Elevated Cryptocurrency AML risk considerations
Elevated financial crime risks in cryptocurrency markets
Cryptocurrency markets are potentially vulnerable to a wide range of criminal activity and financial crimes. Many of these risks materialize not on the blockchain itself, but in the surrounding ecosystem of issuers, VCEs, and virtual wallets that support consumer access to DLT. Rapidly evolving technology and the ease of new cryptocurrency creation are likely to continue to make it difficult for law enforcement and FIs to stay abreast of new criminal uses. Heightened risks include:
− Trafficking in illicit goods: Cryptocurrencies provide an ideal means of payment for illegal goods and services, from narcotics, human trafficking, organs, child pornography, and other offerings of the “dark web.”
− Hacking and identity theft: Virtual wallets and VCEs provide hackers with attractive targets for financial fraud and identity theft. If an account is hacked via one of these services, crypto holdings can be easily exfiltrated to anonymous accounts and liquidated for fiat or other assets, with little or no possibility of reversing or cancelling the transactions after detection.
− Market manipulation and fraud: While the blockchain in principle allows all actors to view and monitor exchange transactions, the ability to detect and deter insider trading, front-running, pumpand-dump schemes, and other forms of market abuse involving unregistered ICOs and unlicensed VCEs is severely limited. The absence of regulatory oversight of unregistered offerings and the ease with which criminal actors can create new accounts to execute manipulative schemes makes these markets vulnerable.
− Facilitating unlicensed businesses: Variations in the legal and regulatory requirements surrounding cryptocurrency services in different jurisdictions create added challenges in determining whether cryptocurrency businesses comply with local rules. Providing financial services to non-compliant entities could, in some circumstances, implicate illicit proceeds provisions of national AML laws.
Elevated AML risks too
In addition to fostering the criminal activity outlined above, the anonymity, liquidity, and borderless nature of cryptocurrencies makes them attractive to potential money launderers.
− Placement: The ability to rapidly open anonymous cryptocurrency accounts provides a low-risk means for criminal groups to convert and consolidate illicit cash.
− Layering: Cryptocurrency provides an ideal means to transit illicit proceeds across borders. Unregistered ICOs also provide opportunities for large scale layering. If the money launderers also control the ICO, then they can use a fraudulent “capital raising” to convert their cryptodenominated illicit proceeds back into fiat currency.
− Integration: The growing list of goods accepted for purchase with cryptocurrencies expands integration opportunities. The willingness of ICOs to trade crypto-for-crypto could also lead to criminal enterprises taking large stakes in cryptobusinesses, with or without the awareness of those businesses.
− Terrorism financing and sanctions evasion: The same anonymity and ease of creation makes cryptoaccounts ideal for persons to receive payments that might otherwise trigger terrorism financing or sanctions red flags. Although the use of cryptocurrencies is not yet widespread in terrorism financing, terrorist groups have been experimenting with cryptocurrencies since 2014 and Bitcoin has been raised for such groups through social media fundraising campaigns.6 States targeted by sanctions have also taken an interest in creating their own statesponsored cryptocurrency, with Venezuela debuting such a coin in February 2018.7
All of these risks are heightened among the unregulated sectors of the cryptocurrency markets. Given regulatory pressure to reject anonymity and introduce AML controls wherever cryptocurrency markets interface with the traditional financial services sector, there are signs that the cryptocurrency market is diverging, with some new coins being created to be more compatible with existing regulations while “privacy coins” prioritize secrecy of transactions and identities in order to facilitate off-market transactions.8
Managing AML risk of cryptocurrency users and counterparties
FIs should approach services and customers connected to cryptocurrency with a full understanding of their respective roles with cryptocurrencies and any potential elevated risks. As with any new line of business, the central AML compliance question for FIs will be whether they can reasonably manage that risk. FIs that choose to serve new lines of business or customer types should perform a risk assessment so that they can tailor policies and procedures to ensure that AML obligations can still be fulfilled in the cryptocurrency context.
Identification and monitoring requirements
The ability to confirm the identity, jurisdiction, and purpose of each customer is essential to the fulfilment of AML programs. In spite of the inherent challenges that cryptocurrencies pose in all these dimensions, an FI must ensure that its policies and procedures allow it to perform these core functions with the same degree of confidence in the cryptocurrency context as they do for traditional services. While the precise measures necessary will depend on the particular customer and service, some broad considerations apply:
− Customer and counterparty identification: An FI cannot enter into a customer relationship unless it has confirmed the true identity of the customer. Assuming that CIP has been performed on the customer with respect to other financial services, this is most likely to arise in the context of establishing proof of ownership over a customer’s crypto-assets held outside of the FI.
− Similarly, although some (eg U.S.) AML rules do not require FIs to perform CIP on transaction counterparties (whether or not to cryptocurrency transactions), acquisition of baseline counterparty information will typically be necessary for sanctions compliance, as well as to support anti-fraud and transaction monitoring efforts. Since both identification and watchlist screening procedures should be riskbased, FIs may find it appropriate to apply more enhanced measures to the verification of crypto-holder assets in view of the underlying risks posed by such assets.
− Diligence/KYC, account monitoring, and suspicious activity: The obligation to develop a reasonable understanding of “the purpose and intended nature of the business relationship”9 would apply equally when that relationship involves dealings in cryptocurrency. Again, given the special concerns surrounding cryptocurrency markets, FIs may determine that heightened due diligence is appropriate in this context. Similarly, FIs will likely find it appropriate to develop special red flags that apply to dealings in cryptocurrency markets, and must train responsible employees accordingly.
− Transaction reporting and recordkeeping: Depending on the nature of the transaction, national AML regimes may variously require FIs to record or report the same information from crypto-to-crypto or cryptotofiat transactions that pass certain thresholds as would apply for a non-cryptocurrency transaction. As with updates to CIP, the policies and procedures in place should give the FI assurance that the information that it obtains for this purpose is accurate and is sufficient for independent testing. Importantly, true identification of the holders of cryptocurrency accounts from which funds are sent and received will enable the FI to appropriately apply transaction monitoring controls, including aggregation requirements10 and detection of structuring payments.11 To the extent that the FI intends to rely on data analytics for these functions, such systems should be in place and tested before the FI begins processing such transactions.
Assessing and managing risks of customers dealing in cryptocurrency
Special AML considerations arise when the customer of an FI is itself a cryptocurrency business. VCE or wallet services may themselves be classified as AMLobligated entities, depending on the jurisdiction(s) in which they offer services. A currency administrator, such as the issuer of an ICO, may also be subject to AML obligations, and all three business types may be subject to other financial services licensing or registration regimes. We outline some of these issues below.
(a) Crypto-business customers that are financial institutions
FIs may be required to conduct additional diligence when onboarding and monitoring crypto-business customers that are themselves FIs.
Onboarding and risk assessment for a cryptocurrency business is likely to encompass a number of questions related to the business’s compliance with applicable regulatory requirements:
− Information gathering: Does the customer’s business and compliance model permit it to collect information sufficient to perform CIP and to risk rate its own customers? Does it permit it to obtain information as to counterparties and the locations of transactions?
− Monitoring and reporting: Does the customer have mechanisms in place for account monitoring and procedures in place for required reporting?
− Geographic controls: Is the service able to control the jurisdictions in which its services are accessed?
− Legal status and licensing and registration compliance: Has the service assessed the legality of its services in all the jurisdictions in which it operates? Has it undertaken the required licensing and registration outside the U.S.?
For example, in the U.S., FinCEN guidance on servicing MSB accounts, drafted prior to the advent of cryptocurrency, remains applicable to accounts for VCEs and wallets that are MSBs.12 In addition to performing CIP, this guidance requires FIs to confirm the FinCEN registration status of the MSB (or application of an exemption); confirm compliance with state and local licensing requirements, if applicable; confirm agent status, if applicable; and conduct a basic BSA/AML risk assessment to determine the level of risk associated with the account and whether further due diligence is necessary.13While an FI is not independently responsible for the effectiveness of its customers’ AML programs, deficiencies in any of these areas are red flags that should be considered when evaluating a customer’s particular risk level.14 Accordingly, FinCEN advises that “due diligence [of MSBs] should be commensurate with the level of risk ... identified through its risk assessment,” such that if a MSB presents “a heightened risk of money laundering or terrorist financing, [the FI] will be expected to conduct further due diligence in a manner commensurate with the heightened risk.”15
Cryptocurrency businesses may argue in some cases that, whether for legal or technical reasons, their services are not covered by applicable FI registration regimes. These arguments may have merit in individual cases, but FIs may need to take some steps to evaluate the validity of these assessments (especially in cases where there is some question as to the legality of the enterprise), and may be advised to factor registration risk into their overall assessments of whether and how to provide services to such customers.16
(b) Other crypto-business risks
Even where an FI has assurance that the customer crypto-business is not an AML regulated entity, the FI should update policies and procedures in order to be able to account for particular money laundering risks posed by the business.
The question of geographic control warrants particular attention in the context of servicing cryptobusinesses. In addition to the risk of dealing with sanctioned persons and jurisdictions, the current absence of uniformity in the treatment of cryptocurrency activities in particular, the differing registration requirements and the prohibition on issuance and exchange services in China creates legal risk analogous to other services that are legal in some jurisdictions but in not others, such as online gambling. The inability to control where such services are offered raises the possibility that the enterprise itself is engaging in prohibited conduct. Where such prohibition is criminal, these violations could cause the crypto-business’s earnings to be classified as illicit proceeds for the purposes of criminal AML provisions.17 Regardless of whether national law applies a strict liability approach or a knowledge/recklessness requirement to such acceptance, FIs’ compliance programs must include reasonable measures to detect and prevent such facilitation. Even where there is no risk of criminal violation, an FI providing services to a cryptobusiness should consider whether it would provide the services to a non-crypto-business whose registration status was in doubt.
Even for ICOs that do not qualify as obligated entities under relevant AML rules, FIs should carefully evaluate whether the structure of the ICO presents AML risk. An ICO should receive particular scrutiny if (i) the token sale is not capped per user, such that unlimited amounts of funds can be transferred to the ICO issuer, and (ii) the ICO intends to convert a portion of the raised funds to fiat. FIs should examine terms and conditions of an issuance to determine whether the issuer has controls in place to avoid wrongdoing.