Why Adapt Existing Transaction Monitoring Capabilities to Tackle Cryptocurrency AML?

What are the anti-money laundering regulations for cryptocurrency?

A recent update report from the Library of Congress (dated November, 2021) highlights the increase in jurisdictions that are now implementing a regulatory framework around the use of cryptocurrencies. In 2018, the report originally identified eight jurisdictions with an absolute ban and fifteen jurisdictions with an implicit ban. However, the updated November 2021 report has seen those numbers rise to nine and 42 jurisdictions, respectively.

These implicit bans prohibit banks and other financial institutions from dealing in cryptocurrencies, offering services to individuals/businesses that deal in cryptocurrencies, and banning cryptocurrency exchanges.

Why is crypto AML compliance so important?

As crypto and digital currencies become more mainstream, there’s greater pressure to get anti-money laundering policies and strategies updated and standardized. In the updated November 2021 report, a total of 103 jurisdictions are identified as applying tax, AML/CTF (Anti-Money Laundering/Counter Terrorist Financing) laws to cryptocurrencies, with the vast majority applying both. These jurisdictions include the European Union Member States, with the exception of Bulgaria. Previously, in 2018, only 33 jurisdictions were found to regulate cryptocurrencies in these areas, with just five applying both tax and AML/CFT laws. This trend will continue to increase as bodies such as The Financial Action Task Force (FATF) continue to extend the application of its standards to new technologies and areas of risk.

Do absolute and implicit bans effectively manage the risks of digital currencies?

Despite these efforts to regulate crypto, the question still remains: is the approach of explicitly or implicitly banning the use or servicing around crypto currencies the most effective way of protecting organizations from the criminal abuse and risk exposure attributed with the digital currencies?

Historically, creating a prohibition focused regulatory framework around a particular activity does not make the challenge disappear. On the contrary, oftentimes it makes the entity, which the framework sought to protect, more prone to abuse, as it removes all protection for the parties involved, simply driving illicit activity to less regulated routes and creating further financial exclusion.

It can be argued that the current approach which some countries and individual financial institutions – with very notable exceptions – are taking to the management of cryptocurrency risk can be likened to the ongoing de-risking phenomenon impacting correspondent banking. De-risking involves removing the risk entirely, rather than managing it with appropriate policies, risk assessments and tools.

The EBA’s recent opinion piece on de-risking outlines how simply stopping access to services for a specific product, or a portion of the customer population, can be perceived as a sign of ineffective AML/TF risk management rather than the opposite. Removing the ‘risky’ customer, or banning the servicing of certain activity, does not translate to a removal of risk. Without effective risk detection in place, financial institutions are only exposing themselves to further indirect risk, which is going on undetected. This is why crypto transaction monitoring is key.

The EBA’s investigations around the reasoning and impact of de-risking to support the need for financial inclusion reinforces another trend we are seeing in the financial landscape: the decision of certain organizations to ban or remove the risk rather than accepting and managing the controlled exposure. According to the EBA, reasons to de-risk involve instances where ML/TF risks, or reputational risks, exceed an institution’s risk appetite. This is when an institution lacks the relevant knowledge or expertise to assess the risks associated with a specific business model, or when the real or expected cost of compliance exceeds generated profits.

Can new technologies help de-risking crypto?

The EBA guidelines state the need for greater engagement between Authorities and Institutions in order to keep building trust in underlying technologies, systems, and processes, and to encourage the advancement of AML/CFT controls and risk management as a suitable alternative to de-risking. This is particularly relevant to both Competent Authorities and Financial Institutions working in areas with exposure to virtual assets. When it comes to cryptocurrencies, as with other areas of the financial industry considered higher risk for ML/FT such as Correspondent Banking, applying the right tools and technologies can be more effective in combatting illicit use for tax evasion, money laundering or terrorist financing than banning the activity entirely.

“New technologies have the potential to make anti-money laundering and counter terrorist financing measures faster, cheaper and more effective. They can improve the implementation of FATF Standards to advance global AML/CFT efforts, ensure financial inclusion and avoid unintended consequences.”

Opportunities & Challenges of New Technologies for AML/CFT – FATF

What are the challenges to crypto transaction monitoring?

Many global financial institutions, as well as regulatory and industry bodies, have recognized both the risk and the clear opportunity that are present in the global adoption of cryptocurrency usage. In 2021, the updated regulatory virtual asset guidance from FAFT was issued, and as a result, provided further intelligence needed to add clarity and consistency in understanding the risks – and perhaps more crucially – the steps needed to mitigate those risks. This intelligence forms the building blocks required to help institutions make better, more risk-informed decisions rather than falling back on de-risking.

Many institutions have historically favored using traditional rules-based transaction monitoring systems to tackle emerging and more complex financial crime risk typologies, which has consistently proven to be unable to adapt to new data sources, behaviors and risks.

One example related to cryptocurrency risk is the reliance on transaction monitoring systems within certain banks to identify (unknown) points of contact and fiat/crypto conversion between their customers and Cryptocurrency Exchanges. This is done by analyzing transaction narratives and looking for keywords such as ‘Kraken’, ‘Coinbase’ or the asset names themselves. Using this approach in isolation can lead to further challenges and missed risk. For example, transactions that do not contain these keywords may simply be missed, making it increasingly difficult to identify patterns of activity and build genuine risk profiles.

How to tackle anti-money laundering compliance for cryptocurrency

In response to the challenges of traditional monitoring, many leading financial institutions are now looking at introducing new technology and data capabilities that will both consolidate and generate intelligence from multiple sources in order to see all activity in context. For example:

• Enriching a bank’s KYC and transactional data sets with additional third-party corporate registry data and/or intelligence from the virtual asset domain

• Integrating intelligence from on-chain analytics companies

This will allow the institution to not only identify the exchanges and resolve them as entities but can flag high risk/criminal exchanges, or those with poor or no KYC (Know Your Customer) programs, overlay keywords and narrative indicators to build a better risk profile of crypto usage.

Shifting to a multi-dimensional view of risk and control by applying innovative technologies and smoothly integrating multiple data sources is the way forward, combined with applying strong KYC and KYCC (Know Your Customer’s Customer) policies from the outset.

In an ever-evolving industry landscape amidst the ongoing need and demands surrounding cross border transactions and the rapid proliferation of crypto currencies, challenges will continue to arise for financial institutions. These are based around how best to leverage existing investments in AML/CTF processes, and tools to manage new risks and typologies and keep the business growing. As such, when looking at implementing new technology to either increase effectiveness of existing tools or to replace legacy systems, financial institutions should consider the vendors’ ability to create context, adapt to new typologies seamlessly and at speed, and help business grow.

Re-defining Know You Customer (KYC)