Blockchain has been widely touted as the most significant technology of the last 20 years, with the potential to revolutionize the financial services industry across a range of applications, from crypto-currencies to smart contracts to fully automated clearing and settlements systems for payments.
The Cayman Islands has a large stake here. As one of the world’s leading offshore financial centers, home to approximately 70 percent of the world’s offshore investment funds and with an absence of any direct taxation on companies or individuals, Cayman is well placed to become an attractive destination for technology entrepreneurs. Cayman’s ambition to become a global leader in financial technologies (FinTech) is also supported by a sound legal framework, modern infrastructure, state of the art communications systems and a stable political climate.
Cayman now has an opportunity to realize the benefits of blockchain technology in real terms as the new era of technology-based financial services gains traction.
If there is any positive news to come out of the Equifax scandal that broke in September, it is the universal realization that centralized databases are no longer fit for purpose and can never provide the control measures, security and data protection that individuals now demand.
Equifax, the U.S. credit monitoring agency, announced that sensitive personal information relating to 143 million Americans had been stolen from its database. The hacked data included addresses, dates of birth, driver’s license and social security numbers, and in some cases, credit-card information. While the attack itself targeted a centralized database, ultimately, cyber-criminals exploit humans, not computers. As the hacked data is almost certainly now in the hands of criminal gangs, there is a real risk that the identities of millions of individuals will come under further attack, as the criminals now hold specific identity information that can be used against its true owners.
Conventional databases are vulnerable because they comprise a single ledger that forms a definitive record of all transactions that have taken place. A central administrator is then responsible for ensuring that this ledger is maintained, kept up to date and kept secure.
Because the administrator’s ledger is the only record, there is no independent way to verify the veracity or timeliness of these transactions, and it is not possible or practicable to double-check their accuracy against another data source.
Blockchain – or distributed ledger technology – replaces the centralized transaction database with a decentralized, distributed digital ledger where each and every transaction flowing through it is independently verified against other ledgers maintained by different parties, in different locations. In this way, the record of any single transaction cannot be altered without alteration of all subsequent transactions or “blocks” that are chained together across the entire distributed ledger.
Taking a simple example, let us assume we have a network comprising three participants: A, B and C. If A wants to send money to B, the request (represented as a “block”) is transmitted through the network. That block is then broadcast to every participant on the network, and those participants (in our example, A, B and C) must each complete several checks (e.g., whether A actually owns the money they propose to send, whether the request is valid, etc.). Once the new block is approved and added to the chain, money moves from A to B and the transaction is completed.
Information about the completed transaction is simultaneously broadcast across the blockchain network to all its participants (including A, B and C). This distributed “blockchain” ledger serves as an immutable, independently verifiable record of the transaction between A and B (and, indeed of all previous transactions between all market participants).
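The three-participant example above can be modelled directly. The following Python example is an added illustration, not code from the article or from any blockchain project; the block layout, the function names and the sample transfers are assumptions made for the example. It shows that an edited block fails its own hash check, and that even when the editor re-chains every later block, the altered copy no longer agrees with the ledgers held by the other participants.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first block (assumption)

def block_hash(prev_hash, tx):
    """SHA-256 over the previous block's hash plus this block's transaction."""
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain, tx):
    """Add a transaction, chaining it to the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "tx": tx, "hash": block_hash(prev, tx)})

def first_bad_block(chain):
    """Index of the first block whose hash or back-link is wrong, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["tx"]):
            return i
        prev = block["hash"]
    return None

def rehash(chain):
    """Recompute every hash in one copy, as an edit to an old block would require."""
    prev = GENESIS
    for block in chain:
        block["prev"], block["hash"] = prev, block_hash(prev, block["tx"])
        prev = block["hash"]

def dissenting_copies(ledgers):
    """Participants whose latest block hash differs from the majority's."""
    tips = {name: chain[-1]["hash"] for name, chain in ledgers.items()}
    counts = list(tips.values())
    majority = max(set(counts), key=counts.count)
    return sorted(name for name, tip in tips.items() if tip != majority)

def demo():
    # Constructed sample data: A, B and C each hold a full copy of the ledger.
    transfers = [("A", "B", 10), ("B", "C", 4), ("C", "A", 1)]
    ledgers = {name: [] for name in "ABC"}
    for chain in ledgers.values():
        for sender, receiver, amount in transfers:
            append(chain, {"from": sender, "to": receiver, "amount": amount})
    ledgers["C"][0]["tx"]["amount"] = 1000       # C's copy of the oldest block is edited
    detected_at = first_bad_block(ledgers["C"])  # stored hash no longer matches
    rehash(ledgers["C"])                         # C's copy is made self-consistent again
    return detected_at, first_bad_block(ledgers["C"]), dissenting_copies(ledgers)
```

`demo()` returns the index at which the edit is first detected, the result of the same check after re-chaining, and the list of participants whose copy disagrees with the majority.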
Advantages of blockchain technology
Blockchain technology is unique in that it lends itself to improving almost every type of transaction. Because a blockchain network operates securely without the need for any central administrator, the technology provides a viable alternative for existing processes which are largely manual, labor-intensive and paper-based. These processes often involve the secure transfer and storage of sensitive information, for example, in the context of collecting “know your client” (KYC) information. Blockchain technology is ideally suited to this application.
The government of Estonia, a pioneer in the implementation of blockchain technology, now uses blockchain to secure and validate identity management, e-voting and electronic health records. Another first-adopter of blockchain is Singapore, whose monetary authority has already successfully completed a proof-of-concept pilot to explore the use of blockchain for interbank payments to simplify the payment process, reduce the time taken for transactions, enhance transparency and system resilience and reduce the cost of long-term record keeping.
Proof of concept: regaining control of your own personal data
While much of Cayman’s financial services legislation was written before the FinTech revolution began, the Cayman Islands has recently taken a number of legal and regulatory steps to allow FinTech innovation to thrive. For example, recent reforms have seen Cayman’s intellectual property laws updated and the establishment of a special economic zone allowing technology companies to benefit from specific advantages such as fast-tracked work permit applications for relocating employees.
As FinTech solutions tend to be data-driven, the enactment of Cayman’s new Data Protection Law is seen by many as the final piece in the legislative jigsaw puzzle to spark Cayman’s own FinTech revolution. One way for Cayman to take a leading role in the fast-moving global FinTech sector is to demonstrate success with an initial, modestly-aimed blockchain project.
Following the Equifax breach, a blockchain solution that returns control of an individual’s personal identity data to the individual and streamlines the process of complying with strict KYC and anti-money laundering regulations could be an easy win for Cayman.
The growing number of regulatory requirements relating to KYC and anti-money laundering together with demands for more convenient and user-friendly on-boarding processes for customers and stricter data protection requirements has increased the incentives for financial institutions to find more cost-effective mechanisms for satisfying these requirements. Blockchain technology makes this possible.
Digital identity management
The entryway into the world of digital identity management is through the creation of a digital wallet. For security purposes, this digital wallet would be maintained on a physical, USB flash drive that can be disconnected from the Internet and retained in a safe place.
This digital wallet is capable of storing personal identity data such as a copy of an individual’s passport photo page, tax numbers and other unique identifiers such as driver’s license numbers and proof-of-address information.
In the process of creating the digital wallet, a unique public/private cryptographic key pair is generated for that individual. The premise of public key cryptography is that anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt the message. Thus, security depends on the secrecy of the private key held by the individual identity owner. Once the digital wallet is created and loaded with cryptographically signed identity documentation, the individual can begin securely sharing their digital identity information in commercial transactions.
In the context of conducting commercial transactions (for example, opening a bank account), it is necessary to provide identification information. In the digital world, identification can be seamless – and secure. Using blockchain technology, when an individual is asked by their bank to provide a copy of their passport, instead of sharing a physical copy of this document, they will simply encrypt a digital copy of the passport photo page in their wallet using the bank’s public key and deliver it to the bank via the blockchain network.
As it travels along the blockchain network, the individual need not be concerned about their passport information falling into the wrong hands. Because the passport information is encrypted using the bank’s public key, it can only be decrypted once the bank applies its corresponding private key, which is known only to the bank. To everyone else on the network, only the secure hash of the passport information is visible.
This cryptographic exchange mechanism therefore prevents unauthorized sharing of secured information. For example, if the bank subsequently attempted to share the passport copy with another third party, the document would be unreadable to that third party. The individual identity owner is therefore able to retain full control over their personal data whilst being able to safely and securely share that data with third parties of their choice.
Data protection compliance
Cayman’s new Data Protection Law is drafted around a framework of privacy principles to ensure that personal data collected in Cayman is properly stored, kept no longer than necessary, and used only for the purpose for which it is collected. “Dynamic authorization” involves making the right to access data conditional on certain requirements being met. Most basically, for the purposes of the proof of concept above, the bank may only decrypt the individual’s passport when this is shared with the bank by the individual; otherwise, the technology simply will not allow the bank to see this information.
One of the major benefits of blockchain technology is also its immutability, meaning the data stored on the chain cannot be altered or deleted. This could also create a data protection problem, because in theory there could be no “right to be forgotten” in the context of blockchain. However, personal data can be kept off blockchain ledgers altogether by replacing the data with a cryptographic reference to the data – a “hash.” These hashes or digital fingerprints prove that data did exist at a certain date, but without the data itself appearing on the chain.
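The hash-in-place-of-data approach described above can be shown in Python. This is an added example, not code from the article or from any product; the `OffChainStore` class, the per-record random salt and the sample values are assumptions made for the illustration. It anchors only a digest and a date on the ledger, proves the record against that digest, honours an erasure request by deleting the off-chain record and salt, and shows why the salt is included: an unsalted digest of a small value space such as a date of birth can be matched by enumeration.

```python
import hashlib
import os
from datetime import date, timedelta

def fingerprint(data: bytes, salt: bytes = b"") -> str:
    """SHA-256 digest placed on the ledger instead of the data itself."""
    return hashlib.sha256(salt + data).hexdigest()

class OffChainStore:
    """Hypothetical private store holding each record and its salt, keyed by digest."""
    def __init__(self):
        self.records = {}

    def put(self, data: bytes, ledger: list, anchored_on: str) -> str:
        salt = os.urandom(16)  # random per-record salt (design assumption)
        digest = fingerprint(data, salt)
        self.records[digest] = (salt, data)
        ledger.append({"digest": digest, "anchored_on": anchored_on})  # no personal data
        return digest

    def prove(self, digest: str, ledger: list) -> bool:
        """True if the held record reproduces a digest that is on the ledger."""
        if digest not in self.records:
            return False
        salt, data = self.records[digest]
        on_chain = any(entry["digest"] == digest for entry in ledger)
        return on_chain and fingerprint(data, salt) == digest

    def erase(self, digest: str) -> None:
        """Erasure request: drop data and salt; the ledger entry stays but is unlinkable."""
        self.records.pop(digest, None)

def recover_unsalted_dob(digest: str, start: date, days: int):
    """An unsalted digest of a date can be matched by trying every date in a range."""
    for n in range(days):
        guess = (start + timedelta(days=n)).isoformat()
        if fingerprint(guess.encode()) == digest:
            return guess
    return None

def demo():
    ledger, store = [], OffChainStore()
    passport = b"constructed sample passport page for J. Doe"
    digest = store.put(passport, ledger, "2017-10-01")  # constructed anchoring date
    before = store.prove(digest, ledger)
    store.erase(digest)
    after = store.prove(digest, ledger)
    leaked = recover_unsalted_dob(fingerprint(b"1980-02-29"), date(1980, 1, 1), 366)
    return before, after, len(ledger), leaked
```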
Encryption controls limiting the accessibility of personal data hashed in the blockchain are a viable solution for data protection compliance. While encrypted personal data may still qualify as personal data under the new Data Protection Law as long as the holder of the data possesses the encryption key, it is difficult to see the objection from a data protection perspective if the keys will only be made available in circumstances dictated by a smart contract or by the individual data subject.
The technology also brings unprecedented data security benefits. Hacking attacks that commonly impact large centralized intermediaries like banks are almost impossible on the blockchain. A hacker who wanted to hack into a particular block in a blockchain would need to hack not only into that specific block, but into all of the preceding blocks going back the entire history of that chain, and would need to do it on every ledger in the network, simultaneously.
The path forward
So how can Cayman make this work in practice? We propose a three-step approach:
First, start by having the Cayman Islands Central Registry simultaneously issue a digital birth certificate (or, in the case of a company, a certificate of incorporation) onto the blockchain at the same time it issues a physical one.
Next, pass legislation and regulations to support blockchain identity management by enabling the Cayman Islands Monetary Authority to allow its licensees to recognize blockchain identities in the context of satisfying anti-money laundering requirements.
Finally, accept that no one has a crystal ball. It is futile to attempt to predict or plan for where blockchain technology will be in the next five years. Instead, our laws should create a flexible regulatory framework to enable natural growth and evolution to occur within the blockchain space in response to market demands.
As the full scale of the Equifax breach continues to sink in, investors, regulators and lawmakers are scrambling to assess the damage from one of the largest personal data breaches on record. What is clear is that the collection of large centralized sets of highly sensitive data is no longer acceptable and a solution needs to be found. Blockchain solutions already exist to overcome these deficiencies. Digital identity management also holds significant importance, as Cayman will shortly have the most comprehensive data protection laws in the region and is well positioned to take a leading role in this area. Strategically, a lead in blockchain innovation could be a real boost for Cayman’s economic future and give the jurisdiction a clear advantage in what is an increasingly competitive field of innovation.