Crypto AML Regulations: Global Approaches
As cryptocurrencies become increasingly mainstream, regulators, the media and policymakers are paying more attention to the financial crime risks associated with them. But what are the biggest compliance challenges crypto firms face, and what does a best practice AML program look like? This guide is designed to serve as a practical, hands-on resource for financial compliance professionals working in the crypto industry. It covers the essentials of building and scaling a crypto AML program, how to navigate regulatory change, and the emerging use cases — and threats — compliance teams should look out for.
The Important Role of Cryptocurrency
Cryptocurrencies are one of the most dynamic, fast-changing and innovative parts of the financial services landscape. All innovation comes with risks, however, and many policymakers have identified anti-money laundering compliance and controls as one of the biggest crypto vulnerabilities.
What Is AML in Cryptocurrency?
Many of the best practices around anti-money laundering (AML) crypto compliance are consistent with those in other financial services firms. A risk-based approach remains central, and a comprehensive risk assessment is a foundational step in this process. Revisiting risk assessments periodically is also critical — especially considering the current rate of regulatory change.
The money laundering typologies crypto firms must manage are also broadly similar to other financial institutions — money muling, for example, is a threat common to all firms. One of the primary additional risks above and beyond fiat currency-based typologies concerns tactics used by criminals to anonymize their operations. This includes off-chain transactions.
One issue where the compliance challenges are arguably greater for crypto firms is personnel. Many experienced compliance professionals have higher salary expectations than smaller, fast-growing crypto firms can support, and these firms lack the structure and processes offered by bigger organizations. In addition, our State of Financial Crime 2022 survey showed that, while most compliance teams sought to hire from banking, regulatory and FinTech backgrounds, 68% of crypto exchanges cited other crypto firms as their preferred hiring background. This could create limitations — not only will the hiring pool be limited, but firms will risk a “group think” approach. A well-rounded compliance team will draw on a range of perspectives.
Whatever role in the AML team they hold, relationship building is key for compliance officers in crypto firms. This is especially important for anyone interfacing with regulators but matters internally too. As crypto firms scale, compliance teams will have to navigate potential conflicts of interest and handle communicating with stakeholders who may prize growth ahead of the firm’s regulatory responsibilities.
Technology decisions are among the most critical and do not come with a set of “one size fits all” answers. Do firms build in-house or outsource to specialist providers? Mindful of the importance of automation for sustaining rapid growth, many crypto firms opt to outsource. Specific areas where specialist expertise is beneficial include onboarding and identity verification, customer screening and monitoring and transaction risk management. Firms that scale rapidly without automated screening and monitoring tools face a number of risks, including onboarding customers without completing adequate diligence and having a high volume of alerts that must be remediated manually. Ultimately, such lapses will be noticed by regulatory authorities.
Finally, crypto compliance teams need to understand their firms’ expansion plans in order to assess their regulatory implications. If these relate to a new coin or product launch, have the compliance implications been fully assessed at the design stage? If a firm is entering a new market, does it have a local presence that can support relationship development?
To explore these topics and questions in more detail, download our full guide. It includes hands-on guidance firms can incorporate into their crypto AML programs.
An Overview of Global Crypto AML Regulations
Crypto AML regulations around the world diverge in many ways, and firms operating in multiple jurisdictions will need to understand the nuances of each market they operate in. Indeed, navigating regulatory arbitrage is one of the biggest challenges crypto compliance teams face. Some of the major markets explored in the report include:
Crypto AML Regulations: The Americas
In the United States, the Anti-Money Laundering Act 2020 (AMLA) brought into the scope of the Bank Secrecy Act any providers that deal with virtual assets and digital assets. Since then, however, crypto regulations in the US have continued to move at a rapid pace. In March 2022, President Biden signed an Executive Order on Ensuring Responsible Development of Digital Assets (EO).
In Canada, cryptocurrency offering providers are treated as issuers of securities, and dealers in virtual currencies must register as money service businesses (MSBs). Additional requirements are set out in Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFRs).
Crypto AML Regulations: Europe
Across the European Union, crypto regulations are currently governed by the 5th Anti-Money Laundering Directive, which brought crypto-to-fiat exchanges and custodial wallets into scope. However, the EU is introducing a new AML/CFT package that will have significant implications for cryptoasset service providers.
The United Kingdom’s government has announced plans to make the country a global cryptoasset technology hub — including recognizing stablecoins as a form of payment. The government is also reviewing cryptoassets as part of its wider look at the country’s economic crime legislation. The UK’s regulator — the FCA — has issued Dear CEO letters on managing cryptoasset risks and also recently issued a joint statement from UK financial regulatory authorities on sanctions and the cryptoasset sector.
Crypto AML Regulations: Asia Pacific
Australia treats cryptoassets as either financial products regulated by the Australian Securities and Investment Commission (ASIC) or as consumer products regulated by the Australian Competition and Consumer Commission (ACCC). Cryptoasset exchanges or cryptoasset secondary service providers (CASSPrs) are registered with AUSTRAC for AML/CFT purposes.
In Singapore, cryptoassets are regulated under the Payment Services Act (PSA) as “digital payment tokens” (DPTs), and cryptoasset providers are regulated as “digital payment token services.” They must be authorized by the Monetary Authority of Singapore (MAS). The country’s recently passed Financial Services and Markets Bill 2022 also brings into the scope of local regulation cryptoasset firms that are located in Singapore but offer their services abroad. The bill also introduced important new licensing requirements and powers for MAS.
Japan was one of the first countries to introduce crypto-specific regulations, with different types of tokens subject to different types of regulation. Their regulatory status is enshrined in the Payment Services Act. The country’s next regulatory moves are likely to relate to crypto exchanges, in part to help manage sanctions risks associated with Russia.
By contrast, in China, only the country’s own digital yuan is accepted as legal tender, with all other cryptocurrency transactions banned as of September 2021. Individuals are not yet banned from holding cryptocurrencies, however.
Explore regulatory requirements country-by-country in more detail by downloading our full report below.
Why AML Compliance for Cryptocurrency Firms Is Essential
As governments globally continue to map out their regulatory frameworks for cryptocurrencies, firms will soon face an inflection point. Understanding where the AML compliance landscape is now — and where it’s likely to go in the months ahead — will help firms prepare. This will enable them to build valuable confidence among prospective customers and regulators.
Getting ahead of the latest regulations requires firms to conduct horizon scanning, mapping upcoming regulatory changes to compliance budgets ahead of time. This will ensure firms have the right staff in place to cope with a large volume of new requirements.
Firms must also understand new requirements and their impact. This could require an incremental change to existing rules and controls or the wholesale introduction of a new program in a new jurisdiction. Many regulatory risks — such as those associated with sanctions — are not typically crypto-specific.
Staying ahead of AML compliance requirements also means investing the time to have a dialogue with local regulators. One effective way to do this is by contributing to regulatory consultations. This helps to ensure new regulations are built with the realities of operating a crypto firm in mind.
Our guide explores the importance of a proactive regulatory approach in more detail.
Risk of Non-Compliance With Crypto Anti Money Laundering Regulations
Non-compliance with anti-money laundering regulations presents a number of significant risks for crypto firms. While the exact nature of these will depend on the violation in question and the firm’s business model, some of the risks include:
- Facilitating sanctions evasion: This is particularly a risk when dealing with decentralized exchanges (DEX) and decentralized finance (DeFi) platforms. Analysts have shown, for example, that bitcoin has been used to evade sanctions on Iran.
- Enabling terrorist financing: Governments operating in geopolitically sensitive climates — including in India — have argued this is the biggest financial crime risk related to crypto. As a result, firms should expect additional, more stringent terrorist financing measures where necessary. India’s government, for example, recently investigated the use of crypto by the al-Qassam brigades, the military wing of Hamas.
- Layering: Criminals may seek to convert illicit fiat currency into crypto in order to disguise its origins. The Financial Action Task Force (FATF) highlighted a case in which criminals stole KRW 400 million from victims in South Korea through phishing before carrying out multiple high-value transactions to transfer the funds to a foreign crypto wallet. The funds were passed through 48 accounts in an attempt to disguise their origin.
Ultimately, the consequences of AML non-compliance for crypto firms themselves could include being denied a license to operate, forcing a firm to relocate or close. If controls are found to have lapsed, firms will likely have to conduct significant manual remediation work. For example, they may have to rescreen customers who have not gone through appropriate due diligence processes or recalibrate transaction monitoring tools and accept a higher volume of false positives while new rules are built and refined.
Regulators frequently publish guidance on AML risks in their jurisdictions, helping firms to get ahead of potential areas of non-compliance. Our crypto AML guide explores in full the major regulatory risks cryptocurrency firms need to be aware of.
What to Expect in Our AML for Crypto Firms Guide
This guide is the product of numerous interviews conducted with firms operating in the crypto space globally — including exchanges, trading platforms, consultancies and Elliptic, a blockchain analysis provider. In it, we explore many of the topics highlighted here in more detail, including:
- The crypto AML regulatory landscape: This includes the global regulatory picture, key regulations in major crypto markets and likely developments through 2022
- Building an AML program: A practical guide to building and scaling a program for crypto firms, including some of the risks and opportunities firms need to know about
- Emerging use cases and threats: From darknet markets to fraud and sanctions evasion, as crypto use cases evolve, so will illicit actors. We look at how firms can stay ahead
- Success stories: Meet some of the crypto firms working with ComplyAdvantage to scale and optimize their AML programs
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).