Sanctions Compliance

Virtual Currencies: FATF's New Sanctions Guidance

The Financial Action Task Force, or FATF, has recently issued new sanctions compliance guidance for virtual currency. Understanding these requirements is crucial for any organization in the crypto industry, and this comprehensive guide is here to help.

Thorsten J Gorny
November 14, 2021

Reporting & Record-keeping Requirements

One of the biggest concerns for regulators attempting to oversee the virtual currency industry was the lack of transparency. Many crypto firms allow users to transact anonymously, and there are not many standards in place to track whether proper reporting and recordkeeping practices are followed.


The new FATF sanctions rules require any person or organization that engages in crypto transactions to follow OFAC regulations. The Office of Foreign Assets Control, or OFAC, is responsible for identifying individuals that are subject to sanctions and ensuring that businesses respond accordingly.

Generally, organizations are prohibited from transacting with the individuals and entities on OFAC sanctions lists. However, exceptions can be granted through a general license. These licenses are publicly issued and allow certain transactions to be performed.

Any entity that transacts with holders of blocked property must keep records of those transactions and make them available for OFAC to examine. Every transaction should have complete and accurate records, and you should retain them for at least five years from the date of the transaction or five years after the property is unblocked.


Crypto firms must comply with reporting standards in addition to the FATF recordkeeping requirements. Here are some of the most common reports that the virtual currency industry is expected to produce:

  • Initial Blocked Property Reports
  • Annual Blocked Property Reports
  • Rejected Transaction Reports
  • On-Demand Reports Requested by OFAC

You must file the initial blocked property reports within 10 business days after that virtual currency is blocked. The annual blocked property reports outline all the sanctioned assets held as of June 30th of that year. Crypto firms are required to produce this report by September 30th.

Organizations have to file a rejected transaction report whenever they attempt to complete a transaction and it is rejected because of sanctions requirements. This report is due by the 10th business day after the transaction is rejected.

Crypto companies can file these reports through the OFAC Reporting System, ORS.

Know Your Customer Process

The new compliance guidelines also require virtual currency firms to create a 'Know Your Customer' process. Often called KYC procedures for short, this guidance means that the business must gather information about their clients before transacting with them.

For example, crypto providers will need to obtain user information like name, address, date of birth, social security number, and more. Other relevant data may include government ID, residency documents, and even IP addresses associated with transactions.

Crypto companies must also gather details about the entities they transact with. This includes trade and legal names, beneficial ownership information, line of business, which countries they operate in, and other relevant government documents.

It is a red flag if a user is unable or unwilling to provide identification information or complete the KYC process. Virtual currency firms should be wary of users that offer unclear or incomplete data, as it could indicate that illicit activity is occurring. Likewise, it is also a concern if users attempt to access your platform from a VPN or IP address that is linked to a sanctioned jurisdiction.

While the KYC process is crucial at customer onboarding, it should also be conducted on an ongoing basis. The goal is to collect enough data to determine whether the individual appears on a sanctions list and adjust your due diligence measures accordingly.

If a user refuses to provide updated information or is non-responsive to your request, it may indicate a sanctions nexus. Similarly, your KYC process should alert you when a user attempts to transact with a blocked person or a sanctioned jurisdiction.

Risk-Based Approach

Since members of the virtual currency industry must avoid engaging in unauthorized transactions or other business dealings with sanctioned jurisdictions or persons, adopting a risk-based approach is key.

What does the risk-based approach entail? In short, it means that no two customers are the same – and your due diligence measures should vary accordingly. There is much more risk involved in dealing with someone in a high-risk jurisdiction or a sanctioned person.

Another way to look at it is that no compliance program or solution will be suitable for every business or circumstance. As such, you should have procedures in place based on the type of business involved, the products and services you offer, locations served, and types of customers. During the KYC process, you should develop a risk profile for each user based on this data.

Those that fall into higher-risk categories will require additional due diligence. Crypto firms may need to enhance their transaction monitoring effort, expand sanctions screenings, and collect other information to adhere to anti-money laundering regulations.

Applying the Risk-Based Approach to Sanctions Screenings

You may be wondering, how can organizations in the virtual currency industry apply the risk-based approach to sanctions screenings?

Sanctions screenings are an important part of the know your customer process, as they allow you to better understand a particular customer’s risk profile. To be effective, crypto firms must develop a process to conduct routine and ongoing sanctions screenings to ensure that they comply with FATF regulations. There are significant penalties for violating sanctions regulations, so businesses must do everything they can to remain compliant.

While this may seem overwhelming, it is best to start by evaluating what sanctions risks you are exposed to. Once you determine your exposure, you can take steps to minimize those risks through a sanctions compliance program. These procedures should be relevant to the types of transactions the crypto firm is engaging in. They should also reflect their geographic locations and client base.

You must also determine if the counter-parties you are relying on have adequate compliance programs in place. Doing so will allow you to identify areas that may cause your firm to interact with sanctioned regions or persons.

Management Commitment & Training

Another key takeaway from the FATF's new AML compliance guidelines relates to management commitment and training. Let's review these aspects of sanctions regulations in more detail, including how crypto firms can ensure they meet all requirements.

Management Commitment

To have successful sanctions and KYC programs, there needs to be a commitment from management to make that happen. For example, senior management should endorse sanctions-related policies and procedures and review them frequently to ensure that they still meet the needs of the business.

Crypto companies should appoint a dedicated compliance officer who has the right technical expertise to oversee training programs and drive AML strategies. They should also provide adequate resources to accomplish compliance goals, such as technology, human capital, and expertise.

Training Considerations

You cannot be fully compliant with FATF sanctions regulations without implementing a robust training program for your employees. It makes sense – you can’t ensure compliance with AML laws if your staff is not aware of what that entails or how they should escalate red flags.

Sanctions-specific training is critical to the success of your KYC program. The scope of this training will vary based on the individual roles, the size and sophistication of the organization, and the risk profile of the crypto firm. However, all personnel should know how to comply with the internal controls designed for their job.

The compliance training should be done regularly – or at least once per year. Conducting AML training at onboarding is not sufficient, as sanctions laws and requirements will evolve.

Internal Controls Guidance

The new sanctions compliance guidelines that FATF has issued for the virtual currency industry also address internal controls. Internal controls refer to the policies and procedures that a crypto firm will design to support risk assessment and regulatory compliance efforts.

When a business operates in the virtual currency industry, the internal controls will be based on the types of transactions they facilitate, which users they support, and where they operate. Location of the transaction plays a major role in the development of internal controls, as that will determine which sanctions might apply and what regulations they must comply with.

These controls can help crypto firms identify sanctioned users, interdict, escalate, record, and report transactions as appropriate. They will facilitate the due diligence efforts you assign based on a customer’s risk profile and alert the organization to any red flags that indicate illicit activities or compliance breakdowns.

In other words, internal controls help to pinpoint any risks and concerns before they get too far, so the firm can take appropriate action. Internal controls can identify weaknesses in your KYC and onboarding process and ensure that you can enforce the policies and procedures you established. They can also help you complete a root cause analysis of compliance breaches – and remediate them – to avoid any sanctions violations.

FATF does not currently mandate the use of certain software for screenings, transaction monitoring, or investigations – but it can be very helpful for building up your internal controls tools. Here are some ways that technology can facilitate this process for crypto firms:

Geolocation Technology

Location is perhaps the most crucial component of developing appropriate internal controls and following the risk-based approach. As such, geolocation technology can make all the difference.

For instance, you can use geolocation tools and IP address blocking controls to ensure that your business does not transact with blocked assets of sanctioned entities. By preventing transactions from occurring with sanctioned individuals in the first place, crypto firms can reduce their risk of violating the FATF sanctions compliance guidelines.

OFAC has already acted against crypto firms that engaged in prohibited transactions because they did not have appropriate controls to prevent sanctioned users from leveraging their platforms. Had they used the geolocation information that they had access to, they would have blocked the transaction from happening to begin with.  

Simply put, companies in the virtual currency industry must invest in technology that alerts them when a user is on a sanctions list or attempts to transact with a blocked currency. The right analytics tools can help firms identify IP misattribution too. This will prevent users from relying on known virtual private networks to circumvent these requirements.

Geolocation technology should collect data points like IP addresses, other known IP addresses, physical location, and more. The information can be collected from various sources, such as what the customer provides, what appears on a sanctions list, email addresses, and other transactional data.

Sanctions Compliance in Practice

As the FATF and other regulatory authorities begin to exert greater control over the virtual currency industry, these firms will need to adapt their processes and respond accordingly. There have already been instances of OFAC enforcement actions against crypto businesses, but they were allowed to remediate the root causes of the violations.

There will be an adjustment period as organizations align their internal processes to what is required by FATF and OFAC, so understanding remedial measures is key. Here are some examples of what firms are doing to start moving towards compliance:

  • Perform retroactive batch screenings of all your users to identify sanctions risks
  • Implement a sanctions-related training program for all employees including management
  • Invest in IP address blocking and similar restrictions for sanctioned regions
  • Hire appropriate compliance staff, including a dedicated chief compliance officer
  • Review end-user agreements to address sanctions requirements
  • Build a keywords list of sanctioned areas to use during the KYC process

As you can see, many of these remediating measures involve implementing or improving internal controls, adopting appropriate processes and procedures, and investing in the right tools to support the risk-based approach.
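To make the retroactive batch screening, IP address blocking, and keyword list measures above concrete, here is an added example (not code from this article or from any regulator). The IP ranges are RFC 5737 documentation ranges standing in for ranges attributed to sanctioned regions, the keywords are dummy place names, and the user record fields are hypothetical.

```python
import ipaddress

# Constructed placeholders: replace with ranges and place names from your own
# geolocation provider and sanctions keyword list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "203.0.113.0/25")]
REGION_KEYWORDS = {"exampleland", "north placeholder"}
REQUIRED_KYC_FIELDS = ("name", "address", "date_of_birth")

def screen_user(user):
    """Return a sorted list of reasons this user record needs escalation."""
    reasons = set()
    for raw in user.get("ips", []):
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            reasons.add(f"unparseable_ip:{raw}")  # never silently skip bad data
            continue
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot dodge IPv4 rules.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if any(addr in net for net in BLOCKED_NETWORKS):
            reasons.add(f"blocked_ip:{addr}")
    # Case-insensitive, whitespace-normalised keyword match on location fields.
    text = " ".join(str(user.get(f) or "") for f in ("address", "residency"))
    text = " ".join(text.casefold().split())
    reasons.update(f"region_keyword:{kw}" for kw in REGION_KEYWORDS if kw in text)
    # Incomplete KYC data is itself a red flag.
    reasons.update(f"missing_kyc_field:{f}"
                   for f in REQUIRED_KYC_FIELDS if not user.get(f))
    return sorted(reasons)

def batch_screen(users):
    """Screen every stored user; return {user_id: reasons} for flagged users."""
    hits = {u["id"]: screen_user(u) for u in users}
    return {uid: r for uid, r in hits.items() if r}

# Constructed sample records.
SAMPLE_USERS = [
    {"id": "u1", "name": "A", "address": "1 Sample St, Anytown",
     "date_of_birth": "1990-01-01", "ips": ["192.0.2.10"]},
    {"id": "u2", "name": "B", "address": "5 Main Rd,  EXAMPLELAND",
     "date_of_birth": "1985-05-05", "ips": ["203.0.113.5"]},
    {"id": "u3", "name": "C", "address": "9 Test Ave, Anytown",
     "date_of_birth": "", "ips": ["::ffff:198.51.100.7"]},
    {"id": "u4", "name": "D", "address": "2 Demo Ln, Anytown",
     "date_of_birth": "1970-07-07", "ips": ["203.0.113.200", "not-an-ip"]},
]

if __name__ == "__main__":
    for uid, reasons in batch_screen(SAMPLE_USERS).items():
        print(uid, reasons)
```

Flagged records are returned for escalation rather than dropped, so the review and any resulting report can be recorded.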

The FATF's Guidance for Virtual Assets and VA Service Providers
