07 May 2019
For many in the anti-money laundering (AML) compliance sector, cryptocurrencies remain an enigma better avoided than addressed. In some corners, it can sometimes seem like compliance staff have assessed crypto-related products and services wholesale and ended up with the oversimplified conclusion of ‘cryptocurrencies: bad.’
Yet it’s apparent by now that virtual assets are here to stay, at least for the foreseeable future. Consequently, it would benefit any bank to have a strong grasp of the technology, not only because crypto-assets can be used for good or pose unexpected compliance risks, but also because jurisdictions are currently developing the standards by which financial institutions will have to operate when dealing with crypto firms.
For a sign that the technology isn’t going anywhere, one need only look at the draft interpretative note published by the Financial Action Task Force (FATF) in February, which would expand the scope of the intergovernmental group’s Recommendation 15 in an attempt to mitigate the risks associated with virtual assets. The note is expected to be formally adopted in June.
As part of the draft, FATF called on private-sector entities and industry experts to submit commentary on Paragraph 7(b) of the note, which would amend the organization’s Recommendation 16 by obligating member-states to ensure that virtual asset service providers (VASPs) collect and retain accurate information on payors and required data on payees.
FATF states that:
- National governments should consider virtual assets to be “property,” “proceeds,” “funds,” “funds or other assets” or other “corresponding value,” and apply appropriate FATF recommendations.
- Countries should assess the money laundering and terrorist financing risks associated with the technology and apply a risk-based approach (RBA) in managing them.
- VASPs should be licensed or registered.
- VASPs should be subject to adequate regulation and supervision for adherence to managing money laundering and terrorist financing risks.
- VASPs should be subject to criminal, civil or administrative proceedings if they fail to comply with money laundering and terrorist financing requirements.
- The “occasional transaction” threshold designated for VASPs to conduct customer due diligence should be USD/EUR 1,000.
- VASPs should retain originator and beneficiary information in relation to Paragraph 7(b).
- Countries should ensure “the widest possible range of international cooperation” in tackling money laundering, predicate offences and terrorist financing related to virtual assets.
Managing new risks
FATF’s interpretative note doesn’t stray far from Recommendation 15, according to Ross Delston, an independent American attorney and expert witness in anti-money laundering compliance.
“Like the recommendation, [the note] fails to explicitly refer to one part of the cryptosphere that is of great concern to practitioners like myself, and that is Bitcoin Teller Machines, or BTMs,” said Delston. “Like ATMs but different, these are machines often found throughout the world, including in European airports, that dispense Bitcoin (BTC) or other cryptocurrencies in exchange for cash being fed into the machine.”
BTMs often take credit cards, which “at least leaves a pathway to ultimate identification,” but the fact that the machines also accept cash without requiring customer data is a “huge opening for money launderers, terrorist financiers and other criminals,” according to Delston.
“I recommend to banks that they should treat crypto-[money services businesses] as high-risk customers, which means that enhanced due diligence (EDD) is necessary that includes continuous monitoring. EDD should also encompass an in-depth look at the AML policies, procedures and controls (PPCs) and how they are implemented,” said Delston.
What’s more, crypto-related money services businesses should go beyond the bare minimum of client identification requirements, including by conducting due diligence on where a customer’s BTC originated, what exchangers were involved in the transfer and whether the exchanges are legitimate, he said.
According to Delston, compliance departments of banks and exchangers alike should consider the following questions when dealing with virtual assets:
- Are the relevant PPCs comprehensive and tailored to the firm, and do they include proper terminology?
- Has there been a risk assessment for the firm? This is a required element of US guidance.
- Is the AML compliance officer or MLRO qualified, and do they understand the business side sufficiently, including how BTC is transferred and what its risks are?
- Has there been an independent AML audit or review on a periodic basis, as required under US law and international standards?
- Have all relevant persons been trained, including the board of directors and operational folks?
Utilizing new tools
On the same weekend that FATF released the draft INR.15, I flew to Switzerland to attend a ‘Blockchain and AML Training’ course run by the Basel Institute on Governance in partnership with Switzerland-based law, tax and compliance firm, MME—perfect timing to expand my knowledge on the subject.
By the time the course ended, it was clear to me that there is still plenty for AML compliance professionals to learn about the virtual asset space, and certainly more to virtual assets than the ‘cryptocurrencies-bad’ thinking suggests. For example, as a compliance officer, can you explain what the blockchain is and how it works? What is a hash? What about a cluster, a cold wallet, or a node? What are UTXOs and how do they work? How do smart contracts fit in?
During my time in Switzerland, I was also fortunate enough to see crypto-investigation software in action, in this case a product by California-based CipherTrace. As a former AML investigator, I have at times been frustrated by the fact that traditional transaction monitoring systems focus on payments between immediate senders and receivers without offering insight into where the money comes from or where it goes.
By contrast, blockchain software can produce not only network analyses of various entities (in this case, wallet IDs), but also “full node” information that traces where a unit of cryptocurrency has gone after it has been transferred to other parties. The technology can likewise show how virtual assets were used before the originator received them. This can be really helpful, particularly when mapping out networks or identifying whether crypto-assets have been pooled in a particular wallet.
The demonstration was also a reminder that, despite its financial crime risks, virtual asset technology has the potential for real innovation.
In 2017, UK-based fintech firm Nivaura issued two bonds through the Financial Conduct Authority’s regulatory sandbox: a “control bond” and an “experimental bond.” The control bond provides a model for the tokenisation of fiat money whereas the experimental bond marked the first-ever cryptocurrency bond fully settled on an open, public blockchain using smart contracts.
The London Stock Exchange Group announced in February that it had invested in Nivaura. That same month, JPMorgan disclosed that it had become the first US bank to successfully test a digital coin representing a fiat currency, thereby marking another milestone for blockchain technology in finance.
Virtual assets are changing finance, and compliance professionals should be prepared to adopt new tools and face new risks associated with the technology. If it’s true that criminals inevitably seek new ways to exploit the financial system, then it’s true we must seek new means to make it harder for them, no matter what means they use, and the only way to do this is to understand money laundering in all its forms.
Dev Odedra is an independent anti-money laundering and financial crime expert. He has over a decade of experience in managing financial crime risk in the retail, corporate and investment banking sectors. His expertise covers investigations, advisory and controls implementation and improvement.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.