Cryptocurrency: Risks to your institution and the regulatory landscape
Cryptocurrency (crypto) is defined as a decentralized digital currency intended to be used in buying or selling goods and services. Crypto can come in many forms. The purpose of this blog is to extend the conversation from my previous blog, Cryptocurrency: The go-to guide, and explore the risks to your institution and to the larger regulatory landscape.
As the utilization of cryptocurrency increases, so do risks to the financial services industry. The risks may be detrimental to company fraud losses and regulatory compliance. Fortunately, the Anti-Money Laundering Act of 2020 (AMLA 2020) explicitly requires the Bank Secrecy Act (BSA) to be applied to crypto. More specifically, crypto exchanges are being considered as money service businesses (MSBs) meaning crypto exchanges must follow:
The travel rule
All other BSA regulations including –
Customer Due Diligence (CDD),
Suspicious Activity Reports (SARs), and
Cash Threshold Reports (CTRs)
How this is going to be fully applied by regulators has yet to be determined. However, many measures can be applied today by the financial services industry to ensure compliance when regulatory direction is published.
Risks to the financial services industry
Change isn’t possible without risk.
The risk in the widespread adoption of crypto is that poor AML and fraud practices are heavily present in the crypto exchange market. The reasons are multifold:
Enhanced Due Diligence (EDD) is not required on crypto exchanges or ATMs at this time.
Regulators have established guidance within AMLA 2020 to require crypto exchanges to operate as MSBs, however, cryptos do not fit neatly into the current regulatory framework. Moreover, crypto exchanges/ATMs being categorized as MSBs allow for anonymous transactions of up to $1,000. Meaning, unless these customers exceed $1,000 at a single crypto exchange the only personal identification information collected is limited to a phone number or email address. This allows illicit funds (i.e., smurfing/traditional money laundering practices) to easily move through the blockchain with total anonymity
Crypto exchanges do not fit neatly in the definitions of a MSB because they are more like a financial institution in the way they operate. This is due to fiat currency, a government-issued currency that is not backed by a commodity such as the U.S. Dollar, being transferred to a new type of digital currency rather than fiat to fiat.
Financial compliance professionals and crypto ATMs/exchanges, generally speaking, have limited understanding of each other. This leads to facilitation and unintentional overlooking of typical financial crime trends within the industry. Crypto operators are not incentivized to monitor and report AML and fraud practices which means profit is often prioritized over compliance.
Lack of FinCEN enforcement of crypto exchanges/ATMs
Illicit crypto funds are not only flowing in the U.S. The U.S. Department of Treasury is beginning to crackdown especially with the release of the Suex OTC sanctions addition,part of a broader process of restricting crimes in the crypto universe overall.
Risks to crypto consumers
The risks to the consumers of crypto are also especially high. Crypto is highly volatile, intangible, exists on a non-regulated 24-hour stock market, and is uninsured by any authority. All of which appeal to criminal/illegitimate purposes.
Trending schemes and scams facilitated by crypto
Smurfing
Money-laundering through crypto exchanges/ATMs
Romance scams
Fake investment scams (i.e. initial coin offerings)
Crypto used to purchase on the black market
Human trafficking, organ trafficking, and adult services
Art and antiquities money laundering including NFTs
Crypto pump and dump
Fake crypto exchanges
Blackmailing scams
Phishing, smishing, and vishing
Ransomware
How to mitigate the risks
To prevent the facilitation of illicit funds through crypto exchanges and ATMs, as well as to assist law enforcement, there are several detection and compliance strategies that can be employed.
The first method of mitigation is screening your customers, whether business or personal, for sanctions (as required by law). Special attention should always be paid to sanctioned and high-risk countries. On top of sanctions screening, full due diligence should be done on all clients that are onboarded to the institution. Full due diligence includes:
Conducting full KYC/KYB
Collecting beneficial ownership for businesses (including parent and intermediary companies)
Conducting risk analysis on public records
Monitoring transactional activity (especially within the blockchain)
Adverse media screening