Catch Them if You Can…The Pressing Need for Cyber…
Understanding the specific red flags of cryptocurrency transactions and successfully implementing these red flags into the transaction monitoring process can greatly assist in filing the most accurate SARs, meeting regulatory requirements, and mitigating the AML/CFT risk.
Over the past 12 months, the use of cryptocurrency has grown tremendously with retail and institutional investors alike. Now more than ever, institutions are offering cryptocurrency related services to their clients. Additionally, cryptocurrency exchanges and companies are seeing higher than ever user activity. While the U.S. regulatory landscape on cryptocurrency is far from finalized or certain, what is certain is that for institutions transacting in cryptocurrency, those transactions will need to be monitored and suspicious activity reports (“SARs”) filed if suspicious activity is discovered. A successful transaction monitoring program can help mitigate the risks associated with cryptocurrency transactions. The unique compliance challenges that cryptocurrencies present have been met with innovative solutions, especially for transaction monitoring. One unique risk to the industry is that no central entity can control or restrict how the blockchains transact. Institutions engaging in cryptocurrency transactions should fully understand and implement current transaction monitoring regulations specific to cryptocurrencies and be alert for proposed new regulations.
The Currency and Foreign Transactions Reporting Act of 1970 or The Bank Secrecy Act (“BSA”) is the primary U.S. law used to detect, deter, and disrupt money laundering. More specifically, this law requires regulated financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions over $10,000, and to report suspicious activity that might signify money laundering or other criminal activities. Institutions are able to comply with the Currency and Foreign Transactions Reporting Act of 1970 by implementing transaction monitoring systems capable of identifying illicit activity.
A transaction monitoring system aids institutions in identifying unusual or suspicious activity that must be reported to regulatory authorities and assists law enforcement in tracking criminals. Some of the key benefits of implementing a strong transaction monitoring system are:
- Receive customized payments fraud intelligence
- Improve data quality and architecture
- Better use of time by compliance personnel
- Reduce costs with automated risk scoring
- Maintain full audit trail
- Receive accurate and actionable SARs
With cryptocurrency now being a valid transaction option for individuals, cryptocurrency-related businesses must improve their own transaction monitoring systems and/or invest in new ones to track these new transaction types and to ensure that their tools adequately support the AML process, that suspicious activity is detected, and that the accuracy of identifying these suspicious transactions is not compromised.
With the increasing institutionalization and use of cryptocurrencies, the Financial Crimes Enforcement Network (“FinCEN”) has had to update its guidance originally only intended for fiat currency. The Travel Rule, which was introduced in 1996, requires financial institutions to pass certain information on to the next financial institution during funds transfers. In 2013, FinCEN issued guidance for people administering, exchanging, or using virtual currencies stating that administrators and/or exchanges of virtual currency will be considered money transmitters and are therefore subject to the Bank Secrecy Act if they admit to two acts: (1) they accept and transmit a convertible virtual currency (“CVC”) and (2) they buy or sell convertible virtual currency. It was then updated again in 2019 to also incorporate guidance applied to certain business models involving convertible virtual currencies and include any transfer that is equal to or exceeding $3,000, which requires the originator to send the receiving financial institution a series of transmittals containing detailed information before or at the time of the transaction.
Although originally cryptocurrency was advertised as being completely anonymous, in reality FinCEN has pushed for cryptocurrency exchanges to comply with record keeping requirements and the Travel Rule by sharing information about the originators and beneficiaries of cryptocurrency transactions. Future cryptocurrency regulations will continue to push on the FinCEN objective to ensure these digital assets adhere to the same category of regulations as fiat currency.
Cryptocurrency is at the forefront of U.S. regulators’ priorities. In September 2020, FinCEN director Kenneth Blanco, in the context of discussing cryptocurrency exposure, stated, “banks are not thinking about these issues, it will be apparent when examiners visit”. In December 2020, FinCEN issued a Notice of Proposed Rule Making (“NPRM”) aimed specifically at eliminating the anonymity of cryptocurrency transactions and at requiring the reporting of certain types of information on any cryptocurrency transaction worth over $10,000 involving an unhosted wallet. An unhosted wallet is a software device that allows any entity or individual anywhere to conduct and store CVCs. One of the most popular unhosted wallets is “MyEtherWallet”, which is a website that allows individuals or entities access to transfer and store cryptocurrency without regulation from a financial institution or regulators. According to the new proposed rule, banks and Fintechs would also be required to keep records for any such transaction over $3,000 and the reporting would have to be done within 15 days. The specific type of information that would need to be collected from the counterparty of an unhosted wallet can be found below:
While the future of cryptocurrency transaction monitoring regulations is uncertain, it is certain that regulators will enforce AML regulations on all cryptocurrency related businesses. As such, there is a great need for comprehensive and innovative cryptocurrency transaction monitoring solutions.
In 2020, the Financial Action Task Force (“FATF”) released guidance on the characteristics of cryptocurrency money laundering schemes, drawing on internal investigations and on case studies. This guidance includes a series of red flag indicators intended to help firms calibrate their cryptocurrency transaction monitoring measures. Red flag indicators of cryptocurrency money laundering to consider for transaction monitoring include, but are not limited to:
For tracking illicit crypto transactions, the adage of “follow the money” still applies, and it’s best to point to an example from recent events.
On May 7th, the Colonial Pipeline, the largest oil and gas pipeline system in the U.S., was attacked with ransomware developed by the Russian hacker group DarkSide, who collected 75 BTC (~3.1 mil USD at the time of writing) as payment. A month later, 63.7 out of the 75 BTC were recovered with a combination of police work, a critical error by the attackers, and, most importantly, new blockchain transaction monitoring software, provided in this case by Chainalysis.
Transaction monitoring assisted FBI investigators in tracing the flow of funds from DarkSide’s ransomware wallet through several transactions across multiple blockchains and ultimately to the public address of DarkSide’s end-wallet.
In order to mitigate the AML risks of transacting in cryptocurrencies, build confidence in the transaction monitoring process, and more effectively track and trace transaction activity, institutions should strongly consider utilizing specific cryptocurrency focused AML software.
Several vendors, such as Chainalysis, Elliptic, Coinfirm, or CipherTrace Armada, provide blockchain explorers (software that uses an API and a blockchain node to draw various data from a blockchain, then uses a database to arrange that data and present it to the user in a searchable format), analytics, and transaction monitoring. These services assist compliance professionals and investigators by providing the following features:
With all of the cryptocurrency transaction monitoring advances, there will be inherent implications to cryptocurrency related businesses.
To better mitigate the unique risks of transacting in cryptocurrency, cryptocurrency-related businesses will need to utilize the best cryptocurrency-focused AML software tools that meet their institution’s needs. Cryptocurrency-related businesses will need to review and decide which cryptocurrency AML software best fits their specific AML risks, but will also need to update their policies and procedures, training, and possibly staffing. The risk of not making these changes can be very costly. In late 2020, BitMEX, a P2P crypto-products trading platform, received criminal and civil charges from the U.S. DOJ. BitMEX allegedly failed to register as required under CFTC rules and to maintain an appropriate BSA and AML compliance program. The CFTC is seeking disgorgement of ill-gotten gains, civil monetary penalties and restitution. In October of 2020, FinCEN fined a New Jersey-based entity $60 million for violating reporting and registration requirements under the Bank Secrecy Act. The individual owned two bitcoin businesses and was able to launder more than $300 million worth of cryptocurrency by exchanging bitcoins hundreds of times on behalf of customers, operated an unlicensed money transmitting business, and was transmitting money without a license.
The following processes can better help mitigate risks of transacting in cryptocurrency:
A. Updating Policies and Procedures
Policies and procedures will need to be reviewed and regularly updated to incorporate new and/or changing cryptocurrency transaction types, provide guidance on how to review and complete alerts that are generated, and identify suspicious activity that might be occurring. Policies and procedures should be kept up to date with the latest bills and regulations passed by the government to ensure employees are well informed of these changes and have adequate guidance when reviewing cryptocurrency transactions.
B. Updating Training
Along with updating policies and procedures, training guidance and employee workshops will also need to be updated to include how to adequately review cryptocurrency transactions and correctly identify illicit activity such as structuring. Cryptocurrency transactions are very different from regular cash or ACH transactions as the information which is presented to the transaction monitor is unique. Employees who monitor cryptocurrency transactions will need to be trained on reading and deciphering the information available such as “TX Hash” and “Output Address”, how to identify illicit activity, and how to accurately write a Suspicious Activity Report and what information to include in those reports. Additionally, compliance professionals and investigators will need training on the various cryptocurrency and transaction types the institution offers.
C. Adequate Staffing
Cryptocurrency-related businesses will be required to look at their staffing and decide if their current resources are strong enough to support the influx of additional customers, cryptocurrencies, and transaction types that will occur when offering crypto-related services. SARs are required to be filed within 30 days of suspicious activity being detected, and a lack of adequate staffing could negatively impact these deadlines and expose the institution to reputational risk and possible substantial fines. Staffing may also be required to enhance and/or calibrate cryptocurrency transaction monitoring systems to meet your institution’s needs. To avoid these negative impacts, institutions can either educate their current staff and/or hire subject matter experts to ensure all suspicious activity is identified and no deadlines are missed.
D. Disposition of Alerts
Treating Alerts globally is a challenge due to different AML and Cryptocurrency regulations in different countries. For this reason, institutions may need to consider deploying different environments in each region to deal with the laws in each jurisdiction and in parallel maintain an environment that tracks alerts globally. This is especially relevant with cryptocurrency transactions as the regulations differ state by state and country by country.
E. Update Transaction Monitoring Tools
Transaction monitoring systems and AML software will need to have the capability to process and identify illicit cryptocurrency transactions that criminals will try to conduct. Whether a firm wants to update its own existing transaction monitoring tools or implement a new system, it is imperative that the tool/system is able to adequately identify and report suspicious transactions, to protect the firm from regulatory scrutiny and mitigate the risks associated with cryptocurrency transactions.
Sia Partners can assist your business in staying current with FinCEN and other regulatory guidance to ensure your institution is operating an up-to-date and effective transaction monitoring program with a focus on cryptocurrencies.
As cryptocurrency products and transactions are increasingly changing, cryptocurrency-related businesses will need to learn to update their existing transaction monitoring systems and procedures to help mitigate the unique risks of transacting in cryptocurrencies. Understanding the specific red flags of cryptocurrency transactions and successfully implementing them into the transaction monitoring process can greatly assist in filing the most accurate SARs and meeting regulatory requirements. Cryptocurrency AML software companies such as Chainalysis, Elliptic, Coinfirm, or CipherTrace Armada provide advanced technologies that can assist with the identification of the distinctive red flags of potentially suspicious cryptocurrency transactions. Cryptocurrency-related businesses should select the transaction monitoring system that best fits their risk and product profile.