By The Editor
BAR: How would you describe blockchain?
AL: I would describe a blockchain as a joined-up database that can track the movement of digital assets between businesses. This has implications for all industries, especially those where businesses manage a lot of assets, whether they are financial assets such as shares, equities and invoices, or documents that should be unique, non-counterfeitable and whose provenance is important, such as certificates of origin.
Blockchain platforms can provide guarantees about the origin and evolution of unique digital assets, without needing a central database or database manager. Cryptographic techniques such as hashes and digital signatures provide mathematical guarantees about the provenance of these digital assets. Different techniques are used to ensure that there is no double spending or replication of these unique assets. These assets no longer have to be held in a centralised trusted database managed by a single trusted company; instead they can be passed from party to party just like a physical asset.
BAR: Please tell us about the GDPR implications of blockchain in finance?
AL: When people talk about blockchains, they’re actually talking about a very diverse set of technologies and not all blockchain platforms are architected the same way. Some share data indiscriminately, others don’t. Certain data should not be broadcast widely without the data subject’s consent, especially data containing personally identifiable information (PII). Obviously, if you put PII on a database that is shared with many entities then you are likely to be violating regulations such as GDPR, especially if that data is regarding European human subjects.
BAR: How does R3’s Corda work around this problem?
AL: Unlike other technologies that fall under the blockchain umbrella, R3’s Corda doesn’t broadcast all data to all parties. Corda uses blockchain principles such as digital signatures and chains of provenance, which enables parties on a Corda network to communicate with each other in a standardised way, and pass digital assets, guaranteed unique, between each other. But Corda’s differentiator is that data is only sent between parties who need to know – usually the sender and receiver of an asset, and sometimes third parties such as supervisory bodies.
This means that it is easy to build GDPR compliant solutions with Corda without workarounds, unlike some other platforms where any data is broadcast to all parties indiscriminately.
R3 has over 15 of the world’s largest law firms collaborating in a legal centre of excellence, ensuring that Corda is fully compliant with regional regulations.
BAR: Is it true that permissioned blockchains do not need to comply with GDPR?
AL: I can’t speak for other blockchains but everybody has to comply with the law. You cannot just use the word “blockchain” or “permissioned” and ignore GDPR compliance. There are international, regional, and national regulations that relate to GDPR, so it is something that everybody has to think hard about. As blockchain solutions move from technical feasibility studies (proofs of concept) towards production, you may start to see certain legal and regulatory obstacles. We had a sort of head start by considering these challenges up front in our legal centre of excellence as we designed Corda.
BAR: Is it possible to store information off-chain so to speak?
AL: Yes. Off-chain simply means “not on a shared ledger”. If some data is stored off-chain, it means it’s on a server within your IT estate, and that data is not shared. But then if lots of data is being stored off-chain in order to work around data-sharing issues, we do have to ask whether this is really a proper use case for blockchain. It depends on the architecture of your blockchain platform. I said earlier that Corda doesn’t share data with everybody, so on Corda you can have the best of both worlds – data shared, with consent, to a narrow group of participants.
BAR: Is R3’s Corda for everybody?
AL: Different businesses probably want different technologies for different uses. Corda was built to meet the requirements of financial institutions. But since we open-sourced the software, we have found that other industries have been making use of it. The beauty of open source software is that anyone can use it to build different applications on it. It turns out that even though Corda was built with the financial industry in mind, it has broad applicability.
BAR: How secure is blockchain in general?
AL: This really depends on what you mean by “secure”. In some ways, systems that rely heavily on cryptography are more secure than traditional databases. Use of hashes and digital signatures ensures that data tampering can be easily detected. However, public blockchains, and those that share data widely, are more susceptible to data leakages as the surface area of attack is larger. This is why we specially built Corda to not broadcast all data to all parties.
BAR: What are some of the use cases on Corda so far?
AL: While R3 builds Corda, it is our partners who build the use-case applications. Some interesting production applications are: tokenised physical gold speeding up trading and settlement; tokenised baskets of high-quality liquid assets changing ownership within minutes. In trade finance, we have a pilot project with HSBC and ING that shortened the duration of the letter of credit from 10 days to under 24 hours.
BAR: What do you say to the Bank of International Settlement’s claim that the blockchain is not scalable?
AL: The BIS report talks about Bitcoin which is a public blockchain where all the data is broadcast to all parties, and all parties need to periodically synchronise their ledgers. This is very different from what we are doing with Corda, as Corda does not use a replicated ledger of all transactions that needs to be synchronised. So the throughput on Corda is much higher.
BAR: You are working on central bank digital currencies?
AL: We are also exploring the concept of wholesale digital cash with central banks of Canada, Singapore, Hong Kong and Thailand. I want to be clear that at this stage we are talking about sovereign digital currency – money issued by the central bank – but not to be held by the person on the street. It is a wholesale token for banks to pay other banks. The beauty and the benefit of this is that banks can easily create transactions containing the movement of money along with the movement of another asset such as a share, also recorded on the blockchain platform. Instead of having to reconcile multiple sets of debits and credits, the transaction is recorded as one single transaction on the platform. By recording business transactions once and only once, without the need to reconcile and trace assets across multiple ledgers, you can reduce a lot of operational inefficiencies and risks.
BAR: How can blockchain solve the KYC problem?
AL: You certainly don’t want to put personally identifiable information on a blockchain and broadcast it to the whole world in public because you would probably be violating all sorts of rules. But what you can do is that you can standardise the information into well-recognised machine-readable formats. You can keep the data on your servers, off-chain, and you can send permission tokens on-chain to allow specific banks and specific parties to access the data on demand. When the customer approves, the KYC data can be sent directly to the requesting organisation with the customer’s consent. Because it is standardized and machine-readable, it is easier for the banks to consume without having to leaf through physical documents.
The on-chain tokens would usually represent some form of time-bound permission to allow people to access the data. That’s what travels on the blockchain. So, it’s a digitization and standardisation story that is enabled by blockchain technology.
BAR: This is about KYC not AML?
AL: With anti-money laundering we are moving away from establishing identity and towards source of customer funds and suspicious trading patterns. One thing you can do is that you can plug in a regulator’s node that has access to transaction data. Regulated entities can share transaction data with supervisors in real time.
BAR: Thank you, Antony. Where can readers learn more?
AL: We have seen a massive increase in interest in Corda with the launch of Corda Enterprise, a production-grade deployment of Corda that is compatible with the open source version. Financial institutions, corporates, application developers, systems integrators and law firms interested in learning more about R3 or Corda can visit R3’s website r3.com and request to be contacted.
Antony Lewis is Director of Research at R3, based in Singapore. He is the author of The Basics of Bitcoins and Blockchains, an essential guide written in plain English for anyone who needs to learn about cryptocurrencies, ICOs, and business blockchains. Antony writes a personal blog at www.bitsonblocks.net