Blockchains May Raise Red Flags for Bank Regulators

By Gregory Roberts

Sept. 12 — The ever-widening embrace of blockchain technology by banks raises an array of regulatory issues, from anti-money-laundering strategies to third-party risk management, and consumer protection to stress-testing procedures.

“A lot of people say blockchains are just back-office data base products, but they're more than that,” Marco Santori, the leader of the Digital Currency and Blockchain Technology focus team at Pillsbury Winthrop Shaw Pittman LLP in New York, told Bloomberg BNA. “They fundamentally change the relationship between the parties.”

A key element of that change is that each participant in a blockchain holds the same contemporaneous version of its transactions record in a connected computer, instead of each participant maintaining a separate log that may ultimately be reconciled with a centralized version maintained by a third party.

And in a conventional blockchain, that record is open to inspection by any participant.

“That's just a non-starter for institutional financial markets,” Axoni CEO Greg Schvey told Bloomberg BNA. His company is a leading provider of blockchain technology to financial institutions.

Permissioned, Not Permissionless

To begin with, it goes without saying that no financial institution will employ a blockchain that is open to all comers — a characteristic of the original blockchain, the software that underpins bitcoins. Instead of the “trustless, permissionless” bitcoin blockchain that requires no identity verifications, the bank versions will be “permissioned,” with limited participants.

“It's going to be critical when implementing this in financial services that the identities of those actors are known — that they are known and able to be verified,” Schvey said.

Customer identification is central to the anti-money-laundering and know-your-customer regulations covered by the Bank Secrecy Act (BSA), the Patriot Act and other laws.

“The know-your-customer, anti-money-laundering process and how that plays out in relation to the technology solutions, and the regulators’ comfort with them, is going to be key,” David Treat of Accenture told Bloomberg BNA. Treat is a managing director at Accenture, a global consulting giant, and head of the company's capital markets blockchain practice.

The bitcoin Ur-blockchain was unveiled in 2009. All bitcoin transactions are encrypted and bundled into blocks for posting online, and the blocks are attached to one another in sequence: the blockchain, a term that has given way in financial circles to distributed-ledger technology (DLT). Each subsequent transaction encrypts the one before it, so the encryption for Transaction 2 would include an encryption of Transaction 1, the encryption of Transaction 3 would include an encryption of Transaction 2 (which already included an encryption of Transaction 1), and so on.

Each transaction can be examined to determine if it accurately reflects and incorporates the preceding transactions, forestalling any alteration or modification of the record. Once validated and posted, the bitcoin transaction is complete and irreversible, as with exchanges of cash in the real world. The unique, unfolding bitcoin blockchain exists on thousands of computers around the world, and anyone with an internet connection can access it.

Characteristics Cut Both Ways

Banks see big potential advantages in some of the basic characteristics of the software infrastructure: An immutable, tamper-resistant record; multiple, identical copies, available to all participants, that provide a safeguard against crashes and also are simultaneously updated, eliminating the need for data reconciliation; transactions completed at cyberspeed that are done deals.

But some of those same characteristics of the blockchain pose significant regulatory challenges for banks and other financial institutions. The unchanging permanence of the DLT record could prove to be one hurdle, Treat said.

“The immutability problem is really going to be quite troublesome, if solutions aren't developed to address regulatory requirements for customer data to be redacted or removed or fixed,” he said.

The European Union (EU) adopted rules protecting a customer's “right to be forgotten” if he or she no longer does business with a given company, and the Fair Credit Reporting Act and other U.S. laws include provisions for customers to challenge or change entries in the record, Treat said.

Although the “D” in DLT mitigates the threat inherent in a “single point of failure” in a traditional, centralized record-keeping system, it exposes the blockchain to regulations restricting the geographic dispersal of information, a particular problem in the multinational EU, Treat said.

“Regulatory requirements to keep customer data within a jurisdiction are sort of bumping up against the nature of globally distributed systems,” he said. “Solutions that understand what data is available where will be critical, and the regulatory discussion has to be revisited.”

The shared possession of DLT data on multiple servers could affect procedures for the stress testing required of banks under the 2010 Dodd-Frank Act, Schvey said. Conventional responses to the requirements involve multiple, redundant computer servers backing up each other. In a DLT set-up, Schvey asked, “Who's responsible for redundancy when they're supposed to be synchronized?”

Cases in which the ledger is distributed across company lines also could run into BSA restrictions on information sharing, Santori said.

The Upside of Blockchains

On the flip side, Treat said, DLT could save banks significant amounts of money by speeding and smoothing cross-border transactions, potentially freeing up capital held as insurance while those deals are under way. And despite the potential regulatory issues, the record-keeping technology also is viewed as a tool for restraining the mushrooming costs of regulatory compliance incurred by banks.

“There's a primary concern and hope that the DLT and blockchain solutions are going to help them adhere to regulatory reporting requirements and make the process much more efficient and simple,” Treat said. “But if the regulators don’t get on board with it and it becomes additive, that's going to be a big challenge.”

In an e-mailed statement, the Office of the Comptroller of the Currency noted that separate licenses are not required by banks in adopting technology such as distributed ledgers.

“In considering such technology, banks should ensure they have conducted appropriate risk assessments, that control processes, including data integrity and compliance monitoring, are in place and that the technology supports their strategic business plans enabling them to better serve their customers and make their processes safer and more efficient,” the OCC said.

Recent Developments

Identifying other blockchain-related concerns most likely to catch the eyes of regulators takes some educated guessing, because no banks have deployed the technology fully in their operations.

But they are getting closer: BNY Mellon, Deutsche Bank, Santander and UBS recently formed a consortium to develop a digital currency to speed global money transfers via a blockchain; Citigroup is running a test platform for a similar project; and BNP Paribas invested in a dedicated blockchain team and is promoting the technology's potential, most recently at its Blockchain Bizhackathon in New York Sept. 7-8.

And. on Sept. 7, Barclays announced it effected a letter-of-credit transaction for an Irish cheese and butter export via a blockchain, cutting a process that normally takes a week or more to less than four hours in what the bank said was a historic first.

To contact the reporter on this story: Greg Roberts in Washington at

To contact the editor responsible for this story: Mike Ferullo at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.