How to Use FinCEN/FATF’s Red Flags for Virtual Currency Compliance Program
In 2020, FinCEN and Financial Action Task Force (FATF) released various publications designed to assist financial institutions (FIs), designated non-financial businesses and professions (DNFBPs), and Virtual Asset Service Providers (VASPs) in identifying and mitigating risks of virtual currency (VC) transactions. But how can these be applied to an AML compliance program?
Pamela Clegg, Vice President of Financial Investigations at CipherTrace reviews the red flag indicators published by FinCEN and FATF and addresses how they fit into an AML compliance program. She also discusses how to use blockchain analysis and cryptocurrency intelligence to identify these red flags and mitigate their risks, as well as, a number of case studies that shows how financial institutions were able to identify illicit activities involving virtual currencies that were flowing through their institution.
Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. It is not intended to provide legal or other professional advice, and should not be relied on as such.
Q: How can an FI tell the difference between an ATM virtual currency transaction versus a transaction such as a purchase direct from Coinbase?”
A: Currently, most crypto kiosks, you’re actually going to input cash. In that case, from a bank, what you are primarily going to see is your customer withdrawing a lot of cash, and then obviously, you’re not going to see the cash going into the Bitcoin ATM. You could certainly see the offramp into, possibly, a debit card. Some crypto entities allow you to offramp into prepaid debit cards but most of that is going to be cash.
Now, what we have seen are banks who have installed Bitcoin ATMs themselves at their own institutions, and that is a situation where a) you make all the profits yourself instead of letting some other Bitcoin ATM operator make the profits b) you already have KYC on your customers.
If they are using it like a regular ATM and they are inserting their debit card, you know who’s using that Bitcoin ATM. Therefore, you already have the KYC done, and so then, you can do a lot of the rest from there.
You are going to need some additional policies and procedures to adhere to but that is one technique that we have seen. But most Bitcoin ATM activity is still cash-based, so you’re just really going to see the cash leaving their account.
Q: If the bank’s customer is operating a Bitcoin ATM, how would they go about monitoring that? We have keyword scans for privately-owned ATM vendors, but who are the Bitcoin ATM independent sales organizations (ISOs)?
A: First of all, if you have a customer that is operating a Bitcoin ATM, right, they have to be a registered MSB, so you would have them provide all of that information for MSB, check their FinCEN registration, all that kind of good stuff.
Look at where their Bitcoin ATMs are physically located. What are the agreements with those malls, what are the agreements with the gas stations, wherever it is that their Bitcoin is setup?
And then, as far as their actual transactions, the Bitcoin ATM operators are going to be buying their Bitcoins wholesale somehow. So, they’re going to take the cash out of their Bitcoin ATM, they’re going to deposit into your bank. That’s the customer’s cash. And then, the Bitcoin ATM operator is going to take that cash and send it off to some exchange, whether that’s Cumberland Mining, whether that’s Gemini, whomever it is, to buy more Bitcoin to feed their Bitcoin ATMs.
You are going to be right in the middle of all those transactions, so you should be able to identify with whom the Bitcoin ATM operators are transacting with. And then, you’re going to want to know their hot wallets, so you can look at with whom their customers are transacting as well, right.
So, really and truly, you’re going to want to have a relationship with us in some way so that you can mitigate all that risk which is definitely not impossible. I work with small community banks that bank Bitcoin ATM operators, and they have their compliance program geared up and ready to go to bank those crypto kiosk operators.
Q: What are some of the mitigation steps for business customers, so specifically convenience stores that have Bitcoin kiosks on site?
A: That’s a good question. That is definitely a little piece of property that the gas station convenience store has that should make them a nice little chunk of change. If I were the gas station, I would most certainly want to have an agreement with the kiosk operator. I would want to know if that kiosk operator’s registered. I do not want to have a kiosk operator who is unregistered operating in my store because then that puts me at a higher risk as well. I do not want them to track the wrong customers because then those wrong customers are going to come into my store.
Q: What is your view on FinCEN’s approach to indirect exposure, so for example, one or more steps removed from the actual transaction to a category like darknets?
A: Again, this is really where it becomes pertinent to have that information, like I showed you, the transparency, and looking at that interaction risk for those exchanges. You know, is it possible that the exchange that my customer is sending dollars to would allow them to do darknet transactions. Again, risk-based approach. If my customer is sending U.S. dollars to Gemini, Gemini is probably not going to let them do darknet transactions. Gemini has a robust program.
It’s really about identifying the risk of that intermediary institution. So, the bank’s over here, the bank customer sends to the exchange, and then it’s through the exchange that you could send to your darknet. So, it’s really looking at that intermediary risk of that exchange.
Q: Do the same rules apply for digital currency?
A: Digital currency is different in a couple different ways. Number one, digital currency represents physical fiat in most cases. Digital currency represents a dollar, or it represents the yuan, or it represents some type of fiat. Digital currency is not always blockchain-based.
Most regulators are really starting to differentiate between digital currency and virtual currency. And they should because they’re different concepts.
Q: Do you have an opinion or something you can share in terms of the compliance requirements for digital substitutes for fiat, and advice to treat the transactions?
A: Look, if they’re digital transactions, you need to look at the intermediary entity there, basically the third-party payment processor. If you are talking about Square, Venmo, PayPal, or whoever it is that’s in the middle of that digital transaction, that’s who I really want to be evaluating. They are mostly 3.14b registered, so reach out to them.
Q: Are exchanges following scheduled periodic review processes, or have they shifted to an event-based, ongoing due diligence model?
A: I hate to give the government answer of, “It depends.” It really depends on the exchange and their compliance program. We have seen a lot of exchanges build their compliance programs with compliance officers who came from the banking sector. So, in that sense, they tend to follow more of a traditional banking model and do more of a kind of a scheduled review. But a lot of exchanges are, quite simply, reactive to just the suspicious behavior that they might spot, and so then they kind of just react, and then build a case off of that as they’re submitting that SAR.
Q: Will transactions involving Bitcoin mixtures reflect in the client’s bank account, or will that conversion take place in the client’s Bitcoin wallet and then transfer to the client’s bank account?
A: That’s correct. They will not show up in the bank account. Those are all on-chain transactions, so you are not going to see that touch. It is going to touch an exchange. If I run it through a mixer, and then I send it to Coinbase to cash out, it is going to touch Coinbase, not the bank.
Q: Do crypto mixer services actually have any legitimate business purpose?
A: Some argue they do.
We just saw, the creator of Bitcoin Fog was arrested in Los Angeles a week ago. You can Google that, “Bitcoin Fog.” A guy was arrested in Los Angeles. Another really good case study to look at is the Helix mixer, H-E-L-I-X. That was Harmon, was his name, and he was from Ohio, and kind of lived between Ohio and Belize. He was also arrested and pled guilty.
Technically, mixers are not illegal, but in order for them not to be illegal, they would have to register as an MSB. And if they register as an MSB, they would certainly have to have an effective AML program, and they would have to report suspicious activity, which would kind of negate the whole purpose of them being a mixer.
Q: How does CipherTrace identify mixers?
A: Well, number one, we run funds through mixers. So, we get to send some of our funds through the mixers to identify those. And also, mixer transactions are usually pretty evident. There’s, you know, 60 inputs and there’s 100 outputs. They’re pretty easy to spot. And then, some of the mixers also follow the same algorithms, or they have a computer algorithm that they routinely rely on to mix their funds, so we can identify the transactions that way. But a lot of it is from sending funds to and from mixers ourselves.
Q: Looking from the point of view of correspondent banking, how should the correspondent bank act in these transaction monitoring cases since they will not have access to KYC data?
A: That’s a good question. So, the correspondent bank is providing the funds that are then going to be sent to the exchange. Is that right? I think that’s the situation that they’re describing.
I mean, I think a lot of this all goes down to the travel rule. Look, we even have a travel rule in crypto. Travel rule for crypto, if I’m Coinbase and I want to send a transaction to Gemini, I have to send my originator and beneficiary information along with that transaction. So, I mean, I guess I would apply the travel rule in whatever information gets passed along with those transactions via the correspondent banking, is, I guess, what you’re probably going to go off of.
Q: Do you know if there’s any sort of specific amounts you tend to see for structuring for virtual assets?
A: Less than a Bitcoin, usually. Well, it depends on the price of Bitcoin too, but definitely under a Bitcoin tends not to raise red flags in an exchange, so they like to keep it under a Bitcoin if they’re structuring into an exchange.
Now, if they’re structuring at a Bitcoin ATM, it’s going to depend on the record-keeping threshold that Bitcoin ATM set for their customers. So, if the Bitcoin ATM requires me to provide identification at $500, then I’m going to do $400, and then I’m going to do it multiple times with different phone numbers or different locations, or something like that.
Q: Given that you can do multiple hops back to the true source of funds, could the argument be made that blockchain analytics is more robust or effective than traditional transaction monitoring?
A: Absolutely. I always say, “I would much rather investigate crypto currency transactions than cash transactions, any day.”
Q: What CDD questions would we be asking a VC miner? What would be suspicious activity to watch for?
A: For a VC miner, that would be anybody who’s mining virtual currency, I would certainly want to know if they’re engaged in the pool activity, right. So, do they pool with anybody else, and with whom are they pooling? A lot of crypto now, you can’t have enough computing power by yourself to be able to mine on your own, so you very well might pool together with somebody else.
And then, I would also want to know, what are they doing with the coins that they mine? Do they hold them for investment purposes? How do they hold them?
I would also want to know, do they have any agreements with any exchanges to wholesale those coins, right? So, let’s say I’m mining LikeCoin, maybe I have an agreement with Gemini to sell them my LikeCoin, right, so that Gemini now can have more LikeCoin to provide to their customers or whatnot. So, do they have any agreements for wholesale?
Also, you know, as I mentioned, how do they store those coins, but like specifically, how do they store those coins? Do they have hardware wallets? What does their cold storage look like?
Then, you know, who else is involved in the mining activity? Is it an individual, or is it a corporation? So, do they have other people, an LSC maybe? Maybe it’s a group. If that’s the case, I would definitely ask for UBO on that particular entity. I mean, you have to, but I would certainly check out UBO on that.
And then, if they’ll provide past activity or accounts that they have at exchanges, that definitely says a lot about a person, right, what exchanges they tend to use.
Q: Does CipherTrace consider VPN addresses as a red flag?
A: Unfortunately, no, because most everybody uses VPN, especially in the crypto world. No, but I would certainly consider like Tor exit nodes, right. So, definitely look at Tor addresses.
Q: How can an FI identify a person who may be privately mining for virtual currencies?
A: It would be exchange activity. So, if they’re mining the coins, they’ll have the actual coins themselves. They’re going to send them to an exchange to cash out. So, you would be looking at incoming funds from an exchange.
You could also see other types of transactions in their account, such as, the mining rigs that they have to purchase to be able to have the mining equipment – things like that.
The type of infrastructure that they would have to be able to support their mining activity would probably be evident if it was just a consumer, and they tend to have elevated costs for internet and electricity. But the equipment costs, for sure.
Q: I heard that Bitcoin kiosk ATMs do not need to be registered as cash ATMs. Is that true?
A: I don’t know about cash ATMs. They [Bitcoin ATMs] have to register as an MSB, for sure. So, Bitcoin ATM operators are considered under the category of exchanger in FinCEN’s regulation.
There’s three categories when it comes to crypto. You can be a user, an exchanger, or an administrator. And they are certainly considered an exchanger, so they do have to register as a money transmitter. They have to register as an MSB. I don’t know about the difference between cash ATMs. I didn’t deal with a lot of cash ATMs at the bank, so I wouldn’t be able to clarify that part.
Q: Would the service provider need a third party to monitor transactions and/or delve into tracing the wallet back?
A: So, I’m assuming service provider being some type of a crypto entity. Yes, they should be running… If it’s not us, then they’d be running a competitor.. They need to have some type of transaction monitoring… It’s like a bank not using AML software.
Nowadays you have to have some type of transaction monitoring software. And then because what we do is, we identify those bad addresses. That’s not just out there on the blockchain, so they wouldn’t just know that that address belongs to a darknet marketplace. We tell them it’s a darknet marketplace because we go out and we engage with the darknet. So, we do those mixer transactions, so that we can identify those mixer addresses. So, all of that information is added intelligence on top of the blockchain that they get.
Q: Why is Tor a concern? Many people I know just use Tor for privacy reasons.
A: Sure. Many people do. Many people also send legitimate transactions to and from the Cayman Islands and Panama.
I didn’t quite address it directly, but there are non-illegal transactions that go through mixers as well. People who I like to call crypto libertarians, don’t want anyone seeing their transactions. It’s not inherently illegal, it’s just that the majority of the transactions, or the majority of the activity that does take place via those highways, whether it’s Tor or whether it’s mixers, or whether it’s what-have-you, are actually illegal or illicit activity. So, the antenna’s going to go up anyway.
Q: How do you deal with customers constantly changing IP addresses, and so using VPN, to circumvent detection?
A: That’s a good one. You know, so we do have IP data in our tool, so we can see those IPs bounce around sometimes.
I would say look at the customer’s profile and see if that’s something that is normal. I mean, if my 95-year-old grandma’s logging into her online banking from different IP addresses, that’s not normal. She does not run a VPN, so, that would definitely raise red flags. But if I did it, that is pretty normal for me. So, I think you kind of have to take an individual, case-by-case look.