FinCEN Doubles Down on Banks’ Crypto Exposure
October 9th, 2020
Taking center stage in a key-note address at the virtual 2020 ACAMS Las Vegas Conference, FinCEN Director Kenneth A. Blanco clarified a long-standing confusion banks have had regarding their exposure to cryptocurrencies and the steps they must take the mitigate these risks. Director Blanco said that FinCEN continues to focus its efforts on a number of priority areas, including that virtual currency space stating “one issue that continues to come up during these discussions relates to mitigating risks associated with emerging payment systems, including virtual currency. To be clear, exchanges are not the only ones with crypto risk exposure. These risks are not unique to money services businesses or virtual currency exchangers; banks must be thinking about their crypto exposure as well. These are areas your examiners, and FinCEN, will ask you about when assessing the effectiveness of your AML program”.
….banks must be thinking about their crypto exposure as well. These are areas your examiners, and FinCEN, will ask you about when assessing the effectiveness of your AML program.
While existing FinCEN regulations (FIN-2019-A003) clearly state that it is the responsibility of all financial institutions to identify and report suspicious activity concerning how criminals and other bad actors exploit virtual currency for money laundering, sanctions evasion, and other illicit financing purposes, many banks remained unclear on how exactly virtual currencies could effect their institutions. FinCEN’s requirements apply to all financial institutions, even if those financial institutions do not directly buy, sell, or provide custody to virtual assets. However, CipherTrace research has shown that many banks do not know how to properly detect and monitor virtual currency-related transactions.
So banks also need to be asking themselves, “What baseline controls do we have in place to identify customers? Do we have institutional or peer-to-peer virtual currency customers? How does our financial institution interact with emerging payment systems? Do we have the tools we need to identify and report potentially suspicious activity occurring through our financial institution?” All of these questions go back to the policies and procedures in place to mitigate risk.
Extensive research by CipherTrace Labs in 2019 uncovered individuals operating illicit crypto MSBs at 8 of 10 US retail banks. These illegal MSBs use their bank accounts as a conduit for accepting cash payments in exchange for cryptocurrency to support the illegal trade of fiat for crypto. They often do this by a simple ACH transfer, wire transfer, or walkup cash deposit at a depository institution.
Criminals register businesses online using fictitious or stolen IDs to create corporate entities. They then create corporate bank accounts that can be used to fund investments or operate unlicensed money service businesses. Naturally, they fail to report these crypto asset activities to the financial institution. Criminals and terrorists choose this technique because direct deposits and large sums of money moving in and out of business bank accounts—as opposed to personal accounts—are less likely to trigger fraud alerts or suspicious activity reports (SARs) at financial institutions.
Additionally, numerous peer-to-peer (P2P) marketplaces are specifically designed to help people buy and sell bitcoin and other virtual currencies with cash deposits or discrete wire transfers. To conceal their unregistered MSBs, buyers of bitcoin on these P2P marketplaces are told not to inform bank tellers that they are making deposits for the purchase of BTC, but rather are purchasing “digital services.” Similarly, for wire transfers, customers looking to buy bitcoin are directed to avoid mentioning bitcoin in any communication. These P2P exchangers don’t want their banks to catch wind of their underground money service businesses.
In addition to being unregistered, many of these P2P exchangers lack any kind of AML program and perform little or no know your customer (KYC) due diligence. This lack of controls presents huge AML risks to banks and other financial institutions. If banks are not thinking about these issues, it will be apparent when examiners visit.
FinCEN Director Blanco makes it absolutely clear that banks must have controls in place to identify, monitor, and report suspicious activity involving virtual asset-related transactions. Some financial institutions have built home-grown systems to try to identify cryptocurrency-related accounts, however, this approach results in many false positives and misses significant, large amounts of funds flows that cannot be discovered by home-grown name matching. CipherTrace research has found that a typical name-based system may entirely miss up to 70% or more of the crypto exchanges out there, and up to 90% of the actual transaction volume.
These tools often lack the intelligence (including risk ratings on crypto exchanges around the globe) necessary to perform anything but bare-bones analysis. Forward-looking banks are starting to lower their AML/CTF exposure by using specialized tools—such as CipherTrace Aramda—built to identify risky virtual asset service providers and other compliance risks stemming from crypto-asset businesses.