Cryptocurrency AML risk considerations
From a regulatory standpoint, many of the risks associated with cryptocurrencies echo those presented by new financial products and technologies of the past: untested business models, potential for abuse and fraud, lack of a clear understanding of how cryptocurrencies are sold and traded via DLT, and the underlying uncertainty of a rapidly evolving regulatory environment.
At the same time, key aspects of the cryptocurrency ecosystem are, by design, different from past financial products and platforms. Peer-to-peer transaction authentication was created to permit coin holders to bypass institutional intermediaries, which otherwise act as essential gatekeepers in the global AML regime. The putative anonymity of cryptocurrency counterparties can frustrate the Know Your Customer (KYC) and customer identification procedures (CIP) on which existing AML regimes depend. The online ecosystem surrounding cryptocurrency opens new cyber and insider threat vulnerabilities, while the iterative nature of DLT prevents reversibility when a fraudulent or unlawful transaction has occurred. Finally, the absence of in-built geographic limitations makes it difficult to resolve which jurisdiction, or jurisdictions, may potentially regulate a particular service or transaction.
In this environment, both FIs and regulators must confront technically complex problems in a compressed time span and in the face of what often appear to be unquantifiable risks. After an initial period of relative forbearance, financial regulators are now responding more aggressively to emerging risks and potential benefits associated with cryptocurrency, ICOs, and DLT. Recent moves by regulators in the United States, South Korea, and other jurisdictions to assert authority over cryptocurrency markets underscore this backdrop of legal and regulatory uncertainty. The ambiguous legal status of many cryptocurrency businesses further raises the stakes for FIs doing business with cryptocurrency entrepreneurs, whose regulatory risk tolerance may be more likely to reflect the “wild west” culture of technology startups than that of traditional financial services providers.
State of global AML regulation
Despite calls for the adoption of global AML standards for cryptocurrency trading4, no such uniform rules have yet emerged. There has nonetheless been some convergence toward the FATF view that cryptocurrency payment service providers should be subject to the same obligations as their non-crypto-counterparts5, and the majority of jurisdictions that have issued rules or guidance on the matter have concluded that the commercial exchange of cryptocurrency for fiat currency (including through Virtual Currency Exchanges (VCEs)) should be subject to AML obligations (or, in the case of China, prohibited).
Differences in national regulations include: (i) the existence of special licensing requirements for VCEs; (ii) the extent to which AML rules also cover administrators and wallet services; (iii) the extent to which ICOs are covered by securities laws or equivalent regulations with AML regulatory implications; and (iv) the extent to which crypto-to-crypto exchange is treated differently from crypto-to-fiat exchange. In many cases, the regulatory status of these activities is either ambiguous or case-specific, or is otherwise subject to pending changes in law and regulation. Note that while national security sanctions laws are outside of the scope of this article, the breadth of sanctions screening requirements will generally equal and, more often, exceed that of AML compliance obligations.
Elevated financial crime risks in cryptocurrency markets
Cryptocurrency markets are potentially vulnerable to a wide range of criminal activity and financial crimes. Many of these risks materialize not on the blockchain itself, but in the surrounding ecosystem of issuers, VCEs, and virtual wallets that support consumer access to DLT. Rapidly evolving technology and the ease of new cryptocurrency creation are likely to continue to make it difficult for law enforcement and FIs to stay abreast of new criminal uses. Heightened risks include:
− Trafficking in illicit goods: Cryptocurrencies provide an ideal means of payment for illegal goods and services, including narcotics, human trafficking, organs, child pornography, and other offerings of the “dark web.”
− Hacking and identity theft: Virtual wallets and VCEs provide hackers with attractive targets for financial fraud and identity theft. If an account is hacked via one of these services, crypto holdings can be easily exfiltrated to anonymous accounts and liquidated for fiat or other assets, with little or no possibility of reversing or cancelling the transactions after detection.
− Market manipulation and fraud: While the blockchain in principle allows all actors to view and monitor exchange transactions, the ability to detect and deter insider trading, front-running, pump-and-dump schemes, and other forms of market abuse involving unregistered ICOs and unlicensed VCEs is severely limited. The absence of regulatory oversight of unregistered offerings and the ease with which criminal actors can create new accounts to execute manipulative schemes make these markets vulnerable.
− Facilitating unlicensed businesses: Variations in the legal and regulatory requirements surrounding cryptocurrency services in different jurisdictions create added challenges in determining whether cryptocurrency businesses comply with local rules. Providing financial services to non-compliant entities could, in some circumstances, implicate illicit proceeds provisions of national AML laws.
Elevated AML risks too
In addition to fostering the criminal activity outlined above, the anonymity, liquidity, and borderless nature of cryptocurrencies make them attractive to potential money launderers.
− Placement: The ability to rapidly open anonymous cryptocurrency accounts provides a low-risk means for criminal groups to convert and consolidate illicit cash.
− Layering: Cryptocurrency provides an ideal means to transit illicit proceeds across borders. Unregistered ICOs also provide opportunities for large scale layering. If the money launderers also control the ICO, then they can use a fraudulent “capital raising” to convert their illicit proceeds back into fiat currency.
− Integration: The growing list of goods accepted for purchase with cryptocurrencies expands integration opportunities. The willingness of ICOs to trade crypto-for-crypto could also lead to criminal enterprises taking large stakes in crypto businesses, with or without the awareness of those businesses.
− Terrorism financing and sanctions evasion: The same anonymity and ease of creation make crypto accounts ideal for persons to receive payments that might otherwise trigger terrorism financing or sanctions red flags. Although the use of cryptocurrencies is not yet widespread in terrorism financing, terrorist groups have been experimenting with cryptocurrencies since 2014 and Bitcoin has been raised for such groups through social media fundraising campaigns.6 States targeted by sanctions have also taken an interest in creating their own state-sponsored cryptocurrency, with Venezuela debuting such a coin in February 2018.7
All of these risks are heightened among the unregulated sectors of the cryptocurrency markets. Given regulatory pressure to reject anonymity and introduce AML controls wherever cryptocurrency markets interface with the traditional financial services sector, there are signs that the cryptocurrency market is diverging, with some new coins being created to be more compatible with existing regulations while “privacy coins” prioritize secrecy of transactions and identities in order to facilitate off-market transactions.8
Managing AML risk of cryptocurrency users and counterparties
FIs should approach services and customers connected to cryptocurrency with a full understanding of their respective roles with cryptocurrencies and any potential elevated risks. As with any new line of business, the central AML compliance question for FIs will be whether they can reasonably manage that risk. FIs that choose to serve new lines of business or customer types should perform a risk assessment so that they can tailor policies and procedures to ensure that AML obligations can still be fulfilled in the cryptocurrency context.
Identification and monitoring requirements
The ability to confirm the identity, jurisdiction, and purpose of each customer is essential to the fulfilment of AML programs. In spite of the inherent challenges that cryptocurrencies pose in all these dimensions, an FI must ensure that its policies and procedures allow it to perform these core functions with the same degree of confidence in the cryptocurrency context as it does for traditional services. While the precise measures necessary will depend on the particular customer and service, some broad considerations apply:
− Customer and counterparty identification: An FI cannot enter into a customer relationship unless it has confirmed the true identity of the customer. Assuming that CIP has been performed on the customer with respect to other financial services, this is most likely to arise in the context of establishing proof of ownership over a customer’s crypto-assets held outside of the FI.
− Similarly, although some (eg U.S.) AML rules do not require FIs to perform CIP on transaction counterparties (whether or not to cryptocurrency transactions), acquisition of baseline counterparty information will typically be necessary for sanctions compliance, as well as to support anti-fraud and transaction monitoring efforts. Since both identification and watchlist screening procedures should be risk-based, FIs may find it appropriate to apply more enhanced measures to the verification of crypto-holder assets in view of the underlying risks posed by such assets.
− Diligence/KYC, account monitoring, and suspicious activity: The obligation to develop a reasonable understanding of “the purpose and intended nature of the business relationship”9 would apply equally when that relationship involves dealings in cryptocurrency. Again, given the special concerns surrounding cryptocurrency markets, FIs may determine that heightened due diligence is appropriate in this context. Similarly, FIs will likely find it appropriate to develop special red flags that apply to dealings in cryptocurrency markets, and must train responsible employees accordingly.
− Transaction reporting and recordkeeping: Depending on the nature of the transaction, national AML regimes may variously require FIs to record or report the same information from crypto-to-crypto or crypto-to-fiat transactions that pass certain thresholds as would apply for a non-cryptocurrency transaction. As with updates to CIP, the policies and procedures in place should give the FI assurance that the information that it obtains for this purpose is accurate and is sufficient for independent testing. Importantly, true identification of the holders of cryptocurrency accounts from which funds are sent and received will enable the FI to appropriately apply transaction monitoring controls, including aggregation requirements10 and detection of structuring payments.11 To the extent that the FI intends to rely on data analytics for these functions, such systems should be in place and tested before the FI begins processing such transactions.
Assessing and managing risks of customers dealing in cryptocurrency
Special AML considerations arise when the customer of an FI is itself a cryptocurrency business. VCE or wallet services may themselves be classified as AML-obligated entities, depending on the jurisdiction(s) in which they offer services. A currency administrator, such as the issuer of an ICO, may also be subject to AML obligations, and all three business types may be subject to other financial services licensing or registration regimes. We outline some of these issues below.
(a) Crypto-business customers that are financial institutions
FIs may be required to conduct additional diligence when onboarding and monitoring crypto-business customers that are themselves FIs.
Onboarding and risk assessment for a cryptocurrency business is likely to encompass a number of questions related to the business’s compliance with applicable regulatory requirements:
− Information gathering: Does the customer’s business and compliance model permit it to collect information sufficient to perform CIP and to risk rate its own customers? Does it permit it to obtain information as to counterparties and the locations of transactions?
− Monitoring and reporting: Does the customer have mechanisms in place for account monitoring and procedures in place for required reporting?
− Geographic controls: Is the service able to control the jurisdictions in which its services are accessed?
− Legal status and licensing and registration compliance: Has the service assessed the legality of its services in all the jurisdictions in which it operates? Has it undertaken the required licensing and registration outside the U.S.?
For example, in the U.S., FinCEN guidance on servicing MSB accounts, drafted prior to the advent of cryptocurrency, remains applicable to accounts for VCEs and wallets that are MSBs.12 In addition to performing CIP, this guidance requires FIs to confirm the FinCEN registration status of the MSB (or application of an exemption); confirm compliance with state and local licensing requirements, if applicable; confirm agent status, if applicable; and conduct a basic BSA/AML risk assessment to determine the level of risk associated with the account and whether further due diligence is necessary.13 While an FI is not independently responsible for the effectiveness of its customers’ AML programs, deficiencies in any of these areas are red flags that should be considered when evaluating a customer’s particular risk level.14 Accordingly, FinCEN advises that “due diligence [of MSBs] should be commensurate with the level of risk ... identified through its risk assessment,” such that if an MSB presents “a heightened risk of money laundering or terrorist financing, [the FI] will be expected to conduct further due diligence in a manner commensurate with the heightened risk.”15
Cryptocurrency businesses may argue in some cases that, whether for legal or technical reasons, their services are not covered by applicable FI registration regimes. These arguments may have merit in individual cases, but FIs may need to take some steps to evaluate the validity of these assessments (especially in cases where there is some question as to the legality of the enterprise), and may be advised to factor registration risk into their overall assessments of whether and how to provide services to such customers.16
(b) Other crypto-business risks
Even where an FI has assurance that the customer crypto-business is not an AML regulated entity, the FI should update policies and procedures in order to be able to account for particular money laundering risks posed by the business.
The question of geographic control warrants particular attention in the context of servicing crypto businesses. In addition to the risk of dealing with sanctioned persons and jurisdictions, the current absence of uniformity in the treatment of cryptocurrency activities (in particular, the differing registration requirements and the prohibition on issuance and exchange services in China) creates legal risk analogous to other services that are legal in some jurisdictions but not in others, such as online gambling. The inability to control where such services are offered raises the possibility that the enterprise itself is engaging in prohibited conduct. Where such prohibition is criminal, these violations could cause the crypto-business’s earnings to be classified as illicit proceeds for the purposes of criminal AML provisions.17 Regardless of whether national law applies a strict liability approach or a knowledge/recklessness requirement to such acceptance, FIs’ compliance programs must include reasonable measures to detect and prevent such facilitation. Even where there is no risk of criminal violation, an FI providing services to a crypto business should consider whether it would provide the services to a non-crypto-business whose registration status was in doubt.
Even for ICOs that do not qualify as obligated entities under relevant AML rules, FIs should carefully evaluate whether the structure of the ICO presents AML risk. An ICO should receive particular scrutiny if (i) the token sale is not capped per user, such that unlimited amounts of funds can be transferred to the ICO issuer, and (ii) the ICO intends to convert a portion of the raised funds to fiat. FIs should examine terms and conditions of an issuance to determine whether the issuer has controls in place to avoid wrongdoing.
A longer version of this article appears in the 2018 edition of the International Comparative Legal Guide to Anti-Money Laundering. The authors are grateful to the following Allen & Overy lawyers for their contributions to this work: Jane Jiang, Tiantian Wang and Jason Song (China); Dennis Kunschke (Germany); Giovanni Battista Donato, Emanuela Semino, and Amilcare Sada (Italy); Neyah van der Aa, Robin van Duijnhoven, and Daphne van der Houwen (the Netherlands); Ben Regnard-Weinrabe and Heenal Vasu (UK); and Bill Satchell, Justin Cooke, Lindsay Kennedy, Derek Manners, and Chelsea Pizzola (U.S.).
1. For the purpose of this article, the term “FIs” encompasses any class of persons that is obligated to undertake AML measures under the law or regulation of a particular jurisdiction. Different terms of art may be used in different jurisdictions (eg, “financial institution,” “obligated person,” etc.).
2. As defined by the Financial Asset Task Force (FATF), the term “cryptocurrency” refers to any “math-based, decentralised convertible virtual currency that ... incorporates principles of cryptography to implement a distributed, decentralised, secure information economy.” FATF, Virtual Currencies Key Definitions and Potential AML/CFT Risks (June 27, 2015), fatf-gafi.org/media/fatf/documents/reports/Virtual-currency-key-definitions-and-potential-aml-cft-risks.pdf (hereinafter FATF 2015 Guidance). The first cryptocurrency to come into existence is called Bitcoin, and other cryptocurrencies have since been created adopting parallel principles. Cryptocurrencies may overlap to an extent with products created via so-called “initial coin offerings” or “ICOs” which are discussed further in Part 2, infra.
3. A process through which consensus with respect to digital data replicated, shared, and synchronized across multiple nodes (or ledgers) affords confidence as to the authentication and accuracy of the shared digital data. A distinguishing feature is that there is no central administrator or centralized data storage responsible for maintaining or authenticating the accuracy of data.
4. See, eg, Steven Mnuchin, Sec’y, U.S. Dep’t of Treasury, Panel Discussion at the World Economic Forum: The Remaking of Global Finance (Jan. 25, 2018) (stating that his primary goal is “to make sure that [digital currencies are] not used for illicit activities” and, to do this, he has suggested “the world have the same regulations.”); Emmanuel Macron, President of France, Special Address at the World Economic Forum (Jan. 24, 2018) (calling for “a global contract for global investment”).
5. See FATF 2015 Guidance, supra note at 12.
6. Zachary K. Goldman et al, Terrorist Use of Virtual Currencies, Center for a New American Security (May 2017), lawandsecurity.org/wp-content/uploads/2017/05/CLSCNASReport-TerroristFinancing-Final.pdf
7. Venezuela Says Launch of “Petro” Cryptocurrency Raised USD735 Million, Reuters (Feb. 20, 2018), reuters.com/article/us-crypto-currencies-venezuela/venezuela-says-launch-of-petro-cryptocurrency-raised-735-million-idUSKCN1G506F
8. For example, the cryptocurrency Monero uses “stealth addresses,” which are randomly generated for each individual transaction, and “ring confidential transactions,” which conceal the amount being transacted. See Nicolas van Saberhagen, Crypto-Note v. 2.0 (Monero White Paper) (Oct. 17, 2013), github.com/monero-project/research-lab/blob/master/whitepaper/whitepaper.pdf
9. Eg, FATF Recommendation 10 (“Customer Due Diligence”), cfatf-gafic.org/index.php/documents/fatf-40r/376-fatf-recommendation-10-customer-due-diligence
10. 31 C.F.R. § 1010.313.
11. 31 U.S.C. § 5324.
12. Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States (Apr. 26, 2005), fincen.gov/sites/default/files/guidance/guidance04262005.pdf
13. Id. at 3 (stating that “it is reasonable and appropriate for a banking organization to insist that a money services business provide evidence of compliance with such requirements or demonstrate that it is not subject to such requirements”).
14. Fed. Fin. Insts. Examination Council, Nonbank Financial Institutions—Overview, Bank Secrecy Act Anti-Money Laundering Examination Manual, ffiec.gov/bsa_aml_infobase/pages_manual/OLM_091.htm (last visited Apr. 12, 2018).
16. An ACAMS white paper has raised concerns over the phenomenon of derisking in crypto services, and of the potential fair banking services ramifications. “While consistent regulation is lacking, [VCEs] are being denied fair banking services because they are being ‘de-risked’ by [FIs]. The discrimination from fair banking services VCEs are facing is comparable to the medical marijuana industry. Unlike its high-risk counterpart, Fintech innovators operate in a field that is federally legal.” Sherri Scott, Cryptocurrency Compliance: An AML Perspective, ACAMS White Paper (n.d.), files.acams.org/pdfs/2017/Cryptocurrency_Compliance_An_AML_Perspective_S.Scott.pdf
17. FATF-modeled AML regimes include prohibitions on the acceptance of proceeds of a crime (“illicit proceeds”). See, eg, 18 U.S.C. §§ 1956-57.
This article has been abbreviated as part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication. The article was first published in The International Comparative Legal Guide to: Anti-Money Laundering 2018.