OCC Hits New York Based Bank With First-Ever Enforcement Action for Lack of Crypto AML Compliance
On January 30, the Office of the Comptroller of the Currency (OCC) issued the first cryptocurrency-related enforcement action against a U.S. bank—M.Y. Safra Bank (MYSB), which is headquartered in New York City. The enforcement action consisted of a cease and desist order that was wholly focused on deficient anti-money laundering (AML)Anti-Money Laundering (AML) rules are in place to help prote... More practices for compliance and monitoring of the bank’s digital asset customers (DAC). These entities included cryptocurrencyA cryptocurrency (or crypto currency) is a digital asset des... More exchanges, bitcoinThe term "Bitcoin" can either refer to Bitcoin the network, ... More ATMA Bitcoin ATM (Automated Teller Machine) is a business who o... More operators, and virtual OTCs as well as other crypto-related businesses.
The Consent Order, a settlement of cease and desist proceedings alleged that for more than two years MYSB failed to fully vet its cryptocurrency customers and transactions in high-risk jurisdictions. This lack of AML controls included opening accounts for VA customers without sufficient customer due diligence (CDD) and a lack of adequate monitoring and investigating of suspicious transactions linked to these customers.
These deficient AML and BSA policies and procedures prevented MYSB from effectively identifying and investigating suspicious activity linked to crypto-related accounts. This lack of visibility into risky transaction also meant the bank could not send suspicious activity reports (SARs) to the Financial Crimes Enforcement Network (FinCEN).
Under the enforcement action, MYSB must now implement a number of measures to update its AML and Bank Secrecy ActThe Bank Secrecy Act (BSA) is U.S. legislation aimed toward ... More (BSA) compliance programs. While no monetary penalties were assessed in this first-ever crypto-related enforcement action against a bank, it sends a strong message to the financial service industry. MYSB will face increased business costs related to ensuring their compliance programs adequately addressIn a cryptocurrency context, an address is a cryptographic k... More all corrective actions mandated by the enforcement action.
In short, within 30 days the Order requires MYSB’s Board of Directors to:
- Appoint a Compliance Committee to monitor and oversee the bank’s compliance with the Order’s provisions
Within 45 days the Board must:
- Ensure the bank develops, implements and adheres to a written comprehensive training program that educates all appropriate bank employees and board members on their responsibilities under the BSA
Within 90 days the Board must:
- Ensure the bank implements an independent BSA audit
- Ensure the bank implements and adheres to a comprehensive written program that appropriately monitors and reports suspicious activity
- Ensure the bank implements and adheres to a written system of internal controls and processes to file SARs
- Propose an independent, third-party consultant to perform a SAR look-back to determine whether additional SARs should be filed for any previously unreported suspicious activity
- Ensure the bank implements and adheres to appropriate policies and procedures for collecting CDD information
- Ensure bank management develops an institution-wide BSA/AML Risk Assessment.
Within 180 days the Board must:
- Ensure the bank has a permanent, qualified, and experienced BSA Officer and sufficient staff.
If this action is any indication, bank regulators such as the OCC, Federal Reserve Banks, and the FDIC have already begun to scrutinize banks’ cryptocurrency exposure during examinations. It also demonstrates that these regulators expect banks to be able to identify and properly risk-rate consumer and commercial customers who buy, sell, exchange or administer cryptocurrency.
In what is perhaps further evidence of this trend, CipherTrace has seen more interest among bankers and regulators in our blockchainA blockchain is a shared digital ledger, or a continually up... More analytics education and cryptocurrency forensics certification programs.
Many Crypto AML Risks Remain Invisible to Banks
Until recently, most banks erroneously assume that executing a keyword search on “bitcoin” is enough to find cryptocurrency transactions within their payment flows. However, ferreting out crypto asset transactions or identifying customers who are engaged in VA-related activities requires more sophisticated blockchain analytics tools and intelligence. With more than 2,000 crypto entities in the virtual assetThe term "virtual asset" refers to any digital representatio... More ecosystem, dubious activity often goes undetected. In fact, recent CipherTrace Labs research found that most banks underestimate the amount of crypto transactions in their payments flows by as much as 80-90%. The research also found the typical U.S. bank facilitates, often unknowingly, $2 billion annually in virtual asset activity.
A Sign That Traditional Banking and Crypto Entities Have Become Increasingly Intertwined
This OCC enforcement action should be a wake-up call regarding the growing presence of cryptocurrency entities in the traditional financial servicesGeneral services, including non-profits, forums and news sit... More industry. Virtual asset entities must intersect with the traditional financial institutions in some manner in order to offramp virtual assets into the fiat world. This may take the form of a commercial MSB account holder acting as a VA money transmitter, a cash-intensive business receiving funds from bitcoin ATM deposits, or individuals wishing to remain “anonymous” by cashing out their cryptocurrency for prepaid debit, iTunes, or Google Play cards.
In addition, numerous dark marketA Dark Market is a commercial website that operates via dark... More and dark vendors broker P2P purchases of cryptocurrencies. Theses websites advertise which banks, large or small, can be used to receive the funds for purchasing crypto. This can be done by making cash counter deposits, wire transfers, or even Zelle or Venmo transfers. Once the sellers confirm the deposit of the funds into their accounts, they then transfers the crypto to the buyer, thus completing the transaction. The bank accounts used by these P2P brokers are usually not identified as MSBs or even commercial accounts. Often, they are consumer checking accounts and the bank is misled to the purpose of the cash deposits. However, per FinCEN regulations, individuals buying and selling crypto in a P2P manner are considered cryptocurrency exchangers and should therefore be registered as MSBs.
Successfully Banking Cryptocurrency Entities
Several banks have demonstrated their ability to satisfy regulators while banking a wide range of cryptocurrency entities. Some of the most well-known banks who bank crypto-related MSBs include Silvergate, Signature, and Metropolitan. Meanwhile, other banks are beginning to express interest and invest in their compliance structure to begin embracing potentially lucrative crypto MSBs.
Nonetheless, most banks still find themselves ill-equipped to identify and monitor virtual asset service providers as MSBs, or they lack the expertise and resources to successfully monitor virtual asset businesses. Apart from the standard AML and KYC procedures a financial institution might have in place, it is imperative for banks to understand their cryptocurrency laundering risk exposure and provide proper crypto-related training to the appropriate staff.
Banks currently have a number of advanced tools and methods for risk management and AML/CTF compliance for conventional payments, but are left exposed to risk when it comes to virtual currencies that use traditional payment systems such as SWIFT, ACH networks, or simple fiat deposits. CipherTrace uses its expertise in blockchain, cryptocurrency and crypto AML to give banks the tools and training they need to combat compliance risks.
Read the full OCC enforcement action:
For more on how CipherTrace’s Cryptocurrency Risk Intelligence for financial institutions can help uncover and mitigate virtual asset risks, request a demo now: https://ciphertrace.com/request-demo/