How to Comply with FinCEN’s Rules for Virtual Currencies
In recent addresses, FinCEN Director Kenneth A. Blanco has repeatedly reminded financial institutions that they need to look at their risk exposure as well as, policies and procedures related to cryptocurrencies or convertible virtual currencies (CVCs).
Many FIs believe that this guidance does not apply to them since they do not directly buy, sell, or provide custody to virtual assets. However, research has shown that many banks do not know how to properly detect and monitor virtual currency-related transactions and in fact, are inadvertently allowing them to flow through their institution.
In this webinar, Dave Jevans, CEO at CipherTrace discusses the following:
- FinCEN’s rules for CVCs and what they mean to FIs
- Red flags and money laundering typologies for CVCs that are worth noting
- How CVCs are not detected by FIs and the surprising discovery by one bank when they used crypto intelligence to analyze the transactions flowing their institution
- Actionable steps within your screening and transaction monitoring processes that you can implement today to reduce your exposure to criminal actors using virtual assets
Here are the questions and answers from this presentation.
Q: What do you consider the three major AML/CTF-related risks associated with cryptocurrency?
A: I think one of the top ones is unknowingly providing banking services particularly to an unlicensed money service business. This can result in fines to the bank, being investigated, and if you’re not detecting it, you may get a knock on the door or a phone call or an email from an investigator who has found out about it because they’re investigating one of these exchanges that’s actually using your bank account. So, I would say that is probably the top risk.
The next one would be on the CTF side of things, if you are unwittingly providing funds for people to either cash out or donate funds for terrorist financing. It’s admittedly relatively small as far as our analysis goes. I mean, terrorists still like bags full of cash dropped out of airplanes onto Jeeps, but crypto is growing and being able to identify that as another one. And then I’d say the third one is going to be around credit and debit card transactions and identifying those because we are seeing more and more use of credit/debit card, but also alternate payment schemes to fund crypto that is involved in money laundering. So, those would be my top three, being able to identify those major risks.
Q: Do you know where the cryptocurrency payments are concentrated? Is the U.S. a big player?
A: The U.S. is a big player. So, if we look at transactional activity, now, this is pure payments activity. The largest is China, believe it or not, even though they keep trying to restrict it. Our analysis is that about 25% of transactions have China on one side of it or the other. The U.S. is next. And then Europe broadly is next. Germany has a lot. The Netherlands has quite a lot as well. The UK has probably over 100 virtual asset service providers, so that’s a lot, and then it breaks down from there.
Q: So, it sounds like there isn’t one specific region where there is a concentration of virtual currencies. You sort of need to be aware globally. Is that correct?
A: That’s correct. So, when we did our analysis, for example, of the KYC processes, we looked at vast in 80 countries, every country, as far as we can tell, including North Korea, because I was looking at that data earlier this morning, every country has some amount of crypto going on. And for example, we did an analysis on Iran, which, you know, many countries have sanctions against, we detected over the last 2 years over 72,000 different IP addresses involved in cryptocurrency transactions. So, it’s everywhere.
Q: What program would the unhosted wallets be using to store and transfer the virtual currency on an iPhone or computer?
A: There’s a number of wallet software that is available for iPhone and Android that you can get off the app store. So, there’s a bunch of different cryptocurrency wallets. There are ones that are open source. MetaMask is one. There are commercial ones that I like to use on my iPhone, I use one called BRD, B-R-D. I love it. It’s easy to use. It’s pretty secure and you can recover your funds if your phone gets stolen as long as when you set up a wallet, you set a recovery phrase and keep it locked in a vault in your house and don’t put it on the internet anywhere. I love that product.
On computers, there’s a whole bunch of different wallets out there. There’s an Electrum Wallet that is very popular. People use MetaMask quite a bit, although that has recently been subject to a number of spoof attacks, where there were people paying ads on Google Ads to fake MetaMask and people were installing it and they were stealing people’s crypto. So, always be careful, phishing happens in crypto, not just in banking and PayPal.
Q: Please clarify the placement stage to a digital wallet at a bank. Are these physical cash deposits or something else? And doesn’t the bank see it?
A: There’s like a couple of different ways that it’s done. So, there are walk-up cash deposits, and we did that in that case study, which was a nationwide scheme to put cash deposits in different branches. You know, sometimes you’d have two or three per day at different branches. And for some reason, that wasn’t triggering any suspicious activity in the existing monitoring, but when we were able to link it to crypto, then it immediately lit up all of this activity.
Wire transfers are a big way because, of course, a lot of this is international in nature. Crypto is very global. Every country is doing it, people in every country. So, everyone’s hungry for bank accounts. In fact, I’ve met a gentleman who runs a business, all he does is create bank accounts for cryptocurrency companies around the world and he charges $5,000 per account, and that’s 100% his business. Believe it or not, a former banker out of the UK moved out into a small little country village in Europe and makes a very good living creating bank accounts.
ACH is certainly is another way, and then credit cards. So, many financial institutions do not want their customers purchasing crypto with credit cards due to the fraud possibility. So, if crypto goes down, oftentimes you get a lot of chargebacks. But there’s, of course, obviously, the fraud and money laundering issues associated with it as well. So, we also see Venmo being used and PayPal quite a bit as well, which makes it difficult because you can’t tell what’s a good PayPal transaction from a bad one.
And so, that’s something that I think the industry is trying to work on here, is provide a little bit more clarity on some of these payment aggregators. You’ll also see payment aggregators like MoonPay, which effectively uses another service and their money service licensed business to be able to get money in and out of bank accounts and to fund the wallets.
Q: How can a bank’s monitoring unit tell that a transaction has gone through a mixer or a tumbler? Are there indicators for the bank to see?
A: So, I think the way to do that, because unless you’re directly hosting crypto, like, so, for example, if you’re going to be a custody provider, then yes, you can tell using blockchain analytics tools like CipherTrace to do that, you can tell that immediately. But if you are not directly dealing with crypto, then what you need to do is look at your customer who is doing crypto and look at their transactions.
Now, if they’re simply wiring money in from a risky exchange, you’re not going to be able to know, oh, well, I know that customer went through a mixer, then to that exchange, then to me. You won’t be able to make that transition and link directly.
There are some heuristic technologies we’ve been working on to try to link those things together through exchanges, but as you can appreciate, an exchange might have 10,000, 100,000, 1 million, 10 million customers, so it’s going to be very difficult to link it that way. What’s more important is to know that it’s a highly risky exchange.
Now, what some financial institutions are doing is if a customer is saying, “Well, I’m doing crypto,” or, you know, you know that they are and you call them up and say, “Well, you’re doing an awful lot of crypto. Why is that, for a personal account? What’s the source of funds?” for example. You may actually request some of their crypto addresses, and we’ve seen that as well. And then you can use tools like CipherTrace to monitor it and determine, “Oh, look, they’re sending stuff through mixers.”
Q: What pattern of transactions should the banks be seeing for anyone who has set up an unregistered MSB?
A: So, it’s difficult to do it just from pattern analysis traditionally. If you have a specific crypto monitoring tool that you’re able to run screens against your ACH and wire transfers or credit cards, then you’ll be able to know pretty much immediately with a high degree of certainty that they’re doing it based on the accounts that they’re sending or receiving funds to or from or where they’re purchasing using the credit cards. So, there, you’ll be able to tell pretty much immediately. And if you get one hit, then you’ll know that that customer may be doing others and you can start to look at their transaction patterns.
Now, most customers, you know, are legit. And so, you know, they might invest. So, for example, I personally had a system set up for the last 4 years an exchange in the United States where once a week, I would buy $500 of Bitcoin. So, you know, just regular, that type of thing, that’s fairly legit. It’s just, you know, like a savings account or an investment account. The criminal side tends to be either, you know, the stuff you’d expect, right? So, things that come in at just under $10,000 on a repeated basis. But for some of these things, it’s sketchy to do it just based on currency amount without having those other telltale signs.
Q: Are there any restrictions you would recommend FIs impose on individuals investing in virtual currency?”
A: The first one that a number of financial institutions have implemented is to not allow them to do it on credit cards. Some people do it on credit cards, but treat it as a cash advance transaction and apply fees on it immediately. But I mean, the most strict ones are those that say, obviously, it’s your money, you can do with it what you will, but the risk to the bank is really when it’s on the credit card side of things. I would say, I mean, unfortunately, people are gullible and there’s a lot of Ponzi schemes. There’s a lot of romance scams that all use crypto as a payment. There’s a lot of these doublers. So, you know, someone goes on Twitter and pretends to be Elon Musk and says, “Hey, you saw, I bought a billion and a half in crypto last month. To get everyone started, if you send me 1 Bitcoin, I’ll send you 2 for the first 100 people.” And that’s not investing, that’s just stupidity, but people do that every day. I’m not quite sure how you tell people not to do that, but, you know…
Q: What is your response to a banker that says we do not bank VCs?
A: I would say it depends on the size of the bank. Anyone from mid-size to large, I’d say, yes, you do, you just don’t know it. And it’s true, there’s probably tons and tons of small banks that don’t, but in our experience, you know, these P2P players, I mean, they’re basically MSBs. So, that means you bank crypto. With 8,000 cryptocurrency ATMs, someone’s banking them.
Q: Why don’t all regulators around the globe, criminalize dealing with cryptocurrencies? How do financial institutions sort of, you know, mitigate the risks around the cryptocurrency transactions?
A: Our research shows that criminal transactions using cryptocurrencies are around 1%. That includes theft, fraud, ransomware, drugs. That we can track, it’s around 1%. Now, can we track everything? No, but we work with others in the industry. We work with law enforcement around the globe. So, we have a pretty good picture. I mean, we might be wrong, it could be 1.5%, but it’s not 10%, and it’s not 5%, it’s around 1%.
So, you know, think about cash, a lot of that’s used for criminal. Think about credit cards, ACH, wire transfers, I mean, there’s crime everywhere. So, that’s why it’s not legal…I mean, cryptocurrency is only illegal in very few places mostly because governments want to control the currency. They want to control their people. They don’t want currency moving out of their country. That’s really the typical reason to do it.
If you look at cryptocurrencies, obviously, there’s a ton of functionality. There’s wonderful things that are being built with them on these DeFi systems. They power a lot of microtransaction systems, building things that could never be done before. They’re great investment products. They are remittance products, global products. I mean, people want to move money out of, you know, Venezuela, for example, for legitimate reasons, all kinds of things. That’s why it’s not illegal in all but a few very repressive regimes. The challenge is homogenizing regulations and enforcing what we have. So, for example, certain countries, like I mentioned, Seychelles, not to just finger them but they’re one that pops out as very high rate of having cryptocurrency companies domiciled there purely to avoid regulations. Well, if they were to enforce KYC on virtual asset companies or any other company, that would help a lot.
So, I don’t think we need more regulation, I think we need better enforcement of regulation and we need to empower financial institutions because at the end of the day, it all comes out of the bank or goes in at a bank. You know, help them enforce the rules and give them the tools and technologies and make it easy for them to help enforce it. I mean, crypto is here to stay. Like I said, it’s $4.3 trillion last year in transactions. That’s a third as much as MasterCard, Visa, AmEx, and every other credit card put together.
Q: Is there any special tags or wording that FIs should be putting into a SAR if they have identified a crypto transaction that is suspicious?
A: Yes, there is. For FinCEN, now and this isn’t true of other regulators, everyone will have their own thing that they want to see, but this is the tag that FinCEN wants you to use if you’re filing a SAR in the United States. So, CVC FIN-2019-A003. They would like to see that tag.
Here are questions from a previous presentation.
Q: At what stages does KYC come into cryptocurrency? Is it only when someone wants to buy crypto at an exchange?
A: Typically when they want to buy crypto at an exchange. Some of them will require you to register and do KYC if you are doing currency swaps. So there are services that allow you to swap from one currency to another. Some of them have historically not required KYC, which is a problem, because those are money transmitter services. Several of the big high profile ones have had visits from regulators and law enforcement and are now requiring it. So it’s not just buying and selling, sometimes it’s trading. But you know, as we’ve seen 56% of them really have poor or non-existent KYC at this point in time.
Q: If you were onboarding an individual, what would you be looking for?
A: I think the first thing you can do is run their name through the list of management and beneficiary owners of these virtual assets. Also run the companies through the list of P2P exchangers. So we maintain lists of who are the active people running these money service businesses, these P2P exchanges, and just see if you get a hit there and then dig a little deeper.
Q: If you were onboarding a business, what would you be looking for?
A: You would be looking for the name of the business and the names of the people to see if they are known to be operating cryptocurrency companies. You would want to look for the name of the business, you’d be wanting to also look for the name of their bank accounts. So a lot of these businesses are effectively DBAs (Doing Business As) if you will. You know, the name of their accounts what they register will be different from the operating name of the company. So you’re going to want to look for both of those.
And then I think once you’ve done the onboarding, doing a follow up a little later is also worth seeing if that account shows up in our data feeds because what we find is oftentimes, as I mentioned, there’s companies with 30 bank accounts. They may not use them for some period of time for this activity. They may keep them around in reserve and then use it if one of their accounts gets the derisked somewhere else.
Q: How is transaction monitoring done in cryptocurrency, is blockchain.info used for transaction monitoring?
A: No. So blockchain.info will give you a view of transactions, but you really have no idea where those transactions came from or where they’re going and whether they’re criminal sanctioned, ransomware etc. So what CipherTrace does is we have a whole team of analysts that monitors all the cryptocurrency exchanges and other VASPs out there. So we monitor over 3000 of them on a daily basis and probably every week there is 25 more that come up in the world.
Then there’s performing transactions between them, which goes into a whole set of algorithms that allows us to figure out which crypto addresses across which cryptocurrencies belong to which of these virtual assets service providers. You can imagine the data is much more rich than theblockchain.info, but it’s a whole layer of, terabytes of data of which addresses belongs to whom. And then we have criminal researchers who are looking at where stolen bank accounts are sold, stolen credit cards are sold, ransomware is done, the dark markets.
Then we have proprietary relationships with law enforcement and other providers to get you know, who are the bad guys, what’s been stolen, who’s trying to launder what through where. And then this is the information that gives you that rich intelligence that can be used to monitor your transactions either on the blockchain or in the banking system.
Q: CipherTrace announced that it applied for patents on a Monero tracing solution. How far along is this solution developed and when do you think that might be available to law enforcement agencies?
A: We’ve been working on it for year and a half now. The initial research was funded by the Department of Homeland Security. So yeah, we’ve been working on it for some time. I will say this, it’s a work in progress. You know, there’s probably quite a lot more work to be done here. Monero is the most difficult cryptocurrency to trace.
We’ve developed a number of effective mechanisms for reducing, you know, all the decoy transactions, for example narrowing down on the transaction flows, the visual exploration of Monero as it moves between addresses and probabilities, but there’s still quite a bit more to be done. So I don’t know that you’ll ever be able to deterministically track it like you can track Bitcoin, but you know, there’s a lot to be done there, but we could probably talk for hours about where we are and what needs to be done. But we keep in touch with law enforcement quite closely because there’s a bit of interest as you could imagine.
Q: In the prepaid card space, moving on through, what would you be looking for via transactions?
A: That is an interesting one. So you know, we’re working on that as far as who’s issuing them, how they’re related to crypto. You’d also be wanting to look at where those funds are going to, so are they using prepaid funds to purchase crypto? So you know, right now, that’s where I would say it stands. I think you know, there’s considerable work to be done there in understanding that loop. And we’re working with some of the issuers of these cards to get a better understanding of how to close the entire loop.
Q: Is there a central database where illegal crypto providers are listed?
A: That’s part of what the product offerings that CipherTrace brings to banks and government agencies – that database of who is bad, who is good. So we have a whole knowledge base inside the system, which breaks them down into high-risk virtual asset service providers, criminal ones, sanctioned entities, terrorist entities, ransomware entities, dark markets, exchanges, scams, all that stuff. So there’s a massive set of databases, easily sortable and then gives you the information so that you can use and filters. And then of course we have the bank account information, the credit card information, and other things tied into it.
Q: How can VASPs prevent processing transaction from mixer services?
A: CipherTrace has a product that VASPs purchase, which is called Sentry. It’s a programming interface and API that is a real time risk scoring API. So similar to what you would use when you process a credit card, for example, where you need to do it in real time. It’s a real-time API.
So when money comes in, for example, or money is about to be sent out, you call the API and in 50 milliseconds, it comes back and says, okay, it’s risky or it’s not. And it will tell you things like, it came through a mixer and we have categories of all the different mixers and there’s risk scores around it. So, “it went through a mixer, but it came through two steps before it got you,” things like that.
So that’s how you do it, is you do it in real time when the funds come in so then you can determine whether you need to take a look at it. Or if someone wants to send to a mixer, if that’s against your policies, you can stop it. But typically the main thing is you want to control it on the inbound when people send you money.
Adding crypto intelligence to existing AML systems
Given the recent emphasis by FinCEN and the failure of internal ad-hoc systems, Alessa recently partnered with CipherTrace to add crypto intelligence data to AML solutions. The data provided by CipherTrace enables financial institutions to:
- Identify customers transacting with convertible virtual currencies (CVCs) and unregistered crypto MSBs that may be attempting to evade supervision and fail to implement appropriate AML controls
- Monitor wire transfers, ACH and credit card transactions to identify customers involved in CVC transactions
- More effectively track the accounts associated with peer-to-peer crypto exchanges and smaller virtual currency kiosks, and cross-references the contact information of small virtual asset service providers (VASPs) with customer records to flag suspicious activities
Once a customer or transaction has been flagged, a risk score is applied and the compliance team can do the necessary investigations to determine whether the transaction needs to be reported to the regulator.
To learn more about how Alessa can help mitigate the risks associated with virtual asset players and transactions, contact us.