Compliance & Risk Archives - Thomson Reuters Institute
https://blogs.thomsonreuters.com/en-us/topic/compliance-risk/
Thomson Reuters Institute is a blog from Thomson Reuters, the intelligence, technology and human expertise you need to find trusted answers.

Financial markets regulatory outlook for 2023: Resilience, vigilance & positioning for change
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/financial-markets-regulatory-outlook-2023/
Tue, 17 Jan 2023

A complex cocktail of high inflation, volatile interest rates, supply chain disruptions, and slowing economies is creating challenging operating conditions for the financial services industry. Regulators’ preoccupations are with ensuring that firms manage their own financial and operational resilience and continue to support their customers.

Against this background, boards and executive teams should ask themselves two broad sets of questions. The first concerns what steps are being taken to remain resilient and support customers through near-term economic pressures; and the second, whether their own strategic plans align with medium-term structural changes in their operating environment.

Indeed, a strong grasp of the ever-evolving regulatory environment must inform how financial services firms answer these questions.

Near-term economic pressures

Disruptive economic factors will command attention in the near term. The credit risk outlook is increasingly precarious, and lenders will need to be able to demonstrate to supervisors how they are managing the associated risks. Many insurers and investment funds will also face credit-related pressures in their portfolios and may need to boost their credit teams if the volumes of defaults and corporate restructurings begin to rise.

Where credit risks crystallize, they will feed through to regulatory capital positions. Firms will also need to be vigilant for sudden bouts of volatility within the capital markets.

Central banks and regulators will be working hard to understand market vulnerabilities, with continued stress-testing of individual firms, funds, and the wider system. Margining practices will be under scrutiny.

There is also a major conduct risk component to the current economic situation, with consumers feeling the cost-of-living squeeze. Conduct supervisory standards are substantially higher now than in previous downturns, and firms will rightly be expected to support their customers through a period of economic hardship.

This is a particular dilemma for lenders, who will need to make judgements about when and how to exercise forbearance. It will also be a challenge for insurers, who may see rising numbers of policyholders struggling to cover their premiums, creating the possibility of protection gaps that will draw supervisory attention.

Embedding climate & nature risks

Climate and nature risks will increasingly shape the financial services operating environment. Less advanced firms may find themselves given progressively less leeway for shortcomings in the year ahead.

Efforts are underway in numerous arenas to improve the structure and content of transition plans, and firms will need to shift gears to keep up with new rules, guidelines, and greater supervisory scrutiny.

Firms will also need to keep an eye on the still-evolving nature-related risk disclosure framework being developed by the Taskforce on Nature-Related Financial Disclosures, a financial services industry advisory group whose members represent more than $20 trillion in assets. The Taskforce’s risk disclosure framework is due to be finalized in Fall 2023.

Technology transforming the sector

Technology enables firms to provide new and better products and services, develop deeper insights, and do so ever-more efficiently. However, as supply chains and delivery services models become more complex, both the regulatory regime and firms’ risk management and control frameworks have struggled to maintain pace with technological innovation.

Nowhere is this clearer than in relation to digital (and particularly crypto) assets. Regulated firms have increasingly been engaging with an evolving ecosystem of digital asset technology providers and developing client offerings. The European Union’s Markets in Crypto-Assets framework will enter into force this year, but a further regulatory response may be needed to tackle issues such as leveraged trading and crypto-lending as regulatory uncertainty and gaps will persist.

In the United Kingdom, meanwhile, the Financial Services and Markets Bill, once passed, will give authorities the power to oversee digital assets markets. The secondary legislation that will clarify which activities and market participants they will regulate, however, is yet to emerge.

The transition period for the U.K.’s operational resilience framework will soon enter its second year, and U.K.-based firms need to demonstrate measurable progress with regards to important business services. The 24-month implementation period for the E.U.’s Digital Operational Resilience Act begins this month, and firms within the E.U. will need to begin their work post-haste to be on track for the early 2025 deadline.

The resilience of the delivery of financial services in which third-party suppliers are involved is a major issue. In some cases, firms will need to develop contingency exit strategies and business continuity plans for third-party exposures, including substitute service delivery methods.

Long-standing concerns about model risk management also now have a distinctly technological flavor, with supervisors scrutinizing how firms are deploying artificial intelligence and machine learning. When finalized later this year, the U.K. Prudential Regulation Authority’s (PRA) proposed principles on model risk management will require a large amount of work to catalogue, categorize, and risk-assess models that for some firms could number in the thousands given the PRA’s expansive definition of model.

A general principle will be relevant for firms across all sectors and regions: people, and not models, should be responsible for decision-making. Boards and executive teams should be able to demonstrate that they understand the functioning of their models, including those based on new technologies such as machine learning.

Rising geopolitical tensions

Finally, rising geopolitical tensions will continue to be another feature of the changing risk environment in which financial services firms are operating. International markets are increasingly fragmenting, as nations and business leaders look at how to build supply chain resilience and security through greater localization of production and supply.

Given the volume of alerts generated by transaction monitoring systems, the inherent limitations of legacy systems and data, and strengthened baseline expectations, it is no wonder that some firms feel they are having to run ever-faster just to keep up. The status quo does not appear sustainable, and operating model reform will need to be part of the response, including considering changes to internal structures, resourcing models, and technology strategies.

Resilience and strength

Financial service firms face many headwinds as the new year begins but will do so from a position of resilience and strength, having successfully navigated the vicissitudes of the last three years. The major challenge will be to navigate the choppy near-term waters without losing sight of the medium-term processes of structural change playing out in relation to geopolitics, technology, and sustainability.

Regulation continues to be a major force that will shape the operating environment for financial services, and an integrated view of the regulatory landscape — as well as an ability to connect such a view with business strategy decisions — remain imperative for firms looking to stay at the forefront of the industry.


This blog post was taken in part from a recent report written by David Strachan & Suchitra Nair of Deloitte. You can sign up to receive Deloitte’s Financial Markets Regulatory Outlook report, due to be published later in January, here.

The possibility of an economic downturn may complicate strategic planning as we enter 2023: Podcast
https://www.thomsonreuters.com/en-us/posts/news-and-media/podcast-2023-outlook/
Wed, 11 Jan 2023

For professional services firms, 2022 represented the beginning of a return to normal. As many offices settled into a new hybrid working norm, legal and tax & accounting firms seemed to be getting back up to speed, while new initiatives in areas such as environmental, social & governance (ESG) and compliance innovation started to take shape. There was hope for large-scale industry growth — but that hope may end up being tempered.

As we enter 2023, the specter of a potential recession looms over all budgetary and strategic decisions. Professionals in corporate law and tax departments are already anticipating having to do more with less, which will likely impact how they work with their outside partners over the next 12 months. Add into this a mixture of new governmental regulations, and these next 12 months could start to look less like a cause for optimism and more like a trial to overcome.

In the most recent Thomson Reuters Institute Insights podcast, available on the Thomson Reuters Institute Insights podcast channel, our team of strategists reveal the trends they’re watching as we enter 2023, and how changes in the overall economy may affect this coming year’s strategic priorities.

Rabihah Butler, Head of Compliance & Government Insights, says that compliance is the name of the game in the risk and fraud space, with the Beneficial Ownership Act, the Enablers Act, crypto-regulation, and ESG compliance all playing their part to make the coming regulatory year a complicated one. And in the event of an economic downturn, there may be questions surrounding who bears the burden of that compliance risk, as well as how government entities and court systems will be able to continue key system reforms that they began during the pandemic.

Natalie Runyon, Head of ESG Insights & an Advisory Services Consultant, believes 2023 may be “a painful year because of multifaceted operational challenges and other headwinds” facing those responsible for ESG within organizations. The Securities and Exchange Commission’s rules on greenhouse gas emissions and the European Union’s new corporate sustainability reporting requirements both will increase work for lawyers and accountants, while certain social aspects of ESG — most significantly, the increased focus on employee well-being as a key performance indicator of organizational well-being — will remain a key priority for boards, especially in a tighter labor market.

Zach Warren, Head of Technology and Innovation Insights, views the tech and innovation landscape as one where next-generation technologies such as artificial intelligence, blockchain, and even ChatGPT may be taking a back seat to tried-and-true standards like business development and security and data protection. Thomson Reuters research has shown that while technology investment has continued thus far in the legal and tax industries alike, a recession may mean scaling back some research and development initiatives.

Bill Josten, Head of Legal Marketplace Innovation Insights, notes that what is top of mind for corporate law department leaders and law firms alike isn’t changing: the volume of matters they’re seeing is increasing. However, flat budgets and a potential down economy may have changed the calculus of how those matters will be tackled. Tighter budgets are forcing corporate law departments to tier their outside work, which could mean a potential rise in utilization of alternative legal services providers. Law firms, meanwhile, also are eyeing what inflation might mean for their realization rates and how to hold onto demand in the face of those tightening corporate purse strings.

Finally, Nadya Britton, Head of Tax and Accounting Insights, explains that small and midsize tax & accounting firms are looking to continue their advisory services expansion, particularly with continued industry automation and a de-emphasis on simple compliance work, while large tax firms are focusing on specialization in specific industry areas. Corporate tax departments, meanwhile, are “all about data, data, data,” Britton says, particularly with trying to better integrate the tax function into their organizations’ wider business initiatives. Even though any economic downturn may not impact tax as strongly as other industries, there are still implications around the industry’s growth plans to be considered.

As our team of strategists describe it in the podcast, 2023 is set to be a complicated year, but research has shown that there can be reason for optimism among all areas of professional services. Even with economic uncertainty looming on the horizon, the next year can prove fruitful with a little strategic planning and care.


You can get the whole story on the outlook for 2023 and listen to the most recent Thomson Reuters Institute Insights podcast here.

Despite polarizing FTX hearing, bipartisan support exists for crypto-regulation
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/ftx-hearing-crypto-regulation/
Mon, 09 Jan 2023

The no-show of star witness Sam Bankman-Fried at a December 2022 congressional hearing into the collapse of the FTX crypto exchange may have drained drama from the event, but the methodical testimony of the man who replaced him as FTX’s chief executive officer, John Ray, III, helped expose problems that could shape legislation following the largest meltdown to hit the troubled crypto industry.

The hearing exposed some partisan differences even as broad agreement emerged on what needs to be done to reduce risks for crypto investors. Republicans and Democrats remained apart in their views of the future of a digital-asset world shaken by the swift collapse of a firm regarded as one of the safest bets in the industry. Indeed, the FTX failure showed basic concerns that must be resolved before mainstream firms can assure regulators that investor protections are in place.

Republicans who have been ardent advocates of deregulation used the hearing to slam U.S. agencies for failing to act sooner to halt fraud at FTX and for going too slow in drafting rules. Numerous Democrats argued against taking hasty actions until more is known about the FTX failure, which led to Bankman-Fried’s recent arrest and indictment on multiple criminal charges.

Garden of Eden full of snakes

“My fear is that we will view Sam Bankman-Fried as just one big snake in a crypto Garden of Eden,” U.S. Rep. Brad Sherman (D-Calif.) told the hearing of the U.S. House Financial Services Committee. “The fact is, crypto is a garden of snakes.” Sherman has been a persistent critic of cryptocurrency, which he sees as mainly a tool for tax evasion, funding for illicit activities, money laundering and sanctions evasion.

Republican legislators at the hearing argued against curbs that discourage innovation and argued for moving more quickly to put basic rules in place.

Despite testy exchanges and finger-pointing across the aisle, the hearing showed bipartisan consensus that the industry needs to assure transparency, asset custody, and governance that curbs conflicts of interest and self-dealing.

The FTX case also illustrates the challenging complexities in resolving a digital-asset bankruptcy, Ray said during the hearing. But the process was the same that he followed while overseeing the collapsed energy trading firm Enron, he said. “You follow the money.”

The FTX event could lead to “information being gathered that will inform legislation in a positive way,” said Sarah Riddell, a Morgan Lewis lawyer who worked for the Commodity Futures Trading Commission (CFTC) and participated in drafting the Dodd-Frank legislation.

Riddell compared the job ahead to the post-financial crash rulemaking that required a multi-faceted, complicated process. The industry firms that have put compliance in place in their crypto practices could emerge intact, she said. “The firms with good tires will survive the heightened attention this has brought.”

AML as a unifier

U.S. Senators Elizabeth Warren (D-Mass.) and Roger Marshall (R-Kansas) recently introduced bipartisan legislation aimed at mitigating risks that digital assets pose to U.S. national security by closing “loopholes” that enable money laundering using cryptocurrencies. The introduction of the Digital Asset Anti-Money Laundering Act of 2022 comes in the wake of a number of high-profile government actions and scandals in the crypto sector, including the Treasury Department’s blacklisting of the cryptocurrency “mixer” Tornado Cash in August as well as the FTX bankruptcy and founder Bankman-Fried’s subsequent indictment. Amid these scandals, pressure on legislators and regulators to rein in the sector and strengthen anti-money laundering (AML) activities has only mounted.

Among other things, the Digital Asset Anti-Money Laundering Act of 2022 would extend AML obligations to a much broader spectrum of cryptocurrency players. For example, it would require such crypto entities as digital asset wallet providers, miners, validators, and other network participants to comply with portions of the Bank Secrecy Act, including know-your-customer requirements. The Act would also prohibit financial institutions from using or transacting with digital asset mixers and other anonymity-enhancing technologies and from handling, using, or transacting with digital assets that have been anonymized using these technologies.

The Act would also direct the U.S. Treasury Department to establish an AML/counter-terror finance compliance examination and review process for money services firms, and direct the U.S. Securities and Exchange Commission and CFTC to establish similar compliance examination and review processes for the entities those agencies regulate.

“Rogue nations, oligarchs, drug lords, and human traffickers are using digital assets to launder billions in stolen funds, evade sanctions, and finance terrorism,” Sen. Warren said in a written statement. “The crypto industry should follow common-sense rules like banks, brokers, and Western Union, and this legislation would ensure the same standards apply across similar financial transactions. The bipartisan bill will help close crypto money laundering loopholes and strengthen enforcement to better safeguard U.S. national security.”

The senators noted that the Treasury Department, U.S. Justice Department and other national security and financial crime experts “have warned that digital assets are increasingly being used for money laundering, theft and fraud schemes, terrorist financing, and other crimes.”

In fact, rogue nations have used digital assets to launder stolen funds, evade American and international sanctions, and fund illegal weapons programs, the statement noted, adding that in 2021, cybercriminals raked in at least $14 billion in digital assets — an all-time high.

Further, Binance, the world’s largest crypto platform, was reported to have laundered more than $10 billion for criminals and sanctions evaders over the last few years. However, splits among Justice Department prosecutors are delaying the conclusion of a long-running criminal investigation into Binance, it was recently reported. A Binance spokesperson declined comment.

Fintech, Regtech, and the role of compliance in 2023: Addressing deployment & management
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/fintech-regtech-compliance-report-2023/
Wed, 04 Jan 2023

The newly published seventh report on Fintech, RegTech, and the role of compliance in 2023, produced by Thomson Reuters Regulatory Intelligence (TRRI), gives at times a contrasting message on the status of the fintech marketplace. On one hand, survey respondents identified an increasingly diverse range of uses for financial technology (fintech) and regulatory technology (regtech) applications, ranging from credit risk analysis, where 40% of global systemically important banks (G-SIBs) were using fintech applications, to information security, where 30% of respondents reported using fintech solutions.


You can download TRRI’s 7th report on Fintech, RegTech, and the role of compliance in 2023 here.

On the other hand, there are signs of a slowdown in the growth of the fintech sector. In the first half of 2022, for example, the total capital invested in fintech worldwide reached $59 billion, which was flat year-over-year, according to Innovate/Finance’s 2022 Summer Investment Report. What’s more, there were 3,045 deals completed in the fintech sector, fewer than the 3,401 deals in the first half of 2021.

The slowdown is echoed in the findings from this year’s TRRI survey. There was a fall in the number of people feeling extremely positive about fintech and regtech. For fintech overall, this year’s survey reported that 15% of respondents were extremely positive compared with 31% last year. For regtech, 15% of respondents felt extremely positive compared with 26% in 2021. What’s more, fewer than one-in-ten (8%) of respondents from G-SIBs felt extremely positive about fintech.

Fintech

It may be unsurprising that respondents felt less positive about innovation and digital disruption given the challenges that firms must address across the board. This year, respondents said that the availability of skills (20% fintech, 16% regtech) and regulatory approach (14% fintech, 18% regtech) were the most significant challenges anticipated in the next 12 months. For G-SIBs, concentration risk and third-party providers ranked highest among challenges for fintech (15%), whereas cultural approach (15%) was the biggest challenge facing G-SIB regtech users. Data governance and cyber resilience also feature highly in the list, with other areas including financial crime and operational resilience also prominent.

Regulators are also adopting technological solutions to help with their supervisory roles and the management of large volumes of data. That means firms need more interaction with regulators on fintech and regtech. More than two-fifths (43%) of G-SIBs reported having spoken to their regulator about fintech and regtech. This contrasts with responses from other financial services firms, nearly 60% of which reported that their regulator had not spoken to them about the use of technological solutions.

Despite this current slowdown and waning of enthusiasm, the future of the fintech market remains optimistic, the report observes, recommending that financial services firms should continue to invest in technology, IT infrastructure, and associated skillsets. To maximize the potential of technological innovation, firms must continually reassess their technological needs and then invest in solutions tailored to the activities of their business.

The Fintech, Regtech, and the role of compliance survey has, in its lifetime, attracted more than 3,000 respondents. Participants from all sectors of financial services — from globally significant banks to technology start-ups — took part in this seventh survey. The survey results are intended to help financial services firms with planning, resourcing, and direction, allowing them to benchmark whether their approach, skills, strategy, and expectations are in line with those of the wider industry. The report specifically focuses on areas that directly affect the compliance function.

The report also assesses the extent to which firms are turning the technological challenges they are now facing into opportunities, embracing new ways of working and navigating the evolving regulatory approach.

The role of corporate boards and audit committees in mitigating ESG fraud risks
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/corporate-boards-esg-risks/
Tue, 27 Dec 2022

According to a joint study by Deloitte and the Center for Audit Quality, 42% of audit committee members at the corporate board level noted an increase in the risk of fraud in companies’ environmental, social & governance (ESG) disclosures. Indeed, the immature nature of some ESG data disclosed publicly over the last decade coincided with a lack of internal controls around it, which only increased the risk around ESG data.

To understand this more fully, the key components of fraud — pressure, opportunity, and rationalization (known as the fraud triangle framework) — must be better understood themselves, according to Carey Oven, National Managing Partner of Deloitte’s Center for Board Effectiveness.

All of these components come into play in fraud, Oven explains, adding that i) pressure is present around the increasing expectation that ESG data be released to the public; ii) the transparency, auditability, and nature of disclosed data are governed by the controls around that data, the estimates used for the data, and the data creation — all of which present additional opportunities for fraud; and iii) the immaturity in the data’s transparency, verifiability, and auditability “presents an opportunity for additional pressure and ultimately rationalization of fraud.”

For example, many companies were very quick to issue climate transparency reports, even a decade or so ago, and now these disclosures are in the public domain. The problem is that these disclosures were not conducted with hardened, auditable data. And this increases the risks that these ESG numbers will be seen as potential fraud.

Corporate boards become involved

Corporate boards have a huge role to play in reducing the potential for ESG fraud and risk. Indeed, “the board’s responsibility around ESG boils down to risk,” Oven states, simply because of their fiduciary responsibilities. To meet these requirements, corporate directors need to understand what could potentially go wrong with performance disclosures that a company is making public around their ESG activities.

Indeed, ESG risks have been on the minds and agendas of boards for the past several years, Oven says, mostly because risk oversight is a perennial responsibility of a corporate board. That means that whatever ESG information has been publicly disclosed voluntarily, and whatever might go into public filings, is of keen interest to the full board and the audit committee.

Management is also trying to understand what additional proactive measures they need to put into their risk management processes for ESG, both in terms of using the existing infrastructure they have around risk and in terms of how the unique scenarios and risks specific to ESG layer into it.

Possible risk reduction actions

Audit committees and C-level management need to take joint steps to assess and mitigate ESG risk, Oven says. Some of these steps should include:

Dedicating resources — The first step in reducing the potential for ESG fraud is to make sure that enough time, budget, and effort have been allocated to assessing the ESG risk landscape and how it impacts the company. Management and the board must understand what risks need to be addressed and what effective, permanent resources are required to continually analyze this new risk area.

Embedding ESG into the company’s risk infrastructure — Another key step is analyzing how ESG fits into the current risk infrastructure of the company, explains Oven. Because ESG is on the board agenda, top management needs to provide additional disclosure to the board and involve the board as the company moves through the ESG risk assessment journey.

The risk appraisal part of this preparation also involves understanding and documenting the full ESG data evolution from the point of collection as raw data to the point the information is publicly released. This ensures that detailed processes and procedures are developed and that the right internal controls and data governance levels are fortified. “Boards with their responsibility for and expertise in oversight and governance should be involved in this effort,” Oven states.

Gathering stakeholders to weigh in — Once the documentation of protocols and controls is complete, stakeholders from across the organization, including individuals from corporate legal, finance, and internal audit, need to convene to determine what information will be reported in any filings and transparency reports. “What we see organizations doing is putting forth responsibilities where Chief Sustainability Officer or Chief Risk Officers are owning certain elements of the program,” says Oven. “But the program right from the planning stage needs to be influenced by internal stakeholders, including internal audit and board.”

It is easy to conclude that the potential for ESG fraud will remain high on the agendas of corporate directors because of the ongoing acute presence of the three components of fraud — pressure, opportunity, and rationalization. As a result, corporate boards and their audit committees will continue to play a pivotal role in the maturation of ESG data governance and in supporting internal controls to ultimately reduce these risks.

Is your cyber coverage ready? Cyber insurance uptake is rising, but coverage questions remain
https://www.thomsonreuters.com/en-us/posts/news-and-media/cyber-insurance-coverage/
Wed, 21 Dec 2022

Just because cyber-attacks are no longer all over the news doesn’t mean that they’ve gone away. In fact, the opposite could be true as cyber-attacks have now become an expected part of doing business. Indeed, cyber-attacks against tax & accounting firms have increased 80% between 2014 and 2020, according to the Association of International Certified Professional Accountants (AICPA), while the American Bar Association (ABA) reported in 2021 that 25% of US law firms had been breached at some time.

As those cyber risks have increased, so too has the growth of insurance coverage for cyber incidents. But while cyber insurance has begun to receive more uptake, increasingly stringent standards for coverage as well as confusion about the options available for cyber incidents could leave some companies in the lurch.

According to the 2022 Cyber Readiness Report from insurance provider Hiscox, almost two-thirds (64%) of companies now have cyber insurance as either a standalone insurance policy or as part of another policy. This represents a small rise from 58% two years ago. The highly regulated financial services sector has the highest rate of cyber insurance adoption at 74%, while the construction and travel/leisure industries have the lowest adoption at 53% each.

Crimes of opportunity

Judy Selby, a partner in the insurance practice at law firm Kennedys and a regular speaker on cyber issues, said that she’s beginning to see an improvement of companies’ general cyber awareness that current hacking incidents are largely “crimes of opportunity,” rather than dependent on the industry in which a company operates.

“I think for years, there was a thought process that nobody would be interested in my data, my company’s data,” Selby said. “And if you remember the days of the big retail incidents, the data breaches, I remember companies saying to me personally, well, we don’t have credit cards, so nobody’s going to want our information.”

Now however, she added, “I think the uptake is getting higher now than it used to be. And part of that was this realization that yes, it can happen to us, which is a really big deal. And also recognizing that the exposures come from so many different angles.”

Indeed, the Hiscox survey found a strong correlation between exposure to a breach and a desire for cyber insurance. Out of the firms that did not have cyber insurance or did not plan to get it, nearly 80% had not experienced a cyber-attack within the past year. Just over half (51%) of those were also considered “novices” in cyber readiness, according to the Hiscox scale.

Even among those companies that had cyber insurance, however, there remained some stratification between the types of coverages they held. Notably, companies were split roughly down the middle as to whether they held a standalone cyber policy or covered cyber as part of a larger policy. Among companies with 250 or more employees, 35% had a standalone cyber policy in place, and 40% had cyber coverage as part of another policy. At companies with under 250 employees, those figures were 28% and 29%, respectively.

Selby said she is a proponent of standalone coverage, if possible, for a few reasons. First is simply “because the coverage is so comprehensive, you have all this great first-party coverage for dealing with an incident.” Particularly with more sophisticated cyber-attacks, policies that include business interruption coverage, regulatory coverage, and liability coverage are coming into play.

Concerning the latter, Selby noted that many companies are “not technically or financially able to respond to an incident on their own.” When a network is encrypted and the company’s access to it is blocked, for example, even the simplest of questions become complicated: How do we communicate with each other? How do we hire vendors to come in and help us? And even if we wanted to pay a ransom, how would we do that?

“These are things you don’t want to have to learn on your own,” she explained. “And so, the first-party coverage can be a real lifeline to companies to efficiently and effectively manage this incident from [not only] a financial standpoint [and] an operational standpoint, but also from a reputational standpoint.”

Preparing for a cyber incident

Outside help on cyber incidents may be increasingly necessary because overall cyber readiness is falling, the Hiscox survey notes. Respondents’ self-assessment of overall cyber readiness fell by 2.6% during the past year, with the number of companies qualifying as “experts” falling from 20% to 4.5%. The survey attributed those decreases to awareness of new vulnerabilities such as the Apache Log4j logging library vulnerability, as well as a continued talent crunch for cybersecurity experts.

That’s why Selby said she tells clients to not only get to know the details of their insurance providers’ coverage options (and subsequent limits on policies), but also what she calls providers’ “cyber squad” team. A typical cyber insurance provider will have a mix of panel firms, forensic analysts, notification vendors, and more that can be a godsend in a pinch, often provided at discounted rates.

This extra value can be important when making a business case for cyber insurance as well, she added, as the insurance has become more expensive and the scrutiny for coverage has gotten more intense. Some security measures, such as multi-factor authentication, are now table-stakes for coverage, which could scare off some businesses. However, Selby drew an analogy to property insurance: Every provider is going to ask not only about fire incidents that happened in the past, but sprinkler systems and fire exits that could help prevent them in the future.

“It always surprises me when people… complain about having to provide the information,” Selby said. “It’s like, if you don’t understand your own risk, why would you expect another company to say, okay, we’ll insure that for you, we’ll take that risk on your behalf when you don’t know what it is? And then when you say that, they go, oh yeah, that makes sense.”

Ultimately, cyber issues aren’t going away, particularly as the Hiscox survey found the median cost of a cyber-attack nearly doubled in both the United States and the United Kingdom last year. That means cyber insurance will also continue to represent a piece of companies’ risk mitigation profile by necessity.

“The issues that people have with applying for the coverage, that shouldn’t stand in the way,” Selby said. “I think people should proceed and get the coverage, and when you get it, keep it, even if the price has gone up.”

ACAMS: Fighting financial crime in the Metaverse
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/acams-2022-financial-crime-metaverse/ (Mon, 05 Dec 2022)

LAS VEGAS — As lawmakers continue to debate how to regulate digital assets and fight new forms of financial crime made possible by the current version of the internet, many tech and financial-crime experts are concerned that the next iteration of the internet — Web 3.0 and the Metaverse — may be an even more welcoming playground for criminal activity.

“Technology advancements are a great thing, but the Metaverse combined with Web 3.0 allows people to be more anonymous than ever,” says Jim Lee, chief of the Internal Revenue Service Criminal Investigations unit (IRS-CI). “As a result, we all know that the criminal element is going to come out somewhere, somehow.”

Is prevention possible?

Lee spoke at the recent 21st Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by the Association of Certified Anti-Money Laundering Specialists (ACAMS), where the challenge of preventing Web 3.0 from becoming a safe haven for criminals was discussed in a number of forums.

ACAMS is attended primarily by bank regulators and other defenders of the traditional financial system, and the consensus opinion among this crowd is that anticipating how criminals could exploit Web 3.0 is the key to preventing it. Mistakes made building the current internet should have taught us that addressing content problems after the fact is a losing game, many experts say, so it’s essential to build controls and safeguards into Web 3.0 before criminals even have the opportunity to commit a crime.

Or so the thinking goes.

There are several holes in that proposition, however. Among them: i) regulators and Web 3.0 technologists would need to find a way to work together somehow; ii) not everyone agrees on the nature of the problem or how to prevent it; iii) lawmakers have a dismal record when it comes to recognizing and addressing issues involving technology before they happen; and iv) criminal activity in the Metaverse is already on the rise, so the clock is ticking.

What is Web 3.0?

Though the terms are sometimes used interchangeably, Web 3.0 and the Metaverse are not the same thing. Web 3.0 is the underlying architecture of the Metaverse, which itself is the immersive, three-dimensional digital world that proponents of the technology (such as Meta CEO Mark Zuckerberg) claim is the future of the internet.

Though the Metaverse is still in the early stages of development, elements of Web 3.0 are already being used today in the world of cryptocurrencies and other digital assets (such as with non-fungible tokens and stablecoins), all of which are based on blockchain technology. One of the key differences between today’s internet (Web 2.0) and Web 3.0, however, is that the latter is built entirely on blockchain smart-ledger technology driven by machine learning and artificial intelligence.

The key features of Web 3.0 that most concern government officials and law enforcement are decentralization and anonymity. Not coincidentally, these are the same features that make crypto-based crimes and crypto-enabled criminal networks so hard to thwart.

The core idea of Web 3.0 and hence the Metaverse, however, is that it is entirely decentralized, meaning that no central power or government controls it. And for many Web 3.0 evangelists, that’s the central selling point of Web 3.0: Freedom from governmental control.

From a government regulator’s perspective, however, total decentralization is a huge problem. What it essentially means is that anyone can do anything, anonymously, and with no accountability, and there’s very little that conventional law enforcement can do to stop it.

Virtual crime, real-world victims

That’s not all. The trouble really starts when criminal activity in the Metaverse leaks over into the real world. At ACAMS, Lee asked his audience to imagine strapping on some virtual-reality (VR) goggles and walking into a building in the Metaverse: “Floor 1 is the ID theft room, where you exchange some sort of digital asset and they instantly give you a driver’s license, a date of birth — Personal Identifiable Information (PII) — that you can then go use for credit-card fraud, bank fraud, or whatever crime you can think of using PII.”

Floor 2 is the firearms floor in Lee’s digital dystopia. There, you can purchase the location of a gun in the real world, with no background check, “and now you’ve got a person who shouldn’t have a weapon,” Lee says. Floor 3 is devoted to human trafficking. Floor 4 to money laundering. Floor 5 to terrorism. And so on.

“It’s an ugly picture,” Lee warns.

Anjana Rajan is the Chief Technology Officer for Polaris, the largest anti-human trafficking NGO in the United States. At ACAMS, she explained that Congress should be concerned about the rise of Web 3.0 because of the “philosophy” of institutional distrust behind it. “It’s really about society and the future of our political system,” Rajan explains. “In its best form, this technology can create economic inclusion and a more secure internet, but in its worst form it can also drive the same thing that happened on January 6.”

Proponents of Web 3.0 have a distressing amount in common with anti-government violent extremists, namely, that “they don’t trust US institutions, they don’t trust the US dollar, and they don’t trust the corporations and oligarchs who run the economy,” she adds.

The difference is that Web 3.0 and the Metaverse are being built by some of the richest, most powerful people — and the largest tech companies (such as Meta, Google, and Microsoft) — in the world.

Re-thinking trust

A lawless, entirely unregulated Metaverse is not inevitable, these experts say, but it will require a re-thinking of some of the basic concepts upon which financial institutions and society at large are currently based, such as identity and trust. For example, our concept of identity in the real world revolves around a person’s PII, such as date of birth, social-security number, driver’s license number, address, etc. However, it may be time for the government “to start moving away from normal concepts of identity-based trust and instead move to concepts of trust within the ecosystem,” notes Frederick Reynolds, Chief Compliance Officer for the fin-tech start-up Brex.

In the ecosystem of the Metaverse, one’s identity is defined by the metadata on their blockchain, and trust within the ecosystem is built through blockchain activity that is independently verified by a decentralized network of fellow users. So in a sense, blockchains build trust by eliminating the need for it.

For better or worse, this is how the Metaverse works. Yet, if we’re not careful, these experts warn, criminals will figure out how to make it work for themselves before law enforcement can figure out how to stop them.

From tokens to stablecoins & everything in-between — The complex ecosystem of digital assets: Podcast
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/podcast-digital-assets-ecosystem/ (Wed, 30 Nov 2022)

For the last few weeks, every news outlet has had some coverage of cryptocurrency from a different angle — from digital coins collapsing and investors losing money to a myriad of regulatory questions, the world is buzzing around the topic of digital assets, how they work, and most importantly, whether they can be trusted as a part of the global economy.

That’s why it’s crucial to separate fact from fiction.

In the latest Thomson Reuters Institute Insights podcast, available on the Thomson Reuters Institute channel, we speak with Gabriel Hidalgo of FTI Consulting and Teresa Anaya of Archblock about digital assets, how they act within their own ecosystem, and how that compares to and interacts with the traditional economy.

As the podcast explains, it can be a little overwhelming to try to understand native currency, tokens, stablecoins, decentralized finance (DeFi) and a US Central Bank Digital Currency (CBDC), especially if what you’re hearing sounds like a sales pitch or a scam. During this podcast, we break them down and explain how many of these concepts work and the truth behind the names, in an unbiased look at the digital asset and cryptocurrency industry.

In the last month, the crypto exchange FTX has fallen from grace at top speed in a very public way. We have also seen celebrities, like Kim Kardashian, fined for endorsing a digital token, Ethereum Max, improperly; and Binance, another crypto exchange, ran afoul of regulators in the US and the United Kingdom.

Yet, cryptocurrencies and tokens are just two individual types of digital assets; and from native currencies to stablecoins, there is a full ecosystem that should be understood as the world moves toward including digital currency, and its infrastructure, into the larger economy. This isn’t to say that you should convert all your money into digital assets tomorrow, but it would be smart to be well-versed in this area as it evolves.

In speaking to Hidalgo and Anaya — two experts both with years of experience in the digital assets space — we get walked through their insights on the basics of digital assets and their related infrastructure. This walk is not intended as financial advice, of course, but the clarity will be important.

Indeed, as the podcast makes clear, there is no crystal ball that can tell you what to invest in or when; and there is no full certainty on what direction governments will go in legitimizing the new digital asset ecosystem. What we can be provided, however, is a crucial roadmap to understanding what is true and what may be “too good to be true” in the world of digital assets.

Episode transcript.

You can access the latest Thomson Reuters Institute Insights podcast, featuring a discussion about the digital asset ecosystem, here.

New communications demand a new approach to compliance
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/new-communications-demand-a-new-approach-to-compliance/ (Mon, 28 Nov 2022)

Modern unified communication (UC) tools have become a critical part of the communications infrastructure for many organizations. The use of Short Message Service (SMS), collaboration, and chat applications to conduct business is powering the work-from-anywhere era.

Yet, mistakes, data breaches, and data exposure tend to happen when people communicate and share information digitally, and firms need to make it as straightforward as possible for employees to leverage modern UC tools while remaining compliant and secure.

“Increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt internal controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks associated with using unauthorized chat and text platforms.”

Kristin N. Johnson, commissioner, US Commodity Futures Trading Commission (CFTC), September 2022

In its 4th annual survey report on modern communications compliance and security, security and compliance software firm Theta Lake highlights the complex challenges faced by those professionals tasked with maintaining compliance, security, and data privacy within firms and companies. The report is based on the views and experiences of more than 500 compliance and security professionals from the heavily regulated financial services, healthcare, and government sectors across the United States, the United Kingdom, and Canada. The report provides a snapshot of how communication platforms are being used and the issues with which organizations are struggling and can help organizations benchmark their own practices and expectations against those of the wider industry.

Heightened regulatory focus on modern communications

The survey findings come against the backdrop of fines of more than $2 billion already levied by the US Securities and Exchange Commission (SEC) and the CFTC for failures of organizations to capture, retain, and supervise communications. The situation underscores that a lack of visibility and oversight is one of the biggest risks faced by firms in a modern hybrid workplace. For example, the survey showed that two-thirds (66%) of financial services leaders believe employees are using unmonitored channels, posing heightened compliance and security risks.

“As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”

Gary Gensler, chair, SEC, September 2022 

The crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that have yet to address supervision and record-keeping risks that were exacerbated by the pandemic.

Attempts to offset these risks are made harder by the limitations of legacy supervision and archiving approaches, which also pose real risks and costs to businesses. As a case in point, 39% of survey respondents cited gaps in coverage as a top challenge with their existing archiving tools, while only 9% reported having no issues. Another 45% said they needed to be able to selectively archive written in-meeting communications like chat without having to record the video or audio. A mismatch between legacy tools built for email and today’s workplace, where 81% use chat and 63% use video equally or more than email, has created critical gaps in records. It has also put a spotlight on dated compliance tools that are unable to capture, retain, and supervise dynamic communications data.

“The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel.”

Sanjay Wadhwa, senior associate director of enforcement, SEC, September 2022

As a result, organizations face growing challenges to both enable communications across the platforms that employees and customers use while deploying technologies to appropriately capture, retain, and supervise these interactions to meet regulatory obligations.

“The [survey report] findings show just how integral modern communication platforms have become in today’s workplace, but there’s a lot of catching up to do when it comes to the compliance and security tools currently being used. The more than $2 billion in fines is the biggest wake-up call yet that compliance and unified communications teams need to be in lockstep to ensure a comprehensive approach to record-keeping and supervision.”

Stacey English, director of regulatory intelligence, Theta Lake

Proactive compliance needs modern tools

The views and experiences of survey participants highlighted numerous challenges that organizations need to overcome in order to stay safe and compliant in an increasingly complex communications environment.

Organizations are seeking specific capabilities in modern compliance tools, including the ability to capture contextual information such as reactions, emojis, GIFs, edits, or deletions as well as features like whiteboards. Tools also need proactive compliance functionality, including the capability to automatically post disclaimers and remove problematic content.

“Let me be clear here: I am talking about more than putting together a stock policy and giving a check-the-box training. This requires proactive compliance, and this type of approach has never been more important than today — a time of rapid and profound technological change.”

Gurbir S. Grewal, director, SEC Division of Enforcement, October 2021

Unsurprisingly, the control environment across all organizations is varied and complex, as approaches evolve to meet the rapid and constantly changing nature of communications and regulatory expectations.

Some 66% of survey respondents in the financial services industry are using documented usage policies as controls, with 65% using internally built platform controls, and 62% using specialist software to enforce policies. Almost half (45%) of organizations take a more draconian approach, however, by disabling features to limit the risk of new channels. Perhaps not surprisingly, the most frequently disabled features are camera functionality, file sharing, and screen sharing.

[Chart: controls applied to communication platforms and the most frequently disabled features. Source: Theta Lake]

In the short term, bans and blocks may work as a control. Given that the features being disabled are essential, however, it is only a matter of time before employees circumvent such policies — an observation reinforced by the recent regulatory enforcement action.

Organizations need modern compliance and security technology to give them the confidence and assurance to unlock the value of the platforms in which they have invested, rather than disable them, allowing staff and customers access to the features they want to use.


For more, you can download a copy of Theta Lake’s 2022 Modern Communications Compliance and Security Report here

Fraud, transaction problems highlight US consumer complaints over crypto
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/consumer-complaints-crypto/ (Wed, 23 Nov 2022)

The report from the US Consumer Financial Protection Bureau (CFPB) comes as the high-profile failure of the FTX crypto exchange has seized the attention of regulators and shaken the crypto industry. “Our analysis of consumer complaints suggests that bad actors are leveraging crypto-assets to perpetrate fraud on the public,” said CFPB Director Rohit Chopra.

Even before the collapse of FTX, complaints from consumers who were hit by other types of digital currency losses have been rising at an alarming rate, the CFPB reported. The CFPB report said the crypto market has become a magnet for fraudsters who see little chance that their schemes will be detected due to the absence of investor protection and the opaque nature of the market.

Crypto firms hiding behind “terms & conditions”

The fledgling crypto industry’s $2 trillion market, made up of complex and illiquid digital assets, lacks controls and account management operations to handle customers’ problems, the CFPB report suggested. The firms often “hide behind terms and conditions” to delay transactions when customers try to claim their crypto assets.

The report found that despite marketing claims that they offered “immediate access” to funds, some crypto firms have often delayed or denied redemptions based on “identity verification issues, security holds, or technical issues.” Many customers also reported the transactions were settled at prices far below quoted levels when unexpected or unexplained fees were tacked on. Some firms cited “market spreads” that led to payouts far below quoted prices. Further, the transaction concerns were most often handled in some form, the CFPB report said, even if they were settled on disadvantageous terms for consumers.

The largest complaint category, representing about 40% of complaints, involved fraud-related matters, and sometimes included use of social media by digital currency participants in a potent mix of deception and opaque fund movement. The CFPB reported that in many instances of fraud reports from customers, the transaction provider declined to accept responsibility or to help in recovering funds, arguing that since they act as intermediaries they are not contractually required to act. In some cases, they required customers to submit to “mandatory arbitration” and clauses that prohibited them from joining class actions.

US regulators have said that since the crypto firms operate from offshore domiciles, they have only limited powers to intercede when fraud surfaces. The CFPB itself said its “complaint bulletin” was meant as a risk warning, but the agency went no further in committing its own enforcement division to pursuing wrongdoing.

Enforcing crypto fraud “time-consuming” 

The CFPB, with its own packed rulemaking and enforcement agenda, suggested that pursuing bad actors would be a drain on agency resources since the anonymity of crypto “makes tracing crypto-assets stolen by fraudsters more time consuming for regulators and law enforcement.” The agency said it would continue to log complaints and follow up with efforts to recover funds from crypto firms it could reach; however, in most cases, it said it would refer complaints to the Federal Trade Commission or other law enforcement authorities.

In its bulletin, the CFPB said the fraud complaints ranged from sophisticated “nation-state” level operations to the types of social engineering scams or cyber breaches seen in ransomware attacks by bad actors seeking payments in hard-to-trace cryptocurrencies. Among the leading scam methods the CFPB noted were: i) playing on a victim’s emotions to extract money or posing as customer service representatives to gain access to customer accounts; ii) using social media posts or targeting different communities in affinity attacks aimed at younger populations, Black and Latino communities, older consumers, and service members; and iii) impersonating crypto-asset developers, founders of major websites such as YouTube, or the official accounts of governments to solicit crypto-asset donations to help the people of Ukraine.

The CFPB also described various tactics that crypto firms used to evade or delay regulations or returning assets to customers, including: i) patterning transactions by using many small transactions to evade money laundering and fraud controls; ii) freezing consumer assets immediately prior to entering bankruptcy or using decentralized finance (DeFi) as part of the crypto-asset ecosystem; and iii) using hacked SIM cards and mobile phone numbers to activate and take control of users’ credentials, or linking transactions and a crypto address with a consumer’s identity on their other transactions.

While the CFPB’s bulletin was intended as a warning to consumers, it cited one area in which it might take direct action — the use of deceptive claims of government savings account insurance, which is guaranteed by the Federal Deposit Insurance Corporation (FDIC). In a May announcement, the CFPB said it could bring action under the Consumer Financial Protection Act, which prohibits any fraud involving deceptive claims around FDIC insurance.

“Our analysis of consumer complaints suggests that bad actors are leveraging crypto-assets to perpetrate fraud on the public,” said the CFPB’s Chopra. “Americans are also reporting transaction problems, frozen accounts, and lost savings when it comes to crypto assets. We will continue our work to keep the payments system safe from fraudsters targeting Americans.”
