What FIs Need to Know about Cryptos
September 19, 2019
In this webinar, we will walk the audience through a systematic process that every financial institution should go through when evaluating the risks associated with cryptocurrencies and effective mitigation strategies.
Here are the questions and answers from the event.
Q: What is a key?
A: The way that cryptocurrency works is that there are two pieces of identifying data. The public key is public and you can share it with anybody. It is a long string of letters and numbers. Giving out your public key is sort of like giving out your email address, someone can send you money, and you can send them money. It is something that can easily be shared as an identifier for you, but nobody can steal your money with it.
Your private key is basically like your password. It is also a very long string of numbers and letters; it is not something that you can choose. Your private key is the thing that allows you to transact. Your private key is the security that locks your wallet down with just you being able to use it.
Your public key can be put on your business card, your email signature, but your private key should never ever be shared. Giving your private key away is sort of like giving them access to your bank account. With your private key, they can take all of your money. With cryptocurrency, if that money is stolen, it is gone forever. That’s true as well if you lose your private key, that money is gone forever.
Q: What additional factors does a financial institution need to assess before being able to bank as a VASP?
A: One of the first things to do is check with the regulators in your jurisdiction. If you are in the U.S., it may be a state regulator as well. New York State for example has the BitLicense program with additional steps for opening a VASP. If you are in other countries, you may just need to speak to your national regulator to understand the legal framework.
I would consult with a cryptocurrency lawyer as well to understand other banking issues within your jurisdiction. And then like any new business, I would put a toe in the water. I wouldn’t onboard billions in assets on Day 1, but start building out your compliance program for cryptocurrencies. There are going to be some additional requirements and there is going to be some additional learning.
Q: Can you speak to the new Travel Rule:
A: What the Travel Rule says is for fiat currencies, the originator and beneficiary of any transaction must be identified. Both by the originating institution, the destination institution and any correspondent banks as well. As that money travels globally it is screened by these various institutions.
Where this comes to be a very big challenge for cryptocurrencies is that cryptocurrency transactions do not have to happen through an exchange. I can send someone cryptocurrency directly from my cellphone or computer without having to go through a third-party exchange. If I do go through an exchange, it probably does not have any information on where the destination is beyond their cryptocurrency address.
Therefore, this is posing significant challenges for the cryptocurrency industry as to how this can be solved. If you are sending money from point A to B, you can include information on the destination (as SWIFT does), the problem is these cryptocurrency networks aren’t built to hold that data and a lot of people in the cryptocurrency space aren’t interested in that data being out.
There are a lot of people investigating other alternatives on the blockchain. This information is supposed to be shared instantaneously with the transaction, so this has posed significant challenges for cryptocurrency institutions and really, as an industry, nobody is quite sure how this is going to be solvable.
Q: Are you aware of any major dark web bazaars since Silk Road was shut down and do regulators have a plan to detect transactions used for illicit activities?
A: There are a number of these dark websites and there are a few compliance companies that are doing data scraping of dark websites to look for things like cryptocurrency and products being sold, such as webhose.io. This is something that law enforcement is keen to mitigate and to shut down, but in a lot of cases this is like playing whack-a-mole. You shut down one Darkweb site and the next one pops up.
That does not mean that it is not worth shutting these sites down because the more you shut them down the more they are spread out. It is really cat and mouse.
Q: By flagging certain wallets, law enforcement could potentially contact financial institutions for account activity records, similar to the PATRIOT Act’s 314a. Do you think something like this could lower the inherent risk of cryptocurrency as a whole?
A: We have started to see that a little bit with OFAC now including bitcoin addresses in a couple of profiles. About a year ago, OFAC said they were including cryptocurrencies addresses and we are starting to see it at a sanction level. I think adding this like a 314a list would be incredibly valuable. There are many players in this market who are watching forensics firms and working to facilitate that kind of information gathering. Law enforcement is very much engaged in this and I think we are only going to see that grow.
Q: In the crypto world, are there any compliance regulations that are the equivalent of the $10,000/24 hour rule that is used for fiat?
A: The $10,000 rule still exists for cryptocurrency, but it is still in dollars, not as a crypto amount. If the value is equivalent to the limit, a CTR still has to be filed.
Q: When verifying source of funds for a cryptocurrency transaction, have I done an adequate level of due diligence if I verify the source of the blockchain only, meaning should I as the AML analyst push customers to provide details of how they obtained it in the first place? Would regulators be satisfied with just the blockchain forensics?
A: I would hate to speak on behalf of a regulator, as that would only get us in trouble. Every regulator is different and every business is different and so the amount of due diligence that you need to do is not necessarily going to be the same that a company or a small or large institution would do.
What we need is better information sharing across institutions and better confidence in that information. If someone got their cryptocurrency at an exchange and that was the original source, we need to know that this has met their KYC requirements. Seek legal advice.
Q: Do you believe that crypto-to-crypto will be regulated?
A: It already is. Crypto to crypto exchanges have to register as MSBs in most jurisdictions, if not all. FATF has said that crypto to crypto is an MSB, so yes, they are.
Q: Is there any current sanction list in any jurisdiction for people who have been known to deal with crypto for criminal purposes?
A: The only sanction list that involves crypto right now is OFAC with two Iranians as sanctioned individuals with their bitcoin addresses. There is no blockchain specific sanction list.
Q: What are the crypto-friendly countries today?
A: When we look at the countries that have been most open to crypto, Switzerland is crypto heaven. There are many businesses opening up in Switzerland. Canada has been very open to crypto from a VASP perspective as there are many VASPS and crypto businesses opening up in Canada.
Then you have jurisdictions like Malta, Gibraltar, Cyprus that have been very open to cryptocurrency investments. Their banks are much more open to cryptocurrencies. We have seen a huge amount of business brought to these areas. Latin America is diverse in its views on crypto, Venezuela has its own cryptocurrency whereas Argentina has been a little more hands off.
The Middle East is another area where we have seen some movement in how they view cryptocurrencies of late. It is constantly changing.