Guardians of their company's existence, compliance teams must leave no stone unturned to mitigate crypto risks
The crypto industry we witness today is an impressive proof of concept Bitcoin brought to light over 10 years ago. Various applications emerged and proved that cryptocurrency can make lives easier. Plenty are still in discovery, namely Non-Fungible Tokens (NFTs), and others are already well established, like Initial Coin Offerings (ICOs). The newest mountain to conquer is compliance and no single approach fits all.
Binance, the largest cryptocurrency exchange in the world, is a case in point. The appetite of the company for compliance and cooperation with regulatory bodies is visible through various activities and their most recent reflection on 2021. Nevertheless, the Department of Justice and Internal Revenue Service of the United States launched an investigation toward the exchange’s U.S. center in March 2021. Although Binance was not accused of wrongdoing, the incident got compliance officers’ attention. Lesson learned: as guardians of their company’s existence, compliance teams must leave no stone unturned to mitigate abrupt compliance risks and protect their organizations from regulatory hassle.
Compliance officers in conventional banking as well as Virtual Asset Service Providers (VASPs), exchanges, over-the-counter desks, hosted wallets, payment processors, crypto ATMs, and other financial institutions are adopting best practices from TradFi compliance to cope with the evolving and tumultuous cryptocurrency regulations.
There is a wealth of knowledge on virtual assets, crypto, blockchain, and other related topics. Below, we’ll take a close look at some of the top compliance challenges in the crypto industry — and how to address them.
1- The Travel Rule - Financial Crimes Enforcement Network (FinCEN)
When Bitcoin made an appearance in 2009, it instantly drew the suspicion of financial regulators. Put in effect by the U.S. Treasury Department’s FinCEN in 1996, the travel rule is a funds transfer regulation by recordkeeping. The rule dictates that financial institutions, including non-bank financial institutions, are required to send transactions and client information to the recipient institution.
The rule was created by federal regulators to assist domestic and foreign law enforcement agencies in detecting, investigating, and prosecuting financial crimes such as money laundering by keeping an information trail of transaction originators and recipients under the Bank Secrecy Act (BSA). According to these guidelines, administrators and or exchangers of virtual currency shall be regarded as money transmitters and subject to the BSA if they admit to the following two acts:
- If they accept and transmit a convertible virtual currency (CVC).
- If they buy or sell convertible virtual currency.
The issue of counterparty identification is the most difficult to solve. It stems from a Travel Rule compliance obligation to establish the identity of a counterparty who controls the receiving address in a virtual currency transaction.
In the conventional banking business, value is transferred between persons or companies. When Alice sends money to Bob, a routing code or SWIFT code, which is supplied when a transfer is requested, is a simple way for Alice’s financial institution to identify Bob’s financial institution. This approach allows the relevant counterparty to get the necessary Travel Rule data.
However, in the crypto world and due to the decentralized nature of most crypto and virtual currencies, Bob can construct an address (usually a virtual currency wallet public address) as a destination for receiving value without registering ownership in a centralized repository.
When a VASP client requests a withdrawal of funds to an external virtual currency address, the underlying virtual currency networks have no mechanism or communication layer in place to identify the controlling entity of the receiving address. Here’s how compliance officers ought to address the challenges of travel rule compliance in the crypto industry.
Identify transactions that need to be regulated
Not all transactions are subject to travel rule regulations. Compliance officers should differentiate those transactions to ensure proper assessment of the organization’s compliance fitness.
Assess the interoperability of the organization
VASPs’ capacity to interact and exchange data with counterparty VASPs utilizing numerous messaging protocols is referred to as interoperability. VASPs will be shut off from exchanging information in a conforming way with other VASPs using other protocols if they are confined to exchanging information only with VASPs using the same messaging protocol as them.
Excessive fragmentation in the pursuit of compliance might occur, resulting in a considerable rise in the expense and complexity of the Travel Rule. Compliance officers must assess the counterparty risk to ascertain if a transaction causes non-compliance with the travel rule.
Secure Stored and Transferred Records
Obtaining the records from beneficiary institutions is half of the challenge. Securing those records is equally critical. Malicious assaults in the non-face-to-face realm are quite likely, and as a result, the parties must prioritize the security of the transmitted data. Compliance officers must ensure that customer personally identifiable information (PII) and transaction data should never be shared or retained in a centralized setting due to the requirement to ensure the security of sensitive data. They must devise strong encryption standards and data transfer protocols to provide consistent security and ensure that client data is not compromised or leaked while it is transported or gathered.
Validate Transactions And Evaluate Beneficiary Addresses
Using blockchain explorers and blockchain search engines that offer browsing services for the transactions to trace and validate the beneficiaries one by one is too manual a process for a growing business. Just in November last year, Binance recorded an all-time high of 16,262,505 transactions in a single day. Realistically speaking, the volume of transactions may deem compliance impossible using manual methods. When the business becomes large such methods add to the cost and complexity. As with everything else in the cryptocurrency industry, the cumbersome manual checks cannot keep up with the compliance requirements of scaling operations.
Although cryptocurrency transactions do not have the same validation protocol as in conventional banking, since all cryptocurrency transactions take place on a blockchain public ledger, the data is accessible to the world and most importantly VASPs seeking compliance. This has enabled blockchain data analytics companies to offer cutting-edge solutions enabling tracking, analytics, risk monitoring, compliance, attribution, and visualization for transactions seamlessly and in a future-centric manner.
2- Lack Of Regulatory Clarity
Cryptocurrency rules are changing at a breakneck speed. In an interview, Elena Hughes, chief compliance officer of Gemini Trust Co. said to The Wall Street Journal that not having a single regulator that oversees all crypto requires creative staff to ensure compliance in all directions.
“For the third year running, our annual members survey cites “lack of regulatory clarity” as a top challenge for the industry. Against a heightened increase for crypto policy and regulation already in 2022, we call on policymakers and agencies to further engage with the industry through the GDF co-regulation model,” says Lawrence Wintermeyer, executive co-chair of Global Digital Finance (GDF). He highlights that the lack of regulatory clarity is the top concern of the crypto industry, based on an annual member survey.
Know Your Regulator
The underlying difficulty is that crypto-financial regulation is fragmented. In the United States alone, there are many federal banking and market oversight agencies with overlapping powers, as well as state regulatory agencies. Anti-Money Laundering, Global Economic Sanctions, Customer Identification and Know Your Customer regulations are governed by all those agencies, namely:
- The Office of Foreign Assets Control (OFAC)
- The Financial Crimes Enforcement Network (FinCEN)
- Securities and Exchange Commission (SEC)
- Commodity Futures Trading Commission (CFTC)
Researching the regulatory bodies within your jurisdiction is essential to the reliability of any compliance program, but that’s not all. An important question compliance officers need to ask is: where are my customers based? Do I have reliable sanction screening procedures in place? For an institution’s risk assessment, the location of a potential customer’s residence or business might be a red indicator. Is the individual or company, for example, based or operating in a country with a history of insecurity, corruption, and lax regulatory oversight? Are there global sanctions that may put the business at risk for providing them with service?
Many compliance officers tend to hire an expert consultant at this point, which has benefits. Alternatively, there are sources available online that contain all the pieces and parts to develop your company’s approach to crypto compliance.
Keep All Records
In August 2021, FinCEN announced a $100M Enforcement Action Against Unregistered Futures Commission Merchant BitMEX, a well renowned P2P crypto-products trading platform for Willful Violations of the Bank Secrecy Act. Amongst various takes from FinCEN that declared Bitmex’s failure to comply with its obligations under the BSA, BitMEX resorted to hiring an independent consultant to conduct a historical analysis of its transaction data, sometimes referred to as a Suspicious Activity Report (SAR) lookback, to determine whether BitMEX must file additional SARs on this activity.
The OFAC of the US Department of the Treasury produced a sanctions compliance guide for the virtual currency business on October 15, 2021. The agency highlighted in the guide:
“OFAC may impose civil penalties for sanctions violations generally based on a strict liability legal standard. In many cases, a U.S. person may be held civilly liable for sanctions violations without having knowledge or reason to know they were engaging in such a violation.”
To further strengthen the resilience of a compliance program, compliance officers must back it up with a strong database of accessible historical records. It may be just what the organization needs to prove to auditors that it was not exposed to illicit activities.
Conclusion
Between this booming industry of cryptocurrency and hacks and economic sanctions, regulations are developing daily around the world. To respond, compliance officers in conventional financial institutions and VASPs alike must update their practices to keep up with this dynamic environment and address the expectations of the authorities. Whether the organization is based on cryptocurrency or is looking to integrate it, compliance officers have more to think about than ever.
In a work setting where compliance is a priority, it is critical to monitor and act on suspicious activity to ensure that you and your company are protected and stay compliant. A firm that does not adapt will fall behind, and the same is true for compliance professionals.
What is certain?
The cryptocurrency sector should continue to collaborate closely with regulators to produce compliance solutions that will not jeopardize the industry’s future growth and innovation.
There is no one-size-fits-all solution for Crypto Compliance.
Each compliance officer should examine their institution’s own needs, risk appetite, and compliance policy, as well as its risk management framework. Compliance officers cannot simply “set it and forget it” when it comes to risk management programs. Institutions must modify their compliance frameworks as regulations change. The best way to manage the issues and possibilities that cryptocurrency presents is to tailor systems to each institution’s unique scenario. Compliance programs that adapt and alter over time to accommodate new approaches and trends are the most effective.
Written By: Omar Marzouk
Writer, Content marketing at Blockchain Group
Discover Innovative Ways To Achieve Crypto Compliance
