red 
Last week Elliptic became the first blockchain analytics provider to offer support for MimbleWimble on the Litecoin blockchain. In this article, we describe how compliance teams can manage the risks associated with privacy-enhancing technologies, such as MimbleWimble, while meeting regulatory requirements.
One of the most challenging – and controversial – issues facing compliance teams in the crypto space relates to privacy-enhancing technologies.
On May 19, developers of the crypto-asset Litecoin implemented technical upgrade called MimbleWimble Extension Block which hides information about participants and amounts of Litecoin transactions.
Launched in 2017, Litecoin originally had a fully transparent blockchain, ensuring that transaction details could be easily traced. This transparency has allowed many cryptoasset exchanges and financial institutions to offer Litecoin trading services while satisfying regulators that they can manage the risks of financial crime.
However, with the implementation of the MimbleWimble upgrade, Litecoin users will have the ability to selectively protect their transaction information, achieving improved privacy. (You can read our detailed technical explanation of how MimbleWimble works here).
MimbleWimble’s upgrade has led to some regulated firms – such as crypto exchanges in South Korea – to ask if they can still offer Litecoin to customers while complying with Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regulations.
Can regulated firms still offer Litecoin and remain compliant?
In short, the answer is yes. Your business can continue to offer Litecoin trading services while achieving regulatory compliance, despite the MimbleWimble upgrade.
But successfully managing Litecoin transaction risk requires your compliance team to understand regulatory privacy expectations in cryptoassets, as well as how to use blockchain analytics to mitigate risk.
Transparency and privacy on the blockchain
Bitcoin, Ethereum and most other cryptocurrencies are highly transparent: details of transaction and counterparty values are fully visible on public blockchains, even though they are presented pseudonymously.
That is, the identities of the other party appear as alphanumeric wallet addresses rather than names. However, when a wallet address can be attributed to a specific actor (such as a cybercriminal or a sanctioned entity), it becomes possible to learn a significant amount about their transactions.
Recognizing that Bitcoin and Ethereum transactions can be easily traced, innovators have developed various privacy-enhancing technologies to reduce traceability on blockchains.
One type of privacy-enhancing technology is crypto mixing or mixing coins. Mixing involves the use of services that collect funds from multiple users of Bitcoin, Ethereum, and other transparent cryptoassets and then redistribute those funds to obfuscate the trail. The commingling can involve centralized services that take custody of the user’s funds, or it can be done through “wallet privacy” – software that enables a form of decentralized mixing.
Another method to reduce visibility on public blockchains is to use privacy coins. These cryptoassets have anonymizing features built into their design, ensuring that transaction details are obscured.
Among the most widely used privacy coins is Monero. Monero has default privacy, which means all transactions are anonymized.
Other privacy coins have anonymization options. These include the privacy coin Zcash and now Litecoin. Opt-in privacy coins allow users to perform unprotected transactions with information that is fully visible on the blockchain; or users can choose to use secure addresses that hide transaction information, as in the case of MimbleWimble-enabled Litecoin transactions.
These technologies improve privacy for legitimate crypto users, but can also prove attractive to criminals. For example, Tornado Cash is a mixer that improves privacy in Ethereum transactions, but it has been exploited by illegal actors such as North Korean cybercriminals are trying to evade sanctions. Similarly, Wasabi Wallet is a privacy wallet that uses a form of decentralized mixing and has exploded in popularity among criminals using Bitcoin.
Among privacy coins, Monero has proven particularly popular with criminals, such as sellers darknet markets and ransomware gangsdue to the strength of its anonymizing features.
Regulatory expectations
The criminal use of privacy-enhancing technologies was not lost on regulators.
Regulators have generally been content to allow trading in transparent cryptoassets such as Bitcoin and Ethereum with few restrictions. Blockchain analytics solutions like those introduced by Elliptic, allow compliance teams to easily monitor transactions in these transparent coins for signs of high risk or prohibited activity.
Consequently, regulators – such as the New York Department of Financial Services (NYDFS) – now treat blockchain analytics as a core component of AML/CFT and compliance with sanctions for cryptoassets.
But where privacy-enhancing technologies are involved, regulators expect firms to take into account the increased risk of illegal activity.
According to guidance issued by the Financial Action Task Force (FATF), the global AML/CFT standard setter, regulators should ensure that the firms they supervise “can manage and mitigate the risks of engaging in activities that involve the use of technologies or mechanisms to enhance anonymity”.
Most regulators allow crypto exchanges to implement a risk-based approach when it comes to privacy coins. That is, rather than articulating a one-size-fits-all standard, many regulators will allow regulated businesses to engage in these technologies where they can demonstrate that adequate safeguards are in place to protect against the increased risks of financial crime.
Some privacy coins like Monero that have default anonymity are largely impervious to blockchain analytics. Consequently, most regulated crypto exchanges will not list Monero. Many have concluded that offering Monero trading while remaining compliant is simply impractical.
Mixers and privacy coins are different. Although certain transaction information is hidden, enough information is available on the blockchain to achieve regulatory compliance when processing transactions involving mixers and privacy coins.
Consider the case of a mixer. A regulated crypto exchange cannot identify the ultimate source or destination of funds if its clients’ transactions involve mixers. However, by using blockchain analytics, an exchange can identify that its clients’ transactions include exposure to mixers—information that the exchange can then take into account to assess the riskiness of certain transactions or to decide whether to file suspicious activity reports (SARs).
Opt-in privacy coins work in a similar way. When a customer of an exchange sends or receives transactions to the protected addresses of a privacy-enabled coin, such as Zcash or Litecoin, the exchange cannot see further. However, they can still use this information to assess the level of risk and determine whether a SAR filing is required.
It is for this reason that regulators such as the NYDFS have allowed regulated businesses to list privacy coins that have opted in, such as Zcashsupported by Elliptic through our industry-leading blockchain analytics capabilities from June 2020.
Risk management for Litecoin wallets and transactions
Cyptoasset exchanges and financial institutions should therefore be confident that they can offer Litecoin to their customers despite the MimbleWimble upgrade. This requires leveraging blockchain analytics capabilities at various points in the compliance workflow for risk management.
First, you need to be able to review Litecoin wallets before you allow your customers to make withdrawals. Elliptic is currently unique among blockchain analytics providers in offering this capability to MimbleWimble.
Using our pre-transaction verification solution Elliptical Lensyour compliance team can determine if your customers are trying to withdraw Litecoin to wallets that contain MimbleWimble’s confidentiality feature.
Using Elliptic’s configurable risk rules, you can then assign risk scores to mark those protected wallets as higher risk. Your compliance team can then take appropriate steps to mitigate those risks through Enhanced Due Diligence (EDD) measures – such as asking the customer for additional evidence of the purpose and intended destination of their transaction, or applying limits on the value of withdrawals they can make to protected wallets .
,
The image above from Elliptic Lens shows how a compliance team can review a Litecoin wallet to identify exposure to protected MimbleWimble addresses, assigning a risk score that compliance teams can use to assess the wallet in question.
Similarly, your compliance team can manage the risks associated with MimbleWimble using our transaction screening software Elliptical Navigatorwhich allows you to identify when your customers deposit Litecoin from or withdraw funds that end up in secure wallets using MimbleWimble. You can assess these transactions as higher risk and then perform an appropriate EDD or file a SAR if you still have concerns.
Privacy-enhancing features like MimbleWimble create challenges for compliance teams, but they can be successfully managed. Elliptic’s blockchain analytics solutions are unique in supporting MimbleWimble and enable your business to offer Litecoin trading services while ensuring you stay on the right side of regulations.
To learn more about how Elliptic solutions can help, contact us for a demo.
Key takeaways
- Make sure you understand the regulatory requirements regarding privacy-enhancing technologies and cryptocurrency.
- Make sure you can identify Litecoin addresses and transactions using MimbleWimble by reviewing them with blockchain analytics solutions like Elliptic Lens and Elliptic Navigator.
- Ensure your staff is trained to identify key red flags and risk indicators related to privacy coins and mixers.
