Alan L Tyree

Regulation of International Electronic Trading

1. Why regulate?

Regulation of computer money should only be undertaken if:

This paper discusses the main risks of computer money, the forms of regulation that are available to control the risks, the likely effectiveness and consequences of the regulation.

The main conclusions are that in the short to medium term regulation is probably not required to control the perceived risks. In the longer term, there is no form of regulation that can control some of them.

2. What are the risks?

Various commentators have expressed the view that computer money poses the following risks: [See Tyree, Digital Cash, Butterworths, 1997 and the references listed there. ]

I will examine each of these risks with a view to estimating the severity of the risk.

2.1. Tax avoidance

Since Frank Merrick"s paper is devoted entirely to the issue of taxation and computer money, I will restrict myself here to a few comments on the subject.

Already, it is said, Australia is losing taxation revenue because of Internet commerce. The example that is always given is the purchase of CDs from America. It is a poor example since the price of CDs in Australia is artificially inflated by regulation such as the Copyright Act. This subsidy of the local market also permits book publishers to maintain prices which are substantially higher than overseas. For this reason, many Australian consumers purchase books from the US and other less restrictive markets.

However, if purchasing goods where the Australian price is not artificially inflated, the consumer has little incentive to purchase overseas. The delays in delivery, the unavailability of any redress should the goods prove defective and the natural desire of many to "buy Australian" are all reasons for the consumer to buy locally and, indeed, it is obvious that most consumers, even Internet aware consumers, do so.

The purchase of information or software is in a different category. Some information may only be available offshore. Delivery is not a problem since the information may be delivered as quickly from remote locations as from nearby ones. Consumers might still prefer to purchase software locally if it is available because of the remedies available if the software proves defective.

Can taxation revenues be lost because salary or other income is paid into offshore accounts? Computer money does offer the theoretical potential of settling all payment obligations offshore. We can assume that there will be a form of computer money available which does not allow tracing of either payer or payee. In such a circumstance, it must be tempting to request salary or other payment to be made offshore.

The problem with that scenario is that the transaction must be beneficial to both parties. There is little incentive for most organisations to agree to an unreported salary payment to a foreign account. Indeed, there are very strong reasons why most organisations would refuse outright to such an arrangement.

Taxation issues are difficult, and I am not suggesting for a moment that there is no cause for concern in the long term. However, in the short term the above considerations suggest that computer money will not have a serious detrimental effect on taxation revenues.

2.2. Seigniorage loss

Computer money is intended to replace real cash. To the extent that this replacement is successful, the private issue of money replaces the existing public issue.

A licence to print money is valuable. How valuable? The usual answer refers to seigniorage. Money is put into circulation by purchasing interest bearing securities. From an economics point of view, the issue of a bank note is a liability on which no interest is paid, but it is used to acquire assets which are interest bearing. The resulting profit is known as seigniorage.

A rough estimate of the value of seigniorage is to compute the interest on the total note and coin issue. Recent estimates indicate a total issue on the order of $20 Billion. [See Mair, "Consumer Payment Systems", Proceedings of the First Australian Money Day conference, 28 March, 1996. ] More than 75% of the value of that issue is in the form of $50 and $100 notes.

To the extent that computer money replaces "real" money, we would expect the replacement to be in the lower denominations. The total scope for replacement is then on the order of, say, $4 billion. Even if computer money were 100% successful in replacing these notes and coins, the effect is limited.

Again, in the short term, the effect of computer money on seigniorage would seem to be minimal. In the longer term, regulators might wish to consider the imposition of a tax on the issue of computer money.

2.3. Money laundering and other criminal activity

The Australian Office of Strategic Crime Assessment and the American Financial Crimes Enforcement Network share concerns about the use of untraceable computer money for the purposes of money laundering. [See Lapworth, "Anonymous Untraceable Payments on the Internet: An Infrastructure for International Crime", Proceedings of the First Australian Money Day conference, 28 March, 1996; OSCA, "Australia"s move towards electronic commerce: some implications for law enforcement", 1995; Not everyone agrees: see Maroldy, "Recordkeeping and reporting in an attempt to stop the money laundering cycle: why blanket recording and reporting of wire and electronic funds transfers is not the answer," The Notre Dame Law Review, 66, pp. 863-92 (1991). ] Since any major criminal activity requires money laundering, at least if it is successful, any structure which facilitates money laundering will indeed be a blow to crime enforcement.

If a rogue has a large amount of computer money, then it probably is easier to launder it, at least if the computer money is of the untraceable variety. This is the starting point for most of the law enforcement discussion of money laundering.

However, the would-be launderer has another problem that is usually glossed over. How does it happen that the rogue has a large amount of electronic money? Either the income from the illicit activity must be in electronic form or the cash must be converted to electronic form.

It is possible that the income from the illicit activity could be in electronic form. However, the likelihood of that will depend upon the particular form of illicit business and the particular form of electronic money. If the electronic money does not offer privacy of transactions then it is unlikely that the customers would choose to use it. For example, there is nothing in the payment mechanism that prevents prostitution or drug deals to be paid for by credit card. The main reason that this is not a major problem is that the transactions are traceable. Neither the customer nor the merchant wishes to use a payment mechanism that is so visible.

Will we see the day when a smart card or computer transfer could be used to purchase heroin on the street? It is not impossible but it does not seem credible in the immediate future since it would require card-to-card transfers or the use of portable terminals by drug dealers. If the transfers are or can be anonymous then we can expect to see this happen, but it will take some time to establish the infrastructure.

On the other hand it is now possible to engage in illicit activities where payment would naturally be by digital coin. It is easy to establish a "casino" where gambling would be with digital coins. Indeed, the University of Newcastle used such software to test electronic cash in the early days. The casino was closed under threat of prosecution by the NSW Police even though the digital coins were not "real" at the time.

An Australian could establish a computer in a foreign country that either openly or clandestinely permitted casinos or pornography. Payment for services could be by digital coin.

If the income from the enterprise is in ordinary cash, then the problem of converting to electronic cash seems no simpler than the usual money laundering problem. There must be a transaction that exchanges the "real" cash for the electronic cash. This transaction must go through an issuer of electronic money. It is no more or less difficult to detect than the usual money laundering transaction.

This suggests again that in the short term the impact of computer money will be minimal.

2.4. Money supply

Computer money has the potential to increase the money supply. There may be a long term risk that central banks could lose control. In the short to medium term, however, the risk seems so small as to be insignificant. As noted above, the scope for computer money to replace currency is not large in the short term.

It should also be noted that many forms of computer money will not have any effect on the money supply. The "digital coin" style of money is merely transferring one form of bank liability to another. The "smart card" form of computer money could increase the money supply since both the issuing bank and the card holder have the use of the money. [See Froomkin, "The Unintended Consequences of E-Cash", Computers, Freedom & Privacy Conference (CFP"97), Burlingame, California, USA, March 12, 1997; available on the Internet at http://www.law.miami.edu/~froomkin/articles/cfp97.htm ]

2.5. Insolvency of issuers

The insolvency of a computer money issuer may have consumer protection ramifications. It may also have consequences for the payment system as a whole.

Computer money, whether in the form of a digital coin or a smart card, represents a liability of the issuer in favour of the holder. [See Tyree, Digital Cash, Butterworths, 1997; Tyree, "Computer Money - Legal issues," Proceedings of the First Australia Computer Money Day (1996) ] The holder is in the position of an unsecured creditor. In the event of insolvency, the remedy of the coin or card holder is to prove in the bankruptcy or liquidation. The same is true, of course, of account holders with a bank. This is a major (although not the only) reason that deposit taking institutions in most parts of the world are subject to prudential regulation.

The consumer risk is real, but there are considerations that suggest that it may not be serious. In the case of digital coins, the holder of the coin has simply traded one unsecured debt for another, so the consumer position is not changed. In the event that digital coins may be purchased "over the counter" or in some similar way, the risk is small since the life of a digital coin may be kept short.

In the case of smart cards, the risk will be directly proportional to the amount stored on the card and the time that the card is held. Consumers should be advised to restrict the amount carried on the card if there is serious concern.

Whether there is a risk to the payment system as a whole will depend upon the organisation and structure of the computer money issuers. If the computer money is in a form which requires clearing, then the risk to the system will depend upon the effectiveness of netting arrangements and the overall amounts of computer money in circulation. [As to the effectiveness of netting arrangements, see Tyree, "Legal Aspects of Electronic Clearing and Settlement" in Banking Law and Practice, Proceedings of the 13th Annual Conference of the Banking Law Association, Surfers Paradise, 30 May 1996. ] Since the amount in circulation is likely to be small in the short to medium term, the risk is also small.

2.6. Privacy

Privacy risks are of two kinds: that there will not be enough and that there will be too much. Privacy advocates argue that smart cards can be misused to expand the data collected on individuals. [See Privacy Committee of New South Wales, Smart Cards - Big Brother"s Little Helpers, Privacy Committee of New South Wales, Syndey (August 1995) ] They further argue that once collected, the data will be used and misused. Collection of data related to spending habits is a powerful, perhaps the most powerful, surveillance technique.

In my opinion, the privacy risk is real. Current smart card technology produces "linkable" transactions. It is unclear how much information is kept on each transaction or how long the information is held.

The other form of privacy risk is that computer money provides too much privacy. [See Tyree, Digital Cash, Butterworths, 1997. ] Law enforcement agencies generally have little sympathy with privacy advocates, adhering to the view that honest people have nothing to hide.

This debate is not just about anonymous computer money, but rather about the right of the citizen to use strong cryptography. [See May, "Untraceable Digital Cash, Information Markets, and BlackNet", Computers, Freedom & Privacy Conference (CFP"97), Burlingame, California, USA ] There seems little doubt that terrorists, pornographers, money launderers and drug dealers will use strong cryptography as a means of pursuing their evil interests. The question is whether that use justifies the prohibition or regulation of strong cryptography.

The full scope of the debate is beyond the limits of this paper, but I will make a few comments later about possible regulation.

3. What can be regulated?

Assuming that we consider some or all of these risks serious enough to require regulation, what precisely should be regulated? There are really only two possibilities. We can regulated institutions or we can regulate transactions.

There have been suggestions for both forms of regulation. The Working Group on European Union Payment Systems has recommended that only "credit institutions" be permitted to issue smart cards. [Working Group on EU Payment Systems, Report to the Council of the European Monetary Institute on Prepaid Cards, European Monetary Institute, Frankfurt am Main (May 1994) ] This requires the issuing institution to conform with the prudential requirements of the central bank or other supervising authority.

Regulation of transactions has also been suggested. So, for example, it has been suggested that fully anonymous payment systems be prohibited, that smart cards be regulated to contain, or not to contain, certain information and be restricted to values below some ceiling.

It shouldn"t be necessary to point out that these two generic forms of regulation are not mutually exclusive, but I will point it out anyway. As an example, if we are concerned about the use of strong cryptography we might regulate transactions, decreeing that no ordinary citizen may use cryptography beyond a certain strength. At the same time, we might regulate institutions, decreeing that software providers must be licenced to be able to sell cryptographic software.

It is obvious that "decreeing" something does not necessarily make it happen, nor does regulation necessarily have the effect that we expect or desire. More on that later.

4. What tools are available?

"Regulation" is a very broad concept. If we wish to regulate either institutions or transactions there are several tools available. these tools may be broadly classed as self-regulation, co-regulation and legislation.

4.1. Self-regulation

Self-regulation is the darling of industry. Sometimes it works and sometimes it doesn"t. In my opinion, self-regulation has not been too successful in the banking/finance industry. As an example, in the early days of electronic funds transfer the cry from the industry was that competition and self-regulation would protect consumers, that regulation was unnecessary and would stifle the industry. The unfortunate result was disgraceful clauses (such as the conclusive evidence clause) in the conditions of use for EFT.

It is often suggested that self-regulation has worked in the case of the cheque payment system. Banks, after all, do not have onerous clauses in their contracts for the operation of current accounts. In my opinion, this argument is fallacious. The reason that the customer has so many rights is the result of years of common law decisions. These decisions have also made it extremely difficult to change the banker/customer relationship in a subtle matter. Banks are simply afraid that they will lose custom if they attempt to impose harsh conditions. This can be dressed up as a triumph of competition and self-regulation, but in truth is the result of being left with no easy method of changing the rules.

Another example of the weakness of self-regulation may be seen in the Code of Banking Practice and the related Codes promulgated by the Building Societies and Credit Unions. The final version of the Code is wholly a product of the Australian Bankers Association. Frustrated with consultation and "interference" from consumer interests, the Code was presented as a fait accompli by the ABA. The previous Labour government, eager to have a code (any code) endorsed the Code.

In a number of circumstances the Code attempts to weaken the common law rights of the customer. [For some examples, see Tyree, "Banking Code Losers," Journal of Banking and Finance Law and Practice, 6, pp. 49 - 51 (1995); the Codes are also woefully inadequate in their treatment of privacy: see Tyree, Digital Cash, Butterworths, 1997 ] The institutions claim the right to modify the Code without consultation. Some even attempt to make modifications surreptitiously such as the following clause in a credit card contract:

"If the Code of Banking Practice applies, then if there is any inconsistency between this contract and any provision of the Code of Banking Practice, then this contract applies to the extent of any inconsistency."

4.2. Co-regulation

Co-regulation attempts to provide the perceived benefits of self-regulation while incorporating the broader interests usually associated with the legislative process.

An example of successful co-regulation is the Electronic Funds Transfer Code of Conduct. This Code was established by real consultation with Government, Consumer advocates and the institutions. It is fair to say that the institutions agreed to the Code after being made "an offer they could not refuse", that legislation would inevitably follow if no Code could be established. [For a fuller discussion, see Tyree, Banking Law in Australia, Butterworths, 1995. ]

Co-regulation is also proposed as a model for a new Privacy Act. In this model, the Act would establish "information privacy principles" which would then be implemented by Codes established by the various industries. [The proposal is modeled on the New Zealand Act; see Tyree, Digital Cash, Butterworths, 1997; and see the discussion paper released by the Attorney General on 12 September, 1996, "Privacy Protection in the Private Sector". ] Industry is not given a free hand here. The Act will require that consultation take place with other parties and that the Code be approved by a Privacy Commissioner. When approved, the Code becomes enforceable.

This approach is particularly appropriate where, as with the privacy issue, broad principles must be reduced to hard specifications. The way in which a principle applies to a shoe manufacturer might indeed be different from the way in which it applies to a credit card issuer.

4.3. Legislation

Legislation is the "hard law" route to regulation. There is usually, although not always, a wide range of interests heard before legislation is passed. It is an open process. On the negative side, the process is slow and cumbersome. Reform is difficult, some would say impossible. This makes legislation a poor choice for regulation where the environment is rapidly changing or where the regulatory framework is poorly understood.

5. What are the limits?

Regulating is easy. Regulating to achieve the results that we wish to achieve is very difficult. There are two separate problems. The first is that while we can regulate Australian institutions and transactions, we may have difficulty doing that without introducing unpleasant side effects. The second problem is that the systems that we are attempting to regulate have little respect for national boundaries. How, if at all, can we hope to regulate computer money if it is possible for anyone with a computer to become an issuer.

First, the problem of side effects. If we can agree on a regulatory structure, then there is little doubt that there will be broad compliance by institutions and individuals within Australia. This compliance might be encouraged by direct monetary penalties, but it is not usually necessary to do this. There are informal, and usually effective, pressures to conform.

As mentioned, however, the problem is to avoid unpleasant side effects. Business operators usually think of these undesirable side effects in terms of "competition" but market distortions are not the only possible unsatisfactory results.

Let"s take an example. There will be substantial pressures to ensure that computer money can be traced if the "need" arises. There are powerful interest groups that believe that it is necessary in the interests of law enforcement. After all, it will be argued, not even cash is fully anonymous since it is necessary to handle it, leaving fingerprints or other traces, and it is usually necessary to hand it over in person. Untraceable, unlinkable computer money transactions are more anonymous than cash.

So, in my opinion, it is likely that some form of regulation will ensure that transactions may be traced. As far as I know, this has no market distortion side effects. However, a computer money payment is indistinguishable from any other communication. It seems impossible to have a ban on anonymous payments without also banning other anonymous communications. Do we want to ban anonymous communication? Maybe we do, maybe we don't. We have not discussed the risks or the benefits. Banning anonymous, unlinkable computer money payments necessarily has the effect of banning anonymous unlinkable communications of any kind but without any discussion of the desirability of so doing. [For a fuller discussion of anonymous communications, see May, "Untraceable Digital Cash, Information Markets, and BlackNet", Computers, Freedom & Privacy Conference (CFP"97), Burlingame, California, USA; Froomkin, "The Unintended Consequences of E-Cash", Computers, Freedom & Privacy Conference (CFP"97), Burlingame, California, USA ]

The other problem, the international character of computer money, is even less tractable. The technical requirements for establishing an Internet bank are ridiculously low. I know any number of bright secondary school kids that could do it. The commercial problem is more difficult since issuing computer money is about as useful as issuing any other form of promissory note. An issuer would need to establish credit and trust in order for the computer money to have value.

If, however, there is a sufficient demand for untraceable, unlinkable computer money, there is little that Australian regulation can do to prevent it. About the only way that I can think of is to ban Australian residents from using such a facility. Since, as noted above, a computer money payment is indistinguishable from any other encoded communication, enforcement would require banning encrypted communication. Do we really want to do that? And how would we enforce such a regulation if we did wish to do it?

6. International co-operation

These considerations lead us inexorably to the conclusion that international cooperation is required if there is to be effective regulation of computer money.

Obtaining international agreement on the form and content of regulation will certainly be slow and difficult, but perhaps not impossible. Only a few years ago it would have been thought difficult to obtain international agreement on access to bank records, yet there are very few jurisdictions now that have absolute, or even near absolute, bank secrecy laws.

But there are some, and that is the catch. If there is money to be made from it, we can be certain that some small countries will establish "computer money havens", just as they have established tax havens and bank havens. The difference, of course, is that it requires some effort and organisation to use the facilities of a "real" bank but it is extremely easy for anyone in the world to use the facilities of the virtual bank.

7. Summary

This paper has presented both good news and bad news. The good news is that, in my opinion, little regulation of computer money will be necessary in the short to medium term. The regulation that is necessary, privacy and consumer protection, is not specific to computer money so that we have some hope of doing it reasonably well.

The bad news is that we will probably attempt to regulate transaction forms. Since we have relatively little experience with the forms or with this type of regulation, we will probably do it badly. The further bad news is that even if we do it well, it is unlikely to be effective because of the very nature of computer money.

March, 1997