Financial Crimes in Digital Assets and Cryptocurrencies

On March 9th, 2022, Executive Order 14067, officially titled “Ensuring Responsible Development of Digital Assets”, was signed by U.S. President Joe Biden. The Executive Order put a strong emphasis on mitigating the illicit finance and national security risks posed by misuse of digital assets. More specifically, digital asset risks related to money laundering, cybercrime, ransomware, human trafficking, and terrorist financing were called out as the most concerning.

The Executive Order did not direct any immediate changes to the way digital assets are governed; nevertheless, it marked the start of a process to develop a regulatory framework that addresses all elements of digital assets.

In response to the Executive Order, on Sept. 20, 2022, the U.S. Department of the Treasury (Treasury) published its “Action Plan to Address Illicit Financing Risks of Digital Assets” (“Action Plan”). The Action Plan echoes recent guidance issued by the Financial Action Task Force (FATF), which is the global intergovernmental body that sets international standards to prevent and address illicit financing.

As we stand midway through 2023, the regulatory landscape surrounding digital assets may not be a top priority for financial institutions. However, we believe it is only a matter of time before all financial institutions feel the regulatory pressure to have controls in place to specifically identify and mitigate digital asset risks. This belief is supported by U.S. Senators’ Elizabeth Warren and Roger Marshall who introduced bipartisan introduced bipartisan legislation on December 14, 2022 aimed at addressing risks digital assets pose in the aftermath of the FTX collapse. The introduction of the “Digital Asset Anti-Money Laundering Act of 2022” comes as the pressure on legislators and regulators to rein in the sector and strengthen anti-money laundering (AML) activities has only escalated. 

This “Insight” takes a deeper dive into the key threats, vulnerabilities and illicit financing risks digital assets pose, as highlighted in the Treasury’s Action Plan, and what financial institutions should begin thinking about in order to address these risks going forward. It will focus on Anti-Money Laundering (“AML”) and sanctions risks faced by Virtual Asset Service Providers (VASPs), Peer to Peer (P2P) / Decentralized Finance (DeFi) service providers, and traditional financial institutions. It will also highlight the newly introduced bipartisan legislation and what it might mean for digital assets service providers going forward. 

According to the Action Plan, P2P service providers, which are typically natural persons engaged in the business of buying and selling virtual assets, may be subject to AML regulatory requirements. Additionally, where DeFi platforms are held out as truly decentralized organizations, the Action Plan indicates that traditional MSB activities such as currency exchanges and fund transfers will nonetheless cause the DeFi service provider to be operating as a money transmitter with AML obligations, potentially holding service providers accountable. Thus, depending on the business model, P2P exchange providers and DeFi service providers may be determined to be acting as money transmitters under the Bank Secrecy Act (BSA), which is the legislative framework in the United States that requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. If a P2P or DeFi service provider is effectively acting as an MSB, they would be required to develop an AML compliance program that will pass regulatory scrutiny. As noted by the Securities and Exchange Commission (SEC) Chair, Gary Gensler, in his remarks before the Aspen Security Forum “Right now, we just don’t have enough investor protection in crypto. Frankly, at this time, it’s more like the Wild West.”

Thus, if these platforms are deemed to be MSBs or money transmitters, then they would need to develop an AML program which would typically include relevant AML policies and procedures, dedicated AML compliance staff, monitoring for suspicious activity, filing SARs as necessary, and complying with KYC and OFAC requirements. On the plus side, by establishing a thorough AML compliance program, P2P and DeFi service providers can mitigate specific risks called out in the Action Plan such as illicit conversion of virtual assets to fiat currency and rapid disbursement of illicit funds. It is important to note that the Treasury Department published a risk assessment in April 2023 detailing the money laundering and terrorist financing risks related to DeFi platforms.

As highlighted in the Treasury’s publication; Crypto-Assets: Implications for Consumers, Investors, and Businesses, the aggregate market capitalization of all crypto-assets has hovered just below $1.0 trillion since June 2022. While this is a sharp decline from its peak of approximately $2.9 trillion in November 2021, there is little disputing that as volatile as the market may be, digital assets are here to stay. 

National consumer research performed by Raddon Research Insights, showed that 28 percent of consumers are very or extremely interested in having digital assets services as part of their banking relationship. This escalating consumer demand for digital asset banking and custody services will force traditional financial institutions to address the dilemma of either embarking on the digital assets train or potentially losing market share to current key players and growth-drivers in this space, such as fintech companies, VASPs, and other payment service providers.

Regulatory uncertainty aside, traditional financial institutions may need to strategically consider answering the call to action by either launching their own digital assets business to compliment traditional banking services or create partnerships with VASPs and other payments service providers to meet the needs of their customers. Regardless of the route chosen, financial institutions must place special emphasis on firstly identifying and understanding the key threats, vulnerabilities, and illicit financing risks related to virtual assets, as outlined in the Treasury’s Action Plan. Regardless of the type of digital assets services a financial institution may choose to provide (i.e., issuance, custody, exchange, or trading services), a thorough assessment of both the direct and indirect risk exposure should be conducted by the relevant compliance team(s).

For example, partnering with VASPs that offer both custody and exchange services can indirectly expose a financial institution to facilitating suspicious transactions through their institution, based on their role as an intermediary when converting digital assets to fiat currency, and vice versa. Also, payment service providers that use conventional operating bank accounts to deposit or withdraw fiat funds to facilitate digital asset payment services pose indirect ML/TF risks to traditional financial institutions, as illicit actors frequently attempt to capitalize on the non-face-to-face client interaction channels available through most payment service providers.

The FATF’s updated guidance on virtual assets provides longstanding compliance and due diligence practices outlining AML/CFT measures that can be applied when partnering with virtual asset service providers. The traditional risk-based approach recommendations in FATF’s guidance puts financial institutions in a good position to cost effectively adopt these practices by leveraging existing frameworks used for customer due diligence and risk assessments within functioning AML/CFT programs.

In its guidance, the FATF notably highlighted the importance of conducting counterparty VASP due diligence prior to partnering with VASPs, and ongoing CDD and monitoring on a periodic basis thereafter. As part of this recommended due diligence, traditional financial institutions should certainly confirm whether a VASP or payments service provider has performed a thorough risk assessment of its AML/CFT program, while also performing a risk assessment of its own to understand the following factors:

• Size and Structure – specific registration and licenses held by the VASP, as well as the asset size, revenues, staff levels, and customer types, etc.
• Ownership – identify all beneficial owners and the percentage of ownership by foreign individuals and entities located in high-risk jurisdictions
• Products and Services – obtain information on and understand the purpose and intended nature of the business relationship, and determine the type of digital assets offered, and which services are available to customers of the VASP and payments service provider (issuance, custody, exchange, trading services)
• Geography – Does the VASP and payment service provider have a presence in high-risk countries? Where are their customers mainly located (domestic or foreign), and what percentage of PEPs and other high-risk customers exist? What percentage of their assets and revenue is linked to high-risk jurisdictions?
• Channels – What are the different types of client interaction channels (in person, online, indirectly through intermediaries) available to customers of the VASP?
  

By performing the appropriate levels of customer due diligence regarding strategic alliances with VASPs and payments service providers, traditional financial institutions increase their likelihood of creating long lasting business relationships, while addressing compliance with evolving regulatory expectations, ultimately avoiding reputational risk implications. As the digital assets markets continue to see growth, financial institutions must remain vigilant in their efforts to meet customer demand without compromising the integrity of their AML/CFT programs in pursuit of expanded revenue opportunities realized through the digital assets space.

As mentioned in the introduction, all indications suggest it is a matter of “WHEN not if” a regulatory framework will be developed to address all elements of digital assets. The wheels appear to already be in motion with the introduction of the “Digital Asset Anti-Money Laundering Act of 2022”.

Per Thomson Reuters, the current version of Digital Asset Anti-Money Laundering Act of 2022 would extend AML obligations to a much broader spectrum of cryptocurrency players. For example, it would require crypto entities such as digital asset wallet providers, miners, validators, and other network participants to comply with portions of the Bank Secrecy Act, including know-your-customer requirements. The “Digital Asset Anti-Money Laundering Act of 2022” would also prohibit financial institutions from using or transacting with digital asset mixers and other anonymity-enhancing technologies and from handling, using, or transacting with digital assets that have been anonymized using these technologies.

Other highlights of the Digital Asset Anti-Money Laundering Act of 2022 are detailed below:

• Require banks and MSBs to verify customer and counterparty identities, keep records, and file reports in relation to certain digital asset transactions involving un-hosted wallets or wallets hosted in non-BSA compliant jurisdictions.
• Direct Treasury to establish an AML/CFT compliance examination and review process for MSBs, as well as the SEC and Commodity Futures Trading Commission to establish AML/CFT compliance examination and review processes for the entities it regulates.
• Extend BSA rules regarding reporting of foreign bank accounts to include digital assets by requiring United States persons engaged in a transaction with a value greater than $10,000 in digital assets through one or more offshore accounts to file a Report of Foreign Bank and Financial Accounts (FBAR) with the Internal Revenue Service.
• Mitigate the illicit finance risks of digital asset ATMs by directing FinCEN to ensure that digital asset ATM owners and administrators regularly submit and update the physical addresses of the kiosks they own or operate and verify customer identity.

Digital Assets: A digital asset is anything that is stored digitally and is uniquely identifiable that organizations can use to realize value.

Virtual Assets: FATF defines a “virtual asset” or VA as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.” Virtual assets are a subset of digital assets that does not include central bank digital currencies or representations of other financial assets, such as digitalized representations of existing securities or deposits.

Virtual Asset Service Providers (VASP): FATF defines a “virtual asset service provider” or VASP as any natural or legal person that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

• Exchange between virtual assets and fiat currencies.
• Exchange between one or more forms of virtual assets.
• Transfer of virtual assets.
• Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.
• Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Mixers: A crypto mixer is a service that blends the cryptocurrencies of many users together to obfuscate the origins and owners of the funds, which helps to increase anonymity.