This article provides information on AML/CFT risk considerations for VASPs and cryptocurrencies.
Cryptocurrencies (also known as Virtual Assets or VA) allow people to transfer value in seconds: something which conventional banking systems cannot do. Not only can value be transferred, but there are also considerable cost savings: a blockchain is a shared tamper-proof ledger, which means the parties do not need to reconcile their records.
VAs can be used to quickly move funds globally and to facilitate a range of financial activities—from money or value transfer services to securities, commodities or derivatives-related activity, among others. Thus, the absence of face-to-face contact in VA financial activities or operations may indicate higher ML/TF risks. Similarly, VA products or services that facilitate pseudonymous or anonymity-enhanced transactions also pose higher ML/TF risks, particularly if they inhibit a VASP’s ability to identify the beneficiary.
Illicit users of VAs may take advantage of the global reach and transaction speed that VAs provide as well as of the inadequate regulation or supervision of VA financial activities and providers across jurisdictions, which creates an inconsistent legal and regulatory playing field in the VA ecosystem.
Virtual Asset Service Providers (VASPs) located in one jurisdiction may offer their products and services to customers located in another jurisdiction where they may be subject to different AML/CFT obligations and oversight. This is of concern where the VASP is located in a jurisdiction with weak or even non-existent AML/CFT controls.
Crypto assets are vulnerable to misuse by criminals to launder money and fund terrorism:
If you provide crypto asset-related financial services in the ordinary course of your business, you will likely be captured under local and international laws for combatting money laundering and terrorism financing. These laws are designed to create compliance policies, procedures and controls and are commonly referred to as Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT).
• Is the cryptocurrency parent regulated for AML/CFT?
• What 3rd party partnerships does the cryptocurrency business have in place?
  o Are any of these partnerships big brands – such as PayPal and Bitcoin?
  o Results of due diligence such as adverse media checks?
  o Does the cryptocurrency provider have a partnership with Mastercard and/or Visa?
• What banking institution is the cryptocurrency business primarily trading with? (Conduct checks for adverse media, control and ownership (>25%).)
• What will be the customer’s primary purpose of cryptocurrency trading?
  o Speculation/Trading cryptocurrencies?
  o Long-term Investment in cryptocurrencies?
  o Hedging inflation?
  o Hedging FX?
• For what purpose is foreign trade required?
  o Trading for business or personal purposes?
• What Fiat currency did the customer use to purchase the cryptocurrency?
• What proportion of volume and value of cryptocurrency is expected from customers’ transactions? (NB: set a ‘frequency’ and ‘high value’ threshold).
  o Proportion of low value, high frequency transactions?
  o Proportion of high value, high frequency transactions?
  o Proportion of high value, low frequency transactions?
• What are the identity verification requirements of the cryptocurrency provider?
• Does the cryptocurrency provider facilitate transactions on ATMs or Kiosks?
• Does the cryptocurrency provider facilitate tokens/currency for online games?
• Centralised or Decentralised settlement platform?
• What country is the primary AML/CFT supervisor for the cryptocurrency business (location of parent entity, license held)?
• What are the FATF findings for that country in regard to Virtual Asset Service Providers?
• What Fiat currencies does the cryptocurrency authorise?
• Are these Fiat currencies linked to any high-risk jurisdictions for bribery, corruption, lack of AML/CFT regulations, harbouring terrorism, Sanctions?
When managing risk, the ‘unknown unknowns’ create volatility. To lessen volatility, research should be a key part of the risk management process.
The two basic rules of risk management can be thought of as:
For anti-money laundering and countering financing of terrorism (AML/CFT) laws to be effective, they require flexibility. This means using definitions that readily capture innovative technologies.
Risk-Based Approach
The risk-based approach to AML/CFT laws works well. The former arbitrary approach of using rigid definitions gave businesses the opportunity to follow the letter of the law and not the spirit of the law. This allowed businesses to seek shortcuts and not meet intended regulatory outcomes.
Application of the risk-based approach means businesses must objectively establish that compliance has been met.
Establishing a Defence
If an AML Supervisor can establish a plausible circumstance that highlights AML/CFT weaknesses in a compliance framework, the onus shifts to the business to prove the AML Supervisor wrong. This requires the business to reasonably establish that policies, procedures and controls are adequate and effective for identifying, managing and reporting AML/CFT risks.
New and emerging typologies include cryptocurrency, online games, all forms of online trading and online recruitment of criminal groups.
Vulnerable 3rd parties (commonly known as ‘gatekeepers’) include real estate agents, lawyers, brokers, financial advisers and accountants. Criminal groups will seek the path of least resistance. Small and medium-sized businesses become targets, with criminals searching for weak policies and controls.
In order to establish adequacy and effectiveness, small and medium-sized businesses should ensure a minimum level of regulatory confidence is consistently present.
When profiling client risks, matters to consider include: (a) what is the source of funds (origination, value, volume), (b) how did the client’s existing wealth originate, (c) what countries are linked to the client’s structure – (i) country where trustee resides, (ii) country where beneficiaries reside, (iii) country where settlor resides, (iv) country where assets (value) are located, (v) country where tax commitment(s) reside.
Understanding the nature and purpose of the client’s business relationship is essential for adequate customer risk profiling.
Once customer risk is known, ongoing account monitoring provides greater opportunity to detect suspicious activity.
With data providing a customer risk profile, the business is in a better position to confirm if the red flag is unusual or expected client behaviour.
Businesses reliant on manual processes are likely to have exorbitant compliance costs and/or weaker compliance systems. The exception would be those businesses that have few customers and a low volume of customer activity.
Data automation can ensure a consistent application of business policy, with instant, real-time compliance risk reporting.
Evidence-Based Compliance
Regardless of the style and application of an AML/CFT framework, all businesses should be able to provide reliable records and/or a description of systems to confirm to their auditor or AML Supervisor the likelihood that ML/TF activity has the potential of being detected.
Failing to achieve these basics creates regulatory risk which may result in irreversible harm to brand.
In July 2021, the Financial Action Task Force (the FATF) released a 76-page research report detailing opportunities presented through use of technology for managing AML/CFT compliance.
This followed the public statement from the FATF’s president at the time of the Covid outbreak, that businesses and government should now be making better use of technology:
“Use of digital/contactless payments and digital onboarding reduce the risk of spreading the virus. As such, the use of financial technology (Fintech) provides significant opportunities to manage some of the issues presented by COVID-19.”
This article provides a summary and direct statements obtained from the FATF July 2021 research report, Opportunities & Challenges of New Technologies for AML/CFT.
New technologies have the potential to make anti-money laundering (AML) and counter terrorist financing measures (CFT) faster, cheaper and more effective.
Accordingly, the FATF reviewed the opportunities and challenges of new technologies for AML/CFT to raise awareness of relevant progress in innovation and specific digital solutions.
This project included the review and analysis of regulatory technology (RegTech) and supervisory technology (SupTech), both of which can improve the effectiveness of FATF Standards.
Innovative skills, methods, and processes, as well as innovative ways to use established technology-based processes, can help regulators, supervisors and regulated entities overcome many of the identified AML/CFT challenges.
For the purpose of this report, the Financial Action Task Force explains – “new technologies for AML/CFT” refers to:
New technologies seek to improve the speed, quality, or efficiency and cost of some AML/CFT measures, as well as the costs of implementing the AML/CFT framework more broadly, compared to the use of traditional methods and processes. The technologies of greatest relevance are cross-cutting and enable new digital ways to collect, process, analyse data.
For example, digital identity solutions can enable non-face-to-face customer identification/verification and updating of information. They can also improve authentication of customers for more secure account access, and strengthen identification and authentication when onboarding and transactions are conducted in-person, promoting financial inclusion and combating money laundering, fraud, terrorist financing and other illicit financing activities.
The Financial Action Task Force found one of the main challenges hindering the effective implementation of AML/CFT measures is poor understanding of ML/TF threats and risks. Decision-making based on inadequate risk assessments is sometimes inaccurate and irrelevant, relying heavily on human input and defensive box-ticking approaches to risk, rather than applying a genuinely risk-based approach.
The inability to adequately identify, assess and mitigate money laundering and terrorist financing risk, including the fundamental elements of risk identification (customer identification/verification and monitoring of transactions) poses an obstacle to effectiveness in AML/CFT. This is where new technologies can provide the most added value.
Moreover, traditional risk assessment tools, based on spreadsheets (such as Excel) or static reporting platforms, do not allow data to be analysed at a large scale, limiting the potential for correlations and analysis to generate a more fine-grained picture of the risks. In addition, the quality of the data obtained by legacy systems varies and may not offer the accuracy and detail required to comply with AML/CFT standards.
In the private sector, poor risk assessment can lead to a defensive box-ticking application of the AML/CFT framework, which is inefficient and burdensome, and more importantly does not reflect the real ML/TF threats to the institutions. Poor risk assessment undermines a genuine risk-based approach to decision-making and protecting the integrity of the financial system.
The use of new technologies in the identification, assessment and management of ML and TF risks allows risk analysis to be more dynamic, provide network analysis, and operate at customer, institutional, jurisdictional and cross-border levels.
Technology can also enable financial inclusion through enhanced digital tools for transaction monitoring. As set out in the guidance on financial inclusion, enhanced ongoing monitoring can be used to manage the ML/TF risks associated with the trustworthiness of customer identification and verification data, so that ML/TF risk management is not so heavily reliant on CDD at the time of customer onboarding. For example, in cases where customers are able to provide only less reliable forms of evidence of identity – and therefore identification and verification elements are not sufficiently robust – technological solutions, such as behavioural analytics, may support strengthened and enhanced transaction and business relationship monitoring, thereby enabling customer take-on. These technologies can also give a robust ongoing monitoring process and provide a better understanding of risk.
RegTech was identified by 52% of respondents as the AML/CFT area where the majority of benefits from new technologies may be secured. In particular, respondents confirmed the processing and analysis of large data sets required for risk assessments and analysis, CDD, as well as transaction monitoring, as the areas securing the greatest benefits from new technologies.
Machine Learning is a type (subset) of AI that “trains” computer systems to learn from data, identify patterns and make decisions with minimal human intervention. Machine learning involves designing a sequence of actions to solve a problem automatically through experience and evolving pattern recognition algorithms with limited or no human intervention — i.e., it is a method of data analysis that automates analytical model building.
An API is a type of software which allows different applications to connect and communicate. APIs are also often used to provide payment services, for instance, in accepting donations over websites. Respondents to the Digital Transformation questionnaire mentioned APIs among the most used and relevant solutions to the identified money laundering and terrorist financing problems.
Technology can facilitate data collection, processing and analysis and help actors identify and manage money laundering and terrorist financing (ML/TF) risks more effectively and closer to real time. Faster payments and transactions, more accurate identification systems, monitoring, record keeping and information sharing between competent authorities and regulated entities also offer advantages.
The increased use of digital solutions for AML/CFT based on Artificial Intelligence (AI) and its different subsets (machine learning, natural language processing) can potentially help to better identify risks and respond to, communicate, and monitor suspicious activity.
Difficulties with the explainability and interpretability of digital solutions are another key challenge for both industry and regulators that in part stems from the limited availability of relevant expertise and a lack of awareness of innovative technologies’ potential among AML/CFT professionals, both in industry and government.
When used responsibly and proportionally, innovative AML/CFT technologies can help identify risks and focus compliance efforts on existing and emerging challenges, but manual review and human input remains very important. Combining the efficiency and accuracy of digital solutions with the knowledge and analytical skills of human experts produces more robust systems that can effectively respond to AML/CFT requirements whilst being fully auditable and accountable.
The use of new technologies and innovation can help the public and private sectors improve the effectiveness of their risk-based implementation of the FATF Standards.
Likewise, Artificial intelligence (AI) and machine learning (ML) technology-based solutions applied to big data can strengthen ongoing monitoring and reporting of suspicious transactions. These solutions can automatically monitor, process and analyse suspicious transactions and other illicit activity, distinguishing it from normal activity in real time, whilst reducing the need for initial, front-line human review.
Similarly, the adoption of innovative solutions, such as Application Programming Interfaces (APIs) and Distributed Ledger Technology (DLT), data standardisation, and machine-readable regulations can help regulated entities report more efficiently to supervisors and other competent authorities. The technologies also allow alerts, report follow-ups, and other communications from supervisors, law enforcement, or other authorities to regulated entities and their customers, as well as communications among regulated entities, and between them and their customers.
Transaction monitoring using AI and machine learning tools may allow regulated entities to carry out traditional functions with greater speed, accuracy and efficiency (provided the machine is adequately and accurately trained). These models are useful for filtering the cases that require additional investigation. The use of new technologies for monitoring purposes should, for the most part, continue to be integrated with the broader monitoring systems which include an element of human analysis for specific alerts or areas of higher risk. These systems must also improve their degree of explainability and auditability in order to fully comply with the majority of supervisory requirements.
The utility of APIs for AML/CFT lies in the ability to, for example, connect customer identification software with monitoring tools, or risk and threats identification tools with customer risk profiles in order to generate alerts or alter risk classifications as relevant. APIs allow this integration to happen much more quickly and with much larger datasets. This is particularly relevant as one of the most difficult challenges for many financial institutions is the integration of many different and often incompatible systems, including legacy technologies and specialised tools, created by different developers.
The use of new technologies for AML/CFT can only truly become effective if systems are based on standardised data that is easier for technology developers to integrate into their tools, easy to understand and explain to non-experts, and easy to communicate to counterparts and competent authorities when needed.
The interpretability and explainability of new technologies to supervisors is key to securing support for these tools. Regulated entities must be able to explain, and remain responsible for, the principles and technical details of the innovative solutions before deploying these new technologies. Supervisors must be able to understand the models used by AI tools in order to determine their accuracy and their relevance to the identified risks.