In Part Two of this series, we explored the evolving privacy risks of universally accessible metadata and the dangers of centralized authorities. In this blog, we explore the identification of financial crime red flags and how the financial industry's regulatory environment for protecting consumers is not always in their best interest.
Financial crime red flags
The recent surge in investments by banks in blockchain technology reflects a bullish bet on the technology that underpins cryptocurrency. In 2021, the 13 largest financial institutions (FIs) in the U.S. invested $3 billion in blockchain technology to modernize their payments processing, custody offerings, capital markets platforms, and other facets of their operations.[1] These developments are reflected in the expected accounting treatment of entities registered with the SEC: cryptocurrency exchanges must report the digital tokens they hold for customers on their balance sheets as liabilities, so such firms will likely see their balance sheets grow exponentially. A prominent cryptocurrency exchange company claims to have custody of $278 billion of cryptocurrencies as of 31 December 2021, but the firm only reported $21.3 billion on its balance sheet.[2]
As the trend toward institutional investments in blockchain technology continues, so too does the expectation that cryptocurrency would serve as a medium of exchange alongside traditional fiat currencies. Continuing these trends, FIs are accepting both the complex operational challenges of this rapidly evolving digital asset as well as the emerging financial crime risks and issues that these assets naturally present.
Crime associated with crypto
The signature features of cryptocurrency—anonymity, ease of use, and limited oversight—pose undeniable financial crime risks to the financial system. The spectrum of criminal acts associated with cryptocurrency includes fraud, money laundering, sanctions evasion, and cyber-crime, among others. Although mechanisms have been put into place to trace the identity of individuals using cryptocurrencies as a medium of exchange, the processes, controls, and oversight are limited and not nearly as mature as those of traditional fiat currencies. A financial crime risk unique to the cryptocurrency space is the “un-hosted wallet” (also called a self-hosted or non-custodial wallet), which is not supported by a custodial exchange, is as untraceable as a cash payment, and poses a veritable challenge to regulators and enforcement authorities. Un-hosted wallets are a known obstacle to tracing cryptocurrency transactions; in addition, “mixers” and “tumblers,” which combine various types of cryptocurrencies to conceal the identity of the payer, have been used to corrupt virtual marketplaces with a wide range of criminal activity, allowing funds to be transferred for illegal purposes while masking the identities of the transacting parties. Known as “darknet markets,” these criminal marketplaces have burgeoned with the expansion of crypto. One such highly publicized case involved the operation of a darknet money laundering service involving mixers and tumblers.
Cryptocurrencies are also used to evade economic sanctions. In October 2020, representatives of Russia’s central bank told a Moscow newspaper that the new “digital ruble” would make the country less dependent on the U.S. and better able to resist sanctions. It would let Russian entities conduct transactions outside the international banking system with any country willing to trade in digital currency. Russia could find willing partners in other nations targeted by U.S. sanctions, including Iran, that are also developing government-backed digital currencies. China, Russia’s largest trading partner in both imports and exports, according to the World Bank, has already launched its own central bank digital currency.
The war in Ukraine has provided further evidence of Russia’s use of cryptocurrencies: Russian lawmakers hinted at accepting bitcoin as payment for exports to evade Western sanctions, sending shockwaves through the cryptocurrency sector. Some analysts believe it could hinder growth, as Western lawmakers may have more reason to believe cryptocurrency could be used for nefarious and illicit purposes; others believe it shows the potential for crypto’s universal usage as “it fits many narratives … making it unstoppable.”[3] As the economic situation in Russia grows more dire, cryptocurrency exchanges must ensure their Know Your Customer (KYC) protocols are strong and efficient to prevent any transactions with sanctioned persons, who may now increasingly transact with bitcoin due to the Russian government accepting the coin as payment for oil and gas exports. This move by Russia may trigger U.S. and European lawmakers to respond with increased regulation of the cryptocurrency sector. It would be important for cryptocurrency firms to watch the Russian gas market and forthcoming legislation from Capitol Hill to ensure they can respond if stronger regulations are enacted.
Given these features of cryptocurrency and its nexus to criminal acts, the Financial Action Task Force (FATF) has advised regulators to take the financial crime risks associated with cryptocurrency seriously. In October 2021, the FATF issued its updated guidance for virtual assets and virtual asset service providers (VASPs), which lays out the task force’s expectation that money laundering (ML) and terrorism financing (TF) risks be mitigated in virtual asset (VA) activities.[4] The FATF guidance focuses on a range of areas, including defining terms such as VA and VASP; applying FATF standards to stablecoins; mitigating ML/TF risks associated with peer-to-peer transactions; licensing and registration of VASPs; implementing ‘travel rule’ principles; and guidance on Principles of Information-Sharing and Co-operation. The key question is not whether financial institutions need to meet these requirements but rather how they will meet these expectations.
Indeed, law enforcement and policy makers have taken notice. In the first half of 2019, FATF and the Financial Crimes Enforcement Network (FinCEN) extended application of the travel rule to VASPs and virtual currency businesses (VCBs), requiring VASPs to hold personally identifiable information (PII) for originators and beneficiaries. The guidance from the FATF and FinCEN has already had a real impact; recently, founders of a cryptocurrency derivatives exchange entered pleas with the US government on money laundering charges.[5]
These agencies are not alone: the U.S. government is mobilizing significant resources to fight cryptocurrency crime. In January 2021, the U.S. Congress enacted into law the Anti-Money Laundering Act (“AMLA”), which amended the Bank Secrecy Act (BSA) to include references to cryptocurrency and digital assets; and FinCEN requires financial institutions to report transactions involving un-hosted wallets over certain thresholds. Further, in October 2021 the Department of Justice created the National Cryptocurrency Enforcement Team (“NCET”), which is responsible for managing enforcement actions involving cryptocurrencies and digital assets. The use of digital assets such as a Central Bank Digital Currency (CBDC) would provide the technological backbone and security inherent within a blockchain while also providing a mechanism for government regulatory oversight such as KYC and AML transaction monitoring.
For firms on the right side of the law, their primary concern remains safely and securely sending information between VASPs, a significant challenge given exchanges’ appeal to cybercriminals and the growing number of VASPs in the market.
As FIs face the financial crime risks posed by cryptocurrencies and the associated regulatory and enforcement scrutiny, they do so under challenging circumstances such as inefficient processes underpinned by legacy systems that are not equipped to handle the latest requirements. Adding to this, many firms are challenged with a lack of global procedures or policies, inefficient and fragmented processes, transaction monitoring rules with high false positives, duplicated effort across teams, a lack of governance and accountability, and lack of traceability for data feeds and user access. The key question is what are the exact steps that FIs need to take to apply the conventional AML and sanctions disciplines to this new blockchain transaction type?
KYC, KYT, and the Travel Rule Requirements
Knowing both the customer and the transaction is the primary challenge associated with financial crime risks. Given the unique problems that cryptocurrencies pose in this regard, firms must make targeted and strategic investments to equip their staff to understand these transaction monitoring capabilities. Blockchain analysis tooling vendors can facilitate the analysis of transactions across blockchains for potential sanctions impacts and criminal uses. These vendor solutions can be deployed to support identity attribution and to analyze blockchain transactions for suspicious activities (i.e., KYT), and financial crime compliance divisions should be investing in these tools.
Furthermore, firms must augment their transaction monitoring platforms with crypto-related scenarios and thresholds. Investigation processes would need to be similarly updated to adequately monitor and understand the emerging challenges and risks specific to cryptocurrency transactions, so that suspicious activity reports (SARs) can be documented adequately. Therefore, the first step in managing financial crime risk is to invest in the technology solutions that support tailored transaction monitoring for cryptocurrency transactions.
Revamp Operating Models and Risk and Control Frameworks
In parallel with making investments in transaction monitoring solutions, firms must also begin adjusting their operating models to accommodate these new risks and controls in a holistic fashion. A range of approaches must be considered when incorporating cryptocurrencies into the risk and control framework.
First, evaluating the holistic impact of virtual currencies across the risk framework is a key initial step. Moreover, a strong risk framework must guide firms to identify which transactions must comply with the FATF/FinCEN travel rule. These efforts must incorporate an end-to-end financial crime risk management approach that includes all the use cases within the approved business design. These efforts would necessitate both the onboarding and upskilling of teams, and the hiring of third-party service providers may be needed to support the transformation effort. As the risk and control framework would serve as the foundation for policy expectation, the AML Compliance team’s participation in these efforts will be critical.
Update Policies and Procedures and Training Programs
Policies and procedures and associated training programs would need to be updated to reflect the expected actions as set out in the risk and control framework. VA guidelines need to be incorporated into KYC policies and processes (e.g., consider requiring a digital identification document for transacting customers). This would involve not only knowledge of the customer, but also of the transaction, in addition to sufficient due diligence of the counterparty VASP to ensure the counterparty is a trusted partner who can keep PII secure. Due diligence becomes more difficult because vendor APIs are needed to bridge communications between VASPs, so due diligence processes must extend to these API providers to ensure that each step in the VASP-to-VASP communication chain is with a trusted and compliant partner, minimizing regulatory risk. Firms must be ready to launch training programs to prepare the organization for the management of these risks.
Further, staff training must be developed to support cryptocurrency processes and enhance technology across key platforms including transaction monitoring, sanctions, politically exposed persons (PEPs) scanning, and KYC and know your transaction (KYT) procedures. Finally, firms must carefully consider the approach and planning steps that would be required to effectively drive these enterprise-wide initiatives.
Bringing it all together
Firms face an enormous challenge in dealing with financial crime risks associated with cryptocurrency. Embedding solutions into the organization to drive continued growth of the risk and control framework may require a strategic approach based on up-front investments in people, technology, and processes.
Risk assessments and associated controls would need to be updated to define new processes for the identification of counterparties, customers, jurisdictions, custodial services, and liquidity sources associated with cryptocurrencies. Training and upskilling of teams will be needed, and engagement with specialized third-party service providers may be needed to accelerate the transformation efforts.
In our next blog, we explore how cryptocurrency affects your environmental, social, and governance structure through emissions reporting, market disruption, and the reduction of centralization.
1. “These 13 FIs have invested the most in crypto and blockchain to date.” Business Insider. https://markets.businessinsider.com/news/currencies/13-top-banks-investing-cryptocurrency-blockchain-technology-funding-blockdata-bitcoin-2021-8
2. “Crypto exchanges told to treat customer assets as liabilities.” The Wall Street Journal. https://www.wsj.com/articles/sec-tells-exchanges-to-treat-customer-crypto-holdings-as-liabilities-11648743902#:~:text=The%20new%20accounting%20guidelines%20instruct,methods%20used%20by%20such%20platforms.
3. “Russia is talking about using bitcoin as payment for exports.” Barron’s. https://www.barrons.com/articles/russia-bitcoin-crypto-prices-exports-51648210574?tesla=y
4. “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.” Financial Action Task Force. https://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-virtual-assets-2021.html
5. “Third founder of cryptocurrency exchange pleads guilty to Bank Secrecy Act violations.” United States Department of Justice. https://www.justice.gov/usao-sdny/pr/third-founder-cryptocurrency-exchange-pleads-guilty-bank-secrecy-act-violations#:~:text=Damian%20Williams%2C%20the%20United%20States,to%20violating%20the%20Bank%20Secrecy