What happens when a 96 bitcoin ransom payment ends up on Bitfinex?

"Hello, to get your data back you have to pay for the decryption tool, the price is $1,200,000... You have to make the payment in Bitcoins."

This is a snippet from a recent court case concerning ransomware that just crossed my desk. Companies that fall victim to ransom attacks fear the publicity it might attract, so the details of these attacks are usually swept under the table. But in this case, the ransom payer—a British insurer that traced the bitcoins to Bitfinex, a major bitcoin exchange—has appealed to the UK High Court for an injunction, thus providing us with a vivid peak into the inner workings of an actual attack.

Ransomware is a big issue these days. A hacker maliciously installs software on a victim's computers, encrypts various files, and then asks for a bitcoin ransom to fix the problem.

It's the bitcoin leg of this transaction that has made these attacks economical. Prior to bitcoin, running an illicit business based on ransom payments was fraught. Bank accounts leave a paper trail. Cash, though anonymous, can't be transferred remotely. And gift cards are limited to small amounts. With bitcoin, hackers finally gained access to a form of electronic cash that allowed them to not only make remote ransom demands, but large ones too.

A steady parade of ransomware has since emerged. While early types of ransomware like WannaCry, CryptoLocker, and Locky targeted personal computers for small amounts of money, the most recent strains—Maze, Sodinokobi, Nemty, and others—attack governments and enterprises for million dollar amounts. The Nunavut government, a territory in Northern Canada, was a recent victim:

The Nunavut government was crippled by bitcoin ransomware DoppelPaymer on November 2, leaving thousands reliant on food vouchers well into December. https://t.co/gbpzCzc3aO

— John Paul Koning (@jp_koning) December 8, 2019

One thing I've never really understood is why ransomware can be so widespread given that all bitcoin transactions are written to the public blockchain. I mean, can't a bitcoin ransom payment be easily tracked to its final destination, say a bitcoin exchange, and frozen?

The court case in question, AA v Persons Unknown & Others, Re Bitcoin, provides some insights into just that. Although the judge heard the case back on December 13, 2019, the text of the injunction was only released a few days ago.

It makes for entertaining reading. Here's a short timeline:

• In Autumn 2019, a Canadian company was hacked. The hacker installed BitPaymer, a strain of ransomware, which encrypted the company's files
• The hacker demanded $1.2 million in bitcoins
• Luckily, the Canadian company had cyber crime attack insurance with a British insurer
• The British insurance company hired an "Incident Response Company" to pay the ransom
• The response company negotiated for a reduction in ransom to $905,000
• The bitcoins were acquired and sent to the hacker on October 10, 2019. According to the injunction, the purchase of the 109.25 coins was conducted by "an agent of the Insurer, who was referred to as JJ."
• Having receive the ransom, the hacker provided the fix. The files were successfully decrypted
• The insurance company wanted its money back, so in December it hired a blockchain analytics company, Chainalysis, to trace the ransom payment
• Chainalysis tracked 96 of bitcoins to an address linked to Bitfinex, a major bitcoin exchange
• The insurer then went to British High Court to force Bitfinex to reveal the identity of "PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN" and to freeze the 96 bitcoins.

So were the 96 bitcoins returned to the insurer?

For now, we don't know the final outcome. The document only brings us up to December 13, 2019, when the judge gave Bitfinex till December 19 to provide the names of “persons unknown”, the owner of the 96 bitcoins. To prevent "persons unknown" from getting wind of the proceedings and fleeing with their coins, the hearing was held in private and the text of the case suppressed. The document having been made public, we can assume that some sort of resolution was arrived at.

It's interesting to speculate what this resolution might have been. Bitcoin is still a relatively new, and thus largely undefined, phenomenon. As bitcoin cases slowly trickle into the court system, the decisions made by judges will be important in determining the eventual legal status of cryptocurrencies.

It could be that "persons unknown" is the same individual who perpetrated the initial ransom attack, and they just haven't yet sold the 96 bitcoins yet. In which case the conclusion is simple: the guilty party will be prosecuted and Bitfinex will return the bitcoins.

But it is more interesting (and more likely) that "persons unknown" is a third-party (say an over-the-counter broker) who bought the bitcoins from the hacker, and deposited them at Bitfinex, and hasn't sold them yet.

This third-party could be entirely innocent about the origin of the coins. They might try to say to the judge: "hey—we didn't know the 96 bitcoins we bought were linked to ransom payments. We shouldn't have to give them back."

But that's not how property law works. Even if you accidentally come into possession of stolen property—and surely ransomed bitcoins qualify as stolen—then a judge can still force you to give them back to the rightful owner. This would be bad news for the innocent broker. Being obliged to cough up 96 bitcoins could easily bankrupt it.

"Persons unknown" might respond to the injunction by pleading that the 96 bitcoins are a form of money, like banknotes, and so they needn't be returned. Banknotes, coins, and other highly-liquid paper instruments have a very special legal status. If you unknowingly accept some banknotes from someone who just obtained them illegally (say via ransom or theft), the law can't compel you to give those banknotes back to the original victim. Money, as the great British jurist Lord Mansfield once declared, isn't like regular property: it "can not be recovered after it has passed into currency."

This special legal status (which I’ve written about before) was granted to banknotes centuries ago in order to ensure that these early forms of money remained highly liquid. If every merchant had to verify that the notes they were about to receive weren't stolen, the wheels of trade would have ground to a halt. Whether a modern judge would be willing to extend this sanctuary to cryptocurrency, and thus allow “persons unknown” to keep the 96 coins, remains to be seen. But I’m skeptical.

Another possibility is that the person (or company) that innocently accepted the 96 ransomed bitcoins and deposited them on Bitfinex has already sold them. If so, which party does the British insurance company have to pursue? Some entity (or group of entities) must now be in possession of the 96 bitcoins, right? Can’t the insurer just go after the next person down the chain?

I don't know the specifics about how an exchange like Bitfinex hold bitcoins for clients, but it may be very difficult to pinpoint who actually has title to those specific 96 bitcoins. When bitcoins are deposited at an exchange, they are sent to the exchange's hot wallet along with all other incoming bitcoin deposits. So the ransomed bitcoins would have been commingled with a bunch of clean bitcoins.

When the person who originally deposited the 96 bitcoins on Bitfinex put in an order to sell on the exchange's order book, the unsuspecting buyers (all of them Bitfinex customers) would now have a claim on various bitcoins held in Bitfinex's hot wallet. Are the bitcoins on which they have a claim necessarily the ransomed ones, and thus subject to the injunction? Or do the buyers just have a general claim on any random bitcoin held on their behalf by Bitfinex? If so, would that mean that Bitfinex itself is on the hook for paying the insurer 96 bitcoins?

Anyways, you can see how this all gets complicated very fast. A lot is riding on how thoroughly the history of unspent bitcoin outputs can be traced.

Given bitcoin traceability and the ease of getting an injunction, one can imagine that it might make sense for insurers, bitcoin exchanges, and over-the-counter traders to build some sort of private "ransom registry". The moment that an insurer pays a ransom to a hacker, that insurer simultaneously announces the offending address to the registry. A verified OTC trading desk can now protect itself from potential bankruptcy by always checking the registry to make sure that any bitcoins offered to it are "good" bitcoins. Exchanges too would likewise cross-check incoming bitcoin deposits against the registry.

This would be good news for potential ransom victims. With the exits for ransom payments being choked off, these sorts of exploits would become less feasible. Extortionists may simply stop trying to run their schemes.

You could also imagine hackers coming up with strategies for dissuading victims from posting transactions to the ransom registry. "If you announce the ransom payment to the registry, we'll leak your files to the public," or something along those lines.

Or maybe extortionists will simply start to use bitcoin mixers more. Mixers are services that allow people to commingle their bitcoins in order to preserve anonymity. Astonishingly, most ransom payments don't currently go through mixing services. According to Chainalysis, the company that was hired by the British insurer, around half of the addresses to which ransom is paid redirect the bitcoins to an exchange.

But even if hackers did use mixers, bitcoin exchanges may be reticent to accept incoming deposits. Binance, for instance, recently refused to make a payout to Wasabi, a wallet that automatically mixes bitcoins. Should exchanges like Bitfinex all refuse to accept bitcoins that have been mixed, that chokes off the ability to extort people using bitcoin as ransom.

For now, we don't know how the defendant’s responded to the injunction. But in any case, it makes for interesting speculation.

Two notions of fungibility

A few centuries ago, lack of fungibility used to be a big weakness of monetary systems. But technological and legal developments eventually solved the problem. Nascent systems like bitcoin are finding that they must wrestle all over again with fungibility issues.

Fungibility exists when one member of a population of items is perfectly interchangeable with another. So for instance, because your grain of wheat can be swapped out with my grain without causing any sort of change to our relative status, we would say that wheat grains are fungible. Fungibility is a desirable property of a monetary system. If all monetary items are interchangeable, then trade can proceed relatively smoothly. If monetary items are not fungible, then sellers cannot accept the monetary item without pausing for a few moments to verify and assay it, and this imposes frictions on trade.   

In this post I argue that there are two ways for something to be fungible. They can be fungible for physical reasons or for legal reasons.

By physical fungibility, I mean that members of a group are objectively indistinguishable from each other. In the previous example, our wheat grains are physically fungible because a cursory inspection shows that they look, feel, and smell exactly the same. Now, a deeper analysis might reveal that the two grains are not in fact perfectly fungible. For instance, it may be the case that your grain of wheat is the hard red winter variety and mine is durum, in which case they are not substitutes, durum being better for making pasta. Or perhaps we each have durum grains, but yours enjoyed an excellent growing season—plenty of sun and sufficient rain—whereas mine isn't so healthy. And so your grains can produce more pasta per than mine. And thus they aren't exact substitutes.

We could even go down to the molecular level and determine that the grains are not perfectly equal and thus not quite interchangeable. But for commercial purposes, there is typically some sufficiently-deep level of analysis at which fungibility between types of wheat grains can be established by an experienced grain inspector and accepted by the market. 

Among commodities, gold and silver achieve a notably high level of physical fungibility. As long as a gram of gold is pure, it is perfectly exchangeable with any other gram of pure gold. Gold's fungibility doesn't necessarily carry over to gold coins, however. Earlier processes used to make coins, in particular hand striking, were not very effective at creating perfectly equal specimens. The edges of coins were often irregular, leaving coins vulnerable to clippers who would safely cut off some gold (or silver) without fear of being detected. Thanks to natural wear and tear, coins that had been in circulation for a few years would contain less precious metals than new coins. Both clipping and natural wear & tear meant that the metal content of coins was not uniform.

New technologies helped increase the physical fungibility of coins. For instance, reeded edges—those little lines on the edge of a coin—prevented people from clipping off bits without detection.  It was now obvious to the eye if someone had attacked the coin. Likewise, shifting from hand-hammered coinage to mechanical screw presses allowed for a more circular final product, one less susceptible to clippers (see comparison below). The invention of restraining collars—which prevented metal disks from shifting around while they were being stamped—also helped. With clipping much reduced, coins that had been in circulation for a while were more likely to be equal in weight to new ones.

These two photos compare hammered coins to milled ones (source)

In addition to physical improvements, an attempt was also made to buttress the fungibility of coins with laws. There are two types of laws that achieve this: legal tender and the so-called "currency rule." Legal tender laws required debtors and creditors to accept all coins deemed legal tender by the authorities at their stipulated face value. So even if two different shillings were not physically fungible--say one was clipped and worn and thus contained far less silver than the second newer one--those participating in trade were obligated to treat them as if they were perfectly interchangeable.

Legally-enforced fungibility was no panacea. In the absence of physical fungibility, the imposition of legal tender laws often had  perverse effects. If two coins were not exact physical substitutes because their metal content differed, but law required them to be treated as interchangeable tender, then the owner would always spend away the lighter one while hoarding the heavier one. Legal tender laws, after all, had artificially granted the "bad" coin the same purchasing power as the "good" coin. Thus the good money is chased out by the bad, which is known as Gresham's law.
 
The second set of rules that courts formulated in order to help fungibility, the currency rule, requires us to shift our attention to banknotes. Like coins, banknotes are not particularly fungible in the physical sense, but for a different reason. Banknotes have historically carried a unique identifier, a serial number—coins haven't. An owner of a banknote can carefully jot down the serial number of each note and, if it is stolen, use that number to help track it down.

In 1748, Hew Crawfurd did exactly this. Before sending two Bank of Scotland £20 notes by the mail, Crawfurd not only recorded their numbers but also signed the back of each one with his name, thus further breaking down their physical fungibility. When they went missing, Crawfurd was able to use this lack of fungibility to his advantage by advertising in the newspapers the numbers of the two stolen notes and the fact that they had been signed by him. One of the notes was eventually identified after it had been deposited at a competing bank, presumably long after the robber had spent it. The bank, however, refused to return the stolen property to Crawfurd.

In the resulting court case, the judge ruled in favor of the bank. Crawfurd would not have his stolen property returned to him. The court reasoned that if the note was returned to Crawfurd, then no merchant would ever risk accepting a banknote unless they knew its full history. This would damage the "currency" of money. After all, requiring merchants to pour through newspaper after newspaper to verify that no one was advertising a particular serial number as lost or stolen would be prohibitively expensive. Banknotes would be rendered useless, depriving the Scottish economy of much of its circulating medium. By allowing merchants to ignore the lack of physical fungibility of banknotes, i.e. the unique marks on each banknote, the court recreated fungibility by legal means. To this day, the currency rule that was first established in Scottish courts in the 18th century continues to apply to banknotes in most legal systems. (Kenneth's Reid's full account of this case is available here).

Bitcoin, a purported monetary system, is interesting because it: 1) lacks physically fungible and 2) is unlikely to ever be granted legally fungibility in the form of legal tender status or via an extension of the currency rule.

Bitcoin's lack of physical fungibility is more similar to that of banknotes than coins. It arises from the fact that all bitcoin transactions are publicly recorded. This means that it is possible to trace the history of a given bitcoin. If the token has been stolen, say in a highly-visible exchange hack, then said token may not be as valuable as a bitcoin that has a clean history. In theory, a forward-thinking actor will only accept a tainted coin at a discount because there is always a risk that the original owner will be able to reclaim his or her stolen property.

There seems little likelihood that the courts will solve bitcoin's lack of physical fungibility by fashioning a form of legal fungibility for it. The state will probably never be friendly enough toward bitcoin to grant it legal tender status. Nor do I think it is advisable that courts extend the currency rule to bitcoin by granting merchants the right to ignore the trail left by a given bitcoin, as they do with banknotes. As I pointed out here, to do so would violates the property rights of the original owner of the stolen objects. Only a select few instruments, those that have already proven themselves to be vital to facilitating society's trade, should be protected in this way.

With no legal route to establish fungibility, the only path remaining for bitcoin's architects is to go back to square one and try to improve the physical equivalency between bitcoins. One way they can do so is by anonymizing the blockchain. If transactions can no longer be traced, than clean and dirty bitcoins all look exactly the same. Full anonymity is easy to implement in new cryptocurrencies. Monero and Zcash, for instance, have gone this route.

In the case of a legacy cryptocurrencies like bitcoin, this functionality would have to be added on to its existing codebase. I have heard rumours that bitcoin developers like Adam Back and Greg Maxwell are working on developing code for anonymizing the bitcoin blockchain. But even if the technology is up to snuff, given the difficulties of achieving sufficient consensus for upgrading bitcoin, it remains to be seen if a fungibility-restoring technology could ever get off the ground.

In my view, the idea that bitcoin developers must try to achieve the same level of fungibility as coins and banknotes is misguided. Proponents of this idea are operating on the assumption that bitcoin is, like coins and banknotes, a payments medium or monetary system. But this is wrong. Whatever its original purpose might have been, bitcoin's first and foremost role is as a new type of gambling machine, a global and decentralized financial game. Like lotteries, casinos, and poker tournaments, and other types of zero-sum games, the main service that bitcoin provides its users is the fun of gambling and the allure of becoming very rich. If they want to benefit their users, Bitcoin developers should be working towards furthering its role as a gambling machine rather than mistakenly pursuing the dream of becoming the next monetary system.

People who play financial games such as lotteries benefit from the unique serial number on lottery tickets. If their tickets are stolen from them, this identifier may allow the original owner to get their ticket back. And that way they can still potentially win the big pot.

The same applies to bitcoin. Most people who hold bitcoins are doing so because they expect its price to hit $1 million. At least if their coins can be traced, a bitcoin owner who has been robbed may still have a chance to win that jackpot (and buy that Lamborghini they've been dreaming about). Removing the very feature that makes bitcoin non-fungible—and thus potentially traceable in the case of theft—would only do harm to the average bitcoin user. Anonymizing the bitcoin blockchain would make about as much sense as removing the serial numbers on lottery tickets.

Bitcoin's lack of fungibility isn't a bug, it's a nice feature.

Tainted money

In many parts of the world, cash held in ATMs or in cash-in-transit vehicles is protected by so-called intelligent banknote neutralization technology. When a thief tries to force the ATM open, plastic packs filled with dye explode, spraying both the thief and the banknotes. These notes have now been demarcated as stolen. A shopkeeper may refuse to accept marked notes or may only accept them at a large discount to their face value. At this point, cash has ceased to be fungible. One banknote is not a perfect substitute for another.

The dye used in banknote neutralization is often mixed with a taggant, a chemical marker that contains a unique combination of elements chosen from thirty or so rare earth metals. This ensures that a given block of cash is protected by a one-of-its-kind dye pack. So if the authorities apprehend the ink-stained thief with the marked cash, they can actually trace the stuff back to its original owner and return it. This incentivizes any would-be ATM thief to think twice.

Cash is normally fungible. Norway has an interesting way of keeping crooks from robbing ATMs. Exploding dye packs in the ATM stain the stolen notes. Now that they are no longer fungible, the notes are far less marketable. https://t.co/r29NOZXasI pic.twitter.com/0IRGbskur0

— JP Koning (@jp_koning) July 16, 2018

An analogy can be drawn to bitcoin. Each bitcoin's history is indelibly recorded on the bitcoin blockchain. So if a coin is reported stolen, it is theoretically possible for law authorities to see the movement of the stolen coin as it passes from owner to owner. Any buyer of bitcoins needs to be concerned with the possibility that they will be confronted by the authorities and obliged to return that coin to its original owner. This possibility could affect the fungibility of bitcoins. Coins with clean histories may trade at a premium to those without clean histories.

This similarity between tainted bitcoins and banknotes is only superficial, however. In most parts of the world accepting stolen bitcoins is far more risky than accepting stolen banknotes. Even if a seller does their best to make sure that a buyer's bitcoins aren't stolen, they could be legally obliged to return the bitcoins to their rightful owner if their analysis is wrong. The legal treatment of stolen banknotes is different. A seller can mistakenly accept stolen banknotes but as long as they have done so in good faith, they cannot be legally obliged to return them to their original owner.

Good faith means honestly. If a seller knows that the buyer is using stolen banknotes, then the seller would not be acting in good faith if they accepted those notes. If the seller has no knowledge about whether the notes have been stolen, then they are acting in good faith if they accept them. This state of mind is sometimes referred to as acting with a pure heart and an empty head.

The difference between bitcoins and banknotes is best illustrated by an example. Say I am holding a garage sale. A thief buys a knickknack from me using a stained $10 note. I am not familiar with intelligent banknote neutralization, so I do not know that the banknote has been stolen. I try to deposit the stained note at the bank and the bank notifies the police. Thanks to the taggant, it can be proven that the note was stolen from Bank X's ATM a few days before. Since I innocently accepted the note i.e. I did so in good faith, I am not obligated to give it up to Bank X. If, on the other hand, I knew about intelligent banknote neutralization, and this could be proven in court, then I would be obliged to give the note back. But it was an honest mistake, and so I am forgiven.

Continuing the example, say the thief bought another knickknack at my garage sale using bitcoins. Prior to accepting his bitcoins, I did a careful analysis of the blockchain to see if the coins had been stolen, but nothing turned up. It turns out my analysis was flawed. In actuality, the thief held-up a bitcoiner at gun point the night before and stole her bitcoins. Even though I did my very best to ensure they weren't stolen, I could be obliged by the law to give the bitcoins back to their original owner.   

The law is very forgiving towards users of banknotes. Sellers can be fairly uninformed, or objectively stupid if you will. They can make honest mistakes accepting banknotes. But an honest mistake with bitcoin could be very costly. With bitcoin, there is no protection for fools.

In the above example, bitcoins are treated by the law as regular property. When someone steals a piece of property, say a painting or a car or a piece of jewelry, and sells it, the law needs to determine which of two innocent parties gets to keep the property; the owner who was robbed or the buyer who innocently gave up something to the thief in return for the stolen property. For almost all types of property, including paintings and cars and jewelry (and bitcoin), the law usually favours the original property owner. Even though the new owner participated in the transaction in good faith, they must return the stolen goods. 

Banknotes have been granted special status by the law. They are one of the few types of stolen property that an innocent third party gets to keep. As a result of this exception, trade conducted with banknotes is far more fluid than trade conducted with other types of property. A seller who is offered a banknote doesn't have to worry about investigating that note's past history to verify that it was stolen. This greases the wheels of commerce. But it comes at a price. The property rights of the original owner have been thrown under the bus.

Should the exemption that has been granted to banknotes be extended to bitcoin? Probably not. Property rights are very important. If we trample on them at all, it should only be in certain situations where there is a very good reason for doing so. At the time that English courts originally granted the property exemption to banknotes they were already responsible for a large portion of England's commerce. This is still the case, with cash generally participating in for around half of the UK's retail payments.

Treat banknotes as regular property and people would have to take on the full risk of accepting stolen notes. This would put a significant damper on trade. Bitcoins are not used for buying and selling things at a retail level. When bitcoins pass from one hand to the other, it is almost always for speculative reasons, not mercantile ones. Given that the bar for removing the property rights of the original owner should be a high one, bitcoin probably doesn't clear the hurdle.

An homage to the cheque (or check)

The check used to buy Alaska (source)

I recently read an FP article about the odd persistence of the cheque as a way to make payments. According to the author, even though cheques are slow and cumbersome, people are willing to live with these drawbacks because they like the ability to write messages in the memo field. Competing electronic payments options (in Canada at least) don't have the ability to write memos.  

Why do people still use checks? It's the memo field, apparently: https://t.co/ui0D0oTHEI pic.twitter.com/lkpEr9ZpEk

— JP Koning (@jp_koning) June 21, 2017

As someone pointed out to me on Twitter, in the U.S. the cheque's memo field is more than just a place for writing personal reminders. According to the law in certain states, when you disagree with your creditor about how much is owed—say the contractor who is building your deck has spent too much on materials—by writing out a cheque for less than the agreed amount and including "paid in full" in the memo line, the debt is extinguished the moment the contractor cashes it.  

What follows are some other neat things about cheques that don't get much attention.

People tend to think of cheques as a mere set of instructions issued to a banker on how to move bank deposits. To transfer deposits, we could always just walk into a bank and do this in person, but we prefer to save time and energy by issuing the instructions on paper.

But a cheque is more than just a substitute for a set of in-person verbal instruction. By inscribing these instructions onto a long-lived medium, we've created an entirely distinct financial instrument, something akin to a debt or a derivative. As long as a cheque exists, it derives its value from the underlying deposits that are expected to be delivered by the issuer.

Normally we take for granted that a $1000 cheque is worth $1000. But this isn't always the case. For instance, if the cheque writer decides to spend a $1000 cheque that has been post-dated for three months—i.e. the underlying cash can not be collected till then—the receiver will typically only accept said cheque at a discount to face value, say $960. After all, the receiver needs to be compensated for the interest they will have to forego in holding that cheque for the three months to encashment, not to mention incurring the risk that the cheque writer fails in the interim.

We don't normally think of cheques as a form of debt or financing, but after India's demonetization an interesting example of this practice was brought to light. This fascinating story describes how small-scale enterprises in Varinasi accept post-dated cheques as payment and then bring them to a battawala—or "one who deducts"—for discounting. The battawala sets his commission, or discount, based on the creditworthiness of the cheque issuer. The ability to sell post-dated cheques allows these businesses to finance expense such as salaries and inventories. A second article describes a battawala market that "opens from 3-7 p.m. every day at Chowk, the heart of the business district," where several thousand battawallas sit and trade post-dated bearer cheques for cash.

North America also has a post-dated cheque market of sorts. Payday lenders, which offer short-term lending to those who can't get it from banks, only issue loans on the provision of a post-dated cheque. They accept these cheques at large discount to face, so that a $350 cheque can only buy, say, a $300 loan.

In addition to being a form of debt, cheques are also a type of money. I don't mean in the sense that cheques allow for the transfer of underlying bank deposits; rather, an uncashed cheque can itself be transferred between many different parties as a medium of exchange. This is something that younger people who only use credit cards and P2P options may not know, but if the issuer of the cheque writes "to bearer" in the pay to field, then literally anyone who is 'bearing' or holding that cheque can bring it into the bank to be cashed. Given that it grants universal access to underlying cash, a $100 bearer cheque might be transferred three or four time over the course of a few days, resulting in $300 worth of transactions being consummated rather than just $100. In the first of the two articles I linked to above, for instance, the owner of a small sari business says that it isn't uncommon for a bearer cheque to change hands as many as five times. 

Just a head's up. Even if you indicate the name of the recipient in the pay to field of a cheque you've written, say to John Doe, he can still use it as a medium for paying someone else rather than cashing it... without you even knowing. By endorsing the back of the cheque with his signature, John Doe converts it into a bearer cheque. This is called blank endorsement. Anyone he gives it to can now either bring it in to be cashed or continue passing it off in a long chain of transactions. In the U.S., these sort of cheques are called third-party checks, although banks tend to be a little leery about accepting them these days.

The use of cheques-as-money is promoted by laws that, like banknotes, grant them currency status. I touched on this distinction last week, but here it is again. Say that person A is carrying some sort of financial instrument in their pocket and it is stolen. The thief uses it to buy something from person B, who accepts it without knowing it to be stolen property. If the financial instrument has not been granted currency status by the law, then person B will be liable to give it back to person A. If, however, the instrument is currency, then even if the police are able to locate the stolen instrument in person B's possession, person B does not have to give up the stolen cheque to person A. We call these special instruments negotiable instruments.

Instruments like cash and cheques that have been granted currency status, or are negotiable, have a big advantage over those that haven't. Because they won't be on the hook for returning stolen negotiable instruments, shopkeepers and others can accept these instruments without having to set up costly verification procedures. This means these instruments will tend to be more liquid than those that are non-negotiable.   

A neat result of the transferability of cheques is that cheque payment systems are incredibly robust in the face of disasters and banking system shutdowns. Any direct transfer a bank deposit, say using a debit card or some other form of electronic fund transfer, requires that the parties to a payment to establish a  communications channel with their respective banks. If there is a problem with either of the banks, the merchant, or the connection itself, then the transfer can't go through. With a cheque however, there is no need to communicate with one's banker. A cheque is created entirely without the bank's say-so. Anyone is allowed to receive that cheque, it being their choice to either cash it or pass it along. Which means that if the banking system is on the fritz, cheque payments can proceed.

The most famous example of this robustness is the Irish banking strike of 1970. With the entire banking system shut, for six months post-dated cheques circulated as the main form of money. In a well-known paper, Antoin Murphy recounts how pub owners acted as evaluators of the credit quality of each cheque, an episode I once wrote about here.

Another nice property of cheques is that, like cash, they can be used by the unbanked. If someone receives a cheque, they can go to the issuer's bank and cash it, even if they don't have a bank account. Alternatively, they can simply endorse the back of the cheque and spend it on as a medium of exchange.

This combination of negotiability, robustness, openness, and decentralization means that long before bitcoin and the cryptocoin revolution, we already had a decentralized payments system that allowed pretty much everyone to participate and, indeed, fabricate their own personal money instruments!

Was there ever a more versatile payments instrument than the cheque? Because you can write on them, a whole language of cheques has emerged, allowing for significant customization. By putting crossings on cheques, like this...

...the cheque writer is indicating that the only way to redeem it is by depositing it, not cashing it. This means that the final user of the cheque will be easy to trace, since they will be associated with a bank account. Affix the words non-negotiable within the cross on the front of the cheque and it loses its special status as currency. Should it be stolen and passed off to an innocent third-party, the victim can now directly pursue the third-party for restitution. To even further limit the power of subsequent users to use the cheque as money, the writer can indicate the account to which the cheque must be deposited.

This language of checks can be used not only by those that have originated the cheque, but also by those that receive it in payment. On the back of any check, any number of endorsements can be written, effectively allowing for the conversion of someone else's payment instructions into your own unique medium of exchange.    

In summary, while the popularity of the cheque has certainly been declining over the last few decade, it is still hanging in there—and that's because it seem to be providing some unique services that haven't yet been replicated by cheaper, digital alternatives. While those in the fintech space often smirk at cheques at as an outdated payments option inevitably doomed to extinction, they might be better served trying to replicate some of these features instead.

The road to sound digital money

No, I'm not talking about sound money in the sense of having a stable value. I'm talking about money that is sound because it can survive natural disasters, human error, terrorist attacks, and invasions.

Kermit Schoenholtz & Stephen Cecchetti, Tony Yates, and Michael Bordo & Andrew Levin (pdf) have all recently written about the idea of CBDC, or central bank digital currency, a new type of central bank-issued money for use by the public that may eventually displace banknotes and coin. Unlike private cryptocoins such as bitcoin, the value of CBDC would be fixed in nominal terms, so it would be very stable—much like a banknote.*

It's interesting to read how these macroeconomists envision the design of a potential CBDC. According to Schoenholtz & Cecchetti, central banks would provide "universal, unlimited access to deposit accounts." For Yates this means offering "existing digital account services to a wider group of entities." As for Levin and Bordo, they mention a similar format:

"Any individual, firm, or organization may hold funds electronically in a digital currency account at the central bank. This digital currency will be legal tender for all payment transactions, public and private. The central bank will process such payments by debiting the payer’s account and crediting the payee’s account; consequently, such payments can be practically instantaneous and costless as well as completely secure."

I don't want to pick on them too much, but all these authors are describing a particular implementation of central bank digital money: account-based digital money. There's an entirely different way to design a CBDC, as digital bearer tokens. My guess is that the authors omit this distinction because macroeconomists tend to abstract away from the differences between various types of money. Cash, coins, deposits, and cheques are all just a form of M in their equations. But if you get into the nitty gritty, bearer tokens and accounts two are very different beasts. Some thought needs to go into the relative merits and demerits of each implementation, especially if this new product is to replace banknotes at some hazy point in the future.

Let's first deal with account money. An owner of account-based money needs to establish a connection with the central issuer every time they want to make a payment. This connection allows vital information to flow, including instructions about how much money to transfer and to whom, confirmation that there is sufficient funds in the owner's account, and a password to confirm identity. Only then can the issuer dock the payor's account and credit the payee.

Bearer money, the best examples of which are banknotes and coins, never requires a connection between user and issuer. As I described in last week's post, courts have extended to banknotes the special status of having"currency." What this means is that if you are a shopkeeper, and someone uses stolen banknotes to buy something from you, even if the victim can prove the notes are stolen you do not have to give them back. The advantage of this is that there is never any need for a shopkeeper to call up the issuer in order to double check that the buyer is not a thief.** As for the issuer, say a central bank, they are not responsible for the debiting and crediting of banknote balances, effectively outsourcing this task to buyer and sellers who settle payments by moving banknotes from one person's hand to the other. The upshot of all this is that since users and issuers of bearer money don't need to exchange the sorts of information that are necessary for an account-based transaction to proceed, there is no need to ever link up.

This makes bearer money an incredibly robust form of money. If for any reason a connection can't be established between user and issuer, say because of a disaster or a malfunction, account-based money will be rendered useless. Examples of this include the recent two-day outage of Zimbabwe's account-based real-time gross settlement system due to excess usage, or the famous 2014 breakdown of the UK's CHAPS, its wholesale payments system, which limited the system to manual payments. M-Pesa, Kenya's mobile money service, has periodic outages, and last month my grocery store, Loblaw, suffered from a malfunction in its debit card system. Banknotes—which don't require constant communication with the mothership—worked fine throughout.

The private sector used to be heavily engaged in providing bearer money, both in the form of banknotes and bills of exchange. However, bills of exchange-as-money went extinct by the early 1900s. As for banknotes, the government thoroughly monopolized this activity by the mid-1900s. Which means the government has—perhaps inadvertently—taken on the mantle of being the sole issuer of stable, disaster-proof money. So any plan to slowly phase out government paper money is simultaneously a plan to phase out society's only truly robust payments option.

Going forward, it's always possible that governments once again allow the private sector to  issue bearer money. With the government's bearer money monopoly brought to an end, the public would be well-supplied with the stuff and central banks could safely exit the business of providing a robust payments option. But I can't see governments agreeing to relinquish this much control to private bankers. Which means that for society's sake, whatever digital replacement central banks choose to adopt in place of banknotes and coins should probably have bearer-like capabilities in order to replicate cash's robustness. Account-based money won't cut it. Nor will volatile private tokens like bitcoin.

One way to design a digital bearer money system is to have a central bank issue tokens onto a distributed ledger and peg their value, say like the Fedcoin idea. The task of verifying transactions and updating token balances would be outsourced to thousands of nodes located all over the world. So if all the nodes in the U.S. have been knocked out, there will still be nodes in Europe that can operate the payments system. This would restore a key feature of banknotes, that they have no central point of failure, thereby allowing central banks to get rid of cash. I'm sure there are other ways of creating robust money than using a distributed ledger, feel free to tell me about them in the comments section.

---

* CBDC would be redeemable on a 1:1 basis for traditional central bank money (and vice versa), so the two would have the same value and be interchangeable. Consumer prices, which are already expressed in terms of traditional central bank money, would now also be expressed in terms of CBDC. Since consumer prices tend to be sticky for around four months, CBDC holdings would have a long shelf-life. If CBDC was designed like bitcoin--i.e. its quantity was fixed and there was no peg to existing central bank money--then its value would diverge from traditional central bank money. Price would continue to be expressed in terms of traditional central bank money, and would be sticky, but there would be a distinct CBDC price that would no longer be sticky. So CBDC would no longer have a long-shelf life; indeed, CBDC prices could become quite volatile. See here.
** The caveat here is that while banknotes have long since been granted currency, CBDC—which does not exist—has not. Nor have cryptocurrencies like bitcoin been granted currency status. But if a central bank were to issue a bearer form of CBDC, it's hard to imagine the courts not declaring it to be currency fairly early on, unlike say bitcoin.

PS: I just stumbled on a 2006 paper from Charles Kahn and William Roberds which nicely captures these two types of money:

On currency

David Birch recently grumbled about people's sloppy use of the term legal tender, and I agree with him. As Birch points out, what many of us don't realize is that shopkeepers have every right to refuse to accept legal tender such as coins and notes. This is because legal tender laws only apply to debts, not to day-to-day transactions. If someone has borrowed some money from you, for instance, then legal tender laws dictate a certain set of media that you cannot refuse to accept to settle that debt. These laws have been designed to protect your debtor from a situation in which you demand payment in a rare medium of exchange, say dinosaur bones, effectively driving them into bankruptcy.

Conversely, they also protect you the lender from being paid in an inconvenient settlement medium. In Canada, for instance, a five cent coin is legal tender, but only up to $5. If your debtor wants to pay off a $10,000 debt using a truckload of nickels, you can invoke legal tender laws and tell them to screw off—give me something more convenient.

Joining in with Birch in the grumbling, I'd argue that people make just as many errors with the term currency as they do with legal tender. When we use the word currency, we typically mean a grab bag of paper money, coins, deposits, and cryptocurrencies, or we use it to describe national units of account such as dollars, yen, pounds, pesos, ringgits, bitcoin, etc. But the word currency shouldn't be used so sloppily. 

Henry Dunning Macleod, a monetary theorist who wrote in the 1800s, has an interesting discussion of the etymology of the word. Macleod was a unique character in his own right. Trained as a commercial lawyer, he signed up as director of the Royal British Bank which failed in 1856 due to questionable loans and self dealing. Macleod went on to write a number of large tomes on monetary theory,  history, and law, including the Elements of Economic, on which I am drawing from for this post. Perhaps his main contribution to economics is the coining of the term Gresham's law, according to George Selgin.

From Macleod we learn that currency used to be used an adjective, not a noun. Certain types of goods or instruments were considered to be "current" in the eyes of the law and common business practice. They were said to have "currency," but were not themselves currency. Here is a clip from his book:

Meaning of 'currency'—money, unlike goods, is 'current.' If stolen and spent, new owner has the right to keep it. pic.twitter.com/mnWcWTtzTb

— JP Koning (@jp_koning) December 28, 2015

Let's break this down. Property that had been granted currency had a different legal status from property that didn't. Let's assume that a good has been stolen and sold by the thief to a third party, a shopkeeper, who innocently accepts it not knowing that it has been stolen. For most forms of property the original owner could sue the third party and get the stolen article back. But not if that good is one of the few to be considered by society to have currency, wrote Macleod. When an article is said to have currency, or to be current, the original owner cannot chase the third party to recover stolen property. So in our example, our shopkeeper gets to keep the stolen good, even if its stolen nature has been proven in court.

Coins had always been current according to mercantile practice, but if you read through Macleod you'll see that over the course of the 1700s, British common law jurists granted currency status to a series of new financial instruments, including banknotes, bills of exchange, stock certificates, exchequer bills, bonds, and more. (I went into this here.) What this illustrates is that an item didn't have to be money to have currency (e.g. bonds were considered to be current), nor did it have to be government-issued to be current (banknotes and bills of exchange were privately-issued).

Granting currency-status to a select group of instruments provided them with some useful mercantile properties. Consider first the converse: when the law did not grant currency to a certain good, any transfer of that good came with strings attached. For instance, if you tried to pawn off an expensive gold ring on a shopkeeper, the possession of that ring in your pocket would not be sufficient for the shopkeeper to establish title. If the ring had been stolen, and he/she accepted it, the shopkeeper might be forced to give it back to its original owner, leaving the shopkeeper out of pocket. So they would be wary at the outset about accepting the ring from you, perhaps requiring a time-consuming verification process before agreeing to the deal.

On the other hand, the shopkeeper would not hesitate to accept a gold coin. Because coins were current according to the law, anyone who received them in trade would not have had to worry about returning them to an angry victim down the line, and therefore could avoid the necessity of setting up a costly verification procedure. This would have encouraged trade in these instruments, rendering them much more liquid than items that weren't current.

According to Macleod, it was only after these early court cases that people started to directly refer to banknotes, coin, yen, dong, pounds, krona, and the like as currency-the-noun, a linguistic switch which Macleod angrily blamed on Yankee "barbarism":

"It is quite usual to say that such an opinion or such a report is Current: and we speak of the Currency of such an opinion or such a report... But who ever dreamt of calling the report or the opinion itself Currency?... To call Money itself Currency, because it is current, is as absurd as to call a wheel a rotation, because it rotates...Such as it is, however, this Yankeeim is far too firmly fixed in common use to be abolished."

It is interesting to note that while not all instruments that had currency were money (i.e. bonds), likewise not all money was granted currency status. According to Macleod, bank deposits did not have currency because, unlike banknotes and coins, deposits could not be dropped in the streets, stolen, lost or transferred to someone else by manual delivery. If you think about it, each movement of a bank deposit requires direct contact with the banking system in order to process the transfer. This effectively weeds out transfers of lost or stolen property, especially in Macleod's day where banking was conducted in person at a branch. Since anyone receiving bank deposits in payment needn't worry about a deposit being dubious, there was no need for the law to grant currency status to deposits.

All of this still has relevance today. Take the case of private cryptocurrencies, ICOs, and central bank digital currencies (CBDC). Because law makers have not been very clear about their legal status, bitcoin and other forms of crypto don't have currency, at least not in the Macleodian sense of the term. This means that a storekeeper who accepts bitcoin (or a future Fedcoin) may also be taking on the liability to give said coins back if they are proven to be stolen. And this lack of currency-status can only handicap a cyptocoin's ability to freely circulate.

If this post achieves anything, it's to illustrate that a special amnesty was once granted to a small set of financial instruments. This amnesty used to be referred to as currency. While we don't have to go back to the old practice of using of the word currency to refer to this special amnesty, we should at least be aware that this amnesty is still present and relevant.