Anti-money laundering managers at banks and other financial institutions need to adapt their customer onboarding and transaction-monitoring approaches to cryptocurrency investors or risk regulatory fines, warn AML experts.
Cryptocurrencies, such as Bitcoin and Ethereum, already are involved in nearly ten percent of the total US$2 trillion of dirty money that is washed annually. That percentage is expected to grow based on the allure of cryptocurrency as a low-cost secure payment solution.
Also known as virtual currencies, cryptocurrencies represent one application of blockchain technology, a decentralized digital ledger system that maintains encrypted logs of transaction records. Cryptocurrency transaction records are associated with public keys — strings of numbers which act as investors’ digital addresses.The pseudonymous nature of cryptocurrency transactions heightens the potential for wrongdoing, claim AML experts.
Cryptocurrency criminals can be just as savvy as bank robbers when it comes to eluding detection in money laundering, terrorist financing and other illegal activities. Bank robbers rely on masks and getaway cars to avoid capture. Likewise, cryptocurrency investors may mask their identities either by using third parties as straw men or by using privacy coins. Those “alternative” cryptocurrencies ensure that the investor or owner of the coin can’t be tracked because ownership is entirely anonymous. All traces of the investor’s identity are automatically erased.
Surprisingly, even some of the most sophisticated banks and other financial institutions may not be adjusting their AML programs to catch cryptocurrency criminals. They either don’t understand cryptocurrency trading well enough or don’t think they will be harmed by cryptocurrency criminals. “Many banks may feel their exposure to cryptocurrency crime is limited, because they aren’t onboarding exchanges selling the cryptocurrencies,” says Ted Sausen, AML subject matter expert at NICE Actimize, an AML technology provider in Hoboken, New Jersey.
Another flawed tactic some banks use is playing it too safe. “Some banks are not accepting accounts related to cryptocurrency because they don’t know how to handle them,” says Natasha Taft, an AML compliance consultant in New York. “They are understandably worried about the risk involved with uncertain regulatory expectations.”
Domino-effect AML Risk
However, that approach temporarily transfers the risk elsewhere, because the customer will simply take its business to a less regulated non-bank financial institution. Eventually, banks could end up with the cryptocurrency risk they tried to avoid if they transfer or receive funds from non-bank financial institutions, says Taft, a former US compliance director at several foreign banks.
So far, banks and other financial institutions have been able to avoid regulatory scrutiny when it comes to customers doing business in cryptocurrencies, because AML watchdogs haven’t finetuned all their requirements to the growing cryptocurrency market. However, that lapse might not last for long.
At a minimum, US cryptocurrency exchanges and some other types of businesses involved with cryptocurrency payments must register with the US Treasury’s Financial Crimes Enforcement Network (FinCEN) as money transmitters. Doing so, means they must establish and follow anti-money laundering programs including filing suspicious activity reports. AML legal experts warn that banks might end up being fined if they do business, even indirectly, with a non-registered exchange or other cryptocurrency platform, if the customer funds used to buy and sell cryptocurrencies were ever discovered to involved with money laundering or other criminal activity.
In March, the US Treasury’s Office of Foreign Assets said that US persons and firms have the same sanctions obligations regardless of whether the transactions involve fiat currencies or cryptocurrencies. OFAC also suggested that it might be adding digital addresses to the Specially Designated Nationals list of blocked persons and companies with which US firms or persons cannot do business.
“Parties who identify digital currency identifiers or wallets they believe are owned by or otherwise associated with an SDN and hold such property should take the necessary steps to block the relevant currency and file a report with OFAC,” says OFAC in a statement. Failing to do so could result in significant civil and criminal penalties. OFAC urged technology companies, administrators and users of digital currencies to develop a tailored risk-based compliance program that includes sanctions list screening and other measures.
OFAC’s announcement followed the UK Parliament’s decision that it would examine how to best police cryptocurrencies. In January, South Korea became the first country among the G7 nations to ban anonymous trading of cryptocurrencies.
Not all trading in cryptocurrencies is entirely anonymous, but there is enough trading in privacy coins to warrant concern. Transactions using primary cryptocurrencies such as Bitcoin and Ethereum can potentially be linked back to the IP addresses of their owners. That’s not the case with privacy coins where every trace of the owner is erased. Privacy coins can’t even be purchased using fiat currencies such as dollars or Euros. They can only be bought or sold using primary cryptocurrencies.
The Wash Cycle
Here is a typical scenario, bank AML managers tell FinOps Report: First, the cryptocurrency criminal will open an account with a digital exchange and use his or her bank account to fund the purchase of Bitcoin and other cryptocurrencies. Account opening typically requires a verification of personal details, but the criminal might ask another person with a squeaky clean background to open it in the other person’s name to fool customer onboarding managers. Alternatively, the criminal might be one of the beneficial owners of an institutional fund or other entity.
Once the bank has approved the account opening, the customer could use the funds in fiat currencies such as dollars or Euros to buy cryptocurrencies through wire transfers or automated clearinghouse transfers to cryptocurrency exchanges. There are no uniform global policies for how they should verify the identity of investors. US cryptocurrency exchanges typically do follow policies equivalent to those of banks and other financial institutions. Foreign exchanges might not.
If the criminal isn’t caught by either the bank or cryptocurrency exchange, he or she can then move on to step two: use the “primary cryptocurrencies” to buy alternative digital currencies or privacy coins sold by so-called advanced cryptocurrency exchanges specializing in initial coin offerings. The privacy coins could ultimately be exchanged back to primary cryptocurrencies which would then be exchanged for fiat currency, completing the process of turning dirty money into clean money
Ideally, the potential for criminal activity arising from the use of privacy coins could be eliminated if regulators were to ban their use. However, that approach won’t be happening any time soon. “Governments are balancing the need for oversight with investor privacy,” says Juan Llanos, director of the financial practice for ConsenSys, a New York-based blockchain software technology firm. In addition, because advanced exchanges do not accept fiat currencies, governments may find it difficult to enforce their regulatory standards globally.
Another innovative approach to combatting cryptocurrency crime is using blockchain technology itself. Llanos says that Consensys is developing technology to identify anomalies and patterns of suspicious activity using transaction identifiers such as addresses.
Until regulators decide to ban either privacy coins or blockchain technology advances, AML departments of banks and other financial institutions will have the primary burden of sifting the good from the bad players in cryptocurrency the old-fashioned way. That means lots of hard work at the time of “ingress or eggress,” say AML experts. That is, when an account is opened and fiat currency is exchanged for cryptocurrency or when cryptocurrency is exchanged for fiat currency.
Cryptocurrency transactions made by customers with residences or sources of money from Russia, Venezuela, Lebanon, Iran, North Korea, the Ukraine and Turkey should be flagged as high-risk, recommend AML specialists. The reason: those countries have become well-known centers for cryptocurrency crime.
Likewise, banks should also consider their clients’ counterparties. Many of the estimated 645 cryptocurrency exchanges– namely those overseas — have lax customer onboarding policies.”Not all of the cryptocurrency exchanges in the world are licensed, and banks should more closely monitor, if not prohibit, the transfer of money to an unlicensed cryptoexchange” says Kamil Kaluza, managing director of QuantaVerse, a Wayne, Pennsylvania-based firm specializing in AML technology.
Transaction monitoring systems can also be tweaked to identify suspicious activities related to cryptocurrency investments. The technology has advanced far beyond a simple-rules based methodology which searches for cryptocurrency exchanges or addresses.
NICE Actimize says that its new suspicious activity monitoring system relies on machine-learning analytics and robotic process automation to reduce both the number of false-positive alerts and the time it takes to investigate an alert. QuantaVerse says that its artificial intelligence-based financial crime platform can collate customer data from transaction monitoring systems, know-your-customer databases, multiple lines of business, the deep web and other sources to generate red flags indicating suspicious activity. “Using a combination of link analysis, third-party relationship analysis and behavioral modeling, QuantaVerse found that payments from bank accounts to unknown beneficiaries were actually payments to unlicensed cryptoexchanges,” says Kaluza.
Two potential red flags of cryptocurrency crime, says Sausen, involve the movement of funds to and from cryptocurrency exchanges. Numerous payments to cryptocurrency exchanges without any conversions of cryptocurrency into fiat currency should always be investigated. So should large numbers of transactions representing exchanges of cryptocurrency into fiat exchanges without any initial purchases of cryptocurrencies.
As with catching wrondoing in wire transfers and other accounts related to traditional investments, training will go a long way. “Transaction monitoring systems and other technologies can only identify potential red flags after which point AML managers must probe more deeply,” says Joe Ciccolo, president of Bit AML, a Chicago-based regulatory compliance consultancy focused on cryptocurrency AML.
Two critical questions AML managers should ask, says Ciccolo, are what is source of the funds and purpose of the transactions. He recommends that banks take advantage of the US Patriot Act’s safe harbor provisions to share information about the source of customer funds and identities with each other and with cryptocurrency exchanges.
Purchases of cryptocurrency without a valid business case should certainly raise eyebrows. “It would not be expected that a non-profit or government agency would have a legitimate reason for executing transactions on cryptoexchanges,” says Sausen.
Unfortunately, there is no magic formula for figuring out which cryptocurrency trades are legit and which are not. A single cryptocurrency transaction might represent a sound business investment or it might signify a payment for ransomware. Multiple cryptocurrency transactions are even more problematic, because they could represent money laundering or at the very least require the client to be registered with FinCEN as a money transmitter, cautions Ciccolo. Banks who don’t want to do business with money transmitters could then opt to “derisk” or shut down the client account.
“Ultimately, cryptocurrency is no more or no less ripe for money laundering than other industry sectors,” says Kaluza. “It is simply misunderstood and, based on its growing popularity, banks and other financial institutions need to be prepared.”