Last week from October 18-20, Georgetown University hosted its “First Annual Fintech Week.” The announcement of the event and program can be found here. Georgetown Law, IIEL, NEX, and Thomson Reuters sponsored Fintech Week. It was a truly first-class gathering with candid and rich conversations involving industry representatives, tech entrepreneurs, regulators, legal specialists, compliance leaders, law enforcement representatives and others.
I attended the October 19 panels entitled “Blockchain & Beyond: Distributed Ledgers and the Future of Payments” and “Combatting the Dark Side of Innovation: Cybersecurity and Money Laundering.” I am glad I did because the panels touched on mutually relevant issues. Major takeaways from the panels included the need for partnerships and give and take between partners; the need for interoperability to achieve scale, though inter-sectoral interoperability may not be needed for now; blockchain technology companies operate within existing legal and regulatory environments; privacy concerns must and can be accommodated through blockchain technology; cybersecurity will remain a concern; and digital identity needs to be reimagined.
Keynote speakers, moderators and panelists included: Shawn Malhotra (Vice President, Toronto Technology Centre, Thomson Reuters); Jenny E. Cieplak (Counsel, Crowell & Moring LLP); Angela Angelovska-Wilson (Chief Legal and Compliance Officer, Digital Asset Holdings); Dan Conner (President, DisLedger); Isabelle Corbett (Director of Regulatory Affairs & Senior Counsel, R3); Greg Schvey (CEO, Axoni); Heather Childs (Vice President, Capital One); Rajiv Kukreja (Chief Technology Officer, Sayari Analytics); Bob Schukai (Global Head of Design, Digital Identity Solutions, Thomson Reuters); David Szuchman (Vice President and Head of Global Financial Crime Compliance, PayPal); Patrick B. Wyman (FBI).
Partnerships: Artificial Intelligence, Big Data, Blockchain, and the Cloud present challenging policy issues, especially on the privacy side. How do you ensure information quality and cybersecurity and build in appropriate access controls for such a program? You need a rigorous approach, but you also need partnerships, which was something of a theme for both panels.
Partnerships Ideally Involve Give and Take: Panelists suggested that companies provide all the information requested in a subpoena and that law enforcement agencies should review the current Suspicious Activity Report (SAR) to determine what is really important. One company representative said he “would kill for an FBI sandbox.” A major Fintech firm is partnering with regulators on a public and occasionally confidential basis. The bottom line is that there seems to be a huge appetite for more private sector-regulator dialogue, which SIIA supports.
Interoperability: At least one company is working on developing blockchain solutions for the credit default, foreign exchange, and equities markets. While interoperability is critical to scale up applications in a given sector, the notion that interoperability is needed between sectors, at least for now, was debunked. End users will likely not even be aware that they are accessing blockchained platforms. (Note: The term “interoperability” in this context means interoperable scaled distributed ledgers in a technical IT sense. At SIIA, we have often written about “interoperability” in the sense of ensuring that data can flow between jurisdictions with different privacy regimes as long as the transferor complies with laws and regulations in the jurisdiction from which the data is transferred. Both kinds of interoperability are needed.)
Existing Legal/Regulatory Environment Relevance: Blockchain applications have to meet existing regulatory and legal requirements. Blockchain applications are not a pathway to the Wild West.
Privacy: There was a lot of conversation about how blockchain operators can comply with privacy laws, particularly the EU’s General Data Protection Regulation (GDPR), which enters into effect on May 25, 2018. One company representative said that for a number of his company’s projects, the data could not flow through U.S. servers. The general consensus seemed to be that the “central operators,” i.e., companies that operate private blockchains, can accommodate privacy concerns because they can limit those who can “see” the transactions they register. Furthermore, there are technical ways to “cheat the immutability” of the system and delete transactions in order to comply with right to be forgotten requests.
Blockchains are not a panacea – cybersecurity will remain a concern: The response to a question from the audience on the impact of fake news on blockchains and regulatory compliance tools was very interesting. One firm representative explained that his company only uses official records for the services it provides. And as another expert put it most bluntly: “Technology won’t solve this. If you write c—p into the blockchain, you get transparent immutable c—p.”
Digital Identity Needs to Be Reimagined: In response to another question from the audience regarding whether the Indian digital identity system, Aadhaar, is a model, the answer from the panel was no: Aadhaar has already been breached because the information is stored centrally. Identity in the future needs to be driven more by specific cases. For example, a person should only have to share age and a picture from a legitimate document (but not everything on that document) in order to prove she/he is 21 at a bar.
There was more in these highly worthwhile conversations. I have only extracted some of the highlights. Clearly, industry and regulators need to talk more with each other! And going forward, the key challenge will be to ensure that the security advantage of distributed ledger technology can be combined with the privacy-enhancing advantages of private blockchains.