Cryptocurrency, or crypto, has overtaken the news throughout 2021 to date. Whether it be Bitcoin’s $60,000 price tag and subsequent fall, the rise of a coin based on a DOGE 1 meme, or a crypto service provider’s (CSP) IPO; it is apparent that crypto has hit the mainstream and Main Street.
One headline that flies under the radar: Crypto and its role in facilitating financial crimes. In the first installment of our “Crypto in FinCrime” blog series, we will discuss the regulatory oversight, risks to financial institutions (FI) and CSP, and how FIs may manage those risks.
Regulatory Sprint to Play Catch-Up
Less than a decade ago, Bitcoin was hovering around $400 and cryptocurrency was viewed as a conduit for anonymous, black market-level financial crime. Regulators did not fully understand how to regulate and manage the risks at the time. Fast forward to 2021, U.S. and global regulatory bodies are accelerating their coverage, and the industry is rapidly attempting to catch up. As a result of these statements and proposed rules regulating crypto, FIs would need to assess and, most likely, revise their monitoring and reporting practices.
- Proposed FinCEN Rule
Financial Crimes Enforcement Network’s (FinCEN) proposed a rule earlier this year imposing reporting and recordkeeping requirements on institutions facilitating transactions involving:
- Convertible virtual currency (CVC) 2 ;
- Digital assets with legal tender status (LTDA) 3 held in unhosted wallets 4 (e.g., MyEtherWallet);
- Hosted wallets 5 (e.g., Coinbase); or
- Wallets hosted in higher risk jurisdictions.
Due to the similar financial crimes risks associated with CVCs and LTDAs, FinCEN proposes to define CVCs and LTDAs as “monetary instruments” for the purposes of Currency Transaction Reports filing requirements and adhering to the Funds Transfer Recordkeeping Rule.
Lastly, FinCEN expects to add two new reporting and recordkeeping requirements focused on structuring activity. These new requirements would address substantial risks within FIs and CSPs. For example, FinCEN levied a $60 million fine last year on a “mixer”, or a company that breaks up crypto transactions into smaller fragments, thereby masking the true owner, for failing to collect Know Your Customer (KYC) data on over 1.2 million transactions.
At the time of writing, the proposed rule is still pending while FinCEN prioritized crypto in their first publicly addressed national priorities list on June 30, 2021. To further evidence this prioritization, FinCEN acted against one major CSP on August 10, 2021 by assessing a $100 million civil money penalty for violating the Bank Secrecy Act and FinCEN’s implementing regulations.
- FATF Draft Guidance
The Financial Action Task Force (FATF) issued draft guidance on defining crypto and CSPs. FATF confirmed that “stablecoins”, or crypto linked to an underlying asset like fiat currency, are subject to KYC and AML rules and noted the need for such providers to observe financial crime and terrorist financing requirements. The FATF stressed the importance of requirements such as collecting Customer Due Diligence and KYC data, maintaining originator and beneficiary data (aka the Travel Rule), and ongoing monitoring and reporting controls. As the global financial industry continues to define their action plan to combat crypto-facilitated financial crimes and terrorist financing, FATF is showing an understanding of these rapidly evolving advancements and appears willing to be forward-looking and progressive when considering new technology developments.
- Basel Committee Prudential Treatment
For even more global regulatory coverage, the Basel Committee for Banking Supervision (Basel) issued for comment in early June 2021 its prudential treatment of cryptoasset exposures to treat crypto. Basel stated that FIs should apply a 1,250% risk weight to crypto, similar “to the deduction of the asset from capital”: therefore, making crypto one of the riskiest assets FIs hold. The raise of the risk weight is due to the lack of recording and monitoring of crypto and its recent run of volatility. Figure 1 below provides an illustrative breakdown comparing Basel recommended risk weighting.
Figure 1. Risk Weight (by $1,000 Holdings)
As the industry awaits confirmation on proposed regulatory oversight while the risks associated with crypto continue to rise, FIs – including MSBs and CSPs– would need to adjust their transaction monitoring program, client due diligence approach, and crypto transaction monitoring strategy in order to de-mystify who is using their services to transact through crypto.
How to Mitigate Financial Crime Risks
Managing cryptocurrencies and mitigating the associated risks can be difficult for many FIs and CSPs. To start, many CSPs are rapidly growing yet do not have mature KYC programs, which results in high employee turn-over effectively creating a knowledge gaps surrounding who is accessing and transacting using crypto. The market also lacks robust tools that would be needed to monitor crypto transactions on the blockchain. Blockchain inherently offers anonymity to its users, making it difficult to follow the money and identify the “who” and “why” behind the transactions. These factors, along with the lack of industry maturity, make it difficult for FIs and CSPs to mitigate crypto risk.
As more individuals begin trading crypto, institutions may face an increased exposure to financial crime and terrorist financing. Despite the difficulties associated with mitigating financial crime and terrorist financing risks associated with crypto, institutions can still take actions to strengthen their response to these risks. Strengthening an institution’s KYC program may apply innovative approaches to understand if their CSP clients having adequate programs in place to identify who are their transacting parties and perform list screenings (i.e., sanctions, adverse media, and watchlists) to ensure the institution is not serving as a conduit for illicit movement of funds. FIs and CSPs may consider reinforcing their KYC programs, enhancing their transaction monitoring strategies (see below), and implementing emerging technology enabling blockchain surveillance. Both FIs and CSPs could include the adoption of beneficial ownership practices aimed at combatting shell companies and other higher risk entities. One global CSP has already implemented stricter KYC measures requiring users to complete a verification process in order to access products and services. Lastly, institutions may consider reevaluating their risk profile if decide to service CSP or registered crypto exchange customers.
To enhance transaction monitoring strategies, institutions can strategically include new scenarios addressing:
- Unknown relationship between originators/beneficiaries
- Structuring activity
- Transactions from/to high-risk and restricted jurisdictions
- Customer transacting in more than one crypto type
- Monitoring point of conversion from/to fiat
These are steps institutions can take to prepare for the future of crypto, as they may soon face many considerations surrounding their financial crimes processes and system architecture including utilizing new data sources and monitoring techniques.
Crypto is here to stay and likely will only continue to grow and expand into new applications. It is imperative that FIs and CSPs implement solutions combating financial crime and terrorist financing promulgated through crypto, and the traditional approach to combatting these crimes may not suffice.
In our next crypto blog post, we will cover its use in cyberattacks and ransomware, highlighted by high-profile cyberattacks leading companies to pay out ransoms in the crypto, and what institutions should do to protect themselves and more importantly, their clients.
If you have questions or would like to discuss these issues further, please contact the authors:
We would like to thank Amanda Miles and Michael Gerrity for their assistance with this blog.