QUESTION
We are writing a policy for cryptocurrency compliance. We are a mid-sized nonbank. I am the Compliance Manager, and I have two in support staff. Our Board of Directors thinks cryptocurrency will continue to be a part of bank and nonbank transactions. They retained a research firm that says it is growing quickly.
I recognize that there are benefits to cryptocurrency. However, in writing this policy, we see how it can also impact our Anti-Money Laundering safeguards. So, we need to know the risks of cryptocurrency triggering our AML tripwires.
What are the safe versus risky features of cryptocurrency?
ANSWER
Your question comes at a time when cryptocurrency is a hot topic in banking and government circles. Indeed, the Treasury Department views cryptocurrency as potentially leading to economic instability due to increased fraud risk in the absence of sufficient government regulation. The Washington Post reports:
“The Treasury Department will warn the White House that cryptocurrencies could pose significant financial risks that outweigh their benefits unless the government rolls out major new regulations, according to two people familiar with the matter.”[i]
I speak with DC political types all the time, and I can tell you that a good percentage of them do not know what cryptocurrency is, let alone how to regulate it. Sometimes I wonder if they only just recently figured out how to send an email. Several of them are oblivious to how the Internet works, so I suppose they think it works by magic.
But, there is no mystery to cryptocurrency. It’s not magic.
Cryptocurrency is establishing itself as a legitimate alternative to traditional finance. As such, it should be regulated. And, as to linking it to Anti-Money Laundering (AML), you are entirely correct: there is a direct interface with Know Your Customer (KYC) processes and cryptocurrency.
Understand that cryptocurrencies had a total market capitalization of $900 billion in June, which jumped to $1 trillion in August.[ii] That is astounding growth!
You’ll need to become familiar with certain new terminology to make sense of cryptocurrency compliance. I will embolden a few words that are particular to cryptocurrency. So, let’s dig in!
What is Cryptocurrency?
Some people believe that cryptocurrency is impervious to scrutiny and appropriate regulation. The notion here is that transactions are “transparent” because they are kept in blockchain ledgers. Thus, it is erroneously thought, cryptocurrency can’t be well-regulated. However, these are simply digital ledgers that capture each transaction, which can be traced back to a wallet address. Transactions are time-stamped and immutable because to alter something in a ledger, every single block in the chain, across all its distributed versions, would need to be changed.
There is also the view that cryptocurrency is where criminals hang out to hide their nefarious purposes. I don’t think that holds up to scrutiny. The fact is that only 0.15% of such transaction volume was related to crime in 2021.[iii]
Is cryptocurrency vulnerable to cyberattacks? Well, yes and no. Wallets are owned and accessed by persons, which means they will be vulnerable to fraudsters and cybercriminals.[iv] But the blockchain technology that facilitates and records cryptocurrency transactions is nearly impossible to edit and is rooted in cryptography. However, cryptocurrency wallets need to be secured to protect them from attack.
It seems to me that anyone who thinks cryptocurrency is a fad has not been paying attention. It jumped by 567% in 2021[v] and is forecasted to have a compound annual growth rate of 12.8% between 2021 and 2031.[vi]
I have read that people in economies battling hyperinflation have avoided devaluation of their hard-currency wages by exchanging them for digital currencies, which are then used to pay for food and other products.[vii] In economies with high remittance-based GDPs, cryptocurrency seems to be a fast and reliable way to transfer funds overseas compared to traditional alternatives, which may offer poor exchange rates. Some large financial institutions also appear to recognize opportunities to mobilize in cryptocurrency investing. Small companies seem to acknowledge that cryptocurrency can fill financial access gaps in regions where the traditional finance market is more limited.
But money attracts thieves!
Criminality and Cryptocurrency
Cash has anonymity, but crypto currency does not! Cryptocurrency transactions are traceable through the blockchain, and cryptocurrency wallets are represented by a numbered key rather than held in a natural or legal person’s name. Therefore, KYC is an essential tool in cryptocurrency compliance.
Blockchain analysis can show the transaction history of a cryptocurrency coin or crypto wallet, but criminals will still find ways to obfuscate their source of funds and identities. The same risk and transaction patterns and factors used in KYC for traditional financial products show evidence of similar criminals, such as money launderers, cybercriminals, and traffickers. These crooks tend to adapt to and use the efficiencies of new technology.
Vendors that provide wallets to businesses and individuals must aim to have an accurate and perpetual KYC record of persons they are onboarding and servicing. If there are signs of criminality, law enforcement can trace the behavior and know who is behind it.
As cryptocurrency and its accessibility continue to grow, so does the evidence of criminal activity. International financial compliance regulators such as the Financial Action Task Force (FATF), the Financial Crimes Enforcement Network (FinCEN), and the European Union are taking the lead in developing regulatory approaches to virtual currencies. Although these efforts are critical, regulation is still much too tenuous and loose. Regulations certainly do not maintain international continuity.
Another transaction medium is a “kiosk” that lets users purchase Bitcoins (and other cryptocurrencies) using cash or a debit card. This “kiosk” is called a Bitcoin Automated Teller Machine (BATM). The BATM is a quickly growing medium that requires regulation. To get a sense of how quickly BATMs are being installed, in June 2022 there were 37,786 BATMs available in seventy-eight countries.[viii] As of today, there are nearly 38,723 BATMs.
Ratifying policies and procedures for cryptocurrency transactions is “mission critical” to a financial institution involved in cryptocurrency transactions. Frankly, given the lack of comprehensive regulation, it is vital that banks and financial institutions develop their own best practices and manage AML strategies that will mitigate the risks bad actors pose, making sure due diligence is as complete as possible.
Safe and Risky Features
You asked about distinguishing between safe and risky features of cryptocurrency. I believe that a primary, reliable measure of risk is traceability. The blockchain provides a record of transactions and ownership. But what if that history is hidden, or nobody is reviewing it?
And, to be sure, traceability in cryptocurrency and digital assets varies.
There are several
known ways that ownership is obscured in cryptocurrency transactions, and you
must ensure that your KYC initiatives account for them. I will provide four
examples.
1. Mixers
Also called tumblers, mixers aim to hide the origin of their users’ funds by obscuring the transaction history of crypto assets. For instance, Bitcoin Fog[ix] allowed users to transfer funds from their crypto wallets into ‘the fog,’ where the assets would be mixed with other users’ currencies to anonymize the funds. After the currencies were mixed, the original user would receive a random number of payouts, each containing a random amount of cryptocurrency.[x]
2. Decentralized Finance (DeFi)
This is a growing area within
cryptocurrency. Decentralized Exchange Services (DEXs) are a central
component of DeFi. Based on the blockchain, they allow users to connect with
one another directly and exchange crypto assets more easily and securely.
Traditional centralized exchanges require an intermediary to complete
transactions, whereas DEX users can exchange currency from wallet to wallet.
Here's the weakness in DeFi: the huge drawback
of decentralized exchanges is that they do not have a central administrator, so
suspicious activity can be challenging to address. The 2020 Kucoin hack. Kucoin
is a kind of broker between buyers and sellers of cryptocurrency.[xi]
Kucoin was hacked by a North Korean hacking organization, the Lazarus Group.[xii]
This illustrates the KYC risks associated with DEXs. In the wake of the hack,
the Lazarus Group laundered approximately $19.5 million of the roughly $275
million worth of crypto assets through DEXs.[xiii]
DEXs are not without risk, but thorough KYC can mitigate the risk for entities
transacting with them.
3. Privacy Coins
These digital assets vary, or, put
otherwise, some coins are only traceable some of the time. Certain coins allow
users to turn their privacy functions off; others, such as Monero, do not.
Monero can hide potential criminal
activity because it uses an “obfuscated public ledger,” where no outside
observer can determine the cryptocurrency's source, amount, or destination. Coins
like Zcash record the transaction data but don’t publicize the transaction
history or wallet address.
4. Non-Fungible Tokens (NFTs)
These digital assets[xiv]
use blockchain to authenticate digital content and prove ownership. Bad actors
can use NFTs to conceal ownership. For example, certain NFTs were being caught
by the Office of Foreign Assets Control (OFAC), and the cryptocurrency
addresses belonging to the REvil ransomware group were sanctioned. Such
associations are concerning, but appropriate AML screening should enable you to
navigate NFTs with considerable confidence.
Screening
for KYC
You should
conduct due diligence when assessing a cryptocurrency business for potential
money laundering and compliance risks. To screen for KYC, I suggest your policy
should resolve these four questions:
1. Do you know who you are dealing with
and their previous risk history?
2. Does the entity have its own KYC best
practices for crypto transactions?
3. Is the source of funds known when
receiving cryptocurrency or fiat money earned by trading cryptocurrency?
4. Is the transaction behavior normal, or
does it include peculiar or suspicious patterns?
Risk Mitigation Recommendations
I will close with recommendations for mitigating risk in cryptocurrency transactions in the context of AML and KYC compliance requirements. These are not meant to be comprehensive. Each financial institution must evaluate these transactions with respect to its size, complexity, risk profile, and risk tolerance.
Policies and
Procedures should include:
· Comprehensive KYC data, such as company
structures, ultimate beneficial owners, sanctions, politically exposed persons,
and adverse media.
· Information on virtual currencies and related
businesses, including virtual currency exchanges, BATMs, custodians and payment
processors, initial coin offerings, crypto funds, and published information on
crypto-related crime.
· Blockchain analytics that provide indicators of
risks, check the source of wealth funds based on coin and wallet addresses, and
perform transaction monitoring for cryptocurrencies.
· A flexible, adaptable, and intuitive onboarding and screening solution that packages the above capabilities into an easy-to-use single platform or a vendor retained to provide such services.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
[i] Treasury
will warn White House that crypto needs major regulations, A new assessment
from the Biden administration is expected to find that cryptocurrencies pose
threats to investors, Stein, Jeff and Tory Newmyer, The Washington Post,
September 8, 2022, https://www.washingtonpost.com/us-policy/2022/09/08/treasury-crypto-warn-white-house
[ii] Total
Cryptocurrency Market Cap, Global Cryptocurrency Charts, CoinMarketCap.com,
https://coinmarketcap.com/charts
[iii] Crypto
Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in
Value, All-Time Low in Share of All Cryptocurrency Activity, Chainalysis, January
6, 2022, https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction
Note, this is down from 3.37% in 2019 and 0.62% in 2020.
[iv] How
to Safeguard your Cryptocurrency Wallet from Digital Expoits, CISOMAG,
August 17, 2020, https://cisomag.com/cryptocurrency-wallet-security
[v] The
2022 Crypto Crime Report, Chainalysis, https://go.chainalysis.com/2022-Crypto-Crime-Report.html
[vi] Cryptocurrency
Market Outlook – 2030, Goswami, Aarti and Pramod Borasi, and Vineet Kumar, Allied
Market Research, https://www.alliedmarketresearch.com/crypto-currency-market
[vii]
A case in point would be Venezuela. See As Venezuela’s Economy Regresses,
Crypto fills the Gaps, Ellsworth, Brian, Reuters, June 22, 2021, https://www.reuters.com/technology/venezuelas-economy-regresses-crypto-fills-gaps-2021-06-22
[viii]
Bitcoin ATM Map, Coin AMT Radar, https://coinatmradar.com
[ix] Bitcoin
Fog was the longest-running cryptocurrency “mixer,” gaining notoriety as a popular
money laundering service for criminals who sought to hide their illicit
proceeds from law enforcement.
[x] Until
the US government took down Bitcoin Fog in 2021, the site mixed 1.2 million
Bitcoin (worth more than $300 million), most of which could be traced back to “darknet”
marketplaces.
[xi] Kucoin
is a third-party cryptocurrency exchange, matching buyers and sellers. insofar
that they stand between buyers and sellers. Like stock brokers, it makes money
from charging trading fees.
[xii] Lazarus
Group Pulled Off 2020’s Biggest Exchange Hack and Appears to be Exploring New
Money Laundering Options, Chainalysis, February 9, 2021, https://blog.chainalysis.com/reports/lazarus-group-kucoin-exchange-hack
[xiii]
KuCoin thief sells out millions in crypto tokens on decentralized exchanges
- but Elliptic can still trace them, Robinson, Tom, Elliptic, September 29,
2020, https://www.elliptic.co/blog/kucoin-thief-sells-out-millions-in-crypto-tokens-on-decentralized-exchanges
[xiv]
Often these NFTs are works of art.
