In 2018, Japanese cryptocurrency exchange Coincheck lost $500m in one of the biggest crypto heists in history. Money laundering followed, as the perpetrators needed to obscure the source of their illicit funds and convert them into legitimate cash.
In 2021, three years after the Coincheck heist, 30 individuals were charged after getting caught trying to exchange $100m through an illicit exchange on the darknet.
But the darknet isn’t the only place where criminals go to launder money. In fact, criminals will often use lawful crypto services, especially at the end of their money laundering journey.
So how do you make sure that criminals aren’t using your platform to launder money? And what happens if money laundering goes unnoticed? Let’s dive into the topic.
- Why crypto businesses must comply with AML regulations
- Who’s affected
- How criminals use crypto platforms to launder money
- How crypto businesses can detect money laundering
- Red flags to look out for
- Sanctions for crypto businesses
- Where to find out more
Why crypto businesses must comply with AML regulations
In 2018, the 5th AML Directive brought European crypto businesses into its regulatory scope, subjecting them to the same AML rules as financial institutions.
The same year, the Financial Action Task Force (FATF) updated Recommendation 15 to include crypto businesses. This prompted both European and non-European members of the FATF to require crypto businesses to meet AML standards.
As a result, crypto businesses can now face sanctions, including fines and even jail time, for not fulfilling AML obligations such as customer due diligence, transaction monitoring, suspicious activity reporting, and more.
Who’s affected
All crypto businesses, officially known as Virtual Asset Service Providers (VASPs), located in countries that have transposed FATF requirements into their national laws, must introduce measures for detecting money laundering, terrorist financing, and other financial crimes. To see whether your jurisdiction has transposed FATF requirements, check out your national AML laws.
How criminals use crypto platforms to launder money
Criminals use a number of means to hide the origins of illicit funds. Here are the top five most common money laundering schemes in the crypto industry:
- Mixing services. Offenders exploit mixing services which allow users to split up virtual assets, run them through a series of wallets, and then recombine them to appear legitimate.
- Unregulated exchanges. Criminals often switch between cryptocurrencies to cover their tracks. They use crypto platforms with lax AML compliance policies, like peer-to-peer exchanges, to convert “dirty” cryptocurrency to “clean” cryptocurrency without drawing attention to themselves. This was the scheme used in the 2018 Coincheck heist.
- Gambling platforms. Money launderers can place low-outcome bets on gambling sites that accept cryptocurrencies; they won’t win much, but they’ll get legitimate money in the end.
- Money muling. Offenders often exploit money mules (individuals with a clean transaction history) to transfer or cash in illicit cryptocurrency. Money muling is an extremely common money laundering technique in the crypto sector. Europol, the EU law enforcement agency, estimates that up to 90% of all money mule transactions are connected to cybercrime.
- Prepaid cards. Prepaid crypto cards also create opportunities for money laundering as they allow criminals to convert “dirty” virtual assets into fiat money.
However, even if offenders exploit these money laundering schemes to hide the origins of illicit funds, their activity can still be traced using blockchain analysis.
Financial Intelligence Units can track which crypto platform facilitated the money laundering and take legal action against it, even if a platform didn’t do it on purpose.
Therefore, businesses should ensure that they can reliably spot money laundering and other financial crimes. Let’s talk about how to do it.
How crypto businesses can detect money laundering
To ensure that a crypto business isn’t a front for money laundering, it must have at least these three essential procedures in place:
- Know Your Customer (KYC). Crypto businesses must conduct customer verification 1) when establishing a business relationship, 2) when an existing customer carries out an occasional transaction, and 3) in other circumstances specified by law.
Verification usually includes, at the very least, collecting the customer’s name, address, and date of birth. However, there can be additional requirements depending on the jurisdiction.
- Travel Rule. According to the FATF’s Recommendation 16, known as the “Travel Rule,” crypto businesses are required to collect and share data on parties in transactions. The data collection threshold differs across jurisdictions. In Singapore, for instance, it’s S$1,500 (approximately $1,100).
- Transaction monitoring. To better assess money laundering risks that customers might pose, crypto businesses must introduce a system for ongoing transaction monitoring that detects specific indicators of money laundering. For example, businesses can analyze wallet addresses and transaction hashes.
Red flags to look out for
Before we dive deeper into money laundering indicators, note that the presence of a single red flag may not be a sufficient basis for suspecting criminal activity. In cases like this, companies should continue to monitor user activity in order to put this red flag into context.
However, if a combination of red flags is detected, then the company must freeze the suspicious assets and file a Suspicious Activity Report with a financial intelligence unit.
Now let’s delve into the most common indicators:
A transaction has an unusual size, destination, or pattern
Any transaction that seems unusual can be a sign of money laundering. For instance, if a client, who is much older than the average user of a platform, makes a surprisingly large transaction to an account that has no connection to them, it could be a sign that they are a money mule who transfers money for criminals.
Another red flag is when customers transfer cryptocurrency to multiple addresses immediately, especially when these wallets have no relation to where the user lives and works or are located in high-risk jurisdictions.
What to do: As part of transaction monitoring, businesses should always check that a customer’s age group, location, income, and other personal information are consistent with their crypto transfers. Also, platforms should examine the parties the user is transacting with.
Use of mixing services and fraudulent exchanges
A sure sign of money laundering (or other financial crime) is when customers receive cryptocurrency from—or send cryptocurrency to—darknet marketplaces, mixing services, questionable gambling sites, fraudulent exchanges, and platforms with lax AML standards.
What to do: Monitor all transactions for indicators of criminal activity, especially in cases where customers convert between cryptocurrency and fiat. Employ blockchain analysis to detect if any mixing services or other means of money laundering have been used.
It’s always suspicious when users conduct several transactions in a row that are all just below record-keeping or reporting thresholds. This may be a sign of structuring, which is breaking down large transactions into sums that are lower than certain thresholds in order to avoid being reported.
What to do: Know your reporting thresholds and monitor for consecutive transactions below them. For instance, the US Bank Secrecy Act requires businesses to file Currency Transaction Reports whenever users exchange or transfer $10,000 or above. Therefore, if users conduct several transactions just below $10,000, they might be structuring.
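One way to implement the monitoring for consecutive below-threshold transactions described above, as an added example that is not part of the original article. The `Tx` record, the 10% "just below" band, the 48-hour window and the three-transaction minimum are illustrative assumptions, not regulatory values; only the $10,000 threshold comes from the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0    # USD threshold cited in the article
NEAR_BAND = 0.10                  # assumption: "just below" = within 10% under it
WINDOW = timedelta(hours=48)      # assumption: look-back window for "in a row"
MIN_COUNT = 3                     # assumption: how many transfers count as "several"

@dataclass(frozen=True)
class Tx:
    user: str
    ts: datetime
    usd: float

def is_near_threshold(usd: float) -> bool:
    floor = REPORTING_THRESHOLD * (1 - NEAR_BAND)
    return floor <= usd < REPORTING_THRESHOLD

def find_structuring(txs):
    """Map each user to their longest run of near-threshold transfers inside WINDOW."""
    near_by_user = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        if is_near_threshold(tx.usd):
            near_by_user[tx.user].append(tx)
    alerts = {}
    for user, near in near_by_user.items():
        start = 0
        for end in range(len(near)):
            while near[end].ts - near[start].ts > WINDOW:
                start += 1            # slide the window forward
            run = near[start:end + 1]
            if len(run) >= MIN_COUNT and len(run) > len(alerts.get(user, [])):
                alerts[user] = run
    return alerts

# Constructed sample data, not real transactions.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Tx("alice", T0, 9_500), Tx("alice", T0 + timedelta(hours=5), 9_800),
    Tx("alice", T0 + timedelta(hours=20), 9_900),          # three in 20 hours
    Tx("bob", T0, 9_700), Tx("bob", T0 + timedelta(hours=1), 12_000),
    Tx("carol", T0, 9_600), Tx("carol", T0 + timedelta(days=7), 9_600),
    Tx("carol", T0 + timedelta(days=14), 9_600),           # same sizes, weeks apart
]

if __name__ == "__main__":
    for user, run in find_structuring(SAMPLE).items():
        print(user, len(run), sum(t.usd for t in run))
```

A hit from this rule is a single red flag to put into context with the customer's profile and other indicators, not a conclusion on its own.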
Suspicious user behavior
A user who provides fake ID documents or an unreliable source of funds naturally raises suspicion. Similarly, if a person constantly changes their personal information, such as their email, IP address, or financial data, this can be an indicator that they’re engaged in money laundering.
Other red flags include situations when IP addresses are concealed using VPNs or when a user’s location doesn’t match their IP address, phone number, or bank card.
What to do: Crypto platforms must conduct customer due diligence at the onboarding stage and continuously monitor customer activity. Also, KYC procedures should include sanctions screening (some sanctions lists now include wallet numbers in addition to names).
Sanctions for crypto businesses
If crypto businesses fail to comply with AML regulations, the sanctions may include fines, seizure of business activity, and even criminal liability for senior management. Exact penalties vary by country. Here are some examples of sanctions from different jurisdictions:
Estonia. Until Estonia decided to toughen its crypto AML regime, the country was one of the most popular jurisdictions for crypto businesses. At present, non-compliance with Estonia’s requirements can cost companies up to €400,000 (approx. $440,000) and lead to revocation of operating licenses.
Hong Kong. Under the recently proposed requirements, non-compliance with AML/CTF requirements can cost businesses up to $1,000,000 in fines, with senior management facing up to two years in prison.
Turkey. Crypto businesses that fail to identify customers, file periodic reports, and flag suspicious transactions may be subject to administrative fines ranging from ₺30,000 to ₺4,000,000 (approx. $2,000 to $270,000).
Where to find out more
At Sumsub, we’ve written quite a few guides on AML compliance for crypto businesses. Here are our guides by jurisdiction:
Additionally, you may be interested in our article about the FATF’s guidance on virtual currencies.