The digital bookkeeping technology known as "blockchain" can reduce the cost of regulatory compliance in the financial industry, but also exposes banks to a greater risk of being hacked, the EU's cybersecurity agency says in a report.
The paper suggests that blockchain, which is designed to reduce fraud, could help automate regulatory compliance, cut the human resources needed to carry out transactions and conduct internal monitoring.
But the European Network and Information Security Agency, which produced the report, also expresses concerns that while the basics of securely implementing a blockchain system are known, new security challenges are starting to appear.
Blockchain is a bookkeeping system that keeps a copy of the ledger on the servers of all the parties involved in a particular transaction. This is meant to ensure that no single party can carry out fraudulent transactions.
The technology is best known for forming the basis of the virtual currency Bitcoin, but also has the potential to improve transactions of all kinds, from regulation to keeping tabs on copyright licenses.
Enisa's report takes the form of a security checklist for EU companies, to ensure they don't leave themselves vulnerable to hackers. Among the suggested safeguards is the encryption of information and the secure storage of "keys" used to access the ledgers.
The adoption of the technology, according to the report, could help cut the cost banks face to comply with regulatory obligations introduced in the wake of the financial crisis, which began in 2008.
Some lenders spend upwards of $4 billion per year to comply with these rules, the paper says, citing economic consultancy Accenture.
But Enisa warns of emerging security threats, including "consensus hijacking" — a threat to the technology's consensus-based validation system — and difficulties in the management of "smart contracts," the basic piece of software allowing a transaction to be initiated, verified and settled.
The report also notes that because blockchain is designed to allow all parties to see the ledger, people can also inspect the transaction history of other people, which carries a privacy risk.
In an EU context, the technology will also have to grapple with privacy laws designed to allow a piece of online information to be "forgotten," whereas blockchains cannot be altered, by their very design.
"It would be difficult to prove that all data has been deleted" from all the people that keep a copy of the ledger, the paper points out.
As with any software, it is also possible that the blockchain's code may itself contain vulnerabilities that hackers can exploit, but that might not be known to the people using the technology.
One academic studying blockchains found that "large numbers of template contracts available on the web for the Ethereum scripting system contained significant vulnerabilities to their operation," the paper says.
"Consensus hijack" is a threat linked to the distributed nature of the blockchain, which validates a transaction through a majority of the parties agreeing that the transaction has taken place. This means that a given party can't introduce a fraudulent transaction on its own, because it won't be recorded on the other ledgers.
But one party using the blockchain could persuade a majority of the other participants that a false transaction has taken place — something known as a "51 percent attack."
This risk is not about traditional ways of persuading people, but a digital equivalent, linked to the amount of computing power a participant has. Anyone with enough data-crunching power can extend the chain faster than the rest of the distributed-ledger network, in effect overwhelming the system.
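To make the "computing power" argument above concrete, here is an added example (not from the Enisa report or this article) that uses Nakamoto's catch-up formula from the original Bitcoin paper to compute how likely a participant controlling a given share of the network's hashing power is to overtake the honest chain, and how many confirmations a bank would have to wait for to keep that risk below a chosen threshold. The 0.1% risk threshold and the function names are my own choices.

```python
import math
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the network's hashing
    power eventually overtakes the honest chain after starting z blocks behind.
    This is the formula from Nakamoto's 2008 paper, section 11."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hashing-power fraction in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative number of blocks")
    p = 1.0 - q                     # honest share of hashing power
    if q >= p:
        return 1.0                  # majority always wins: the '51 percent attack'
    lam = z * q / p                 # expected attacker progress while honest side makes z blocks
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float = 0.001,
                         limit: int = 1000) -> Optional[int]:
    """Smallest confirmation depth z at which the catch-up risk drops below
    max_risk, or None if no depth is safe (attacker has a majority)."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed scenarios: honest majority vs. a minority and a majority attacker.
    for share in (0.10, 0.30, 0.51):
        depth = confirmations_needed(share)
        print(f"attacker share {share:.0%}: wait for {depth} confirmations"
              if depth is not None else
              f"attacker share {share:.0%}: no confirmation depth is safe")
```

With a 10% attacker a bank can reach the 0.1% risk level after 5 confirmations, a 30% attacker pushes that to 24, and once the attacker reaches 50% no waiting period helps, which is exactly the threshold the article's "51 percent attack" refers to.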
The Enisa report lists several specific ways blockchain can be used in the financial industry.
For example, changes to regulation could be directly coded into the blockchain, meaning that new restrictions and other rules on how transactions take place could be automatically implemented throughout an institution.
This could "automatically restrict new transactions that cause an institution's balance sheet to exceed risk-management parameters issued by the regulators" to which the company reports, the report says.
The added verification of a blockchain could also help banks settle transactions with parties they don't trust, according to the paper, which goes on to warn that the technology "must not be seen as a replacement to financial institutions for the operation of the financial system."
"It is a technological tool, which can be used by parties such as major financial institutions and regulators to share information and transact more easily while maintaining control over their information," the Enisa report says.