subcommittee, after our meeting
we asked Mr. Budd and Mr. Davidson and Mr. Lynch and Mr. Foster
to come together and really address this idea of adjusting a
protocol and the reactiveness of our team, our governmental
team, to sort of keep up and see if we can think of a new
approach to this.
So again, I thank the gentleman. And it looks like we have
five really good people here that you all can work with.
I now recognize Mr. Pittenger for 5 minutes.
Mr. Pittenger. Thank you, Mr. Chairman.
And again, I thank each of you for your participation with
us and for the many times that you have come to address us and
engage in this dialogue.
Certainly something that, as you pointed out, Ms. Haun, it
is a growing sphere of engagement by those who seek illicit
transfer of payments--$90 billion, I had never heard that
figure before today, and that will certainly continue to
increase. And I think we have found in the past that those with
nefarious interests look for--like water going downhill. If
they get blocked one way they are going to go somewhere else,
and I think we should be anticipating--not waiting, but
anticipating that they will enter into this arena in greater
dimension.
To that end, I think the points have been well made in
terms of personnel and training. I would like to get your
thoughts, just for clarification. If somebody has sophisticated
cyber training, they have been certified by SAS or some company
like that, is that a strong foundation for being able to move
over to address these blockchain types of transactions?
Ms. Haun. Is that question to me, Mr. Pittenger?
Mr. Pittenger. Sure, or any of you who would like to
answer, but just go ahead.
Ms. Haun. All right.
I think the answer is it is not necessary. I think it would
provide a good foundation, but I founded a digital currency
task force out in San Francisco comprised of numerous agencies
and none of them had that SAS training. All of them, however,
were very interested in this new field and they were looking
for something new in their career; perhaps they had done cartel
cases before. And so everyone brought something different.
And actually, the technology, a bit counterintuitively, is
not that hard to get up to speed on. I really do think that if
you watch a few webinars, you go to a few training sessions,
and all of a sudden you really know a lot more than you thought
possible in a short time.
Mr. Pittenger. Maybe if I could ask you, then, to that
point, you question the merits of bringing on new people. Why
would that be a problem if it could be adapted so easily?
Ms. Haun. Oh, I don't think there would be any problem with
bringing on new people. I just, to the chairman's question
about do all of our existing people become obsolete, I think
that need not be the case either.
Mr. Pittenger. Okay.
Ms. Haun. But certainly, of course, I would always say new
people--more people are better because we have--dealing with
criminals--
Mr. Dueweke. It needs to be the right type of people.
Ms. Haun. The right type of people, but dealing with
criminals we have too much business, so yes. Good point.
Mr. Dueweke. One of the big problems, though, in this whole
conversation is it is overly focused on understanding the
blockchain.
Mr. Pittenger. Okay.
Mr. Dueweke. That is a component, and it is actually a
fairly small component of the overall virtual currency threat
and usage by criminal organizations, et cetera. It is not so
much a matter of understanding the technology behind the
blockchain; it is having people who understand global payment
systems that are on the cutting edge and understand the
fintech, the mobile payment systems, the blockchain systems. It
is much larger than just, ``Hey, let's get some smart kids who
understand the blockchain.''
You really need to understand the entire payments world,
and that is what I have seen in a lot of the training that I
have done within U.S. law enforcement and law enforcement
around the world. They are just trying to grapple with this one
piece, the bright, shiny bitcoin, I call it; they really need a
much broader understanding, and that isn't something that
necessarily comes easily from quick training.
And probably what you need to do is foster a better
relationship, this public-private partnership, so that the
payment processors, the Coinbases, the First Datas, you have a
better relationship with them because they are the ones that
have this knowledge that takes, frankly, decades to really
understand all of these systems globally, and that is what is
missing.
Mr. Pittenger. Yes, sir, Mr. Brito?
Mr. Brito. I have to agree with Mr. Dueweke. And I think
part of what is happening in this conversation is that myself,
Ms. Haun, Mr. Levin, and Mr. Wilson are here because we are
focused on decentralized digital currencies. Cryptocurrencies
is another name for that, bitcoin being the number one example.
It was the first cryptocurrency and it is the largest
cryptocurrency today.
That said, what Mr. Dueweke is rightly pointing out is that
if you think of a pie chart, decentralized cryptocurrencies
like bitcoin account for a tiny sliver. You have other digital
currencies that are centralized and, as Mr. Dueweke was
pointing out, account for a lot of the use by illicit actors.
Mr. Pittenger. All of your points are well taken. I think
we really have our work cut out just getting this on the radar
screen to make sure that people see this venue, and so that we
can address it in a comprehensive way. I don't think the public
at large--in fact, I don't think the Congress fully understands
the depth of opportunity that is there for those who seek an
illicit transfer of funds.
Thank you. I yield back.
Chairman Pearce. The gentleman's time has expired.
And just sort of in response to Mr. Dueweke, you are
exactly right, but our hearing today is on virtual currencies
and so we are trying to get that, and then we had yesterday the
meeting that was digging into the actions and the patterns of
actions. We will merge these two together in the future, and
again, that is our kind of subgroup of four people who are
tasked with that. But again, a very accurate observation.
The Chair now recognizes Mr. Kihuen from Nevada for 5
minutes.
Mr. Kihuen. Thank you, Mr. Chairman, and Ranking Member
Perlmutter, for organizing this hearing.
And thank you, to all of you, for testifying this morning.
I just have a couple of quick questions, one regarding
mixing. For my colleagues who might not know, since the
transactions of some cryptocurrencies that are recorded on the
blockchain, mixing is a way to launder payments that may be
connected to tainted sources.
Ms. Haun, since you prosecuted some of these cases, are you
worried that mixing might become so sophisticated that it might
become very hard for law enforcement to track some of these
transactions for criminal activity?
Ms. Haun. Yes, I am.
Right now the technology isn't there to be as sophisticated
for the mixers and tumblers, we hear them called tumblers. But,
of course, anything that further anonymizes things make it more
difficult for law enforcement authorities to kind of follow the
trial, so I am worried about it.
We have heard analogies to--Jonathan mentioned earlier it
is like a mask. Think of it, if you are a person who is going
in to do some bad acting, and you are wearing a mask, we can't
see you because you have disguised yourself. But if you wear
that mask again later, we know it is you.
The problem with tumblers and mixers are that let's just
say all of those masks that people are wearing get taken off
and melted all together and then their different--the masks are
reconstituted and put on, so then we don't know that it is you
again. I don't know if that analogy makes sense, but that is
kind of how we think of them.
So we do think that is a problem, but I think more of a
problem right now are the overseas unregulated exchanges. And
those are in countries that you might guess at, and we simply
see those nefarious actors using these cryptocurrencies are not
using these U.S.-regulated exchanges; they are using the ones
that are overseas.
Mr. Kihuen. So do you think that we need to put
restrictions on the mixing?
Mr. Levin. Yes. If I could also comment, I think that there
have been--FinCEN refers to services that transmit virtual
currencies on the behalf of other people, and it is--there is a
good chance that mixers do come under that jurisdiction, so if
it is in the United States there are actually some mechanisms
that law enforcement might be able to use to put pressure on
those mixers.
Mr. Brito. If I could add, in some cases you can think of
completely legitimate regulated exchanges in this country. You
send money to them. At that point it sort of becomes invisible
to the software, and then eventually the money goes out. And so
in some ways you can think of those as mixers, but it is not a
problem because they are complying with FinCEN guidance and
with the Bank Secrecy Act.
So the problem is not so much that there is mixing
happening, that there is a third party that is keeping funds on
behalf of a third party; it is that you have mixers that are
completely unregulated and not subject to--or not complying
with the BSA regulations, and I suspect, as Ms. Haun was
saying, that these are overseas, as well.
Mr. Dueweke. And that is a critical part of this, too, the
global nature of this and that you have thousands of these
unregulated exchanges that are not limited to just that one
segment of virtual currencies being centralized--or
decentralized, but also the centralized virtual currencies as
defined by THADP and acting as a mixer, the best way to mix,
actually, is to go to one of these unregulated exchanges and
exchange bitcoin for light coin, for dark coin, or for web
money or one of the other non-cryptocurrency systems, and then
change it back.
You are not following that. It is better than a mixer.
Ms. Haun. And absolutely, as I alluded to in my written
testimony, 100 percent of ransomware campaigns we have seen
cashing out through exactly these overseas exchanges, so it is
a huge problem.
Mr. Brito. So I would simply put a point on that by saying
mixing is not a problem. Again, mixing is a technology that is
neither good nor bad. It is mixing and not complying with the
BSA that is a problem.
Ms. Haun. But to your question about could we regulate
these things--and I appreciate Mr. Levin's comment that in the
FinCEN guidance it could be construed to regulate--to reach
mixers or tumblers. I am not so sure that a prosecutor or
FinCEN would take that aggressive of a view. Maybe they would,
but certainly if this were included in Section 1960 as
explicitly clear, that gives--that statutory authority gives
prosecutors a lot more comfort that, oh, no, this technology is
absolutely included in a 1960 definition.
So I think that would be important. FinCEN guidance alone
is not always enough for us to bring these new cases that are
the first cases of first impression.
Mr. Kihuen. Thank you all so much.
Thank you, Mr. Chairman.
Thank you, Mr. Ranking Member.
Chairman Pearce. Thank you. The gentleman's time has
expired.
The Chair now recognizes the gentleman from Colorado, Mr.
Tipton, for 5 minutes.
Mr. Tipton. Thank you, Mr. Chairman.
And thank you, panel.
Ms. Haun, maybe you would like to follow up a little bit on
the last question when you were talking about the 1960
regulation. And listening to Mr. Dueweke describing the mixers,
given all of the complexity that is there, even with that
authorization, how difficult is it really going to be for law
enforcement to be able to track this information even with
authorization?
I think there was a RAND report that came out of some of
the criminal activity that is going on--RAND National Defense
Research Institute--saying that criminals are increasingly
gaining access to technology and encryption tools that could
allow them to design their own virtual currencies to circumvent
the global financial system.
Given that complexity and just your statement, how
difficult is it for us really to be on the front end of this
curve rather than being reactive trying to catch up?
Ms. Haun. I think, again, and I hate to keep coming back to
it, but the big problem I see are the unregulated and
unregistered exchanges. I think we can keep up with more
resources and more people and more agents knowing what this is.
I think we can keep up where we have tumblers and mixers or
virtual currency exchangers in the United States subject to our
jurisdiction, and we have some choice 1960 prosecutions. I
think we can keep up.
Where we have a problem is in getting at that information
or forcing compliance from these overseas entities. And not
surprisingly, the bad actors--the terrorists and the massive
cybercriminals--are not using the registered Coinbases of the
world that are in San Francisco, that are registered with
FinCEN.
So I think that is going to be a problem and we can't keep
up with those as the matter currently stands.
Now, one thing I would say is a lot of those businesses or
ransomware campaigns, et cetera, or even these unregulated
exchanges, they actually rely on a lot of U.S. companies and a
lot of presence in the United States. People are always
surprised by this. They think, ``Why would their servers be in
the United States? Why would their infrastructure be in the
United States?''
We have a reliable source of energy and power. We have
massive companies, like Amazon Web Services or Google, who
provide these hosting platforms.
So these big, unregulated, unregistered exchanges do use
Google and Gmail; they use Microsoft; they use Amazon. And I
think we could use some tools in our toolkit--statutory tools--
to more easily chip away at those parts of their businesses
that touch on the United States.
Mr. Dueweke. Congressman Tipton, I totally agree. The focus
should be on the ingress and egress and conversion points. The
unregistered, as she put it, exchangers around the world are
the point, but I have a very dim view of us being able to cope
with them effectively because the barrier to entry for setting
up an exchange is so low. It doesn't require you to have a
company. It requires you to have a server and some accounts
with these different types of payment systems that you want to
convert from and to. Very low.
I have done research myself on thousands of these systems,
rated them for anonymity, et cetera, and they are incredibly
amorphous. They go up and come down regularly. They will change
into something else. You won't be able to identify exactly
where they are or which systems they might be using in the
background.
There might be better signals, intelligence-type things,
that you could use to detect that, but we, I believe, are far,
far, far behind, as well as law enforcement around the world,
in coping with this. And these systems do gravitate towards
areas with a relatively low rule of law, and oftentimes they
seem to be, according to things I have read and researched,
many times they are being protected by local political entities
and law enforcement, and there are many stories that you could
read about that online.
I also want to make the point that the position that
bitcoin is not being used for any terrorist activities might be
a bit stretched, as well. It is not reported in the United
States but it is well reported in Europe, including Agence
France Presse, that four of the automatic weapons that were
used in the Paris attacks were purchased with bitcoin from an
online dark market seller in Germany. And that was reported in
court--open court documents in Stuttgart.
So I agree it is not a huge problem, but there are examples
where you have small groups that are using digital currencies,
including bitcoin, to anonymously buy what they need to carry
out their heinous attacks.
Chairman Pearce. The gentleman's time has expired.
The Chair recognizes the gentleman from Colorado, Mr.
Perlmutter.
Mr. Perlmutter. A lot of Coloradans around here.
I want to follow up on Mr. Tipton's line of questions and
ask you, Mr. Dueweke, and you, Ms. Haun, and to the rest of the
panel, okay, when you say an ``unregistered exchange,'' what is
that?
And in your testimony, Mr. Dueweke, you talked about a
number of different things--WebMoney, and Perfect Money, and
dark money, and Alipay. Do you consider that an exchange or is
that a medium of transfer, or--help us understand your
terminology.
Mr. Dueweke. I teach a 2-day course on this so it is not
necessarily that easy, but the terminology--and I would be
happy to provide the committee with a topology, a single-page
topology that makes sense of these different characteristics.
When you are talking about the large providers like PayPal,
WebMoney, Alipay, they do have the ability to act as an
exchanger as part of their overall digital payment system. And
certainly with systems like WebMoney, that have been shown by
other researchers to not be doing strong know-your-customer
(KYC), they are suspect and are certainly being used for
criminal activities, and a lot of that is they are not doing
that good KYC up front.
However, what Ms. Haun is talking about and I have referred
to with these other exchangers are entities that set themselves
up specifically to exchange one virtual currency for another
virtual currency, or for a fiat currency, or for a mobile money
system. And all it requires really is a computer, accounts to
be set up with these different services, and some level of
liquidity, which oftentimes is one of the limiting factors in
how effective these exchangers are is how much money they have
to buy and sell. They might only have $20,000, $30,000 on hand,
whereas the big ones, of course, like Coinbase, have many
millions. So--
Mr. Perlmutter. All right. And they are kind of the fence
in this thing? Are they fencing the stolen goods?
Mr. Dueweke. Not so much fencing. It is really--just think
of a currency exchanger on the street of some country. You
would go and give money--one type of money and they give you
another type of money coming back.
It is that, but in a much larger sense for digital payment
systems, and the level of anonymity for these unregistered ones
can be extremely high because typically they are not doing the
KYC; they are not doing the AML.
Mr. Perlmutter. They don't care whether it is dirty money
or not.
Mr. Dueweke. They don't care--
Mr. Brito. So to answer your question directly, if I want
to use bitcoin I need to first acquire some bitcoin.
Mr. Perlmutter. Right.
Mr. Brito. Typically the way you do that is you go to an
exchanger and you give them dollars and they give you bitcoin.
That exchanger in the United States is a Bank Secrecy Act-
regulated entity and has to register with FinCEN, keep records
of its customers, and report suspicious activities. So that
would be a registered exchange.
And that is who Ms. Haun would go to when she is using Mr.
Levin's software and finds a bad guy. She can go to an exchange
and say, ``Who is this person?'' and get the information.
Overseas we see unregistered exchanges--exchanges who,
although they are required to, do not comply with the Bank
Secrecy Act. And so when Ms. Haun requests information from
them I bet she doesn't hear back from them. That is what an
unregistered exchange is.
Ms. Haun. Or--
Mr. Perlmutter. Go ahead.
Ms. Haun. Or we hear back from them--in a good case
scenario I had an MLAT with Japan, for example, where we have
an attache on the ground, cooperative partners on the other
side, and that even took at least 6 months in a very high-
profile case to even get that evidence. So that is in a good
case where we have to go to another country, we can get
something.
But I think there is another step beyond that, which is an
exchange in, say, Russia. Not only could we not go to them, but
if we go to them we know what we find back is--and we have
actually found this in returns before and evidence before--is
the owner of this account is Mickey Mouse who resides at 123
Main Street. That is actually--
Mr. Perlmutter. I guess that is what I am worried about,
that we have some nation states that are actually fostering
making these exchanges impossible to pierce, to understand, to
find, whether they are trying to avoid sanctions, whether it is
North Korea or Russia avoiding sanctions or helping some
criminal enterprise, or underwriting some terrorist
organization that is out there doing bad things.
So I am very concerned about how we stretch this globally
to get countries that we may be at odds with, like Russia or
maybe China, to participate. Are we doing that?
Mr. Dueweke. And that is where this--a public-private
partnership, having an association where there can be a real
mercantile reason for them to want to participate, and where
there is a push from the corporations, the companies themselves
to want to be part of this. And you have seen this recently in
Russia with Kiwi and Yandex.Money have started just in the last
year following AML and KYC while WebMoney hasn't. So part of
them they want to be integrated in with European payment
systems; the other one is kind of remaining off on its own.
But that type of public-private partnership where you can
get them to work together with other countries and other
companies I think is key because you are not going to be able
to do this by dictate from the United States, I don't think.
Mr. Perlmutter. All right, thank--
Mr. Wilson. Sir, so this is--
Mr. Perlmutter. --you for your--
Mr. Wilson. --normal criminal activity. Criminals are going
to go where the path of least resistance is. So if I can go
exchange my bitcoin to an exchanger that is not compliant with
U.S. laws, that is what I am going to do. That issue there is
that they are trying to circumvent our AML procedures and they
are using--I mean, all criminals do that all the time.
So that is something else that we need to look out for. It
is further down the line. It is happening, but the bigger issue
is trying to get these guys trained up to notify, to notice
this kind of criminal behavior happening.
Mr. Perlmutter. Okay. Thank you.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizes the gentleman from Texas, Mr.
Williams.
Mr. Williams. Thank you, Chairman Pearce.
And to all the witnesses today, this has been great.
I want to spend my time this morning focused on money
laundering, specifically trade-based money laundering, which,
as you know, is just one method used to launder illicit
proceeds, and how that relates to virtual currency. According
to the FATF report of virtual currencies, two major themes have
developed: one, virtual currencies are the wave of the future
for payment systems; and two, virtual currencies provide a
powerful new tool for criminals, terrorist financers, and other
sanction evaders to move and store illicit funds out of reach
of the law enforcement or other authorities.
So let me start with you, Mr. Dueweke. In your testimony
you spoke about the capability to move unlimited amounts of
funds completely outside the Western financial system. You also
mentioned transfers to and from terrorist organizations,
especially as part of a trade-based money laundering scheme to
cause the investigators to lose their money trail.
As we have heard many times during our previous hearing,
these schemes can be highly complicated, so virtual currencies
just add another layer. So my question is, can you expand on
the steps we need to take to help all of the stakeholders
involved, whether that be local law enforcement or financial
regulators or private companies--I am a private sector guy--and
to understand the scope and scale of these schemes?
Mr. Dueweke. I think the key is education. I have
participated in some investigations where people have had
information on different bad actors and had it sitting there
for a year because they didn't know what WebMoney was. They
didn't know what these systems were or how they could interact
with other components of the trade-based money laundering
schema.
And all it really takes is one leg of maybe--a lot of these
trade-based money laundering schemes can include four or five
different hops, cars for drugs for whatever, and all you need
is one component to jump in and out of one of these virtual
currencies, whether they be centralized or decentralized--
probably more likely to be decentralized than centralized like
bitcoin, or decentralized--I am sorry, more likely to be
centralized than decentralized because when you are using a
system like bitcoin, a large transaction is going to stand out
and it will be tracked by Elliptic or Chainalysis.
But if you are bringing it in and out of a centralized
system and perhaps you are working with the Russian mob or
something like that, it is not going to show up and be detected
by anybody and it is going to allow you to basically lose the
trail of investigators that are following it through
traditional mechanisms.
So I think the first step has to be education. You have to
have people start to understand what is possible because when
we did that in past training there were huge breakthroughs that
resulted almost immediately because they found that, ``Oh, wow,
these bad guys were using these systems as part of this and we
just had no idea what we were looking at.''
Mr. Williams. Okay.
Let me switch topics really quickly, Ms. Haun. Section 13
of the Combating Money Laundering, Terrorist Financing, and
Counterfeiting Act of 2017, a bill introduced by Senators Chuck
Grassley and Dianne Feinstein, directs the Department of
Homeland Security and Customs Border Protection to provide a
report detailing the strategy to detect prepaid access devices
and digital currency at border crossings and ports of entry.
So my question would be, what are your thoughts on this
bill and what are the pros and cons of including prepaid cards
regulation--in that regulation?
Ms. Haun. I think that prepaid cards--we have seen that
prepaid cards are used by nefarious actors quite a bit, and so
I think that it is sensible to include prepaid cards, if that
is your question, in that bill. And I have only just seen
reporting of it; I haven't yet had an opportunity to read the
bill itself.
But I think this is what I was saying about giving--there
is already some regulatory guidance, but giving statutory--
making the statutes explicit give prosecutors a lot more of a
path, a clear path to bringing cases. And we saw this with 1960
where there was a case in Florida where a judge said, ``Well, I
don't think 1960 includes virtual currency.'' So I think this
would be getting at remedying something like that.
Mr. Williams. Okay.
I have a little bit if time left, so let me come back to
you, Mr. Dueweke. Can you go into more depth about the Identity
and Payments Association you launched and what role they can
play?
Mr. Dueweke. I had been part of a lot of conferences around
the world where I had heard story after story about the de-
risking of virtual currency providers, exchangers, remittance
companies, mobile payment companies that were basically losing
their bank accounts because banks didn't understand it, et
cetera.
And I saw that really what was needed was some sort of
public-private partnership to take all the regulators, the law
enforcement around the world that I had been working with in
training, bring them together with industry members to find a
common path forward where we could agree on best practices,
where we could agree on basically a coda like Visa and
Mastercard have--in fact, I have one of their former V.P.s
working with me on this--where you basically could set up a
rule-set where if you follow all of this, you identify a person
given these steps, you are not going to be liable to
prosecution, or you will be considered in somewhat of a
regulatory compliance.
And that would require this public-private partnership, so
that is at the heart of what the Identity and Payments
Association (IDPAY) is intended to provide, because there is
nothing like that globally. It is all done by individual
countries, and not very many of them are tackling this topic.
So because of the global nature of the ecosystem, it needs
to be tackled globally and it will require some sort of NGO to
do that.
Mr. Williams. Okay. Thank you all for being here.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizes Mr. Rothfus for 5 minutes.
Mr. Rothfus. Thank you, Mr. Chairman.
Mr. Levin, as we look at other governments hostile to the
United States developing anonymous weaponized cryptocurrencies
for use against us by criminal or terror organizations, do you
have any thoughts on how the U.S. or the international
community could counter those efforts?
Mr. Levin. Yes. Thank you very much for the question.
When I think about what this testimony is about, it is
about virtual currencies that are truly global and
decentralized. If the adversary is choosing to account for
trades within its own organization on some sort of ledger, that
doesn't really pertain to what Congress or anyone else can do
about those types of payments.
What we are talking about is a financial system in which
everyone in the world can access virtual currencies, as I
understand it, as bitcoin. And for that the U.S. Government can
have eyes on those types of transactions and would need to be
able to have tools in order to understand the purposes and the
actors that are behind those transactions.
So I am less worried, actually, about states producing
their own virtual currencies no matter what technology they use
because the risk to our society is mostly around being able to
fund and send value to anyone in the world to carry out acts
like we have seen in the past.
Mr. Rothfus. So you are not concerned about any kind of
internal--
Mr. Levin. Yes, because those types of systems already
exist, and while we cannot have eyes on them we have no way to
put any pressure on those types of systems.
Mr. Rothfus. If I could ask Ms. Haun, the idea that virtual
currencies out there, bitcoin, that is going to be an asset
that perhaps a bad actor is going to have. What would be the
possibility of using our asset forfeitures procedures to go
after that virtual currency? Can we do that? How would we do
that?
Ms. Haun. Yes. In fact, we have done that and we have used
exactly that authority.
So in a case I had we did, we seized those assets under the
asset forfeiture laws upon a proper, of course, judicial order.
And right now there are a lot of questions about, how do we
auction those off? What does the government--now that we own
these because they have been forfeited, what do we do? What
does the government do? We are the holders of bitcoin now.
And there is a series of disparate things that have
happened. The Marshals Service has auctioned them off, so yes,
we can do that, and we should do that.
In fact, in a case against an exchange in the United States
that my office did involving Ripple Labs in 2013, we brought
the first-ever enforcement action against a virtual currency
company. We teamed up with FinCEN to do so, and they had to pay
and forfeit a $700,000 penalty. They also had to take a number
of remedial steps so now when they collect customer data, they
must follow all AML laws, know-your-customers, and they collect
customer identity.
But I think that the asset forfeiture laws are an important
tool as part of this. That is particularly true if we are ever
to get to some of the overseas exchanges because, of course,
they have correspondent banking accounts with banks, including
in the United States. And I would think that would be an
appropriate case to use those laws.
Mr. Rothfus. Mr. Brito, do you foresee any widespread
acceptance of virtual currencies by small to medium-sized
businesses in the future whereby domestic criminals could
launder illicit profits into bitcoin or virtual currencies?
Mr. Brito. It is certainly possible. I think, however, that
cryptocurrencies like bitcoin really can't compete in the
developed world with our existing financial system. We have
credit cards; we have cash; we have access to just our phones
can pay for things, and you do it really frictionlessly and
very well.
Where digital currencies I think are going to really thrive
is going to be in the developing world where they don't have
access to those financial systems and there really isn't an
incentive for networks to go in and develop those networks. So
I think that is where we will see retail payments take up for
cryptocurrency.
In the developed world, where I think cryptocurrency has a
truly bright future are for really novel uses that our existing
financial system really can't accommodate--things like micro
transactions, transactions that maybe are trade settlements of
sort of other assets.
Mr. Rothfus. I yield back.
Chairman Pearce. The Chair now recognizes the gentleman
from Ohio, Mr. Davidson, for 5 minutes.
Mr. Davidson. Thank you, Mr. Chairman.
And thank you, to our guests. I really appreciate the
information you are giving us and the tools you are helping us
be equipped with to keep our laws current.
I am particularly struck by the analogies to the Internet,
but also it seems to me that some of this stuff with blockchain
is a little bit like the cell phone. Did criminals gain an
advantage when they could communicate by cell phone? Well, of
course they did, but so did the rest of the planet.
And I think they are going to be just about as hard to
contain, so those of you who have mentioned that, I think
people are going to be able to do blockchain transactions of
all sorts, including in currencies.
Mr. Wilson, I was particularly struck by your opening
remarks where you talked about how we can detect the activity.
And it seems that if we have this ability, which we
theoretically should, that we would be able to find the missing
Mt. Gox coins. Why can't we?
Mr. Wilson. We actually did find those. Chainalysis was the
official investigators in the Mt. Gox bankruptcy case and the
destination of those coins is definitely known.
Mr. Davidson. Okay. Terrific. So what happens to lost coins
in general? If they are stolen and you find them, what happens
when people lose them?
If you lose your credit card, you can cancel it. If you
lose your key to a car, you can get it re-keyed. What happens
when you lose cryptocurrency?
Mr. Brito. It is the same thing that happens when you drop
a dollar bill into a fire. If you lose a dollar and it is at
the bottom of the ocean or something bad happened to it, the
Federal Reserve does not replace it for you. It's the same
thing with bitcoin. It is gone.
Mr. Davidson. That's a bad password to lose.
Mr. Brito. Yes. Correct.
Mr. Davidson. Okay.
I guess without compromising trade secrets, how are we
doing--and I understand that, Mr. Levin and Mr. Wilson, your
organizations are working to track mixers and other tumblers,
things like this that are making it hard to find currency. Is
that accurate?
Mr. Wilson. Yes, it is. We are tracing those, as well.
Mr. Davidson. Okay. So these are the most complex things.
How is this different--so regular currency, foreign exchange is
regulated in the United States by the Commodity Futures Trading
Commission. They, rightly or wrongly--in my opinion, wrongly--
restricted the number of people who can trade currencies by
raising the capital requirements. I think it puts the U.S. at a
disadvantage in one of the world's most important markets, and
I am concerned that our regulatory framework with
cryptocurrency is going to further hinder our ability to do it.
Can't currency be regulated by one organization, whether it
is physical or virtual?
Mr. Levin. I think the answer to that could be yes, and it
would definitely allow businesses to be more compliant and put
their efforts into one domain. I think that also if that
regulator adopts technology that is in line with digital
currencies like bitcoin, and has tools and automation that will
definitely allow the United States to have a business
environment that thrives whilst thwarting bad actors.
Mr. Brito. Digital currencies are one of the most regulated
sectors within fintech.
Mr. Davidson. Yes.
Mr. Brito. And the reason for that is that they are subject
to many different regulators and jurisdictions, and so at the
Federal level you have the IRS, you have the CFPB, you have
FinCEN, and there have been FTC enforcements. There are many.
But really the largest sort of barrier is State-by-State
regulation, because if you are a digital currency exchanger or
some other kind of custodian for digital currencies, the
consumer protection regulation today is done at the State
level. So if you are an exchanger you need to get a license
from every State in which you do business.
Mr. Davidson. Right. Yes, so you made that point and it is
a good one, but why is digital currency so much different than
foreign exchange? Why would it be--what is necessary to be
treated differently about this other than you have to have
different technology?
Mr. Brito. Because digital currency exchanges are
considered money transmitters, and money transmitters are
regulated at the State level.
Mr. Davidson. So are foreign currency exchangers.
Mr. Brito. So it is kind of the same thing. You have the--
Mr. Davidson. Aren't they essentially involved in the same
business? If I want to convert U.S. dollars to pounds sterling
or euros or RMB, whatever, you can do that through--
Mr. Brito. It is similar. The one really different piece is
that foreign currency is defined in law, whereas digital
currency is defined as basically the other category. But that
is as far as money laundering is concerned.
Mr. Levin. I think also it is different in the sense that
you can operate very--and this is probably too technical for
this setting, but there are many different types of business
models that can exist built on blockchain technology, which may
not have perfect analogies in the existing financial system
which require people to actually understand the technology in
order to regulate it properly.
Mr. Davidson. All right.
I look forward to working with you all. My time has
expired.
Mr. Chairman, I yield back.
Chairman Pearce. I thank the gentleman. His time has
expired.
The Chair now recognizes Mr. Hill for 5 minutes.
Mr. Hill. I thank the chairman very much.
And I appreciate the panel's time. This has been a really
interesting discussion about a topic that probably needs more
exposure in Congress across a number of committees.
Ms. Haun, I was particularly interested in your testimony
because we have had a lot of talk about the currencies and we
have had a lot of talk about blockchain, but I am really
interested in the ways that we have our laws and our
regulations, our oversight structured in such a way that we do
a better job in our government of either assessing their need
for oversight, regulation at the Federal level, or the
interdiction, capture, and discovery of them.
So you referenced extensively in your testimony about our
MLATs around the world between the United States and our allies
and other countries, and you referenced some, the need to
modify our MLATs for this particular purpose. Could you go a
little bit more specific and tell the committee just what
particularly we ought to amend in our basic MLAT treaty with
other countries to capture this discovery and prosecution area?
Thanks.
Ms. Haun. And I should note that this isn't just a
problem--I also did a number of cybercrime cases not involving
cryptocurrency. This MLAT problem is not unique--
Mr. Hill. Yes, and you can be broad in--
Ms. Haun. Right. And so it really is a problem. I think if
you talk to prosecutors across the country who are dealing with
cybercrime and cryptocurrency cases they will tell you one of
the biggest problems is the problems of getting MLATs through.
And it is always--we are in a good position where we have
an MLAT, because at least then we have a country we can work
with.
But the problems are essentially these: the speed--the MLAT
process was developed decades ago, in the days where you didn't
even have e-mail. These were done maybe by couriered mail, and
the problem is that the systems have largely stayed the same.
And I will just give you an example. I had an MLAT going
and it was to a receptive country. The actual company in that
country wanted to give us the data. They would have e-mailed it
to us right away and it would have let us get the bad guy
instead of letting that bad guy keep doing bad acts.
But instead we have to go through the MLAT process, and
even to get it out of our own country to theirs took 5 months.
Mr. Hill. So have you seen an effort by the Department of
State and the Department of Justice to form a task force
between the two and streamline and make recommendations? And is
there anything Congress can do particularly on that?
Ms. Haun. I don't know that it is a State Department issue.
I think the Office of International Affairs in the Justice
Department is the entity that handles the MLATs.
And one of the things is you go from, like, say--I used to
be in headquarters, though I have been out in San Francisco for
the last 8 years. I am out in the field; I draft up the MLAT; I
have to send it back to the OIA attorney. They have five levels
of review.
I think it is off with the country, but no, lo and behold,
it comes back to me so we can fill out a budget form so that we
can get it translated. In other words, it hasn't even gone to
our foreign counterparts who are sitting there waiting to turn
over the evidence to us.
The budget form is completed and then we have--
Mr. Hill. The ship is in the dock waiting to transport.
Ms. Haun. Right. Then we have to go to a certain kind of--
not just any translator. Only certain ones are approved.
They have a backlog because they have all the government
contracts, so they are not going to be able to translate ours
quickly.
Okay, so you already see the point. The problem is even
leaving--even a fully baked MLAT to get overseas, it doesn't
happen for months. And that is in a good case. That is in a
high-priority case where the department is willing to pay to
expedite and the rest.
And the problem with that system, Congressman, is that what
ends up happening is we even now need to send MLATs to get
evidence preserved. If a company overseas has a 3-month--as
some of these telecom companies do--preservation period, if we
don't get an MLAT request over for 6 months, our evidence is
just gone.
So I think part of the problem is internal and the
processes by which it goes, and I don't want to upset any of my
colleagues in the Justice Department by suggesting that
Congress needs to form a task force, but it is something that
really needs to be looked at, the process in the age of
cybercrime and in the age where--we are moving to a world where
more and more evidence in every case is electronic, right, no
matter the type of case.
I don't know if that illustrates--
Mr. Hill. I appreciate your passion on the answer. This has
come up in previous testimonies in the last Congress, not quite
with the passion and the direct answer that you have given
today, and I appreciate your service in criminal prosecutions,
your service to the people of the United States
And, Mr. Chairman, thank you for the opportunity to
question.
Ms. Haun. Thank you.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizes Mr. Budd for 5 minutes.
Mr. Budd. Thank you, Mr. Chairman.
And I thank the panel, as well, for your time.
I think it was Mr. Brito--you mentioned earlier that you
would lose--as you lost a dollar bill in a fire, you could lose
virtual currency. Isn't there some sort of a virtual wallet
that is recommended or a best practice? And if so, could you--
if that does exist can you explain what that is and how it
works?
Mr. Brito. Yes. Sure.
So there are essentially two ways in which you can hold
digital currency--kind of the same as cash. You can hold it on
your person the way you might hold a $100 bill with you, or you
can deposit it with a custodial institution. So if you deposit
it with them and they are regulated and you trust them and they
have good security measures, that is pretty safe.
If you decide to hold the digital currency yourself it has
one advantage that a dollar doesn't, which is you can make a
backup copy. Of course, you have to keep that backup copy safe.
But that is essentially it. You want to use some good,
reputable wallet software, something that is open-sourced and
that has been audited by the community; and you want to make
sure that you have good backups in safe keeping, in safe places
and that you never forget your password.
Mr. Budd. Okay. Very good.
There was a great interview recently--I think it is a good
101 for a lot of us in here who are new to this--on The Tim
Ferriss Show with Nick Szabo. I don't know if he is a
recognized name in your industry, but it was a great primer
earlier this week for me.
I went to Seoul, Korea, last week and to the DMZ, and as we
looked over into North Korea you could see that there is not
much of an economy there, and yet it is a country that we have
seen is very strong in cyber offense, and that is--they have
doubled down on that, as we know, moving towards a nuclear
state, as well.
But with their cyber, what do we see--and this is--I will
open this up to the whole panel--what do we see a country like
North Korea doing with illicit uses of virtual currencies?
Mr. Brito. I have seen media reports that some of the
ransomware that we have seen attack different private companies
and public sector organizations could be traced back to North
Korea.
Mr. Budd. Right.
Mr. Brito. And you can imagine that North Korea, if this is
true, would see ransomware as a revenue-generating activity. Of
course, if they acquire bitcoin or some other digital currency
they need to offload that and so they would need to go through
an exchange. I bet they would go through an unregulated,
unregistered exchange.
Mr. Levin. So I have seen the same sort of reports,
although, as Ms. Haun will know, the attribution in cybercrime
cases is very, very difficult to attain the identity of people
who do them. What I have seen is--and I mentioned it in my
written testimony--ransomware campaigns run in domains that I
would consider hotbeds potentially for a terrorist activity,
and it is about making a profit out of this type of activity in
order to fund operations, so I think that risk does exist.
We actually have seen that there are very limited exchanges
in a lot of these places, so we monitor for, is there liquidity
in those local markets to cash out for virtual currency
activity? For example, there is no domestic North Korean
exchange that you can cash virtual currencies into local
currency; however, there are virtual currency exchanges in
other parts of the Middle East, although liquidity is fairly
limited. I know of two exchanges where the joint liquidity in
their existence has been $2 million.
Mr. Budd. Wouldn't you say, Mr. Levin, that it would be
better for a country like North Korea to stay in virtual
currency rather than egress or come out of it?
Mr. Levin. I would say the most likely thing that would
happen is that they would use the virtual currency in order to
pay for potentially incident infrastructure that actually
exists, maybe even in the United States or off shore.
Mr. Budd. And for the panel--I'm sorry, Ms. Haun, did you
have a comment?
Ms. Haun. Oh, no. Thank you.
Mr. Budd. For the whole panel, as well--sorry, I had
another question there--do you have any idea as to the total
volume that you would see North Korea doing through virtual
currencies?
Mr. Levin. Geographic identification of virtual currency
transactions is somewhat difficult, especially where there is
no exchanger present in that local market. So companies like
mine can identify the services that are providing virtual
currency services like exchange, like merchant processing, but
if there are no sort of North Korean exchanges it is very
difficult for us to be able to assess how much volume is in
North Korea.
Mr. Budd. Thank you.
I yield back.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizes Mr. Lynch for 5 minutes.
Mr. Lynch. Thank you.
I know the last time we spoke, we discussed the committee
members perhaps taking advantage of the webinars or any other
training opportunities to educate the Members, so committee
staff will be reaching out to each of you on that.
Let me give you an extreme example: Somalia: We are having
problems--a highly insecure environment, very low capacity
among the government there, a fair amount of corruption. All of
the banks have basically pulled out of that area. They won't
even set up ATMs anymore. Al-Shabaab is very active.
The secure district is actually limited to a small sub-
district in Mogadishu around the airport, and when we fly in it
is tough to get out of the airport until really recently. And
again, they get this aversion by regular banks, so remittances
can't get in there. So we have a real problem.
How could this system, cryptocurrencies--I know we are sort
of war-gaming this on the fly, but how could this help in an
area like that where we have had such--so there is so much
reputational risk on the part of the banks that they won't go
in there because of our--ironically, because of our
antiterrorist financing laws--Bank Secrecy Act and all those.
So the banks won't go near it because they will say, ``We don't
want to be prosecuted in case Al-Shabaab gets the resources.''
Is there an opportunity here that, on payment systems, is
there some way we might help the people who just want to send
money back to their families?
Mr. Dueweke. Absolutely. Yes, and I think that is one of
the keys cases that drove me to create the Identity and
Payments Association, where you have a community that is cut
off from the banking world that is relying on remittance
systems like Impesa or WorldRemit or a few others, that have
been impacted by AML and CFT efforts that have cut them off in
some instances from Somali populations in Minneapolis or
wherever.
And while they are relying on those systems now, they are
prone to disruption, and certainly having an enhanced, in this
case, cryptocurrency or decentralized virtual currency
connection point with those systems, if done in concert with
somebody like WorldRemit who is a very responsible player and
tries very hard to identify the users of its system, then you
would have an even more reliable, more transparent component
where you would have bitcoin or a blockchain-based system be
able to interface with those last-mile mobile payment
remittance providers.
So yes, I think it would be able to extend the secure
paradigm further out into the Somali populations to allow them
to get money to those people who need it the most, and do it in
a responsible, transparent way. But you are going to have to
have some sort of relationship with a lot of different players
because there a lot of Somali populations around the world.
Mr. Brito. And if I can address that, so the--
Mr. Lynch. Sure.
Mr. Brito. If I could just say that--
Mr. Lynch. Please, yes.
Mr. Brito. --the Charity and Security Network is a
nonprofit that represents other nonprofits--
Mr. Lynch. What is the name of it again?
Mr. Brito. Charity and Security Network.
Mr. Lynch. Okay.
Mr. Brito. And they published a report recently that looked
at exactly the problem you are describing, and it is not just
conflict areas like Somalia or Syria where they are having
trouble getting payments in. It is Latin America; it is Europe,
even.
And we are actually going to be--the Coin Center will be
working with the Charity and Security Network to develop a
pilot program to potentially send grant money from the United
States to Mexico, to nonprofits in Mexico who are running grant
programs using bitcoin.
Mr. Lynch. Wow. That is great.
Mr. Levin. I could also add--
Mr. Lynch. Mr. Levin?
Mr. Levin. --I think the interesting thing about having a
cryptocurrency on the underlayer of this is that the
traditional financial system relies, when money goes from a
bank to a money transmitter and then gets sent to Somalia, the
bank gets very nervous because it has no ability to have any
insight into the underlying transaction to the customer's--
their customer's customer.
What bitcoin allows--and I have actually implemented this
with Barclay's and Circle Financial, which are two sort of
well-known fintech companies--is that the bank is actually able
in real time to know what is the underlying activity of its
customer, not on an individual who is the identity of the
person, but potentially what is the exposure to underground
market activity, or ransomware, or the terrorist financing
activity that we are interested in.
So I would like to point to that case, and I'm happy to go
further in more detail.
Mr. Lynch. That is great. Thank you.
My time has expired.
Chairman Pearce. The gentleman's time has expired, and the
Chair now recognizes Mr. Pittenger for 5 minutes.
Mr. Pittenger. Thank you, Mr. Chairman.
Again, I thank each of you for being here to give us your
sound advice.
We are dealing with very sophisticated people, as we have
found in the past. And this is not a backyard gang of hoodlums.
They look for every possible avenue to complete their efforts.
I would like to say that as we consider the
cryptocurrencies, while they are not well-known to the public
at large and they are growing, certainly to these folks it is
on--they are on the radar screen and we, as I said earlier,
should anticipate that they will be more engaged, more likely
in--outside of the United States, as you said, where there is--
we don't have the capacity for oversight that we have here.
I would welcome your involvement, particularly with the
media. I think you play a role there and I think you could help
define what you are doing in terms of defensive postures, and
offensively, and to mitigate this concern.
I think we need, each of us, to speak to this more to let
the public and, as well, that the Congress be more adept in
these concerns. So on your radar screen I hope that you will
consider a more aggressive outreach to try to work with the
media and to help tell your story.
Thank you very much. I yield back.
Chairman Pearce. The gentleman yields back.
The Chair yields himself another 5 minutes.
Mr. Wilson and Mr. Levin, as we discussed the WorldRemit
and the retroactive nature of it, in the current system can we
assure the same way that Western Union might be able to assure
that crypto going into Syria or Somalia could be traced and may
be stopped before the incident is--discuss that just a bit if
you can.
Mr. Levin. Mr. Chairman, so when you send virtual currency
transactions outwards you may not know the geographic
distribution of that--where the person you are about to send it
to, because if you consider bitcoin it is--transfers within
bitcoin are not sent to routing numbers or account numbers that
have any real-world identification system. Instead, what you
need to do is then look after the fact in order to understand
what is the activity potentially for that transaction.
If we go back to the analogy of the masks, if you are
sending it to someone that you have seen before then you might
know that this is, yes, this bitcoin address does belong to a
virtual currency exchange in Iran, for example, and you would
be able to block that at the time of transaction if you are
sort of an exchange here in the United States. However, if
someone is using a new virtual currency address, which are
quite easy to create, there is no way to know that at the time,
and instead these companies are forced to retrospectively look
at all of their transactions in order to identify what was the
activity maybe after the fact.
Chairman Pearce. Mr. Wilson?
Mr. Wilson. Exactly what Jonathan said. What we do is after
the fact look at the transaction and we can tell, again, if
this is something that is masked. And we have already tagged it
to be a nefarious exchanger or a nefarious entity we can then
alert the institution that is making this transaction and say,
``Hey, this is a possible place that you don't want to send
money.'' So that is kind of how it works right now.
Chairman Pearce. Ms. Haun, I would appreciate your
observation on the same question if you can, because really
looking at Western Union and their--I guess that they know both
parties, that we have some understanding of who is on the other
end, and they have been--will maybe even blacklist entire
regions because of the risk, but it is not anonymous sites
either.
Do you have an observation?
Ms. Haun. I am not sure. I also know that Western Union has
actually been paying some hefty fines and I think was just the
subject of a FinCEN enforcement action about a year ago--
Mr. Dueweke. $800,000.
Ms. Haun. $800,000, yes.
Mr. Dueweke. Or $800 million, I am sorry.
Ms. Haun. $800 million. That sounds--for not always
following the things that they are supposed to do under the
law.
But I think I agree entirely with what Mr. Wilson and Mr.
Levin said. I don't have much to add beyond that other than to
say it is much more difficult where you don't know where this
is going to unless you have a way of--if they haven't used a
mixer or a tumbler and they are using the same virtual currency
address, but they rarely do. The sophisticated people who are
moving money use sophisticated mechanisms and they create new
addresses.
Chairman Pearce. Okay.
I would like to thank each one of you today for your
testimony.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
I ask our witnesses to respond as promptly as you are able.
I would mention that I think everyone on the subcommittee
really appreciates the directness and the depth of your
analysis and the substance of your answers. I think that all of
you provided very valuable insights into a field that we must
be learning a lot more about.
With that, the hearing is adjourned.
[Whereupon, at 11:54 a.m., the hearing was adjourned.]
A P P E N D I X
June 8, 2017
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]