
An insider’s view: Bitcoin is less private than Visa. That should change.

In this BPI guest post, an anonymous banking insider with deep expertise in fraud and money laundering mitigation shares their thoughts on the current state of bitcoin privacy.

About the author:

The author is choosing to stay anonymous to protect their identity and the company they work for. They have worked at multiple publicly traded financial institutions in the fraud prevention and mitigation space, from ground-level tactics to enterprise strategy and policy. They have also held leadership roles at one of the nation’s largest identity verification companies, preventing fraud and working with federal and local law enforcement. They have been accountable for tactical implementation and monitoring of KYC / CIP programs and work closely with their peers who are focused on Anti-Money Laundering (BSA / AML) compliance and reporting. They are currently employed by a bank as an internal consultant in the fraud space, serving the bank as well as its clients, which include several of the top-10 crypto exchanges in the United States, to prevent fraud and comply with existing regulatory guidelines around customer identity.

Author’s public key: 191f5d72d63edc9459ed096b


Privacy is not secrecy

Financial privacy – and, more specifically, the requirement to obtain informed consent prior to the collection and use of another’s personal financial information – is fundamental to individual freedom.

Democratic nations across the globe have recognized this concept by adopting laws, such as the European Union’s General Data Protection Regulation (GDPR), that enhance individuals’ rights to control their personal information, including financial information. The U.S., which has been infamously slow to enact any major federal data privacy policy, may finally be on the verge of passing the first federal privacy statute in the American Data Privacy and Protection Act.

Currently, the U.S.  addresses financial privacy in a piecemeal fashion under various state and federal laws, like the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect their customers’ financial data (including personal information and transaction data) and to disclose what information they collect and share with others.  As a part of the GLBA, consumers must also be given the right to opt out of having their information shared with third parties.

However, due to the dual threats of exponentially increasing cybercrime and increased government surveillance and scrutiny of financial transactions, individual financial privacy is and has been under attack on multiple fronts, and the true costs are starting to manifest in noticeable ways.

As someone who has seen identity theft upend the lives of countless victims, I know how important financial privacy is to protect consumers from scammers and the criminal networks that have proliferated over the last 15 years. It’s estimated that global fraud losses equate to 6.4% of global GDP, coming in at a staggering $5.38 trillion in 2021. Experts cite protecting and securing personal financial information as one of the most important actions a person can take to mitigate these threats.

New paradigms, same concerns

The emergence of Bitcoin and other cryptocurrencies is reshaping the global financial sector. The White House estimates that 40 million Americans have bought or used cryptocurrencies. This emergence brings new challenges and paradigms that are important to understand. One example is Bitcoin’s public ledger; although the ledger is open and publicly available, it can be used pseudonymously and privately.

Some point to this pseudonymity as a potential tool in the financing of criminal activity. Both research and real-world experience have shown that this concern is misplaced and overblown, as discussed in greater detail below. Further, as Bitcoin and cryptocurrency adoption grows, the vast majority of these transactions are being facilitated by regulated exchanges and / or third-party custodians, which are subject to existing requirements that guard against illicit activity, such as know-your-customer (KYC) regulations and transactional monitoring requirements.

In fact, Bitcoin transactions are fundamentally less private than any other type of regulated financial transaction. As someone who works in fraud prevention, this concerns me.

Privacy ranks: Cash, Visa, then Bitcoin

Different types of financial transactions have varying degrees of individual privacy. Globally, cash provides the highest level of privacy; as a result, to combat tax evasion, money laundering, and the financing of illicit activity, many countries (including the U.S.) have reporting requirements for transactions that exceed certain value thresholds.

When we leverage third parties to conduct transactions on our behalf (such as a credit card company or a bank), we continue to enjoy a relatively high level of privacy, as the third party (e.g., Visa, or a bank) is legally bound not to disclose our transaction information to others without our consent (subject to limited exceptions, such as a validly issued subpoena). These types of financial transactions can often be more convenient than using cash, and they also allow us to maintain basic privacy from the public and from the counterparties we transact with (for example: how much we spend, where we spend it, how much money we have, etc.).

However, because Bitcoin is an open, public ledger, a user’s transaction history is available publicly to everyone.

For example, when a Bitcoin user pays a vendor from a Bitcoin wallet, anyone can see all the transactions in the past that are linked to the holdings in that wallet address – and in many cases, how much Bitcoin is in the wallet!

Let’s compare that to my check-out experience at Wal-Mart with my Visa card:

  • I authorize Visa to send Wal-Mart money on my behalf.
  • The money isn’t really “my money”; instead, it comes from a larger pool of commingled, universally denominated funds at Visa.
  • Visa is not sharing my transaction history with Wal-Mart, nor can Visa glean any insights about my transaction information via this transaction with Wal-Mart.
  • Visa does not tell Wal-Mart the balance I am carrying on my credit card or my credit history, nor can that information be deduced by Wal-Mart based on the transaction information.

Today’s controls

In an effort to curb the financing of illicit activities, financial institutions today apply scrutiny at the critical points of leverage that matter most from a risk management perspective – namely, knowing who their customers are. This includes collecting, validating, and storing key elements of a user’s identity (social security number, name, address).

Additionally, regardless of the user’s activity or the currencies they are using, banks also monitor user transactions and activity for suspicious patterns that may be linked to money laundering or terrorist financing, as required by law.

Although most guidelines from regulators require banks to use reasonable, contextually appropriate, risk-based approaches to remain compliant, there are some key dollar thresholds at which reporting the details of transactions is required, especially those involving cash deposits or withdrawals. Prominent examples include:

  • Currency Transaction Report (CTR) and Suspicious Activity Report (SAR) - $10,000 + cash transaction(s) aggregated in a day
  • Monetary Instrument Log (MIL) - purchases of $3,000 to $10,000 of "monetary instruments"
  • Travel Rule - any transaction over $3,000 for originating banks

All these thresholds require financial institutions to submit extensive information on the customer and their activities, and the penalties for noncompliance are severe. Banks scrutinize transactions below these thresholds in a risk-based way - predominantly for credit risk and fraud loss risk. Anti-Money Laundering (AML) risk is, of course, also considered for smaller-dollar transactions, but most of the focus in the AML space is a product of the above thresholds.

Bitcoin privacy and illicit use

Bitcoin users who don’t want to share their entire transaction history or net worth when transacting with a merchant can use collaborative transaction tools to bring their financial privacy up to par with their other payment methods. These tools provide a similar service to what Visa provides its users today; they shield transactional details from both the counterparty to the transaction and from external observers. These collaborative transaction tools demonstrate a clear benefit to end-users but are viewed suspiciously by policymakers and the financial institutions that are enabling the crypto exchanges and services, as these tools are also conceptually attractive for criminals who want to try to “break the chain” of visibility into the sources of their funds. This is very similar to how criminals have been leveraging the existing financial system to launder money: by layering their funds across multiple sources, making it harder for law enforcement to easily follow along.

Despite all of this hand-wringing, criminals and money launderers have not flocked to Bitcoin, simply because investigators can always follow the money on the public ledger. In fact, despite Bitcoin’s 14-year operating history, 99.5% of all money laundering is still facilitated through the existing financial system. Further, the United Nations estimates global money laundering to be approximately 2% to 5% of global GDP, so we are not talking about a small sample size.

Indeed, officials at the Department of the Treasury agree that when it comes to catching money launderers, the primary point of leverage occurs at the conversion of crypto assets to fiat currency (like the US dollar).

"Use of virtual currency to purchase goods or services also requires then at some point conversion back to fiat currency through the use of financial institutions that of course are then subject to strict international anti-money laundering standards"

- Todd Conklin, Deputy Assistant Secretary - Cybersecurity and Critical Infrastructure Protection, US Department of the Treasury - speaking on the impact of cryptocurrencies on Russia’s ability to evade recently placed sanctions

Even the leaders of the blockchain forensics industry, Chainalysis, confirm the obvious in their 2022 crypto crime report:

“The biggest difference between fiat and cryptocurrency-based money laundering is that, due to the inherent transparency of blockchains, we can more easily trace how criminals move cryptocurrency between wallets and services in their efforts to convert their funds into cash.”

For these reasons, money launderers are not flocking to Bitcoin - despite public narratives to the contrary.

Closing the gap

As discussed, Bitcoin users who are fully outside of the financial system can potentially have a very high level of financial privacy if they don’t need to exchange Bitcoin for dollars (or other fiat currency) in any significant amount.

However, as Bitcoin users grow via regulated exchanges, lawmakers must ensure that their financial privacy is protected at the same level as all other regulated payment rails. If this isn’t addressed soon, the global threat that fraud poses today will only accelerate. As someone who combats professional fraudsters for a living, I can assure you that a bad guy’s ability to discern an individual’s spending habits and net worth will dramatically enhance the targeting and effectiveness of scams of all varieties.

Bitcoin, with banks and regulated exchanges, will always provide a lower level of absolute privacy compared to being outside of the system, given existing federal regulations and reporting requirements discussed above.

However, just because the ceiling for absolute individual privacy for Bitcoin with banks is lower than without them doesn't mean the floor for individual privacy should also be lower.  This is a problem that can and should be urgently fixed.

If banks want to continue to be a part of the growth of Bitcoin in a way that supports the privacy of their users, they should work to enable the same level of financial privacy that Americans are legally entitled to for day-to-day transactions - regardless of how those individuals choose to pay or be paid.