As cryptocurrencies gain in popularity, regulators, the media and policymakers are starting to pay greater attention to the financial crime threats they sometimes pose. In this blog, we look in more detail at the compliance issues faced by cryptocurrency companies, as well as ask how the best Anti Money Laundering (AML) policies and practices can be designed.
Perhaps the first question to ask is what is distinctive about building an AML programme for a crypto firm versus a traditional company?
Industry experts argue that a risk-based strategy is essential and a thorough risk assessment is the first step in this process. It is also vital to revisit risk assessments regularly, especially given the present rate of regulatory and technological change.
Personnel is another key issue that must be addressed. A poll conducted by ComplyAdvantage, a RegTech company that provides anti-money laundering technology, found that, while most compliance teams aimed to employ those from banking, regulatory, and FinTech backgrounds, 68 per cent of crypto exchanges preferred hiring from other crypto enterprises. Firms will suffer not just a restricted labour pool but also the potential of “group think” if they do not look to develop well-rounded compliance teams which can draw on a variety of perspectives.
Technology considerations are also among the most important, with many cryptocurrency companies electing to outsource core technological components of AML and KYC. Onboarding and identity verification, client screening, monitoring, and transaction risk management are all areas where specialised knowledge is useful.
Firms that grow quickly without automated screening and monitoring systems face a variety of dangers, including enrolling consumers without doing proper due diligence and handling a large volume of warnings manually which may result in slippage or processing errors. Such breaches will eventually be discovered by regulatory authorities.
What are the risks of non-compliance with AML regulations?
One big issue is that decentralised exchanges and decentralised money systems can facilitate sanctions evasion, particularly in situations where there are no in-built compliance mechanisms integral to the decentralised code. While, for example, there is unlikely to be enough liquidity in the crypto market for Russia’s government to successfully evade Western sanctions fully, sanctioned Russian actors may nevertheless seek to use crypto to avoid Western penalties — even if this may be traceable on the public blockchains. Criminals laundered $8.6bn (£6.4bn) of cryptocurrency in 2021, up by 30% from the previous year, a report by blockchain data company Chainalysis says. However, what is often not considered in public discussions of this phenonomen is that laundering money through public blockchains leaves a permanent trail, actually making it easier for law enforcement to eventually trace the activity.
Another problem is the facilitation of terrorist financing. As a result, businesses may expect further rigorous terrorist funding safeguards to be implemented as needed. For example, the Indian government recently probed the use of crypto by the Al Qassam brigades, Hamas’ armed branch.
Finally, companies should be wary of layering. Criminals may attempt to obscure the source of unlawful fiat currency by converting it to cryptocurrency. For example, the Financial Action Task Force reported an instance in which thieves stole KRW 400 million from victims in South Korea via phishing before transferring the cash to a foreign crypto wallet via repeated high-value transactions. The payments were routed via 48 accounts to conceal their source.
The consequences of non-compliance with AML regulations for crypto companies may include the refusal of a license to operate, causing a firm to move or close.
Where can crypto firms expect to see big regulatory changes coming up?
The EU has proposed a new legislative package that includes new measures for the crypto industry. The 6th Money Laundering Directive covers licensing, regulation, and supervision. It highlights that crypto asset service providers (CASPs) must be authorised in their home countries and lays out requirements for CASPs operating under the freedom to provide services in the EU.
The British government has also announced its intention to make the UK a global crypto-asset technology hub. This includes bringing stablecoins into the scope of legislation as a “recognised form of payment,” developing a “financial market infrastructure sandbox” to support innovation, establishing a crypto asset engagement group and working to issue a non-fungible token for the Royal Mint.
How can firms manage sanctions risks?
According to a poll conducted by ComplyAdvantage as part of its State of Financial Crime 2022 research, businesses are focused on the requirement for real-time data from vendors as they manage sanctions risks. A staggering 96 per cent of organisations stated that real-time data would improve their due diligence effectiveness.
Avoiding sanctions violations is a constant problem that risks serious regulatory and reputational implications. Western nations are increasingly employing sanctions to address international issues. As a result, it is no wonder that access to real-time data is such a critical issue that must be addressed, for firms to comply appropriately with potential risks.
It is fortunate then that innovations in data collecting and handling have made real-time updates and screening a reality. It is possible to obtain minute-by-minute updates from public sanctions lists and through official announcements and media. Continuous screening is also an option, allowing firms to analyse, restrict, and report potentially sanctioned transactions as they happen.
How can firms get ahead of new regulations in their jurisdiction?
The easiest way for businesses to stay ahead of new rules is to conduct horizon scanning, which involves mapping impending regulatory changes to compliance budgets ahead of time. This will guarantee that they have the necessary personnel in place to deal with many new demands.
Firms must also embrace new regulations and their implications. In addition to devoting time to discussions with local regulators, this helps to guarantee that new legislation is designed with the reality of running a cryptocurrency enterprise in mind.
Are there any emerging threats crypto compliance teams should be aware of?
Ransomware is one of the biggest emerging threats, and regulators around the world are exploring how to tighten controls to tackle this problem. Entities involved in critical infrastructure projects are among those most at risk of coming under attack.
Another threat is darknet markets. These global online marketplaces enable buyers and sellers of illegal goods. Participants often use virtual currencies as their preferred method of payment. Regulators are now using sanctions to try and take down these markets.
As regulators place a greater focus on cryptocurrency service providers, the need for vigilance is increasing — not just to keep on top of the latest regulations and guidelines but also to be constantly aware of the ever-changing tactics of fraudsters. In an industry which is, sometimes unfairly, viewed with doubt and scepticism, reputation is king.
You can read more about regulatory changes and emerging risks here.