
Showing posts with label regulation.

Thursday, April 11, 2024

Why I'm in favor of financial illiteracy

 
I'm not a fan of mandatory investor education classes. The issue was brought up recently by former chair of the FDIC, Sheila Bair, who sees early financial education as a way to stop future FTX-style disasters.

The model of finance I've been using for many years is the fairly dismal dark forest model. The financial industry is a shadowy forest full of sly foxes waiting to prey on retail investors. The list of sly foxes is long: all sorts of Samuel Bankman-Frieds, IRS scammers, internet ponzi schemers, stock con-artists, bankers hawking high-fee products, fly-by-night gold mine promoters, and shady crypto platforms. It's truly horrifying out there.

So why not implement mandatory high school financial literacy classes to upgrade the retail class's defences against this dark forest?

My first concern is that high school students can only absorb so much. Mandatory financial literacy classes will inevitably come at the expense of learning other very important things like math, writing, and science, which are at the base of so many vital disciplines.

Second, while I'm sure financial literacy classes might help a bit to protect us against the dark forest, I don't think they'll do much. The prototypical retail investor's single biggest weakness is that we are all incredibly busy people. As we rush through the dark forest we simply don't have enough time to familiarize ourselves with its many arcana. This incapacity to pay sufficient attention makes us easy pickings, no matter whether we've had a few financial literacy classes or not.  

The dark forest preys not only on our rushed lives, but also our need to keep up with the Joneses, our precarious and stressful financial situations, and our worries for loved ones. I'm just not convinced that a few years of high-school financial literacy classes will release us from these eternal and very-exploitable emotions.

Luckily, we have two other major defences against the dark forest: the competitive market and the government.

The government can make the dark forest safer by flushing out bad actors and pushing fraudsters to the nether regions, then nudging us retail investors towards the parts made safe. It does so by regulation, standard investor protections, licensing requirements, and through law enforcement and the court system.

As for the market, its competitive nature gives rise to a class of trained and experienced financial professionals who are generally equipped to lead retail investors through the dark forest.

If we get these two defences right, then we can afford ourselves a great luxury: a retail investor class that gets to remain relatively ignorant of finance while being safe in its ignorance. This ignorance is a thing of beauty. Instead of folks having to waste time and energy learning about the forest's fox population, its patois, and its dangerous pathways, they can focus on their own very busy lives, families, studies, hobbies, and careers. That's what we want them to do. We don't want a world where the average person needs to give up an hour or two each week slogging through financial literacy 101. We want them to blithely use financial products and take for granted they will be safe, and then get on with more important things.

Alas, if we get these two defences wrong, then we get disasters like Sam Bankman-Fried's FTX, which destroyed the financial lives of thousands of innocent retail investors. 

What happened with FTX? In the case of FTX's offshore exchange, there was a complete absence of government regulation. Not so FTX's US arm. Alas, FTX-US operated under a bare-bones regulatory framework courtesy of state licensing boards, which are simply not appropriate for overseeing a trading venue like FTX, and are more equipped for watching over remittance companies like Western Union. (See my article Let's stop regulating crypto exchanges like Western Union.) This was the dark forest at its darkest.

To see how this first line of defence can be properly deployed, take a look at what happened in Japan when FTX collapsed. FTX's Japanese customers were made 100% whole a few months after the debacle. (American ones are still waiting.) That's because Japan got things right and forced FTX Japan to adopt appropriate regulation, effectively preventing the sly fox Bankman-Fried from preying on Japanese citizens. (See my article Six reasons why FTX Japan survived while the rest of FTX burned.)

The second defence against predators like Sam Bankman-Fried, a market-supplied legion of trained and experienced financial professionals, was lacking, too, since stuff like dogecoin and dogwifhat is outside the ambit of the financial professional class, and deservedly so. Had seasoned institutional investors and other financial professionals been operating in the sector, they would have used their training to suss out the FTX fraud much earlier, guiding folks away to safer exchanges.

The two defences entirely lacking, the result was a wave of innocent retail investors left free to venture into the dark forest. But mandatory financial literacy classes don't fix this. Government regulation and elite financial professionals do.

Monday, March 18, 2024

How PayPal can use stablecoins to avoid AML requirements and make big profits


There's a new financial loophole in town: stablecoins. Stablecoins are dollar, yen, or pound-based payments platforms that are built using crypto database technology.

Financial institutions are always looking for loopholes to game the system. Typically this has meant avoiding capital requirements or liquidity ratios in one jurisdiction in favor of looser standards elsewhere. The new stablecoin loophole allows for a different set of financial standards to be avoided: society's anti-money laundering regulations.

I'll explain this new loophole using PayPal as my example.

PayPal now offers its customers two sorts of regulated platforms for making U.S. dollar payments. The first type will be familiar to most of us. It is a traditional PayPal account with a U.S. dollar balance, and includes PayPal's flagship platform as well as PayPal-owned platforms Xoom and Venmo. These all have strict anti-money laundering controls.

The second type is PayPal's newer stablecoin platform, PayPal USD, which has loose anti-money laundering controls. PayPal USD is built on one of the world's most popular crypto databases, Ethereum. Dollars held on crypto databases are typically known as stablecoins, the most well-known of which are Tether and USDC.

What do I mean by fewer anti-money laundering controls?

If I want to transfer you $5,000 on PayPal's traditional platform, PayPal will first have to grant both of us permission to do so. It does so by obliging us to go through an account-opening process. PayPal will carry out due diligence on both of us by collecting our IDs and verifying them, then running our information against various regulatory blacklists, like sanctions lists. Only after we have passed a gamut of checks will PayPal allow us to use its platform to make our $5,000 transfer.

Contrast this to how a payment is made via PayPal's new stablecoin platform.

First, we both have to set up an Ethereum wallet. No ID check is required for this. That now allows us to access PayPal's stablecoin platform. Next, I have to fund my wallet with $5,000. I can get these funds from a third party who already holds money on PayPal's stablecoin platform, say from a friend, or from someone who buys goods from me, or from a decentralized exchange. Again, no ID is required for this transaction to occur. Once I have the funds, PayPal will process my $5,000 transfer to you.

Can you spot the difference? In the transaction made via PayPal's legacy platform, PayPal has diligently got to know everyone involved. In the second transaction, PayPal makes no effort to gather information on us. And lacking our names, physical addresses, email addresses, or phone numbers, it can't do a full cross-check against various regulatory black lists.  

More concretely, PayPal's legacy platform does its best to stop someone like Vladimir Putin, who is sanctioned, from ever being able to sign up and make payments. But if Putin wanted to use PayPal's new stablecoin platform, PayPal makes almost no effort to stop him from jumping on.

One of the biggest expenses of running a legacy financial platform is anti-money laundering compliance. Programmers must be deployed to set up onboarding and screening processes. Compliance officers must be hired. If a transaction is suspicious, that may trigger a halt, and the transaction will have to be painstakingly investigated by one of these officers. The platform is hurt by lost customer goodwill; no one likes a delay.

That's where the stablecoin loophole begins.

PayPal can reduce its costs of getting to know its customer by nudging customers off its traditional platform and onto its PayPal USD stablecoin platform. Now it can onboard them without asking for ID. Since it no longer collects personal information about its user base, fewer transactions trigger flags for being suspicious, and only rarely do they register hits on sanctions blacklists. That means fewer halts, delays, and costly investigations. PayPal can now fire a large chunk of its compliance staff. The reduction in costs leads to a big rise in earnings. Its share price goes to the moon.

For now, PayPal's stablecoin platform remains quite small. Only $150 million worth of value is held on the platform, as the chart at the top of this post shows. The company's legacy platforms are much larger, with around $40 billion worth of balances held. Given the compliance cost difference, though, I suspect PayPal would love it if its stablecoin platform were to grow at the expense of its legacy platform.

I've used PayPal as my example, but the same calculus works for the financial industry in general. If every single bank in the financial system were to convert over to a stablecoin platform for the delivery of financial services, and no longer use their legacy platforms, the industry's total anti-money laundering compliance costs would plummet.

So far I've just explained this all from the perspective of financial institutions, but what about from the viewpoint of the rest of us? Society has set itself the noble goal of preventing bad actors from using the financial system. A large part of this effort is delegated to financial institutions by requiring them to incur the expense of performing due diligence on their platform users. This requires a big outlay of resources. Many of these costs are ultimately passed on to us, the users.

If institutions like PayPal switch onto infrastructure that doesn't vet users, then resources are no longer being deployed for the purposes we have intended, and the broader goals we have set out are being subverted. Is that what we want? I'd suggest not.



Some followup thoughts:

1. PayPal's stablecoin platform employs fewer anti-money laundering controls than its regular platform. On the other hand, its stablecoin platform has stricter standards in other areas, including the safety of its customer funds. I wrote about this here: "It's the PayPal dollars hosted on crypto databases that are the safer of the two, if not along every dimension, at least in terms of the degree to which customers are protected by: 1) the quality of underlying assets; 2) their seniority (or ranking relative to other creditors); and 3) transparency."

2. The pseudonymity of stablecoins is something I've been writing about for a while. In a 2019 post, I worried that at some point this loophole would lead to "hyper-stablecoinization," a process by which every bank account gets converted into a stablecoin. I'm surprised that almost five years later, this loophole still hasn't been closed.

3. The typical riposte to this post will be: "But JP, stablecoins are implemented on blockchains, and blockchains are transparent. This prevents bad actors from using them, and so stablecoins should be exempt from standard anti-money laundering rules." I don't buy this. Bad actors are using stablecoin platforms, despite their pseudo-traceability. "It's convenient, it's quick," say a pair of sanctions breakers about payments made via Tether, the largest stablecoin platform. Society has deputized financial institutions to perform the crucial task of vetting all their users. By not doing so, stablecoin platforms are shirkers. Trying to outsource the policing task to the public or to the government by using a semi-transparent database technology doesn't cut it.

Wednesday, January 31, 2024

What does the recent ruling on the Emergencies Act mean for your banking rights?


A Federal judge ruled last week that the emergency banking measures taken to end the Ottawa convoy protest in 2022 contravened the protestors' rights. In this post I want to provide my reading of this particular ruling and what is at stake for Canadians and their bank accounts.

To be clear, Justice Mosley's ruling touched on far more than the banking measures, and extended to the broader legality of the government's invocation of the Emergencies Act on February 14, 2022, subsequently revoked on February 23. However, since this is a blog on money, I'm going to limit my focus to the banking bits of the court ruling.

(By the way, I've written about emergency banking measures a few times before.)

To remind you, there were two emergency banking measures enacted in February 2022 that affected regular Canadians. The most well-known measure was the freezing of bank accounts. The RCMP collected the names of protestors, and forwarded these to banks and credit unions, which used this information to locate protestors' accounts and immobilize their funds. In the end, 280 bank accounts were frozen.

The second and less well-known banking measure was the requirement that banks share protestors' personal banking information with the RCMP and the Canadian Security Intelligence Service (CSIS), including how much money the protestor had in their account and what sorts of transactions they made.

Justice Mosley has ruled that these banking measures, both the freezing and the sharing, violated the Canadian Charter of Rights and Freedoms. Specifically, they contravened Section 8 of the Charter, which specifies that everyone has the "right to be secure against unreasonable search or seizure."

The best way to think about Section 8 is that all Canadians have privacy rights. These rights cannot be trodden on by the government. The police can't conduct unjustified personal searches of your body or home, say by snooping on your credit card transactions. Nor can they seize your bank statements or your computer in order to gather potentially incriminating information on you.

This doesn't mean that a Canadian can never be subject to searches and seizures. Section 8 doesn't apply when the person who is subject to a search or seizure has no privacy rights to be violated. So for example, if I leave my old bank statements in the trash on the curb, it's likely that I've forfeited my privacy rights to them, and the police can seize and search them without violating Section 8 of the Charter.

An interesting side point here is that Canadians don't forfeit their privacy rights by giving up their personal information to third-parties, like banks. We have a reasonable expectation of privacy with respect to the information we give to our bank, and thus our bank account information is afforded a degree of protection under Section 8 of the Charter.

My American readers may find this latter feature odd, given that U.S. law stipulates the opposite, that Americans have no reasonable expectation of privacy in the information they provide to third parties, including banks, and thus one's personal bank account information isn't extended the U.S. Constitution's search and seizure protections. This is known as the third-party doctrine, and it doesn't extend north of the border.

Canadians can also be lawfully subject to searches and seizure by the police if these actions are reasonable, as stipulated in Section 8 of the Charter. There are a number of criteria for establishing reasonableness, including that a search or seizure needs to be authorized by law, say by a judge granting a warrant. In addition, the law authorizing the warrant has to be a good one. (Here is a simple explainer.)

Before we dive into why Justice Mosley ruled that the government's bank account freezes and information sharing scheme violated Canadians' rights, we need to understand the government's side of the argument.

On the eve of invoking the emergency measures, Prime Minister Justin Trudeau promised that the government was "not suspending fundamental rights or overriding the Charter of Rights and Freedoms." He reiterated this a week later after the Emergencies Act had been revoked:


But what about the legal specifics of the banking measures? Were they compliant with the Charter, and how? Government lawyers argued from the outset that the requirement for banks to share personal banking information with the RCMP and CSIS did not violate Section 8 of the Charter. While the sharing order constituted a search under Section 8, it was a reasonable search, they said, and reasonable search is legitimate.

As for the freezes, and here things get more complicated, the government maintained that they did not constitute seizures at all, and thus weren't protected under Section 8. The government begins with a literal argument. The funds in the 280 frozen bank accounts were not taken or seized; rather, banks were simply asked to "cease dealing" with some of their customers in such a way that these customers never lost ownership of their funds. This was a mere freeze, the government claims, rather than a harsher sort of government "taking" of funds, say like a Mareva injunction, warrant of seizure, or restraint order, all of which are seizures under Section 8 of the Charter.

As backup, the government offered a more technical argument. According to Canadian legal precedent, it is only certain types of government searches and seizures that trigger Section 8 protections. These are laid out in a case called Laroche v Quebec (Attorney General). Specifically, only those seizures occurring in the process of an investigation and prosecution of a criminal offence are protected. The government maintains that the freezes it placed in February 2022 were not related to a criminal offence (they were merely designed to "discourage" participation in the protest) and so they were not the sorts of seizures protected by the Charter. (The government's full argument, as laid out for Justice Mosley, is here.)

The invocation of the Emergencies Act required that an independent inquiry be launched, the results of which were released in February 2023. The commissioner of that inquiry, Justice Rouleau, ended up siding with the government's assessment of the legality of the bank account freezes. The freezing of accounts was "not an infringement" of section 8 of the Charter, wrote Rouleau, because they were not a seizure.

Here I'm going to briefly inject my own personal thoughts as a citizen blogger.

Look, I think it's a good thing that the government has various financial buttons at its disposal that it can press to lock or restrict my funds, like restraint orders. But I also think it's a good thing that these buttons are subject to certain controls, one of which is that they must respect my basic rights, even in an emergency situation. I find it somewhat worrying that in this particular case the government seems to be arguing that it has at its disposal a new type of "immobilize funds" button that is completely exempt from Charter oversight due to the fact that it, somewhat arbitrarily, escapes definition as a seizure. This seems like a distinction without a difference to me.
 
Disagreeing with both Justice Rouleau and the government's logic, Justice Mosley in his judicial review ends up siding with the counter-arguments deployed by two civil liberties organizations that opposed the government in the case. (Their respective arguments are laid out here and here).

First, regarding the sharing of information with the RCMP and CSIS, Mosley rules this constituted a search covered by Section 8. Contra the government, these searches were not reasonable, and thus they violated the protestors' Charter rights.

While the government had argued that the searches were reasonable due to their limited duration and targeted focus, the judge finds that they lacked an "objective standard." Banks only needed a "reason to believe" that they had the property of a protestor before reporting the information to the RCMP or CSIS, but according to Mosley this criterion was too wide and ad hoc to qualify as reasonable. Would a hunch or a rumour qualify as a "reason to believe"? Perhaps.

The searches were also unreasonable, according to Justice Mosley, because they met none of the other well-defined standards for reasonable search, such as prior authorization for each search by a neutral third party like a judge. In February 2022 it was bankers, not judges, that carried out the searches, assembly line-like.

As for the freezes, Justice Mosley disagrees with the government's arguments, finding that the freezing of bank accounts did indeed constitute a seizure of the sort protected by Section 8. Adopting the viewpoint of a regular Canadian, he first argues that a "bank account being unavailable to the owner of the said account would be understood by most members of the public to be a 'seizure'."

Mosley proposes an alternative opinion that it was the forced disclosure of the financial information by banks to the RCMP and CSIS that constituted a seizure. In this reading, what was being seized was personal payments and ownership data. The protestors had a "strong expectation of privacy" in these financial records, and thus Section 8 is applicable.

So to sum up, a Federal court has deemed that the bank account freezes placed on protestors in February 2022 were indeed seizures, and not some other strange sort of freeze-not-a-seizure, and therefore they were subject to the Charter. As for the searches, they were unreasonable (as were the seizures). The government will be appealing to the Federal Court of Appeal, so these arguments will be re-litigated. Stay tuned.

My take is that Justice Mosley's rulings are reasonable and helpful guidelines for future governments seeking to levy banking measures in subsequent emergencies. The ruling doesn't expressly ban the levying of bank freezes, and that's probably a good thing. Let's not forget that the requirement for banks to cease dealings with protestors, albeit illegal in this particular case as per Justice Mosley, was a fairly effective measure. The threat of having their money immobilized helped get the protestors to leave, right? And not a single person was injured. Think of bank account freezes as the domestic version of foreign sanctions, a way to bloodlessly defuse an emergency situation and avoid sending in the more deadly cavalry. This seems like a good tool, no?

The catch, as Mosley suggests, is that the government needs to tighten up the process of freezing bank accounts come next emergency so that they are constitutional. How tight? One might argue that the standard for freezes shouldn't be as high as a regular restraint order on funds during a non-emergency. On the other hand, freezes shouldn't become some sort of dark tool for circumventing the Charter.

Friday, December 1, 2023

Even crypto mixing deserves a threshold

Many of you may not realize this, but in most parts of the developed world, banks automatically record and report our transactions to law enforcement. The logic behind this is that by giving up our personal data, we get more security, albeit at the cost of 1) losing our privacy, and 2) adding an extra layer of costly red tape into financial life.

It's a pragmatic compromise, and one hopes that the benefits outweigh the costs. The way that we've been balancing this compromise up till now is by using thresholds, so as to reduce the cost side of the equation. Below a certain dollar threshold (e.g., $10,000 for cash), transactions don't get reported. The folks making these sub-threshold transactions thus enjoy the dignity of not having their privacy invaded, nor do they add to the financial sector's administrative burden. However, they also don't contribute to the effort to improve security and safety.

Anyways, last month, the U.S. government announced a new anti-money laundering reporting requirement, one for crypto mixing. In doing so it broke with a long tradition by not including a threshold. That got my hackles up. Thresholds have always been key to balancing the costs and benefits of automatic reporting requirements.

In short, the government thinks that mixing of cryptocurrency is of primary money laundering concern. Any U.S. financial institution that knows, suspects, or has reason to suspect that a customer's incoming or outgoing crypto transaction, in any amount, involves the use of a mixer will have to flag it and send a report to the government. That report must include information like the customer's name, date of birth, address, and tax ID. 

I submitted the following comment on the proposed rule for crypto mixing. If you agree, feel free to copy it and add your own comment to the growing pile. 

Dear sir/madam,

Re: Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern

Historically, all U.S. anti-money laundering recordkeeping and reporting requirements have been accompanied by a monetary threshold. The current proposal to impose recordkeeping and reporting requirements for crypto mixing is the sole exception. This should be fixed.

When Treasury Secretary Henry Morgenthau published an executive order to implement the U.S.'s first large cash transaction reporting regime all the way back in 1945, for instance, he established a $1,000 reporting requirement for transactions in which only bills in denominations over $50 were present. He also set a $10,000 reporting threshold when small and large denomination bills were involved in the transaction.

Morgenthau's thresholds remained in place through the 1950s and 1960s. They were eventually ratified in 1972 with the implementation of a $10,000 cash reporting threshold for the purposes of implementing the Bank Secrecy Act.

When suspicious activity reports were introduced in 1996, the government's initial proposal did not include a reporting threshold. But after receiving public comments, the government admitted that its first version of the rule would impose a "burden of reporting." In its final version it introduced a $5,000 threshold for filing a suspicious activity report, which remains to this day.

In addition to reporting thresholds for cash transactions and suspicious activity, the government has set a number of thresholds for recordkeeping requirements. For instance, financial institutions are required to keep a log of all cash purchases of monetary instruments between $3,000 and $10,000.

The government's long history of twinning reporting and recordkeeping requirements with thresholds is a pragmatic compromise. It balances law enforcement's need for information against the administrative burden imposed on the private sector as well as the invasion of privacy imposed on civil society. It only seems fair and prudent to extend this pragmatic compromise to cryptocurrency mixing recordkeeping and reporting requirements, especially in light of the fact that, as FinCEN admits, there are "legitimate purposes" for mixing.

I would suggest a threshold of at least $10,000, which is in line with the cash transaction reporting threshold.

Sincerely,
JP Koning
Moneyness Blog

Thursday, November 16, 2023

Kraken v Kraken, or how to protect the public from crypto exchange failures


It's been a full year since FTX International and FTX-US collapsed, and the shocking thing is that there is still no regulated crypto venue in the U.S.! You'd think some lessons would have been learnt.

To best protect the public from the Sam Bankman-Frieds of the world, what the U.S. requires is securities-level oversight of crypto exchanges. Exchanges like Coinbase and Kraken are offering the sorts of investment services to the public that the U.S.'s main securities regulator, the SEC, is ideally positioned to regulate, such as trading, margin, custody, and market making. But one year after FTX's collapse, there doesn't appear to be a single SEC-regulated exchange.

The exchanges blame this on the SEC's lack of clarity. The SEC blames this on exchanges refusing to come in and register. God knows who's telling the truth.

Whatever the case, this intransigence only increases the odds that there'll be another U.S. crypto exchange collapse in the next few years, one that appropriate regulation could have otherwise prevented, or at least sheltered investors from the fallout.

What sort of protections am I talking about? After Canada suffered through the collapse of QuadrigaCX a few years back, and a bunch of Canadians like myself lost money, crypto exchanges were brought under the auspices of our existing securities regulatory framework, with a few nips and tucks to the rules to make them fit. This has led to a lot of changes that make Canadian crypto customers safer. I'm going to share the best example in this blog post.

Kraken is a well-known crypto exchange that serves both American and Canadian customers. However, if you're an American customer who uses Kraken, you possess a very different sort of asset than Canadian customers do.

Let's look at the fine print of the U.S. platform:

Source: Kraken's terms of service for U.S. customers

So in the U.S., assets are held "by us for you." That is, Kraken itself is doing the holding, safekeeping, or providing custody of crypto for its customers.

A key observation I want to make here is how fundamentally different this is from how standard regulated marketplaces like the NASDAQ or the Toronto Stock Exchange function. Traditional marketplaces offer a venue to trade assets, but they don't offer custody. If they tried to introduce this, their regulator would very quickly say no. I'll explain why below.

But first, let's head over to Kraken Canada. Once again, here's the fine-print:

Source: Kraken's terms of service for Canadian customers

What the underlined wording says is that if you're a Canadian, Kraken does not hold your crypto for you. That's very different from the U.S. Instead, Kraken says that customer crypto is deemed to be "custodial assets" and delegates your crypto to a "designated trust account at a Crypto Custodian." Bingo. There's the separation of trading from custody that I was talking about earlier, which aligns with standard practices for marketplaces.

Scan further through the fine print and you learn who that crypto custodian is: Anchorage Digital Bank:

Source: Kraken's terms of service for Canadian customers


Who is Anchorage? Anchorage is a federally chartered trust that is overseen by the Office of the Comptroller of the Currency, one of the key U.S. federal banking regulators. So if you hold some coins on Kraken, and you are an American, you own what is essentially a Kraken IOU, and you have to trust Kraken, but if you are a Canadian, you're effectively putting most of your trust in a federally chartered financial institution. That's pretty stern stuff.

Canadian securities regulators require all crypto exchanges operating in Canada to delegate at least 80% of customer crypto to a third-party custodian. (The other 20% can be held in a hot wallet for liquidity purposes.) Kraken doesn't appear to be doing this for its American customers, and that's because there's no U.S. regulator prompting it to do so. On top of requiring this separation, Canadian regulators stipulate that third-party custodians must be qualified. That is, they can't just walk in off the street. The custodian has to meet the regulator's standards, which requires having a Systems and Organization Controls (SOC) designation, and a bunch of other stuff too.

You can probably see by now that if you're a customer of Kraken, it's better to be Canadian than American, for the following reasons:

  • Anchorage is a federally-regulated financial institution and subject to strict oversight. Kraken U.S. is for the most part unregulated. No one is peering over its shoulder to check whether it is doing a good job safekeeping your coins.
  • Kraken has its fingers in a lot of different businesses, but Anchorage specializes in custody, and so it's probably better at the task.
  • Anchorage is independent from Kraken. This separation mitigates the risk of loss, theft, or misuse of assets by Kraken management. This is particularly salient in Kraken's case because it engages in many other business activities, such as trading or market-making, and these pose potential conflicts of interest.

In the future, one hopes that Kraken's U.S. exchange provides the same level of customer protection as Kraken's Canadian platform. But that's only going to happen if and when the SEC dictates a fundamental separation of crypto trading from custody, and if U.S. crypto exchanges actually listen to the SEC.

Addendum (Nov 21): Talk about good timing. The SEC just announced that it is suing Kraken's U.S. entity for, among many other things, failing to segregate customer crypto assets and dollar balances. Segregation is different than third party custody. It basically means that customer property is kept separate from corporate property. This helps to prevent double-dipping. An exchange can make use of a third party custodian, for instance, but not segregate those funds into corporate and customer buckets. The combination of segregation and third-party custody is optimal.

By contrast, Canadian securities law clearly specifies that Kraken and any other Canadian exchange must already be segregating customers' crypto and funds from corporate funds. In the regulators' own words, exchanges must keep customer property "separate and apart from its own property." This is in addition to the requirement that they use a third party custodian to store customer crypto and fiat. We can verify by reading Kraken's undertaking with Canadian regulators, in which it promises that it will be keeping customer crypto "separate and apart from its own assets."

Segregation is just one other low-hanging bit of customer protection that U.S. crypto exchanges should already have implemented, but probably won't until prodded by the government.


The next section is for pedants only, of which I'm embarrassed to be one, which is why I'm putting this in very small print:

Kraken owns a U.S. bank. How does this fit into the story? Here are the details: In the U.S., the Kraken crypto exchange is really just the trade name for Payward Ventures. Payward Ventures is in turn a subsidiary of Payward, Inc. Payward, Inc has another subsidiary, Payward Financial, Inc, that owns a state-chartered bank -- Kraken Bank. Notably, when you sign up as a customer of the Kraken crypto exchange, you are entering into a relationship with Payward Ventures, not Payward Financial. There is no indication in the exchange's terms of service that Kraken Bank is in any way involved in custody. Which seems... odd? Why wouldn't Kraken use its bank for custody?

When Kraken first applied to do business in Canada earlier this year, it said it wanted to use Kraken Bank as its custodian. Given that Kraken is in fact using Anchorage Bank as we speak, I suspect that Canadian regulators told Kraken: "Hey, guys. Kraken Bank is not sufficiently independent, you're going to have to use a third-party." And I suspect they were right about this.

Meanwhile, what about Canada's most popular exchange, Coinbase? Coinbase's Canadian terms of service don't indicate that it is using a qualified custodian. Customer assets are "held by the Coinbase Group for your benefit." Yeah, that's not going to fly with the regulators. I suspect that within a few months you're going to see it using a third-party like Anchorage, or it's just going to leave Canada.

Tuesday, September 26, 2023

Thoughts on Privacy Pools and the law


Here's my quick first-pass take on Privacy Pools, the heir apparent to privacy tool Tornado Cash. My comments are on the legal side, and less so the technical side, although the two aren't mutually exclusive. 

I've already written a bunch of times about Tornado Cash on this blog. Financial privacy is an important topic. 

The quick story is that after attracting a few billion in criminal funds, the Tornado Cash "stack" was sanctioned by the Office of Foreign Assets Control (or OFAC, the U.S.'s sanctioning authority). Privacy Pools is the Ethereum community's attempt to offer up an olive branch to OFAC. "We know you didn't like the last attempt, but we're going to make some changes. What do you think?"

I'm fascinated with the Privacy Pools idea, which will allow users to pick and choose who they associate with, thus excluding potentially bad actors. With fewer bad actors, OFAC may be less hasty to sanction the tool. 

While in theory that sounds great, here's my worry. Privacy Pools still relies on an old Tornado Cash feature: relayers. (For this observation, I'm indebted to Jon Reiter, who wrote a useful article on Privacy Pools for Blockhead.) It also relies on a new type of third-party: association set providers or ASPs.

Relayers and association set providers are a problem, as I'll show below. And the reason has nothing to do with OFAC or sanctions law, but a set of Federal statutes against racketeering found in Chapter 95 of the U.S. criminal code.

Let's assume that Privacy Pools gets deployed and begins to successfully screen out bad actors. That'll make it an even more tempting target for dirty money seeking redemption, with bad actors devoting ever more resources to sneaking into the mix. Inevitably, some of them will get through and when they do, the authorities will have to find an actor in the Privacy Pools stack to blame. I suspect they'll target relayers and ASPs.

Let's start with relayers. It's likely that the authorities can show that relayers are engaged in an activity defined under a key section of U.S. racketeering law, § 1960, as "money transmission." To avoid breaking this law, relayers will need to register with the Financial Crimes Enforcement Network, or FinCEN, the U.S. government's money laundering watchdog. Registration will obligate relayers to set up an iron-clad customer identification program, which involves collecting and verifying user ID cards, as well as filing Suspicious Activity Reports (SARs) with FinCEN, thus undoing much of Privacy Pools' stated benefits.

Let's back up a sec. Who are relayers?

Doing stuff on the Ethereum blockchain requires paying a small processing fee, and these fees are visible to everyone. When a privacy seeker withdraws from Privacy Pools or Tornado Cash, this fee payment effectively reveals who the user is. To solve this problem, both systems rely on a group of third-party individuals or entities, called relayers, to pay this fee on behalf of users, thus restoring privacy, an effort they are remunerated for. But this sounds to me like "transferring funds on behalf of the public," which is Chapter 95's definition of money transmission, which leads me to suspect that relayers can be drawn into said law's licensing and registration requirements.*

Now, I'm just a maritime lawyer, so if I suspect that relayers are money transmitters, who really cares, right? But it's not just me who is making this claim. In its recent indictment of individuals involved in the Tornado Cash stack, the Department of Justice named relayers as engaging in money transmission.

Let's move on to ASPs. With Privacy Pools, users can build unique association sets that allow them to dissociate from potential bad actors. In a recent paper, the Privacy Pools designers suggest that in practice, professional intermediaries (association set providers) will emerge to set up and curate these sets. Users will in turn subscribe to whatever ASP-provided sets meet their needs.

It's inevitable that ASPs will make mistakes and let bad actors into their sets, resulting in illicit money being laundered through Privacy Pools. In response, the authorities may try to follow the same script they used for relayers and accuse a faulty ASP of being an unlicensed money transmitter. But that may not stick; unlike a relayer, an ASP doesn't actually transfer any money. The Department of Justice has more up its sleeve than that, though. They can charge faulty ASPs with breaking other laws in Chapter 95, specifically the money laundering statutes § 1956 and § 1957.

To avoid a potential money laundering indictment, the intermediaries that curate association sets will have to make a good faith effort to exclude bad actors. Simple blacklists derived from chain tracing tools provided by companies like Chainalysis probably won't cut it. ASPs will have to undertake the same level of customer due diligence as banks and other financial institutions. That means painstakingly collecting ID, doing background checks, and more. As before, that may unravel some of the purported anonymity of the Privacy Pools system.

The fact that relayers and ASPs may face FinCEN registration requirements and/or other anti-money laundering obligations isn't necessarily a death knell for projects like Privacy Pools, but it may pose some challenges.

1) Relayers and ASPs may try to sidestep U.S. law by operating outside the U.S. and, if possible, set up their operations to exclude Americans. That means cutting off a big chunk of the world from using the tool. With fewer users, the ability of Privacy Pools to obfuscate the tracks of all its non-U.S. users will be limited.

2) Some relayers and ASPs may choose to accept American customers in a compliant way. They'll verify their users, submit reports to FinCEN, and more. But at that point an American will probably be roughly indifferent between getting privacy from Privacy Pools or Coinbase, a centralized exchange that already complies with the requirements. Any U.S. user who becomes a customer of Coinbase can deposit ether and withdraw it to a new address, thus removing the outside world's ability to track the transaction, albeit at the expense of disclosing their personal information to Coinbase. Privacy Pools would afford this same level of privacy. It would offer U.S. users privacy from the broader community, but not from the employees of a relayer or ASP.**

If Privacy Pools is only providing Coinbase-levels of privacy to Americans, what's the point?

3) Lastly, perhaps the developers can figure out now, before Privacy Pools is even deployed, how to do away with relayers while still preserving privacy, thus entirely bypassing Federal racketeering law's definition of money transmission. Or maybe they can figure out how to design the relaying system such that it falls out of the definition.

Whether that's even possible is a technical issue that goes waaay beyond my abilities.


* Why can't other elements of the Privacy Pools stack, including the core smart contracts and the people who develop them, be pulled into being defined as money transmitters? My assumption in this post is that if: 1) the smart contracts are non-upgradeable, that is, they are set in stone from the moment they are published; 2) the developer no longer has any association with the "stack" after publishing the contracts; 3) the system is not governed by a DAO; 4) there is no stream of profits thrown off by the system; and 5) there is no token (as was the case with Tornado Cash's TORN), then it is probably less likely that the smart contracts and/or their designers would fall under the definition of a money transmitter. But I could be wrong.

** Mind you, Coinbase and a fully-compliant Privacy Pools wouldn't be perfect substitutes. Whereas Coinbase takes ownership of one's ether, thus subjecting privacy seekers to the risk of Coinbase going bankrupt, Privacy Pools is just a smart contract, and not subject to that same risk. For a sub-group of privacy seekers who worry about Coinbase going bust, FinCEN-compliant relayers and ASPs may be strictly superior to Coinbase.  

Friday, September 22, 2023

Coinbase: "What if we call them rewards instead of interest payments?"


Here's a question for you: which U.S. financial institutions are legally permitted to pay interest to retail customers?

We can get an answer by canvassing the range of entities currently offering interest-paying dollar accounts to U.S. retail customers. It pretty much boils down to two sorts of institutions:

  • Banks
  • SEC-regulated providers like money market funds.

There seem to be a few exceptions. Fintechs like PayPal and Wise are neither of the above, and yet they offer interest-yielding accounts to retail customers. But if you dig under the hood, they do so through a partnership with a bank, in Wise's case JP Morgan and in PayPal's case Synchrony Bank. (Back in the 2000s, PayPal used a money market mutual fund to pay interest). So we're back to banks and SEC-regulated entities.

And then you have Coinbase.

Coinbase will pay 5% APY to anyone who holds USD Coins (USDC), a dollar stablecoin, on its platform. (Coinbase co-created USDC with Circle, and shares in the revenues generated by the assets backing USD Coin.) The rate that Coinbase pays to its customers who hold USDC-denominated balances has steadily tracked the general rise in broader interest rates over the last year or so, rising from 0.15% to 1.5% in October 2022, then to 4% this June, 4.6% in August, and now 5%.

Coinbase isn't a bank, nor is it an SEC-approved money market mutual fund. And unlike Wise and PayPal, Coinbase's interest payments aren't powered under the hood by a bank.

So how does Coinbase pull this off?

In short, Coinbase seems to have seized on a third path to paying interest. It cleverly describes the ability to receive interest as a "loyalty program", which puts it in the same bucket as Starbucks Rewards or Delta's air miles program. The program itself is dubbed USDC Rewards, and in its FAQ, customers are consistently described as "earning rewards" rather than "earning interest."

This strategy of describing what otherwise appears to be interest as rewards extends to Coinbase's financial accounting. The operating expenses that Coinbase incurs making payments on USDC balances held on its platform are categorized under sales and marketing, not interest expense.

Oddly, this key datapoint isn't disclosed in Coinbase's financial statements. Instead, we get this information from a conference call with analysts last year, in which the company's CFO described its reasoning for treating USDC payouts as rewards:

Source: Coinbase Q4 2022 conference call
 

The flow of "rewards" that Coinbase is currently paying out is quite substantial. Combing through its recent financials, Coinbase discloses in its shareholder letter that it had $1.8 billion of USDC on its platform at the end of Q2. Of that, $300 million is Coinbase's corporate holdings, as disclosed on its balance sheet. So that means customers have $1.5 billion worth of USDC-denominated balances on Coinbase's platform.

At a rewards rate of 5%, that works out to $75 million in annual marketing expenses. (Mind you, not everyone gets 5%. We know that MakerDAO, a decentralized bank, is only earning 3.5% on the $500 million worth of USDC it stashes at Coinbase). In any case, the point here is that the amounts being rewarded are not immaterial.

Interestingly, Coinbase does not pay rewards on regular dollar balances held on its platform. It only provides a reward on USDC-denominated balances. This gives rise to a yield differential that seems to have inspired a degree of migration among Coinbase's customer base from regular dollar balances to USDC balances. 

For instance, at the end of Q1 2023, Coinbase held $5.4 billion in U.S. dollar balances, or what it calls customer custodial accounts or fiat balances. (See below). By Q2 2023 this had shrunk to $3.8 billion. Meanwhile, USDC-on-platform rose from $0.9 billion (see below) to $1.5 billion.

Source: Coinbase Q1 2023 shareholder letter


As the above screenshot shows, Coinbase has tried to encourage this migration by offering free conversions into USDC at a one-to-one rate. It has also extended the program to non-retail users like MakerDAO, although its non-retail posted rates are (oddly) much lower than its retail rates. Institutional customers usually get better rates than retail.

Incidentally, Coinbase isn't the only company to have approached MakerDAO to sign up for its fee-paying loyalty program. Gemini currently pays MakerDAO monthly payments to the tune of around $7 million a year, but calls them "marketing incentives." Paxos has floated the same idea, referring to the payments as "marketing fees" that would be linked to the going Federal Funds rate. The aversion to describing these payments as a form of interest is seemingly widespread.

There are two ways to look at Coinbase's USDC rewards program. The positive take is that in a world where financial institutions like Bank of America continue to screw their customers over by paying a lame 0.01% APY on deposits when the risk-free rate is 5.5%, Coinbase should be applauded for finding a way to offer its retail clientele 5%.

The less positive take is that USDC Rewards appear to be a form of regulatory arbitrage. Given that Coinbase uses terms like "APY" and "rate increase" to describe the program, it sure looks like it is trying to squeeze an interest-yielding financial product into a loyalty points framework, which is probably cheaper from a compliance perspective. If Coinbase was just selling coffee, and the rewards were linked to that product, then it might deserve the benefit of the doubt. But Coinbase describes itself as on a mission to "build an open financial system," which suggests that these aren't just loyalty points. They're a financial product. And financial products are generally held to strict regulatory standards in the name of protecting consumers.

We've already seen hints of regulatory pushback against the rewards-not-interest gambit so popular with crypto companies. In the SEC's lawsuit against Binance, it named Binance's BUSD Rewards program as a key element in Binance's alleged effort to offer BUSD as a security, putting it in violation of Federal securities registration requirements. Like Coinbase's USDC Rewards program, BUSD Rewards offered payments to Binance customers who held BUSD-denominated balances at Binance. BUSD is a stablecoin that Binance offered in conjunction with Paxos.

Coinbase's lawyers seem to have anticipated this argument and have already prepared the legal groundwork to rebut it. The SEC sent a letter to Coinbase in 2021 that asked why USDC Rewards was not subject to SEC regulation. In its response, Coinbase had the following to say:

Now, I have no idea whether this is a good argument or not. Having observed securities law from afar over the last few years, I'm always a bit flummoxed by the degree of latitude it offers. It seems as if a good lawyer could convincingly argue why my Grandma's couch is a security, or that Microsoft shares aren't securities.

If you think about it more abstractly though, loyalty points and interest are kind of the same thing, no? In an economic sense, they're both a way to share a piece of the company's revenue pie with customers. Viewed in that light, why shouldn't a program like USDC Rewards inherit the same legal status as Starbucks Rewards or air miles?

If Coinbase's effort to shape its USDC payouts as rewards ends up surviving, others will no doubt copy it. Wise and PayPal might very well stop using a bank intermediary to offer interest-paying accounts, setting up their own loyalty programs instead. A whole new range of investment opportunities marketed as loyalty programs might pop up, all to avoid regulatory requirements.

But it's possible to imagine the opposite, too. In a column for The Atlantic, Ganesh Sitaraman recently described airlines as "financial institutions that happen to fly planes on the side." If loyalty points and interest are really just different names for the same economic phenomenon, then maybe airline points, Starbucks Rewards, and USDC Rewards should all be flushed out of the loyalty program bucket and into stricter regulatory frameworks befitting financial institutions.

Tuesday, September 19, 2023

How did Zcash avoid getting OFAC'ed?

The 2022 sanctioning of privacy tool Tornado Cash by the Office of Foreign Assets Control (or OFAC, the U.S.'s sanctioning authority) has inspired a new privacy idea: Privacy Pools.

An olive branch to OFAC, Privacy Pools will let users choose who they associate with, the idea being that proactive filtering will quickly expose bad actors who try to use the tool, and so OFAC may be less hasty to apply sanctions to Privacy Pools smart contracts. I think it's a neat idea. We'll see where it goes.

Zooko Wilcox, the creator of the original anonymous cryptocurrency, Zcash, doesn't like the notion of bending a knee to OFAC. In an interesting conversation with Vitalik Buterin, one of the creators of Privacy Pools, Wilcox argues that the Privacy Pools regulatory dance is "unnecessary" because OFAC simply doesn't have the authority to sanction a protocol to death. And he puts forward Zcash as an example of a privacy technology that coexists peacefully with OFAC. Which is a fair point. Zcash has been around for seven years now, and OFAC hasn't shut it down.

This piqued the interest of Vitalik, who later on in the podcast asks Zooko why Zcash hasn't been OFAC'ed, given that it does exactly what Tornado Cash does: provide privacy.

I don't think it's a great idea for folks like Vitalik who are designing tools like Tornado Cash and Privacy Pools to take lessons from Zcash's experience with OFAC. And that's because Zcash is a very different beast than Tornado Cash/Privacy Pools. The two just don't land in the same regulatory bucket.

If you've been watching OFAC's dealings with crypto over the years, you'll notice that Zcash falls in the same OFAC bucket as other base layers like Bitcoin, Ethereum, Monero, Ripple, and more. When OFAC catches a sanctioned actor who controls an address on one of these base chains, it updates its list of sanctioned entities with the relevant address. This is how things have worked since 2018, when the first two bitcoin addresses were added to OFAC's list. But OFAC has always left the functionality of the chain itself unhindered, and it hasn't impinged on the ability of the chain developers to do their job by sanctioning them.

In fact, I've found a handful of Zcash addresses designated by OFAC, including one associated with the disinformation campaigns set up by recently-deceased Russian mercenary leader/oligarch Yevgeniy Prigozhin:

Source: OFAC


Here are a few more blocked addresses. But that's it. Zcash still works fine.

With the arrival of Tornado Cash/Privacy Pools, we've entered into completely new territory of smart contract-based tools built on programmable chains. How OFAC deals with these tools is going to be much more complex and tricky than how it deals with base chain addresses controlled by sanctioned entities. The Tornado Cash sanctions represent OFAC's first attempt, perhaps a clumsy one. Privacy Pools is a riposte from developers that, after being eyeballed by OFAC, might end up at a different equilibrium.

Zcash's regulatory experience just doesn't translate over to the sorts of things Vitalik is working on. It's in smart contract-space where the current evolution of OFAC's prodding of crypto is occurring, but Zcash doesn't have smart contract-based tools.

So from the perspective of a Zcasher like Zooko, it's just not necessary for him to play games with OFAC. The last five years of OFAC behavior suggests that OFAC can't and/or won't sanction Zcash-the-protocol to death, nor Bitcoin-the-protocol or Ethereum-the-protocol.

But the fact remains that the sanctioning of Tornado Cash (which has already survived one court challenge) suggests that OFAC does seem to have the authority to enact such a ban at the emerging smart contract level. That may not be concerning to Zooko now, but one day it might be possible to build all sorts of automated tools on top of Zcash. And at that point Zcash developers may have to play the same "unnecessary" olive branch game with OFAC that Ethereum smart contract developers like Vitalik are engaged in now.

Tuesday, September 12, 2023

There are now two types of PayPal dollars, and one is better than the other

PayPal now offers its customers two types of U.S. dollars. In addition to having the option of opening a traditional PayPal account to maintain a balance of dollars, PayPal customers can now hold something new called PayPal USD, a crypto version of a dollar. Whereas PayPal USD uses a crypto database, Ethereum, to host U.S. dollar balances (which in industry-speak is sometimes known as a stablecoin), the first sort of dollar relies on a conventional database.

There are currently around $45 million worth of PayPal USD in circulation, as the chart below illustrates:

Source: CoinMarketCap


Which type of PayPal dollar is safer for the public to use?

If you listen to Congresswoman Maxine Waters, who in response to PayPal's announcement fretted that PayPal's crypto-based dollars would not be able to "guarantee consumer protections," you'd assume the traditional non-crypto version is the safer one. And I think that fits with most people's preconceptions of crypto.

Not so, oddly enough. It's the PayPal dollars hosted on crypto databases that are the safer of the two, if not along every dimension, at least in terms of the degree to which customers are protected by: 1) the quality of underlying assets; 2) their seniority (or ranking relative to other creditors); and 3) transparency.

Here is a bit of commentary on each factor:

The quality of underlying assets

PayPal's crypto dollars, which are managed by a third-party called Paxos, are 100% backed by the safest sorts of short-term collateral: U.S. Treasury-bills, reverse repo (backed by U.S. government securities), and commercial bank deposits. In finance lingo, these assets are known as cash and cash equivalents. A big reason for this conservative investment approach is that Paxos is subject to a set of strict investment limits as determined by its regulator, the New York State Department of Financial Services (NYDFS). You can read about the NYDFS's stablecoin regulatory framework here.

By contrast, PayPal's regular dollars, which are regulated piecemeal under each U.S. state's own peculiar version of a money transmitter license, can almost always be legally backed by riskier assets. (Here is PayPal's list of state-issued licenses.)

For instance, if you comb through the fine print at the back of PayPal's annual report, the total amount of customer funds held in the form of regular PayPal dollars comes out to $36 billion at year-end 2022. Of this $36 billion, PayPal has invested $11 billion in "cash & cash equivalents." Put differently, just 30% of its dollars are backed by top notch assets, far less than the 100% ratio for PayPal's crypto dollars. PayPal invests another $17 billion of its customers' billions in something called available-for-sale debt securities which, if you dig further, is made up of stuff like government bonds, commercial paper, corporate debt securities, and more. See the list below:

Source: PayPal 2022 annual report

These available-for-sale securities are not as reliable as cash and cash equivalents, particularly treasury bills. First, they have riskier issuers, as is the case with commercial paper and corporate debt, both of which are emitted by companies. Second, they are characterized by longer terms-to-maturity, as is the case with government bonds and corporate debt securities. Prices of long-term debt are much more volatile than short term debt.

It would be illegal for PayPal to back its new crypto-based dollars with the assets listed above, yet for some reason it is fine if it backs its traditional dollars with them.

Customer's ranking relative to other creditors

The second drawback of PayPal's regular dollars is that the assets underlying them don't really "belong" to customers in any strong sense of the word. They belong to PayPal. 

More precisely, PayPal's terms of service has this to say: "...any balance in your Balance Account and any funds sent to you which have not yet been transferred to a linked bank account or debit card if you do not have a Balance Account, represent unsecured claims against PayPal..." The bold is my emphasis.

To understand what this means, let's say that PayPal goes bankrupt. You, a long time PayPal customer, hold $1000 worth of PayPal dollars. You might think that you are guaranteed to be made whole because there exists a corresponding set of underlying customer assets that has been specially earmarked for you and other PayPal customers. But that's not the case. Customers are what is referred to in finance as an unsecured creditor of PayPal, which means you'd be relegated to having to fight with PayPal's other creditors (banks, bond holders, etc) to get a piece of the pie, and that's only after PayPal's secured creditors – those highest in the pecking order – get first dibs. That could potentially mean getting maybe $600 or $700 instead of your original $1000.

The reason for this, as explained here by Dan Awrey, is the fairly lax state-by-state regulatory frameworks under which PayPal's regular dollars are issued, which "often do not require that permissible investments be held in trust for the benefit of customers—thus potentially forcing customers to compete with an [money services business]’s other unsecured creditors in the event that it is forced into bankruptcy."

By contrast, the regulator of PayPal's crypto-based dollars, the NYDFS, specifies that the reserves backing any crypto-based dollar "shall be held at these depository institutions and custodians for the benefit of the holders of the stablecoin, with appropriate titling of accounts." To translate, the assets underlying your $1000 in PayPal USD cryptodollars are not PayPal's assets. Nor are they Paxos's. They are yours. No need to squabble with competing vultures for what's left.

But oddly, PayPal is under no legal obligation to extend these very sensible protections to all of its regular PayPal dollars.  

Degree of transparency

The last big difference between the two types of PayPal dollars is that the crypto version offers far more transparency to customers. If you want to get current information about the assets underlying your crypto PayPal dollars, all you need to do is open up one of PayPal USD's soon-to-be published attestation reports. Published monthly, these reports must include market values of the assets backing PayPal USD, both in total and broken down by asset class. These values must be recorded on two separate days each month, or 24 times per year. Furthermore, these attestation reports must be prepared by an independent auditor.

By contrast, the only way to get vetted financial information about the assets backing traditional PayPal dollars is to read its audited financial statements, which come out just once a year. For the rest of the twelve months, customers are left in the dark.

So where am I going with all of this?

This illustrates the absurdity of some of the rules we've created surrounding monetary instruments. The fact that one type of PayPal dollar has robust protections while the other is only haphazardly protected, and only because the first is managed with a crypto database and not a traditional database, seems incredibly arbitrary to me. 

Financial regulations exist, in part, to protect retail customers against shoddy financial providers. Shouldn't all PayPal customers, no matter what database technology they select, get to benefit from the same standard protections? What's the logic behind stipulating that one type of PayPal customer is to have the benefit of monthly attestation reports, for instance, while limiting the other type of customer to a black void of information? 

The problem here isn't just one of having a few bad standards. Doesn't having multiple standards add to people's confusion about how they are protected?

Just to make things even more absurd, there's actually a third type of PayPal dollar. It comes in the form of balances held in PayPal Savings accounts.

Unlike the two types of PayPal dollar described above, the third type is insured by the government up to $250,000. PayPal Savings dollars also pay interest, whereas the first two don't, or are prohibited from doing so. PayPal offers this product in conjunction with a bank, Synchrony Bank, which means this third type of PayPal dollar conforms to an entirely different set of rules than the other two: Federal banking law.

But this only reinforces what a Frankenstein of a monetary system we've created. Why are only PayPal Savings dollars protected by deposit insurance, whereas the other two types of PayPal dollars aren't? How does this cacophony of features (or lack of features) help retail customers who, amidst all their other duties in life, simply don't have time to peruse the fine print of each different dollar emitted into the economy?

Thursday, June 29, 2023

There won't be a Blackrock bitcoin ETF, at least not until Binance bites the dust

Back in 2018 I wrote about the controversy over the constant stream of bitcoin ETF denials emanating from the Securities and Exchange Commission (SEC). And my conclusion then was: "further rejections likely." My conclusion in 2023 is the same. Even with Wall Street-giant Blackrock entering the scene with a proposed Nasdaq-listed iShares Bitcoin ETF, nothing has changed: a bitcoin ETF probably won't get approved.

The FT says that the big difference this time around is that Blackrock will enter into a "surveillance-sharing agreement with an operator of a United States-based spot trading platform for bitcoin." It's pretty clear that this agreement will be with Coinbase, the U.S.'s largest crypto market.

This may sound convincing, but the idea that Blackrock is the first potential bitcoin ETF issuer to enter into a surveillance-sharing agreement with a U.S. exchange is wrong. It's an old tactic, one that hasn't worked to date.

When the Winklevoss twins famously tried to launch their bitcoin ETF on the Bats BZX exchange many years ago, part of their (modified) proposal involved BZX entering into a surveillance-sharing agreement with the Gemini Exchange, a U.S. crypto exchange. But the SEC didn't see this as adequate in 2018, so it's not apparent to me why that approach would be adequate now.

Let's back up. Why surveillance sharing agreements?

I got into this in more detail five years ago, but here's a quick explanation. When an exchange lists an ETF, particularly a commodity-based one, that ETF is typically underpinned by some sort of commodity, say lumber or copper, that gets traded on another exchange (or set of exchanges). The SEC believes that a mutual agreement to share information between the relevant exchanges is key to preventing fraudulent and manipulative acts. For example, if one exchange serves as a venue for trading bananas, and another exchange wants to list a banana ETF, the SEC will only approve said ETF if the listing exchange shows that it can monitor the underlying spot banana exchange to catch manipulators, the end goal being to protect investors.

The Winklevosses' earlier attempt to prevent manipulation through surveillance sharing with Gemini wasn't deemed sufficient by the SEC, for two reasons. Gemini was neither significant (i.e. "big relative to the overall market"), nor was it regulated as a national exchange.

Fast forward to 2023. In its proposal, Blackrock is essentially swapping out Gemini with Coinbase, by having Nasdaq, the exchange that will list the iShares Bitcoin ETF, share surveillance with Coinbase. But unfortunately for Blackrock, nothing has changed. First, much like Gemini, Coinbase isn't a regulated exchange. Secondly, Coinbase isn't all that big in the global scheme of things, especially compared to global titan Binance, an offshore exchange. So I doubt that a surveillance sharing agreement with Coinbase will get Blackrock's proposal over the line. 


A second tactic that Blackrock is using to get SEC approval is to establish another surveillance sharing agreement with a regulated futures exchange, one that offers bitcoin contracts. As I explained in my 2018 article, this is how the massive SPDR Gold ETF got approved a few decades ago. When trading in a commodity occurs informally, say via over-the-counter markets (as it does with gold), and it's not possible for an exchange that lists an ETF to ink surveillance sharing agreements, then the SEC may accept an agreement with a futures exchange as a substitute, in SPDR's case the NYMEX exchange.

In Blackrock's case, it has chosen to have Nasdaq, the exchange on which it will list, mutually share information with the CME futures exchange, which lists bitcoin futures.

At first blush, Blackrock seems on the right track. The CME ticks the "regulated" column, unlike Coinbase. What about the "significant" column? The CME's open interest of around $1.5-2.0 billion is about half of Binance's $3-4 billion in futures open interest (and just a small fraction of the $10 billion combined total of Binance and all other unregulated offshore exchanges), so I'm not sure how the CME will qualify as big enough. (I get this data from The Block.) Put differently, if you wanted to manipulate the price of bitcoin using futures, you'd probably be able to do a fine job of it via Binance's futures market, and so Blackrock's surveillance sharing agreement with the CME just won't be all that effective.

In any case, this particular gambit has been tried before, and it hasn't worked. A parade of ETFs have tried to use a CME surveillance sharing agreement as their ticket to SEC approval, many using in-depth statistical analysis showing why the CME qualifies as "significant," and none have convinced the SEC, so it's not evident why Blackrock is special.

If Blackrock's iShares Bitcoin ETF isn't going to get approved, what needs to happen to get a bitcoin ETF over the line?

In my opinion, the unregulated offshore market needs to die. Much of crypto price discovery (and thus potential manipulation) occurs in offshore markets, both on the spot and futures side. Given the logic that the SEC has used up till now, Binance needs to go bust, and kosher venues need to take its place, before a U.S. bitcoin ETF gets approved, because it's only then that a majority of bitcoin trading will migrate to venues that tick both the SEC's "regulated" and "significant" requirements.