With crypto AML regulations getting stricter and fines reaching unprecedented heights, crypto businesses can’t afford any breaches in compliance.
In 2018, Japanese cryptocurrency exchange Coincheck lost $500m in one of the biggest crypto heists in history. Money laundering followed, as the attackers needed to obscure the source of their illicit funds and convert them into legitimate cash.
In 2021, three years after the Coincheck heist, 30 individuals were charged after getting caught trying to exchange $100m through an illicit exchange on the darknet.
But the darknet isn’t the only place where criminals go to launder money. In fact, criminals will often use lawful crypto services, especially at the end of their money laundering journey.
So how do you make sure that criminals aren’t using your platform to launder money? And what happens if money laundering goes unnoticed? Let’s dive into the topic.
In 2018, the 5th AML Directive brought European crypto businesses into its regulatory scope, subjecting them to the same AML rules as financial institutions.
The same year, the Financial Action Task Force (FATF) updated Recommendation 15 to include crypto businesses. This prompted both European and non-European members of the FATF to require crypto businesses to meet AML standards.
As a result, crypto businesses can now face sanctions, including fines and even jail time, for not fulfilling AML obligations such as customer due diligence, transaction monitoring, suspicious activity reporting, and more.
All crypto businesses, officially known as Virtual Asset Service Providers (VASPs), located in countries that have transposed FATF requirements into their national laws, must introduce measures for detecting money laundering, terrorist financing, and other financial crimes. To see whether your jurisdiction has transposed FATF requirements, check out your national AML laws.
Criminals use a number of means to hide the origins of illicit funds. Here are the top five most common money laundering schemes in the crypto industry:
However, even if offenders exploit these money laundering schemes to hide the origins of illicit funds, their activity can still be traced using blockchain analysis.
Financial Intelligence Units can track which crypto platform facilitated the money laundering and take legal action against it, even if a platform didn’t do it on purpose.
Therefore, businesses should ensure that they can unmistakably spot money laundering and other financial crimes. Let’s talk about how to do it.
To ensure that a crypto business isn’t a front for money laundering, it must have at least these three essential procedures in place:
Before we dive deeper into money laundering indicators, note that the presence of a single red flag may not be a sufficient basis for suspecting criminal activity. In cases like this, companies should continue to monitor user activity in order to put this red flag into context.
However, if a combination of red flags is detected, then the company must freeze the suspicious assets and file a Suspicious Activity Report with a financial intelligence unit.
Now let’s delve into the most common indicators:
Any transaction that seems unusual can be a sign of money laundering. For instance, if a client, who is much older than the average user of a platform, makes a surprisingly large transaction to an account that has no connection to them, it could be a sign that they are a money mule who transfers money for criminals.
Another red flag is when customers transfer cryptocurrency to multiple addresses immediately, especially when these wallets have no relation to where the user lives and works or are located in high-risk jurisdictions.
What to do: As part of transaction monitoring, businesses should always check that a customer’s age group, location, income, and other personal information are consistent with their crypto transfers. Also, platforms should examine the parties the user is transacting with.
A sure sign of money laundering (or other financial crime) is when customers receive cryptocurrency from—or send cryptocurrency to—darknet marketplaces, mixing services, questionable gambling sites, fraudulent exchanges, and platforms with lax AML standards.
What to do: Monitor all transactions for indicators of criminal activity, especially in cases where customers convert between cryptocurrency and fiat. Employ blockchain analysis to detect if any mixing services or other means of money laundering have been used.
It’s always suspicious when users conduct several transactions in a row that are all just below record-keeping or reporting thresholds. This may be a sign of structuring, which is breaking down large transactions into sums that are lower than certain thresholds in order to avoid being reported.
What to do: Know your reporting thresholds and monitor for consecutive transactions below them. For instance, the US Bank Secrecy Act requires businesses to file Currency Transaction Reports whenever users exchange or transfer $10,000 or above. Therefore, if users conduct several transactions just below $10,000, they might be structuring.
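A minimal transaction-monitoring rule for the structuring pattern described above, as an added example that is not from the original article. The $10,000 threshold is the figure cited above; the "just below" floor, the 48-hour window, the minimum count and the sample ledger are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000         # USD; the Bank Secrecy Act figure cited above
NEAR_FLOOR = 9_000             # assumption: "just below" means 9,000 <= amount < 10,000
WINDOW = timedelta(hours=48)   # assumption: how close together "in a row" is
MIN_COUNT = 3                  # assumption: "several" means at least three

# Constructed sample ledger: (user_id, ISO timestamp, amount in USD)
SAMPLE_TXS = [
    ("u-101", "2024-03-01T09:00", 9_500),
    ("u-101", "2024-03-01T15:30", 9_800),
    ("u-202", "2024-03-01T11:00", 9_600),
    ("u-303", "2024-03-01T12:00", 12_000),  # over threshold: reported anyway
    ("u-101", "2024-03-02T10:00", 9_700),
    ("u-101", "2024-03-02T18:00", 9_900),
    ("u-404", "2024-03-02T08:00", 9_950),
    ("u-404", "2024-03-02T20:00", 9_990),   # only two hits: keep monitoring
    ("u-202", "2024-03-10T11:00", 9_400),   # near-threshold but days apart
    ("u-202", "2024-03-20T11:00", 9_900),
]

def find_structuring(txs, threshold=CTR_THRESHOLD, floor=NEAR_FLOOR,
                     window=WINDOW, min_count=MIN_COUNT):
    """Return {user_id: summary} for users with >= min_count near-threshold
    transactions inside any sliding window of length `window`."""
    hits = defaultdict(list)
    for user, ts, amount in txs:
        if floor <= amount < threshold:
            hits[user].append((datetime.fromisoformat(ts), amount))

    alerts = {}
    for user, rows in hits.items():
        rows.sort()
        start, best = 0, []
        for end in range(len(rows)):
            # Advance the left edge until the span fits inside `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        if len(best) >= min_count:
            alerts[user] = {"count": len(best),
                            "total": sum(a for _, a in best),
                            "first": best[0][0], "last": best[-1][0]}
    return alerts

if __name__ == "__main__":
    for user, a in find_structuring(SAMPLE_TXS).items():
        print(f"{user}: {a['count']} transfers totalling ${a['total']:,}")
```

Users with one or two near-threshold transfers, or with hits spread over weeks, are not alerted here; they stay under monitoring so the flag can be read in context.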
A user who provides fake ID documents or an unreliable source of funds naturally raises suspicion. Similarly, if a person constantly changes their personal information, such as their email, IP address, or financial data, this can be an indicator that they’re engaged in money laundering.
Other red flags include situations when IP addresses are concealed using VPNs or when a user’s location doesn’t match their IP address, phone number, or bank card.
What to do: Crypto platforms must conduct customer due diligence at the onboarding stage and continuously monitor customer activity. Also, KYC procedures should include sanctions screening (some sanctions lists now include wallet numbers in addition to names).
If crypto businesses fail to comply with AML regulations, the sanctions may include fines, seizure of business activity, and even criminal liability for senior management. Exact penalties vary by country. Here are some examples of sanctions from different jurisdictions:
Estonia. Until Estonia decided to toughen its crypto AML regime, the country was one of the most popular jurisdictions for crypto businesses. At present, non-compliance with Estonia’s requirements can cost companies up to €400,000 (approx. $440,000) and lead to revocation of operating licenses.
Hong Kong. Under the recently proposed requirements, non-compliance with AML/CTF requirements can cost businesses up to $1,000,000 in fines, with senior management facing up to two years in prison.
Turkey. Crypto businesses that fail to identify customers, file periodic reports, and flag suspicious transactions may be subject to administrative fines ranging from ₺30,000 to ₺4,000,000 (approx. $2,000 to $270,000).
At Sumsub, we’ve written quite a few guides on AML compliance for crypto businesses. Here are our guides by jurisdiction:
Additionally, you may be interested in our article about the FATF’s guidance on virtual currencies.