Money laundering is a process criminals use to obfuscate their source of income. It effectively allows them to “wash” funds by moving them through various channels, which makes it hard to identify where the funds came from.
Unsurprisingly, the move to digital transactions has led to increased money laundering risks — recent data found that cryptocurrency money laundering rose 30% year over year in 2021. It makes sense; the anonymous nature of Bitcoin and other blockchain-based transactions makes it even easier for criminals to obfuscate their funding sources.
At the same time, a report from the U.S. Department of the Treasury notes that high-value art purchases also remain a popular pathway for money laundering, as they allow criminals to convert illicit assets into sources of stable value.
Non-fungible tokens (NFTs) offer the best of both worlds for money laundering efforts: anonymous transactions backed by ownership of unique assets. But what exactly is an NFT? How do criminals carry out money laundering efforts with the digital tokens, and what steps can organizations take to reduce the risk of NFT laundering? We’ll cover these questions and more in this basic primer.
What are NFTs?
You’ve probably heard the term NFT and wondered exactly what it meant. And you’ve probably seen a few definitions of the term that started off simply enough but left you scratching your head.
We’ve got you covered.
First let’s talk about blockchain, which is the framework used to sell and purchase NFTs.
Blockchain is a “shared public ledger,” which means all transactions made on a blockchain platform — such as Bitcoin, Ethereum, Dogecoin, etc. — can be viewed by all users of the platform. While the parties involved in the transaction remain anonymous, the transaction itself becomes public record and can’t be changed or eliminated. In effect, it becomes a single “block” in a larger chain, and any attempt to modify a block disrupts the entire chain, making it almost impossible to make alterations after the fact.
Anything can be a block. In many cases, these blocks take the form of cryptocurrencies that traders exchange for real money depending on market value.
Assets can be fungible or non-fungible. Fungible assets are identical to each other and can be traded with no loss in value or change in functionality. One easy example of a fungible asset is a dollar bill. One dollar bill can be exchanged for any other with no loss in value — from a market standpoint, they’re identical.
Non-fungible assets, meanwhile, are unique. Consider the Mona Lisa. While you could exchange the Mona Lisa for another piece of art, it would never be exactly the same. It wouldn’t look the same, and it wouldn’t have the same value. Whether you trade it for another painting from a master artist or a baseball card from someone’s basement, non-fungible assets are inherently unique.
So what exactly is an NFT? In practice, non-fungible tokens combine the secure and anonymous nature of blockchain with non-fungible assets such as art.
NFTs may take the form of drawings, music, videos, or even Tweets. As a result, they’re often thought of as the future of art collecting; rather than owning physical canvases or carvings, buyers own the rights to the digital asset itself.
This is where it gets weird(er) — since NFT owners don’t actually own the physical thing itself, they can’t prevent people from downloading or screenshotting it. Think of it like owning the Mona Lisa but having it stored in a museum. There’s nothing to stop people from taking pictures of it or buying prints of the original, but when visitors look up the details, you’re listed as the owner.
Although you can’t take physical ownership of an NFT, you can sell it to someone else via blockchain if they’re willing to pay for it — but until that sale happens, you’re listed as the permanent owner of the NFT. While the long-term value of the NFT market remains to be seen, some artists are using the framework to create and sell unique digital artwork online.
Are there any regulations around NFTs?
While the volume and value of NFT transactions are on the rise — one NFT video recently sold for $6.6 million — regulations around these assets are still in their infancy.
In the U.S., for example, no specific regulations exist around NFTs, despite the fact that some platforms are now seeing billion-dollar sales figures each month. Currently, lawmakers are trying to find the best fit for NFTs — it’s likely that rules similar to cryptocurrency regulations will be applied, but given that NFTs aren’t identical to currencies like Bitcoin and Etherium, there will be some differences. It’s almost certain, however, that NFT platforms will eventually be subject to Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations under the Bank Secrecy Act (BSA).
In countries like Japan, meanwhile, NFTs likely fall under article 2.1 of the country’s Financial Instruments and Exchange Act if money or assets that are defined as “distribution of profits” are provided to the holder of an NFT, but the definition is still evolving.
Put simply, while NFT regulations are still in development, businesses should expect to see them sooner rather than later as this market evolves.
NFT money laundering risks
There are two characteristics of NTFs that make them especially appealing to criminals looking to launder funds: Anonymity and value.
Bitcoin money laundering risk
First up: anonymity. While the nature of blockchain makes it possible for everyone on the network to “see” the value of a transaction and confirm that the transaction is completed, blockchain platforms provide no details about the buyers or sellers unless these parties choose to disclose this information. This adds to the overall security of blockchain — customers can carry out transactions with confidence since there’s virtually no chance of data being tampered with or deleted, so they don’t have to worry that their personal details are at risk of being exposed.
For ordinary users, this is comforting. For money launderers, it’s ideal. Not only are their transactions effectively immutable, meaning refunds can’t be issued and transactions can’t be voided, but no one has any idea where the funds used in these transactions are coming from or how they’ve been obtained. As a result, NFTs make it possible for criminals to purchase digital art or other assets using funds obtained via illegal actions with no one the wiser.
Value is also a challenge. In the world of physical high-value art, appraisals are often conducted to determine a fair market value for the item being purchased. If anonymous buyers are willing to pay far more than the item is worth, it may be a sign of money laundering. With NFTs, meanwhile, the volatile nature of the market makes it almost impossible to determine the token’s fair market value, in turn creating a challenge for regulators looking to establish clear indicators of money laundering.
What is NFT wash trading?
NFT wash trading is a type of scam where an NFT is fraudulently bought and sold repeatedly in order to manipulate the market and drive up the price of an NFT by making it appear more valuable. Usually, the buyer and seller are the same person, operating two different wallets. However, sometimes the wallets are owned by different individuals who are colluding to manipulate prices.
The bad actor(s) benefit when they succeed in selling the NFT to an unsuspecting collector at the inflated price.
It’s important to note that wash trading is illegal in most traditional markets, such as the stock market, the bond market, and the commodities market. However, because the cryptocurrency and NFT spaces are largely unregulated at the moment, NFT wash trading can still take place. It is widely believed that future regulation of the space will attempt to quash the practice.
How can businesses reduce these money laundering risks?
With regulation on the horizon and money laundering on the rise, companies are well-served by taking steps to mitigate NFT risk.
Some potential protective measures include:
Ensuring that customers are who they say they are is a critical component of reducing NFT money laundering risk. This starts with identity verification tools that help confirm the identity of potential buyers or sellers by evaluating provided information and documents against government databases and money laundering watchlists.
Once customers are verified, two-factor authentication can help protect accounts. For example, businesses that facilitate NFT transactions or handle funds from these transactions might use one-time SMS messages, authenticator apps, or USB keys in addition to usernames and passwords.
NFT KYC/AML compliance
While KYC and AML regulations don’t apply to NFTs yet, it’s worth proactively applying these approaches to blockchain and NFT transactions to both help reduce the risk of money laundering and other financial crimes — and help you get ahead of the compliance curve.
AML programs are build on five pillars: designating a compliance officer, developing internal policies, creating an employee training program, conducting third-party audits, and deploying risk-based procedures for conducting customer due diligence. KYC compliance, which falls under the umbrella of AML typically involves three main risk-based approaches: a customer identification program (CIP), customer due diligence (CDD) processes, and continuous transaction monitoring.
At the same time, businesses must still be mindful of the customer experience. Security measures that significantly increase the time and effort required to create an account or perform an action can lead to frustration and potential customer loss. As a result, it’s critical for businesses to leverage progressive risk segmentation to find the right balance between fraud prevention and conversion.
Crypto wallets and NFT collections are an enticing target for many bad actors, who in recent years have used techniques like password spraying and credential stuffing to take over accounts and abscond with their contents. The good news is that there are steps that you can take to better protect your users from these threats.
One relatively easy step that can make a big difference is enabling two-factor authentication during the log-in process.
Two-factor authentication adds a second step — or “factor” — to the log-in process, which makes it exponentially more difficult for a hacker to get into the account.
Once a user has successfully entered their password, they are asked to provide an additional piece of information. This can take the form of a security question, a selfie, a one-time code sent to their device, etc. According to a report by Google, implementing two-factor authentication can block up to 100% of automated bot hacks.
Other cyber security measures
If you are concerned about NFT fraud taking place on your platform, there are a number of steps that you can take. The somewhat obvious measures are those listed above: Implementing identity verification and KYC processes during signup, requiring two-factor authentication, etc.
But it’s also important to regularly scan your database of users to understand how accounts are related to one another. When a large number of accounts are created using the same IP address, for example, it can be a hint that they may be used for fraudulent activities, such as NFT wash trading.
Of course, patterns like this are incredibly difficult to identify through manual review. This is why we have developed our Graph solution, which automates the review process and makes it easier to identify and visualize fraud rings and other types of fraudulent, linked accounts.
While the future of NFTs is uncertain, it’s safe to say these digital assets represent real money laundering risk. To help reduce the likelihood that criminals will use NFTs to conceal financial crime, it’s worth taking proactive steps to verify customers without impacting the speed and simplicity of the digital transaction process.
Looking to navigate the new world of NFTs? See how Persona can help.