Skip to content
Compliance & Risk

ACAMS: Fighting financial crime in the Metaverse

Tad Simons  Technology Journalist/Thomson Reuters Institute

Tad Simons  Technology Journalist/Thomson Reuters Institute

One of the overarching themes of the recent ACAMS conference was how to prevent Web 3.0 and the Metaverse from becoming a safe haven for financial scams and illicit actors

LAS VEGAS — As lawmakers continue to debate how to regulate digital assets and fight new forms of financial crime made possible by the current version of the internet, many tech and financial-crime experts are concerned that the next iteration of the internet — Web 3.0 and the Metaverse — may be an even more welcoming playground for criminal activity.

“Technology advancements are a great thing, but the Metaverse combined with Web 3.0 allows people to be more anonymous than ever,” says Jim Lee, chief of the Internal Revenue Service Criminal Investigations unit (IRS-CI). “As a result, we all know that the criminal element is going to come out somewhere, somehow.”

Is prevention possible?

Lee spoke recently at the recent 21st Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by the Association of Certified Anti-Money Laundering Specialists (ACAMS), where the challenge of preventing Web 3.0 from becoming a safe haven for criminals was discussed in a number of forums.

ACAMS is attended primarily by bank regulators and other defenders of the traditional financial system, and the consensus opinion among this crowd is that anticipating how criminals could exploit Web 3.0 is the key to preventing it. Mistakes made building the current internet should have taught us that addressing content problems after the fact is a losing game, many experts say, so it’s essential to build controls and safeguards into Web 3.0 before criminals even have the opportunity to commit a crime.

Or so the thinking goes.

There are several holes in that proposition, however. Among them: i) regulators and Web 3.0 technologists would need to find a way to work together somehow; ii) not everyone agrees on the nature of the problem or how to prevent it; iii) lawmakers have a dismal record when it comes to recognizing and addressing issues involving technology before they happen; and iv) criminal activity in the Metaverse is already on the rise, so the clock is ticking.

What is Web 3.0?

Though the terms are sometimes used interchangeably, Web 3.0 and the Metaverse are not the same thing. Web 3.0 is the underlying architecture of the Metaverse, which itself is the immersive, three-dimensional digital world that proponents of the technology (such as Meta CEO Mark Zuckerberg) claim is the future of the internet.

Though the Metaverse is still in the early stages of development, elements of Web 3.0 are already being used today in the world of cryptocurrencies and other digital assets (such as with non-fungible tokens and stablecoins), all of which are based on blockchain technology. One of the key differences between today’s internet (Web 2.0) and Web 3.0, however, is that the latter is built entirely on blockchain smart-ledger technology-driven by machine learning and artificial intelligence.

The key features of Web 3.0 that most concern government officials and law enforcement are decentralization and anonymity. Not coincidentally, these are the same features that make crypto-based crimes and crypto-enabled criminal networks so hard to thwart.

The core idea of Web 3.0 and hence the Metaverse, however, is that it is entirely decentralized, meaning that no central power or government controls it. And for many Web 3.0 evangelists, that’s the central selling point of Web 3.0: Freedom from governmental control.

From a government regulator’s perspective, however, total decentralization is a huge problem. What it essentially means is that anyone can do anything, anonymously, and with no accountability, and there’s very little that conventional law enforcement can do to stop it.

Virtual crime, real-world victims

That’s not all. The trouble really starts when criminal activity in the Metaverse leaks over into the real world. At ACAMS, Lee asked his audience to imagine strapping on some virtual-reality (VR) goggles and walking into a building in the Metaverse: “Floor 1 is the ID theft room, where you exchange some sort of digital asset and they instantly give you a driver’s license, a date of birth — Personal Identifiable Information (PII) — that you can then go use for credit-card fraud, bank fraud, or whatever crime you can think of using PII.”

Floor 2 is the firearms floor in Lee’s digital dystopia. There, you can purchase the location of a gun in the real world, with no background check, “and now you’ve got a person who shouldn’t have a weapon,” Lee says. Floor 3 is devoted to human trafficking. Floor 4 to money laundering. Floor 5 to terrorism. And so on.

“It’s an ugly picture,” Lee warns.

Anjana Rajan is the Chief Technology Officer for Polaris, the largest anti-human trafficking NGO in the United States. At ACAMS, she explained that Congress should be concerned about the rise of Web 3.0 because of the “philosophy” of institutional distrust behind it. “It’s really about society and the future of our political system,” Rajan explains. “In its best form, this technology can create economic inclusion and a more secure internet, but in its worst form it can also drive the same thing that happened on January 6.”

Proponents of Web 3.0 have a distressing amount in common with anti-government violent extremists, namely, that “they don’t trust US institutions, they don’t trust the US dollar, and they don’t trust the corporations and oligarchs who run the economy,” she adds.

The difference is that Web 3.0 and the Metaverse are being built by some of the richest, most powerful people — and the largest tech companies (such as Meta, Google, and Microsoft) — in the world.

Re-thinking trust

A lawless, entirely unregulated Metaverse is not inevitable, these experts say, but it will require a re-thinking of some of the basic concepts upon which financial institutions and society at large are currently based, such as identity and trust. For example, our concept of identity in the real world revolves around a person’s PII, such as date of birth, social-security number, driver’s license number, address, etc. However, it may be time for the government “to start moving away from normal concepts of identity-based trust and instead move to concepts of trust within the ecosystem,” notes Frederick Reynolds, Chief Compliance Officer for the fin-tech start-up Brex.

In the ecosystem of the Metaverse, one’s identity is defined by the metadata on their blockchain, and trust within the ecosystem is built through blockchain activity that is independently verified by a decentralized network of fellow users. So in a sense, blockchains build trust by eliminating the need for it.

For better or worse, this is how the Metaverse works. Yet, if we’re not careful, these experts warn, criminals will figure out how to make it work for themselves before law enforcement can figure out how to stop them.

More insights