Kiffmeister’s #Fintech Daily Digest (20220309)

Biden Issues Executive Order on Crypto and Digital Dollar

U.S. President Joe Biden signed an Executive Order outlining a whole-of-government approach to addressing the risks and harnessing the potential benefits of digital assets and their underlying technology. The Order lays out a national policy for digital assets across six key priorities: consumer and investor protection; financial stability; illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation. It directs federal agencies to coordinate efforts at drafting cryptocurrency regulations. It also directs the U.S. Treasury Department to draft a report on “the future of money and payment systems,” and asks agencies to evaluate how the U.S. could issue a central bank digital currency (CBDC) “should issuance be deemed in the national interest.” “The Order also encourages the Federal Reserve Board to continue its research, development, and assessment efforts for a U.S. CBDC, including development of a plan for broader U.S. Government action in support of their work. This effort prioritizes U.S. participation in multi-country experimentation, and ensures U.S. leadership internationally to promote CBDC development that is consistent with U.S. priorities and democratic values.” [Read more]

ECCB DCash Service Resumes

The Eastern Caribbean Central Bank (ECCB) announced that full functionality of the DCash CBDC platform has been restored effective March 9. It had been down since January 14, 2022. As part of the restoration, the platform now benefits from several upgrades, including an enhanced certificate management process and an updated version of the software which provides the foundation for the DCash system. Extensive testing and assurance exercises were conducted prior to restoration of the platform to ensure full functionality of the service in accordance with quality assurance specifications. [More here]

E-Purses & Offline CBDCs

Franklin Noll, who is a big fan of “smart banknotes,” is not so keen on stored-value devices (“E-Purses”) that hold and transfer digital currency via NFC and do not require internet or outside electricity. He trots out various problems with E-Purses, all with little to no substantiation. He claims that E-Purses are expensive, costing at least $1 each if produced in the millions of units. He questions the durability of the devices and the likelihood of high replacement rates. The cards require periodic charging, which is a problem in areas with spotty electricity, and they require chips that can be hacked and need to be sourced from anywhere but China. Franklin also doubts that E-Purses will be widely adopted, based on the adoption failures of similar devices in the past (the UK Mondex and Finnish Avant cards in the 1990s). He claims that part of the problem was that they required a lot of user maintenance. [Read more]

This is not the first time that E-Purses have been the subject of lazy bashing. A 2021 Sveriges Riksbank staff memo asserted that the technical construction of digital currencies (DCs) requires that they be verified by a remote ledger in order to avoid double spending. It dismissed the possibility of using local devices that cannot be tampered with and programming them such that a token cannot be spent more than once, claiming that such 100% tamper-proof devices do not exist. However, Mondex used tamper-resistant hardware to do what the paper says is impossible. It likely failed due to a flawed business model, as did other attempts to implement rechargeable smart card-based systems (MintChip and VisaCash), and not, as Franklin Noll claims, because they required a lot of maintenance. As for the Bank of Finland Avant card, I don’t see anything in Aleksi Grym’s Avant “lessons learned” paper about user maintenance.

As for hacking risk, offline hardware wallets are in general more secure than online platforms: because they are never connected to the Internet, they have a much smaller attack surface. An attacker cannot compromise an offline wallet that is turned off and stored in a pocket or a drawer. There is no denying that offline wallets’ lack of centralized validation increases the risk of counterfeiting or double spending, but that risk can be mitigated. The first line of defense is the use of tamper-resistant hardware. While offering a familiar user experience, smartphones in general do not provide the security guarantees that an offline DC system would need. They are perfect terminals for online DCs, but offline systems require a tamper-resistant element to enforce policy and prevent cheating while disconnected from the network, and smartphones have not been designed with this adversarial model in mind.

Resistance to tamper attacks can be augmented by software countermeasures. For example, unique keys for every card/wallet can limit the impact of a successful hardware attack. A compromised card cannot impersonate another and must continue to spend using its pre-assigned know-your-customer-verified identity. Also, mutual authentication between offline hardware wallets can reassure both parties involved in a person-to-person transaction that the funds being transferred are genuine and that double spend attacks are actively prevented. Software running inside the hardware could include limits on numbers of transactions, maximum balances, etc. In the event of a complete compromise of a card, the attacker can theoretically mint or double spend any amount. However, she cannot force other legitimate users to bypass the issuer rules on their cards, so high value items cannot be transferred this way. As for sneaky Chinese firms embedding malicious code into the cards, that risk can be mitigated by security certifications run by local labs.
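The following toy model is an added example, not code from Mondex, DCash or any system named in this digest; it illustrates two of the countermeasures above: per-card keys that tie a compromised card to its own identity, and receiver-side limits that cap what it can push onto honest cards. The HMAC key derivation, the limit values, the card names and the issuer-side `reconcile` step are all assumptions, and because the MAC is symmetric the tag is only checked by the issuer when cards sync, not by the receiving card offline.

```python
import hashlib
import hmac

MASTER = b"constructed-issuer-master-key"  # constructed; held only by the issuer
TX_LIMIT, MAX_BALANCE = 50, 200            # hypothetical issuer rules

def card_key(card_id):
    # Per-card key: extracting one card's key reveals no other card's key.
    return hmac.new(MASTER, card_id.encode(), hashlib.sha256).digest()

def tag(key, sender, receiver, counter, amount):
    msg = f"{sender}|{receiver}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Card:
    def __init__(self, card_id, balance, honest=True):
        self.id, self.balance, self.honest = card_id, balance, honest
        self.key, self.counter = card_key(card_id), 0

    def pay(self, receiver, amount, claim_id=None):
        if self.honest:  # a fully compromised card skips the balance check
            if amount > self.balance:
                raise ValueError("insufficient funds")
            self.balance -= amount
        self.counter += 1
        sender = claim_id or self.id
        tx = {"sender": sender, "receiver": receiver.id, "counter": self.counter,
              "amount": amount,
              "tag": tag(self.key, sender, receiver.id, self.counter, amount)}
        return tx if receiver.accept(amount) else None

    def accept(self, amount):
        # The receiver's own limits hold even if the payer is compromised.
        if amount > TX_LIMIT or self.balance + amount > MAX_BALANCE:
            return False
        self.balance += amount
        return True

def reconcile(loaded, txs):
    """Issuer side, once cards sync: return the set of (reason, card_id) flags."""
    net, flags = dict(loaded), set()
    for tx in txs:
        s, r, n, a = tx["sender"], tx["receiver"], tx["counter"], tx["amount"]
        if not hmac.compare_digest(tag(card_key(s), s, r, n, a), tx["tag"]):
            flags.add(("bad-tag", s))  # tag was not made with the claimed card's key
            continue
        net[s] = net.get(s, 0) - a
        net[r] = net.get(r, 0) + a
    return flags | {("overspend", c) for c, v in net.items() if v < 0}
```
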

However, I take the point Franklin hinted at on Twitter: for E-Purses and other DC form factors (including smart banknotes), we can’t assume that if we build it, they will come!

Thailand eases crypto tax burden until 2023 to promote industry

Thailand’s cabinet has approved the exemption of a 7% value-added tax (VAT) on crypto-asset trades on regulated exchanges, from April 2022 until the end of 2023. Also, investors will be able to offset annual losses against crypto-asset profits on regulated exchanges for tax calculations. Transfers of Thai central bank digital currency (CBDC) will also be VAT exempt. [Read more]

UAE Close to Adopting Initial Virtual Asset Law

The United Arab Emirates (UAE) Securities and Commodities Authority (SCA) is coming closer to issuing its virtual asset regulatory and supervisory framework. It has also completed its consultation on developing the necessary regulatory framework to address the risks of money laundering and terrorist financing related to virtual assets and virtual asset service providers in the United Arab Emirates, in order to ensure that the virtual assets sector adheres to the recommendations and requirements of the Financial Action Task Force (FATF). [Read more]

Dubai creates agency for virtual asset regulation

The Dubai government approved a new virtual assets law and established the Dubai Virtual Assets Regulatory Authority (VARA).  VARA will operate as an affiliated agency of the Dubai World Trade Center and will focus on compliance and disclosures of virtual asset service providers in the United Arab Emirates (UAE). The new agency will also handle the UAE’s crypto licensing regime. These crypto licenses will only be given to firms that establish a business presence in the UAE. [Read more]

Fraud Is Flourishing on Zelle. The Banks Say It’s Not Their Problem

Created in 2017 by America’s largest banks to enable instant digital money transfers, Zelle comes embedded in banking apps and is now by far the most widely used money transfer service in the United States. Other types of bank transfers or transactions involving payment cards typically take at least a day to clear. But once crooks scare or trick victims into handing over money via Zelle, they can siphon away thousands of dollars in seconds. There’s no way for customers — and in many cases, the banks themselves — to retrieve the money. [Read more]