Loading…

A Better Way to Fight Money Laundering – American Banker quotes Jim Richards and Others

Jim Richards was quoted in an August 2019 American Banker article titled “Is There a Better Way to Fight Money Laundering?” by Victoria Finkel. AB Link

The article is well-researched, well-written, and accurately and fairly makes the point that there are better ways to fight money laundering, but there are impediments. Like all articles, though, the editors are required to edit, and quotes are often trimmed to fit the flow, cadence, and tone of the article.

Below are the two quotes that are in the article. I’ll add the context for each.

“Everybody in the regime wants to try to make it more efficient and effective, but everybody’s got a different definition of efficient and effective,” said Jim Richards, the former global head of financial crimes risk management for Wells Fargo and the founder of RegTech Consulting.

What was not included in the article was the next sentence, where I stated that:

“The prudential regulators are focused on safety and soundness, or how we do our jobs: conducting risk assessments, writing policies and procedures, risk rating and performing due diligence on our customers, documenting and validating the models developed for monitoring transactions, and documenting the reasons why we don’t file a suspicious activity report. Law enforcement, on the other hand, is focused on how well we do our jobs: providing timely, actionable intelligence to law enforcement in order to fight financial crime. And since it is the regulators, not law enforcement, that are examining us, our focus is rightly on compliance – how we do our jobs – and not on how well we provide intelligence to law enforcement.”

The article also quotes Greg Baer of the Bank Policy Institute, who has this take on the dilemma of being examined on how we do our jobs, not on how well we do our jobs:

“The examiners who determine compliance are not allowed to know, in all but rare cases, what becomes of the suspicious activity reports that are filed,” Baer of the Bank Policy Institute said. “So that compliance rating is driven far more by things like, are there written policies and procedures, has there been strict one hundred percent adherence to those policies and procedures, rather than the efficacy of the SARs that are filed. What that leads to is, AML is examined much the same way as any other function — through a check-box kind of approach,” Baer said. This in turns shifts the balance with regard to bank priorities, with compliance becoming the main focus. That includes an over reliance on defensive SARs and a fixation on minutiae, according to industry experts.”

John Byrne, a long-time industry expert, is also quoted:

“We have these laws for one reason and one reason alone — and that’s to get valuable data and information in the hands of law enforcement, so there can be a reaction,” said John Byrne, an expert on anti-money-laundering issues and vice chairman of AML RightSource. “When regulators are criticizing banks for being a couple of days late in a filing or putting a company on a cash reporting exemption list by error, that’s a problem.”

The next Richards quote deals with the lack of actionable feedback on the reports that are being filed:

“What the CFOs and the CEOs are saying is, what are we getting for all this money we’re pumping into the AML/BSA regime?” said Richards, the former Wells Fargo executive. “Can we produce fewer alerts and have it cost less and investigate fewer cases and file better SARs? The answer to that is maybe — but we don’t know what a better SAR is.”

We don’t know what a better SAR is because the feedback SAR filers get from regulators, law enforcement, and FinCEN is scattered and ad hoc, at best, and non-existent, at worst. I have written about the need for feedback through what I have called TSV SARs, or Tactical or Strategic Value SARs, on multiple occasions. See, for example, https://regtechconsulting.net/money-laundering-terrorist-financing-general/fincens-fy2020-report-to-congress-reveals-its-priorities-and-performance/

The American Banker article has some other excerpts that deserve mention. First is an estimate of the amount of illicit funds in the US financial system:

“The United Nations Office on Drugs and Crime estimates that as much as $2 trillion is illegally laundered around the world each year — while law enforcement reportedly catches less than 1% of that. As much as $300 billion in illicit funds make their way through the U.S. financial system in a given year, according to the Treasury Department.”

The estimate of the amount of illicit funds flowing through the US financial system is close to the amount of illicit funds reported by SAR filings!

In 2018, banks and credit unions filed ~975,000 SARs. Based on some empirical data and some conversations with BSA Officers, the average depository institution SAR reports ~$245,000. In 2018, MSBs filed ~875,000 SARs. Those average about $36,000. “Others” filed another $275,000 SARs, and I’ll guess that those averaged ~$50,000. The total? Almost $300 billion. And that doesn’t include a percentage of the 18 million Currency Transaction Reports: if the average CTR reported $20,000 and 20% of the CTRs involved illicit funds, that would add another $70 billion being reported by financial institutions. So it may not be a reporting issue at all.

So, financial institutions are reporting over $300 billion in potential illicit funds flowing through the US financial system every year. But what percentage of the total flow of funds is illicit? Based on excerpts from the 2015 and 2018 US National Money Laundering Risk Assessments, the total annual flow of funds through the two main wire transfers systems (Fedwire and CHIPS), ACH, debit cards, and cash is about $2 quadrillion dollars. So the illicit funds flowing through the US system represent about 0.0001% of the total funds. Interesting …

A second excerpt that caught my eye is the following:

“… broad AML legislation recently introduced by a bipartisan group of senators — Mark Warner, D-Va., Doug Jones, D-Ala., Tom Cotton, R-Ark., and Mike Rounds, R-S.D. — would require the Department of Justice to report annually on how frequently law enforcement agencies use Bank Secrecy Act reporting as part of their investigations.”

What is interesting is that while it would be great to have a new law to compel the Justice Department to report annually on how law enforcement is using BSA reports, there already is a law that compels the Treasury Department to report semi-annually on how law enforcement is using BSA reports, and it is not being enforced! Take a look at the USA PATRIOT Act’s section 314(d). Once again, I’ve written about this: https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/

Hopefully, this well-researched, well-written American Banker article will be well-received by everyone who has an interest in seeing the US BSA/AML regime become more effective, more efficient, and better serve the global, national, and local financial systems and financial institutions as we continue the fight against financial crime.

Is the Clinical Cannabis Catch-22 Coming to Closure?

The Scottsdale Research Institute case may be a significant step forward in the normalization of cannabis. And it may address one of the most vexing clinical cannabis catch-22 situations there is today.

Schedule I of the Controlled Substances Act lists drugs that are both harmful and have no currently accepted medical use. Marijuana or cannabis was included in Schedule I since the passage of the Controlled Substances Act in 1970, and has remained there, notwithstanding great public, political, and other pressure to reschedule or even deschedule it.

Congress has the ability to reschedule marijuana. Let’s assume that they’re not prepared to act anytime soon: that would take courage and compromise, two things that appear to be lacking in this Congress. But the DEA also has the ability to reschedule marijuana, but it has not done so, and various DEA publications have indicated that it won’t do so because of a dearth of clinical trials demonstrating currently accepted medical use, or medical efficacy. One of the reasons for the dearth of clinical trials is a lack of availability of approved research-grade cannabis. Under the Controlled Substance Act, the DEA controls who gets to product cannabis for clinical trials. Currently, there is one such approved facility, the University of Mississippi. And the cannabis produced by that facility is, by most accounts, not very good (the picture here is from the Scottsdale Research Institute court filing, mentioned below). So why aren’t there more facilities approved to grow cannabis for medical research?

The DEA controls that, too. From 1970 (when the CSA was passed and cannabis was included in Schedule I), dozens of applications to produce cannabis for medical research were filed, and none were approved. In late 2015 a federal law was passed that compelled the DEA to act on these applications – to approve or deny them – within 90 days. Again, dozens of applications have been filed. And none have been acted on.

An interesting case is now before the US Court of Appeals (District of Columbia) called In re: Scottsdale Research Institute, LLC, District of Columbia Court of Appeals, case No. 19-1120, where a medical research company is seeking to compel the DEA to act on its application to produce pharmaceutical-grade cannabis. The facts are important …

A doctor in Arizona, Dr. Suzanne Sisley, has the necessary federal approvals to run a clinical trial to determine whether cannabis is effective in treating veterans’ PTSD (as Dr. Sisley writes in her Declaration supporting the petition, she “struggled for seven years [from 2009 to 2016] to get approval from four different federal agencies to conduct clinical trials of cannabis as a treatment for PTSD symptoms in veterans.”). But she cannot begin those trials without pharmaceutical grade cannabis, which the only approved supplier cannot provide. In 2016 she (actually, her company and the appellant in this case, Scottsdale Research Institute, LLC, or “SRI”) submitted an application to grow her own cannabis for her clinical trials, but the DEA hasn’t acted on that application, notwithstanding the law that says it has to. Without pharmaceutical-grade cannabis to run her FDA-approved clinical trials, she was stuck. This petition, called a Writ of Mandamus, was brought to compel the DEA to act. Notably, the Writ of Mandamus does not seek to compel the DEA to grant the application to produce cannabis for research: as SRI writes in its petition, “mandamus here will not divest the agency of its discretion. It simply allows the process contemplated by the statute to begin, not end. The agency still maintains discretion to deny or delay the application.”

So let’s sum up:

  • The DEA won’t consider rescheduling cannabis without clinical trials.
  • Clinical trials require approved, pharmaceutical-grade cannabis.
  • The DEA decides who produces pharmaceutical-grade cannabis.
  • The only DEA-approved producer of pharmaceutical-grade cannabis cannot produce pharmaceutical-grade cannabis.
  • Since 2016, the DEA has been required by law to either approve or reject applications to produce cannabis for medical research within 90 days of receiving the application.
  • The DEA has received dozens of applications from entities seeking to produce pharmaceutical-grade cannabis.
  • The DEA has neither approved nor rejected any of those applications in the 3+ years it has been compelled by law to do so.
  • SRI is bringing a federal court action to compel the DEA to consider its application.

As Dr. Sisley and SRI’s petition to the District of Columbia Court of Appeals provides:

“Millions of Americans believe cannabis holds the key to ending their pain and suffering, making the need for clinical trials acute no matter the outcome of SRI’s clinical trials. If those studies show that thirty-eight states (and counting), doctors, legislators, and the American public are all wrong—i.e., that cannabis lacks medical utility—then we must know this now. Those using cannabis to treat conditions like PTSD may be jeopardizing their health and welfare. But in the more likely alternative— i.e., SRI’s studies prove that cannabis has medical value—DEA’s delay inexcusably deprives combat veterans and others of a treatment option necessary to ease their pain. Either way, more delay is unconscionable.”

The Court of Appeals issued a preliminary ruling on July 29th regarding SRI’s June 11th petition: the DEA has 30 days to file a response, and SRI then has 14 days to file a reply to that response. Notably, after receiving SRI’s 284-page petition, the Court of Appeals has limited the DEA’s response to 7,800 words, and SRI’s reply to 3,900 words. (This article is 800 words long, by the way).

I doubt that clinical trials will prove that cannabis lacks medical utility – but whether something has medical utility isn’t really the question. Many non-approved, and unapprovable, products have some medical utility, but can’t be safely used as federally-approved medicines. Let’s allow the clinical researchers to do their jobs. Let’s allow – perhaps we need to compel – federal regulatory agencies to do their jobs. And wherever and however this comes out at the end, at least we will know what safe and appropriate medical uses there are for cannabis, or components of cannabis.

SAR Feedback? What Ever Happened to Section 314(d)?

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.”  Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

One in Two Cannabis Dispensaries is Robbed or Burglarized? Perhaps not …

Are there any good studies on robbery and burglary rates of cannabis related businesses as compared to other businesses? Are cannabis related businesses robbed or burglarized at higher rates than other cash intensive businesses?

These questions may not be answered – I know I haven’t found good answers, and I have looked. Two written statements by the Credit Union National Association (CUNA) and American Bankers Association (ABA) provide two very different answers.

The Senate Committee on Banking, Housing, and Urban Affairs held a hearing on “Challenges for Cannabis and Banking: Outside Perspectives” on July 23, 2019. Both CUNA and the ABA had representatives provide written testimony and answers questions from the Senators. The written statement from the representative of CUNA included the following statement (which was picked up by one of the Senators during the question and answer session):

“A 2015 analysis by the Wharton School of Business Public Policy Initiative found that, in the absence of being banked, one in every two cannabis dispensaries were robbed or burglarized—with the average thief walking away with anywhere from $20,000 to $50,000 in a single theft.”

One in every two cannabis dispensaries is robbed or burglarized! That is a stunning statistic. Actually, it is really two statistics because of the significant difference between a burglary and a robbery. Without getting into legal minutia, burglary is entering into a structure or dwelling with the intent to commit a crime; robbery is taking something from a person using force, or the threat of force, to do it. Put another way, a burglary becomes a robbery if there is someone in the structure or dwelling and the perpetrator uses force or the threat of force to take something. Both are serious crimes, but robbery is much more serious than burglary, as it (the robbery) involves direct victims.

The written statement from the American Bankers Association included the following:

“In Denver, [the roughly 500] cannabis businesses make up less than 1% of all local businesses but have accounted for 10% of all reported business burglaries from 2012-2016. On average, more than 100 burglaries occur at cannabis businesses each year according to the Denver Police Department, and burglaries and theft comprise almost 80% of Denver’s cannabis industry-related crime.”

CUNA’s statement that one in every two cannabis dispensaries is robbed or burglarized caught me by surprise.  The ABA’s statement – that roughly one in five cannabis business is burglarized – seems more reasonable. Logically, if one in every two dispensaries was robbed or burglarized, there would be headlines. I can’t find them. So I looked into CUNA’s source for its one in two conclusion, what they called “the Wharton analysis.”

It doesn’t exist.

Here’s a link to the Wharton “analysis” … https://publicpolicy.wharton.upenn.edu/live/news/2214-cash-crime-and-cannabis-banking-regulations-in-an/for-students/blog/news#_edn2.

First, it is a 2017 student blog written by three students which bears the following disclaimer: “The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Wharton Public Policy Initiative’s strategies, recommendations, or opinions.”

This November 20, 2017 student blog – not a Wharton Public Policy Institute publication at all – is titled “Cash, Crime, and Cannabis: Banking Regulations in an Illegal Market”. Under the heading “Risky Business”, the three student authors write:

“Not only are cash businesses conducive to tax manipulation, they also hurt many individuals, because of the risk of crime. In 2015, one in two cannabis dispensaries were robbed or burglarized, with the average thief walking away with anywhere from $20,000 to $50,000 in a single act [citation]. Mitch Morrissey, district attorney of Denver, notes a direct increase in crime cases related to the marijuana industry, and sees the reasoning behind the robberies stating: ‘You hit a 7-Eleven, you’ll get 20 bucks. You hit a dispensary, you’ll get $300,000 on a good day’ [citation].”

The citation the students provide is http://www.sivallc.com/the-growing-need-for-a-cannabis-dispensary-security-plan-infographic/

That page is no longer available. But the citation is not to an article or study, but simply to the infographic, which they label “Dispensary Security Infographic” and the source is shown as “Bubulyan Consulting Group”.  Bubulyan Consulting Group is actually Bulbulyan Consulting Group, which was the original name of Siva Enterprises. Avis Bulbulyan is the CEO of Siva Enterprises (www.sivallc.com).

I haven’t reached out to Mr. Bulbulyan to ask him where he obtained the data for the inforgraphic, but it appears that the source was an NBC news story from February 4, 2014 (available at https://www.nbcnews.com/storyline/legal-pot/high-crimes-robber-gangs-terrorize-colorado-pot-shops-n20111). That story includes the following:

“In 2009, the Denver Police Department estimated that about 17 percent of marijuana retail shops had been robbed or burglarized in the last year. That was good news: a bit less than liquor stores (20 percent) and banks (34 percent), and on par with pharmacies. Today, however, a darker picture has emerged. There are about 325 marijuana companies in Denver, based on an analysis of licensing data done for NBC News by Marijuana Business Daily, a leading trade publication. (Most companies hold numerous licenses.) At the same time, there have been about 317 burglaries and seven robberies reported by these companies in the last two years, according to police data. That’s an annual robbery and burglary rate of about 50 percent, more than double what it was in 2009. While a Denver Police spokesperson disputed these figures, the department doesn’t have its own.”

As written above, there is a significant difference between a burglary and a robbery. Using NBC’s numbers from its 2014 story, “that’s an annual robbery rate of about 1% and a burglary rate of about 49%.”

So what is the experience of law enforcement and the cannabis industry?

Colorado statistics seem to paint a very different picture

The City of Denver has an “Open Data” effort that includes marijuana-related crime (“crimes reported to the Denver Police Department which, upon review, were determined to have clear connection or relation to marijuana.”). It is available at County of Denver Marijuana Crime . That data suggests that marijuana-related business burglaries peaked in 2013 at 101, and dropped to 74 for the first eleven months of 2018. That suggests a burglary rate of 12% – 15%. Marijuana-related business robberies peaked in 2014 at 5: they recorded 1 such event in 2018. That rate is between 0.2% and 1%. Notably, these statistics are not comparing the marijuana-related crime rates with overall crime rates. It may well be that marijuana dispensaries are burglarized and robbed at roughly the same rate as other cash intensive businesses.

In an October 2018 report by the Colorado Division of Criminal Justice on organized crime cases in Colorado, the DCJ wrote “there has been concern that, due to the cash-only nature of the industry, robbery would be prevalent, but this has not been the case.” This seems in keeping with the 2014 NBC story that anecdotally suggests a robbery rate of 1% for cannabis dispensaries (in the Denver area).

Some research also suggests that the crime/cannabis nexus isn’t as strong as the anecdotes suggest, and in fact state-legal cannabis dispensaries may help reduce crime.

In a paper published in May 2018 “High on Crime? Exploring the Effects of Marijuana Dispensary Laws on Crime in California Counties” (http://ftp.iza.org/dp11567.pdf) the authors looked at violent and property-related crimes in California on a county-by-county level, and concluded that:

“The results suggest no relationship between county laws that legally permit dispensaries and reported violent crime. We find a negative and significant relationship between dispensary allowances and property crime rates, although event studies indicate these effects may be a result of pre-existing trends. These results are consistent with some recent studies suggesting that dispensaries help reduce crime by reducing vacant buildings and putting more security in these areas.”

Although this study doesn’t refer to robberies or burglaries at cannabis dispensaries, it seems logical that if those dispensaries were being robbed or burglarized at a rate of 50%, the study would have pointed that out.

A study published in the Journal of Preventive Medicine in March 2018 https://www.sciencedirect.com/science/article/pii/S0091743517305078 by university researchers funded by the Centers of Disease Control and Prevention looked at “the geography of crime and violence surrounding tobacco shops, medical marijuana dispensaries [MMDs], and off-sale alcohol outlets in a large, urban low-income community of color” using data from 2014. The abstract provides:

“Results indicated that mean property and violent crime rates within 100-foot buffers of tobacco shops and alcohol outlets—but not MMDs—substantially exceeded community-wide mean crime rates and rates around grocery/convenience stores (i.e., comparison properties licensed to sell both alcohol and tobacco) …”

Conclusion

There is no doubt that cash intensive businesses – bars, restaurants, convenience stores, casinos, cannabis dispensaries – are more likely to suffer burglaries and/or robberies than those businesses that are not cash intensive. And it seems logical that cannabis dispensaries, which struggle to get and maintain banking relationships and are therefore more cash intensive than other businesses, and have a very valuable and largely untraceable product on their premises, are more likely to suffer burglaries and/or robberies at an even higher rate. But that combined rate is probably not 50%. It is probably closer to the ABA’s figure (from the Denver Police Department, apparently) of 20%, or even the County of Denver data that suggests a rate of 12% – 15%.  Regardless, public policy should be driven by accurately reported and cited information: citing a 2015 Wharton Business School study is very different than citing a 2014 NBC News report. Although the robbery rates and burglary rates may in fact be high, and the NBC News report accurate, we are all better served if the bases of our collective public policy decisions are known and accurate.

The Federal Government must step up and provide legislation, regulation, and regulatory guidance to the financial services industry so that cannabis businesses and cannabis related businesses can have access to the full suite of banking services – notably deposit accounts, cash management services, payroll services, merchant banking services, credit, and insurance. The SAFE Banking Act might be a good first step.

Business Email Compromise – New FinCEN Advisory and Trend Analysis

FinCEN has issued an updated advisory on Business Email Compromise (BEC) fraud schemes: FinCEN 2019 BEC Advisory . At the same time it issued a Financial Trend Analysis that provides some details on what FinCEN is seeing from the Suspicious Activity Reports on BEC schemes: BEC Trends

FIN-2019-A005 Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes (July 16, 2019)

This 2019 Advisory is 12 pages long, and supersedes the 2016 advisory: FinCEN 2016 BEC Advisory. Highlights of the 2019 Advisory can be summarized as follows:

Instances of BEC reported to FinCEN have climbed from averaging just under 500 reports per month (averaging $110 million monthly in total attempted BEC thefts) in 2016 to over 1,100 monthly reports (averaging over $300 million monthly in total attempted BEC thefts) in 2018. Since November 2016, financial institutions reported over 6,000 instances and over $2.6 billion in attempted and successful transactions affiliated with suspected money laundering activity through BEC schemes.

Three observed trends since the 2016 Advisory. First, a concentration of targeting of particular sectors: manufacturing and construction (25% of reported BEC cases), commercial services (18%), and real estate (16%). Second, the majority of BEC incidents (reported in the Trends Analysis at 73%) affecting U.S. financial institutions and their customers are increasingly involving initial domestic funds transfers, rather than international, likely taking advantage of money mule networks across the United States to move stolen funds. Third, the two most common impersonations – CEO and vendor – are trending in different directions: CEO impersonations are trending down (from 33% of reported incidents in 2017 to 12% in 2018), and vendor impersonations are trending up (from 30% of incidents in 2017 to 39% in 2018, becoming the most common BEC method). FinCEN also noted that the average transaction amount for BECs impersonating a vendor or client invoice was $125,439, compared with $50,373 for impersonating a CEO.

A BEC scheme’s probability of success and the potential payout from fraudulent payment instructions often depends on (1) the criminal’s knowledge of their victim’s normal business processes by leveraging publicly available information about the victim organization’s vendors, contracts, and business processes, and (2) weaknesses in the victim’s authorization and authentication protocols.

In this 2019 Advisory, FinCEN broadens its definitions of email compromise fraud activities to clarify that such fraud targets a variety of types of entities and may be used to misdirect any kind of payment (not just wire transfers) or transmittal of other things of value. While many email compromise fraud scheme payments are carried out via wire transfers (as originally stated in the 2016 BEC Advisory), FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through convertible virtual currency payments, ACH transfers, and purchases of gift cards.

The 2019 Advisory also expands the types of victims beyond commercial businesses. FinCEN analysis has indicated criminal groups use a variety of techniques to conduct BEC fraud against individuals, particularly and increasingly those with high net worth, and entities that routinely use email to make or arrange payments between partners, customers, or suppliers. Targets of these schemes fall outside of the definition of traditional business customers, such as government entities and non-profit organizations or even the financial institutions themselves.

Footnote 7 provides that “The definitions of email compromise fraud, BEC, and EAC supersede the definitions in the 2016 BEC Advisory.” Those definitions are (and the red font indicates changes from 2016):

Email Compromise Fraud: Schemes in which 1) criminals compromise[1] the email accounts of victims to send fraudulent payment instructions to financial institutions or other business associates in order to misappropriate funds or value; or in which 2) criminals compromise the email accounts of victims to effect fraudulent transmission of data that can be used to conduct financial fraud. The main types of email compromise, the definitions of which have been modified to reflect the expansion of victims being targeted, include:

Business Email Compromise (BEC): Targets accounts of financial institutions or customers of financial institutions that are operational entities, including commercial, non-profit, nongovernmental, or government entities.

Email Account Compromise (EAC): Targets personal email accounts belonging to an individual.

BEC Fraud against Governments – BEC frauds have targeted accounts used for pension funds, payroll accounts, and contracted services. Schemes against government victims are consistent with other common typologies in BEC fraud. BEC schemes targeting government entities also often include vendor impersonation.

BEC Fraud against Educational Institutions – In 2016, financial institutions reported to FinCEN over 160 incidents of BEC targeting educational institutions where criminals attempted to steal over $50 million. The education sector has the largest concentration of high-value BEC attempts in financial sector reporting, even though only approximately 2% of BEC incidents affected educational institutions in 2017. Schemes against educational institutions frequently involve vendor impersonation. Attackers use authentic-looking payment requests to direct funds to domestic bank accounts they control. Large-scale construction and renovation projects have repeatedly been targets of high-dollar thefts.

BEC Fraud against Financial Institutions – In some cases, BEC actors directly target the financial institutions themselves. This scheme typically involves spoofing bank domains and sending what appear to be credible messages to imitate official communications between bank employees, such as sending emails that appear to be from a financial institution’s SWIFT (wire operations) department with payment instructions and SWIFT reference numbers in the email text to enhance its apparent legitimacy to the victim.

Information Sharing – The 2019 Advisory encourages financial institutions to use 314(b) to share information. FinCEN points out that many beneficiaries of BEC schemes play roles in larger networks of criminal activity and laundering of funds from illicit activity (“FinCEN encourages financial institutions to share valuable information about BEC beneficiaries and perpetrators, for purposes of identifying and, where appropriate, reporting activities that they suspect may involve possible terrorist activity or money laundering.”).

The 2019 Advisory includes a section on information for US financial institutions (which supersedes the 2016 advisory):

Risk Management Considerations – In determining the inherent risk of BEC, financial institutions should consider the level of information available publicly about key financial counterparties and processes, including information on public websites or on the darknet (e.g., email account login credentials that have been compromised and posted for sale). Financial institutions need to also consider its procedures and processes relating to how it (1) authenticates participants in communications,( 2) authorizes transactions, and (3) communicates information and changes about transactions. A multi-faceted transaction verification process, as well as training and awareness-building to identify and avoid spear phishing schemes, are critical.

Response and Recovery of Funds – To request immediate assistance in recovering BEC-stolen funds, financial institutions should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), contact their local FBI field office, or contact the nearest USSS field office. These agencies are part of FinCEN’s Rapid Response Program (RRP). Financial institutions should also use the 314(b) information sharing process to request assistance from other financial institutions involved in (victims of or unwitting participants in) the scheme.

Suspicious Activity Reporting – Financial institutions should provide all pertinent available information on the event and associated suspicious activity, including cyber-related information, in the SAR form and narrative. Specifically, the following information is highly valuable to law enforcement and FinCEN in investigating BEC/EAC fraud:

Transaction details:

1) Dates and amounts of suspicious transactions;

2) Sender’s identifying information, account number, and financial institution;

3) Beneficiary’s identifying information, account number, and financial institution; and

4) Correspondent and intermediary financial institutions’ information, if applicable.

Scheme details:

1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps;

2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and

3) Description of related cyber-events and use (or compromise) of particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud:

  1. a) Email auto-forwarding
  2. b) Inbox sweep rules or sorting rules set up in victim email accounts
  3. c) A malware attack, and
  4. d) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)

[1] Criminals engaged in email compromise fraud may directly compromise email accounts through unauthorized electronic intrusions in order to leverage the compromised account for sending messages, or they may instead impersonate an email account through spoofing the email address or using an email account closely resembling a known counterparty or customer’s email address (i.e., that is slightly altered by adding, changing, or deleting one or more characters).

Facebook’s Libra – The Fed has “serious concerns” about Libra and warns that their process to address these concerns will not be a sprint

Speaking like “a normal human being”, Fed Chairman Powell says Libra raises “many serious concerns regarding privacy, money laundering, consumer protection, and financial stability.”

For comments on the Libra White Paper, see RTC Article on Libra White Paper

On July 10, 2019, Federal Reserve Chairman Jerome Powell appeared before the House Financial Services Committee for his semi-annual report to Congress. Although his prepared remarks and opening statement did not touch on Facebook’s Libra, Committee Chair Maxine Waters (D. CA) opening question was on Libra and Facebook’s Calibra wallet and her concerns about both (as expressed in the Committee’s July 2nd letter to Mark Zuckerberg, Facebook COO Sheryl Sandberg, and Calibra CEO David Marcus). The question and Chairman Powell’s answer are at the 20-minute mark of the CSPAN video ( Congressional Video ). The Chairman’s answer:

“We do support responsible innovation in the financial services industry as long as the associated risks are appropriately identified and managed. And as we’ll discuss, while the project sponsors hold out the possibility of public benefits, including improved financial access by consumers, Libra raises many serious concerns regarding privacy, money laundering, consumer protection, and financial stability. These are concerns that should be thoroughly and publicly addressed before proceeding. And that’s why at the Fed we’ve set up a working group to focus on this set of issues. We are coordinating with our colleagues in the government in the United States, the regulatory agencies and Treasury; we’re coordinating with central banks and governments around the world to look into this. I’ll just add that the process in addressing these concerns, we think, should be a patient and careful one, and not a sprint to implementation.”

Chairman Powell’s language is particularly interesting. He sees “a possibility of public benefits” but he appears to have no doubt that Libra raises “many serious concerns regarding privacy, money laundering, consumer protection, and financial stability.” He is also telling Facebook and the Libra/Caibra project sponsors that regulatory approval will be at the regulators’ pace (“patient and careful”), not the usual fintech pace (“a sprint to implementation”).

And I echo Ranking Member McHenry’s statement that Chairman Powell’s “candor is welcome and encouraged, and we thank you for attempting to speak like a normal human being …”. I have followed four Federal Reserve chairs (Greenspan, Bernanke, Yellen, and Powell), and have found that Chairman Powell is the only one of the four that I could consistently understand! In fact, Alan Greenspan’s infamous line – “Since becoming a central banker, I have learned to mumble with great incoherence. If I seem unduly clear to you, you must have misunderstood what I said” – seems to have been the modus operandi of his successors, also … except for Chairman Powell.

FATF Terrorist Financing Risk Assessment Guidance

Is the United States a jurisdiction with no or very few known (or suspected) terrorism or TF cases?

The Financial Action Task Force (FATF) released its Terrorist Financing Risk Assessment Guidance on July 5, 2019. It is available at FATF TF Guidance

As FATF notes in its introduction of the Report …

The FATF requires each country to identify, assess and understand the terrorist financing risks it faces in order to mitigate them and effectively dismantle and disrupt terrorist networks. Countries often face particular challenges in assessing terrorist financing risks due to the low value of funds or other assets used in many instances, and the wide variety of sectors misused for the purpose of financing terrorism.

This guidance aims to assist practitioners, and particularly those in lower capacity countries, in assessing terrorist financing risk at the jurisdiction level by providing good approaches, relevant information sources and practical examples based on country experience.

This report builds on the 2013 FATF guidance on national money laundering and terrorist financing risk assessments, and draws on inputs from over 35 jurisdictions from across the FATF Global Network on their extensive experience and lessons learnt in assessing terrorist financing risk. Recognising that there is no one-size-fits all approach when assessing terrorist financing risk, this guidance provides relevant information sources and considerations for different country contexts.

The report addresses:

    • Key considerations when determining the relevant scope and governance of a terrorist financing risk assessment, and practical examples to overcome information sharing challenges related to terrorism and its financing.
    • Examples of information sources when identifying terrorist financing threats and vulnerabilities, and considerations for specific country contexts (e.g. financial and trade centres, lower capacity jurisdictions, jurisdictions bordering a conflict zone etc.).
    • Relevant information sources for practitioners when identifying cross-border terrorist financing risks but also terrorist financing risks within the banking and money or value transfer sectors, and facing those non-profit organisations that fall within the FATF definition.
    • Good approaches for maintaining an up-to-date assessment of risk, and areas for further focus going forward.

The report includes an interesting discussion around “considerations for jurisdictions with no or very few known (or suspected) terrorism or TF cases”. It provides:

34. It is important that countries assess and continue to monitor their TF risks regardless of the absence of known threats. The absence of known or suspected terrorism and TF cases does not necessarily mean that a jurisdiction has a low TF risk. In particular, the absence of cases does not eliminate the potential for funds or other assets to be raised and used domestically (for a purpose other than terrorist attack) or to be transferred abroad. Jurisdictions without TF and terrorism cases will still need to consider the likelihood of terrorist funds being raised domestically (including through willing or defrauded donors), the likelihood of transfer of funds and other assets through, or out of, the country in support of terrorism, and the use of funds for reasons other than a domestic terrorist attack.”

The United States – What Does the SAR Data Show About Terrorist Financing Cases?

The FATF Report includes a list (in Annex A) of the fifty-six countries that have money laundering/terrorist financing, or stand-alone (in the case of nine of the fifty-six) terrorist financing risk assessments. The US is one of those nine, with a 2015 and 2018 national terrorist financing risk assessment. The 2018 assessment (available at US 2018 Terrorist Financing Risk Assessment) notes that depository institutions and money services businesses (MSBs) filed approximately 33% and 58%, respectively, of the 6,000 SARs filed for terrorist financing in 2015, 2016, and 2017 (see pages 16 and 18). The US report notes that these numbers come from the FinCEN SAR data, available at https://www.fincen.gov/reports/sar-stats. Looking at that data reveals the following:

6,131 – Total number of SARs filed with suspicious activity category of “Terrorist Financing” in filing years 2015 through 2017

2,188 – Depository Institutions

3,446 – Money Services Businesses (MSBs)

   288 – Other

    137 – Casinos

      51 – Securities/Futures

      21 – All Other Listed Filers (Insurance, Card Clubs, Loan/Finance Companies)

Using the FinCEN data, it appears that for the three year period indicated, depository institutions (approximately 11,000 banks and credit unions) filed 35.7% of the terrorist financing SARs, and MSBs filed 56.2% of the terrorist financing SARs. Looking at all (available) years’ filings – 2012 through Q1 2019 – depository institutions did, in fact, file 33% (33.4%) of the terrorist financing SARs and MSBs filed 58% (58.6%) of the terrorist financing SARs.

But the 6,131 terrorist financing SARs filed in 2015 through 2017 made up only 0.1% of the total number of SARs filed in that period – 5,822,709. Does this make the United States one of those “jurisdictions with no or very few known (or suspected) terrorism or TF cases”? Regardless, as the FATF notes, “the absence of known or suspected terrorism and TF cases does not necessarily mean that a jurisdiction has a low TF risk. In particular, the absence of cases not not eliminate the potential for funds or other assets to be raised and used domestically for a purpose other than a terrorist attack or to be transferred abroad.” 

FinCEN Updates its Marijuana SAR Data… but Actionable Information is Still Needed!

I previously wrote about the FinCEN quarterly Marijuana Banking Report in an article published August 26, 2018: August 26, 2018 Article

The FinCEN Report is available at FinCEN Marijuana Banking Report.

FinCEN appears to be doing its best with the limited resources that the Administration has allocated and Congress has provided. If properly resourced with the needed technology, capability, and staffing resources, I expect that FinCEN could do much more with the valuable information that the 633 depository institutions are providing through the 81,725 marijuana-related SARs they have filed over the last 5 years.  Here’s hoping that the Administration and Congress step up.

Until those resources are deployed, it appears that the public will continue to receive some good data through the quarterly Marijuana Banking Reports, but not much usable information.  The raw data that was provided indicates that since the FinCEN Guidance introduced the “marijuana-related SAR” concept in February 2014, 493 banks and 140 credit unions have filed one or more of the three types of marijuana-related SARs. Leaving aside what constitutes each of the three types of marijuana-related SARs (the quarterly Marijuana Report doesn’t accurately describe the three types, as I discuss below), FinCEN reports that 81,725 marijuana-related SARs have been filed since Q2 2014. That is good data, but it would be useful information if, for example, that number was compared to the total number of SARs filed by depository institutions in the same period of time (according to FinCEN’s SAR data, that is 4,653,076 SARs) so that we would know that marijuana-related SARs make up 1.76% of all depository institution SARs and are being filed by about 5% of all depository institutions. Other examples of useful and useable (actionable) information include:

Actionable Information

  1. The size and locations of the banks and credit unions filing the marijuana SARs
  2. The locations of the Marijuana Related Businesses (MRBs)
  3. Whether the activity involves medicinal/medical or recreational/adult-use MRBs
  4. The types of MRBs: growers/cultivators, producers, manufacturers, distributors, testing labs, retailers, dispensaries
  5. How many MRBs are being reported and why
  6. Whether the MRBs are part of larger, national (or even international) companies that are coming to dominate the US cannabis industry.
  7. The types of marijuana-related SARs the banks and credit unions are filing: for example, how many banks are only filing Marijuana-Termination SARs, how many of the Marijuana-Limited SARs are 90-day follow-ups rather than net new customers.
  8. Quarter-over-quarter and year-over-year trends: e.g., from Q4 2018 to Q1 2019, the total number of marijuana-related SARs is up 12% but Marijuana Termination SARs are up 14% … what is FinCEN seeing in those filings that could be useful for depository institutions considering whether to provide banking services to MRBs?
  9. There are ten times as many Marijuana Limited SARs (61,036) as there are Marijuana Priority SARs (6,067), and three times as many Marijuana Limited SARs as Marijuana Termination SARs (19,368): why is that? How many of the Marijuana Limited SARs are “continuing activity” SARs (where FinCEN has instructed financial institutions to file a marijuana-related SAR every 90 days regardless of the nature of the activity)?
  10. Whether, and to what extent, the voluntary information sharing provisions of 314(b) and 31 CFR 101.540 are being used by these institutions?

Banks and Credit Unions Aren’t the Only SAR Filers, and What About Marijuana-related CTRs?

There are two other limitations on the Marijuana Banking Report that stand out to me.

First, the Report is limited to banks and credit unions, which, for FinCEN’s reporting purposes, are collectively “Depository Institutions”. Overall, Depository Institutions filed about 45% of all SARs in 2018: MSBs filed 40%, casinos filed about 2.5%, Broker/Dealers filed about 1.2%, and “Other” filed about 11%. It would be instructive to know what other reporting entities are filing marijuana-related SARs.

Second, the original FinCEN Guidance also referred to the two primary large cash transaction reports: CTRs for financial institutions and Form 8300s for non-financial trades and businesses. It would be instructive to know how many of these reports are filed on known marijuana related businesses (linkages between SAR data and CTR/Form 8300 data can be made by TIN or other identifiers on conductors and beneficiaries of the cash transactions).

The Quarterly Marijuana Banking Reports Misstate the 2014 Guidance

In addition, FinCEN should consider “cleaning up” the report. I re-offer (having originally offered in August 2018) four suggestions.

First, when describing the three marijuana SAR categories (Limited, Priority, and Termination), FinCEN refers to Cole Memo “red flags” … but none of the three Cole Memos (or the Ogden Memo) have any “red flags”. The red flags are actually set out in the FinCEN guidance – and there are 23 red flags to consider – and that original guidance correctly refers to the Cole Memo “priorities” when describing the three marijuana SAR types.  Although some may quibble with my distinction, the term “red flags” is a red flag for banking auditors and regulators … the Cole Memo has priorities, the FinCEN guidance has red flags.

Second, footnote 1 of this Report describes when to use each of the three marijuana SAR types. For the marijuana “Termination” SAR, FinCEN indicates that it is to be used when the financial institution has decided to terminate its relationship with the MRB because (1) the financial institution “has decided not to have marijuana related customers for business reasons” or (2) the MRB is not fully compliant with the appropriate state’s marijuana regulations, or (3) the MRB raises one or more of the Cole Memo red flags. (Note the use of the alternative “or”). This language is different than the 2014 guidance, which has nothing about deciding not to have marijuana related customers for business reasons.  I would like to see FinCEN provide the industry with guidance for not only exiting MRBs, but also about simply not providing banking services to marijuana related customers for business/risk reasons.  It is clearly needed if less than 650 of more than 11,000 banks and credit unions are knowingly or unknowingly providing banking services to MRBs.

Third, there is nothing in the 2014 guidance, nor in the FinCEN Marijuana Banking report, that defines a “marijuana related business”.  It is certainly implied that to be an MRB requires being subject to state marijuana regulations, but clear guidance would be helpful. Also, there are many businesses that do not have to be licensed and are not governed by state marijuana regulations, but are indirectly dealing with MRBs. Footnote 7 of the 2014 guidance referred to indirect services (“a financial institution could be providing services to a non-financial customer that provides goods or services to a marijuana-related business (e.g., a commercial landlord that leases property to a marijuana-related business). In such circumstances where services are being provided indirectly, the financial institution may file SARs based on existing regulations and guidance without distinguishing between “Marijuana Limited” and “Marijuana Priority.”): but it did not differentiate between (what I’ll call) Direct MRBs (those that are required to be licensed under state marijuana regulations) and Indirect MRBs (those that capital, services, products, property to Direct MRBs).

Finally, the Marijuana Banking Report describes the marijuana Limited-Priority-Termination SAR categories as “three phases for describing a financial institution’s relationship to marijuana-related businesses.” That isn’t accurate: there is not a progression or phasing of these categories, and the original 2014 guidance didn’t describe them that way. A bank or credit union (or any filer) doesn’t have to start with a Limited SAR, then progress to a Priority SAR, then end with a Termination SAR: they are three distinct SARs, dependent on the circumstances of each case.

The Marijuana Data Is Good, But Actionable Information Would Be Better!

 

 

A Contempt Fine of $50,000 a Day for “Stashing Documents” But Not Producing Them

Three Chinese “multi-billion dollar banks disregarding an order to produce records or a witness essential to an investigation into a state-sponsor of terrorism’s proliferation of nuclear weapons” are hit with a fine of $50,000 for every day they refuse to comply, concluded Federal District Court Justice Beryl A. Howell in a May 15, 2019 Opinion that was only recently unsealed. Judge Howell noted that “Bank Three’s stashing documents somewhere in its facilities is not responsible to the subpoena.”

In story published June 24th – Link – the Washington Post identified the three Chinese banks as Bank of Communications, China Merchant’s Bank, and Shanghai Pudong Development Bank. This writer offers no comment on the accuracy of the Post’s claims.

This will be an interesting case, or series of cases, to follow. Titles 18 and 50 are impacted and US/Chinese relations could be impacted.

 

The original (March 18, 2019) Order is available on PACER at March 18 Order to Compel

The May 15th Order is available on PACER at May 15 Contempt Order

Libra Decentralized Blockchain and Cryptocurrency … and Digital Identity?

Facebook, PayPal, Visa, Lyft, Uber et al are launching “Libra” … and a global digital identity?

The Libra Association wants to give billions of people access to financial services through their new decentralized blockchain, Libra. And a prerequisite of this goal of financial inclusion is (apparently) the creation of an open identity standard: a decentralized and portable digital identity, or global digital identity. I found it interesting that they only mention this need for a global ID in passing and buried on the ninth page.

Below is the text of the Libra White Paper with my embedded comments. The link to the White Paper is Libra White Paper

Title: White Paper From the Libra Association Members – An Introduction to Libra

Libra’s mission is to enable a simple global currency and financial infrastructure that empowers billions of people.

This document outlines our plans for a new decentralized blockchain, a low-volatility cryptocurrency, and a smart contract platform that together aim to create a new opportunity for responsible financial services innovation.

Problem Statement

The advent of the internet and mobile broadband has empowered billions of people globally to have access to the world’s knowledge and information, high-fidelity communications, and a wide range of lower-cost, more convenient services. These services are now accessible using a $40 smartphone from almost anywhere in the world.1 This connectivity has driven economic empowerment by enabling more people to access the financial ecosystem. Working together, technology companies and financial institutions have also found solutions to help increase economic empowerment around the world. Despite this progress, large swaths of the world’s population are still left behind — 1.7 billion adults globally remain outside of the financial system with no access to a traditional bank, even though one billion have a mobile phone and nearly half a billion have internet access.2

JRR Comment: The Libra Association’s Founding Members (which include PayPal, Stripe, Visa, eBay, Facebook, Lyft, and Uber) begin with a positioning statement: the problem – notwithstanding the technology innovations of the last decade, billions of people have been left behind – is one that few can argue with. And it deserves a noble solution – Libra. The nobility of their solution is set out in the “Opportunity” paragraph, below.

For too many, parts of the financial system look like telecommunication networks pre-internet. Twenty years ago, the average price to send a text message in Europe was 16 cents per message.3 Now everyone with a smartphone can communicate across the world for free with a basic data plan. Back then, telecommunications prices were high but uniform, whereas today, access to financial services is limited or restricted for those who need it most — those impacted by cost, reliability, and the ability to seamlessly send money.

All over the world, people with less money pay more for financial services. Hard-earned income is eroded by fees, from remittances and wire costs to overdraft and ATM charges. Payday loans can charge annualized interest rates of 400 percent or more, and finance charges can be as high as $30 just to borrow $100.4 When people are asked why they remain on the fringe of the existing financial system, those who remain “unbanked” point to not having sufficient funds, high and unpredictable fees, banks being too far away, and lacking the necessary documentation.5

Blockchains and cryptocurrencies have a number of unique properties that can potentially address some of the problems of accessibility and trustworthiness. These include distributed governance, which ensures that no single entity controls the network; open access, which allows anybody with an internet connection to participate; and security through cryptography, which protects the integrity of funds.

JRR Comment: Having established the two problems to overcome – accessibility to, and trustworthiness of, the mainstream financial system – the Founding Members have set out the three main attributes needed to overcome those problems. Those attributes are (i) distributed governance, (ii) open access, and (iii) security through cryptography. But those are the same three attributes that existing blockchain systems have, and those existing blockchain systems haven’t solved those two problems. So they continue their pitch in the next paragraph …

But the existing blockchain systems have yet to reach mainstream adoption. Mass-market usage of existing blockchains and cryptocurrencies has been hindered by their volatility and lack of scalability, which have, so far, made them poor stores of value and mediums of exchange. Some projects have also aimed to disrupt the existing system and bypass regulation as opposed to innovating on compliance and regulatory fronts to improve the effectiveness of anti-money laundering. We believe that collaborating and innovating with the financial sector, including regulators and experts across a variety of industries, is the only way to ensure that a sustainable, secure, and trusted framework underpins this new system. And this approach can deliver a giant leap forward toward a lower-cost, more accessible, and more connected global financial system.

JRR Comment: Here is where the Founding Members lay out why existing blockchain systems haven’t addressed the problems of accessibility and trustworthiness: volatility, lack of scalability, and ignoring mainstream regulatory protections. So between these two paragraphs that have three solutions and three problems, the Founding Members have assembled the six attributes of Libra: distributed governance, open access, security through cryptography, stability, scalability, and adoption of mainstream regulatory protections.

What they don’t include here – but bring up for the first time on page 9 of the original paper – is (perhaps) a seventh attribute of Libra. The Libra Association wants to create an open identity standard: a decentralized and portable digital identity, which they describe as a prerequisite to overcoming the problem they are trying to solve – financial inclusion.

The Opportunity

As we embark on this journey together, we think it is important to share our beliefs to align the community and ecosystem we intend to spark around this initiative:

  • We believe that many more people should have access to financial services and to cheap capital.
  • We believe that people have an inherent right to control the fruit of their legal labor.
  • We believe that global, open, instant, and low-cost movement of money will create immense economic opportunity and more commerce across the world.
  • We believe that people will increasingly trust decentralized forms of governance.
  • We believe that a global currency and financial infrastructure should be designed and governed as a public good.
  • We believe that we all have a responsibility to help advance financial inclusion, support ethical actors, and continuously uphold the integrity of the ecosystem.

JRR Comment: This is good marketing. It begins with “as we embark on this journey together” and continues with six bullets beginning with “we believe” instead of “it is our position that …”.

Introducing Libra

The world truly needs a reliable digital currency and infrastructure that together can deliver on the promise of “the internet of money.”

JRR Comment: Does the world truly need a digital currency and infrastructure? And what is “the internet of money”? Again, this is a great marketing document.

Securing your financial assets on your mobile device should be simple and intuitive. Moving money around globally should be as easy and cost-effective as — and even more safe and secure than — sending a text message or sharing a photo, no matter where you live, what you do, or how much you earn. New product innovation and additional entrants to the ecosystem will enable the lowering of barriers to access and cost of capital for everyone and facilitate frictionless payments for more people.

Now is the time to create a new kind of digital currency built on the foundation of blockchain technology. The mission for Libra is a simple global currency and financial infrastructure that empowers billions of people. Libra is made up of three parts that will work together to create a more inclusive financial system:

  1. It is built on a secure, scalable, and reliable blockchain;
  2. It is backed by a reserve of assets designed to give it intrinsic value;
  3. It is governed by the independent Libra Association tasked with evolving the ecosystem.

The Libra currency is built on the “Libra Blockchain.” Because it is intended to address a global audience, the software that implements the Libra Blockchain is open source — designed so that anyone can build on it, and billions of people can depend on it for their financial needs. Imagine an open, interoperable ecosystem of financial services that developers and organizations will build to help people and businesses hold and transfer Libra for everyday use. With the proliferation of smartphones and wireless data, increasingly more people will be online and able to access Libra through these new services. To enable the Libra ecosystem to achieve this vision over time, the blockchain has been built from the ground up to prioritize scalability, security, efficiency in storage and throughput, and future adaptability. Keep reading for an overview of the Libra Blockchain, or read the technical paper. [the 29-page technical paper is available at  https://developers.libra.org/docs/assets/papers/the-libra-blockchain.pdf]

JRR Comment: The technical paper is the key. So far, all of this is simply puffery and marketing.

The unit of currency is called “Libra.” Libra will need to be accepted in many places and easy to access for those who want to use it. In other words, people need to have confidence that they can use Libra and that its value will remain relatively stable over time. Unlike the majority of cryptocurrencies, Libra is fully backed by a reserve of real assets. A basket of bank deposits and short-term government securities will be held in the Libra Reserve for every Libra that is created, building trust in its intrinsic value. The Libra Reserve will be administered with the objective of preserving the value of Libra over time. Keep reading for an overview of Libra and the reserve, or read more here.

JRR Comment: Although Google isn’t a Founding Member of the Libra Association, you might want to Google “stable coins”. A crypto or virtual currency tied to a fiat currency (i.e., the US dollar or Euro), is known as a “stable coin” to distinguish it from the unstable crypto currencies that drift and move through un- and under-regulated, or regulated and un- or under-supervised hype, hubris, and FOMO.

The Libra Association is an independent, not-for-profit membership organization headquartered in Geneva, Switzerland.

The association’s purpose is to coordinate and provide a framework for governance for the network and reserve and lead social impact grant-making in support of financial inclusion. This white paper is a reflection of its mission, vision, and purview. The association’s membership is formed from the network of validator nodes that operate the Libra Blockchain.

JRR Comment: On May 6, 2019, Facebook Global Holdings II, LLC registered Libra Networks in Geneva, Switzerland. The English translation of the “purpose” statement was “Provision of services in the fields of finance and technology, as well as the development and production of software and related infrastructure, in particular in connection with investment activities, the operation of payments, financing, identity management, data analysis, big data, blockchain and other technologies (see states for full purpose).” There was no mention of social impact grant-making.

Members of the Libra Association will consist of geographically distributed and diverse businesses, nonprofit and multilateral organizations, and academic institutions. The initial group of organizations that will work together on finalizing the association’s charter and become “Founding Members” upon its completion are, by industry:

JRR Comment: Notice that this paragraph speaks to the future membership of the Libra Association as including nonprofits, multilateral organizations, and academic organizations. But the current members include the planet’s biggest payments, ride-sharing, telecom companies, and venture capitalists. 

  • Payments: Mastercard, PayPal, PayU (Naspers’ fintech arm), Stripe, Visa
  • Technology and marketplaces: Booking Holdings, eBay, Facebook/Calibra, Farfetch, Lyft, Mercado Pago, Spotify AB, Uber Technologies, Inc.
  • Telecommunications: Iliad, Vodafone Group
  • Blockchain: Anchorage, Bison Trails, Coinbase, Inc., Xapo Holdings Limited
  • Venture Capital: Andreessen Horowitz, Breakthrough Initiatives, Ribbit Capital, Thrive Capital, Union Square Ventures
  • Nonprofit and multilateral organizations, and academic institutions: Creative Destruction Lab, Kiva, Mercy Corps, Women’s World Banking

We hope to have approximately 100 members of the Libra Association by the target launch in the first half of 2020.

Facebook teams played a key role in the creation of the Libra Association and the Libra Blockchain, working with the other Founding Members. While final decision-making authority rests with the association, Facebook is expected to maintain a leadership role through 2019. Facebook created Calibra, a regulated subsidiary, to ensure separation between social and financial data and to build and operate services on its behalf on top of the Libra network.

Once the Libra network launches, Facebook, and its affiliates, will have the same commitments, privileges, and financial obligations as any other Founding Member. As one member among many, Facebook’s role in governance of the association will be equal to that of its peers.

JRR Comment: This suggests that the twenty-seven Founding Members will have different commitments, privileges, and financial obligations than the next (approximately) seventy-three other members. We do know from a paragraph below that one of those privileges is that the members of the Libra Association are going to receive dividends for providing capital to “jumpstart the ecosystem”.

Blockchains are described as either permissioned or permissionless in relation to the ability to participate as a validator node. In a “permissioned blockchain,” access is granted to run a validator node. In a “permissionless blockchain,” anyone who meets the technical requirements can run a validator node. In that sense, Libra will start as a permissioned blockchain.

To ensure that Libra is truly open and always operates in the best interest of its users, our ambition is for the Libra network to become permissionless. The challenge is that as of today we do not believe that there is a proven solution that can deliver the scale, stability, and security needed to support billions of people and transactions across the globe through a permissionless network.

JRR Comment: This is a key statement. Bitcoin is a permissionless blockchain: anyone or any entity can participate as a “validator node”. But as the Founding Members note, permissionless blockchains like Bitcoin are not scalable, stable, nor secure, so Libra will launch as a permissioned blockchain, with the direction and promise that it will consider going permissionless … if the problems of scalability, stability, and security of a permissionless system can be overcome.

One of the association’s directives will be to work with the community to research and implement this transition, which will begin within five years of the public launch of the Libra Blockchain and ecosystem.

Essential to the spirit of Libra, in both its permissioned and permissionless state, the Libra Blockchain will be open to everyone: any consumer, developer, or business can use the Libra network, build products on top of it, and add value through their services. Open access ensures low barriers to entry and innovation and encourages healthy competition that benefits consumers. This is foundational to the goal of building more inclusive financial options for the world.

JRR Comment: “Open to everyone” could be the sales pitch of the current mainstream financial sector, where with APIs, any consumer, developer, or business – fettered somewhat by regulators’ insistence that the financial sector have some rules of the road – can access and use the financial system.

The goal of the Libra Blockchain is to serve as a solid foundation for financial services, including a new global currency, which could meet the daily financial needs of billions of people. Through the process of evaluating existing options, we decided to build a new blockchain based on these three requirements:

  • Able to scale to billions of accounts, which requires high transaction throughput, low latency, and an efficient, high-capacity storage system.
  • Highly secure, to ensure safety of funds and financial data.
  • Flexible, so it can power the Libra ecosystem’s governance as well as future innovation in financial services.

The Libra Blockchain is designed from the ground up to holistically address these requirements and build on the learnings from existing projects and research — a combination of innovative approaches and well understood techniques. This next section will highlight three decisions regarding the Libra Blockchain:

  1. Designing and using the Move programming language.
  2. Using a Byzantine Fault Tolerant (BFT) consensus approach.
  3. Adopting and iterating on widely adopted blockchain data structures.

JRR Comment: Here is where the Founding Members will lose 99% of their readers. The following paragraphs on a new programming language, a play on the age-old Byzantine General’s Problem (once again, Google it), pseudonymity, and the LibraBFT consensus protocol, will be lost on most readers.

“Move” is a new programming language for implementing custom transaction logic and “smart contracts” on the Libra Blockchain. Because of Libra’s goal to one day serve billions of people, Move is designed with safety and security as the highest priorities. Move takes insights from security incidents that have happened with smart contracts to date and creates a language that makes it inherently easier to write code that fulfills the author’s intent, thereby lessening the risk of unintended bugs or security incidents. Specifically, Move is designed to prevent assets from being cloned. It enables “resource types” that constrain digital assets to the same properties as physical assets: a resource has a single owner, it can only be spent once, and the creation of new resources is restricted. The Move language also facilitates automatic proofs that transactions satisfy certain properties, such as payment transactions only changing the account balances of the payer and receiver. By prioritizing these features, Move will help keep the Libra Blockchain secure. By making the development of critical transaction code easier, Move enables the secure implementation of the Libra ecosystem’s governance policies, such as the management of the Libra currency and the network of validator nodes. Move will accelerate the evolution of the Libra Blockchain protocol and any financial innovations built on top of it. We anticipate that the ability for developers to create contracts will be opened up over time in order to support the evolution and validation of Move.

JRR Comment: I’ve read the technical paper once, and didn’t fully understand it (and never will). But it appears that Move appears focused on, or at least addresses, smart contracts perhaps more elegantly than other blockchain-based applications.

To facilitate agreement among all validator nodes on the transactions to be executed and the order in which they are executed, the Libra Blockchain adopted the BFT approach by using the LibraBFT consensus protocol. This approach builds trust in the network because BFT consensus protocols are designed to function correctly even if some validator nodes — up to one-third of the network — are compromised or fail. This class of consensus protocols also enables high transaction throughput, low latency, and a more energy-efficient approach to consensus than “proof of work” used in some other blockchains.

In order to securely store transactions, data on the Libra Blockchain is protected by Merkle trees, a data structure used by other blockchains that enables the detection of any changes to existing data. Unlike previous blockchains, which view the blockchain as a collection of blocks of transactions, the Libra Blockchain is a single data structure that records the history of transactions and states over time. This implementation simplifies the work of applications accessing the blockchain, allowing them to read any data from any point in time and verify the integrity of that data using a unified framework.

The Libra Blockchain is pseudonymous and allows users to hold one or more addresses that are not linked to their real-world identity. This approach is familiar to many users, developers, and regulators. The Libra Association will oversee the evolution of the Libra Blockchain protocol and network, and it will continue to evaluate new techniques that enhance privacy in the blockchain while considering concerns of practicality, scalability, and regulatory impact.

JRR Comment: First, note that those using various blockchains to conduct transactions are not anonymous at all – their names are masked (like a pseudonym), but traceable (therefore, pseudonymous). Transactors are very trackable and the immutability of the blockchain makes those tracks permanent.

For more details, read the technical paper on the Libra Blockchain. Detailed information is also available on the Move programming language and the LibraBFT consensus protocol. We’ve open sourced an early preview of the Libra testnet, with accompanying documentation. The testnet is still under development, and APIs are subject to change. Our commitment is to work in the open with the community and hope you will read, build, and provide feedback.

The Libra Currency and Reserve

We believe that the world needs a global, digitally native currency that brings together the attributes of the world’s best currencies: stability, low inflation, wide global acceptance, and fungibility. The Libra currency is designed to help with these global needs, aiming to expand how money works for more people around the world.

Libra is designed to be a stable digital cryptocurrency that will be fully backed by a reserve of real assets — the Libra Reserve — and supported by a competitive network of exchanges buying and selling Libra. That means anyone with Libra has a high degree of assurance they can convert their digital currency into local fiat currency based on an exchange rate, just like exchanging one currency for another when traveling.

JRR Comment: Note what the Founding Members are not writing. The term “such as”, and the descriptors “stable” and “reputable” are little more than suggestions. They are not writing that Libra will be backed by Federal Reserve bank deposits and short-term US- and UK-government currencies. And, who is going to hold these guarantees? See below …

This approach is similar to how other currencies were introduced in the past: to help instill trust in a new currency and gain widespread adoption during its infancy, it was guaranteed that a country’s notes could be traded in for real assets, such as gold. Instead of backing Libra with gold, though, it will be backed by a collection of low-volatility assets, such as bank deposits and short-term government securities in currencies from stable and reputable central banks.

It is important to highlight that this means one Libra will not always be able to convert into the same amount of a given local currency (i.e., Libra is not a “peg” to a single currency). Rather, as the value of the underlying assets moves, the value of one Libra in any local currency may fluctuate. However, the reserve assets are being chosen to minimize volatility, so holders of Libra can trust the currency’s ability to preserve value over time.

The assets in the Libra Reserve will be held by a geographically distributed network of custodians with investment-grade credit rating to provide both security and decentralization of the assets. The assets behind Libra are the major difference between it and many existing cryptocurrencies that lack such intrinsic value and hence have prices that fluctuate significantly based on expectations.

JRR Comment: Just as we don’t know what “low-volatility assets” are backing Libra, we don’t who will be holding those assets.

Libra is indeed a cryptocurrency, though, and by virtue of that, it inherits several attractive properties of these new digital currencies: the ability to send money quickly, the security of cryptography, and the freedom to easily transmit funds across borders. Just as people can use their phones to message friends anywhere in the world today, with Libra, the same can be done with money — instantly, securely, and at low cost.

JRR Comment: Let’s see how instant and cheap it is to quickly send money once 200+ countries’ regulatory bodies apply their regulatory standards.

Interest on the reserve assets will be used to cover the costs of the system, ensure low transaction fees, pay dividends to investors who provided capital to jumpstart the ecosystem (read “The Libra Association” here), and support further growth and adoption. The rules for allocating interest on the reserve will be set in advance and will be overseen by the Libra Association. Users of Libra do not receive a return from the reserve. For more on the reserve policy and the details of the Libra currency, please read here.

The Libra Association

To make the mission of Libra a reality — a simple global currency and financial infrastructure that empowers billions of people — the Libra Blockchain and Libra Reserve need a governing entity that is comprised of diverse and independent members. This governing entity is the Libra Association, an independent, not-for-profit membership organization, headquartered in Geneva, Switzerland.

JRR Comment: So the investors who provided capital to jumpstart the Libra ecosystem, described as “the Libra Association”, will receive dividends from the interest on the reserve assets. And the Libra Association is a not-for-profit membership organization. Lawyers will need to figure this out because I can’t: receiving dividends sounds like for-profit to me …

Switzerland has a history of global neutrality and openness to blockchain technology, and the association strives to be a neutral, international institution, hence the choice to be registered there. The association is designed to facilitate the operation of the Libra Blockchain; to coordinate the agreement among its stakeholders — the network’s validator nodes — in their pursuit to promote, develop, and expand the network, and to manage the reserve.

The association is governed by the Libra Association Council, which is comprised of one representative per validator node. Together, they make decisions on the governance of the network and reserve. Initially, this group consists of the Founding Members: businesses, nonprofit and multilateral organizations, and academic institutions from around the world.

JRR Comment: I didn’t see any academic institutions listed as Founding Members.

All decisions are brought to the council, and major policy or technical decisions require the consent of two-thirds of the votes, the same supermajority of the network required in the BFT consensus protocol.

Through the association, the validator nodes align on the network’s technical roadmap and development goals. In that sense, it is similar to other not-for-profit entities, often in the form of foundations, which govern open-source projects. As Libra relies on a growing distributed community of open-source contributors to further itself, the association is a necessary vehicle to establish guidance as to which protocols or specifications to develop and to adopt. The Libra Association also serves as the entity through which the Libra Reserve is managed, and hence the stability and growth of the Libra economy are achieved. The association is the only party able to create (mint) and destroy (burn) Libra. Coins are only minted when authorized resellers have purchased those coins from the association with fiat assets to fully back the new coins. Coins are only burned when the authorized resellers sell Libra coin to the association in exchange for the underlying assets. Since authorized resellers will always be able to sell Libra coins to the reserve at a price equal to the value of the basket, the Libra Reserve acts as a “buyer of last resort.” These activities of the association are governed and constrained by a Reserve Management Policy that can only be changed by a supermajority of the association members.

JRR Comment: Here is another difference with Bitcoin: the ability to destroy (burn) Libra. This reads a lot like what a central bank does in controlling the money supply. And it will be interesting to see how regulators across the globe classify and regulate the Libra Association.

In these early years of the network, there are additional roles that need to be performed on behalf of the association: the recruitment of Founding Members to serve as validator nodes; the fundraising to jumpstart the ecosystem; the design and implementation of incentive programs to propel the adoption of Libra, including the distribution of such incentives to Founding Members; and the establishment of the association’s social impact grant-making program.

An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition.

JRR Comment: This appears on page 9 of the original paper. This is a big deal. The Libra Association wants to create an open identity standard: a decentralized and portable digital identity. It is odd that they didn’t write in the opening paragraphs that a prerequisite of financial inclusion – the singular problem that they are trying to overcome with Libra – is a common, open, and decentralized digital identity.

An important objective of the Libra Association is to move toward increasing decentralization over time. This decentralization ensures that there are low barriers to entry for both building on and using the network and improves the Libra ecosystem’s resilience over the long term. As discussed above, the association will develop a path toward permissionless governance and consensus on the Libra network. The association’s objective will be to start this transition within five years, and in so doing will gradually reduce the reliance on the Founding Members. In the same spirit, the association aspires to minimize the reliance on itself as the administrator of the Libra Reserve.

For more on the Libra Association, please read here.

What’s Next for Libra?

Today we are publishing this document outlining our goals for Libra and launching libra.org as a home for the association and all things Libra. It will continue to be updated over the coming months. We are also opensourcing the code for the Libra Blockchain and launching Libra’s initial testnet for developers to experiment with and build upon.

There is much left to do before the target launch in the first half of 2020.

  • The Libra Blockchain: Over the coming months, the association will work with the community to gather feedback on the Libra Blockchain prototype and bring it to a production-ready state. In particular, this work will focus on ensuring the security, performance, and scalability of the protocol and implementation.
  • The Libra Association will construct well-documented APIs and libraries to enable users to interact with the Libra Blockchain.
  • The Libra Association will create a framework for the collaborative development of the technology behind the Libra Blockchain using the open-source methodology. Procedures will be created for discussing and reviewing changes to the protocol and software that support the blockchain.
  • The association will perform extensive testing of the blockchain, which range from tests of the protocol to constructing a full-scale test of the network in collaboration with entities such as wallet services and exchanges to ensure the system is working before launch.
  • The association will work to foster the development of the Move language and determine a path for third parties to create smart contracts once language development has stabilized — after the launch of the Libra ecosystem.

Together with the community, the association will research the technological challenges on the path to a permissionless ecosystem so that we can meet the objective to begin the transition within five years of the launch.

  • The Reserve:
  • The association will work to establish a geographically distributed and regulated group of global institutional custodians for the reserve.
  • The association will establish operational procedures for the reserve to interact with authorized resellers and ensure high-transparency and auditability.
  • The association will establish policies and procedures that establish how the association can change the composition of the reserve basket.
  • The Libra Association:
  • We will work to grow the Libra Association Council to around 100 geographically distributed and diverse members, all serving as the initial validator nodes of the Libra Blockchain.
  • The association will develop and adopt a comprehensive charter and set of bylaws for the association on the basis of the currently proposed governance structure.
  • We will recruit a Managing Director for the association and work with her/him to continue hiring for the association’s executive team.
  • We will identify social impact partners aligned with our joint mission and will work with them to establish a Social Impact Advisory Board and a social impact program.

The association envisions a vibrant ecosyste

How to Get Involved

m of developers building apps and services to spur the global use of Libra. The association defines success as enabling any person or business globally to have fair, affordable, and instant access to their money. For example, success will mean that a person working abroad has a fast and simple way to send money to family back home, and a college student can pay their rent as easily as they can buy a coffee.

Our journey is just beginning, and we are asking the community to help. If you believe in what Libra could do for billions of people around the world, share your perspective and join in. Your feedback is needed to make financial inclusion a reality for people everywhere.

  • If you are a researcher or protocol developer, an early preview of the Libra testnet is available under the Apache 2.0 Open Source License, with accompanying documentation. This is just the start of the process, and the testnet is still an early prototype under development, but you can read, build, and provide feedback right away. Since the current focus is on stabilizing the prototype, the project may initially be slower to take community contributions. However, we are committed to building a community-oriented development process and opening the platform to developers — starting with pull requests — as soon as possible.
  • If you want to learn about the Libra Association, read more here.
  • If your organization is interested in becoming a Founding Member or applying for social impact grants from the Libra Association, read more here. The association will work with the global community in the coming months and continue to partner with policymakers worldwide to further the mission.

Conclusion

This is the goal for Libra: A stable currency built on a secure and stable open-source blockchain, backed by a reserve of real assets, and governed by an independent association. Our hope is to create more access to better, cheaper, and open financial services — no matter who you are, where you live, what you do, or how much you have. We recognize that the road to delivering this will be long, arduous, and won’t be achieved in isolation — it will take coming together and forming a real movement around this pursuit. We hope you’ll join us and help turn this dream into a reality for billions of people around the world.

JRR Comment: Notwithstanding some of my comment, this is an exciting and positive development. Moving blockchain technology, whether permissioned or not, distributed or not, pegged cryptocurrency or not, out to known, accountable people from large companies, associations, nonprofits, and academic institutions has to be a good thing. Giddy up!

End Notes
1 Best Buy. “AT&T prepaid Alcatel CAMEOX device purchase.” Bestbuy.com. Available: https://www.bestbuy.com/site/at-t-prepaid-alcatel-cameox-4g-lte-with16gb-memory-cell-phone-arctic-white/6008102.p?skuId=6008102 (Accessed: May 15, 2019).
2 A. Demirgüç-Kunt, L. Klapper, D. Singer, S. Ansar, and J. Hess. The Global Findex database 2017: Measuring financial inclusion and the fintech revolution. World Bank Group, 2018. Accessed: May 15 2019. Globalfindex.worldbank.org. [Online]. Available: https://globalfindex.worldbank.org/sites/globalfindex/ files/2018-04/2017%20Findex%20full%20report_0.pdf
3 OECD. Mobile phones: Pricing structures and trends. Paris, France: OECD Publishing, 2000, p. 67. [Online]. Available: https://books.google.com/books?id=pcP84M_GBeoC&pg=PA6&lpg=PA6&dq=1999+price+SMS+europe&source=bl&ots=TIbwgZWCmj&sig=ACfU3U2Z_yRawxW78qVSVO_wHCtRupoqoA&hl=en&sa=X- &ved=2ahUKEwjOmeG9tMHiAhVVFzQIHU8eBEMQ6AEwD3oECAkQAQ#v=onepage&q=SMS&f=false
4 Consumer Federation of America. “How payday loans work.” Payday Loan Consumer Information. Available: https://paydayloaninfo.org/facts (Accessed: May 19, 2019).
5 A. Demirgüç-Kunt, L. Klapper, D. Singer, S. Ansar, and J. Hess. The Global Findex database 2017: Measuring financial inclusion and the fintech revolution. World Bank Group, 2018. Accessed: May 15 2019. Globalfindex.worldbank.org. [Online]. Available: https://globalfindex.worldbank.org/sites/globalfindex/ files/2018-04/2017%20Findex%20full%20report_0.pdf