Cryptocurrency-related criminal transactions amounted to nearly $14 billion in 2021, nearly double the figure for the previous year. The use of virtual currencies as a payment method has also meant that companies are at greater risk of sanctions violations. OFAC has identified crypto exchanges and wallet providers as playing a part in evading sanctions and undermining US foreign policy and national security interests, exposing many businesses to potential penalties and government crackdowns.

Firms that operate in the crypto industry (as well as businesses that transact with crypto companies) must understand their compliance obligations and the associated risks that they may be exposed to. 

Some of the best practices firms should adhere to include:

1. Understanding the Risks

The Financial Action Task Force has recommended that businesses take a risk-based approach to AML/CFT compliance, which extends to cryptocurrency companies as well. This means that firms should deploy compliance measures that are proportionate to the compliance risk that their customers represent. The level of risk can be established through robust Know Your Customer and verification processes at the onboarding stage. Of course, risk profiles may change over time. By implementing ongoing transaction monitoring, companies can trace the flow of cryptocurrency assets and detect suspicious activity early on.

Cryptocurrency platforms should also remain aware of, and up to date with, sanctions guidelines and new regulations. This may require careful planning and ongoing improvements, including regular sanctions and compliance screening.

2. Adopting a Compliance Program (and Appointing a Compliance Team)

Compliance programs must be overseen by qualified compliance employees who are aware of AML/CFT threats, able to spot red flags and able to make decisions related to crypto risks within the organisation. These experts must have knowledge of traditional financial regulations, as these have formed the basis of most crypto compliance regulations. Governments and regulatory bodies that have turned their attention to virtual assets almost always start by expanding existing guidance targeting financial firms. Compliance employees should always be aware of current and anticipated regulations so that firms can prepare in advance. While a background in law enforcement isn’t strictly required, it may be useful for employees as they identify potential blind spots or red flags indicating that customers may be misusing crypto services.

3. Maintaining Awareness of Red Flags 

Financial businesses are well aware of the red flags associated with money laundering and fraud, but crypto businesses must also be aware of the possible fraud indicators unique to their industry. These may include:

  • Layering, including exchanging one form of cryptocurrency for another, mixing or blending transactions through exchanges or dedicated crypto tumblers; 
  • Dusting, including making large volumes of small transactions in order to overwhelm AML/CFT monitoring systems; 
  • Money mule accounts whereby criminals coerce or otherwise persuade third parties to conduct transactions on their behalf to avoid identity verification measures; 
  • A history of numerous off-chain and cross-chain transactions, or transactions between different blockchains to exploit or avoid KYC disparities; 
  • Peeling techniques where stolen funds are syphoned from a sender’s wallet in a series of small transactions; 
  • Exchanging stolen crypto assets with privacy tokens to be used on the darknet; 
  • Difficulties in verifying crypto wallet ownership, which may indicate that a wallet was stolen. 

4. Implementing the Right Internal Controls

Once risk assessments have been concluded, businesses are in a better position to determine which policies and procedures they should adopt. This includes internal controls that enable due diligence and alert them to red flags indicating that illicit activity may be taking place. For crypto companies, this usually depends on their products and services, the location of their operations and users, and the sanctions risks they identified during their initial risk assessment.

It’s a best practice to adopt geolocation tools and IP address blocking controls, including tools that can screen IP addresses against VPNs. In addition to collecting and verifying the names, addresses, and birth dates of customers, crypto companies should include digital identification processes (e.g. biometrics). 

Crypto companies should also play to their own strengths. For example, while crypto technologies bring new risks, they also present opportunities to enhance compliance performance, including new ways to store and encrypt customer information and verify transactions. 

5. Regular Testing and Auditing

Testing the effectiveness of your compliance program ensures that it works as it should and identifies opportunities for improvement or updates, should sanctions or regulations change. This includes testing: 

  • Sanctions list screening, including the screening of individuals on the SDN list, to ensure that the lists are up to date and that transactions requiring additional review are flagged;
  • Keyword screening, including ensuring that screening tools are correctly flagging geographic keywords during KYC and transaction screening processes; 
  • IP blocking, including ensuring that geofencing IP address software is successfully blocking users from sanctioned jurisdictions from accessing the company’s services; 
  • Investigating and reporting transactions, including reviewing transactions that may be at risk of sanctions violations. 

Conclusion

Cryptocurrency companies are under increasing pressure to adhere to global financial governance standards, including AML and CTF regulations. Even in instances where there are no mandates, it’s clear that the market is moving in that direction, providing a competitive advantage and regulatory head-start to early adopters.