AML and cryptocurrencies –
background and threats to
effective AML
Giles Dixon, CBP
Senior Consultant, Cryptocurrencies,
Financial Services Advisory
Grant Thornton Canada
“The challenges blockchain technology
currently presents for AML professionals…exist
now but are scantly addressed.”
Source: “When two worlds collide”
3AML and cryptocurrencies.
Some background
Although definitions of virtual currency vary depending on source, the definition below can give
us a good idea…
“Virtual currency is a digital representation of value that functions as a medium of
exchange, a unit of account, and/or a store of value*.
Cryptocurrencies like bitcoin are a form of virtual currency that use cryptography and
encryption techniques to regulate the generation of units of the currency and verify the transfer
of funds, operating independently of a central bank.
Although cryptocurrencies operate like currency, they do not have legal tender status. In
Canada, bitcoin is considered closer to a ‘commodity’ in the eyes of certain regulators such as
the OSC and others.
*Source: IRS Notice 2014-21
4AML and cryptocurrencies.
Where did it all start?
October 31st, 2008, a whitepaper, “Bitcoin: A Peer-to-Peer Electronic Cash System” was posted by an
individual / group of individuals / entity called “Satoshi Nakamoto”. The whitepaper how Bitcoin would work
• Over 9 pages, the word “anonymous” is only mentioned once
• The paper describes a new way of exchanging value without
the need for a trusted third party or intermediary
• “The public can see that someone is sending an amount to
someone else, but without information linking the transaction to
anyone. This is similar to the level of information released by
stock exchanges, where the time and size of individual trades,
the "tape", is made public, but without telling who the parties
were”.
https://bitcoin.org/bitcoin.pdf
Source: “Bitcoin: A Peer-to-Peer Electronic Cash System”
5AML and cryptocurrencies.
Where did it all start?
Satoshi Nakamoto?
The unknown person or people who designed bitcoin and, as part of its implementation,
the first Blockchain.
Or perhaps…
6AML and cryptocurrencies.
Cryptocurrency - legal or illegal?
Source: Thomson Reuters, October 2017
Recently banned
7AML and cryptocurrencies.
AML Regulation
Governments around the world are beginning to grapple with the broad range of regulatory challenges presented by the
virtual currency (“VC”) world. A report by the Bank for International Settlements categorizes the measures taken to date as
follows:
a) Imposing restrictions on regulated entities for dealing with virtual currencies;
b) Adopting legislative/regulatory measures, such as the need for exchange platforms dealing with VC to be
subject to regulation as money remitters, or the proposed regulation of VC intermediaries in some jurisdictions
for AML/ATF purposes;
c) Publishing statements cautioning users about risks associated with VC and/or clarifying the position of
authorities with respect to VC; and
d) Monitoring and studying developments.
But that is changing! This year, we have started to see some jurisdictions going public with more firm regulatory
stances on specific areas of the virtual currency world - Australia, Switzerland and Japan are some
examples….but the landscape is still very much developing.
8AML and cryptocurrencies.
Amendments to Canada’s AML legislation (not yet in force)
In June 2014, Canada published drafts (which were further amended in 2015) to amend its AML/AFT legislation to treat
persons and entities engaged in the business of dealing in VCs as money service businesses (“MSBs”):
Paragraph 5(h) of the Act was replaced by the following:
(h) persons and entities that have a place of business in Canada and that are engaged in the business of providing at
least one of the following services:
• foreign exchange dealing,
• remitting funds or transmitting funds by any means or through any person, entity or electronic funds transfer
network,
• issuing or redeeming money orders, traveller’s cheques or other similar negotiable instruments except for cheques
payable to a named person or entity,
• dealing in virtual currencies, or
• any prescribed service;
Under the same list of services, (h.1) also includes “persons and entities that do not have a place of business in Canada,
that are engaged in the business of providing” …the above listed services.
9AML and cryptocurrencies.
Effective AML and the challenges of moving from real world to virtual
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
AML Defences Need to Evolve
10AML and cryptocurrencies.
AML Continuum – Points to consider
• Those coming to us are being proactive in getting their AML
regime to a place where it needs to be…but often they do
not have much in place today – it needs to be built rather
than enhanced.
• It is important to understand each organization’s
interpretation on new nomenclature being born in this
industry e.g. verified / un-verified.
• Also important to understand the fundamentals of different
types of offerings / products / coins available and what
they do / what makes them unique. Bitcoin is just one.
• Understand, for each specific organization, the possible
flows / entry and exit points – different for each.
Challenges / Threats / Points to consider
• Does the organization operate with an ‘unverified’ customer
base? What portion of their business is made up of this type of
customer?
• How easy is it for customers to enter the virtual world?
• Consider the network around the business (and the risk
presented) – e.g. counterparties, franchisees etc.
• Consider why someone would use an ATM vs. an exchange
vs. other forms in to the virtual world e.g. Flexepin.
• What is it about a particular exchange or crypto currency that
means customers use them? E.g. arbitrage? Anonymity? What is
the legitimate business story?
• Need an approach to assessing risk of new technologies as they
emerge – current regulatory requirement very much applies here.
Applying Canada’s AML rules
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
11AML and cryptocurrencies.
AML Continuum – Points to consider
• Naturally, the pseudo-anonymous nature of crypto makes
knowing your customer a (potential) challenge
• Verified (in the virtual world) does not always mean I know who
my customer is!
• KYC controls not being applied consistently (primarily in the
case of the ATM world) for each customer.
• These organizations have grown quickly, and in some cases
are only now considering their AML programs. Large back
book of ‘un-verified’ customers to understand.
• There is a challenge of compliance capacity.
• The trade off / conflict (in some parts of this industry) between
compliance and commercial is real.
Challenges / Threats / Points to consider
• Understand what “verified” actually means. What
functionality do these customers have? (we’ll explore this some
more shortly)
• How does this translate to being able to know who their
customers are?
• Is there a ‘legacy’ book of un-verified customers and if so,
what controls does the organization have in place to mitigate
against the risk this poses?
• To what extent does the ID documentation collected reflect
the standards expected of ‘similar’ organizations such as MSBs
– this can be challenging in a digital realm.
Applying Canada’s AML rules
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
12AML and cryptocurrencies.
AML Continuum – Points to consider
Customer Base Make Up
Unverified
Verified
Verified
(Higher)
• Cryptocurrency deposits allowed – no
limits
• Cryptocurrency withdrawals - limited
• Many moving to ‘no withdrawals’ model
• Deposits allowed – VC and FIAT (FIAT
limited)
• Withdrawals allowed – VC and FIAT
(limited)
• Some exchanges offer a ‘higher’ level
verification option
• Larger limits allowed on deposits and
withdrawals
Customer Typical functionality allowedTypical % of
customer base
C. 90%
C. 10%
Let’s explore the concept of ‘unverified’ and ‘verified’ a bit further. We have typically seen the
following customer make up at VC exchanges. It is important to note the model described
below differs from exchange to exchange:
Current KYC (needs
enhancement)
• Name
• Email Address
• Country of residence
• Phone number
• All of above
• Proof of address
• Government ID
• All of above
• Government ID
• Social Insurance
Number
• Source of funds
13AML and cryptocurrencies.
AML Continuum – Points to consider
• The list of counterparties at any given VC operator can be
long.
• Exchange A and Exchange B may be in exactly the same
business and dealing with exactly the same coins, but each
have very different controls in place.
• This is important as a number of exchanges provide
services to one another which help them, in turn, provide
service to their customers.
• Many other types of virtual businesses are involved too –
each bring their own challenges from an AML perspective
such as miners and wallet providers, developers.
• Counterparty due diligence is crucial.
Challenges / Threats / Points to consider
• Consider the due diligence that is undertaken on the
counterparty – what has been done, if anything?
• How do the counterparty’s controls compare? Scrutinized?
• Does the counterparty have experience in the industry? In the
crypto world, almost anyone can play.
• Has there been anything in the media which would reflect
negatively on the counterparty?
• Do individuals at the counterparty have a history of
enforcement?
• Where is the counterparty located?
• How is the organization financially? Are they stable?
Applying Canada’s AML rules
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
14AML and cryptocurrencies.
AML Continuum – Points to consider
Let’s consider one example of a counterparty network from the perspective of a crypto
currency exchange.
Crypto
Exchange A
Exchange B
• Buying Exchange A’s coins /
tokens to sell to their customers.
• Exchange offers wallets that
support Exchange A’s coins /
tokens.
Independent Wallet Provider
• Offers wallets that are enabled
to support Exchange A’s coins /
tokens.
Miners
• Mine the coins / tokens that
eventually end up at Exchange
A.
• How have they funded their
operations?
Other Banks?
• Customers have linked their
bank account to Exchange A
and are depositing funds from
their account in exchange for
Exchange A’s coins / tokens.
Protocol Developers
• They maintain the protocol on
which Exchange A’s platform
sits.
• Are they designing the protocol
with ML risks in mind?
Exchange C
• Exchange A is buying liquidity
from Exchange C.
• What controls do they have in
place on their exchange?
MSB
• The MSB is used as an
intermediary to receive virtual
currency, exchange for fiat and
transfer funds to the bank
accounts of other related parties
15AML and cryptocurrencies.
AML Continuum – Points to consider
• The blockchain is (potentially) a tool which can help us
all. Every transaction ever undertaken is recorded and
visible on the network. The challenge is knowing how to
make sense of it all.
• Technologies such as tumblers and mixers have been
seen to be one of the main ways of laundering funds in the
virtual realm.
• Should the focus be on large volumes / large frequency
prioritized over low dollar values?
• Some VC operators are better than others - for the vetting
of cash at B-ATMs are weak. More needs to be done.
• The notion of “ring-fencing” is becoming possible.
Challenges / Threats / Points to consider
• Need to think about the right parameters to apply- do we
need full KYC at $1 or at $500?
• Consider IP address KYC and monitoring.
• The infrastructure is easily there for the monitoring to occur,
these 'fintech' companies are built in a way that using
and monitoring data is part of their DNA.
• Can I decide to facilitate some of your transactions but not
all?
• What about an environment where AML is built in from
the start i.e. blockchain with all required controls and
capability built in from inception - anonymity completely
removed while benefits of the blockchain still exist.
Applying Canada’s AML rules
`
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
16AML and cryptocurrencies.
AML Continuum – Points to consider
Let’s explore further how this plays out in an example scenario – we can quickly start to see
why and where risk exists…
Virtual World
(Exchange or
wallet provider)
Real World
• Dollars deposited at ATM – no
KYC undertaken;
• Exchanged for bitcoin and
deposited in to bitcoin wallet at
an exchange.
• Subsequent VC deposits made
from other exchanges.
2
1
• Customer is unverified.
• All funds sent to verified wallet at
another exchange where customer
has used a false identity.
3
• Funds
withdrawn out
in to banking
system.
4
Illicit Funds
17AML and cryptocurrencies.
AML Continuum – Points to consider
• How do we know who we are dealing with in an on-line
world?
• How much do we need to know?
• Some of the monitoring tools are too expensive for the
more traditionally built AML programs.
• The blockchain monitoring tools available can be helpful –
but they are still learning / building their profiles with
time.
• Easier world for nominees?
• At a more fundamental level, is the capacity there to learn,
understand, and effectively implement virtual monitoring?
Challenges / Threats / Points to consider
• Think of a future where there is ready access to know your
digital footprint in a way never contemplated in the non-
virtual world.
• “Central” ID repositories that sit on the blockchain are
potentially where we are heading.
• Now more than ever we are required to work together
with people who bring the skills and experience needed
to tackle the challenge – whether this be subject matter,
technological, or otherwise.
Applying Canada’s AML rules
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
18AML and cryptocurrencies.
AML Continuum – Points to consider
• No reporting yet of crypto currency transactions by Canadian
players that we are aware of.
• This is being discussed and contemplated.
• Investigations are on the rise by regulators around the
globe. The SEC is increasing scrutiny on ICOs with more
than a dozen companies under investigation in the US.
• Quebec government’s chief data scientist recently
announced opinion on money laundering through
bitcoin.
Challenges / Threats / Points to consider
• Need to build reporting framework.
Applying Canada’s AML rules
No AML Regime
Identifying and
assessing riskCounterparties
Monitoring / vetting
crypto transactions
Digital Relationship
Monitoring
Know your customer / know
your digital customer
Investigation
and reporting
19AML and cryptocurrencies.
Where next from here?
• We as AML professionals must embrace the technology for what it is and learn more in
order to better understand its opportunities and threats from an AML perspective;
• More is needed (and understanding will help) to put the right structures in place;
• This falls on us as AML professionals and practitioners, but also those operating in the
industry;
• We should move away from considering the ‘real’ and ‘virtual’ world as two independent
worlds;
• We need to integrate our thinking and approaches otherwise we create opportunities for
illegal funds/owners of those funds to flourish;
• Not a one size fits all approach.
Thank you. Please feel free to get in
touch to discuss further.
Giles Dixon, CBP
Senior Consultant, Cryptocurrencies,
Financial Services Advisory
Grant Thornton Canada
Tel: +1 (416) 607 2689
Cell: +1 (647) 676 4671