Cryptocurrencies are in the news on a daily basis, whether it is in headline-grabbing articles such as the sudden and dramatic failure of crypto firm FTX, or the use of cryptocurrencies in ransomware and other criminal activity. Indeed, if you were to look at sites on the dark web, such as those selling drugs, personal identification information or weapons, you would see that payments are required in cryptocurrencies. Criminals are using cryptocurrency to avoid detection and move their illicit funds from one jurisdiction to another, avoiding sanctions and engaging in fraud and money laundering without detection.
However, to claim that all cryptocurrency is used for criminal purposes would be a mistake. Not only does it disregard legitimate and legal investment, but it is a statement, often made without consideration of poorer regions of the world where the national Fiat currency is unstable, or access to banking services is expensive or limited. Often in these countries, cryptocurrencies provide a means of transferring money or buying goods, often from China, for sale in the local community. Cryptocurrencies can be more stable (especially considering stablecoins) and can provide more surety than other methods of payment.
So where does this leave FIs? How should they approach cryptocurrencies, and importantly manage the risks? Relying on the Virtual Asset Service Providers (VASPs) themselves is not enough. Yes, some VASPs will have controls in place, with established KYC/CDD undertaken on their customers, and the ongoing monitoring of customer activity. However, from a risk perspective, FIs need to understand and manage their risk, for themselves, especially where cryptocurrency is moved to and from Fiat currencies – the ‘on/off ramps’.
Thankfully, there are several practical steps firms can take, which I will explore:
1) Establish a clear risk statement and appetite
A good first step is to understand the environment, where the firm stands, does it want to avoid cryptocurrencies altogether (which is a difficult position to maintain), become a custody provider, or provide banking services to VASPs? The firm needs to decide and document its risk appetite and what this means in terms of controls.
2) Build awareness
The firm should look to build awareness across senior management, the compliance function, and wider across the firm, enhancing knowledge of the risks.
3) Monitor exposure – including a risk-based view
Even where a firm does not want to provide cryptocurrency services they need to have, at a minimum, an accurate view of their exposure. Through the use of data sets and the understanding of payments, a FI can identify exposure across their customers. An enhancement to identification is the risk rating of the payment activity and exposure. Not all VASPS are the same, and not all transactions have originated from safe sources – this is where specialist providers come in, they provide an understanding of the VASPs from a risk profiling perspective.
4) Understand a customer’s source of funds
There is a risk that firms are accepting wealth generated from illicit cryptocurrency without knowing. Asking the customer if any wealth originates from cryptocurrencies does not really work. Not only are you relying on the goodwill and honesty of the prospective customer, but how can you check? This is where currency tracing comes in, the prospective customer is asked to provide their wallet address from which the firm can then check previous activity. This is similar to asking for the last x months’ bank statements or payslips, or evidence of investment gains, share sales or property transactions etc.
5) Complement existing controls
How can enhanced data and intelligence be used to complement existing transaction monitoring, fraud, tax, and sanctions controls? This is a combination of data, intelligence, and enhanced intelligence, with enhancements to existing controls. Going beyond current approaches, new innovative detection based on data analytics is used to identify particular anomalies and patterns specific to cryptocurrencies.
6) Build an investigative capacity
Do not forget the people! How can you enhance the skills and knowledge of your people? Yes, some of this is through awareness, but more to the point what specialist tools and training can you give to your investigators? Fortunately, specialist investigative tools exist, that have been ‘honed’ through extensive use by law enforcement. These tools allow firms to ‘follow the currency’ on the chain, and follow the sources and movements of funds. These are not tools for general use within sanctions, transaction monitoring or fraud operations, but enable trained threat intelligence investigators to drill down on the initial leads and follow the crypto chain.
In Summary
This is a journey for firms. Following incremental steps, they can move towards a position of awareness and robust risk controls. We are now at a point where there are specialist vendors in this space who work daily with FIs, law enforcement, VASPS and other firms to provide data, intelligence, and tools for identifying and controlling financial crime risks.
With documented and robust controls, FIs can decide their approach to cryptocurrencies and the custody of digital assets. Whether that is the desire to avoid cryptocurrencies, custodians, exchange services or the provision of banking products and services to VASPs. Cryptocurrencies are an emerging area of payments and investments, FIs cannot realistically bury their head in the sand and ignore them. At a minimum, they need to put in robust controls to detect and protect, not only for their own safety but that for their customers and wider society. FIs need to consider those who may not have easy access to other forms of finance, this is not about exclusion, but if done thoughtfully and in a controlled manner can lead to greater inclusion.
This editorial was initially published in the Financial Crime and Fraud Report 2023 which dives into the captivating world of fraud management, digital onboarding, and financial crime in the financial services industry. You can download your free copy here.
About Colin Whitmore
Colin Whitmore is an AML subject matter expert, he brings over 20 years of experience within the banking and financial services, working in the UK and the US with firms including Reuters, Aviva, Barclays, RBS, HSBC, and now the NatWest Group.
About NatWest Group
NatWest Group is a relationship bank for a digital world. We champion potential; breaking down barriers and building financial confidence so the 19 million people, families, and businesses we serve in communities throughout the UK and Ireland can rebuild and thrive. If our customers succeed, so will we.