How to Comply with FinCEN’s Rules for Virtual Currencies
In recent addresses, FinCEN Director Kenneth A. Blanco has repeatedly reminded financial institutions that they need to look at their risk exposure as well as, policies and procedures related to cryptocurrencies or convertible virtual currencies (CVCs).
Many FIs believe that this guidance does not apply to them since they do not directly buy, sell, or provide custody to virtual assets. However, research has shown that many banks do not know how to properly detect and monitor virtual currency-related transactions and in fact, are inadvertently allowing them to flow through their institution.
In this webinar, Dave Jevans, CEO at CipherTrace discusses the following:
- FinCEN’s rules for CVCs and what they mean to FIs
- Red flags and money laundering typologies for CVCs that are worth noting
- How CVCs are not detected by FIs and the surprising discovery by one bank when they used crypto intelligence to analyze the transactions flowing their institution
- Actionable steps within your screening and transaction monitoring processes that you can implement today to reduce your exposure to criminal actors using virtual assets
Here are the questions and answers from this presentation.
Q: At what stages does KYC come into cryptocurrency? Is it only when someone wants to buy crypto at an exchange?
A: Typically when they want to buy crypto at an exchange. Some of them will require you to register and do KYC if you are doing currency swaps. So there are services that allow you to swap from one currency to another. Some of them have historically not required KYC, which is a problem, because those are money transmitter services. Several of the big high profile ones have had visits from regulators and law enforcement and are now requiring it. So it’s not just buying and selling, sometimes it’s trading. But you know, as we’ve seen 56% of them really have poor or non-existent KYC at this point in time.
Q: If you were onboarding an individual, what would you be looking for?
A: I think the first thing you can do is run their name through the list of management and beneficiary owners of these virtual assets. Also run the companies through the list of P2P exchangers. So we maintain lists of who are the active people running these money service businesses, these P2P exchanges, and just see if you get a hit there and then dig a little deeper.
Q: If you were onboarding a business, what would you be looking for?
A: You would be looking for the name of the business and the names of the people to see if they are known to be operating cryptocurrency companies. You would want to look for the name of the business, you’d be wanting to also look for the name of their bank accounts. So a lot of these businesses are effectively DBAs (Doing Business As) if you will. You know, the name of their accounts what they register will be different from the operating name of the company. So you’re going to want to look for both of those.
And then I think once you’ve done the onboarding, doing a follow up a little later is also worth seeing if that account shows up in our data feeds because what we find is oftentimes, as I mentioned, there’s companies with 30 bank accounts. They may not use them for some period of time for this activity. They may keep them around in reserve and then use it if one of their accounts gets the derisked somewhere else.
Q: How is transaction monitoring done in cryptocurrency, is blockchain.info used for transaction monitoring?
A: No. So blockchain.info will give you a view of transactions, but you really have no idea where those transactions came from or where they’re going and whether they’re criminal sanctioned, ransomware etc. So what CipherTrace does is we have a whole team of analysts that monitors all the cryptocurrency exchanges and other VASPs out there. So we monitor over 3000 of them on a daily basis and probably every week there is 25 more that come up in the world.
Then there’s performing transactions between them, which goes into a whole set of algorithms that allows us to figure out which crypto addresses across which cryptocurrencies belong to which of these virtual assets service providers. You can imagine the data is much more rich than theblockchain.info, but it’s a whole layer of, terabytes of data of which addresses belongs to whom. And then we have criminal researchers who are looking at where stolen bank accounts are sold, stolen credit cards are sold, ransomware is done, the dark markets.
Then we have proprietary relationships with law enforcement and other providers to get you know, who are the bad guys, what’s been stolen, who’s trying to launder what through where. And then this is the information that gives you that rich intelligence that can be used to monitor your transactions either on the blockchain or in the banking system.
Q: CipherTrace announced that it applied for patents on a Monero tracing solution. How far along is this solution developed and when do you think that might be available to law enforcement agencies?
A: We’ve been working on it for year and a half now. The initial research was funded by the Department of Homeland Security. So yeah, we’ve been working on it for some time. I will say this, it’s a work in progress. You know, there’s probably quite a lot more work to be done here. Monero is the most difficult cryptocurrency to trace.
We’ve developed a number of effective mechanisms for reducing, you know, all the decoy transactions, for example narrowing down on the transaction flows, the visual exploration of Monero as it moves between addresses and probabilities, but there’s still quite a bit more to be done. So I don’t know that you’ll ever be able to deterministically track it like you can track Bitcoin, but you know, there’s a lot to be done there, but we could probably talk for hours about where we are and what needs to be done. But we keep in touch with law enforcement quite closely because there’s a bit of interest as you could imagine.
Q: In the prepaid card space, moving on through, what would you be looking for via transactions?
A: That is an interesting one. So you know, we’re working on that as far as who’s issuing them, how they’re related to crypto. You’d also be wanting to look at where those funds are going to, so are they using prepaid funds to purchase crypto? So you know, right now, that’s where I would say it stands. I think you know, there’s considerable work to be done there in understanding that loop. And we’re working with some of the issuers of these cards to get a better understanding of how to close the entire loop.
Q: Is there a central database where illegal crypto providers are listed?
A: That’s part of what the product offerings that CipherTrace brings to banks and government agencies – that database of who is bad, who is good. So we have a whole knowledge base inside the system, which breaks them down into high-risk virtual asset service providers, criminal ones, sanctioned entities, terrorist entities, ransomware entities, dark markets, exchanges, scams, all that stuff. So there’s a massive set of databases, easily sortable and then gives you the information so that you can use and filters. And then of course we have the bank account information, the credit card information, and other things tied into it.
Q: How can VASPs prevent processing transaction from mixer services?
A: CipherTrace has a product that VASPs purchase, which is called Sentry. It’s a programming interface and API that is a real time risk scoring API. So similar to what you would use when you process a credit card, for example, where you need to do it in real time. It’s a real-time API.
So when money comes in, for example, or money is about to be sent out, you call the API and in 50 milliseconds, it comes back and says, okay, it’s risky or it’s not. And it will tell you things like, it came through a mixer and we have categories of all the different mixers and there’s risk scores around it. So, “it went through a mixer, but it came through two steps before it got you,” things like that.
So that’s how you do it, is you do it in real time when the funds come in so then you can determine whether you need to take a look at it. Or if someone wants to send to a mixer, if that’s against your policies, you can stop it. But typically the main thing is you want to control it on the inbound when people send you money.
Adding crypto intelligence to existing AML systems
Given the recent emphasis by FinCEN and the failure of internal ad-hoc systems, Alessa recently partnered with CipherTrace to add crypto intelligence data to AML solutions. The data provided by CipherTrace enables financial institutions to:
- Identify customers transacting with convertible virtual currencies (CVCs) and unregistered crypto MSBs that may be attempting to evade supervision and fail to implement appropriate AML controls
- Monitor wire transfers, ACH and credit card transactions to identify customers involved in CVC transactions
- More effectively track the accounts associated with peer-to-peer crypto exchanges and smaller virtual currency kiosks, and cross-references the contact information of small virtual asset service providers (VASPs) with customer records to flag suspicious activities
Once a customer or transaction has been flagged, a risk score is applied and the compliance team can do the necessary investigations to determine whether the transaction needs to be reported to the regulator.
To learn more about how Alessa can help mitigate the risks associated with virtual asset players and transactions, contact us.