Cryptocurrencies a Moving Target for Compliance Officers

January 7, 2020

If you have had experience with cryptos, you will understand that they are not just a digital or virtual version of a fiat currency. There are similarities, but you need to know the differences.

Financial institutions (FIs) need to be aware of the types of cryptocurrencies and the different risks with each one in order to do a proper risk assessment.

FATF Guidance on Cryptos

Greg Pinn, an expert in cryptocurrencies, recently conducted an informative webinar with CaseWare RCM to help us understand how they are structured and to help us wade through the Financial Action Task Force (FATF) guidance for a risk-based approach to virtual assets (VA).

In mid-2019, FATF issued its Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers to give countries and VASPs (virtual asset service providers) clarity on how existing anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations affect virtual asset activities and providers.

FATF also adopted and issued a note on new technologies that further clarifies the international standards relating to virtual assets and describes how “countries and obliged entities must comply with the relevant FATF Recommendations to prevent the misuse of virtual assets for money laundering and terrorist financing and the financing of proliferation.”

As Greg pointed out, the FATF Guidance lays out 10 elements that are critical in risk mitigation of VAs and VASPs:

a) Risks associated with crypto-to-fiat and crypto-to-crypto transactions (these pose different risks than fiat-to-crypto transactions)

b) Centralized vs decentralized models (most are decentralized with no single authority)

c) Types of VAs offered and the features of those VAs

d) Unique business models associated with VASPs

e) Online-only versus in-person risks (new technology improves how we identify individuals)

f) Exposure to anonymization services such as TOR

g) Risks associated with multi-jurisdictional VASPs

h) Nature and scope of the VA account, product or service

i) Nature and scope of the VA payment channel or system

j) Any parameters or measures in place that may lower the provider’s exposure to risk

In the webinar, Greg focused on item (c), the types of virtual assets and their features, because many think that cryptocurrencies are like traditional currencies and that they all exhibit the same kind of behavior. That is a misconception.

So let’s take a look at the different types of cryptocurrencies that Greg reviewed in the webinar along with their risk profiles.


Conventional cryptocurrencies serve primarily as a means of holding and transmitting value, like fiat currency. Many, but not all, conventional coins split off (also known as hard-forked) from Bitcoin or were modifications of the Bitcoin code.

Risk profile:

  • Bitcoin, the most famous and popular cryptocurrency, has many tools available to track and monitor transactions, thereby helping to manage and mitigate risk.
  • Bitcoin is the most widely adopted, with an estimated 42 million wallet users, thereby making it the most commonly used currency for both legal and illicit activity.


Stablecoins are cryptos whose value is tied to a currency, basket of goods, commodities, or other stable asset to minimize price volatility.

As Greg pointed out, there are some significant risks here: “While stablecoins have a great value, I think they provide significant amount of risks because they are pegged to an asset. You could be stuck with something that is completely without value. Until you can get reliable audits of these firms’ assets, I would not encourage FIs to work with stablecoins. You’re not sure if the value is real or imagined.”

Risk profile:

  • While stablecoins are marketed as being backed by the pegged asset, it is hard to guarantee that the central authority possesses the assets to back up the currency.
  • When stablecoins are pegged to a fiat currency (as many are), users can transact with the ease and lack of controls of cryptocurrency but without the volatility of other cryptocurrencies.

Smart Contract

Coined “The World’s Computer,” Ethereum and subsequent smart contract (sometimes called dApps) cryptocurrencies enable code to be run on the blockchain.

Greg points out this code can be used to store, process, and represent ticket sales, equity trades, game tokens, and many other real-world assets in addition to running as normal software code. “Your ownership is tied to your wallet, there is no protection if your funds get hacked – the biggest risk for smart contracts,” he said.

Risk profile:

  • Smart contracts can be written and deployed by anyone. Because of this, there have been numerous hacks (and subsequent losses) due to errors made by the creator of the smart contracts.
  • Smart contract wallets can store both value and other assets as defined by smart contracts, making it difficult to determine the nature of trades.


The goal of settlement networks is to replace the existing cross-border payment networks that banks, MSBs, and people currently use. Ripple is focused on banks and MSBs, while Stellar is focused on individual exchanges of value. Greg says, “They are really trying to change the way people transfer money.”

Risk profile:

  • Both Ripple XRP and Stellar Lumens can be freely traded as a cryptocurrency, so the risk is similar to conventional cryptocurrencies.

Exchange Tokens

Exchange tokens provide an easy mechanism to transact within an exchange and pay reduced exchange fees. The largest is the Binance Coin (BNB). “These pose similar risks to conventional tokens.”

Risk profile:

  • Exchange tokens may be centralized and managed by the exchange, enabling the exchange to burn tokens and perform other currency management tasks.
  • Risk profile of exchange tokens follows the same risk profile as other conventional tokens of similar

Privacy Coins

Privacy coins use advanced cryptographic algorithms to ensure transactions are not linkable or traceable, thereby ensuring senders, receivers and transactions can be obfuscated from 3rd party observers. “This is the one that everyone knows and worries about – and rightfully so. Privacy coins are the biggest area of risk from an AML/KYC perspective,” Greg said.

Risk profile:

  • Privacy coins represent the biggest AML/KYC risk of all cryptocurrencies.
  • Monero transactions are private by default, whereas Zcash transactions can be either public or private.
  • By obfuscating wallets and transactions, it can be difficult or impossible for a 3rd party to identify the nature and risk of a transaction.

“By using privacy coins, individuals are, by default, saying they understand that this puts them in a higher risk category,” said Greg. “They may not be happy about it…but that is the reality.”

Supply Chain

By combining the immutable ledger of cryptocurrencies with tagging devices such as RFID tags, supply chain cryptocurrencies provide full supply chain traceability and material authenticity. Greg described this as “a chain of custody for high-end goods.”

Risk profile:

  • Supply chain cryptocurrencies represent a very small percentage of the market.
  • While trading of supply chain cryptocurrencies is open to any user with a compatible wallet, these purpose-built currencies are used mainly by individuals investing in the projects or using the supply chain aspects.

In summary, here are the key takeaways from Greg’s webinar:

  • When evaluating cryptocurrency risks, the type must be evaluated and understood.
  • While Bitcoin maintains the largest market capitalization (about 65% of the total value of all cryptocurrency), most of the transaction volume is conducted in stablecoins such as Tether.
  • Each cryptocurrency type presents a different type of risk, but from an AML/KYC perspective, privacy coins pose the highest risk.
  • New coins and new types will continue to emerge as coins split (hard fork), new coins are developed, and new problems are solved through cryptocurrency.

We are delighted Greg could join CaseWare RCM for this webinar. We produce a number of webinars each year to help compliance professionals to better understand emerging issues in the field. If you are interested in finding out more about Alessa, please do not hesitate to contact us.

About Eric Hansen

Eric Hansen (CAMS) is a Senior Risk Specialist at Caseware RCM. He has been consulting clients globally on matters of Risk and Compliance for over ten years. Eric is a member of Transparency International where he serves on their working group for Beneficial Ownership transparency. Previously, he was a Director of Risk & Compliance at Dow Jones Canada where he advised clients on areas such as AML, Anti-Corruption and Economic Sanctions.
