Closing the Gates on Money Laundering: Big Tech as Gatekeepers in the Metaverse
Posted on Mar 21, 2023
On October 28, 2021, Mark Zuckerberg announced Facebook Inc.’s name change to Meta Platforms Inc. (“Meta”) in order to reflect the company’s new focus on building the metaverse, a vast, immersive, online realm that would encompass entire digital societies and economies. This announcement propelled public interest in the platform, which has experienced significant growth since 2021. Although the metaverse presents meaningful growth opportunities for the digital economy, its architectural features disable the efficacy of the existing anti-money laundering (“AML”) regime. In order to address shortcomings in the AML framework, regulators should implement a system of gatekeeper liability using technology companies.
II. The Current Anti-Money Laundering Framework in the Metaverse
Financial transactions in the metaverse are currently subject to existing AML regulations. The Bank Secrecy Act of 1970 (“BSA”) is the statutory foundation for the existing federal AML framework. The BSA requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering by “keep[ing] records of cash purchases . . . , fil[ing] reports of cash transactions exceeding $10,000 . . . , and report[ing] suspicious activity.”
Since the passage of the BSA in 1970, several laws have expanded the federal AML regime. The Money Laundering Control Act of 1986 required essentially all banks subject to federal regulation “to establish and maintain procedures reasonably designed to assure and monitor compliance” with the BSA. In 1992, Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act required financial institutions to file suspicious activity reports (“SARs”). In 2001, Title III of the USA PATRIOT Act (“USAPA”) set forth enhanced customer identification programs and customer due diligence (“CDD”) requirements. Finally, the Anti-Money Laundering Act of 2020 (“AMLA”) implemented the most recent set of legislative changes to the BSA and represented the most significant overhaul of the BSA/AML regime since the USAPA. Among other measures, the AMLA expanded the BSA to include the term “value that substitutes for currency.”
The efficacy of the existing AML framework is, however, disabled by the metaverse’s architectural features, namely its decentralization and minimal interoperability. In today’s decentralized metaverse, no single company or handful of companies owns and controls the domain. Because the metaverse lacks interoperability, users must create separate profiles for each platform (e.g., social platforms such as Decentraland and Sandbox or gaming platforms such as Roblox and Fortnite), they cannot import digital assets across platforms, and they cannot exchange currency between platforms. These design features create significant AML obstacles. For instance, decentralization diffuses control across a broad array of private actors as opposed to a small group of primary actors, thereby making it more difficult to enforce a regulatory regime. Meanwhile, the lack of interoperability provides criminals with extensive layering opportunities as they convert digital currencies across platforms in order to obscure the source of illicit funds. Finally, a third design feature inherent to cryptocurrency, anonymity, exacerbates these challenges by creating additional hurdles with respect to financial institutions’ ability to carry out effective CDD measures as mandated by AML laws.
III. The Argument for a System of Big Tech Gatekeeper Liability
Given the metaverse’s rapid growth, the domain must be subject to sufficient controls in order to maintain the integrity of financial transactions. Although the platform’s architectural features present AML challenges, regulators can implement a system of gatekeeper liability in order to bypass such hurdles. This framework uses the law as a tool to shape the metaverse into a more centralized, interoperable system, thereby shaping the behavior of individuals and entities indirectly.
First, technology corporations, as opposed to financial intermediaries, should be the designated gatekeepers. Big tech (i.e., the most dominant technology companies including Amazon, Apple, Google, Meta, and Microsoft) has a more established presence in the metaverse relative to financial institutions, and it is unclear if or when banks will be truly operational on the platform given complex banking regulations. In the interest of expediency, it is pragmatic to designate technology corporations as gatekeepers because they have already built out their platforms (on which financial transactions occur). More importantly, it is critical to limit banks’ exposure to unnecessary risk given their central role in the broader economy. Banks are uniquely subject to safety and soundness requirements at the federal level precisely because they are a linchpin of economic well-being. Fundamentally, these prudential regulations are centered on systemic stability concerns, and designating financial intermediaries as gatekeepers may unnecessarily expose them to nefarious activity by encouraging them to increase their involvement in the metaverse. Because history has demonstrated that bank failures can trigger massive systemic instability, it is imprudent for regulators to risk compromising financial stability by encouraging banks to be gatekeepers—particularly when a viable alternative exists with big tech.
Next, a key component of any regulatory regime involves enforcement mechanisms. The core feature of this system should be based on existing AML reporting requirements, as technology companies must first report suspicious activity to regulators in order for law enforcement to prevent money laundering. Because the reporting requirements currently only apply to financial institutions, Congress should amend existing statutes to cover technology companies. That is only the first step, however, as bringing big tech under the umbrella of the AML regime does not adequately address their ability to comply with affirmative obligations. Technology companies will need to invest in the necessary compliance infrastructure, but given their lack of expertise, this may present an opportunity for financial institutions to provide their services to technology companies. Alternatively, technology corporations could utilize fintech solutions that use machine learning to analyze data and detect suspicious activity.
With respect to effective enforcement, another key design feature involves ensuring that regulators actually bring enforcement actions. Historically, the AML regime has suffered from under-inclusivity; even though statutes articulate clear enforcement standards, the statutory standards tend to be watered down in practice. That said, an effective AML framework does not necessarily need to detect and punish every violation. Rather, a more realistic regime would rely on gatekeepers’ probabilistic calculations of risk to inform their compliance decisions. This risk-based strategy would allow regulators to target AML violations that they determine to be the most critical threats to the integrity of the financial system. For instance, regulators could articulate a more transparent set of priorities that guide their enforcement decisions, and gatekeepers may then be able to tailor their detection efforts accordingly, as opposed to casting too wide of a net.
Ultimately, this proposed system of gatekeeper liability uses the law to design a metaverse that is, in practice, more centralized and interoperable, which creates an environment that is more regulable. By creating gatekeepers, regulators would functionally centralize the scope of their supervision—even if the metaverse remains decentralized from a formalistic perspective. Similarly, gatekeepers would mitigate the interoperability and anonymity challenges, which stem from an information problem. With multiple gatekeepers like Meta, Google, and Microsoft, information about financial transactions that occur on their respective platforms would be shared with regulators, thus “forming an interlocking and interacting web of protection against wrongdoing.” This repository of information would be critical towards allowing law enforcement to more effectively trace currency flows across platforms and to identify patterns when analyzing transactions stored across multiple ledgers. By creating a system in which technology companies are required to report suspicious activity to FinCEN, regulators are more likely to have the necessary information at their disposal to combat money laundering.
Given the metaverse’s potential to transform the digital economy, it is prudent to implement a regulatory framework while the platform is in its infancy and remains malleable to change. A proactive approach will allow regulators to reduce the risk of capture and focus on advancing policies that promote the integrity of the financial system. By creating a platform that is more regulable, the metaverse will build in guardrails against money laundering—a feature that is critical in order to prevent the metaverse from becoming an environment ripe for illicit activity.
 Will Oremus, In 2021, Tech Talked Up ‘The Metaverse.’ One Problem: It Doesn’t Exist., Wash. Post (Dec. 30, 2021, 8:00 AM), https://www.washingtonpost.com/technology/2021/12/30/metaverse-definition-facebook-horizon-worlds/.
 See Meet Me in the Metaverse: The Continuum of Technology and Experience, Reshaping Business, Accenture (2022), https://www.accenture.com/_acnmedia/Thought-Leadership-Assets/PDF-5/Accenture-Meet-Me-in-the-Metaverse-Full-Report.pdf (Decentraland, a user-owned Ethereum-based virtual world, saw 21,000 real estate transactions worth $110 million in 2021, and Gucci sold a virtual-only digital twin of a purse for a higher price than its real-world counterpart.).
 Heidi Wicker, Transacting in the Metaverse, But Getting Paid in Reality: Legal Considerations for Companies Establishing Payments Infrastructure, New York Law Journal (Nov. 16, 2022, 10:00 AM), https://www.law.com/newyorklawjournal/2022/11/16/transacting-in-the-metaverse-but-getting-paid-in-reality-legal-considerations-for-companies-establishing-payments-infrastructure/.
 Norbert J. Michel & Jennifer J. Schulp, Revising the Bank Secrecy Act to Protect Privacy and Deter Criminals, CATO Policy Analysis, July 26, 2022, at 2.
 The Bank Secrecy Act, Financial Crimes Enforcement Network, https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act.
 Michel & Schulp, supra note 4, at 7.
 See id. (Section 1517 authorized the Treasury secretary to “require any financial institution, and any director, officer, employee, or agent of any financial institution, to report any suspicious transaction relevant to a possible violation of law or regulation.”).
 See id. at 8.
 See id.
 Congressional Research Service, R47224, The Metaverse: Concepts and Issues for Congress (2022), at 15.
 Jason Cottrell, Who Owns the Metaverse?, Fast Company (Nov. 7, 2022), https://www.fastcompany.com/90802867/who-owns-the-metaverse.
 Rodrigo Coelho, Jonathan Fishman & Denise Garcia Ocampo, Supervising Cryptoassets for Anti-Money Laundering, Financial Stability Institute (Apr. 2021), at 3.
 Among companies such as Apple, Google, and Microsoft, which have all invested in metaverse-related initiatives, Meta has emerged as the front-runner, having already established a virtual world, Horizon Worlds. Meanwhile, financial intermediaries’ presence in the metaverse remains in its infancy. Banks such as JPMorgan Chase, HSBC, and American Express have opened lounges in the metaverse that showcase promotional materials but have yet to offer financial services.
 See Congressional Research Service, R44918, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework (2020), at 13.
 See id.
 See BSA/AML Manual: Assessing Compliance with BSA Regulatory Requirements: Suspicious Activity Reporting—Overview, Federal Financial Institutions Examination Council (2022), https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04 (Under the BSA/AML framework, financial institutions have a statutory mandate to file SARs in order to report suspicious activity that might signal criminal activity. Banks, bank holding companies, and their subsidiaries are required to file a SAR with respect to: criminal violations involving insider abuse in any amount; criminal violations aggregating $5,000 or more when a suspect can be identified; criminal violations aggregating $25,000 or more regardless of a potential suspect; transactions conducted or attempted by, at, or through the bank (or an affiliate) and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has reason to suspect that the transaction may involve potential money laundering or other illegal activity, is designed to evade the BSA, or has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in.).
 There is a distinction between financial institutions providing their services to technology companies in their role as gatekeepers versus the financial institutions themselves being designated as gatekeepers. In the former case, prudential concerns are not as meaningfully implicated because banks are not the entities who bear the exclusive responsibility of effectuating the AML regime, nor do they risk liability for violating AML obligations. In other words, banks have less skin in the game, which minimizes systemic concerns.
 See Rodrigo Coelho, Marco De Simoni & Jermy Prenio, Suptech Applications for Anti-Money Laundering, Financial Stability Institute (Aug. 2019).
 See The Panama Papers: A Torrential Leak, The Economist (Apr. 9, 2016), https://www.economist.com/international/2016/04/09/a-torrential-leak (“Panama has been praised for passing a strong anti-money laundering law last year, though it remains to be seen if this will be rigorously enforced.”).
 Andrew F. Tuch, The Limits of Gatekeeper Liability, 73 Wash. & Lee L. Rev. Online 619, 625 (2017). See also The Global Framework for Fighting Financial Crime, Deloitte (June 2020), at 5 (“Different financial institutions each may hold information on the same customer which may overlap, but which may also be inconsistent and incomplete, a weakness which criminals can navigate in order to exploit the financial system.”).