On June 11, 2018, the United Kingdom’s Financial Conduct Authority (FCA) issued guidance in the form of a “Dear CEO” letter on “Cryptoassets and Financial Crime.” It’s among the only guidance from a major regulator to assist banks in understanding their anti-money laundering obligations specifically for clients involved in cryptoasset/cryptocurrency activity. While directly applicable to banks in the U.K., the principles are generally consistent with anti-money laundering requirements globally and serve as a good resource for banks around the world. The letter itself gives the high-level framework and this article provides annotated analysis to help banks understand how to execute on the guidance.
Clients offering services related to cryptoassets
Where you offer banking services to current or prospective clients who derive significant business activities or revenues from crypto-related activities, it may be necessary to enhance your scrutiny of these clients and their activities.
While the letter says “may,” it is almost certainly a regulatory expectation that banks will give additional scrutiny to clients that are crypto-related businesses. The level of additional scrutiny may vary based on the type of crypto-related activity. In some cases, it may just mean asking a few additional questions. But in all cases, banks need to have a plan to do more for clients involved in crypto-related activity than its low or standard risk clients.
Appropriate steps or actions to consider may, subject to the circumstances and services being provided, include:
• developing staff knowledge and expertise on cryptoassets to help them identify the clients or activities which pose a high risk of financial crime
Developing the expertise is essential, but the key here is also to document your analysis of the financial crimes risk. For example, you may determine that a client engaged in crypto mining is a lower risk than a crypto exchange client processing transactions on behalf of its own customers. Regulators will not object to banks treating clients differently so long as there is a factual basis to support the decision and the analysis is documented.
• ensuring that existing financial crime frameworks adequately reflect the cryptorelated activities which the firm is involved in, and that they are capable of keeping pace with fast-moving developments
By “frameworks,” the FCA is likely referring to a number of different aspects of a bank’s financial crimes program. First, policies and procedures. Do your policies and procedures discuss crypto-related activities, their potential risks, and controls in place to mitigate those risks? Second, transaction monitoring. Criminal activity and money laundering methods can look different for crypto-related businesses than more traditional businesses. Does your transaction monitoring account for these crypto-specific money laundering typologies? Third, risk assessment. Do you have a process to regularly assess the risk of cypto-related businesses based on changes in the industry and the client’s business model? Do the controls in place effectively mitigate those risks? Fourth, training. In addition to general anti-money laundering training, do you have targeted training about the risks of crypto-related businesses.
• engaging with clients to understand the nature of their businesses and the risks they pose
Here, the FCA is talking about enhanced due diligence. In the current environment, collecting the standard level of due diligence for clients with crypto businesses is not enough. This means asking more questions about the nature of the business, who are the business’s customers, where are those customers located, what is the business’s revenue, what do they intend to use the accounts for, and what is the expected activity in the accounts. How many additional questions and what, if any, verification of the responses is required will likely depend of the nature of the clients crypto business, whether the explanations make sense, and whether the account activity is consistent with the client’s responses.
• carrying out due diligence on key individuals in the client business including consideration of any adverse intelligence
Adverse intelligence could mean a number of different things. From criminal charges at one end of the spectrum, to negative references in the news articles or blogs at the other end. Again, the level of research required will likely depend of the nature of the clients crypto business. For some businesses, a simple Google search for negatives articles on the business and associated individuals could be sufficient. In other cases, a deeper level of research including a search databases such as World-Check could be required.
• in relation to clients offering forms of crypto-exchange services, assessing the adequacy of those clients’ own due diligence arrangements
There is typically no requirement for banks to conduct due diligence on their customer’s customer. However, there is a regulatory expectation that banks understand their customer’s anti-money laundering program and what level of due diligence their customer performs on their clients. By onboarding a crypto-exchange, your bank is opening itself up to the financial crimes and reputational risks of the exchange and its underlying customers. A bank needs to do enough due diligence on the exchange to ensure the bank is comfortable with the exchange’s level of due diligence on their clients and that the exchange’s risk tolerance is in line with the bank’s.
• for clients which are involved in ICOs, considering the issuance’s investor-base, organisers, the functionality of tokens (including intended use) and the jurisdiction
From a financial crimes perspective, the obvious concern with ICOs is the potential for fraud. In addition to understanding the underlying business, the rationale for the ICO, and the ICO investor-base, banks need to pay close attention to what occurs in the account after the money is raised. Do the transactions appear to be consistent with the purpose disclosed in the coin offering? Or do you see excessive transfers from the accounts to individuals associated with the business or for personal expenses such as cars, houses, luxury goods, etc.? These could all be potential indications of fraud.
Customers using cryptoassets
Some of your customers or clients may be holding or trading cryptoassets, and selling them may be the source of a customer’s wealth or funds. In a retail context, this may be discovered by, for example, enquiring about the source of a deposit, or because the customer has previously made large transactions with cryptoasset exchanges.
The key to understating the risk for retail clients holding or trading cryptoassets is understanding the client’s source of funds/wealth in relation to the crypto transactions. If a client’s using his or her salary to make relatively infrequent, low value transfers to or from a regulated crypto-exchange, there may be no additional analysis or review needed. These client may properly be considered low or standard risk absent other risk factors. However, if a client is frequently transacting with crypto-exchanges in values that far exceed expected income based on their employment, that is certainly something that needs to be further investigated. Similarly, if the client earned their money through crypto investing or trading, banks may need to ask additional questions to understand when the cryptoassets were acquired, from who, and at what price the cryptoassets were sold. These questions will help the bank get comfortable that the client earned the money through legitimate trading and investing and were not (a) receiving cryptoassets for the sale of illegal goods; (b) using money earned from illegal activity to purchase cryptocurrency; or (c) using accounts at your institution to help facilitate the client’s operation of an unlicensed exchange.
Where a firm identifies that a customer or client is using a state-sponsored cryptoasset which is designed to evade international financial sanctions, we would see this as a high-risk indicator.
Clients using state-sponsored crytoassets to potentially evade international sanctions is one circumstance where banks should seriously consider whether there is an acceptable risk-based approach or whether the bank is better off prohibiting these clients and this activity all together. The potential downside of knowingly engaging in this type of activity is enormous.