Preparing for Potential Compliance Violations
Companies engaged in cross-border commerce are uncertain about how the use of Bitcoin and other cryptocurrencies may heighten the risk of noncompliance with the Foreign Corrupt Practices Act (FCPA) and other anti-fraud and corruption regulations. Consider what risks may arise and what controls might be needed to keep an aspiring but misguided employee from successfully executing a payoff without being caught.
with co-author Kevin Corbett
Company X is bidding on a major industrial contract in an emerging market, a piece of business that could catapult it to a record year. The Sales Vice President leading the proposal team is energized to deliver a win and reap the bonus and quick promotion to follow.
But it’s not looking good for the bid. At least that’s what a government official told the VP at a recent charity event. The official was willing to take a fresh look at the matter, especially if he had an extra incentive to do so. The Sales VP wanted this deal to happen, both for his own benefit and that of the company. This VP was going to make it happen.
“One more thing, my friend,” said the official. “Kindly make it in Bitcoins!”
Bribes reach the hands of public officials through many routes, from cash payments and excess commissions to charitable contributions, sponsorships and lavish travel. The emergence of Bitcoin and other cryptocurrencies brings another option into the mix.
Blockchain, the distributed ledger technology that underpins these currencies, is a mechanism for exchanging value and transaction information online without an intermediary. As such, it has the potential to disrupt virtually every industry.
With disruption comes risks and uncertainties. Companies engaged in cross-border commerce are uncertain about how the use of Bitcoin and other cryptocurrencies may heighten the risk of noncompliance with the Foreign Corrupt Practices Act (FCPA) and other anti-fraud and anti-corruption regulations. As companies contemplate the possibility of using cryptocurrencies, it is important to consider what risks may arise and what controls might be needed to keep an aspiring but misguided employee, such as our hypothetical VP, from successfully executing a payoff without being caught.
How a Corruption Scheme Might Unfold
Both the sales VP and the government official have a role in setting up the Bitcoin bribe. Here is a possible sequence:
- The VP and the government official each create a Bitcoin wallet, an online repository for digital currency. The wallet is software downloaded and controlled by the user, similar to an online wallet storage.
- The VP purchases Bitcoins through one of hundreds of online exchanges and stores them in the wallet.
- Bitcoin users each have multiple Bitcoin addresses, which are single-use tokens used for transactions. The government official creates a new address to which the VP sends the payment.
The vehicle for value transfer cryptocurrencies provide is paradoxically both anonymous and transparent. Bitcoin transactions are permanently recorded and traceable. At the same time, some online exchanges do not require verifiable personal information to purchase Bitcoins. For example, Dark Wallet was launched in 2014 as a Bitcoin application to protest users’ identities and was described by its founder as “money-laundering software.” On some cryptocurrency platforms, users are able to utilize fake names and addresses, making it harder to identify the individuals or entities behind the payments. The VP, therefore, might recognize the benefits of utilizing a cryptocurrency platform that offers him anonymity so that he increases his chances of not getting caught while making the aforementioned bribe. Additionally, Bitcoin mixing (putting one’s coins into a larger pool with coins from other sources) scrubs the linkability and traceability from them, making it harder to track specific payments entering the mixing service to payments exiting it. A user may also opt to use newer protocols such as Zcash, a cryptocurrency that utilizes zero-knowledge proof constructions to mask the identity of users.
Other Risks Posed by Cryptocurrencies
How could a company uncover the VP’s payment to the government official? A typical investigation would involve combing books and records for round-dollar or one-time-vendor payments. But what would be the mitigating control to identify a cryptocurrency transaction? Could the transaction go undetected?
Another problem with cryptocurrencies is that their online networks are vulnerable to hackers. For example, in August 2016, some US$65 million in Bitcoins were stolen from the Hong Kong-based Bitfinex exchange platform. Therefore, a legitimate entity could potentially obtain Bitcoins in a presumably above-board transaction from a fraudster who stole Bitcoins through a hack. That transaction might then be traced back to a payment for some illegal activity, and exchanges could commence to blacklist the legitimate entity for engaging with the fraudster.
Regulators are Taking Notice
Regulators in the United States, Europe and around the world have begun to take action to prevent companies and individuals from utilizing cryptocurrencies to launder money or conduct other illegal activity. First, governments have started to establish legal frameworks for regulation of cryptocurrency usage. For example, in the United States, the Financial Crimes and Enforcement Network (FinCEN) stated in 2013 that “digital currency firms need to comply with the same anti-money laundering rules as other financial institutions, including monitoring customers and reporting suspicious activity to the government.” Additionally, governments around the world have made numerous arrests for Bitcoin-related money-laundering involvement. Intelligence and justice agencies are employing increasingly advanced technology to identify the users behind illicit cryptocurrency activity. These advanced technologies, combined with traditional investigative techniques, helped the U.S. Justice Department identify the Bitcoin wallet of Ross Ulbricht, who was arrested for running Silk Road, an online drug bazaar.
However, some countries have yet to form coherent policies toward cryptocurrencies, and regulation on this topic is still a mixed bag worldwide.
What Companies Can Do to Prepare
Given the increasing regulation of cryptocurrencies and the risks presented by usage of this technology, companies need to take proactive steps to ensure that cryptocurrencies are not being used for bribes and other illicit activities. Here are some steps companies can take to ensure the legality of their cryptocurrency activities:
- Conduct a detailed assessment and monitoring of current and potential corruption schemes using cryptocurrencies and enhance the control environment as needed.
- Give careful consideration to the people within the company who can conduct business in cryptocurrencies, which Bitcoin addresses can send payments and to whom payments can be sent so that companies can track all users who utilize this technology for business purposes.
- Closely monitor traditional company bank accounts for transfers that involve the purchase of cryptocurrencies.
- Stay alert to the potential for dirty money — money used in some sort of criminal activity — to be laundered through Bitcoin mixing that could potentially infect a legitimate transaction.
- Train employees on compliance with FCPA and other requirements, including how to identify new red-flag schemes that involve the use of cryptocurrencies.
Becoming Cryptocurrency Ready
Cryptocurrencies, and the scams and schemes they can potentially spawn, represent new forms of business opportunity and risk. The first chapters of their story are just now being written. If the variety and pace of developments to date are any indication, the activity in this field is only likely to accelerate. By understanding digital currency and carefully planning for the emergence of new cryptocurrency applications, companies can be better prepared for the emerging era of digital commerce and an overeager VP who may try to use this technology to conduct illegal activity.Corporate Compliance Insights is a wholly owned subsidiary of Conselium Executive Search, the global leader in compliance search.