Transaction Monitoring: Impact on Crypto Businesses

The Currency and Foreign Transactions Reporting Act of 1970 or The Bank Secrecy Act (“BSA”) is the primary U.S. law used to detect, deter, and disrupt money laundering. More specifically, this law requires regulated financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions over $10,000, and to report suspicious activity that might signify money laundering or other criminal activities.[1]  Institutions are able to comply with the Currency and Foreign Transactions Reporting Act of 1970 by implementing transaction monitoring systems capable of identifying illicit activity. 

A transaction monitoring system aids institutions in identifying unusual or suspicious activity that must be reported to regulatory authorities and assists law enforcement in tracking criminals. Some of the key benefits of implementing a strong transaction monitoring system are:

• Receive customized payments fraud intelligence

• Improve data quality and architecture 

• Better use of time by compliance personnel

• Reduce costs with automated risk scoring

• Maintain full audit trail

• Receive accurate and actionable SARs

• Knowledge Sharing

With cryptocurrency now being a valid transaction option for individuals, cryptocurrency related businesses must improve their own and/or invest in new transaction monitoring systems to help track these new transaction types and ensure their tools adequately support the AML process, suspicious activity is detected, and the accuracy of identifying these suspicious transactions are not compromised.  

With the increasing institutionalization and use of cryptocurrencies, the Financial Crimes Enforcement Network (“FinCEN”) has had to update its guidance originally only intended for fiat currency. The Travel Rule, which was introduced in 1996, requires financial institutions to pass certain information on to the next financial institution during funds transfers. In 2013, FinCEN issued guidance for people administering, exchanging, or using virtual currencies stating that administrators and/or exchanges of virtual currency will be considered money transmitters and are therefore subject to the Bank Secrecy Act if they admit to two acts; (1) they accept and transmit a convertible virtual currency (“CVC”) and (2) if they buy or sell convertible virtual currency. It was then updated again in 2019 to also incorporate guidance applied to certain business models involving convertible virtual currencies and include any transfer that is equal or exceeding $3,000, which requires the originator to send the receiving financial institution a series of transmittals containing detailed information before or at the time of the transaction.[2]

Although originally cryptocurrency was advertised as being completely anonymous, in reality FinCEN has pushed for cryptocurrency exchanges to comply with record keeping requirements and the Travel Rule by sharing information about the originators and beneficiaries of cryptocurrency transactions. Future cryptocurrency regulations will continue to push on the FinCEN objective to ensure these digital assets adhere to the same category of regulations as fiat currency.

[1] https://tier1fin.com/alessa/blog/bank-secrecy-act-bsa-complying-u-s-aml…

[2] https://www.corporatecomplianceinsights.com/compliance-challenges-crypt…

Cryptocurrency is at the forefront of U.S. regulators’ priorities. In September 2020, FinCEN director Kenneth Blanco, in the context of discussing cryptocurrency exposure, stated, “banks are not thinking about these issues, it will be apparent when examiners visit”.[3] In December 2020, FinCEN issued a Notice of Proposed Rule Making (“NPRM”) that specifically aimed at eliminating the anonymity of cryptocurrency transactions and to report certain types of information on any transaction of cryptocurrency worth over $10,000 involving an unhosted wallet. An unhosted wallet is a software device that allows any entity or individual anywhere to conduct and store CVCs. One of the most popular unhosted wallets is “MyEtherWallet”, which is a website that allows individuals or entities access to transfer and store cryptocurrency without regulation from a financial institution or regulators.  According to the new proposed rule, banks and Fintechs would also be required to keep records for any such transaction over $3,000 and the reporting would have to be done within 15 days.[4] The specific type of information that would need to be collected from the counterparty of an unhosted wallet can be found below:

• The name and address of the financial institution’s customer
• The type of CVC or LTDA used in the transaction
• The amount of CVC or LTDA in the transaction
• The time of the transaction
• The assessed value of the transaction in U.S. dollars based on the prevailing exchange rate at the time of the transaction
• Any payment instructions received from the institution’s customer
• The name and physical address of each counterparty to the transaction of the financial institutions customer
• Other counterparty information the Secretary may prescribe as mandatory on the reporting form for transactions subject to reporting pursuant to 1010.316(b)
• Any other information that uniquely identifies the transaction, the accounts, and to the extent reasonably available, the parties involved and
• Any form relating to the transaction that is implemented or signed by the financial institution’s customer [5]

While the future of cryptocurrency transaction monitoring regulations is uncertain, it is certain that regulators will enforce AML regulations on all cryptocurrency related businesses. As such, there is a great need for comprehensive and innovative cryptocurrency transaction monitoring solutions.

[3] https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-k…

[4] https://www.complianceweek.com/regulatory-policy/fincen-proposes-bsa-re…

[5] https://home.treasury.gov/news/press-releases/sm1216

In 2020, the Financial Action Task Force (“FATF”) released guidance on the characteristics of cryptocurrency money laundering schemes, drawing on internal investigations, and from case studies. From this guidance is a series of red flag indicators intended to help firms calibrate their cryptocurrency transaction monitoring measures. Red flag indicators of cryptocurrency money laundering to consider for transaction monitoring include, but are not limited to[6]:   

1. Transaction behavior – Unusual transactional behavior such as high frequencies of transactions in a short period of time or the rapid deposit and withdrawal of funds into a recently opened account
2. Geographical Risks – Transactions that move cryptocurrency into or out of high risk countries or jurisdictions.
3. High Risk Crytpocurrency Activity – These include but are not limited to activity from darknet markets, scams to OFAC sanctioned addresses, and anomalous transactions which covers a majority of cryptocurrency activity.  
4. Structured Transactions – Multiple cryptocurrency transactions that appear to be deliberately structured in amounts that do not trigger reporting thresholds. 
5. Anonymous Transactions – Criminals seeking to exploit the anonymity of cryptocurrencies may use private coins, trade on unlicensed exchange sites, or use proxies to make trades.
6. Inadequate CDD – Cryptocurrency transactions involving accounts that have inadequate customer due diligence. 
7. Money-muling – Financially vulnerable customers or customers that seem unfamiliar with cryptocurrency technology may be used as mules to carry out transactions on behalf of money launderers. 

[6] https://complyadvantage.com/knowledgebase/transaction-monitoring-crypto…

For tracking illicit crypto transactions, the adage of “follow the money” still applies[7], and its best to point to an example from recent events.

On May 7th, the Colonial Pipeline, the largest oil and gas pipeline system in the U.S., was attacked with ransomware developed by the Russian hacker group DarkSide, who collected 75 BTC (~3.1 mil USD at the time of writing) as payment. A month later, 63.7 out of the 75 BTC were recovered with a combination of police work, critical error by the attackers, and most importantly, utilizing new blockchain transaction monitoring software provided by Chainalysis in this case.[8]

Transaction monitoring assisted FBI investigators in tracing the flow of funds from DarkSide’s ransomware wallet through several transactions across multiple blockchains and ultimately to the public address of the DarkSide’s end-wallet.[9]

In order to mitigate the AML risks of transacting in cryptocurrencies, build confidence in the transaction monitoring process, and more effectively track and trace transaction activity, institutions should strongly consider utilizing specific cryptocurrency focused AML software. 

Several vendors, such as Chainalysis, Eliptic, Coinfirm, or CypherTrace Armada, provide blockchain explorers (a piece of software that uses API and blockchain node to draw various data from a blockchain and then uses a database to arrange the searched data and to present the data to the user in a searchable format), analytics, and transaction monitoring. These services assist compliance professional and investigators by providing the following features[10]:

1. Automated, real-time APIs which conduct Know-Your-Transaction screening for sanctioned addresses, darknet activities, and suspicious transaction behavior patterns (outlined in Characteristics of Crypto Money Laundering) based on expert-assembled and auditable data.
2. Tracks data of thousands of blockchain entities and cryptocurrencies. Most of these tools have large databases with valuable information to help combat money laundering risks. Ciphertrace Armada, Chainalysis, Eliptic and Coinfirm all add and enhance their databases on a regular basis.
3. Tracing and tracking flow of funds, transactions, crypto wallets and data lineage that supports most liquid cryptocurrencies and blockchains. These activities can also assist an institution in recovering stolen funds. 
4. Workflow integration into leading AML tools.

With all of the cryptocurrency transaction monitoring advances, there will be inherent implications to cryptocurrency related businesses. 

[7] https://www.washingtonpost.com/business/2021/06/07/colonial-pipeline-ra…

[8] https://markets.businessinsider.com/currencies/news/coinbase-colonial-p…

[9] https://int.nyt.com/data/documenttools/affidavit-in-support-of-seizure-…

[10] https://go.chainalysis.com/rs/503-FAP-074/images/Ransomware-2021-update…

To better mitigate the unique risks of transacting in cryptocurrency, cryptocurrency related businesses will need to utilize the best cryptocurrency focused AML software tools that meet their institution’s needs. Cryptocurrency related businesses will need to review and decide which cryptocurrency AML software best fits their specific AML risks, but will also need to update their policies and procedures, training, and possibly staffing. The risk of not making these changes can be very costly. In late 2020, BitMEX, a P2P crypto-products trading platform, received criminal and civil charges from the U.S. DOJ. BitMEX allegedly failed to register as required under CFTC rules and to maintain an appropriate BSA and AML compliance program.  The CFTC is seeking disgorgement of ill-gotten gain, civil monetary penalties and restitution.[11] In October of 2020, FinCEN fined a New Jersey based entity $60 million in fines for violating reporting and registration requirements under the Bank Secrecy Act. The individual owned two bitcoin businesses and was able to launder more than $300 million worth of cryptocurrency by exchanging bitcoins hundreds of times on behalf of customers, operated an unlicensed money transmitting business, and was transmitting money without a license.[12] 

The following processes can better help mitigate risks of transacting in cryptocurrency: 

A. Updating Policies and Procedures

Policies and procedures will need to be reviewed and regularly updated to incorporate new and/or changing cryptocurrency transaction types, provide guidance on how to review and complete alerts that are generated, and identify suspicious activity that might be occurring. Policies and procedures should be kept up to date with the latest bills and regulations passed by the government to ensure employees are well informed of these changes and have adequate guidance when reviewing cryptocurrency transactions.  

B. Updating Training

Along with updating policies and procedures, training guidance and employee workshops will also need to be updated to include how to adequately review cryptocurrency transactions and correctly identify illicit activity such as structuring. Cryptocurrency transactions are very

different from regular cash or ACH transactions as the information which is presented to the transaction monitor is unique. Employees who monitor cryptocurrency transactions will need to be trained on reading and deciphering the information available such as “TX Hash” and “Output Address”, how to identify illicit activity, and how to accurately write a Suspicious Activity Report and what information to include those reports. Additionally, Compliance professionals and investigators will need training on the various cryptocurrency and transaction types the institution offers. 

C.        Adequate Staffing 

Cryptocurrency related businesses will be required to look at their staffing and decide if their current resources are strong enough to support the influx of additional customers, cryptocurrencies, and transactions types that will occur when offering crypto related services. SARs are required to be filed within 30 days of suspicious activity being detected, and a lack of adequate staffing could negatively impact these deadlines and will put the institutions in a position for reputational risk and possible substantial fines. Staffing may also be required to enhance and/or calibrate cryptocurrency transaction monitoring systems to meet your institution’s needs. To avoid these negative impacts, institutions can either educate their current staff and/or hire subject matter experts to ensure all suspicious activity is identified and no deadlines are missed. 

D.      Disposition of Alerts

Treating Alerts globally is a challenge due to different AML and Cryptocurrency regulations in different countries. For this reason, institutions may need to consider deploying different environments in each region to deal with the laws in each jurisdiction and in parallel maintain an environment that tracks alerts globally. This is especially relevant with cryptocurrency transactions as the regulations differ state by state and country by country. 

   E.      Update Transaction Monitoring Tools

     Transaction Monitoring systems and AML Software will need to have the capability to process and identify illicit cryptocurrency transactions that criminals will try and conduct. Whether a firm wants to update their own existing transaction monitoring tools or implement a new system, it is imperative the tool/system is able to adequately identify and report suspicious transactions to prevent the firm from regulatory scrutiny and mitigate the risks associated with cryptocurrency transactions. 

[11] https://www.jdsupra.com/legalnews/bitmex-trading-exchange-earns-crimina…

[12] https://www.financemagnates.com/cryptocurrency/news/fincen-hits-helix-a…

As cryptocurrency products and transactions are increasingly changing, cryptocurrency related businesses will need to learn to update their existing transaction monitoring systems and procedures to help mitigate the unique risks of transacting in cryptocurrencies. Understanding the specific red flags of cryptocurrency transactions and successfully implementing them into the transaction monitoring process can greatly assist in filing the most accurate SARs and meeting regulatory requirements. Cryptocurrency AML Software companies such as Chainalysis, Eliptic, Coinfirm, or CypherTrace Armada provide advanced technologies that can assist with the identification of the distinctive red flags of potentially suspicious cryptocurrency transactions. Cryptocurrency related businesses should select the transaction monitoring system that best fits their risk and product profile.