This article appeared in the November/December 2021 edition of ABA Bank Compliance. Reprinted with permission.

BY GABRIEL HIDALGO, ESQ, CAMS

Cryptocurrency is no longer a fad. Digital currency has become mainstream, as evidenced by the number and range of institutions trading, issuing, and investing in it, as well as a startling fact: as of August 2021, the global market for cryptocurrency is valued at $2.10 trillion, up from $1 trillion at the beginning of 2021. Institutional players—from payment companies, to asset management funds, to financial institutions, luxury products, and industrial companies—are all seeking ways to get involved. But one other fact remains inescapable: regulatory scrutiny and emerging regulations on digital currency and virtual assets will create new challenges and regulatory risks for compliance officers.

Background

“Cryptocurrency,” “digital asset,” or “convertible virtual currency” are all terms for the same concept, a digital medium of exchange. Transactions with these assets are secure because of a technology called cryptography. These employ decentralized control—as opposed to centralized banking systems—through the use of blockchain technology.  Businesses that allow customers to trade cryptocurrencies are exchanges, or virtual asset service providers (VASPs). For more information on the basics of cryptocurrency, see “Virtual Currencies: What Banks Need to Know” in the November–December 2018 issue of ABA Bank Compliance. You can also find information explaining cryptocurrency and blockchain on the ABA website.

Recent Developments

Among recent developments is a letter published in July 2020 by the Office of Comptroller of the Currency (OCC) clarifying that federally chartered banks and savings associations have the authority to provide custody services for cryptocurrencies. The OCC’s letter concludes, that “cryptocurrency custody services, including holding unique cryptographic keys associated with cryptocurrency, is a modern form of traditional bank activities related to custody services” and can extend “beyond passively holding ‘keys.’”

Demonstrating how the lines are blurring between banks and VASPs, in September 2020 the state of Wyoming granted a cryptocurrency exchange a license to form a crypto bank, which will be known as Kraken Financial. Kraken is the first cryptocurrency exchange to establish a special purpose depository institution, known as a SPDI (pronounced “speedy”), under a new law in Wyoming. The law allows SPDIs to offer custody and payment services in digital assets and lets depositors switch between cryptocurrency and fiat currency, but does not allow loans on digital currency deposits.

A second OCC letter published in January 2021 clarifies that national banks and thrifts can participate in independent node verification networks (INVNs), such as blockchains, and use stablecoins in payment activities. An INVN is a shared electronic database, such as a distributed ledger, where copies of the same information are stored on multiple computers. An INVN's participants, known as “nodes,” validate transactions, store transaction history, and broadcast data to other nodes. A blockchain is the incorruptible digital ledger of transactions that can be programmed to record not just financial transactions but almost anything of value. (For a detailed explanation of how Blockchain works, see the sidebar to this article, which is an excerpt of Virtual Currencies: What Banks Need to Know in the November–December 2018 issue of ABA Bank Compliance.

What this means is banks may “validate, store, and record payments transactions by serving as a node on an INVN. Likewise, a bank may use INVNs and related stablecoins—a new class of cryptocurrency that is backed by a reserve asset— to carry out other permissible payment activities. In deploying these technologies, a bank must comply with applicable law and safe, sound, and fair banking practices,” the OCC stated.

There’s the rub for compliance officers. New technologies are already here, but the established rules still apply. Regulators are recognizing that new technologies and systems such as cryptocurrency and blockchain are within the scope of mainstream banking activities, and financial institutions still must ensure compliance with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements.

                                                                        

One of the challenges of the rapid evolution and proliferation of VASPs and cryptocurrency is a lack of clarity in how institutions should handle them and the risks they can pose. Other than the limited guidance from the OCC and some from FinCEN and the Securities and Exchange Commission, there is not a fully developed regulatory system for cryptocurrencies. What are compliance professionals to do? It comes back to fundamentals, and for many institutions, that may mean re-examining how they assess and mitigate risks.

Five Ways to Mitigate Crypto Risks

In this dynamic environment, banks’ compliance teams have more to think about than ever. Integrating digital currency and/or VASP customer relationships into financial institutions’ everyday activities while maintaining a robust AML compliance program sooner or later will be on every compliance professional’s to-do list. With that in mind, here are five ways that banks can mitigate some of the risks arising from cryptocurrency.

1. Review best practices for banking money service businesses (MSBs). The Financial Crimes Enforcement Network (FinCEN) classifies many VASPs as money transmitters, meaning VASPs need to comply with the regulatory requirements for money service businesses. Strengthening and sustaining effective AML programs for cryptocurrency customers can be difficult. FinCEN has issued two advisories that help define when the MSB rules apply to cryptocurrency providers and offer a helpful starting point for compliance officers, which can be found on FinCEN’s website.

2. Identify other types of high-risk digital currency customers. Much like when offering traditional banking services, banks should clarify the categories of customers that fall into heightened risk categories. Central to identifying high-risk customers is a strong risk assessment function. Areas that institutions should consider and some questions they should strive to answer include:

  • Customer’s compliance program strength. When the customer is a financial institution or an entity that must implement a compliance program, how strong is that program? Can the strength of your customer’s compliance program be relied on when adjusting the compliance controls to oversee and monitor your customer’s activity? Banks should examine the customer’s Know Your Customer (KYC) protocols, transaction monitoring controls, and sanction screening program within the initial review to gauge the strength of the compliance program. A customer that relies on manual controls with a thinly staffed compliance team should be a red flag.
  • Jurisdictional concerns. Where a potential customer resides or operates can be a red flag for an institution’s risk assessment. For example, is the individual or entity based or operating from a jurisdiction known for instability, corruption, and weak regulatory oversight? This is a genuine concern with VASPs, which are based throughout the world.
  • Unregulated or underregulated financial entity applicants. Unfamiliarity with regulatory requirements or a lack of regulatory discipline can be problematic. Is the entity unaccustomed to regulatory oversight, or does it operate in a jurisdiction with a less developed regulatory system?
  • Politically exposed persons (PEPs). Institutions should have the ability to screen for PEPs, but equally important is continual monitoring of customers with political exposure, not just during onboarding. Most countries recognize as PEPs individuals who are government officials, political party leaders, senior executives in government-owned or international organizations, and relatives and close associates of such individuals. Is the potential customer a PEP or related to one? Could the person’s profile change, creating a political exposure that did not exist previously?
  • Sanctioned individuals, entities, and countries. A robust compliance program should have ready access to sanctions lists such as those maintained by the United States, United Kingdom, and European Union. Screening and monitoring for sanctions, as for PEPs, should not just happen during the onboarding process but should be conducted continually. Is the potential customer on a sanctions list, or affiliated with a person or entity who is?
  • Unusual behaviors. Certain behaviors can suggest red flags and warrant investigation. For example, is the customer intentionally avoiding certain types of identification? Is the customer exceeding expected business volume or using unexpected products or services? One kind of unusual behavior would be a customer that sets up a transactional account that it instead uses for aggregating funds. Another is an account with a history of a stable number of small transactions that suddenly sees much more frequent and larger transactions. These behaviors might not necessarily indicate a high risk for financial crime, but they merit a deeper look. The more an institution knows about its banking customers, the better it can distinguish between normal and unusual account activity.

The Financial Action Task Force (FATF), which published guidance on virtual assets and VASPs in 2019, notes that financial institutions “should apply a risk-based approach when considering establishing or continuing relationships with VASPs or customers involved in VA (virtual asset) activities, evaluate the money-laundering/terrorism financing risks of the business relationship, and assess whether those risks can be appropriately mitigated and managed.”  FATF added that “it is important that financial institutions apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.”

3. Understand the needs and challenges of building new books of business. Financial services is a competitive industry, and banks need to focus on growing revenue and assets through new business. Compliance officers can support their institutions in building new books of business by understanding the needs as well as the compliance challenges of new products and services and customer segments.

Cryptocurrency and stablecoins have moved beyond the “trend” phase, and may present the possibility to be a revenue driver for many banks. VASPs such as crypto exchanges and digital asset wallet providers are growing in number nearly every day. However, there are still risks in the fast-growing and sometimes volatile cryptocurrency industry. Traditionally, cryptocurrency offers speedy, cross-border transactions, often with little information on the true owners of underlying wallets when the wallets are unhosted by a regulated VASP. Financial institutions can apply their traditional BSA/AML practices to those entities that service cryptocurrency assets, but the opacity of entities on the other side of crypto transactions gives many banks pause.

When considering offering any new product, financial institutions should assess their risk appetite and risk management framework, and make sure to align those accordingly. A more conservative institution may face challenges when developing product sets serving VASPs. If an institution decides to expand into serving VASPs, then it likely will need to recalibrate its risk appetite and risk mitigation practices.

4. Mitigate money-laundering risks. Institutions today combat money-laundering risks through customer due diligence and transaction monitoring. Those foundational activities form the foundation of AML controls for digital currency as well. Institutions should construct a program to counter money-laundering that includes enhanced due diligence and ongoing monitoring for higher-risk customers.

Two approaches can help institutions conduct enhanced due diligence and monitoring. One is to leverage technology solutions to streamline processes. The second is regular training of staff about red flags and changes in regulatory policies or industry standards. As a rapidly evolving industry, standards for cryptocurrency businesses inevitably will change, and financial institutions will need to keep up to date, not only regarding how crypto businesses are evolving but also regarding legislative and regulatory responses. This is a highly dynamic area and new laws and regulations are a fact of life in this area.

Red flags for VASPs are different from those of traditional bank clients. For example, no one representing a cryptocurrency entity is likely to deposit large amounts of cash, given the very nature of their business. In addition, digital currency customers are generally technologically savvy; everything they do, they prefer to do digitally. Technology and training work well together to limit false positives in suspicious activity monitoring while achieving thorough monitoring and keeping compliance teams in the know.

5. Review best practices for high-risk customers. Strengthening and sustaining effective AML programs for cryptocurrency customers can be difficult. One key is for compliance officers to review best practices in effective enhanced due diligence and how to maintain effective compliance standards when onboarding high-risk customers. To do this, compliance professionals should take their existing knowledge and enhance it by learning from other sources of expertise.

Financial institutions should keep in mind:

KYC protocols must be followed stringently. Deviation from established KYC processes, such as providing too many exceptions, can weaken a bank’s controls and invite regulatory action. In the context of cryptocurrency, an exemption might be offered if certain documentation is not available, such as corporate formation documents translated into English. Given that many VASPs are based outside the United States, that might be a logical exemption from traditional KYC protocols. However, institutions should carefully consider which deviations make sense and which open the door to risk.

Customers can learn from banks. Cryptocurrency exchanges and other VASPs already have regulatory requirements to meet, but they can learn and adopt some best practices in their businesses from traditional financial institutions. As an example, lessons learned from transaction monitoring other high-risk customers, such as correspondent banking, can inform practices followed by cryptocurrency businesses.

Compliance is not a one-size-fits-all solution. Each financial institution should examine its own needs, risk appetite, and risk profile, as well as its risk management framework. Compliance officers cannot simply “set it and forget it” when it comes to risk management programs. Evolving risks require institutions to adapt their risk management frameworks. Tailoring processes to an institution’s particular situation is the best way to address the challenges and opportunities that cryptocurrency brings. The best compliance programs are dynamic ones that evolve and change over time to address new typologies and trends.