Cryptocurrency regulations are on the rise: we have been hearing this phrase a lot over the past year. Some of the noise is hype, but some of it points to important issues in the crypto industry.
To help you make sense of crypto compliance, our legal team summarised all the details on this intricate process.
- The cryptocurrency problem
- Musts for bank-grade compliance
- A checklist for crypto compliance: documents and practices
As a relatively new type of currency, crypto became attractive to money launderers, terrorist financiers and other financial criminals, which was quickly noticed by governments and financial regulators. Since then, financial institutions dealing with crypto have been racing to make themselves fully compliant with all applicable regulations.
However, there were still many scandals as a result of crypto AML noncompliance. Among the biggest are the $110 million fine demanded from the Russian exchange BTC-e by FinCEN in July 2017 and the $700,000 charge demanded from Ripple, also by FinCEN, in May 2015.
Following these and many other fraud cases across the world, countries together with their regulatory bodies started to take action to protect the crypto industry. As a result of these new laws, the life of crypto companies got harder, but not impossible.
Crypto compliance is complicated, but still has the traditional KYC/AML procedures at the core. There are two main parts to the solution: process- and technology-related.
Before the regulatory demands got harsher, it was enough to hand over a paper saying that you had acquired a KYC/AML solution. That is no longer a universal remedy. Now, businesses working with crypto will have to develop a methodology, compliant reports and training sessions for their employees.
With current demands, processing users and their transactions manually is impossible, as the data has to be constantly monitored and screened across addresses, legal entities, etc. in line with the relevant company guidance.
And here is where we start to look for an automated tool.
How to choose a crypto monitoring provider?
There are not many technologies that detect criminal activity in cryptocurrencies. The choice simply depends on whether the provider's coverage matches the currencies you use. If you are using Bitcoin (BTC), Bitcoin Cash (BCH), Ethereum (ETH), ERC20 & ERC721 tokens, Litecoin, etc., your provider should be able to monitor them all, unless, of course, you want to employ a different crypto AML provider for each type of currency.
Once you have chosen a solution that fits your service, you will have to determine how you evaluate the results of screening and monitoring transactions. As an example, at Sumsub we have basic and enhanced checks.
Every transaction screening starts with a basic check — address screening via API, with automatically generated risk profiles. The screening can result in one of three levels of risk: low risk (0-25%), medium risk (25-75%), high risk (75-100%). Low-risk transactions automatically pass the check, while high-risk transfers immediately fail it and get blocked.
The risk level is based on how strongly the screened address is connected with darknet markets, payment processors, crypto exchanges and gambling services.
If the transaction is medium-risk (25-75%), it requires enhanced due diligence. Statistically, such transactions make up 10-15% of all transactions. The enhanced check allows compliance specialists to handle suspicious cases manually, evaluating each case for the percentage of its connections to suspicious market segments. The results are also viewed in relation to the transaction sum and the time it was made. A transaction made 2 years ago is much less risky than one made a day ago.
The evaluation largely depends on the internal policy of the business, which can decide whether to let the transaction stand or to block the users who initiated it from its service.
As the technologies are few and new to the market, not many companies have managed to implement them yet. That is why we have to look at the processes themselves.
As of today, regulators demand crypto businesses develop a methodology and a step-by-step guide to basic and enhanced crypto AML, assess the source and the destination of funds, complete reports, maintain records, etc.
Crypto compliance has many aspects and regulations. The exact demands will be set by the applicable regulatory body, which might slightly change the requirements. Below we have gathered the crypto compliance requirements of the most common regulatory bodies.
FATF — international requirements for businesses
On the 21st of June 2019, FATF finalised its recommendations on cryptocurrency regulation. Its Guidance on Virtual Assets and Virtual Asset Providers states that all virtual asset service companies, from exchanges to asset management firms, will have to gather customer data for transactions of over $1,000 or €1,000. Here, we have put together a list of what companies might have to implement in their flow.
- Identify the sender/recipient of every transaction;
- Provide the details on the funds’ sender/recipient along with each transaction and share that data with the recipient’s service provider and, if necessary, law enforcement;
- Perform KYC and due diligence;
- Develop a risk-based approach that fits the company’s workflow and the demands of relevant regulators such as FATF, FinCEN, etc.
5MLD (5AMLD) — a European guide to crypto asset companies
The directive was introduced in 2018 and stated that AML/KYC measures would have to be applied to virtual currency exchange platforms and custodian wallet providers.
Here are examples of what businesses might do to comply with 5MLD.
- Perform risk assessment;
- Design and implement appropriate AML policies, procedures, and governance frameworks;
- Deliver AML and CTF training;
- Prepare reports in case of regulatory intervention, etc.
The directive puts compliance directors and managers in charge of the quality of the checks. Non-compliance is followed by criminal charges.
FinCEN — the USA guidance
On May 9, 2019, the Financial Crimes Enforcement Network (FinCEN) published a new guidance sheet on businesses that operate using convertible virtual currencies (CVC), such as crypto. FinCEN put such businesses under the definition of money transmitters, implying that they must strictly follow federal AML and Know-Your-Customer (KYC) regulations.
- Businesses considered money transmitters must develop and support an AML program that fits their business model and compliance regulations.
- Companies will have to introduce a risk-based approach based on their customer base, the geographies served, and the services offered.
- Businesses that fall under this category are obliged to register with FinCEN within 180 days of starting to engage in money transmission.
FCA — the rules for the British companies
In July 2019 the FCA provided some clarity on its current crypto assets regulation, specifying which tokens fall under its jurisdiction. According to the FCA, true cryptocurrencies like bitcoin and ether, which it classes as “exchange tokens,” are not regulated, though AML/KYC requirements apply.
“Any token that is not a security token, or an e-money token is unregulated. However, market participants should note certain activities that use tokens may nevertheless be regulated, for example, when used to facilitate regulated payments.” — commented FCA spokesmen.
The UK Government has announced that the FCA will be the supervisor for the 5AMLD cryptocurrency regulation regime, meaning that British companies will have to follow the previously mentioned 5AMLD directive to stay compliant.
In search of crypto compliance
Since the start of 2019, the search for crypto compliance has accelerated, with self-regulatory developments witnessed across the world.
- In February, Coinbase, eToro and other exchanges formed CryptoUK, a United Kingdom-based regulatory body.
- In April, the Korean Blockchain Association revealed its provisions for Anti-Money Laundering. Also in Korea, the Financial Intelligence Unit (FIU) has announced that it will directly regulate crypto trading platforms.
- The same month, South African Reserve Bank launched a self-regulatory body created to oversee their crypto industry and ensure that cryptocurrencies didn’t undermine financial stability and observance of financial laws such as AML.
- In June, Japan announced its Virtual Currency Exchange Association established for exchanges operating in Japan.
- It is reported that the Czech Republic is stepping up its oversight of cryptocurrency exchanges and will be implementing more stringent policies than those of the European Union in a pursuit to ensure anti-money laundering (AML) compliance.
- And lastly, about 15 countries, including the G-7 members, Australia and Singapore, will develop a new system that is promised to be up and running by 2020.
These are not the only countries taking action. Many more regulatory bodies will form before the crypto industry has proper protection from criminal activity.
To help monitor any activity within finance-related industries that is deemed out of the ordinary, illegal or threatening, businesses have to submit a SAR, or Suspicious Activity Report. A SAR is a document that financial institutions, and those associated with their business, must file with a relevant regulator whenever there is a suspected case of money laundering or fraud.
As a rule, the financial authority does not request SARs from a business. The business itself is obliged to report a suspicious transaction upon detecting it. Employees are generally trained to flag and investigate such suspicious activity.
What documents you need to have to satisfy regulatory demands
The SAR usually indicates the key details of the company and the transaction suspected of fraud. Below is a list of the most commonly stated data that can satisfy regulatory interest.
- The type of company and its activity;
- The contact (usually a compliance officer);
- The person who allegedly conducted the suspicious transaction;
- The type of suspicious transaction (currency exchange, cash conversion, use of foreign bank accounts, purchase of goods, use of shell companies and so on);
- The volume and currency of the transaction;
- The alleged jurisdiction of money origin (and the origin itself, that is, where the money came from: drug trafficking, fraud, money laundering and other criminal proceeds);
- Who and under what circumstances discovered a suspicious transaction;
- The security measures taken.
Each SAR must be filed within 30 days of the date when the suspicions first arose.
There is a possible extension of 30 days if the identity of the person conducting the suspicious activity is unknown. Overall, the filing of a SAR can’t be delayed for longer than 60 days. Each SAR must be kept for five years from the date of filing.
Penalties for non-compliance include large fines, regulatory restrictions, loss of banking charter, or imprisonment.
What processes are commonly practiced for crypto compliance
The exact requirements depend on the type of regulatory body applicable to your company; however, there are some essential practices that are most commonly demanded by all of them.
- Identity verification of the sender/recipient of every transaction;
- Risk assessment and due diligence;
- Reports reflecting the history of transactions;
- Records of all users and their transaction history;
- Compliance training for personnel, etc.
These are a rough selection of measures applicable to most cases.
All in all, by sustaining AML compliance, crypto ventures have a chance of earning the trust of major players, such as e-commerce stores, mobile payment platforms, and financial institutions. Being fully compliant might take crypto businesses some time, but it most certainly will benefit them in the future.