NFTs and Money Laundering
Non Fungible Tokens (NFTs) are a verified version of digital assets, with a unique alphanumeric code that is also recorded on the blockchain to prevent tampering and fakes. NFTs do not fluctuate according to an exchange rate. Instead, prices are determined by the buyer and seller. NFTs are used to authenticate rare or limited-edition digital art, intellectual property, online gaming accessories, online property, memes, and music. NFTs include high profile public information data-leaks such as Edward Snowden’s Stay Free, as well as historical moments such as the first ever tweet from Twitter founder, Jack Dorsey. NFTs sell for millions, with even traditional institutions such as Christie’s Auction House listing items and facilitating transactions thanks to the provenance-proving capabilities of NFTs in relation to the asset itself. And although the technical aspects of NFTs represent an exciting evolution in the art world, the lack of understanding around this new technology leaves it vulnerable to trade-based money laundering attacks.
Trade-based money laundering focuses on whether the price of transaction is representative of the fair market value of the item being detected. This is designed to identify if property, physical art, wine collections, precious gems, or any other item is being truly bought or used as a vessel to disguise the illegal origins of the funds used in the purchase. Historically, this would realize as vastly over- or under-valuation of the goods. In the case of NFTs and their spiralling yet fluctuating valuations, this can be a challenge to track. Additionally, the fair market price for NFTs is not agreed upon: traditional art appraisers have no frame of reference for values. The US Treasury has outlined this challenge in its Study of the Facilitation of Money Laundering and Terror Finance Through the Trade in Works of Art. The Financial Action Task Force (FATF), a global intergovernmental money laundering and terrorist financing watchdog, considers platforms that exchange NFTs as considered virtual asset service providers (VASPs). Both the U.S. Treasury Department and FAFT have suggested that NFT transactions could fall under the jurisdiction of the Financial Crimes Enforcement Network (FinCEN) in the USA, NCA (National Crime Agency) in the UK or relevant local FIU (financial intelligence unit).
Why criminals target NFTs
Although NFTs prove the provenance of the asset, the challenges around valuation are leveraged by financial criminals in combination with the anonymity of transactions in decentralized finance (DeFi), including the public blockchain. Transactions might be recorded in the public ledger, but there are not the same Know Your Customer (KYC) checks that banks and traditional transactions are mandated to perform in unregulated entities. Those opening accounts to transact on the blockchain can do so almost anonymously (exceptions could be IP address etc used, and) and can open as many accounts as they like through which to transfer assets. These transactions mimic traditional placement and layering techniques in money laundering.
How Money Launderers Exploit NFTs
For money launders to successfully leverage NFTs in their schemes, there are several steps they must follow.
Criminals may create an asset that can be used in a ‘closed-loop’ self-washing scheme. Once assigned an NFT they use different accounts or ‘Peer to Peer’ (P2P) transactions between themselves to purchase and transfer the assets, before extracting the funds into ‘clean’ money via cryptocurrency exchanges.
Identity and artwork theft
Criminals may leverage the market value of an actual artist to create a profile on the blockchain in their name and use this perceived value to masque the trade-based money laundering occurring underneath. Identity theft and forgeries are not completely preventable in NFT marketplaces. Or criminals may perform a digital art heist through hacking to secure the initial funds, then launder them through multiple NFT trades.
Criminals will put in groundwork to develop a digital footprint that they hope will make the transaction seem less suspicious. This can include manipulating other digital real-estate, such as legitimate website (through hacking) to create links to forged assets. This is how a hacker launched an attack on Banksy in 2021.
Current NFT regulations
Smurfing is a well-known money laundering technique, in which criminals attempt to remain under value limits set by regulators to avoid flags on their transactions. As regulators attempt to keep pace with digital innovations, new mandates are being updated to attempt to prevent this. The recent Fifth Anti-Money Laundering Directive (5AMLD) from the European Parliament includes amendments that extend its obligations to virtual currency providers and custodian wallet providers (such as cryptocurrency exchanges) and art traders when the value of transactions or series of linked transactions amount to EUR10,000 or more.
In September 2020, the European Commission presented the Markets in Cryptoassets Regulation, or MiCA proposal. Although NFTs are not explicitly covered, crypto asset providers (CASPs) are in scope. Given the real-world links between NFT trades and cryptocurrencies, it is expected it impinge on NFTs. The purpose is to improve licensing and operational oversight of crypto companies, which could improve the anonymous buying and selling challenges associated with NFTs.
Although the UK does not necessarily have to adhere to AMLD5 or MiCA, it is generally seen as good practice and UK FIs tend to adopt EU regulation. UK FIs should consider this as part of their horizon scan for risk assessment as domestic legislation targeting NFTs is expected to come into effect in the UK, either as net-new or updates to existing codes. The UK Government has transposed AML requirements relating to crypto assets into national law, by including the requirements of AMLD5 and implementation via the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (the “2019 regulations”). Businesses with NFT exposure are potentially within the 2019 regulations and may need to apply for FCA registration and supervision. Those who participate in trading or storing works of art are required to register with HM Revenue and Customs (“HMRC”) for supervision under the 2019 regulations, and subject to compliance mandates.
NFTs are currently not specifically regulated in the U.S. Other regulations sometimes come to bear on NFT transactions, depending on how a specific NFT is classified. However, The U.S. Treasury, Financial Crimes Enforcement Network (FINCEN), the U.S. Commodities Futures Trading Commission (CFTC), and the Internal Revenue Service (IRS) have all begun to explore ways to monitor and regulate NFT transactions, alongside broader crypto concerns.
In response to the money laundering risks of NFTs, a report by The U.S. Treasury (Study of the Facilitation of Money Laundering and Terror Finance Through the Trade in Works of Art) outlines recommendations on regulation.
- Encouraging the creation and enhancement of private sector information-sharing programs to foster transparency among art market participants
- Updating guidance and training for law enforcement, customs enforcement, and asset recovery agencies.
If the Treasury Department does decide to exercise its regulatory authority, it could bring NFTs under the purview of FinCEN. The report outlines this proposal.
- Using FinCEN recordkeeping authorities to support information collection and enhanced due diligence
- Bringing certain art market participants under the AML/CFT legal framework and obligating them to create and maintain AML/CFT programs.
How NFT Money Laundering Is Detected
Given the anonymous nature of transactions and limited KYC data inputs, transaction monitoring becomes the focus to maintain compliance. The pattern analysis used to identify traditional money laundering typologies is relevant for NFTs, but as there is less institutional knowledge to rely on to write rules to combat NFT money laundering, FIs must turn to machine learning that can identify these patterns much faster than humans.
Unlike fraud prevention teams, AML teams do not have large sets of tagged data and confirmed incidents to work with. But the best machine learning models can begin with a cold-start and still identify and flag suspicious behavior patterns just from the transaction data.
Featurespace’s patented Adaptive Behavioral Analytics is a real-time, self-learning model approach that delivers industry-leading AML results without a tagged data set of historical transactions, while reducing false positives.