Financial Crimes in Digital Assets and Cryptocurrencies

Regulatory Scrutiny Continues to Rise


Background Information & Introduction

On March 9th, 2022, Executive Order 14067, officially titled “Ensuring Responsible Development of Digital Assets”, was signed by U.S. President Joe Biden. The Executive Order put a strong emphasis on mitigating the illicit finance and national security risks posed by misuse of digital assets. More specifically, digital asset risks related to money laundering, cybercrime, ransomware, human trafficking, and terrorist financing were called out as the most concerning.

The Executive Order did not direct any immediate changes to the way digital assets are governed; nevertheless, it marked the start of a process to develop a regulatory framework that addresses all elements of digital assets.

In response to the Executive Order, on Sept. 20, 2022, the U.S. Department of the Treasury (Treasury) published its “Action Plan to Address Illicit Financing Risks of Digital Assets” (“Action Plan”). The Action Plan echoes recent guidance issued by the Financial Action Task Force (FATF), which is the global intergovernmental body that sets international standards to prevent and address illicit financing.

As we stand midway through 2023, the regulatory landscape surrounding digital assets may not be a top priority for financial institutions. However, we believe it is only a matter of time before all financial institutions feel the regulatory pressure to have controls in place to specifically identify and mitigate digital asset risks. This belief is supported by U.S. Senators Elizabeth Warren and Roger Marshall, who introduced bipartisan legislation on December 14, 2022 aimed at addressing the risks digital assets pose in the aftermath of the FTX collapse. The introduction of the Digital Asset Anti-Money Laundering Act of 2022 comes as the pressure on legislators and regulators to rein in the sector and strengthen anti-money laundering (AML) activities has only escalated.

This “Insight” takes a deeper dive into the key threats, vulnerabilities and illicit financing risks digital assets pose, as highlighted in the Treasury’s Action Plan, and what financial institutions should begin thinking about in order to address these risks going forward. It will focus on Anti-Money Laundering (“AML”) and sanctions risks faced by Virtual Asset Service Providers (VASPs), Peer to Peer (P2P) / Decentralized Finance (DeFi) service providers, and traditional financial institutions. It will also highlight the newly introduced bipartisan legislation and what it might mean for digital assets service providers going forward. 

Virtual Asset Service Providers’ (VASPs) AML Risks

Per the Action Plan, FATF defines a VASP as a “natural or legal person who is not covered elsewhere under the Recommendations, and as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person: exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets; transfer of virtual assets; safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.”

The Treasury’s Action Plan noted several risks associated with VASPs, including illicit financing risks, sanctions violations, and inadequate regulation and supervision of VASPs in jurisdictions with weak Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) regulations. Similarly, recent regulatory enforcement actions also provide insight into some of the risks faced by VASPs. On October 11, 2022, for instance, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) announced settlements for over $24 million and $29 million, respectively, with Bittrex, Inc. (Bittrex), a virtual currency exchange. Also, on August 02, 2022, Robinhood Markets Inc. was fined by the New York Department of Financial Services (NYDFS) a total sum of $30M for “significant failures” in its BSA/AML obligations.

From a financial crimes perspective, VASPs generally face increased risks involving digital assets due to inadequate controls and/or failures in the following areas:

  1. Weak Customer Due Diligence (CDD). According to CipherTrace’s “Geographic Risk Report: VASP by KYC Jurisdiction”, 56% of VASPs globally have weak or porous KYC controls, meaning money launderers can potentially utilize certain VASPs to deposit or withdraw their ill-gotten funds with minimal to no KYC-related scrutiny. The impact of weak KYC controls can be seen in Santander Bank’s announcement on November 4, 2022, which stated that, beginning in 2023, it will block UK customers from sending real-time payments to cryptocurrency exchanges as part of measures to protect its customers from potential scams (Reuters, “Santander to Block UK Transfers to Crypto Exchanges in 2023,” November 2022). Traditional means of identification and verification have proven to be inadequate for conducting KYC due diligence in remote environments. In response, VASPs should implement robust CDD at account opening, on occasional transactions for non-customers above a threshold (e.g., $3,000), upon suspicion of Money Laundering / Terrorist Financing (ML/TF), or when there is doubt about the veracity or adequacy of previously obtained CDD information.

  2. Weak Sanctions Monitoring. The Treasury noted that criminals are increasingly using Anonymity-Enhancing Technologies (AEC), such as enhanced cryptography and mixers (i.e., platforms that can obfuscate the origin of cryptocurrency), or conducting transactions on an opaque blockchain. These technologies help criminals hide the movement or origin of funds, which may have ties to sanctioned entities. It is understood that AECs may have legitimate uses; however, providers of anonymizing services may deliberately operate in a non-compliant manner to make it more difficult for regulators and law enforcement to trace illicit funds. In March 2022, Lazarus Group, a Democratic People's Republic of Korea (DPRK) state-sponsored cyber group, reportedly stole approximately $620 million from a blockchain project linked to the online game Axie Infinity. The group used mixers and other means to launder their illicit proceeds. VASPs must address their exposure to providers of AECs to ensure that they are not violating OFAC and other international sanction regimes.

  3. Unregistered VASP and Compliance Obligations. Another risk of transacting with VASPs is that they may not be registered with a regulatory agency where they are domiciled, or they may be providing cryptocurrency services in a jurisdiction where they are not registered. Multiple countries have issued advisories or have a database to crosscheck VASPs that are not registered. For instance, the Financial Conduct Authority (FCA) based in the UK maintains a publicly available list of unregistered VASPs. Based on the Action Plan, more enforcement actions are expected from regulators to further encourage ongoing compliance and signal to VASPs that they will be held accountable for failing to meet AML/CFT and sanctions obligations, including registration with respective agencies. VASPs should monitor for guidance, alerts, and notices concerning illicit finance trends and developments in the digital asset space and implement guidance provided, where applicable.

Peer to Peer (P2P) & Decentralized Finance (DeFi) Service Providers’ AML Risks

According to the Action Plan, P2P service providers, which are typically natural persons engaged in the business of buying and selling virtual assets, may be subject to AML regulatory requirements. Additionally, where DeFi platforms are held out as truly decentralized organizations, the Action Plan indicates that traditional MSB activities such as currency exchanges and fund transfers will nonetheless cause the DeFi service provider to be operating as a money transmitter with AML obligations, potentially holding service providers accountable. Thus, depending on the business model, P2P exchange providers and DeFi service providers may be determined to be acting as money transmitters under the Bank Secrecy Act (BSA), which is the legislative framework in the United States that requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. If a P2P or DeFi service provider is effectively acting as an MSB, it would be required to develop an AML compliance program that will pass regulatory scrutiny. As noted by the Securities and Exchange Commission (SEC) Chair, Gary Gensler, in his remarks before the Aspen Security Forum: “Right now, we just don’t have enough investor protection in crypto. Frankly, at this time, it’s more like the Wild West.”

Thus, if these platforms are deemed to be MSBs or money transmitters, then they would need to develop an AML program which would typically include relevant AML policies and procedures, dedicated AML compliance staff, monitoring for suspicious activity, filing SARs as necessary, and complying with KYC and OFAC requirements. On the plus side, by establishing a thorough AML compliance program, P2P and DeFi service providers can mitigate specific risks called out in the Action Plan such as illicit conversion of virtual assets to fiat currency and rapid disbursement of illicit funds. It is important to note that the Treasury Department published a risk assessment in April 2023 detailing the money laundering and terrorist financing risks related to DeFi platforms.

Non-Fungible Token (NFT) Marketplace AML Risks

While the current US regulatory landscape does not prescribe AML requirements on NFT marketplaces and transactions, it is becoming common for industry participants to expect that these regulations are coming. NFTs have become top of mind for regulators from an AML risk perspective, and it is therefore wise to get ahead of the potential future regulation by addressing AML compliance risks now. NFT marketplaces should consider building out, or enhancing, their existing KYC capabilities to address who is allowed to be onboarded onto their platforms to engage in NFT transactions. These capabilities should assist the NFT marketplace with identifying the risk level of their prospective users to monitor them more effectively for any illicit behavior. Additionally, NFT marketplaces should be compliant with OFAC and other sanction regulations to help ensure they are not onboarding users that may have ties to terrorists or sanctioned entities. Treasury is preparing to publish a risk assessment by July 2023 on the money laundering and terrorist financing risks related to NFTs, which may prescribe additional AML compliance expectations for NFT marketplaces.

Traditional Financial Institutions: AML Risks

As highlighted in the Treasury’s publication, Crypto-Assets: Implications for Consumers, Investors, and Businesses, the aggregate market capitalization of all crypto-assets has hovered just below $1.0 trillion since June 2022. While this is a sharp decline from its peak of approximately $2.9 trillion in November 2021, there is little disputing that as volatile as the market may be, digital assets are here to stay.

National consumer research performed by Raddon Research Insights showed that 28 percent of consumers are very or extremely interested in having digital assets services as part of their banking relationship. This escalating consumer demand for digital asset banking and custody services will force traditional financial institutions to address the dilemma of either embarking on the digital assets train or potentially losing market share to current key players and growth-drivers in this space, such as fintech companies, VASPs, and other payment service providers.

Regulatory uncertainty aside, traditional financial institutions may need to strategically consider answering the call to action by either launching their own digital assets business to complement traditional banking services or creating partnerships with VASPs and other payments service providers to meet the needs of their customers. Regardless of the route chosen, financial institutions must place special emphasis on first identifying and understanding the key threats, vulnerabilities, and illicit financing risks related to virtual assets, as outlined in the Treasury’s Action Plan. Regardless of the type of digital assets services a financial institution may choose to provide (i.e., issuance, custody, exchange, or trading services), a thorough assessment of both the direct and indirect risk exposure should be conducted by the relevant compliance team(s).

For example, partnering with VASPs that offer both custody and exchange services can indirectly expose a financial institution to facilitating suspicious transactions through their institution, based on their role as an intermediary when converting digital assets to fiat currency, and vice versa. Also, payment service providers that use conventional operating bank accounts to deposit or withdraw fiat funds to facilitate digital asset payment services pose indirect ML/TF risks to traditional financial institutions, as illicit actors frequently attempt to capitalize on the non-face-to-face client interaction channels available through most payment service providers.

The FATF’s updated guidance on virtual assets provides longstanding compliance and due diligence practices outlining AML/CFT measures that can be applied when partnering with virtual asset service providers. The traditional risk-based approach recommendations in FATF’s guidance put financial institutions in a good position to cost-effectively adopt these practices by leveraging existing frameworks used for customer due diligence and risk assessments within functioning AML/CFT programs.

In its guidance, the FATF notably highlighted the importance of conducting counterparty VASP due diligence prior to partnering with VASPs, and ongoing CDD and monitoring on a periodic basis thereafter. As part of this recommended due diligence, traditional financial institutions should certainly confirm whether a VASP or payments service provider has performed a thorough risk assessment of its AML/CFT program, while also performing a risk assessment of its own to understand the following factors:

  • Size and Structure – specific registration and licenses held by the VASP, as well as the asset size, revenues, staff levels, and customer types, etc.
  • Ownership – identify all beneficial owners and the percentage of ownership by foreign individuals and entities located in high-risk jurisdictions
  • Products and Services – obtain information on and understand the purpose and intended nature of the business relationship, and determine the type of digital assets offered, and which services are available to customers of the VASP and payments service provider (issuance, custody, exchange, trading services)
  • Geography – Do the VASP and payment service provider have a presence in high-risk countries? Where are their customers mainly located (domestic or foreign), and what percentage of PEPs and other high-risk customers exist? What percentage of their assets and revenue is linked to high-risk jurisdictions?
  • Channels – What are the different types of client interaction channels (in person, online, indirectly through intermediaries) available to customers of the VASP?

By performing the appropriate levels of customer due diligence regarding strategic alliances with VASPs and payments service providers, traditional financial institutions increase their likelihood of creating long lasting business relationships, while addressing compliance with evolving regulatory expectations, ultimately avoiding reputational risk implications. As the digital assets markets continue to see growth, financial institutions must remain vigilant in their efforts to meet customer demand without compromising the integrity of their AML/CFT programs in pursuit of expanded revenue opportunities realized through the digital assets space.

Noteworthy Highlights in the Digital Asset Space

Proposed Changes to the Travel Rule. The Travel Rule requires crypto companies to send, receive, and sanction screen customer personal information alongside a crypto transaction over a particular threshold (currently $3,000). Compliance with the Travel Rule requires the collection of information that may not be available when completing a virtual currency transaction. Also, VASPs attempting to comply with the rule do not always have all the information necessary to determine whether a particular transaction is covered.

Furthermore, the Treasury is considering the risks and utility of lowering the $3,000 threshold. On October 27, 2020, the Federal Reserve Bank and FinCEN issued a Joint Notice of Proposed Rulemaking (NPRM) describing plans to lower, to $250 from $3,000, the threshold for the application of recordkeeping and information transmission requirements related to cross-border funds transfers. The proposed rule change would certainly pose compliance challenges to VASPs. First, the lack of an industry-wide secure messaging service makes compliance difficult. Second, there is no standardized approach to information sharing. Third, privacy coins are designed in a way that makes Travel Rule compliance very difficult. Coins such as Monero are programmed to allow users to engage in transactions while concealing identifying information such as their wallet address and even transaction amount. Lastly, inconsistent regulation across jurisdictions may affect the quality of information received.

FTX Bankruptcy. The November 2022 bankruptcy at FTX and the report filed by the new CEO of FTX detailing defects of internal controls and poor regulatory compliance demonstrate the need for more regulation of digital assets. Specifically, the CEO indicated that many of the companies in the FTX Group, especially those organized in Antigua and the Bahamas, did not have appropriate corporate governance, which can lead to weak oversight of a company’s AML/CFT program. Lastly, the CEO noted that FTX did not keep appropriate books and records or security controls with respect to its digital assets, which is likely making it extremely challenging to locate funds that were lost from client accounts. Janet Yellen, the US Secretary of the Treasury, in a recent statement also indicated that reports generated by Treasury in response to President Biden’s September Executive Order on digital assets identified many of the risks identified in FTX’s collapse and subsequent bankruptcy, implying that had those reports turned into policy, the calamity could have been prevented.

The Digital Asset Anti-Money Laundering Act of 2022

As mentioned in the introduction, all indications suggest it is a matter of “WHEN not if” a regulatory framework will be developed to address all elements of digital assets. The wheels appear to already be in motion with the introduction of the “Digital Asset Anti-Money Laundering Act of 2022”.

Per Thomson Reuters, the current version of Digital Asset Anti-Money Laundering Act of 2022 would extend AML obligations to a much broader spectrum of cryptocurrency players. For example, it would require crypto entities such as digital asset wallet providers, miners, validators, and other network participants to comply with portions of the Bank Secrecy Act, including know-your-customer requirements. The “Digital Asset Anti-Money Laundering Act of 2022” would also prohibit financial institutions from using or transacting with digital asset mixers and other anonymity-enhancing technologies and from handling, using, or transacting with digital assets that have been anonymized using these technologies.

Other highlights of the Digital Asset Anti-Money Laundering Act of 2022 are detailed below:

  • Require banks and MSBs to verify customer and counterparty identities, keep records, and file reports in relation to certain digital asset transactions involving un-hosted wallets or wallets hosted in non-BSA compliant jurisdictions.
  • Direct Treasury to establish an AML/CFT compliance examination and review process for MSBs, as well as the SEC and Commodity Futures Trading Commission to establish AML/CFT compliance examination and review processes for the entities it regulates.
  • Extend BSA rules regarding reporting of foreign bank accounts to include digital assets by requiring United States persons engaged in a transaction with a value greater than $10,000 in digital assets through one or more offshore accounts to file a Report of Foreign Bank and Financial Accounts (FBAR) with the Internal Revenue Service.
  • Mitigate the illicit finance risks of digital asset ATMs by directing FinCEN to ensure that digital asset ATM owners and administrators regularly submit and update the physical addresses of the kiosks they own or operate and verify customer identity.

How KPMG Can Help

Our professionals have extensive experience providing financial crimes and AML services to clients, inclusive of numerous engagements that required specialized subject matter knowledge in the cryptocurrency and digital asset space. KPMG has an established track record of providing these services to various clients in the digital asset space, including:

  • Designing and implementing tailored transaction monitoring systems to manage financial crimes risk in both fiat and cryptocurrency, inclusive of scenario selection and the underlying rationale.
  • Performing risk assessments for digital asset providers to identify the institution’s digital asset risk exposure.
  • Conducting objective testing to assess an institution’s overall compliance with AML and sanctions laws and regulatory requirements.
  • Performing policy and procedure assessments to identify gaps in an institution’s policies and procedures and areas for enhancement to better comply with regulatory expectations.
  • Blockchain Risk Assessments to assess use case applicability for the chosen blockchain platform and solution architecture.
  • Educating on the unique AML risks that are prevalent within cryptocurrency, including but not limited to: asset provenance hops, on-ramps outside the KYC process, and the use of third parties within the crypto space.
  • Creating an effective KYC program which allows institutions to understand who their customers are, including advising on the development of customer risk ratings and screening processes.

Key Definitions

Digital Assets: A digital asset is anything that is stored digitally and is uniquely identifiable that organizations can use to realize value.

Virtual Assets: FATF defines a “virtual asset” or VA as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.” Virtual assets are a subset of digital assets that does not include central bank digital currencies or representations of other financial assets, such as digitalized representations of existing securities or deposits.

Virtual Asset Service Providers (VASP): FATF defines a “virtual asset service provider” or VASP as any natural or legal person that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

  • Exchange between virtual assets and fiat currencies.
  • Exchange between one or more forms of virtual assets.
  • Transfer of virtual assets.
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Mixers: A crypto mixer is a service that blends the cryptocurrencies of many users together to obfuscate the origins and owners of the funds, which helps to increase anonymity.

Meet our team

John Caruso
Principal, Forensic, KPMG US
Cory R Lefkowitz
Director Advisory, Forensic, KPMG US
