In Part One of this series, we wrote about the maturation of the regulatory environment and the growing Privacy, Sustainability, and Financial Crime risks. In this blog, we explore evolving privacy risks of universally accessible metadata and the dangers of centralized authorities.
As the cryptocurrency environment slowly matures, regulatory scrutiny and emerging regulations on digital currency and virtual assets may create new challenges and regulatory risks for financial institutions. Presently, there is a lack of clarity in terms of how firms must handle the rapidly evolving growth of crypto and the privacy risks it can pose. We previously introduced, in Part One, the crypto ecosystem as well as the regulatory pressures and compliance risk trends. Below, we have provided a more in-depth analysis of regulatory pressures and discuss the impacts to compliance regarding privacy considerations.
Given current data privacy trends and the introduction of international and national privacy regulations, including the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), companies are beginning to understand the importance and need for data safeguarding. In the context of cryptocurrencies, it is often thought that these are anonymous or not able to be linked to an individual. However, when provided with a few additional pieces of information, a wallet identification (“ID”) may be considered Personally Identifiable Information (“PII”), since the blockchain contains wallet IDs, which can be attributed to a specific individual. Consequently, the privacy concerns of an ecosystem today and as it matures include:
i. Oversight of centralized entities
ii. Evaluation of additional data available against privacy laws
iii. Ability to track spending habits of a wallet (i.e., owner of wallet)
iv. Need for physical cash or additional tokens to provide consumer privacy
Normalizing the digital currency data (e.g., transactions, wallet numbers etc.) that is often represented as part of an individual’s bank account, 401(k), or even investment portfolio, and incorporating it into a publicly accessible ledger would allow an interested party to identify the user of each wallet, which could make for an extremely valuable resource, but also gives rise to privacy concerns. Such concerns could be exacerbated by the oversight of a centralized entity. The United States Dollar, including the digital version, for example, is a centralized asset, governed by the Federal Reserve. If the government implemented and exclusively used a centralized crypto utilizing blockchain technology, all transactions of every American could be publicly available, and would likely require consumer protection laws focused on client data to remove anonymity. Based on privacy market trends, there is a low probability that all transactions would move to a public ledger maintained by a single centralized entity.
Furthermore, because most cryptocurrencies store wallet IDs on the blockchain, the majority, with the exception of privacy coins, are not considered GDPR compliant. Privacy coins are GDPR compliant, but include almost no information on the blockchain, which makes tracking them extremely difficult and not yet possible with today’s technology. The privacy coins group of cryptocurrencies obscures a portion of information used to identify users to the point of complete anonymity. Privacy coins utilize one or many methods, including stealth or ring addresses, to hide user information. Ring addresses connect various wallets to the sending and receiving of a transaction, so it is not evident who was part of the transaction. Stealth addresses create a different address, one that is not publicly linked to a specific wallet, for each transaction. Because of the enhanced anonymity of this technology and its intrinsic value for illegal activities, these coins are often heavily regulated against, if not banned, by governments. Thus, despite their compliance with GDPR, privacy coins cannot be the only solution, as they pose an inherent conflict when it comes to balancing interests from a privacy versus a financial crimes perspective.
Is More Privacy Better?
As technology continues to evolve, consumer privacy regulations are developing along with increasing scrutiny from regulators, but the question remains – is more privacy better? As it pertains to cryptocurrency, we can ask a few questions about the privacy of each blockchain:
- Who is responsible to ensure consumer privacy, given the multi-party ecosystem?
- How can consumers exercise their rights (e.g., Right to data access, erasure, correction)?
- What information can be anonymized?
- What level of privacy is necessary in the future?
We are all accountable to ensure adequate consumer privacy is maintained in each of the blockchain environments in which we participate. With a multi-variable equation, there is no correct answer about the level of privacy. Instead, the future may have various cryptos, each having varying levels of privacy, usability, centralization, and functionality. As the stakeholders, consumers, or participants, it is our responsibility to educate ourselves about each blockchain ecosystem and the benefits and risks.
With varying cryptocurrencies, each with their own attributes, how can one ensure their rights under GDPR, or other regulations, will be preserved? Today, there is not a mainstream crypto aligning to all privacy regulations. The challenge in applying GDPR and other privacy regulations to Blockchain or Web 3.0 is that the regulations were written for old technology. GDPR articles calling out ‘right to data erasure’ directly contradict the immutability of blockchain technology and create violations if any part of the blockchain contains PII. Moreover, the responsibility cannot always belong to a CEO or Compliance Officer, as this position may not exist for cryptos. Given these discrepancies, privacy must be implemented during the design phase, as retroactive alterations are not feasible.
With increasingly strict privacy regulations, many companies are maintaining compliance by reducing identification of personal data using strategies such as pseudonymization and anonymity. With crypto transactions, while your wallet number and some transaction details are publicly available on the Blockchain, your anonymity remains intact unless someone knows your wallet number. For example, if you pay someone who you know on a personal basis, they will be able to link your wallet ID with who you are, removing anonymity. Additionally, that individual can review the public blockchain for all transactions using your wallet number to identify all transactions you have made with that wallet and your balance.
With multiple currencies and varying levels of privacy, the utilization of cryptocurrency in the future is an expected reality. It is likely that there could be different currencies for each use case. There would be a Central Bank Digital Currency (“CBDC”) in addition to various decentralized and centralized decentralized finance (“Ce-DeFi”) options. To navigate this complex ecosystem, especially during its volatile infancy, users need to perform research and partner with trusted advisors to maintain a competitive edge and prepare a resilient foundation for the future of our world.
Accenture has spent years enhancing our understanding of and anticipating changes to this new complex environment, developing best practices such as:
- Understanding crypto transaction data and their relevance to Data Privacy Laws
- Utilizing Key Ecosystem Partners
- Providing fit-for-purpose privacy solutions
- Privacy by Design
Within the blockchain of crypto, there is significant data about every transaction. Giving a single entity the ability to hold and normalize that amount of data is beneficial, but also extremely dangerous in the wrong hands. Accenture, working with hundreds of partners within this ecosystem, understands these correlations and provides solutions for privacy needs based on evolving regulations, consumer needs, and security of the blockchain. We mobilize an industrialized process for the identification of sensitive data, assessment of controls, and supporting reporting and analytics. We then design and implement a playbook for engineering privacy controls within service and product development and delivery.
In our next blog, we explore the financial crimes committed using cryptocurrencies and the financial industry’s best practices to circumvent challenging criminal activity.