Wading Through FATF Guidance and Risks for Cryptos
Greg Pinn, who is an expert in cryptocurrencies, recently conducted an informative webinar with CaseWare RCM to help us understand how cryptocurrencies are structured and help us wade through the Financial Action Task Force (FATF) guidance for a risk-based approach to virtual assets (VA).
Last year, the FATF issued its Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (VASPs) to give countries and VASPs clarity on how existing anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations affect virtual asset activities and providers.
The Guidance lays out 10 elements that are critical in risk mitigation of VAs and VASPs:
- Risks associated with crypto-to-fiat and crypto-to-crypto transactions (these pose different risks than fiat-to-crypto transactions)
- Centralized vs decentralized models (most are decentralized with no single authority)
- Types of VAs offered and the features of those VAs
- Unique business models associated with VASPs
- Online-only versus in-person risks (new technology improves how we identify individuals)
- Exposure to anonymization services such as TOR (no ability for people to see what is being done online)
- Risks associated with multi-jurisdictional VASPs
- Nature and scope of the VA account, product or service (what is purpose of the VA?)
- Nature and scope of the VA payment channel or system
- Any parameters or measures in place that may lower the provider’s exposure to risk
As Greg pointed out, you may not know all the different types of cryptocurrencies and it is important to understand the differences in order to be able to assess the risk related to each. You can read more about the types of cryptocurrencies in my colleague Eric Hansen’s article here.
While many believe cryptos aren’t going anywhere, in my opinion, FIs need to carefully consider their risk-based approach, policy as well as transaction monitoring workflows, screening process and enhanced due diligence before evaluating this opportunity.
But here are some of the facts Greg pointed to in his webinar:
- With a total market capitalization of ~ $240 billion, exchanges and other VASPs need a safe and secure place to store the fiat value of their cryptocurrency.
- Currently, many crypto-exchanges bank offshore, increasing risk for the exchange and its customers.
- In addition to custodial services for VASPs, new products could be offered by financial institutions to securely store private keys for users to help secure cryptocurrency wallets.
If you do decide to include VAs and VASPs as part of your business, here are some things that Greg says you need to do to mitigate risks:
- You need to risk profile all the cryptocurrencies used by your clients. If a client is bringing money in from an exchange, you need to know not just what was the currency that they immediately transacted with but work with the exchange to understand if there were other currencies involved and what were the types of transactions being used by that user.
- You need to complete enhanced due diligence on any VASPs that you’re going to do business with. You need to understand the nature of the business, value and purpose and make sure the business is running legally and securely.
- Like with fiat currency, you need to do transaction monitoring. This is where blockchain forensics is incredibly important and can be used for both with when money comes in and also after the fact for investigations.
- Finally, keep doing what you are doing. Everything you do with traditional fiat currency applies for cryptocurrencies including sanctions screening, PEP screening, adverse media, etc.
In summary, here are the key takeaways from Greg’s webinar:
- When evaluating cryptocurrency risks, the cryptocurrency type must be evaluated and understood
- While Bitcoin maintains the largest market capitalization (about 65% of the total value of all cryptocurrency), most of the transaction volume is conducted in stable coins such as Tether.
- Each cryptocurrency type presents a different type of risk, but from an AML/KYC perspective, privacy coins pose the highest risk.
- New coins and new types will continue to emerge as coins split (hard fork), new coins are developed, and new problems are solved through cryptocurrency
We are delighted Greg could host this webinar. We produce a number of webinars each year to help compliance professionals to better understand emerging issues in the field. If you are interested in finding out more about Alessa, please do not hesitate to contact us.
About Brett Barrett
Brett Barrett (LinkedIn) is a Senior Risk Specialist at Caseware RCM where he helps financial institutions implement technology solutions to manage risk and compliance. Prior to that he was a Risk Specialist with Refinitiv, formerly the Financial & Risk division of Thomson Reuters, where he specialized in KYC and AML and helped some of the largest financial institutions in the world solve their AML, governance, risk and compliance challenges.