Metaverse money laundering: Risks and regulation

By Julian Dixon
Julian Dixon, founder and chairman at Napier, explains the challenge of remaining compliant while offering products and services through the metaverse.

Funds are flowing through the metaverse.

Once the sole preserve of gamers, this 3D immersive world of virtual and augmented reality has seen its potential amplified by big-brand and celebrity endorsement, and is predicted to generate up to US$5tn by 2030, according to McKinsey.

From Gucci’s avatar-clad designs to Johnny Depp’s non-fungible token (NFT)-based artwork, art and fashion are eminent beneficiaries, selling virtual versions of their products for digital currencies to reach new markets and elevate customer interaction.

Yet with innovation comes risk, and with profits a parallel rise in criminal activity. Money laundering is flourishing in this fast-evolving, decentralised and unregulated space as illicit actors exploit security loopholes, making black money harder to trace.

An identity crisis? 

Owned by its users, the metaverse has no central authority to hold people to account and enforce the mandatory anti-money laundering (AML) compliance that typically governs financial service companies.

As such, Know Your Customer (KYC) and Customer Due Diligence (CDD) protocols, which are central to verifying customer identity and assessing risk before an account is opened, are not always applied by crypto exchanges.

While this is often down to inadequate tools rather than deliberate oversight, the result is the same: opportunists are revelling in the anonymity, hiding behind avatars or concealing the origins of illegally gained funds in digital wallets.

In this transient space, phishing scams are thriving, capitalising on the boom in metaverse real estate investment to drain wallets through fake login panels imitating legitimate wallet providers or the domains of well-known metaverse platforms.

Fortunately, some certainty prevails.

As the underpinning ledger that tracks and stores all digital exchanges, blockchain technology, in theory, provides tamper-proof encryption for critical transactions.

This accountability and assurance must therefore be the foundation on which to build a robust security solution, though scammers are still finding ways to muddy their trail.

From the use of multiple blockchains and different cryptocurrencies – buying coins in one form and selling in another – to flitting between different metaverse platforms, black money has a complex ride around the system.

The battle to regulate 

Aware that new technologies are outpacing existing anti-money laundering (AML) frameworks, authorities are responding, though a sense of playing catch-up prevails.

Set to be implemented in 2024, the EU’s Markets in Crypto Assets (MiCA) proposal draws crypto-assets, crypto-asset issuers and crypto-asset service providers (CASPs) under a regulatory framework for the first time.

The intention is to better protect consumers’ wallets and introduce liability if investors’ crypto assets are lost through criminal activity. Yet ultimately this falls short, particularly with respect to large-scale CASPs, which should be subject to greater supervision and stricter requirements if the bill is to have a meaningful impact on the sector.

Of course, bringing more order and legitimacy to the metaverse payment systems without stifling the innovation and freedom market players can expect from this decentralised space is a tricky balance to strike.

Indeed, securing this borderless, fast-moving space demands unity, clarity and consistency, yet there are a number of discrepancies to figure out, especially beyond Europe.

With constitutional US laws traditionally deferring to individual state laws, responses to fraud are likely to be fractured, while questions remain over how jurisdiction is best determined in this fast-evolving new world.

For example, does the cyber criminal’s physical location when the offence is committed dictate accountability, or does their nationality come into play? 

Building trust with customers and regulators  

The law may still be a work in progress, but regulation is in the ascendancy and a consensus prevails: sifting out the criminals at the point of onboarding remains key to tackling metaverse malpractice.

Compounded by rising geopolitical tensions and a volatile macro environment, the core tenets of identity and trust must be at the heart of the crypto AML program for digital payment facilitators.

Not only will this enable cross-border payments for regional and global merchants to be facilitated securely, but it will also mitigate the reputational damage caused when bad actors slip through the net.

While the practically instantaneous nature of crypto payment would appear to be a challenge when detecting fraudulent behaviour, the same agility can inform the compliance process.

Payment systems that incorporate advanced technology, such as artificial intelligence and machine learning, into their KYC and CDD measures will see the benefits.

Real-time screening of new users’ details against ever-growing global sanctions lists, and transaction monitoring that can enhance identity verification, will help root out suspicious activity faster and ensure a more proactive approach to security.

When it comes to combating financial crime in the metaverse, technology isn’t the silver bullet but has a significant part to play.

Improving the quality and traceability of the actionable data and insights constantly generated by the blockchain will be critical in building a comprehensive picture of a fast-evolving threat landscape.

Dealing with both the vast risks and opportunities the metaverse presents will demand a collective effort in which the most advanced processes and procedures are ever more vital to underpin the emerging policies.

