In 2018, Japanese cryptocurrency exchange Coincheck lost $500m in one of the biggest crypto heists in history. Money laundering followed, as the penetrators needed to obscure the source of their illicit funds and convert them into legitimate cash.
In 2021, three years after the Coincheck heist, 30 individuals were charged after getting caught trying to exchange $100m through an illicit exchange on the darknet.
But the darknet isn’t the only place where criminals go to launder money. In fact, criminals will often use lawful crypto services, especially at the end of their money laundering journey.
So how do you make sure that criminals aren’t using your platform to launder money? And what happens if money laundering goes unnoticed? Let’s dive into the topic.
- Why crypto businesses must comply with AML regulations
- Who is affected
- How criminals use crypto platforms to launder money
- How crypto businesses can detect money laundering
- Red flags to look out for
- Sanctions for crypto businesses
- Where to find out more
Why crypto businesses must comply with AML regulations
In 2018, the 5th AML Directive brought European crypto businesses into its regulatory scope, obliging them to the same AML rules as financial institutions.
The same year, the Financial Action Task Force (FATF) updated Recommendation 15 to include crypto businesses. This prompted both European and non-European members of the FATF to require crypto businesses to meet AML standards.
As a result, crypto businesses can now face sanctions, including fines and even jail time, for not fulfilling AML obligations such as customer due diligence, transaction monitoring, suspicious activity reporting, and more.
Who is affected
All crypto businesses, officially known as Virtual Asset Service Providers (VASPs), located in countries that have transposed FATF requirements into their national laws, must introduce measures for detecting money laundering, terrorist financing, and other financial crimes. To see whether your jurisdiction has transposed FATF requirements, check out your national AML laws.
How criminals use crypto platforms to launder money
Criminals use a number of means to hide the origins of illicit funds. Here are the top five most common money laundering schemes in the crypto industry:
- Mixing services. Offenders exploit mixing services which allow users split up virtual assets, run them through a series of wallets, and then recombine them to appear legitimate.
- Unregulated exchanges. Criminals often switch between cryptocurrencies to cover their tracks. They use crypto platforms with lax AML compliance policies, like peer-to-peer exchanges, to convert “dirty” cryptocurrency to “clean” cryptocurrency without drawing attention to themselves. This was the scheme used in the 2018 Coincheck heist.
- Gambling platforms. Money launderers can place low-outcome bets on gambling sites that accept crypto currencies; they won’t win much but they’ll get legitimate money in the end.
- Money muling. Offenders often exploit money mules (individuals with a clean transaction history) to transfer or cash in illicit cryptocurrency. Money muling is an extremely common money laundering technique in the crypto sector. Europol, the EU law enforcement agency, estimates that up to 90% of all money mule transactions are connected to cybercrime.
- Prepaid cards. Prepaid crypto cards also create opportunities for money laundering as they allow criminals to convert “dirty” virtual assets into fiat money.
However, even if offenders exploit these money laundering schemes to hide the origins of illicit funds, their activity can still be traced using blockchain analysis. Financial Intelligence Units can track which crypto platform facilitated the money laundering and take legal action against it, even if a platform didn’t do it on purpose. Therefore, businesses should ensure that they can unmistakably spot money laundering and other financial crimes. Let’s talk about how to do it.
How crypto businesses can detect money laundering
To ensure that a crypto business isn’t a front for money laundering, it must have three essential procedures in place:
- Know Your Customer. Crypto businesses must verify the identities of their customers at the onboarding stage. This includes collecting their names, addresses and dates of birth. To better assess money laundering risks that customers might pose, businesses should also analyze wallet addresses and transaction hashes.
- Travel Rule. According to the FATF’s Recommendation 16, known as the “Travel Rule”, crypto businesses are required to collect and share data on parties in transactions exceeding 1,000 USD/EUR.
- Transaction monitoring. Crypto businesses must introduce a system for ongoing transaction monitoring that detects specific indicators of money laundering.
What are the signs of money laundering and what should companies do when they detect them? Learn more below.
Crypto compliance doesn’t have to be tough. Sumsub’s holistic AML & KYC solution for crypto businesses provides risk screening of wallets in real-time, helping you detect any suspicious activity with ease.
Red flags to look out for
Before we dive deeper into money laundering indicators, note that the presence of a single red flag may not be a sufficient basis for suspecting criminal activity. In cases like this, companies should continue to monitor user activity in order to put this red flag into context. However, if a combination of red flags is detected, then the company must freeze the suspicious wallet and file a Suspicious Activity Report with a financial intelligence unit.
Now let’s delve into the most common indicators:
A transaction has an unusual size, destination, or pattern
Any transaction that seems unusual can be a sign of money laundering. For instance, if a client, who is much older than the average user of a platform, makes a surprisingly large crypto transaction to an account that has no connection to them, it could be a sign that they are a money mule who transfers money for criminals.
Another red flag is when customers transfer cryptocurrency to multiple addresses immediately, especially when these wallets have no relation to where the user lives and works or are located in high-risk jurisdictions.
What to do: As part of transaction monitoring, businesses should always check that a customer’s age group, location, income, and other personal information are consistent with their crypto transfers. Also, platforms should examine the parties the user is transacting with.
Use of mixing services and fraudulent exchanges
A sure sign of money laundering (or other financial crime) is when customers receive cryptocurrency from—or send cryptocurrency to—darknet marketplaces, mixing services, questionable gambling sites, fraudulent exchanges, and platforms with lax AML standards.
What to do: Monitor all transactions for indicators of criminal activity, especially in cases where customers convert between cryptocurrency and fiat. Employ blockchain analysis to detect if any mixing services or other means of money laundering have been used.
It’s always suspicious when users conduct several transactions in a row that are all just below record-keeping or reporting thresholds. This may be a sign of structuring, which is breaking down large transactions into sums that are lower than certain thresholds in order to avoid being reported.
What to do: Know your reporting thresholds and monitor for consecutive transactions below them. For instance, the US Bank Secrecy Act requires businesses to file Currency Transaction Reports whenever users exchange or transfer $10,000 or above. Therefore, if users conduct several transactions just below $10,000, they might be structuring.
Suspicious user behavior
A user who provides fake ID documents or an unreliable source of funds naturally raises suspicion. Similarly, if a person constantly changes their personal information, such as their email, IP address, or financial data, this can be an indicator that they’re engaged in money laundering.
Other red flags include situations when IP addresses are concealed using VPNs or when a user’s location doesn’t match their IP address, phone number, or bank card.
What to do: Crypto platforms must conduct customer due diligence at the onboarding stage and continuously monitor customer activity. Also, KYC procedures should include sanctions screening (some sanctions lists now include wallet numbers in addition to names).
For the full list of red flags for crypto, click this link.
Sanctions for crypto businesses
If crypto businesses fail to comply with AML regulations, sanctions may include fines, seizure of business activity, and even criminal liability for senior management. Exact penalties vary by country. Here are some examples of sanctions from different jurisdictions:
The United States. Engaging in money laundering or not preventing it can lead to a prison sentence of up to 20 years and a maximum fine of $500,000 for each money laundering transaction. In October 2020, an American Bitcoin platform received a $60m fine for breaches in AML requirements.
South Korea. As of March 2021, violations of internal AML procedures, such as record keeping, can lead to fines between 30m (around $26,000) to 100m won ($88,000).
Estonia. Until Estonia decided to toughen its crypto AML regime, the country was one of the most popular jurisdictions for crypto businesses. At present, non-compliance with Estonia’s new requirements can cost companies up to €400,000 and lead to revocation of operating licenses.
Singapore. Under the Payment Services Act, fines for non-compliance with AML requirements range from S$2,000 (about $1500) to S$250,000 ( $185,000). A key demand of this regulation is for crypto businesses to have an operating license. In 2020, a Singaporean citizen was fined S$125,000 ($88,000) and sentenced to three years in prison for selling bitcoin without a license.
Where to find out more
At Sumsub, we’ve written quite a few guides on AML compliance for crypto businesses. Here are our guides by country:
Additionally, you may be interested in our ultimate guide on AML & KYC requirements for crypto.