Crypto Regulation: Apprehending Illicit Activity

By Andrew Simpson, Chief Operating Officer, Alessa by Tier1 Financial Solutions

Many financial institutions are still examining ways to monetize opportunities in the evolving and increasingly sophisticated crypto markets. However, while the extent of regulation for certain cryptocurrency transactions and crypto-to-crypto exchanges differs by jurisdiction, one thing is clear—most countries seem to agree that the commercial exchange of cryptocurrency for fiat currency should be subject to KYC, AML, and securities obligations.

Existing FinCEN regulations and advisories clearly state that it is the responsibility of all financial institutions to identify and report suspicious activity concerning how criminals and other bad actors exploit virtual currency for money laundering, sanctions evasion, and other illicit financing purposes.

FinCEN Director Kenneth A. Blanco said in September 2020, “Banks must be thinking about their crypto exposure as well. These are areas your examiners, and FinCEN, will ask you about when assessing the effectiveness of your AML program… If banks are not thinking about these issues, it will be apparent when examiners visit.”

Virtual asset service providers (VASPs) can be higher risk, but they can also be very lucrative customers. As of January 2020, Coinbase, a U.S. cryptocurrency exchange, oversaw $21B in assets for 35 million users who buy and sell cryptocurrency by connecting their bank accounts to their Coinbase accounts and became the first U.S. exchange to go public.

Employing a Robust AML Program

Regardless of whether you are intentionally banking with VASPs, every regulated entity needs to evolve their AML program to demonstrate a risk-based approach towards cryptocurrency businesses and transactions. To start, have policies and procedures in place that help you answer questions pertaining to VASP registrations, whether KYC programs are already in place, and how transactions, payments and sources are identified and monitored. 

Avoid use of homegrown name-matching systems

Some financial institutions have built homegrown systems to try to identify cryptocurrency-related accounts. However, this approach results in many false positives and misses large amounts of funds flows. CipherTrace research has found that a typical name-based homegrown system may miss as much as 70% of crypto exchanges, and up to 90% of actual transaction volume. 

For example, “Gemini” is not only associated with the famous crypto exchange run by the Winkelvoss twins, but also Gemini Middle School in Maine, Gemini the wood coating manufacturer, Gemini the 40-year old construction business, and multiple others. Most open-source lists are incomplete, perhaps covering the top 100 exchanges but leaving out the other 600+. Even if customers were transacting with a cryptocurrency exchange you had on the list, many exchanges do not operate business under their popular name. 

For example, cryptocurrency exchange “Zebitex” does business under the vague name “Digital Service,” while Abra’s legal name is “Plutus Financial Inc.”

Risk profile each VASP 

Historically, financial institutions have treated all cryptocurrencies as one-and-the-same. This does not reflect the reality of cryptocurrency. Each cryptocurrency poses unique risks. Certain cryptocurrencies provide significant privacy and anonymity for their users. Individuals use these currencies to ensure their transaction and account privacy. While this does not imply their activities are illicit or illegal, greater privacy implies greater risk for financial institutions. Understanding the different cryptocurrencies and their level of risk is as critical as and can be more difficult than understanding geopolitical risk. 

While established cryptocurrencies like Bitcoin and Ethereum have large networks that protect them from individuals or groups that may try to take over the currency, that is not the case for smaller currencies. Depending on the technical implementation, the market capitalization and the size of the network, certain cryptocurrencies may be easy to manipulate, potentially causing significant losses for its users.

Monitor for Crypto Transactions 

As more mainstream consumer and institutional investors embrace cryptocurrencies, it becomes increasingly difficult, if not impossible, for traditional FIs to avoid entanglements with the crypto economy. According to FinCEN, activity involving cryptocurrency may be observable by financial institutions specializing in commerce related to crypto; financial institutions servicing such businesses; and financial institutions with customers actively involved in the use of cryptocurrency. 

If a bank is unable to accurately determine if their institution is serving virtual asset businesses, or if their customers are transacting in virtual asset-related payments, there is no way for them to comply with their BSA obligations.

Use blockchain forensics 

While blockchain technology provides new challenges for AML/BSA compliance, the public ledger of many cryptocurrencies such as Bitcoin or Ethereum allows for a level of transaction visibility that is not possible in traditional finance. Using blockchain forensics tools, compliance teams can analyze the transaction history and quickly risk rate any crypto customer or counterparty. This provides an incredibly valuable tool in analyzing the risk of an individual based on their transaction history and transaction proximity to high risk wallets, such as dark markets.

When evaluating the risk associated with a particular cryptocurrency, compliance officers have new challenges and new risks to consider and manage. One third of all cryptocurrency exchanges have opened since the beginning of 2018, and this trend is unlikely to slow. With adoption of these new financial vehicles growing and new users coming on-board every day, financial institutions need to engage in this new industry while managing the associated risk.