With the European Union’s adoption of the Fifth Anti-Money Laundering Directive (“5MLD”), cryptocurrency exchanges and custodian wallet providers will become subject to the same anti-money laundering requirements as other financial institutions. In the United States, exchanges and custodian wallet providers are already subject to registration with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and its anti-money laundering requirements.
There is a popular misconception among crypto wallet providers and more traditional financial institutions that custody accounts are subject to lesser anti-money laundering requirements. This is not true. While the requirements might vary from other types of accounts and across jurisdictions, they are no less stringent when it comes to knowing your customers and identifying potentially suspicious activity.
In general, there are six key anti-money laundering requirements for crypto wallet providers: (1) regularly assessing the financial crimes risk of your business; (2) designating a person responsible for anti-money laundering; (3) collecting customer due diligence or “know your customer” information; (4) internal controls to detect, investigate and report on suspicious activity; (5) on-going training; and (6) independent testing of the anti-money laundering program. While, at a high level, these requirements are the same as those for other financial institutions, the specifics of how crypto wallet providers meet these requirements can differ.
Crypto wallet providers should have a written assessment of their business’s money laundering and terrorist financing risks. The risk assessment should take into account risk factors related to who their customers are, where their customers are located and the products and services offered.
Customer Risk. Certain customers pose a greater risk of money laundering and terrorist financing than others. For example, government officials and their family members are higher risk because of the potential for bribery and corruption. Customers with negative public information, which can range from a prior conviction to media articles that allege potential criminal activity, are higher risk than those without that information.
Geographic Risk. Clients from certain countries also pose a greater risk of money laundering and terrorist financing. For example, certain countries are internationally recognized as having weaker anti-money laundering standards or as having higher levels of corruption.
Product Risk. In the custody context, customers using accounts to custody cryptocurrency on behalf of their own clients are higher risk due to the lack of information the crypto custody provider will have on the customer’s clients.
By assessing the business’s customer, geographic and product risk, the business can use a risk-based approach to mitigate these risks. As discussed below, this will mean collecting additional information and/or performing additional transaction monitoring on customers and activity deemed to be higher risk. These risks may also change over time, so the assessment should be regularly updated as the business changes or grows.
Regulators in many jurisdictions will request a copy of your written risk assessment as part of their examination. Crypto wallet providers should also consider how they might use the risk assessment more affirmatively with banking partners and/or potential clients to demonstrate that they understand the risks and have controls in place to address them.
Designating a Person Responsible
In most jurisdictions there is a requirement to designate a specific individual responsible for the anti-money laundering program. Where firms get in trouble here is by having someone who is either unqualified or without sufficient status in the organization to escalate issues to executives when they arise.
Customer Due Diligence/Know Your Customer
In all jurisdictions, there is a basic level of due diligence that firms must collect. This includes things like name, address, date of birth and some sort of government identification. Beyond the basics, there is other essential information that crypto wallet providers must collect: (1) source of funds to purchase the crypto assets; (2) beneficial ownership of entity clients; (3) enhanced due diligence for high risk customers; and (4) special due diligence on customers that will use their account to custody assets of the customer’s clients.
Source of Funds. If you think about how cryptocurrencies are used to launder money, generally the way it works is that the criminal has fiat currency earned from criminal activity (drug trafficking for example) and they want to conceal the fact that it comes from criminal activity, make it harder for law enforcement to trace and/or disguise the true owner of the money. The criminal converts the fiat currency to cryptocurrency and then uses a wallet provider to hold the cryptocurrency before transferring it to another account or someone else. One of the ways a wallet provider can try to determine if the cryptocurrency is being used to launder money is to ask about where the customer got the money to purchase the cryptocurrency. This is often referred to as source of funds or source of wealth. If the explanation for where the customer got the money to purchase the cryptocurrency doesn’t make sense, it could be an indication the customer is involved in criminal activity.
For example, assume you have a customer that tells you they are a teacher and used their salary to purchase the cryptocurrency. If the customer has a relatively small amount of cryptocurrency, the explanation would seem to make sense and there would be no need to do any additional review. If, however, the teacher has $2 million in cryptocurrency, then you’ll need to follow up with some additional questions. It could be that the teacher is tech savvy and used her modest salary to buy bitcoin in 2012 and has HODLed it ever since. In that case, the $2 million may make sense. On the other hand, if there is not a reasonable explanation for how the teacher got the $2 million in bitcoin, then it could be a sign she is involved in criminal activity and a determination will need to be made whether the client needs to be reported to regulators or law enforcement. The whole key is understanding whether the client’s explanation for how they got the assets makes sense.
Beneficial Ownership. As criminals get more sophisticated, they are increasingly using legal entities to help launder money. For just about any big financial crime you hear about in the news, there are almost always shell companies, front companies, personal holding companies or other legal entities used to move and hide the money. For this reason, almost all jurisdictions require that you collect information on the individuals that own and control the entity.
Enhanced Due Diligence for High Risk Customers. The basic idea here is that for any customer group you’ve identified as higher risk, you need to collect more information than you do for the average customer. For a government official or their family, it may be asking more questions about the nature of their position, their salary and details about prior employment. For a customer with negative information, it may require asking the customer to explain what happened. For more significant information, it may require doing a more formal background investigation. At the end of the day, you’ll need to be able to demonstrate that you took a reasonable approach to collecting and assessing additional information for customers who present a higher risk.
Customers that Custody Their Clients’ Assets. Typically, there is no requirement to conduct due diligence on your customer’s clients. You are only responsible for due diligence on your direct customer. However, because the customer’s clients will be custodying assets with your firm, you are indirectly accepting the risk of their clients. Therefore, it is very important to make sure that your customer’s risk appetite is consistent with yours and that they are meeting their own anti-money laundering obligations. This means understanding generally the types of clients your customer does business with, where they are located and the products and services offered to them. You’ll need to communicate to your customer that you expect them to have their own anti-money laundering program, collect the required due diligence on their clients and that on a risk basis you will want to verify that they are meeting their obligations. For some clients, this may mean getting an annual certification that they are compliant with all applicable anti-money laundering and economic sanctions requirements. With higher risk customers, you may want to ask for a copy of the customer’s last independent test of their anti-money laundering program.
Internal Controls to Detect, Investigate and Report Suspicious Activity
The level of internal controls required will depend on the size of your business and the potential money laundering and terrorist financing risks identified in your risk assessment. At a minimum, you’ll need to have some process for employees to escalate potential concerns. In smaller organizations, this may be reporting directly to the individual responsible for anti-money laundering. In larger organizations, there will be a much larger anti-money laundering team that would likely include a group of people whose entire job is to review potentially suspicious activity.
You’ll also need some form of transaction monitoring. Again, this will vary based on the size of the organization and risk. Transaction monitoring can range from a person manually reviewing transaction activity to very sophisticated algorithms to identify anomalies and certain money laundering typologies. Any potential suspicious activity identified through transaction monitoring must also be escalated for review.
Finally, you must have a process to review clients and transactions for potential violations of any applicable economic sanctions.
Ultimately, it is the responsibility of the individual in charge of anti-money laundering or their designee to review the potentially suspicious activity and determine whether it needs to be reported to regulators or law enforcement.
On-going Anti-Money Laundering Training
Most jurisdictions require employees to have anti-money laundering training. In many countries, the requirement is for annual training. Your anti-money laundering training should be tailored to the specific risks presented by your customers and business.
Finally, most jurisdictions require annual independent testing of the anti-money laundering program to ensure it meets the legal requirements. At large firms, this testing is often performed by an internal audit group. At small firms, the testing will likely be outsourced to a third party. The key here is that the testing be performed by someone qualified and independent.