Managing AML Risks of Virtual and Cryptocurrencies
November 20, 2020
At a recent conference, FinCEN Director Kenneth A. Blanco once again reminded financial institutions to seriously thinking about their exposure to cryptocurrencies.
The director emphasized the need for all financial institutions to look at their AML policies and procedures, especially in relation to virtual assets, adding that “these are areas your examiners, and FinCEN, will ask you about when assessing the effectiveness of your AML program. If banks are not thinking about these issues, it will be apparent when examiners visit.”
“..one issue that continues to come up during these discussions relates to mitigating risks associated with emerging payment systems, including virtual currency. To be clear, exchanges are not the only ones with crypto risk exposure. These risks are not unique to money services businesses or virtual currency exchangers; banks must be thinking about their crypto exposure as well. These are areas your examiners, and FinCEN, will ask you about when assessing the effectiveness of your AML program”.
– Kenneth Blanco, FinCEN Director
Identifying crypto transactions and customers
As clearly stated above, FinCEN is placing responsibility on all financial institutions to identify and report suspicious activities where they suspect bad actors are using virtual currencies to launder money, evade sanctions and other illicit financing purposes. These requirements apply even to those who do not directly buy, sell, provide custody, or have virtual currency exchanges as customers.
So how can financial institutions identify whether a customer is transacting with virtual currencies or whether a customer is a cryptocurrency exchange, crypto MSB or VASP? Some FIs have implemented systems that use lists of cryptocurrency exchanges and other VASPs from open sources and attempt to do name matching against their customer base, from where funds are coming, and to where they are going.
The problem with this system, as outlined in a recent study by CipherTrace, “this approach results in many false positives and misses significant, large amounts of funds flows that cannot be discovered by home-grown name matching. In some cases, this approach missed 90% of the actual cryptocurrency-related transactions within a financial institution.”
Financial institutions should instead explore the option of using third-party crypto intelligence data providers to identify virtual currency customers and transactions and mitigate their risks.
Adding crypto intelligence to existing AML systems
Given the recent emphasis by FinCEN and the failure of internal ad-hoc systems, we recently partnered with CipherTrace to integrate their crypto intelligence data into the Alessa solution. The data provided by CipherTrace enables financial institutions to:
- Identify customers transacting with convertible virtual currencies (CVCs) and unregistered crypto MSBs that may be attempting to evade supervision and fail to implement appropriate AML controls
- Monitor wire transfers, ACH and credit card transactions to identify customers involved in CVC transactions
- More effectively track the accounts associated with peer-to-peer crypto exchanges and smaller virtual currency kiosks, and cross-references the contact information of small virtual asset service providers (VASPs) with customer records to flag suspicious activities
Once a customer or transaction has been flagged, a risk score is applied and the compliance team can do the necessary investigations to determine whether the transaction needs to be reported to the regulator.
Money laundering red flag indicators from FATF
Once a customer or transaction has been flagged, the next step is to evaluate whether the transaction is high-risk or needs to be reported. The Financial Action Task Force (FATF) recently released a report that outlines a number of money laundering/terrorist financing red flag indicators associated with virtual assets (VAs) to assist reporting entities, including financial institutions (FIs), designated non-financial businesses and professions (DNFBPs), and virtual asset service providers (VASPs).
Examples of red flag indicators in the report include:
- Structuring VA transactions (e.g. exchange or transfer) in small amounts, or in amounts under record-keeping or reporting thresholds, similar to structuring cash transactions.
- Making multiple high-value transactions in short succession, such as within a 24-hour period; in a staggered and regular pattern, with no further transactions recorded during a long period afterwards, which is particularly common in ransomware-related cases; or to a newly created or to a previously inactive account.
- Transferring VAs immediately to multiple VASPs, especially to VASPs registered or operated in another jurisdiction where there is no relation to where the customer lives or conducts business; or there is non-existent or weak AML/CFT regulation.
- Depositing VAs at an exchange and then often immediately withdrawing the VAs without additional exchange activity to other VAs; converting the VAs to multiple types of VAs; or withdrawing the VAs from a VASP immediately to a private wallet.
- Accepting funds suspected as stolen or fraudulent depositing funds from VA addresses that have been identified as holding stolen funds, or VA addresses linked to the holders of stolen funds.
The report goes further into red flag indicators related to transactions, transaction patterns, anonymity, senders or recipients, source of funds or wealth and geographical risks and is a valuable resource for FIs. Download your copy of the report to learn more about red flag indicators identified by FATF.
Typologies and red flags from FinCEN
FATF is not the only agency that is tackling the risks associated with virtual currencies. FinCEN also issued an advisory that highlights prominent typologies and red flags associated with virtual currencies and identifies information that would be most valuable to law enforcement, regulators, and other national security agencies in the filing of suspicious activity reports (SARs).
Virtual currency abuse typologies covered by the advisory include the use of darknet marketplaces, P2P exchangers, foreign-located MSBs, and CVC (convertible virtual currency) kiosks.
The advisory also provides 30 red flag indicators that may help in identifying unregistered MSB activity and suspicious virtual currency purchases, transfers, and transactions. Example of red flag indicators in the advisory include:
- Large numbers of transactions from different customers sent to and from the CVC wallet address but not operating as a known CVC exchange
- Structuring of transactions just beneath the CTR threshold or the CVC kiosk daily limit to the same wallet address either by using multiple machines (i.e. smurfing) or multiple identities tied to the same phone number.
- A customer conducts transactions with CVC addresses that have been linked to extortion, ransomware, sanctioned CVC addresses or other illicit activity.
- Use of a virtual private network (VPN) services or Tor to access CVC exchange accounts
- A customer provides identification or account credentials (i.e. non standard password, IP address or flash cookies) shared by another account.
The full list of red flag indicators from FinCEN can be found here.
Given the increased use of virtual assets, your financial institution might be considering banking virtual asset service providers (VASPs). As outlined in a recent webinar, if you do decide to include VAs and VASPs as part of your business, here are some things need to be done to mitigate risks:
- When evaluating cryptocurrency risks, the cryptocurrency type must be evaluated and understood. Each cryptocurrency type presents a different type of risk, but from an AML/KYC perspective, privacy coins pose the highest risk.
- You need to risk profile all the cryptocurrencies used by your clients. If a client is bringing money in from an exchange, you need to know not just what was the currency that they immediately transacted with but work with the exchange to understand if there were other currencies involved and what were the types of transactions being used by that user.
- You need to complete enhanced due diligence on any VASPs that you’re going to do business with. You need to understand the nature of the business, value and purpose and make sure the business is running legally and securely.
- Like with fiat currency, you need to do transaction monitoring. This is where blockchain forensics is incredibly important and can be used for both with when money comes in and also after the fact for investigations.
- Finally, keep doing what you are doing. Everything you do with traditional fiat currency applies for cryptocurrencies including sanctions screening, PEP screening, adverse media, etc.
- New coins and new types will continue to emerge as coins split (hard fork), new coins are developed, and new problems are solved through cryptocurrency. It is important to stay informed and assess the risk with each.
If you are interested in finding out more about Alessa, please do not hesitate to contact us.