Cryptoassets have inched one step closer to becoming mainstream payment instruments. Digital assets, such as Bitcoin and Ethereum, have skyrocketed in value and sparked the interest of the masses.
Since the start of the pandemic, we have seen many digital assets outpace the gains of stocks and commodities. This has led to traditional financial institutions (FIs) and investment houses increasingly exploring the introduction of new virtual asset services or products for their customers.
While cryptoassets are not new, their foray into the mainstream market has only occurred in the last decade. As a result, most traditional financial services companies do not offer access to the nascent market. Many do not even consider the indirect exposure they have to cryptoassets.
Currently, the crypto market is largely serviced by fintech start-ups and so-called crypto exchanges, also known as virtual asset service providers (VASPs), which provide decentralised banking services such as the investment, trading, exchange, purchase, and sale of virtual assets.
However, concerns about the associated financial crime risks of cryptoasset use have increasingly been pushed to the front of the agenda. VASPs and financial institutions are still learning how to lessen the risk of facilitating financial crime for which cryptoassets are the tool or laundering method of choice.
The same applies to traditional financial services companies entering the market. Both JP Morgan Chase and Goldman Sachs have indicated they are considering providing custody services and safe deposit boxes for cryptoasset investors. Furthermore, Goldman Sachs has started a Bitcoin futures trading platform. Other traditional FIs are also looking into crypto custody products which will cut the price of existing wallets.
Even traditional financial institutions which focus on fiat assets and currently do not provide crypto services, see significant opportunity with the emergence and growth in the crypto and blockchain space. As the value and use of crypto assets continues to grow, both traditional financial institutions and VASPs need to evolve their knowledge and understanding of the financial crime risks associated with cryptoasset to mitigate risks.
How is regulation changing?
Attempts to start regulating the crypto market started in 2013 with guidance from the US’s Financial Crimes Enforcement Network (FinCEN) surrounding persons administering, exchanging, or using virtual currencies.
In 2017, regulations were released within the European Commission’s EU FinTech Action Plan. Following the Commission’s instructions to examine the applicability of EU financial law to new types of cryptoassets, the EU’s 5th Money Laundering Directive extended anti-money laundering and counter- terrorism financial rules to VASPs domiciled in the EU. Once adopted and in full force, the directive became a directly applicable law in all member states and started regulating all issuers and service providers dealing with cryptoassets.
Another important milestone in regulating the sector arrived in 2020, with the issuance of the US Anti-Money Laundering Act of 2020 (AMLA) which expanded crypto regulatory coverage to institutions with regards to compliance as well as being aware of their liabilities under the law. It also expressly expanded the scope of the US Bank Secrecy Act (BSA) to include businesses engaged in the trade of “value that substitutes for currency” – e.g., cryptocurrency.
In October 2021, the Financial Action Task Force (FATF) issued new guidance for cryptoassets to combat money laundering and terrorism financing. The 37 FATF member countries are expected to adopt these regulatory guidelines within one year.
The ‘travel rule’ which came into effect in 1996 has not been fully implemented or standardised across crypto assets, however, has lately started to include virtual assets with the introduction of the term VASP in the regulatory framework.
Last year, the updated FATF guidance outlined recommendations on handling the ‘travel rule’ when it comes to cryptoassets. Now, FinCEN and the US’s Federal Reserve Board have expressed their interest to lower the threshold for the requirement to collect, retain and transmit information on funds and transfer.
The lower threshold would require any VASP to obtain, hold, and transmit originator and beneficiary information when transferring virtual assets to or from another VASP on behalf of their clients. Most EU jurisdictions also proposed an obligation for financial intermediaries to exchange customer data when transferring cryptoassets on behalf of their clients.
A combination of a lack of applicable law and a maturing regulatory framework around cryptoassets is propelling the development of suitable solutions to ensure full compliance and risk management.
Despite efforts from regulators globally, the crypto market remains largely unregulated; regions where new rules are in effect remain broad, and bad actors can continue to cause issues. This poses a challenge for financial companies which must exercise prudent responsibility when providing banking services to crypto exchanges or users trading crypto.
These organisations are still subject to the same AML-KYC rules. FATF guidance and the monitoring approach adopted by financial institutions is centred around risk-based analysis. As efforts to standardise regulations continue apace, so do transactions in crypto.
Banks and FIs must not only follow regulations, but also recognise and act on closing their exposure to financial crime risk. Training, comprehensive KYC, compliance technology, and regulatory clarity are the foundations which will help banks adapt to the digital nature of cryptoassets.
There are a series of checks that can help manage AML risk: know your customer and know your transactions. These will assist financial institutions in adequately identifying and reporting suspicious account transactions. The use of advanced analytics to assess data and identify suspicion can help further strengthen this risk-based approach.
It is impossible to separate the enabling technology and the related technological risks from crypto as an asset. The relevance of the underlying blockchain technologies supporting each cryptoasset inevitably impacts the value of the cryptoasset itself.
Banks and other financial institutions need the ability to trace transactions and connections in real time – and the capacity to assess their relevant risks. The need for an effective compliance programme in understanding, managing, and mitigating the financial crime risks that cryptoassets pose is viewed as an extension to blockchain.
FIs need technology that supports the immutable nature of blockchain to trace the origin of cryptoassets to eliminate money laundering risks. Coordination between organisations is the first step to managing technological risks surrounding crypto. Having the tools to do blockchain analysis is critical. Ensuring the validity of the parties should be a priority.
However, this is a multi-faceted process which extends beyond transaction monitoring to encompass compliance with existing and new regulatory frameworks. In the US, all payment processors must comply with the Banks Secrecy Act and banks must identify any peer-to-peer crypto exchanges whether personal or business. This would require putting in some baseline controls for identifying customers as well as tools to report potentially suspicious activity occurring through the FI.
Emerging market risks
Financial institutions are faced with a plethora of compliance obligations designed to prevent money laundering, terrorist financing and sanctions avoidance, becoming more stringent with each successive iteration and change by regulatory bodies.
FIs must ensure full regulatory compliance for all accounts which transact with crypto by requiring them to comply with relevant AML/CFT regulations. Such requirements include record keeping, suspicious transaction reporting, model risk management, ongoing CDD/EDD, internal controls, and employee screening.
Some banks and even jurisdictions have imposed bans on cryptocurrency transactions going as far as blocking or placing holds on transfers to or from known crypto exchanges and platforms. Bans are active in India, Vietnam, Indonesia, Algeria, and Bolivia – to name just a few.
Banks and other financial institutions must incorporate regulatory compliance and risk management into their short and long- term business plan and strategy. Given the rise of cryptoassets and the inherent risks they pose, ensuring the compliance process is fully standardised is essential to reducing the likelihood that suspicious activity falls through the net.
There is evidently far more work to be done – and obligations on FIs will only increase over coming years.