Blockchain Analytics, RegTech & Information-Sharing Utilities *(OUTLINE + BULLET BODY)*

Here's a paradox criminals learned the hard way. The public blockchain that was supposed to make crypto anonymous is actually a permanent, public ledger of every transaction ever made — and once an investigator links one wallet to a real identity, the whole money trail can light up. That's the power, and the limit, of blockchain analytics. By the end of this lecture, you'll understand how that tracing works, where the broader RegTech toolkit fits, and how information-sharing utilities like 314(b) let institutions see what no single bank can see alone — along with the legal limits on all three.

- A **blockchain** is a **public, immutable, distributed ledger** — on public chains like Bitcoin and Ethereum, **every transaction is permanently visible** to anyone, identified by **pseudonymous wallet addresses** rather than names. - **Pseudonymous ≠ anonymous.** Blockchain analytics tools exploit exactly this: they trace the flow of funds across addresses and try to **attribute** addresses to real-world entities (exchanges, VASPs, darknet markets, sanctioned wallets, ransomware actors). - Core techniques: **clustering / common-spend heuristics** (group addresses likely controlled by one entity), **attribution** (label clusters using known on/off-ramp data), and **tracing** funds through hops to a **VASP off-ramp** where KYC identity can be obtained. - Use cases: investigating illicit flows, screening counterparties against **sanctioned wallet addresses** (OFAC now lists specific crypto addresses on the SDN List), and **on/off-ramp risk** scoring — the chokepoints where crypto meets the regulated financial system. - **Limits:** **mixers/tumblers, privacy coins** (e.g., Monero), **chain-hopping** across many blockchains, **cross-chain bridges**, and **DeFi** protocols deliberately break or obscure the trail. Attribution is **probabilistic**, not certain — heuristics can mislabel, and analytics is an **investigative lead**, not proof. (Domain 6 goes deeper on crypto typologies.)

- **RegTech** = **regulatory technology** — software that helps institutions meet AML/compliance obligations **more efficiently and effectively** (automation, analytics, and data tools applied to compliance). - Typical RegTech functions: **digital identity / KYC onboarding**, automated **screening**, **transaction monitoring**, regulatory **reporting**, **risk assessment**, and case management — often delivered cloud-based and via APIs. - **Benefits:** lower cost and manual effort, faster onboarding, better detection, consistency, and scalability. FATF and FinCEN actively **encourage responsible innovation** (e.g., the 2018 interagency statement encouraging innovative AML approaches). - **Limits & cautions:** RegTech does **not transfer the legal responsibility** — the institution remains accountable. Risks include **vendor/third-party and concentration risk**, **integration and data-quality** challenges, **model risk** (same SR 11-7 obligations), and **over-reliance** on tools without human judgment.

- A single institution sees only **its own slice** of a customer's activity. Information-sharing lets institutions and government **combine views** to detect networks that cross firms. - **USA PATRIOT Act §314(b)** — **voluntary** information sharing **between financial institutions** to identify and report potential ML/TF. It provides a **safe harbor from liability** for sharing, *provided* the institution **registers/notifies FinCEN annually** and shares only for the permitted AML/CFT purpose. - **USA PATRIOT Act §314(a)** — **government-to-institution**: law enforcement, via FinCEN, sends institutions **lists of subjects** under investigation; institutions **search records** and report matches. (314(a) = government asks; 314(b) = institutions share with each other — a classic exam contrast we'll revisit in Domain 5.) - **Public-private partnerships (PPPs)** — structured collaboration between **FIUs/law enforcement and the private sector** to share **typologies, red flags, and strategic intelligence** (FATF endorses PPPs as an effective-AML mechanism). Examples internationally include the UK's JMLIT model. - **Information-sharing utilities / consortia** — shared platforms where institutions pool **KYC data or screening intelligence** to reduce duplication and surface cross-institution risk.

- **Benefits across the board:** broader visibility, network-level detection, reduced duplication, and faster, more efficient compliance. - **Privacy & data-protection limits:** sharing is bounded by **data-protection law** (e.g., GDPR in the EU) and by the **statutory purpose** — §314(b) sharing must be **for AML/CFT purposes only**, not general commercial use. - **Tipping-off still applies:** information sharing does **not** override SAR confidentiality — institutions may share underlying facts under §314(b) but must **not** disclose that a SAR has been filed. - **Accountability isn't outsourced:** utilities and RegTech **assist** compliance; the institution **retains** its legal obligations, and shared intelligence still requires the institution's own **investigation and decision-making**.

So three tools, three sets of limits. Blockchain analytics turns crypto's public ledger against the criminal — clustering and attribution trace funds to an off-ramp where identity lives — but mixers, privacy coins, and DeFi fight back, and attribution is a lead, not proof. RegTech automates the compliance stack and regulators encourage it, but it never transfers the legal responsibility and it carries vendor and model risk. And information-sharing — §314(b) between institutions with its safe harbor, §314(a) from the government, and public-private partnerships — lets the industry see the networks no single bank can, bounded always by privacy law, the AML-only purpose, and the tipping-off rule. That closes Domain 4. Next, we step into Domain 5 and follow a case from the moment an alert lands to the moment it's escalated — the investigation lifecycle.