Economic Crime and Corporate Transparency Bill – in a Public Bill Committee at 10:05 am on 25 October 2022.
We will kick off. You are very welcome, witnesses. Thank you for joining us. Would you be so kind as to briefly introduce yourselves and your positions?
Arianna Trozze:
Hello everyone. My name is Arianna Trozze, and I am a PhD researcher at University College London. I look at detecting and prosecuting financial crime involving cryptoassets, and for the past year I have also been advising the Home Office on a part-time basis on technical aspects involving cryptoassets in relation to this Bill.
Andy Gould:
Morning. My name is Andrew Gould. I am a detective chief superintendent with the City of London police. My job is to run the cyber-crime programme for the National Police Chiefs’ Council, which is focused on building capacity and capability across policing.
Thank you. We will go straight into questioning.
Q Thank you very much. First of all, I have a question for you, Mr Gould. The national fraud policing strategy states that the police’s response to fraud is delivered by local forces, but capability across those forces varies widely. It mentions the regional organised crime units being very limited in their capacity. Do you think that that situation has improved since 2019, when the report was published, and could you say a bit about what extra resources the ROCUs need?
Andy Gould:
Sure. Fraud is not really my area of responsibility—I am focused very much on Computer Misuse Act offending—but yes. I know there has been significant additional resource put into the ROCUs for fraud in the last couple of years. Is there enough capacity to meet the demand? Probably not. What policing probably needs to do is take a slightly different approach. Rather than trying to investigate those volume crime offences, it should focus more on those organised crime groups or individuals that are doing the most harm. That is the kind of pivot that policing is trying to make, in terms of being more proactive. I know Commander Adams is giving evidence this afternoon, and he will be able to tell you more about that.
Q Thank you. I have a question on cryptoassets. Do you think, broadly speaking, that the enforcement agencies have the expertise that they need to deal with the economic crime dimensions of the cryptoassets issue?
Andy Gould:
Yes, I do. I think we have got the capability, but what we lack is capacity. The capability we have got today does not necessarily mean we will be able to maintain that capability tomorrow. We have invested, through the national cyber-security strategy and the programme through Government. We have got about an extra £100 million that has been invested over the last four years or so, building capability across policing. Some of that money we have effectively taken into crypto, so that cyber money is being used to cross-subsidise wider policing. We have created what we describe as cryptocurrency tactical advisers across the whole of policing. There are now officers in every force and every regional organised crime unit who are trained and equipped to do that. We have nationally procured the investigative tools to enable them to progress the investigations, and we have a national storage platform to store that once we have seized it.
We are in a position where we have actually seized hundreds of millions of pounds’ worth of cryptocurrency assets within the last year or so. The challenge we have is that it is getting harder and harder to do. The assets themselves are becoming more diverse and more technically complex, so our officers are in a bit of an arms race trying to keep up.
On the tools that we use, you might have one supplier that is brilliant on Bitcoin but not so good on another asset class, so we need more than one investigative tool to be able to investigate effectively. That is very expensive. One of the providers is currently quoting $60,000 to $80,000 per licence. That is unachievable, or unsustainable, for policing. We need to procure nationally for everybody, so we have an 80% discount on our current investigative tool, taking that approach.
The big worry for me at the moment is not just the technology changes and whether we will be able to maintain that level of resourcing and expand the capacity across policing; we have created a real staff retention problem. Because crypto is an emerging market, some of the best expertise and understanding of crypto in the UK sits within policing. We have been investigating cryptocurrency since 2015 or 2016. One of my sergeants has just been offered 200 grand to go to the private sector. We cannot compete with that. That is probably the biggest risk that we face within this area at the moment.
Q Thank you. Ms Trozze, I know that you are a specialist on crypto, so would you like to add anything to that?
Arianna Trozze:
I would echo Andy’s point about the difficulty of tracing certain cryptoassets and investigating certain chains and things like that, and how this is evolving rapidly in competition with the existing providers and the blockchain services themselves. It gets more and more difficult to investigate as time goes on. You need more and more capacity building and investigative tools. At the same time, the crypto companies and the blockchain companies are seeking to develop their technologies in ways that will evade that detection, so it is a constant race between the two sides to be able to effectively investigate and prosecute these crimes.
Q Leading on from that question, we are putting a lot of provisions in the legislation. Is the legislation sufficient to keep pace with those technological changes?
Arianna Trozze:
One of the key ways that legislation can future-proof itself in the face of this rapidly developing technology is via the definitions. I think that the definition of cryptoasset in the Economic Crime and Corporate Transparency Bill is sufficient to do that. Probably most importantly, the inclusion of cryptographically secured contractual rights means that the definition will cover smart contracts, which is really the technology that underpins all the major advances in the space of, for example, decentralised finance and non-fungible tokens that have taken place, and that we expect to continue to develop in the coming years. Furthermore, the ability to amend those definitions via secondary legislation is clearly a positive, because in the event that something slips through the cracks and develops in a way that we cannot anticipate, it will make it more efficient to change them.
Q Are the measures in the Bill sufficient to protect consumers from being victims of economic crime via crypto?
Arianna Trozze:
Because they are very clear that they include cryptoassets, it really makes the rules clear for everyone in the industry. Consumers then know as well what rights they have. My view is that it obviously cannot do everything, but the fact that there are provisions for victim compensation goes a long way to also protecting consumers. Obviously, it does not prevent the crimes from occurring, but it helps them to recover the losses.
Q Briefly, how do you feel the measures in the Bill relate to the other measures around regulation in the Financial Services and Markets Bill? I am conscious that the two Bills are going at the same time.
That is okay. No problem.
Q When we talk about things like cryptoassets, it is difficult for lay people like me—I am sure I am not alone—to envisage what exactly we are talking about. I recognise some of the operational sensitivities under which you are working, but would it be possible for you to give us an illustration of how cryptoassets have been used to disguise this activity?
Andy Gould:
Probably the most obvious area would be around ransomware, which is if you are an organisation and you get hacked and attacked and then lose access to all your files or systems, and then get a demand from a cyber-criminal saying, “Okay, if you want to get access back, you have to pay”—basically, an extortion demand. That extortion demand will virtually always be in cryptocurrency, because there is a view that that is harder to trace.
Depending on the kind of cryptocurrency, the traceability varies. Effectively, a lot of the technology that sits behind cryptocurrencies is based within what is described as the blockchain. Arianna is much better at explaining this than me, but the blockchain is effectively a public ledger, if we are talking about Bitcoin or something like that. We can see all the transactions. It is like your bank account or NatWest or any other bank doing its transactions in the public space—everybody can look at them. It is effectively decentralised and very public, so there are real benefits in that. The anonymity comes from not knowing who is sending what or who is who, in terms of the bank accounts—the wallet equivalent.
That provides opportunities to follow the money, but, although you might be able to see where the money goes, you will not necessarily know who has sent it or who has received it. There are other investigations you would need to do that. And there are tools—mixing services or exchanges—that will jumble it all up and then send it elsewhere, and you will not be able to see what has come in compared with what is going out. That is why criminals like to use it—because, as they see it, it covers their tracks effectively.
Arianna Trozze:
One way to make it a bit clearer is to situate cryptocurrency money laundering in the traditional phases of money laundering. When we talk about money laundering, we tend to talk about three specific phases—placement, layering and integration. In the crypto space, placement may look like someone depositing their Government-issue currency into a cryptocurrency exchange, and exchanging it for cryptoassets, or potentially using what is called a fiat on-ramp to buy cryptoassets using their fiat currency. They may also use something like an over-the-counter broker, which may allow them to buy cryptoassets using cash.
Then, the layering process follows, which is kind of what Andy was talking about, in terms of trying to obfuscate the origin and trail of funds. There are a lot of different tactics that the criminals can use to do that. As Andy mentioned, they may use mixing services, to try to break the chain. They may create thousands of different cryptocurrency wallets and accounts and transfer the funds among them in order to make it more difficult to trace. They may exchange them for various different types of cryptoassets, including privacy coins, which we, again, have a lot of trouble chasing, although there have been advancements in that regard. Finally, they may move to completely different blockchains, using what are called blockchain bridges, and that further makes it more difficult to trace—as Andy mentioned before, different providers have different capabilities and different expertise in terms of which chains they specialise in and which assets they are able to trace. That is something else that they may do to hide that trail of funds.
Finally, we have the integration process, which is criminals using those now-cleaned funds for mainstream economic activity. We know that sometimes they may seek to keep those funds in cryptoassets in an attempt to further their gains, speculatively investing in the market; or they may, again, use one of these exchanges or what is called a fiat off-ramp to transfer their cryptoassets back into pounds or any other currency.
Q It is really the complexity that is the barrier, is it not? The actual use of cryptoassets of itself brings an additional complexity, so it is clearly an ideal tool for those who are up to no good.
Andy Gould:
To give you a sense of the scale of the challenge, there are thousands of different forms of cryptoassets or cryptocoins in existence. We have to learn to use all the ones that the criminals are using. We can only do it with the private sector. There is no way we can invest in or have the skills in-house to be able to develop all of those tools for all of those different asset classes, so we work really closely with all the big private sector companies to build that capability. It is why we do big open national procurements—because that is the only way it is affordable.
Q Is cyber-crime and cryptocurrency-based crime growing quickly?
Andy Gould:
It is really hard to say, because it is so hard to identify or report at scale. However, I would say yes. If you talked to all of the big cyber-incident companies and the threat intelligence companies about what we are seeing, in terms of reporting, then yes, everybody would say that it is rising. Certainly, the crime survey for England and Wales does.
Q What is the criminal structure in this market? Is it teenage hackers in their bedroom or sophisticated organised crime groups?
Andy Gould:
It is both. There is a real mixture. You can have your sophisticated organised crime groups, with some of those having a bit of a crossover with hostile state actors, which makes that more complex to manage. You therefore have a lot of overseas threat at the higher end, but during the pandemic we also saw a shift of mainstream, traditional—if that is the right way of describing them—UK-based criminals moving into cyber-crime, because a lot of the tools are readily available on the internet and are quite easy to use.
Q You just said that some of those organised crime groups have connections to hostile states—presumably such as North Korea, Iran and Russia.
Q So is there now a blurring of a national security threat and economic crime?
Q And are we investing enough in tackling that kind of crime?
That was not the question. Are we investing enough?
Q Lots of us are trying to get our brains around this. I had a session yesterday with a whole load of people in the crypto industry who tried to convince me that there is actually better transparency because it is open—you can go in and see it—and there ought to be a way in which, with the right algorithms, you could follow the money more easily than in other ways. Is that true? Were they conning me, or is that vaguely true?
Andy Gould:
No, there is definitely an element of truth in that. If you have a public blockchain, you can see where it is moving, and that is very open—Bitcoin is the most obvious open public blockchain and the most popular crypto. However, that does not mean that you necessarily know who it is that starts and finishes. That is the issue, and with a lot of the different criminal services available, it is becoming harder and harder to manage. It is becoming more tricky. So, the answer to your question is probably yes and no.
Q We welcome the Minister’s attempts to start bringing this into a regulatory framework. However, looking at the other aspects of money laundering and economic crime, the so-called enablers are often the bad guys. In this world, those who establish a new form for crypto are presumably the ones who, if they are not properly regulated and supervised, could create a system for facilitating economic crime, fraud and money laundering. I do not think that we have proposals in here, really, for the supervision and regulation, have we? Are those badly missing?
Andy Gould:
The Financial Conduct Authority has taken on regulatory powers in this space. I am not an expert in that area, but that is looking pretty promising. A lot of UK-based entities that were offering those services are no longer able to do so, so there has definitely been a clean-up of the market in that space, which is positive.
The challenge is that international regulation, and a lot of the recent work we have seen in that space, has driven a lot of overseas exchanges and providers, which might have been operating in a bit of a grey space, shall we say, to suddenly look to become more legitimate and comply because they want to come into the mainstream financial system. I would use the analogy that the tide is going out on a lot of the more criminal providers. They are effectively being left as “clearly not engaging, clearly criminal”, and a lot of those that may be operating in the grey space in international jurisdictions are becoming more and more legitimate as they clean up their acts.
Q This is really Liam’s question, but, because it is digital, the answer must be global, must it not?
Q And that is really hard.
Q I want to follow up on what you were saying about how you can follow the flows, but you do not always know who is sending and who is receiving. I want to understand a bit more about crypto accounts. I understand that you do not need an account in order to make a transaction, but if you do have an account you can see who is making transactions. Is there more that can—or needs to—be done to say that everybody must have an account? Is that practical and how could it happen? Secondly, what is the current level of identification and verification checks when setting up a crypto account, and what level should there be?
Andy Gould:
The average member of the public using cryptocurrency will probably be using an account through one of the legitimate exchanges. They will go through the whole “know your customer” process that they would go through for a bank. Regulation pretty much covers that; I think we are in a good place with it. It is the criminal exchanges and criminal service providers that regulation would not affect. You would not be able to build an infrastructure that stops them being able to create their own wallets, as you could for those accounts with what are effectively crypto banks.
Arianna Trozze:
There has been research that some of the KYC processes, especially in some of the higher-risk exchanges, are quite easy to fool with fake documents and other such things. There are companies serving UK customers that are still not registered with the FCA and do not meet its KYC or AML requirements, despite its best efforts. For example, none of the Bitcoin ATMs operating in the UK is registered with the FCA, even though they are supposed to be, and they tend to have quite lax KYC requirements. They may require you to put in a phone number. Some of them have more requirements, but whether it is a rigorous process remains in question.
Q What more could be done about that?
Arianna Trozze:
In my view, the only thing would be more enforcement efforts against non-compliant companies. I do not know how practical that is, or what kinds of resources there are to address the problem, but to me the only way forward is to make sure that those companies and operators know that it is not acceptable to be working and serving UK customers without a licence.
Q What are the consequences for them if they do that?
Andy Gould:
I think the FCA has prosecution powers and enforcement and regulatory options, but I could not say what it is doing about that.
Q Do you know if there are cases where it has used those powers?
Andy Gould:
I do not know. They only came in earlier this year, so I would be surprised if the FCA has got to the stage where it is able to exercise them in terms of investigation.
Q Mr Gould, to follow on from that important point, I understand that the Bill removes the need for powers of arrest before you can do search and seizure. Can you explain the impact of that? Will it be useful for reducing the number of victims once you have spotted an issue happening?
Andy Gould:
Yes, definitely. That is a huge benefit of the Bill; it is one of the provisions that we have been asking for. Imagine a scenario where you execute a search warrant on criminal premises: you go in and you can see stolen property, but at the moment, if they are not there, they are not under arrest and there is no existing investigation. You then have no power to take that crypto under the Proceeds of Crime Act 2002. So yes, that is a big step forward for us.
Q Thank you for giving me another go. I have two quick questions. If you had a blank sheet of paper and you were able to amend the Bill in the cryptoassets space, what would be your No. 1 amendment to improve it? Secondly, Mr Gould, do you also look at counter-terrorism within your brief?
Q Okay. I was going to ask something about counter-terrorism, but I will not if that is not your area. So my only question is to both of you: if you had an opportunity to amend the Bill, what would you do?
Andy Gould:
We are generally very happy with the provisions of the Bill. One area that we might want to look at is storage of the assets. Imagine you have £100 million-worth of cryptocurrency. That is really expensive to store, and there is always a security risk around where it is stored. If we were able to turn that into cash straight away at the point we get the restraint from the magistrates court, and that that was a standard power, a lot of that cost and security concern would be taken away. That would be one area where we could improve.
There is an existing power under POCA, where you can go to the Crown court and make that application, but that can be contested by the defendant. There is a cost associated with that. If we had a standard power to do that, I think we would be a bit happier, but we are generally very happy with the provisions in the Bill.
Q Apart from turning cryptoassets into cash in the way that you have described.
Arianna Trozze:
I see both sides of that argument. Obviously, if assets are transferred into cash and then the original assets significantly gain value, and if the person with the assets were then found not to be a person of crime, the Government would be on the hook for the change in value of those assets. There are two sides to the argument but, as Andy mentioned, the storage is quite risky and very expensive. I ultimately agree, but I see both sides of the argument.
Q As a brief follow-up, do you have any information on how much that cost is likely to be? That would be very useful to us. I appreciate you might not have that figure in front of you now, but it would be useful to have that detail.
Okay, we have come to the end of this session. Thank you very much for joining us.