Everything AML Compliance Teams Need to Know About Crypto
Cryptocurrencies have gone from obscure to mainstream over the course of the decade. Banks can no longer ignore the risks—or forfeit the rewards—of the blockchain. A December 2020 survey by Cornerstone Advisors found that 15 percent of US consumers own cryptocurrency and that of those, 60 percent would use their bank to make such investments.
At the same time, regulators are stepping up pressure on financial institutions to identify and report any suspicious activity related to the exploitation of cryptocurrencies for money laundering, sanctions evasion, and other illicit financing purposes.
In this webinar, CipherTrace CEO Dave Jevans presents a complete primer for banks and financial institutions on how crypto transactions flow through the financial system, how crypto users and transactions evade detection, and how to take a risk-based approach to this emerging financial instrument.
Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. It is not intended to provide legal or other professional advice, and should not be relied on as such.
Q: What do you think that our audience should be doing to get started in amending or enhancing their existing AML Compliance Programs so that they are able to adapt to these increasing regulations related to cryptocurrencies?
A: I think that the first thing is what’s happening today. So attending these types of presentations, learning, that’s, to me, the most important. Also establishing somebody inside the financial institution, who is going to lead the training and learning effort.
Then getting involved and understanding the couple of resources for the regulatory space. Now, the regulatory space is going to be changing very quickly, in 2021. So we will see in mid-June, mid to late June, the Financial Action Task Force recommendations, we are going to see changes at OCC, we will most likely see changes at FinCEN. So being able to monitor those changes. Also, if IRS regulates you, let us say you are a payment provider and not a bank, understanding that and having those contacts, that is important as well.
Then, I would say setting out a strategy around identifying whether you are setting up a monitoring program. So, for example, I want to extend my BSA compliance to be complete and look at virtual assets. So what is that program? So how do I get technology in or programming? How do I measure efficiency on can I detect wire transfers, ACHs, credit and debit cards that are related to crypto and then setting up rules to integrate into your existing reporting and alerting system.
And then I’d say lastly if there’s a strategy in the bank to either bank cryptocurrency companies, the high-quality ones obviously, how are you going to validate them and what is your ongoing monitoring program going to be? And then if you’re going to actually offer virtual currency services like custody, then that’s a whole other discussion around initial onboarding, verification, and monitoring. You also have to think about travel rule compliance, how to budget for it, how to know if you are compliant, and which countries you are able to do business with.
Q: What kind of questions should banks be asking during onboarding? Could you provide some sample questions?
A: There’s an organization that we’re a member of called TRISA. It’s the Travel Rule, Information Sharing Alliance, and you can find it at T-R-I-S-A, trisa.io. That is a nonprofit organization that we helped form with a number of cryptocurrency companies and financial companies to create a questionnaire that banks can use to validate and onboard customers.
Now, what we did is we took the Wolfsberg correspondent banking questionnaire and got it down to focus on crypto. And so I would take a look at trisa.io. So that was a collaborative effort for about nine months on a global basis to look at what you can do and what you can ask. We do have a project that we are working on with Global Digital Finance, GDF, to create a little bit more expanded version of that. But that’s a really good place to start.
And then if you want to go a little bit deeper than that, then you’d want to sort of either wait for that project that we’re working on or blend it together with the Wolfsberg agreement. But I think what you’ll find is when you’re onboarding, the Wolfsberg agreement is just, 90% of it’s not applicable to onboarding.
But let me give you some examples. Obviously, where are you? Where is your jurisdiction? Who are the beneficial owners? All the typical things that you would do. But then what currencies do you support? What are your anti-money laundering capabilities?
So, for example, do you do transaction screening on inbound transactions? Do you do transaction screening on outbound transactions? Do you support privacy coins like Monero or Zcash because these can potentially introduce additional risk for money laundering? Who is doing the SAR reporting? What is your compliance with CTR or Currency Transaction Reporting? These would be the basics but if you take a look at this, again, the trisa.io there’s a questionnaire that will give you a very good start.
Q: When it comes to deposit account activity, how can a non-custodian financial institution distinguish between a traditional ATM custodian and a crypto ATM?
A: Very good question. I think that gets down to diligence around the crypto ATM side of things. So knowing who they are, getting a specific list, and then asking if these specific customers are in your custody side of things, I think that that’s, off the top of my head, my first idea around it.
Q: What are the regulations, if any, for independent Bitcoin ATM machines?
A: They’re regulated as money service businesses, so they have to register with their regulatory agency in the United States, that would be FinCEN. And in other countries, everyone has their own regulators. They have to register as MSBs, they have to perform customer identification according to the transaction level. So for example, some are at $250, some are at $500, some are at $1,000.
And then there’s different levels of compliance. So one might be taking a picture of your ID. At another level, it might be taking a picture of your ID and getting a phone number, and sending a text message to it.
Then there will be the travel rule requirement. So if the Bitcoin ATM is sending directly to another identifiable VASP they are required, certainly in the United States, shortly in Canada, definitely in Singapore, Switzerland, and probably most of Europe soon, to comply with travel rule. So it’s basic and they have to file SARs. So they really look like MSBs.
Typically, you can do $250 transactions without any identification. They are supposed to track it on a daily basis. So these are the questions you would want to ask. And again, that’s true of an individual or a company that owns 1,500 of these ATMs.
Q: How can a financial institution detect unregistered P2P exchanges transacting business via bank deposit accounts?
A: Tricky one. So that’s a service that my company, CipherTrace, offers. There may be other commercial offerings out there, but I’ll tell you how you do it.
You identify all P2P marketplaces, and these evolve all the time. So you have to have a full-time analyst team. You look at all the P2P marketplaces, then you monitor buy/sell offers on those marketplaces, and look at which accounts and which banks they are offering to buy/sell to. And then you engage with them and offer to buy/sell, and then you get to disclose the bank account information. And this obviously can vary over time. So it’s quite an involved process but if you want to build your own, that’s how to build it.
Q: How can an FI determine that its VA customer has software that effectively flags suspicious transactions?
A: So there are two ways to do it, and they’re complementary. One is asking them and providing an audit or asking for a third-party verification that they are actually doing it. And so this gets back to audit requirements and asking people when was their last audit, but that’s the first one.
The second one is to employ monitoring technology where you can specify that virtual assets service provider, and then have a monitoring system that will look at their cryptocurrency transactions over time, and identify the bad ones, the good ones, the risky ones, and then give you alerts if that ratio changes. That gives you a third-party view that is independent, and lets you monitor their previous history.
What happens over time, for example, they [VA] might say they have a virtual asset compliance program, but they might have bought the software and never turned it on, and that happens. You can tell that by comparing it against their peers.
Q: How are investigators going to gather evidence about the sender or beneficiary of a transaction, given that there is an issue of anonymity in crypto assets?
A: Crypto assets, by and large, are not anonymous, they are pseudonymous. It’s not everyone, but most of them. The way that it gets done right now for 99, 98% of it is that blockchain analytics companies can identify, eventually the source and eventually the receiver of the assets where it gets converted into fiat.
So it’s really about the endpoint of where does the money come from or where does the money go to and tracing it through all the intermediaries. And then at that point, the investigator knows where to file a subpoena. So it’s not about identifying the individual per se. Unless you have other information that these wallets belong to this individual.
Typically, most investigations are based on I know where the money originated, and I know where it cashed out. And then I can file subpoenas at both ends and then I can find the true name, address information, etc., of where the money was sent from and to.
Q: Does a merchant that starts accepting crypto for goods or services become a VASP?
A: Typically not, although there’s still a debate about that, but typically not. No, it would be the merchant processor that would be the VASP because they’re doing it on the behalf of the merchant, and not the merchant itself as someone who’s accepting.
Q: Are VASPs on the hook to comply with the new travel rules for money transfers? And if they are, can you explain a bit.
A: Yes, they are. It really depends on the country. In the United States absolutely. Switzerland, Singapore, a number of jurisdictions are very strict about it.
U.S. has had some regulatory forbearance, meaning that they have only right now had a prosecution once that involved it. But I anticipate that that’s going to increase as the technology availability of solutions increases over this year.
Switzerland, it has been enforced for quite some time. Singapore as well, you can’t get registered in Singapore without showing a travel rule solution. So I would say that, if you think about it globally, you’ll probably see, by mid to the end of this year, or certainly the early part of next year that you’ll probably see 80 to 90 countries where it’s required.
Now, the interesting challenge on travel rule is, if you’re in a country where a customer wants to send funds to another VASP in another country where they don’t have that regulation, we still do not have a strong answer from the regulators about are you allowed to do it. And this is what we call the sunrise problem, which is just like the sun doesn’t rise at 6 a.m. every day in the same country, that neither do regulations, they come up at different times.
And so you’ve got this challenge of, I’m in this regulated country, and my customer’s beneficiary is not. So what do I do? And so there’s various technologies to do that. So CipherTrace has been working on a solution, it’s also a regulatory conundrum. But keep an eye on this space.
There’s been a lot of thought in this area. But that is one of the biggest problems. And it’s similar to when travel rule became in place for wire transfers, it took some time to bring that up. And, you know, even though we were going through a centralized network at SWIFT, it still took some time. Here, we’re talking about a decentralized system with no central authority and many currencies. So it’s going to take some time.
Q: Does the FDIC definition apply to a noncustodial exchange? And as a follow-up question, and is it only for crypto to fiat?
A: Okay, second one first, it is not just from crypto to fiat. So FDIC definition applies from crypto to crypto. So, for example, Changelly or Shapeshift, all those would fall under the definition of a VASP. So I’m flipping from crypto to crypto. Now, on the non-custodial, well, I am not quite sure what a noncustodial exchange is, but I guess that must be a DeFi exchange. So today, they do not; they are carved out because they do not take custody. They are carved out from the regulations because they are viewed as data providers and simply facilitating peer-to-peer transactions.
Our view is that if you look at where FDIC has been going, which is you know, we’ve been privy to all of the proposed recommendations. They’ve got a lot in there about this, which is they are looking to bring those into the fold as virtual assets service providers, and make them have some accountability around record-keeping, investigative process, SAR filing, and AML.
Now, we’ll see how far that goes but that’s where it is right now. Those are their recommendations. Now, the tricky ground here is regulating and applying regulations on companies that operate these noncustodial exchanges or DeFi exchanges, where they clearly can be classified as VASPs versus software projects.
I, in particular, I’m absolutely against regulating software development coming from the crypto wars in the 90s when we tried to regulate crypto that just drove it all offshore. So I think doing that is a bad idea, but there is some middle ground here and that needs to be worked out.
Q: Are virtual currency ATMs currently accepting debit cards or credit cards for the purchase of virtual currencies?
A: Not to my knowledge, but it’s an obvious conversion point.
In my view, we’re either going to see traditional ATM providers adding virtual currencies into it and perhaps acquiring one of these cryptocurrency ATM companies, or we’re going to see the opposite, which is the cryptocurrency ATM companies get big enough that they’re going to add credit and debit cards. I haven’t seen one. It doesn’t mean they don’t exist, but I’m not aware of one at this time. It typically is cash.
Q: What’s the purpose of a DEX? What exactly is this and what would be the relationship to a bank?
A: So the purpose of a DEX is a couple. It creates a fully transparent market, meaning that it’s all run on smart contracts typically on the Ethereum blockchain, but we’re seeing a lot more move to Binance Smart Chain and some others which are lower cost because they have lower energy requirements to run the blockchain.
Their transactional prices are much lower. So what it does is, it basically says that I will write this, what we call a smart contract, and I’ll put it out in the public domain so everyone can read it. They understand that there’s fair trading rules and there’s fair pricing. So it’s not some mystery box, where, you go and buy/sell stock, you don’t really know what price you’re actually going to get and what the order book looks like and all that stuff, only the market maker really knows that. So it creates transparency there, that’s the first thing.
Next thing it does is it allows people, because you can trade between currencies and between users, to create contracts that mimic the existing financial services world. So for example, you can create contracts that allow you to borrow against your funds, and you lock it in.
It allows you to lock in your cryptocurrency into a contract that will not expire for six months. People can borrow against it, it allows you to lend simultaneously on the other side. This is what we call staking, but you can lend against it. You can say, “Well, I own this amount of this currency. I would like to make 6% interest on it.” And it’s all done through smart contracts, meaning no one can cheat you, no one could go bankrupt, you know that you’re going to get it, it’s programmatically visible.
It is all completely transparent and so you can create this massive wave of financial innovation products, which look like these giant institutions that we have built over the last 120 years. But you can write it all in software, and have very low transaction fees. There are no brokers, there are no brokerage fees, it’s very transparent. You know, generally, you know you are not going to get ripped off because it’s written in software. This is what is creating this wave of all these new products that are coming out.
Now, the bad side of it is, of course, people can offer contracts that have huge leverage. Right now, if you are skirting regulations, you can offer contracts with 10x, or even 100 times leverage. That is obviously something that is going to get cracked down on in various countries. The UK cracked down on it in January of this year, and we will probably see some of that coming in Canada, the U.S., and other countries.
That is the general idea of it, is full transparency, you know what you are getting, low transaction fees, no brokerage fees, and the ability to innovate and all these different products and sort of try to gobble up all of these different financial industries through software.
Q: How do we report cryptocurrency deposits in a compliant fashion? Do we complete a SAR?
A: If you feel it’s suspicious, you can complete a SAR, and there is a particular verbiage that, at least in the U.S. FinCEN wants you to use.
I think what you should do on flagging cryptocurrency deposits is find your own flagging mechanism, put it into your tool so that you know what it is and then look at it over time. And if you’re seeing a whole ton of it, then flag that for review.
Now, if somebody does one transaction at $250, that is probably fine. I would not necessarily file that as a SAR. But if they’re doing it every week, or if somebody comes in and does a $5 million one, then I would flag that if they’ve never done one before.
Q: What is the industry standard for financial institutions’ obligation to label, categorize virtual currency transactions? The person says we currently use a search list of common exchanges but as you explain there’s a lot of limitations.
A: There are many limitations. You do not have a requirement to label, for example, a SAR or anything like that as being cryptocurrency-related. You do not have to label it as crypto. They want you to but you do not have an obligation to. Certainly, you have an obligation to report what you know about it.
Q: Is exposure to crypto gambling services considered an AML red flag for a net-buy to analysis of the wallet cluster?
A: I would generally say yes because we’re seeing a lot of gambling services being used as money laundering services. Anything that takes a ton of money in, mixes it up, and sends it out tends to be abused.
I think a lot of gambling sites are used for that. But again, it depends on your jurisdictions. For example, if you are in Malta, 20 percent of your economy comes from gambling, you probably are not going to do it. But the fact is, if it’s a gambling site it is a risky proposition and you want to take a look at it.
Q: If a business-to-business payment is made via crypto, what is the bank’s responsibility in accepting the fiat from the exchange linked to the customer’s account?
A: I think that depends on the bank’s policy. If you are going to accept cryptocurrencies, you know who the customer is, you have a strong relationship with the customer and you have deemed that to be a non-risky account then great, okay, awesome.
If you think it’s risky then flag it, but a lot of people do it because the beauty of crypto is you can transfer money on a Saturday at 3 p.m. and your vendor can receive it at 3:20 p.m. and you know they got it.