How Impending Virtual Asset Regulations Impact Banks—Even Those That Don’t Think They Do Crypto
As more mainstream consumer and institutional investors embrace cryptocurrencies, it becomes increasingly difficult, if not impossible, for traditional financial institutions to avoid entanglements with the crypto economy. For example, banks face significant counter-party transaction risks from customers interacting with high-risk crypto exchanges—especially when a bank is unable to identify these transactions as to or from a virtual assetThe term "virtual asset" refers to any digital representatio... More entity.
Despite the Financial Action Task Force (FATFThe Financial Action Task Force (FATF) is a global money lau... More) introducing virtual assets (VAs) and Virtual Asset Service Providers (VASPs) into its Recommendation at the end of 2018, virtual asset regulations still varied largely from country to country. The FATF sought to close any AML gaps through the release of their new Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers in June 2019. The guidance emphasizes how effective regulation, supervision, and enforcement of the VASP sector would require a global approach.
While one of the new regulations in particular—a cryptocurrencyA cryptocurrency (or crypto currency) is a digital asset des... More “Travel RuleIn October 2018, the Financial Action Task Force (FATF), the... More”— has been the focus amongst VASPs, the Travel Rule is just one of many new obligations the FATF has recommended. The guidance also outlined a risk-based framework for VASPs to follow, bringing the same risk-based approach common to formal financial institutions to the virtual asset sector. This includes:
- supervision or monitoring of VASPs for AML/CFT purposes;
- licensing or registration; preventive measures, such as customer due diligence, recordkeeping, and suspicious transaction reporting, among others;
- sanctions and other enforcement measures; and international co-operation.
This framework marked the beginning of increased regulatory scrutiny on not only VASPs, but all virtual asset activity. Because banks and cryptocurrency are increasingly intertwined as users seek fiat on and off ramps and regulators are paying more attention to the banking sector and its exposure to virtual assets. In June of 2020, Office of the Comptroller of the Currency requested public input in advance for cryptocurrency rulemaking that will impact those banks under the jurisdiction on of the OCC. Extensive research by CipherTrace in 2019 uncovered individuals operating illicit crypto money service businesses at 8 out of 10 US retail banks. These illegal MSBs use their bank accounts as a conduit for accepting cash payments in exchange for crypto to support the illegal trade of fiat for crypto. They often do this by a simple wire transfer or walkup cash deposits at a depository institution. Many banks and other regulated financial institutions unwittingly provide a conduit for these illegal transactions. Analysis further revealed that a typical large US bank processes over $2 billion annually in undetected cryptocurrency-related transfers. Financial institutions need to understand their crypto counterparty exposure to credit cards, debit cards, ACH, wire, and swift transfers.
What Risks Do Virtual Assets Pose to Banks?
Poor KYC controls:
While new regulations have helped to make the virtual asset economy safer, some Virtual Asset Service Providers continue to lack the proper AML controls to successfully detect and mitigate money laundering and terrorism financing. In reviewing the KYC procedures at the top 500 VASPs, CipherTrace found that 57% of these VASPs had weak or porous KYC processes. These weak KYC protocols can be exploited by criminals and other bad actors to launder ill-gotten virtual assets through exchanges operating as fiat off-ramps.
Exchanges operating as direct fiat off-ramps create cryptocurrency risk exposure to both the crypto exchange’s bank and receiving user’s banks. Exchange customers sell their crypto on the exchange’s platform for fiat, which is sent to their bank account from the account at the cryptocurrency exchange’s bank via ACH or wire transfer. While the two banks aren’t directly trading cryptocurrency with each other, the value being sent represents the sale of cryptocurrency. Both banks must rely on the exchange’s AML program to adequately addressIn a cryptocurrency context, an address is a cryptographic k... More any risk that may arise from the source of crypto assets being traded. Fortunately, 2020 has seen an upward trend towards stronger KYC as previous CipherTrace research in 2019 revealed that 67% of VASPs had poor KYC—10% more than this year’s study.
Cross-border nature of virtual assets:
On average, 74% of the bitcoinThe term "Bitcoin" can either refer to Bitcoin the network, ... More moved in Exchange-to-Exchange transactions was moved cross-border in 2019. The FATF warns “illicit users of VAs, for example, may take advantage of the global reach and transaction speed that VAs provide as well as of the inadequate regulation or supervision of VA financial activities and providers across jurisdictions, which creates an inconsistent legal and regulatory playing field in the VA ecosystem.” VASPs located in one jurisdiction may offer their products and servicesGeneral services, including non-profits, forums and news sit... More to customers located in another jurisdiction where they may be subject to different AML/CFT obligations and oversight. This is of concern where the VASP is located in a jurisdiction with weak or even non-existent AML/CFT controls.
VASPs don’t have long to apply new regulations
When FATF announced the new guidance in June 2019, they gave a 12-month window before it would report on the progress of individual member nations on transposing the guidance into local laws, stating “future developments in virtual asset technology should not create loopholes that terrorists and criminals can exploit. The FATF will evaluate next steps in June 2020.”
However, many members have yet to properly adopt all of the FATF’s new virtual asset guidance, risking jurisdictional arbitrage as some countries retain effective implementation of AML requirements while others proceed without proper controls. Additionally, the creation of new regulations does not automatically equate new protocols being created or enforced overnight at VASPs. Criminals can take advantage of these AML gaps as they quickly search to offload ill-gotten funds in a race for fiat before new regulations are enforced. These cryptocurrency related transactions often go unnoticed in bank accounts and payment networks. The lack of visibility and preparedness on the part of banks and other financial institutions makes them vulnerable to fraud and compliance exposure. A CipherTrace Case Study on Kunal Kalra—operator of an unregistered crypto MSB that pled guilty to exchanging up to $25 million in cash and crypto for Darknet drug dealers— demonstrates how Kalra operated his unregistered MSB by establishing bank accounts in the names of other people and fake businesses at both a top five US bank and a smaller, regional bank.
Recent statements by FinCEN personnel and Treasury Secretary Steven Mnuchin showcase the US government’s stance on compliance expectations for financial institutions when it comes to cryptocurrency related transactions. For example, regarding the Travel Rule, FinCEN Director Kenneth Blanco said on May 13th, 2020, “The United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency. Any asset that allows the instant, anonymized transmission of value around the world with no diligence or recordkeeping is a magnet for criminals, including terrorists, money launderers, rogue states, and sanctions evaders.”
In December 2019, Blanco also stated, “it is important for all financial institutions to ask themselves whether they are reporting such suspicious activity. If the answer is no, they need to reevaluate whether their institutions are exposed to cryptocurrency… If you don’t think you have crypto on your network, look again.” Banks should be able to accurately say what their cryptocurrency risk exposure is and whether they have appropriate measures in place. However, as CipherTrace research revealed that a typical large US bank processes over $2 billion annually in undetected cryptocurrency related payments, it is evident that banks cannot do this alone.
It is imperative that banks use the right tools and resources to adequately detect exposure to the fast paced, ever changing, 7×24 crypto ecosystem. Blanco adds in his May 2020 speech, “There is no substitute for the private sector’s visibility into and ability to prevent criminalA Criminal is an individual or group who has been convicted ... More exploitation of virtual currency products and platforms—particularly those of you who are organizing, developing, and administering these products and platforms. Our work together plays a significant role not just in advancing financial transparency, inclusion, and the development of the future of payment systems, but also in identifying, tracking, and stopping criminals including terrorists and other bad actors from harming others, particularly the most vulnerable.”