
DETER, DETECT, DEFEAT! Understanding Digital Assets Related...

Date post: 26-Jul-2020
Page 1: DETER, DETECT, DEFEAT! Understanding Digital Assets Related …files.acams.org/pdfs/2019/Nella_Zelensky_FCI_White_Paper.pdf · 2019-07-12 · 3. RISK ASSESSMENT 12 3.1 How Financial


TABLE OF CONTENTS

1. BACKGROUND
1.1 Blockchain: History, Overview, and Main Features
1.2 Anonymity and Pseudo-anonymity
1.3 DLT: Benefits and Money-Laundering Risks
1.4 Digital Assets Marketplace: At a Glance
1.5 Regulatory landscape

2. DIGITAL ASSETS RELATED CRIME: Stats, Anatomy, and Characteristics
2.1 Identify: Crypto Crime by the Numbers
2.2 Generic Level of Crypto Fraud: Anatomy, Perspective, and Driving Force
2.3 Characteristics of Digital Currencies Preferred by Criminals
2.4 Crypto Fraud in Motion: Types of Crimes

3. RISK ASSESSMENT
3.1 How Financial Institutions Should Approach Crypto Compliance
3.2 Risk vs. Uncertainty
3.3 Uncertainty Management: Foundation for Proactive Compliance Program
3.4 Virtual Currency Specific Risks
3.5 AML Risks and Audit Risk Model
3.6 Customer Risk
3.7 Product Risk
3.8 Geographic Risk
3.9 Identification and Verification Risk
3.10 Objective Blockchain ID (OBID)
3.11 Detection and Monitoring Risk

4. CROSS-BORDER COMPLIANCE: CHALLENGES and BEST PRACTICES
4.1 FATF: Expanding AML Rules to Digital Assets
4.2 Crypto Regulatory Regime by Country

5. CONCLUSION


EXECUTIVE SUMMARY:

When Bobby Axelrod, the hedge fund owner from the famous TV show "Billions", referred to crypto for large payouts in one of its episodes and gave his employee a pin code for a Ledger Nano S with $1,000,000 in cold storage, it was clear that the cryptocurrency revolution was spreading everywhere, including the dark side of Wall Street. After being banned from trading, Bobby began hiding his secret profits using crypto to securely transfer money without being detected. All of us who watched the show remember his famous words when he met his trading partner: "You are now officially but unofficially the proud owner of half of my half of [the hedge fund's profits], paid in crypto of course."

Axelrod's words are not too far removed from reality, and even though there remains a fictional aspect to our pop culture, it does reflect accurately how we live and what is going on in real life, including the crypto space.

Just a few short years ago, bitcoin was a novelty idea. Today, we have a bitcoin-culture invasion, despite a prolonged decline in the crypto markets beginning in 2018, when millions of transactions bombarded the bitcoin blockchain every day. But virtual currencies bring more opportunities not only for crypto enthusiasts, but for bad actors as well. At the time of this writing, news outlets reported one of the largest alleged crypto Ponzi schemes based on OneCoin, a fictional cryptocurrency, where promoters laundered $1.3 billion in stolen investments around the world.

On June 20th, 2018, Deputy Assistant Director of the US Secret Service's Office of Investigations, Robert Novy, gave testimony before the House of Representatives Financial Services Subcommittee on Terrorism and Illicit Finance and stated that considering "the global nature of the Internet and modern communications, ... digital currencies are particularly well-suited for supporting crimes that are transnational in nature."1

Hackers manage to steal millions of dollars’ worth of bitcoin and other digital currencies from crypto wallets, and this is a big concern for all market participants, developers, regulators, and law enforcement. Cryptocurrency today is a preferred type of payment for cybercriminals, and this is especially disturbing since according to the UN Office on Drugs and Crime, the cost of global cybercrime is approaching $600 billion.2

Even though the cryptocurrency ecosystem is now seeing increased regulatory scrutiny, scammers continue their illicit deeds. Crypto-related criminal activity is rising astronomically, and for most people, the crypto space has a stigma pertaining to criminal activity and a bad reputation. That’s why crypto enthusiasts and the entire crypto community insist on active cooperation with law enforcement, going after fraudsters of all types.

Adding virtual assets to the product line involves strategic business decisions which include careful and rigorous risk assessment and unique risk mitigation practices. But business-as-usual, where we are excellent at handling the problem after the fact and applying a one-size-fits-all approach to anti-money laundering (AML) compliance and fraud detection, is no longer acceptable. Here is where the main question arises: how can we protect investors against being defrauded of digital currencies and adapt tools and measures at the level of a financial institution (FI) to help law enforcement detect criminal crypto-related activity and stop crime before it happens? How can we weed out crypto scammers and make the digital currency ecosystem a better place for everyone?


This white paper aims to raise awareness of the risks associated with the use of digital assets and educate the AML and compliance community about crypto-related crimes. Specifically, it sheds light on current and anticipated threats and typologies of crime related to digital assets and their impact on financial institutions. Our primary focus is on how we in the compliance community should have courage and challenge the status quo to DETER, DETECT, and DEFEAT crypto-related illegal activity using proactive risk assessment and global compliance best practices.

Some sections of this report refer to the author’s previous white paper, “Digital Ledger Technology: Streamlined CDD Examination Process through Blockchain Application.”3 The report illustrates the author’s continuing interest and dedication in covering the subject of blockchain technology, digital assets, and their impact on crypto-related crimes and money laundering. Her first encounter with bitcoin was in 2016, when she started researching virtual currencies and blockchain networks. The author believes that blockchain and digital assets can help reshape the world of business and transform capital markets. She shares an opinion with many experts that given governments’ need to tax and to regulate, we must address crypto fraud and digital assets-related criminal activities if we want to protect all crypto value propositions.

The author is an enthusiastic researcher, has 15 years of wide-ranging experience in the financial services industry, and has a keen interest and passion for preventive compliance. Through writing, she expresses and shares her thoughts and ideas with like-minded individuals.

Disclaimer: The views and opinions expressed in this report are solely those of the author and do not represent those of, nor should they be attributed to, ACAMS.


1. BACKGROUND

In this paper, digital assets refer to the use of cryptocurrencies and security tokens. Even though the target audience for this report is expected to have a basic knowledge of a blockchain as an underlying technology for crypto assets, below is a brief history and an overview of the blockchain and its features, risks, and limitations.

1.1 Blockchain: History, Overview, and Main Features

Blockchain is often referred to in the financial services industry as digital ledger technology, or DLT. It was born in response to the 2008 financial crisis and is most widely used for virtual currencies (VCs) such as bitcoin. The creator of bitcoin is an anonymous figure, Satoshi Nakamoto, who in October 2008 published his famous white paper, “Bitcoin: A Peer-to-Peer Electronic Cash System.”4

To create a unique and reliable digital “cash system” was a very progressive idea for a long time before bitcoin, but all prior attempts were unsuccessful due to the problem of double spending. With digital money, transactions could be copied, and funds spent twice, since there was no physical cash. The genius of Satoshi was that he solved the double spending problem through the use of a confirmation mechanism and universal ledger - the blockchain.

The blockchain ledger serves as a virtual record of all transactions on the network stored on multiple computers of trusted participants, the so-called nodes. Anybody with basic computer skills can see the digital footprints of blockchain activity without any restrictions. This type of blockchain network is called public. In contrast, private networks restrict access to this information and who can be a member and transact on a blockchain. All members of a private network are known.

Since nodes can make different entries on a record and no one node can control the information, decentralization is considered one of the blockchain’s main features. It is a revolutionary way for data to be registered when there is no need for validation by a trusted third party.

Another prominent DLT feature is the use of cryptography, a computer-based encryption technique which creates a mathematical proof and provides a high level of security. Parties of cryptocurrency transactions on a blockchain have in their possession private and public keys. A combination of both keys creates a unique digital signature which provides a secure digital identity reference.

Nodes perform validation of a transaction where the public key plays a role as a door-opener to the entire blockchain to participate in digital events. Each event is a piece of information necessary to transact and is presented as a block with a digital signature, timestamp, and any other relevant data. After encryption through cryptography and validation by nodes, data is permanently recorded on a blockchain network, and all records are immutable and sequentially linked. Cryptography and decentralization assure protection of ownership rights and preservation of data in a censorship-free manner.

An essential DLT component is the so-called smart contract, a self-enforced piece of code which assures the execution of a set of transactional instructions on a blockchain network. Smart contracts translate the terms of a transaction and contractual obligations between parties into a digital framework and therefore provide intelligent automation of pre-determined and agreed-upon conditions. One of the biggest creators of smart contracts is Ethereum, a unique cryptocurrency with its own blockchain platform.

1.2 Anonymity and Pseudo-anonymity

A lot of early cryptocurrency developers insisted that privacy was an absolute necessity for an open society in the digital era, and privacy means anonymity. But anonymity is a challenging issue, and even though anonymity is considered the main feature of bitcoin, the most commonly-used cryptocurrency, bitcoin is not as anonymous as many might think.

The blockchain is created through mining, a process through which miners compete to verify each transaction on a blockchain. Whoever solves the mathematical puzzle first will be rewarded with bitcoin. Data recorded on a blockchain is not directly linked to an individual user’s personally identifiable information (PII). This gives virtual currencies a certain level of anonymity and makes it more difficult for law enforcement to identify and track suspicious transactions and connect them to specific users.

When a bitcoin transaction is recorded, it is made public and linked only with a digital address, which makes it impossible for a trade to be traced directly to a buyer. We can view an electronic address as a user’s pseudonym, and if it is leaked (through web trackers, cookies, or other means), his or her identity can be revealed. So, while discussing cryptocurrency anonymity, it is proper to refer to pseudo-anonymity instead. To avoid or reduce the risk of the parties to a bitcoin transaction being linked, participants use different methods: mixing services, additional privacy protections such as CoinJoin, or more anonymous and untraceable cryptocurrencies, such as Monero or Zcash. We will cover the topic of digital transaction anonymity in a later section.

1.3 DLT: Benefits and Money-Laundering Risks

Decentralization, cryptography, and the use of smart contracts have the potential to bring a number of benefits to individuals and financial institutions. As FINRA stated in its DLT report, these new technology systems “represent the potential to create a paradigm shift for several traditional processes in the securities industry through the development of new business models and new practices.”5 Among those prospective advantages of blockchain technology are faster speed, the immutability of records, increased data quality, time-stamped and sequential audit trail transaction records, enhanced traceability of transactions, simplified onboarding, and much more. Also, it is crucially important to highlight that blockchain resolved double spending as one of the biggest problems in the space. However, it is crucial that blockchain benefits be in balance with novelty and the existing risks and limitations of such a new technology.

Digital disruption, as many view blockchain technology, has revolutionary potential to transform financial services and the banking industry. It can address some of the problems of legacy infrastructure, data management, and various weaknesses in different financial processes. But as any disrupter has its consequences, blockchain technology also has its risks and downsides, which cannot be ignored, especially in the area of criminal activities and money laundering. While it is too early for experts to evaluate all the risks presented by innovative blockchain technology and its impact on securities and financial markets, there are significant concerns where the system has several vulnerabilities related to privacy, data security, and cyber risk.

The issue of privacy, and therefore providing appropriate levels of access to different network users, was covered in detail in the report “The Distributed Ledger Technology Applied to Securities Markets” from the ESMA, the European Securities and Markets Authority. It was stated that “the identity of a party to a transaction is in most instances, not public unless legal provision requires the disclosure of this information. Therefore, it is of utmost importance that DLT networks are designed in a way that protects privacy when necessary.”6 Regulators demonstrated the importance of the use of encryption and private keys only by authorized parties for transactions to prevent the risk of illicit activities.


In addition to information privacy, critical consideration should be given to areas of data security and cyber risk, especially given the potential for network user access across borders. Below are the concerns of domestic and international regulators and market participants regarding DLT security:

- How are the cryptographic keys protected from unauthorized access, modification, or loss?
- How is adequate protection against attacks provided?
- If a key is compromised, how will fraudulent transactions be identified and reversed? What party will be responsible for this?
- Who covers the cost of fraud?
- What kind of risk can be presented by a single unsecured node?
- What methods have been considered to enhance the security of assets?7

Issues of data security are crucial to anti-money laundering (AML) and fraud prevention. As indicated in the ESMA report, “in the absence of relevant controls, those risks would be exacerbated as cryptography could be used to conceal identities and undertake fraudulent activities.”8 Customer data security should be a major consideration for any firm joining a DLT network. Issues concerning blockchain, crypto-related crime, and AML, specifically customer identity, risk assessment, due diligence, and the security and confidentiality of customer records and information, will be covered in depth in later sections.

Today, cryptocurrencies are not backed by fiat currencies and, in the opinion of numerous experts, this makes crypto too risky for widespread adoption. Additionally, a significant challenge is that distributed ledgers cannot scale up to achieve an appropriate volume of transactions to compete with existing alternative methods. Lastly, it is worth mentioning that among other unintended risks presented by DLT are issues of governance, custody, interoperability, and use of common standards. However, these are not the focus of this analysis.

As stated above, risks and potential limitations of blockchain as an underlying technology for digital assets-related transactions can be significantly exploited criminally in the nascent but rapidly-growing crypto sector. But this is only half of the problem. To facilitate the laundering of their fraudulent proceeds, criminals use the indisputable benefits of blockchain technology, such as decentralized infrastructure, the pseudonymous nature of transactions, and use of smart contracts. Even worse, illegal crypto-related activity will slow and sabotage the potential advantages of blockchain technology for all of us.

1.4 Digital Assets Marketplace: At a Glance

Now, bad actors and crooks use cryptocurrency as a preferred vehicle to commit money laundering and terrorism financing, resulting in hacking attacks, millions in losses, instability, and potential handicapping of the entire crypto ecosystem. To effectively withstand these types of crime, the number one priority for law enforcement and private sector professionals is to understand its nature, how fraudsters think and operate, why they win, and why we have an explosion of crypto criminal activity.

But before we analyze cryptocurrency-related crime, its anatomy, typology, and complexity and identify it by the numbers, let’s turn first to the current state of the digital asset marketplace and crypto-related regulatory framework. Without this, it is impossible to identify fraud, determine its predicating factors, be objective, and follow the investigative steps necessary to mitigate crime and have the upper hand over fraudsters.

In the eyes of many, cryptocurrencies are the next reasonable development overtaking fiat currencies, and since there is no centralized control entity, this means freedom and change in money, business, and the world. But since the crypto landscape, with blockchain as its underlying technology, is in its early stages, it would be premature to say whether it can bring about a revolution in financial markets or not. One thing is for sure, however: cryptocurrencies and DLT are spreading around the world and making their mark in the finance space!

In 2017, we saw a crypto explosion when Bitcoin (BTC) and Ethereum (ETH) experienced astronomical jumps in value. At one point, right at the end of 2017, bitcoin reached a value just around $20,000. Whether it was an organic development or a fraudulently inflated overall market is a big question! Either way, the once-hot crypto craze became an entirely different story in 2018 and 2019, when cryptocurrencies were traded well below their 2017 values, setting new lows time after time. Until the end of March 2019, BTC was below $4,000, which shook the faith of wallet holders.9

Even though BTC has been in recovery mode since and today is above $12,000, let’s not forget the history lesson. If you look at the crypto stats in the table below, compiled from Statista.com, CoinMarketCap.com and BitcoinMarketJournal.com, there are two prominent and opposing tendencies: a significant drop in bitcoin price and a similar percentage decrease in total market cap, but outstanding growth in the number of crypto exchanges, BTC wallets, and currencies in general. Experts still must explain this phenomenon.

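| Crypto Stats     | 2017             | 2018             | % Change |
|------------------|------------------|------------------|----------|
| BTC Wallets      | 24,000,000       | 32,000,000       | +33%     |
| BTC Price        | $19,783          | $3,769           | -80.95%  |
| Exchanges        | 70               | 200              | +286%    |
| # of Currencies  | 1325             | 2067             | +156%    |
| Total Market Cap | $590,424,775,357 | $127,564,509,853 | -78.39%  |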

At the time of this writing, among 2067 cryptocurrencies, the top three with predominant market capitalization are Bitcoin, Ethereum and Ripple (XRP), with bitcoin taking the lion’s share at 53.52% market dominance. These three have different metrics, characteristics, methods of generation, primary use, and network and protocol types.

Digital currencies today are used for numerous purposes. Market participants can send bitcoins to each other, automate payments in crypto for products and services, and exchange crypto for other forms of digital and/or fiat currency on cryptocurrency exchanges or alternative trading platforms. Participants can also exchange cryptos for a chance of winning more as members of the gaming community or use cryptos to hold value.

Since December 2017, CME and Chicago-based CBOE have been offering their clients bitcoin futures, though they represent only a small percentage of both exchanges’ total product lines. Among the types of companies in the virtual space today are crypto exchanges, alternative trading platforms (ATS), registered investment advisors (RIA), and broker-dealers (BD), each of which supports crypto wallets and accounts. This also includes money services businesses (MSB) and remittance networks expanding into the emerging and innovative cryptocurrency sector, crypto wallet and vault services, online crowdfunding platforms, mining farms, social trading platforms, tumblers and mixers as anonymity-enhanced services, and firms providing miscellaneous support.


In addition to the retail landscape, more and more attention is being given to potential institutional use of digital assets, which is supposed to bring to the crypto space greater trade volume, price enhancement, and a higher sense of legitimacy. Today, there is buzz about over-the-counter (OTC) crypto trading for institutional investors who will have an opportunity to trade directly between each other and not through crypto exchanges.

Another consideration is bitcoin futures trading, which, according to plans, will be provided by the Intercontinental Exchange (ICE), the parent company of the New York Stock Exchange (NYSE) in the first quarter of 2019. NASDAQ also plans to join forces and offer bitcoin future products.

It would not be a fair analysis of the current digital asset marketplace without highlighting Initial Coin Offerings (ICOs) as a new method to raise capital, and especially Security Token Offerings (STOs), which are taking over the emerging cryptocurrency landscape. In the opinion of many financial experts and analysts, security tokens and asset-backed tokens have great potential, especially considering the significant flood of fraud, ill-gotten profits, increased regulatory scrutiny, and enforcement action regarding ICOs.

Token offerings for crowdfunding purposes brought many sleepless nights to investors, compliance professionals, and regulators, since there is far less protection for mainstream investors as compared with conventional securities markets. The co-founder of crowdfunding giant Indiegogo, Slava Rubin, stated in one of his interviews regarding security tokens: “As guidance has become clearer around how to do these offerings legally, there’s been a real shift in the desire for security tokens, as they offer a natural bridge between the crowdfunding element of an ICO and the regulatory clarity of a securities offering.”10

It is also crucial to emphasize that according to the U.S. Securities and Exchange Commission (SEC) and its Chairman Jay Clayton, offerings with the potential for profit based on either entrepreneurial or managerial efforts of other people (the Howey Test) always represent securities and such offerings must be registered.11

Crypto-securities not only have a great future as a new asset class but are going to represent every form of financial asset in the world. As described by Jeremy Allaire, CEO of Circle, a peer-to-peer payments technology company backed by Goldman Sachs, “we are at the very beginning of a ‘Tokenization of Everything’ where every form of asset, every form of value storage, every form of important record becomes a crypto token.”12

1.5 Regulatory landscape

Even though there is increasing guidance on behalf of different regulatory agencies in the US and around the globe regarding crypto assets, still, this area is the most unregulated in the world. Lack of regulations in this space is a big concern considering the possibility of using digital assets to launder money and what impact it could have on mainstream investors. Additionally, crypto assets today fall under differing and conflicting laws and jurisdictions, which present another challenge.

There is considerable confusion regarding who is doing what among regulatory agencies, since it is very debatable how to classify cryptocurrencies: are they securities, commodities, property, or something else? This determines how digital assets are regulated and who will provide the oversight. There are four major regulatory agencies in the US that oversee crypto activity:

1. The Internal Revenue Service (IRS) regulates digital assets as property (taxation can be from simple to very complex and all crypto wallet holders must know their potential tax liability);
2. The Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury, regulates cryptocurrencies as money;
3. The SEC regulates digital assets as securities;
4. The Commodity Futures Trading Commission (CFTC) regulates cryptocurrencies as commodities.

The federal and state laws for cryptos result in very confusing obligations and overlapping rules. Clarity here is essential, because a prohibitive and confusing stance from different regulatory authorities on digital assets can be very expensive for all market participants and, as a result, stifle innovation.

2. DIGITAL ASSETS RELATED CRIME: Stats, Anatomy, and Characteristics

2.1 Identify: Crypto Crime by the Numbers

Digital assets represent opportunities not only for investors and financial institutions. The nascent but rapidly-growing crypto sector, with its lack of regulation and coordination, has attracted a large number of crooks and criminals. Not a day goes by without reports of crypto-related fraud, mining attacks, exchange hacks, digital asset-related scams, or other fraudulent activity. Let’s look at the most compelling crypto-related crime statistics.

In the first-ever quantitative effort to measure the level of criminal bitcoin activity, made by CipherTrace Cryptocurrency Intelligence, 45 million transactions at the top 20 cryptocurrency exchanges globally were analyzed, and 380,155 bitcoins received by those exchanges between 01/09/2009 and 09/20/2018 were directly from illegal sources. Analysis showed that this represents a significant amount of laundered bitcoin with an approximate value at today’s prices of around $2.5 billion. But these are likely only half of all illegal transactions, since criminals are usually very intelligent, motivated, and very proactive in their strategies and how they hide their tracks.13

It is no surprise that 97% of all direct criminal bitcoin payments are sent to unregulated exchanges in countries with weak or non-existing AML regulations. This translates into the fact that crypto exchanges with lacking controls received 36 times more illegal bitcoins.14 Below are some other major highlights of that analysis:

- In the first three quarters of 2018, $927 million of cryptocurrency was stolen by hackers; since the previous report, another $166 million has reportedly been stolen.
- US FinCEN clarified its stance on regulating mixing services and included crypto-to-crypto in its definition of money services businesses, MSBs, that are subject to the Bank Secrecy Act (BSA) rules. It also enlisted the IRS to examine 100% of cryptocurrency MSB transmitters for BSA compliance.
- Opportunities to launder cryptocurrencies will be significantly reduced throughout 2019 and 2020 if cryptocurrency AML regulations are successfully enacted and enforced globally.
- New crypto-related crime threats continue to emerge, including highly targeted mass cyber extortion, SIM swapping, and advanced cyberattacks on exchange personnel.

It is certain that fraudulent activities will continue, and we will

see the emergence of new crypto-related crimes. Compliance

and AML professionals, financial intelligence units (FIUs), and

law enforcement should be very diligent and strive to ensure full

cooperation in their efforts to mitigate VC risks. The primary

focus here is innovation and a proactive approach to prevent

criminal activity. But first and foremost, we must have a precise

level of understanding about the nature of digital asset-related

crimes, their types, anatomy, characteristics, criminal sources,

economic effect, and what motivates criminals and what their

exit strategies are.

2.2 Generic Level of Crypto Fraud: Anatomy, Perspective,

and Driving Force

Crypto-related fraud is a crime and should be understood on two

levels: the generic level and the specific level. Like any other crime, crypto crimes share similar traits,

characteristics, warning signs, and methods. And even though there are some differences, due to specifics

between digital criminal activities, they are all contingent upon five common elements:

Integrity

Opportunity

Incentive, motivation, or pressure

Rationalization or attitude

Capability15

Analyzing crime on the generic level is not our focus, but if we want to have the upper hand over

fraudsters, we must know crime basics and understand how they are connected. It is imperative to stress

that the opportunity to commit fraud is ‘the driving factor,’ and without opportunity, a criminal scheme

cannot be successful. Of course, the ‘excellence’ of a crime is a combination of all five elements: the

individual’s integrity is affected by rationalization or pressure plus an opportunity plus the capacity of a

person(s), all of which combine when being in the right position at the right time and having the skills

needed to perpetuate the fraud.16

As for opportunity, good fraudsters are very patient and methodical in studying the system, its risk

factors, and its vulnerabilities. They are brilliant in their efforts to exploit those vulnerabilities and they

develop their plans and methods accordingly. They are also very good at understanding the specific

criminal activity they want to engage in and its variations which can be least detected. In general,

fraudsters look for the following organizational vulnerabilities:


Poor tone at the top/Weak ethical culture

Lack of adequate internal controls

Poor training

Poor supervision

Ineffective anti-fraud programs, policies, and procedures17

It is extremely important for all AML and FIU professionals to understand this, because small-scale

crypto crime often goes undetected as a result of weakness in the financial institution system, and it can

be committed repeatedly, since fraudsters adapt their actions when necessary, trying to avoid detection.

Sooner or later, this can turn into the whole crypto-crime machine, draining our resources, and with an

effectively implemented exit strategy, they are gone at the first signs of being detected. In such scenarios,

we are at a loss: fraudsters disappear, and the game is over.

Of course, in order not to lose a battle and win a war—yes, it is a war(!)—we cannot just hope that bad

guys will make a mistake, use poor judgment, disregard the warning signs, or not follow their exit plans.

Criminals, especially crypto criminals, are very disciplined, technologically advanced, extremely

motivated by greed, very proactive, and have a different perspective than we do. They know their

‘opportunities’ and how to manipulate the system.

Our disadvantage is slow adoption due to budgetary limits, privacy concerns, and regulations that are

reactive in nature. All of this interferes with forward-thinking and proactive methodologies for assessing

fraud and monitoring and detecting it. But most important is that reactive approaches will continue to

hold us back and do not allow us to follow our current compliance and fraud perspective effectively. This

prevents us from developing winning strategies, implementing necessary changes, and being very

adaptable.

Today, our compliance and fraud perspective, and therefore the focus of any financial institution

compliance department, AML, or FIU division, is ‘timely’ identification of and reporting on suspicious

activity, satisfying regulators and protecting the reputation of the financial institution. But, in our opinion,

this is no longer enough if we want to be proactive in fighting and winning against crypto fraud.

The new approach should be a combination of reactive, which we do well, and proactive, where we

should have a better understanding of law enforcement’s perspective - developing evidence to support

criminal prosecutions. We should be concerned with sending bad guys to jail(!), because if we do not,

they will be back with a vengeance! And the core point here is to realize that no one financial institution

exists in a vacuum, and both private sector and law enforcement are responsible for protecting our

financial system and our customers from fraud and money laundering.18

Talking about crime in general, the success of any scheme lies in the ability for fraudsters to safely

launder ill-gotten profits. That is why any discussion of crypto-related crime must include money

laundering and the connection between it and fraudulent activity. But this should be approached from a

different perspective considering that crypto-related crime is all about innovation, as opposed to financial

services institutions, which “tend to operate in their safety zones, and frequently, innovation falls outside

the institutional safety zone. As a result, there is little incentive to develop innovative techniques to fight

fraud and money laundering.”19


As AML professionals and members of the financial

intelligence community, we must remember that reactive

transaction monitoring and fraud detection as an acceptable

norm result in criminals having a considerable advantage.

Consequences can be devastating, since crypto-related

criminals of all types will continue exploiting vulnerabilities

in the U.S. and global financial system. Fraud compounded

greatly can have a long-lasting and multi-dimensional

negative effect. Just remember our last financial crisis, in

which “to a great extent, fraud was the root of the problem

that caused the economic distress we experienced.”20

Again, to Deter, Detect, and Defeat potential crypto-related

activity, we must intersect fraud and money laundering and

view this intersection as a focal point of fraud compliance and investigation. One of the major

components in this is an understanding of crypto-related crime on a specific level, timely assessment of

its immediate and strategic risks, and how the finances of fraudulent crypto activity flow through financial

institutions. We will cover this in detail later in the paper.

2.3 Characteristics of Digital Currencies Preferred by Criminals

Considering that a person’s digital footprint is almost always trackable, and it is much easier not to leave

a trail with dollar bills, why are cryptos so attractive to fraudsters? The answer is in specific

characteristics of digital currencies based on the underlying blockchain technology. Below are some of

those characteristics preferred by criminals:

Replacing a person’s details by their account keys

Ability to transfer value cross-border

Medium of exchange (crypto-to-crypto, crypto-to-fiat, fiat-to-crypto)

Potential for enhanced anonymity

Irreversible nature of crypto transactions

Secure alternative to wire transfers providing much faster transfer than the old legacy systems

Financial security (highly regarded by fraudsters)

Protection against theft, fraud, and lawful seizure

Blockchain forks – transactions being voided after users thought they had been completed

2.4 Crypto Fraud in Motion: Types of Crimes

The above characteristics of blockchain technology are ingeniously exploited by crypto criminals, who

are getting more and more sophisticated every day. Cryptocurrency-related fraud continues to plague

public and private organizations and has received a considerable amount of attention. Given a significant

influx of crypto wannabe millionaires, this destroys the confidence of bitcoin users and gives digital

currency a bad reputation and a negative public perception. Lack of specific regulations makes financial

institutions involved in crypto assets a potential haven for fraudsters, and that is why effective fraud

prevention begins with clearly defined typologies. Below are the most compelling crypto-related crimes

and crime types.


CRYPTO EXCHANGE HACK

Growing global demand for cryptocurrencies has resulted in larger numbers of exchanges in different countries

around the world. They hold their own different cryptos for principal trading and funds for private investors. It is no

surprise that these services attract numerous crypto criminals and hackers. Among the biggest crypto robberies was

the attack on the Japanese cryptocurrency exchange Coincheck in January 2018, where account holders lost over

$533 million worth of NEM tokens. Soon after the hack, criminals laundered an estimated $79.3 million through the

dark web. At least one good thing came as a result of that hack: Japanese regulators “ramped up” their oversight and

announced that licensed trading platforms would form a self-regulatory organization (SRO) which, if approved, would

have enforcement power over its members.21

The second most-famous crypto bloodbath is the hack of another Japanese exchange, Mt. Gox, in 2014, with a loss

of 850,000 bitcoins, worth around $500 million, and approximately $28 million in cash stolen from the exchange’s

bank accounts. At the time the world’s largest crypto exchange, Mt. Gox declared bankruptcy.22

In general, any trading networks with holders of crypto assets are the primary target of hackers. They use crypto

exchanges to turn their ill-gotten profits into Bitcoin and Ether and then through multiple conversion transactions

change whatever cryptos they steal into a fiat currency of choice, for example, Colombian pesos, to deposit into

Colombian bank accounts to support illicit activities and money laundering.

Crypto exchanges around the world have different onboarding protocols as a result of different AML regimes. Some

exchanges also vary in how they update their database for ongoing screening and monitoring existing customers. If

we want to deter and prevent criminal activity, we must use all possible preemptive measures, including “blacklisting”

the stolen funds, having a very productive partnership with law enforcement, and remembering that exchanges are

the greatest source of crucial data on potential suspects. This will help us to work with local authorities and create a

secure environment with proactive monitoring and screening of user identification.

It is important to emphasize that according to a Europol 2018 IOCTA report, “it is not only the funds these entities

hold that are sought after, customer data is also targeted. Such data can be used to further fraud, including phishing

customers for their account login credentials and subsequent currency theft.”23 There is a specific anatomy for a hack

covering different areas which are supposed to be addressed in enterprise-wide risk assessments. This will be

included in our analysis later in this paper.

CRYPTOJACKING

As a new trend in cybercrime, this is a growing problem in the digital ecosystem. The aim for fraudsters is to use the

computation power of a victim’s computer to mine cryptos. The issue here is that due to the low impact on victims,

there is a relatively small number of complaints. However, this type of crypto fraud cannot be underestimated, since

criminals have to launder those illegally-mined profits. It is expected that cryptojacking will lead the 2019 list of all

major crypto-related crimes.

DARKNET/ONLINE CRIMINAL MARKETS

Today, criminals have moved from offshore accounts to cryptocurrency wallets on the web and are very comfortable

with it. After the famous case of Ross Ulbricht (Dread Pirate Roberts) and The Silk Road website, which used bitcoin

as its main currency for buying and selling drugs, weapons, and other illicit products and services, the reputation of

bitcoin was significantly damaged. Since then, shutdown of another three major Darknet marketplaces in 2017 and a

growing number of smaller alternative crypto platforms and networks further tainted the reputation of cryptocurrency.

51% ATTACK (DOUBLE SPEND ATTACK)

In simple terms, the primary condition for a 51% Attack to succeed is hackers owning more than 50% of the entire

network mining power (hash rate). Through governance of the whole chain, they can create new “blocks” based on


previous “blocks” and therefore have two separate versions of the same blockchain. If a single entity/node controls

the majority of a network, they will decide which transactions get approved or not, reorganize the blockchain, and

possibly reverse some of the transactions, resulting in a double-spend. The receiver thinks that he/she is already

paid but it is not the case.

Among the most famous 51% attacks are the case of the ZenCash network, in

which a massive double spend was worth around $550,000, and the latest 51%

attack on Vertcoin.

Double-spend attacks remain a significant vulnerability for some cryptocurrencies.

The irony here is that Bitcoin was given credit for its high level of security and

solving of the double-spend problem. It is a security flaw that doesn’t belong to

the bitcoin network.
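
The role of the 50% threshold described above can be made concrete with the catch-up calculation from section 11 of Nakamoto's Bitcoin paper. This is an added example, not part of the white paper; the function names are chosen for this illustration. It shows how many confirmations a receiver (for example, an exchange crediting a deposit) needs before a reversal becomes improbable, and why no number of confirmations is enough once one party holds a majority of the hash rate.

```python
import math
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability that a party holding share q of the network hash rate
    ever replaces the public chain after the receiver waited z confirmations.

    Follows the Poisson/gambler's-ruin calculation in the Bitcoin paper.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")

    p = 1.0 - q  # share held by everyone else
    if q >= p:
        # Half or more of the hash rate: the private chain eventually
        # overtakes the public one, however long the receiver waits.
        return 1.0
    if z == 0:
        # Zero confirmations: nothing has to be overtaken.
        return 1.0
    if q == 0.0:
        return 0.0

    lam = z * q / p  # expected blocks found privately while z public blocks appear
    ratio = q / p
    total = 1.0
    for k in range(z + 1):
        # Poisson(k; lam) computed in log space so large z does not underflow.
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        poisson = math.exp(log_poisson)
        # (q/p)^(z-k) is the chance of closing a remaining deficit of z-k blocks.
        total -= poisson * (1.0 - ratio ** (z - k))
    return max(0.0, total)


def min_confirmations(q: float, risk: float = 0.001,
                      max_z: int = 1000) -> Optional[int]:
    """Smallest confirmation count that keeps reversal probability below
    `risk`, or None when no count up to max_z achieves it (always the case
    for q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if catch_up_probability(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    print("hash share  confirmations for <0.1% reversal risk")
    for share in (0.10, 0.20, 0.30, 0.40, 0.45, 0.51):
        needed = min_confirmations(share)
        label = "never safe" if needed is None else str(needed)
        print(f"   {share:4.2f}      {label}")
```

The required depth grows steeply as the share approaches one half, which is why low-hash-rate networks are the ones where reorganizations are practical and where deposit confirmation policies need the most margin.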

MONEY-LAUNDERING MIXING SERVICES

As we explained in an earlier section, bitcoin transactions are pseudo-

anonymous, and it is not difficult to identify their parties. That is why smart

criminals use sophisticated money-laundering mixing services (tumblers) or

cross-currency flip services to hide their tracks and avoid being traced. Dirty

coins are kicked back and forth between different digital addresses, split up in

the process across multiple transactions, mixed with legitimate funds, and

recombined in the full amount via wallets on the dark web.

As a result of mixing and tumbling, the original ‘dirty’ coins become ‘clean’ and are deposited in an account on a

cryptocurrency exchange. Cross-currency flip services work differently, and even though they are used for legitimate

purposes (they can flip Bitcoin into, for example, Ethereum or any other cryptocurrency and then convert it back into

Bitcoin), that flip is very difficult to track. It is essential to understand that even though mixers, tumblers, and cross-

currency flips can be useful, most of them have serious security limitations and therefore they are not the most

reliable with respect to their money-laundering capabilities.

PRIVACY-ORIENTED CURRENCIES

Today, more and more criminals use privacy-oriented cryptocurrencies like Monero, Zcash, and Dash. Jarek

Jacubchek, a cybercrime analyst at Europol, explained in an interview to Business Insider: “We can see a quite

obvious and distinct shift from bitcoin to cryptocurrencies that can provide a higher level of privacy.”24

These bring an enormous headache to law enforcement and regulators. The challenge here is that since transactions

cannot easily be linked to individuals, it limits one’s ability to monitor transactions for potentially suspicious activity

and collect evidence of fraud, and different exchanges and platforms, especially those that are unregulated, provide

little cooperation with law enforcement. Privacy-based cryptos listed on formal exchanges require additional

legislation and regulatory actions. They continue to grow tremendously in popularity and are expected to replace

dedicated mixing services.

CYBERCRIME

Digital assets exist in the digital world, and because there is no physical location connected to a crypto wallet,

cryptocurrencies are a preferred type of payment and extortion mechanism for cybercriminals.

ICO/ISO SCAMS

Today, digital currency scams are the top priority for the SEC, especially ICOs, due to their unregulated nature.

Issuers are crossing regulatory red lines by selling unregistered securities and conducting unregistered offerings. The


SEC has opened numerous investigations to reduce fraud in the crypto and DLT space. Since the Agency views

digital assets as securities, it levies its fraud charges using existing laws that regulate traditional investments. In

addition to tough enforcement actions, the Commission requires that issuers have proper broker-dealer licensing to

offer tokens.

As of now, there is no formal U.S. regulatory framework which focuses specifically on cryptocurrencies. In addition to

the above-stated major crypto crimes, there are other digital asset-related problems:

Cryptocurrency Tax Fraud and Unreported Taxable Gains

Fraudulent activity promising fast return and defrauding of unsuspecting investors of their money

Bogus Bitcoin investments

Mobile App massive hacks

Bitcoin-to-fiat exchange fraud

Operating unregistered securities exchanges and alternative trading platforms

Death threat email scams in exchange for virtual currency

Twitter crypto scams

Misleading cryptocurrency marketing

So, with cryptocurrencies gaining more and more acceptance by financial institutions, how can we weed

out crypto criminals and make our digital currency ecosystem a better place for everyone?

3. RISK ASSESSMENT

3.1 How Financial Institutions Should Approach Crypto Compliance

Considering crypto compliance is in its early stages, it is not surprising that financial institutions that deal

with crypto assets do not maintain a strict regulatory framework. Among other things, this includes

facilitating digital asset transactions domestically and internationally. The gaps in compliance and

transactional policies, and financial institutions working in silos, result in growth in crypto crime. Those

major factors might slow massive adoption of digital assets and challenge the promotion of capital formation

and successful growth of the crypto economy both in the US and on a global scale.

To bridge crypto and fiat currency in a compliant manner and access large-scale global liquidity, we must

first and foremost assure investor protection from the fraudulent activity of crypto criminals, do it very

proactively, and be very dedicated. Additionally, we should pursue a combination of legislative and

technological developments and welcome cooperation between international law enforcement agencies

and the private sector, promoting the idea of a global crypto-related regulatory protocol.

Besides, while venture capitalists are having a fresh look at the crypto sector and assessing fundamentals,

we should have compliance courage and challenge the existing typology-driven transaction monitoring

methods which have been used for years. In the eyes of many, they are ineffective and create too much

ambiguity, which will be a massive problem for digital asset compliance and fighting crypto fraud due to

the presence of so many unknown variables.

We cannot afford subjectivity, especially concerning our obligations to SAR filing for potentially

suspicious activity. And here is where the necessity of mandatory adoption of emerging technological

solutions will help FIs to address regulatory challenges in the crypto space and provide practical


intelligence for crypto-related AML monitoring, investigation and compliance, as well as a holistic

approach towards the risk assessment and risk management.

Among those solutions are advanced analytics, machine learning, cognitive computing capabilities,

blockchain ID protocol, automated entity resolution, big data architecture, visual investigation tools,

modern graphical processing units (GPUs), advanced statistics, and other innovations.

Artificial intelligence should go hand-in-hand with human intelligence, so that we are well-equipped to

“go all in” in our efforts to be fully compliant with all required regulations. We will ensure appropriate

global Know Your Customer (KYC) and Know Your Business (KYB) protocols, as well as robust cross-

border AML compliance. Using all available tools will result in the seamless trading of cryptocurrencies

and movement of tokens.

3.2 Risk vs. Uncertainty

Without a doubt, if we want to be in the digital assets business, we will be exposed to threat. The riskiest

is always what we don’t know, don’t expect, and therefore are not prepared for and have no contingency

plan to address. Uncertainty can kill us, and if the risk analysis is primarily concerned with what

happened in the past, it is not proactive. It shouldn’t be only about exercising a risk-based approach which

makes threats predictable, either.

As stated earlier, it is about combining reactive and proactive approaches together with the technological

disruptors in a very dynamic and progressive manner and structuring our compliance thinking along a few

dimensions, with a major focus on the areas of highest uncertainty and vulnerability as a part of an

enterprise-wide AML risk assessment. This will afford us a diverse perspective on digital asset-oriented

products, financial crime and money laundering risks, and AML expectations and requirements.

It is important to emphasize that risk assessment is the core and backbone of any effective and robust

compliance program. It helps FIs identify areas of significant risks and set up policies and procedures

tailored specifically to address those risks.

Risk assessment determines how adequately we address specific risks we are facing and should be used in

multiple tiers of our decision-making process. It should be conducted on an ongoing basis and reassessed

at least every 12 to 18 months, or sooner if there are any changes of a material nature. Also, the internal

audit department should do a thorough review of the risk assessment process and any changes or

revisions. Risk-based decisions can be very beneficial only if they are based on a robust risk assessment.

It is crucially important, considering that one component of our perspective as a financial institution is to

satisfy the regulators.

An area where financial institutions are most vulnerable concerning a potential crypto risk of money

laundering is at the stage when fraudsters are trying to convert their bitcoin into fiat currency. This stage

we can control, at least in the U.S., where there are robust AML and KYC protocols.


In the 1980s, Dennis M. Lormel, a recognized AML and terrorist financing subject matter expert, introduced

his ‘fraud continuum,’ which perfectly illustrates how the five elements of fraud we covered earlier are

connected and influence a criminal.25

The continuum is the intersection between integrity (horizontal line) and opportunity (vertical line) and

illustrates four quadrants. It will help us to better understand risk scoring regarding crypto accounts. The

bottom of the opportunity line represents limited opportunity, while north of the line is a high level of

opportunity. Similar is the integrity line: limited integrity is on the far-left side, and high integrity is on

the far right.

The lower-right quadrant (green) is where integrity is high and opportunity is low, and this is the least of

our worries, because people in the green quadrant are least likely to commit fraud. The top-right and lower-

left quadrants represent moderate risk, and top-left (red) is high risk, where the combination of pressure,

rationalization, and capability as crime elements most influence an individual’s integrity.26 Of course, this

is the area of most uncertainty and, without a doubt, the most significant compliance and AML challenge.

We can, and we should, be a step ahead of the crypto criminals. To do this, we should think like

fraudsters (the old wisdom!), especially in assessing crypto risks. Since the significant risks of digital

asset-related activity are unknown, and we all fear the unknown, we should treat uncertainty with the

utmost respect and attention and give this matter some legitimate precision in better understanding risk vs.

opportunity.

Dealing with risks and uncertainties in the most effective way is a part of any financial institution’s

proactive risk assessment. The table below presents the main characteristics of uncertainty vs. risk, which

we all should be aware of to better understand crypto asset-related transactions:27


RISK | INDICATOR | UNCERTAINTY
Predictable | Nature | Unpredictable
Slow & Optimal | Tempo | Fast & Acceptable
Command & Control | Organization Structure | Distributed power
Transactional | Management | Cultural
Compliance | Organization Behavior | Cooperation
Efficiency | Strategy | Capabilities

3.3 Uncertainty Management: Foundation for Proactive Compliance Program

Having virtual assets as part of a financial institution’s business model, we are facing numerous risks—

simple and complex—and should address all of them, being very forward-thinking regarding unexpected

problems and vulnerabilities.

Before we cover and assess major inherent risks, we should define what risk is. Risk is the sum of

vulnerability (weakness in an existing system) and threat (likelihood of an event occurring). Risk must be

managed by accepting, mitigating, eliminating, transferring, or avoiding.

The areas where the most vulnerabilities for a financial institution may reside are Denial, Dilution, Detail-

oriented, Detachment, and Disgrace. These are the so-called 5 Cultural Sins:

Denial: Overconfidence; Fear of bad news

Detail-oriented: Procedure driven

Disgrace: Gaming

Dilution: Unclear appetite/thresholds; Poor communication; Weak risk ownership

Detachment: Indifference

Vulnerability + Threat = Risk

Vulnerability: A weakness in an existing system

Threat: Likelihood of an event occurring

Risk: Risks must be managed by accepting, mitigating, eliminating, transferring, or avoiding


Each firm involved in crypto-related business must have a protocol to identify vulnerabilities and threats,

especially since crypto risk goes hand-in-hand with cybersecurity risk.

The #1 problem with risk assessment is having a very narrow approach and not focusing on the big

picture. The five cultural sins remind us that most financial institutions are characterized by being

overconfident (number of enforcement actions and fines!) and procedure driven. Other areas present risks

and vulnerabilities which often are not our focus. Those other ‘sins’ must be at the center of our attention

in regard to risk assessment, where we should have a clear understanding of a financial institution’s risk

appetite and thresholds, who is responsible for what, and who can address on an enterprise-wide level the

issues of risk ownership.

Also, since some of the crypto-related risks are in direct relationship with cyber risks, similar security

guidelines for how the private sector should assess and improve their ability to detect, respond to, and

prevent crypto crimes should be applied:

• Identify – risk assessment and risk management strategies;

• Protect – identity management, access control, data security, training;

• Detect – running table-top exercises for anomalies and being sure that systems are up-to-date;

• Respond – know what we are doing in case of crypto events, including response planning, communication, analysis, mitigation, and improvement;

• Recover – how we should rectify the situation according to recovery planning;

• Consolidate – how to reflect all illicit crypto events in the journal and not to lose institutional memory.

The first two categories— ‘Identify’ and ‘Protect’—are those where financial institutions have their main

focus. Other groups are most vulnerable and should be part of market participants’ holistic approach to

risk and risk assessment.

3.4 Virtual Currency Specific Risks

According to a study by the European Banking Authority (EBA), approximately 70 identifiable risks arise

from crypto activities, covered by the following five major categories:

Risks to users;

Risks to non-user market participants;

Risks to financial integrity (money laundering and other financial crime);

Risks to existing payment systems;

Risks to regulatory authorities 28

Figure 2 below illustrates those risk categories, provides risk descriptions for numerous VC activities, and

identifies different contributing drivers for these risks. Again, as we have stated above, all of those

risks(!) should be addressed by FIs.

Considering the complexity of the potential threats and a broad range of causal risk drivers, this is crucial

to assure robust monitoring and reporting of potentially suspicious activity, protecting a financial

institution’s reputation and satisfying regulatory requirements. With digital asset-related products and

services and a lack of formally defined guidance, this might be very challenging.

Figure 2 [29]

Figure 2 (continued)

3.5 AML Risks and Audit Risk Model

The best way to understand the fraud crime problem and its risks is through the audit risk model for AML

risk assessment, consisting of two essential elements: (1) quantity of inherent risk (the risk before controls

are applied): customer risk, product risk, geographic risk; (2) quality of risk mitigation: detection and

monitoring risk, identification and verification risk, compliance risk, and regulatory/prior audit risk.

Inherent risk is reduced by control effectiveness and results in residual/AML audit risk, i.e., the risk that

remains after preventive methods of control are applied.[30]

AUDIT RISK MODEL:

3.6 Customer Risk

Customer risk is a major inherent risk for each financial institution and a central piece of the entire AML

compliance program and customer due diligence. It is risk associated with customers and/or businesses

due to the nature of their business, occupation, size, legal organization, or anticipated transaction activity.

Customer risk is a significant potential risk during the money laundering layering or integration stages.

Usually, higher risk customers arise when financial institutions and legal vehicles (e.g., offshore banks,

trusts, and private investment companies) offer confidentiality and intermediary services. This is

especially important in connection with crypto assets.

There are three major reasons why addressing customer risk should be our focus: KYC failure can result

in non-compliance, financial loss, and reputational loss. To mitigate customer risk, first and foremost,

financial institutions should adopt account opening procedures that allow them to determine the true

identity of a customer and to develop an understanding of normal and expected activity for a given

customer’s occupation or business operations. They also should set identification standards customized to

the risk posed by a particular customer. This is a standard protocol.

It is also a general financial industry approach that customer risk rating models, as a part of enterprise-

wide risk assessment, play two significant roles:

1. It is a consistent method for differentiating among individual risk areas (ex: types of accounts):

Low risk:

a. Resident Consumer Account

b. Nonresident Alien Consumer Account

Medium risk:

a. Small Commercial/Franchise Business

b. Consumer Wealth Creation

High risk:

a. Nonresident Alien Offshore Investors

b. High Net Worth Individuals

c. Multiple Tiered Accounts

d. Offshore & Shell Companies

2. It determines the level of due diligence required:

Low risk (‘simplified’ or ‘standard’ due diligence)

Medium risk (‘simplified’ or ‘standard’ due diligence)

High risk (‘enhanced’ due diligence)

Prohibited customer

Digital assets, with their unique and complex nature, nascent history, and tainted reputation, add a

modern-day twist to the Placement—Layering—Integration (PLI) model and therefore should be viewed

differently when assessing customer risk. Today, drug lords can do their bad deeds without banks and fiat

currency. Dealers on streets have moved online, use cryptos to buy drugs from anonymous sellers, and

distribute them to anonymous buyers through different online illegal underground markets.

Parties of a transaction don’t know each other, and here, virtual assets present a tremendous challenge and

cause the most risk. The worst part is that criminals often prefer to deal with numerous legitimate vendors

accepting bitcoins and, in these cases, there is no need to convert them into fiat currency to spend their

illicit profits. Some of those legitimate retailers and service providers may be customers of the financial

system.

In a conventional risk-based approach, as you can see from the chart below, customer risk rating models

allow us to compare customer risk versus different methods of due diligence and suspicious activity

monitoring. Among those methods are basic profile/generic threshold monitoring, unique profile specific

to products and services used by a customer, source of wealth and financial statements, and customized

transaction profile with tailored monitoring against transaction profile.

As stated in the Federal Financial Institutions Examination Council (FFIEC) Manual, FIs should ensure

regular suspicious activity monitoring and customer due diligence. “If there is an indication of a potential

change in the customer’s risk profile (e.g., expected account activity, change in employment or business

operations), management should reassess the customer risk rating and follow established bank policies

and procedures for maintaining or changing customer risk rating.”[31]

On May 11, 2018, FFIEC updated its customer due diligence examination procedures to reflect FinCEN’s

CDD Rule. Those updates dictate establishing and maintaining a risk-based approach to CDD and EDD

and emphasize that “improper identification and assessment of a customer’s risk can have a cascading

effect, creating deficiencies in multiple areas of internal controls and resulting in an overall weakened

BSA compliance program.”[32] This brought expanded obligations for AML compliance departments and,

given budgetary constraints, presents a real challenge, especially in the crypto space with its workflow,

speed, and transnational nature.

Considering the above factors, we should put a different spin on standard risk-based approaches in

connection with crypto assets. This is especially important if we want to use in our assessment the five

elements of fraud and how they are interrelated, knowledge of current crypto fraud uncertainties and

vulnerabilities, and the lack of financial institutions’ “reactive” crypto compliance experience.

Among customer risk metrics should be those which address a customer’s past or expected crypto

activity, level of knowledge, experience, goals, a percentage of income or total assets derived from crypto

transactions, understanding of crypto tax liability, and risk appetite. This is nothing more than a Risk

Profile, which broker-dealers and wealth management professionals have been following for years as part

of suitability requirements.

The risk profile is viewed as a baseline for diligence and monitoring. Of course, to assure data quality,

speed, and transparency, we must deploy the most advanced technological tools for intelligence gathering,

which will help to aggregate and correlate different metrics, identify suspicious addresses and crypto

wallets, and therefore help AML and FIU officers to quickly assess risk and calculate risk levels, collect

evidence, and file a SAR if warranted.

As with past activities, all crypto-related financial services of a potential customer should be identified:

crypto exchanges, ICOs, cryptocurrency hedge funds, MSBs, ATMs, credit unions, banks, gambling

services, and alternative trading platforms. Using advanced tools, we should be aware if those services are

associated with any known criminal organizations or criminal activities. Concerning expected activity,

there should be a very detailed questionnaire including types of activity, names of potential vendors (if

known), an approximate number of monthly conversions/transfers, anticipated geolocations, especially

cross-border, and other characteristics.

Vigorous customer profiles will help compliance departments to better vet new customers, their past

financial history, the sources of funds, and help not only predict the types of transactions in which a

customer might be engaged but understand a customer’s relationship with the FI and help to separate

customers posing the highest risk. As a result, this will give us a better stance with regulators,

especially given our expanded responsibilities in line with the FinCEN CDD Rule.

Now, let’s assume the worst-case scenario, that each customer with a crypto wallet, regardless of who that

customer is, sooner or later will be involved in a ‘fraudulent’ activity, either intentionally or by

negligence, lack of understanding of how digital assets work and their liabilities, improper valuation of

suitability, risk profile, or any other reason.

So, to all customers we assign a high risk right from the start, and all of them are in a red quadrant, at

least for the next 60-90 days (or more) as a test period. This time will not only give us an advantage in

better ‘learning’ a customer but allow us to closely review customer connections and relevant personal

and business dealings.

The risk remains elevated as we continue monitoring each account and conducting Enhanced Due

Diligence (EDD), as required for all high-risk customers. There should be separate EDD policies and

procedures customized to address specifics of virtual asset-related activity, and until FIs become more

familiar with the typical events of cryptocurrency transactions, we should closely monitor those

accounts/wallets.

Then, we follow the FFIEC manual, and if there are no indications of any suspicious activity, we make a

change in the customer’s risk profile and move a customer from the high-risk quadrant to a moderate risk

quadrant. To adjust risk further to a ‘low’ level, it will take additional monitoring. We will continue

further with standard segmenting by customer, behavior, and account activity. The entire process we call

‘reverse’ risk assessment.

Types of accounts which represent high risk by default, regardless of reverse risk assessment—

nonresident alien offshore investor, high net worth individuals, multiple tiered accounts—cannot be

moved to a medium risk category after an initial test period, even though there is no unexpected or

unusual activity. They should stay in a high-risk group for the remainder of the account lifecycle, and

those customers should be reviewed more closely at the account’s opening, and their activity should be

more frequently monitored throughout the whole duration of the relationship.

Even though all digital asset holders are assigned as high-risk, there are different levels of high-risk

customers based on some other metrics (product risk, geographic risk… etc.) and, therefore, different

levels of EDD should be applied. Examples of further segmentation of the high-risk customer pool might

be High-Low, High-Medium, or High-High, where the difference is based on how often a customer’s

account is reviewed.

Reverse risk assessment is a novel approach, and even though it puts us in a position of constant alert, it

gives AML and FIU professionals higher odds to detect activity not in line with the customer’s needs and

expectations, and it allows them to be more vigilant, learn on the go, and will yield better results in crypto

fraud detection.
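
The reverse risk assessment described in this section, written out as an added Python sketch (it is not code from the paper or from any vendor). The 90-day test period is the upper bound of the paper's "60-90 days"; the 180-day additional monitoring window, the 0-2 risk scale, the review intervals, and the rule that a suspicious indication restarts the clean period are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Account types the paper keeps in the high-risk group for the whole lifecycle.
DEFAULT_HIGH_TYPES = frozenset({
    "nonresident_alien_offshore_investor",
    "high_net_worth_individual",
    "multiple_tiered_accounts",
})

TEST_PERIOD_DAYS = 90        # paper: "60-90 days (or more)"; upper bound used here
EXTRA_MONITORING_DAYS = 180  # assumption: the paper says only "additional monitoring"

# Assumption: review cadence in days. The paper says only that the high-risk
# sub-tiers differ in how often the account is reviewed.
REVIEW_INTERVAL_DAYS = {
    "High-High": 30, "High-Medium": 60, "High-Low": 90,
    "moderate": 180, "low": 365,
}


@dataclass
class CryptoCustomer:
    customer_id: str
    account_type: str
    onboarded: date
    product_risk: int     # assumed scale: 0 = low, 1 = medium, 2 = high
    geographic_risk: int  # same assumed scale
    # Dates on which monitoring raised an indication of suspicious activity.
    indications: List[date] = field(default_factory=list)


def high_subtier(c: CryptoCustomer) -> str:
    """Segment the high-risk pool by the worst of the other inherent risks."""
    worst = max(c.product_risk, c.geographic_risk)
    if worst not in (0, 1, 2):
        raise ValueError(f"risk score out of range for {c.customer_id}")
    return ("High-Low", "High-Medium", "High-High")[worst]


def reassess(c: CryptoCustomer, today: date) -> Tuple[str, Optional[str], str]:
    """Return (rating, high-risk sub-tier or None, reason) as of `today`."""
    if today < c.onboarded:
        raise ValueError("assessment date precedes onboarding")
    # Default-high account types never leave the high-risk group.
    if c.account_type in DEFAULT_HIGH_TYPES:
        return "high", high_subtier(c), "default-high account type"
    # Assumption: any indication restarts the clean-monitoring clock.
    seen = [d for d in c.indications if d <= today]
    clean_since = max([c.onboarded] + seen)
    clean_days = (today - clean_since).days
    if clean_days < TEST_PERIOD_DAYS:
        reason = "indication restarted test period" if seen else "initial test period"
        return "high", high_subtier(c), reason
    if clean_days < TEST_PERIOD_DAYS + EXTRA_MONITORING_DAYS:
        return "moderate", None, "clean test period completed"
    return "low", None, "clean additional monitoring completed"


def next_review(c: CryptoCustomer, today: date) -> date:
    """Schedule the next account review from the current rating or sub-tier."""
    rating, tier, _ = reassess(c, today)
    return today + timedelta(days=REVIEW_INTERVAL_DAYS[tier or rating])


if __name__ == "__main__":
    # Constructed sample customers, not real data.
    sample = [
        CryptoCustomer("C-001", "resident_consumer_account", date(2024, 1, 1), 1, 0),
        CryptoCustomer("C-002", "high_net_worth_individual", date(2020, 1, 1), 0, 0),
        CryptoCustomer("C-003", "resident_consumer_account", date(2024, 1, 1), 0, 2,
                       [date(2024, 3, 20)]),
    ]
    as_of = date(2024, 4, 15)
    for cust in sample:
        print(cust.customer_id, reassess(cust, as_of), next_review(cust, as_of))
```
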

3.7 Product Risk

While evaluating customer risk vs. due diligence and suspicious activity monitoring, we use different

methods of review, follow-up, and tracking based on account types. Among those methods is a profile

specific to products and services used by a customer, and even though used predominately in connection

with medium and high-risk accounts in a standard risk-based approach, this should be considered for all

types of crypto customers, at least during the initial test period. Of course, all of this will depend on the

complexity of each financial institution’s business model, risk appetite, and resources available for anti-

money laundering compliance and financial intelligence support.

Product risk should be reviewed for relative importance to other risks and in the management of the entire

risk profile of the business. When different risk categories are summed up, it gives a 360-degree view of a

customer’s risk profiles. The more high-risk products a financial institution offers, the higher its risk

rating should be. And this is the case with virtual assets.

As we saw from crypto typologies earlier in the paper, products and services involved with digital assets

typically: (1) favor anonymity or engage third parties, (2) support rapid movement of funds, (3) support

high transaction volumes, (4) involve cross-border transactions. Considering those characteristics, it is

undoubtedly true that crypto-related trades will provide a higher exposure for financial institutions to

fraud, money laundering, or terrorist financing. That is why we apply the same reverse approach we

described earlier to product risk.

Assessment of product risk is an inherently risky area, especially in the case of crypto assets, but it is an

essential part of surveillance functionality. Also—and it is crucial to remember—it will continue to be a

priority for regulators and auditors in the examination process.

As we can see from this paper, deep understanding and monitoring of high-risk products and mitigating

the AML risk and fraud risk they present is a very complex task, particularly if a customer and especially

a legal customer has a number of accounts and uses numerous products and services on an ongoing basis.

Current challenges with the product risk in existing risk assessment and KYC/CDD/EDD landscapes will

be multiplied by adding virtual assets to the business line, which should be viewed as a higher concern for

the reputation management of a financial institution.

It is crucial to emphasize that detailed disclosure of product risks to potential wallet/account holders is a

mandatory part of onboarding and/or pre-onboarding protocol. Risk disclosure remains one of a

regulator’s top examination priorities. Below are examples of major virtual currency risks to users:

risk of investment losses,

liquidity risk,

price volatility risk,

risk of loss when an exchange acts fraudulently,

risk of loss in value due to exchange rate fluctuation,

risk of unexpected tax liability,

risk of unfair share of mined cryptocurrency units,

risk of loss due to a change in the crypto protocol,

a customer cannot identify and properly assess risks of crypto transactions,

risk of loss due to crypto-wallet theft or hacking

3.8 Geographic Risk

As we saw from the criminal bitcoin activity report by CipherTrace, 97% of all direct illegal bitcoin

payments were sent to unregulated exchanges in countries with weak or non-existent AML regulations.

So, geographic risk, as another type of inherent risk, will significantly expose a financial institution to

crypto-related fraud, money laundering, and terrorism financing, especially in countries with inadequate

anti-money laundering control. It is evident that a customer from a geographic location which is not

cooperating in global money laundering efforts inherently presents a higher risk to a financial institution.

There are several significant factors contributing to the lack of cooperation of some countries in the

international fight against money laundering and terrorism financing: loopholes in financial regulations,

no or inadequate regulations or supervision of financial institutions, insufficient customer identification

requirements, excessive secrecy provisions, lack of efficient suspicious transaction reporting, lack of

identification of the beneficial owners of legal and business entities, obstacles to international

cooperation, and inadequate resources for preventing and detecting money laundering activities.

Today, it is a top priority of the global community to fight crypto-related criminal activity. FATF, an

international policy-making body which promotes and supports the AML activity of its 38 member

countries, showed a firm commitment to standard-setting for digital assets and virtual currencies.

Jurisdictions across the globe will be required to provide licensing protocols and oversee crypto

exchanges, platforms providing crypto wallets, and firms issuing new cryptocurrencies and providing

ICOs. By June 2019, the FATF will begin publishing rules for international cryptocurrency regulation.

This is a response to the increasing use of virtual assets for money laundering and terrorist financing and

at the request of the G20 ministers. We will analyze global crypto-related regulatory protocol in the next

chapter.

3.9 Identification and Verification Risk

The quantity of inherent/external risk associated with customers, products, or geographic areas is

measured with no consideration of the existing system of control and, by default, cannot be

transferred away. This is one part of an AML risk assessment and its components. Another part is quality

of risk mitigation, which represents internal risk and, after considering inherent risk, defines the residual

risk. Two major components of risk mitigation are Identification and Verification Risk and Detection and

Monitoring Risk.

Identification and verification risk are in direct relationship with customer due diligence and are

associated with the ability of the FI to form a reasonable belief that it knows the true identity of each

customer. They require FIs to have processes for obtaining and identifying customer information at the

account opening stage, as well as procedures based on specific risks for verifying the identity of a

customer. Any financial institution involved in a crypto-asset business must demonstrate

KYC/CIP/CDD/EDD/OFAC processes that show robust control, ensuring that all required information

and documentation is obtained and therefore pose low identification and verification risk.

In the section ‘Customer Risk,’ we touched upon customer and enhanced due diligence as part of initial

and ongoing risk assessment. Additionally, in the author’s opinion, part of the DETER, DETECT,

DEFEAT approach and an effective EDD technique is to conduct customer due diligence interviews, for

example, for High-High risk customers based on their initial information. This can be an invaluable tool

to intersect customer, product, and geographical risk in the case of crypto-oriented customers and token

holders in a very proactive manner.

The interview should be pre-planned and conducted by an experienced AML/FIU expert, have a clear

objective, and contain a list of specifically targeted questions, expected outcomes, and metrics to measure

up against the interview results. An interviewer should review the information submitted during

onboarding, compare multiple data points, do a cross reference, confirm the relevance of presented

documents to each prospective account holder, and make appropriate recommendations. Onboarding

EDD interviews for High-High risk potential customers are similar to investigative interviews of

transaction monitoring protocol.

As we highlighted earlier, the FinCEN CDD Rule imposes new requirements on the objective of customer

due diligence, risk profile, and how we should view enhanced due diligence on higher risk customers.

Taking into consideration all the complexity of crypto-related risks and their contributing factors, this

presents a serious task for AML and compliance departments.

The biggest challenge in the identification and verification process in regard to crypto-related business

and the center of the entire CDD process is how market participants can verify the identities of qualified

parties in a transaction, especially given the issue of anonymity or pseudo-anonymity of different cryptos,

as well as the availability of privacy-enhanced services.

In addition, modern customer interaction with FIs through remote electronic access and transaction

initiation presents an additional issue. The risks of doing crypto-related business with unauthorized or

incorrectly identified individuals in an electronic environment can and will result in financial loss and

reputation damage through fraud, the disclosure of confidential information, corruption of data, or

unenforceable agreements.

3.10 Objective Blockchain ID (OBID)

To address the challenge of customer ID in the digital era with digital assets, we should use digital tools.

Objective (Blockchain) ID is one of those tools and a cutting-edge digital process created by Daniel W.

Bingham, a former Special Agent of the Federal Bureau of Investigation (FBI), Counter Fraud / Anti-

Money Laundering solution consultant, and thought leader. Bingham worked with AML Partners,

Converus, Equifax, BlockDrive, and Acuant to build a unique ID system called a “SysFi.ID”. It is

scheduled for release in March 2019 and offered on AML Partners’ fully configurable, API-ready

platform, RegTech One.

OBID allows FIs with near 99.99% accuracy and scientific proof to confirm personal or business entity

PII and assure a high level of data security, which is cryptographically hashed. The ID is immutable and

indexed on a blockchain for retrieval.

OBID combines various biometric techniques and ‘cognitive load’ testing, an involuntary physiological

response when the brain slows its thinking to create a lie, which can be observed and measured. OBID

incorporates essential parts of ID authentication: government documents (i.e., driver’s license, passport,

SS#), customers’ IDs (passwords, pin codes, security questions), and a person’s biometrics (facial

recognition, ocular, fingerprint). As a result, OBID processes ensure cascading identity accuracies for

AML/KYC, namely, for linking accounts, transactions, and party documentation to a natural person,

exceeding the requirements of the FinCEN CDD Rule and for resolution of a variety of digital identities.

Objective (Blockchain) ID (i.e. SysFi.ID), on its RegTech platform, requires a two-minute engagement

with an individual at a computer:

1. A potential customer submits a high-definition scan or photo of government-issued ID. Via an API

interface, the RegTech platform routes the image to the Acuant service to determine if all forensic

countermeasures are in place for that particular ID document. Then a person sits in front of a computer

with a webcam and input device (mouse/trackpad/touchscreen). Facial recognition software matches the

authenticated ID to the face of the person using the computer. That person then enters his/her SS number.

2. SysFI.ID submits ID information and the individual’s SS number to Equifax to discover data from that

person’s financial history, based on which the credit bureau generates six to nine questions “on-the-fly.”

Equifax scores the answered questions, and the platform transmits results to Converus along with the

telemetry data collected from the user’s kinematic movement expressed during the response. This

Converus technology determines ground-truth identity by combining analysis of submitted answers with

kinematic analysis transmitted by the device.

3. Along with the submission of the user’s answers, an individual gets his/her picture taken by a webcam and

reads three sentences for a voice print submission.

4. Now, information from the above three steps creates multiple data points which form a “total person,”

and SysFI.ID establishes a blockchain-stored identity. The individual’s objectively-proven identity is then

triggered thereafter via biometric detection, not only for the financial services industry but for many

industries in hundreds of use cases.[33]

“…For the first time in history a person’s unique biometric

can be ‘objectively’ linked to self-reported PII…”[34] This ID

authentication method has huge potential to prevent identity

theft and address other AML/CDD/KYC issues and can be

widely used in digital asset-related businesses. Any person, for

example, who wants to become a wallet holder, should be

required to take a two-minute OBID test. This probably will

not be acceptable for people who wish for total anonymity but

given the amount of fraud in crypto- and token-related

activities, this technological innovation will help us to

implement rigorous internal control. OBID blocks potentially

illicit activity before the crime is committed, while at the same

time spurring blockchain development in a way that is

acceptable to authorities.

In summary, OBID puts a modern spin on AML/KYC onboarding, especially in geographic locations that

are deemed high-risk for money laundering. It confirms that an account/wallet is tied to a known person,

helps with identification of high-risk customers and their transaction monitoring, and offers reliability, accuracy,

and security.

3.11 Detection and Monitoring Risk

This type of major risk category is defined as the ability for FIs to monitor, detect, and report unusual or

suspicious activity and, in general, represents a common weakness of many risk assessment protocols. We

expect that a similar problem will be present in connection with crypto-oriented businesses, and FIs

without a fully effective detection and monitoring system will substantially accelerate their own

reputational, regulatory, and legal risk. Any firm involved in crypto and token activity should implement

significant additional measures of control, show ongoing quality surveillance, demonstrate effective case

management, and have effective processes for detection of suspicious activity and their timely reporting.

Detection and monitoring should be viewed as a major AML risk mitigant in preventing and fighting

crypto-related fraud.

Ongoing monitoring along with the CDD will help FIs to establish the required risk-based approach and

therefore create robust client profiles. The priority here should be a process to categorize customers into

appropriate high-risk groups based on customer profiles and relative risk metrics, since not all high-risk

customers are made equal and, as we stated earlier in the paper, further segmentation should be applied.

We should compare the individual risk profile of a customer with relevant high-risk categories and based

on this conduct ongoing monitoring.

To comply with crypto AML regulations and reduce the exposure of FIs to legal liability, we should

automate transaction risk scoring, identify and document risky and potentially fraudulent crypto

transactions and their history, detect transactions with an illicit source of funds, block stolen cryptos from

being traded or transferred, and blacklist dirty coins.

Another very effective method for detection and monitoring is an investigative interview where human

intelligence prevails. Like in an EDD interview, a similar protocol should be applied to handle alerts and

their investigation during regular monitoring, and, of course, this should be done on a case-by-case basis.

Additionally, since blockchain is an underlying technology for cryptocurrency and security tokens, we

should be smart and use the genius of DLT to our advantage. Its horizontal governance structure will

afford us the ability to view all relevant data to better support investigations, case decisions, and

suspicious activity reports, increase quality of monitoring, and instantly communicate between different

internal parties involved. In the risk assessment landscape, blockchain can offer a better experience,

greater convenience, and the opening of new opportunities for exploring use cases in the protocol for

detection and monitoring risk.

Consensus processes, which include confirmation of each financial event by DLT network participants,

may reduce the number of errors and false positive alerts, and, therefore, simplify the examination process

for transaction monitoring.

4. CROSS-BORDER COMPLIANCE: CHALLENGES and BEST PRACTICES

Today, the idea of international crypto-related compliance and regulatory protocol is gaining more and

more traction. To achieve this, we must assure strong cooperation between international law enforcement

agencies and the private sector, as well as rely on legislative and technological developments. The

condition for creating a highly operational blockchain-based digital asset global framework is an ability to

provide cross-border KYC, KYB, and AML protocols, and to ensure the full congruency of an FI’s crypto

activities.

A consistently increasing number of crypto thefts include robberies on a larger and smaller scale, where

fraudsters utilize numerous FIs to exploit vulnerabilities and operational gaps and explore opportunities of

misconduct by employees.

Given the existing situation of a general supervisory and law enforcement vacuum in the crypto space,

there is a growing need for virtual currency platforms and FIs involved in crypto-related business to

combine their efforts and set up a joint database of crypto wallets connected with fraudulent activity and

“blacklist” dirty coins and dirty wallets.

4.1 FATF: Expanding AML Rules to Digital Assets

FATF and regulators across the globe view cryptocurrency compliance as their top priority and focus on

expanding AML rules and regulations to digital assets. In October 2018, FATF recommended that all

member nations set up mandatory AML obligations for FIs involved in crypto-related business,

including firms storing and administering cryptos. This goes beyond the EU Fifth AML Directive, or

AMLD 5, requiring EU nations to regulate crypto exchanges and firms providing custodian wallets by

January 2020.35 It has been dictated by numerous challenges presented by the fight against crypto-related

crimes.

As we already covered in this paper, there are specific characteristics of the blockchain as an underlying

technology for virtual currency that enable crypto transactions to take place. According to the European

Banking Authority’s (EBA) opinion on ‘virtual currencies,’ the following examples represent some risks

linked specifically to VC transactions:

Virtual currencies enable criminals to launder illicit proceeds because transactions are

anonymous, international in nature, and irrevocable;


Criminals can have intermediaries on every level and control certain market participants who

allow them to disguise the origins of criminal proceeds.36

One of those challenges is in connection with the increasing use of crypto-to-crypto exchanges, which

pushes the stance among regulators that AML rules for cryptocurrencies should be extended to firms and

platforms that don’t cross with fiat currency. Covering crypto-to-crypto exchanges for AML is a big

accomplishment for the European Union and the entire global compliance community. This will limit

trading, transfer, and convergence of privacy coins by criminals and their circumvention of CDD

requirements.

Another significant challenge for policymakers across the globe is the high-speed and speculative nature

of cryptocurrency transactions, as well as blockchain-specific risks which can be used in a very

‘intelligent’ manner by advanced criminals to commit numerous crypto frauds. That is why regulators

proposed to include virtual currency exchange platforms and custodian wallet providers as ‘obliged

entities’ and extend the strong AML compliance standards applied to regular financial products and

services to those which are digital asset-related.

Among the required standards must be identity verification of new customers and wallet holders. As

was stated, “the rules will now apply to entities which provide services that are in charge of holding,

storing and transferring virtual currencies, to persons who provide similar kinds of services to those

provided by auditors, external accountants and tax advisors which are already subject to the 4th Anti-

Money Laundering directive and to persons trading in works of art. These new actors will have to identify

their customers and report any suspicious activity to their Financial Intelligence Units.”37

Another AMLD 5 measure to mitigate VC risk is a proposal to set up a central database which includes

VC holder IDs and wallet addresses and give special access to those stored profiles to FIU officers.

4.2 Crypto Regulatory Regime by Country

Considering all the crypto-related risks, the specifics of existing regulatory regimes, and AMLD 5’s

special focus on virtual currencies, it is obvious that various countries will proceed with different

mandates in anticipating requirements.

The UK, for example, exhibits the most conservative approach in its efforts to cover cryptocurrency FIs

under AML regulations and includes peer-to-peer exchange platforms and third-party exchanges. Already

in January 2018, the UK Financial Conduct Authority (FCA) and the Bank of England issued a warning

of pending restrictions on bitcoin and other cryptocurrencies due to their high inherent risks and failure as

an alternative form of legal tender. They also proposed banning the retail offer of derivative crypto

products. Also, Her Majesty’s Treasury planned to tighten AML regulations by requiring digital currency

exchange users to disclose their identity.

Besides, law enforcement and regulators reported a dramatic jump in criminal abuse of privacy coins like

Monero. That is why the FCA is at the forefront of regulatory AML mandates for crypto-to-crypto

exchanges.

Japan is most famous in crypto land for the space’s largest robbery, that of the exchange CoinCheck

($533,000,000 US). If, in the past, the country took a crypto-friendly position, after this massive hack

it has proceeded with so-called “business improvement orders.” After on-site inspections of a number

of exchanges, the Financial Services Agency (FSA)—Japan’s top financial regulator—determined that

some crypto exchanges had not established “effective management system to ensure proper and reliable

operation of the business and countermeasures against money laundering and terrorist financing.”38 This


was mainly dictated by the CoinCheck hack in January 2018 and by the most recent incident with Zaif

exchange.

Both events triggered an FSA emergency inspection, which uncovered numerous problems:

Improper ID management system for existing customers

Deficiencies with customer’s registration information

Lack of solid implementation of individuals’ confirmation process

Use of digital assets in laundering money involving credit cards

Active suspicious VC trading accounts

Flaws in exchanges’ AML and KYC systems

Currently, 160 companies want to enter the virtual currency market in Japan. This requires a tremendous

increase in oversight from the FSA and the Japan Virtual Currency Exchange Association (a self-regulatory

body), which should mandate solid corrective measures and immediate self-inspection by members and

exchanges, especially with the purpose of detecting signs of unauthorized activity.

The USA, among other countries, has also experienced many significant developments in connection with

regulations of crypto-oriented businesses and their enforcement. Most notable was the signing by

President Trump of an executive order which established a new task force focusing on virtual currency

and digital asset-related crimes. Also, just recently, the Governor of New York, Andrew Cuomo, signed a

digital currency study bill which will lead to creating a New York crypto task force and benefit the

blockchain community and investors. The Empire State is aiming to position itself as a “global hub for

smart innovation.”39

Other significant news in crypto land in the U.S. was that the SEC again delayed its decision on allowing

bitcoin ETFs, which are viewed as a potential accelerator of virtual currency activity and a significant

push for the increase of liquidity.

Going forward, firms involved in digital asset-related businesses should expect very tight scrutiny from

the SEC Office of Compliance Inspections and Examinations (OCIE), which will have cryptocurrency as

its top ‘examination’ priority for 2019 with the goal of protecting retail investors dealing with this risky

asset class. Considering an overall tremendous increase in the number of digital asset market participants,

as well as the overall growth of this market, the primary activities of concern for the OCIE are the offer

and sale, trading, and management of digital assets, where the products are securities, as well as

adherence to regulatory compliance. “For firms actively engaged in the digital asset market, OCIE will

conduct examinations focused on, among other things, portfolio management of digital assets, trading,

the safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”40

It is worth mentioning that digital assets were also one of the SEC priorities in its 2018 National Exam

Program with the prime focus, among other things, on adequate controls and safeguards provided by

financial professionals to protect crypto assets from theft or misappropriation and providing investors

with disclosure about the risks.41

Along with the SEC, another government entity which makes significant steps in setting a regulatory

framework against money laundering through virtual currencies is FinCEN. Already, in 2013, it issued

guidance regarding regulations to any individuals who administer, exchange, or use VCs. Also, over the

last few years, it has published a few administrative rulings explaining what impact it could have on the

crypto space.


Kenneth A. Blanco, the FinCEN Director, clarified the agency’s stance on cryptocurrency in 2018 at the

Chicago-Kent Block (Legal) Tech Conference. He stated: “we would expect financial institutions

adopting new FinTech to assess and understand whether the new financial products and services may be

vulnerable to exploitation for financial crime; and whether this financial service activity has AML/CFT

obligations under FinCEN’s regulations.”42

Blanco suggested that 1500 SARs a month involving VCs represent an increased number of filings in the

last few years and can be viewed as a “great success,” especially because advanced methods for

identifying suspicious activity with digital assets can provide a better understanding of the different types

of financial crime. He also reminded the audience, “we will hold companies and individuals accountable

when they disregard their obligations and allow the financial system to be exploited by criminal actors,

whether in wire transfers or cryptocurrencies.”43

In contrast to the UK, Japan, and the USA, two emerging crypto havens in the world are Malta and

Bermuda.

Malta, the EU’s smallest member, is viewed as one of the most crypto-friendly jurisdictions in the world.

Malta’s position is that cryptocurrencies are “the inevitable future of money”44 and focuses on giving

crypto market participants clarity about regulations and providing assurance, stability, and legal certainty

for future industry developments. It can provide the crypto industry a strong boost badly needed in light

of numerous frauds, hacking events, and cases of money laundering.

On November 1, 2018, Malta’s cryptocurrency regulations and licensing requirements for exchanges and

ICOs went into effect. Given the country’s past corruption and financial scandals, the Malta Financial

Services Authority (MFSA) put forth all efforts to change public opinion about the island as a jurisdiction

with a loose AML regulatory framework, attract more blockchain business, and create the foundation of a

new crypto economy in the future. Of course, as a world crypto-hub, Malta depends on the overall EU

stance on digital assets and can become less attractive if FATF puts in place tougher crypto regulations.

Bermuda is another island trying to become the center of crypto-oriented business and get a significant

chunk of the world’s crypto trading. In July 2018, local authorities passed a Digital Asset Business Act

and an ICO Bill with the purpose of changing banks’ hesitant attitudes in providing services to the

emerging Fintech sector.

Another significant crypto regulatory event on the island is the Information Bulletin released by the

Bermuda Monetary Authority (BMA) in September 2018, which set clarity for a digital asset business

license to advocate a strong AML regime. The island’s financial crypto regulations cover all market

participants: digital asset exchanges, alternative trading platforms, ICOs, custodial wallet service

providers, dealers, traders, and payment service businesses. This will give a green light to the island’s

crypto economy and blockchain innovations and help with capital formation opportunities, all while

guarding against fraud and other misconduct.

Other countries worth mentioning as players in crypto land are Canada, Mexico, Saudi Arabia, India,

North Korea, South Korea, Taiwan, and China. Taiwan, for example, has only partial oversight of

virtual currencies with the purpose of promoting innovation and with a primary focus on AML policies

and their implementation, developing comprehensive VC and ICO regulations and creating the Thai Anti-

Money Laundering Office’s own e-wallet to investigate digital assets-related crimes and possibly

confiscate cryptos involved in fraud.45


North Korea and Saudi Arabia are a big concern for the FATF. North Korea experienced a significant

failure in connection with its AML regulations and their enforcement, which presented a tremendous

threat to the global financial community. On numerous occasions, the FATF has addressed this issue,

bringing special attention to the relationship between country member FIs and individuals or businesses

from North Korea, especially in light of financial sanctions based on the UN Security Council

Resolutions.

As for Saudi Arabia, in the eyes of the international regulatory authorities, even though the country “has

developed a good understanding of its ML and TF risks through its national risk assessments,” its

authority is lacking the will to conduct “sophisticated financial analysis to effectively support

investigations, in particular those into more complex cases of ML.”46 Also, “Saudi Arabia is not

effectively investigating, and prosecuting individuals involved in larger scale or professional ML

activity.”47 It is also not effectively confiscating the proceeds of crime. One of the positives is that “Saudi

Arabia conducts comparatively intensive supervision of the higher-risk sectors in accordance with a risk-

based approach.”48

The Kingdom prohibited the circulation of cryptos, even though there has been progress in the adoption

of blockchain technology, and the country’s own cryptocurrency is about to be launched in 2019. Saudi

Arabia plans to use state-backed cryptocurrency to assure speed and cost-effectiveness of cross-border

transfers and payments. Of course, the idea of ‘decentralization’ of anything(!) in a country like Saudi

Arabia, with its traditions of rulership, probably doesn’t have a real chance to flourish.

Lastly, a big concern for the U.S. and the international compliance community is Venezuela’s Petro

cryptocurrency, which is oil-backed and was created in December 2017 to combat international sanctions.

The current U.S. administration banned Venezuela’s state-owned crypto by releasing a new executive

order through which Petro was put on a list of assets and instruments included in the financial sanctions.49

5. CONCLUSION

Analysis of major global crypto developments proves that digital asset-related crimes of different

complexity have been overtaking the crypto space, and fraudsters will continue capitalizing on financial

institutions’ vulnerabilities and systemic weaknesses. To fight crypto crime and therefore support

innovation and capital formation opportunities, regulators around the world who govern blockchain and

cryptocurrency tech and compliance must develop comprehensive legislation based on global cooperation

between policymakers and law enforcement agencies.

“Safety” in crypto land is a big concern for all market participants, including exchanges, alternative

trading platforms, money services businesses, institutional investors, investment advisers, broker-dealers,

fintech companies, attorneys specializing in crypto law, private funds, firms assisting issuers with ICOs

and ISOs, and companies providing advice to their clients in connection with digital assets. Opportunities

for fraud and various crypto-related misconduct are becoming more and more sophisticated, and we

cannot predict how they will develop in the future. One thing is for certain: the crypto community needs

strong measures combatting fraud, money laundering, and terrorist financing.

Today, we don’t know the most useful blockchain use cases, nor do we know all the particulars that

regulators should take into consideration in developing well-customized rules and regulations. This

presents a tremendous challenge for emerging crypto markets and can be a big hurdle for developing new

ways to fight nefarious actors who use the same blockchain technology for their fraudulent and

manipulative activities. Another burden for a financial institution is trying to comply with various


regulatory schemes with conflicting laws and confusion regarding the definition of what cryptocurrency is

and who should regulate cryptos.

Also, considering the transnational nature of crypto business and the fact that, as we saw, different

jurisdictions have different regulatory frameworks in connection with digital assets, it is imperative that

major market players put forth combined efforts to create unified cross-border regulatory measures to

prevent potential fraud and give certainty to a crypto market in capital raising and investor protection.

As a protective measure, capital formation and support of blockchain technology should go hand-in-hand

with the efforts of compliance experts and law enforcement authorities to fight manipulative and

fraudulent crypto-related practices. This is an essential part of the system for handling the risks presented

by blockchain and cryptocurrency technologies.

Crypto land, with its lack of specific and clear regulations, is inherently rife with risks that present a great

danger for most unsuspecting investors. Bad actors, including fraudsters, criminal groups, terrorist

organizations, and state sponsors are trying to find new and more sophisticated venues to exploit financial

markets. With their endless greed, they also take full advantage of crypto hype, conduct shady marketing,

and advertise get-rich-quick virtual schemes which result in most participants incurring significant losses.

There are over 70 identifiable risk areas arising from crypto activities, with a large group belonging to the

high-risk category.

Understanding and mitigating those risks is a primary obligation and a core task of each financial

institution involved in crypto-oriented business. This can be very challenging considering that digital

asset compliance is at its earliest stages. A robust crypto risk assessment should address FI vulnerabilities

and identify the weakest links in the chain, be specifically tailored for virtual currency-related crimes, and

protect against those unique challenges and threats. It should be an essential part of regulatory and

transactional policies, which will help financial institutions to establish relevant common standards, to

protect investors, promote technological innovations, and support the growth of the crypto economy.

Identifying risks and their reassessment should be an ongoing process, as should risk control and testing.

A firm’s methods and processes for managing crypto-related risks should be reflected in its specific set of

policies and procedures and be based on a financial institution’s business model and appetite for risk. As a

central part of enterprise-wide risk management, it should cover potential business impacts and likelihood

of crypto-related crimes. AML/FIU officers will identify and assess weaknesses and vulnerabilities and

ensure remediation activity tracking and closure. Risk assessment should also include internal and

external risk assessments (penetration testing), as well as vendor management.

To accomplish all this, market participants should employ highly advanced fintech tools and automatic

systems which offer identity verification, source of funds confirmation, entity resolution, and risk scoring

while meeting compliance and regulatory obligations. We should understand that the rules of the game

are changing. Why should we care? As with major paradigm shifts, the digital revolution will transform

the financial industry and its business models. We are part of this revolution, and while digital asset-

related opportunities flourish, so does crime.

Financial institutions must be ready for a never-before-seen puzzle of challenges, especially in the digital

space, and adapt to a new reality of fast-changing technological innovations. We expect a period of

speculation and misuse before we step into a new era, when the financial industry will be unrecognizable,

with multiplying efficiency and value.


So, are we ready for mainstream crypto? Are we fully equipped to assure market integrity and investor

protection and to guard against crypto fraud? The risks of disruption cannot be ignored. We should brace

ourselves and ask the question:

“Do we want to be a disruptor or allow ourselves to be disrupted?”


REFERENCES:

1. https://docs.house.gov/meetings/BA/BA01/20180620/108476/HHRG-115-BA01-Wstate-NovyR-20180620.pdf

2. https://unicwash.org/oped-cybercrime/

3. https://www.acams.org/aml-white-paper-distributed-ledger-technology/

4. https://bitcoin.org/bitcoin.pdf

5. http://www.finra.org/sites/default/files/FINRA_Blockchain_Report.pdf

6. https://www.esma.europa.eu/sites/default/files/library/2016-773_dp_dlt_0.pdf

7. http://www.finra.org/sites/default/files/FINRA_Blockchain_Report.pdf

8. https://www.esma.europa.eu/sites/default/files/library/2016-773_dp_dlt_0.pdf

9. https://coinmarketcap.com/

10. https://www.ccn.com/interview-indiegogo-founder-talks-security-tokens/

11. https://www.sec.gov/news/public-statement/statement-clayton-2017-12-11

12. https://finance.yahoo.com/news/moneyconf-2018-tokenisation-everything-explained-220557064.html

13. https://ciphertrace.com/wp-content/uploads/2018/10/crypto_aml_report_2018q3.pdf

14. Ibid

15. Fraud and Money Laundering: Can you Think Like a Bad Guy? By Dennis M. Lormel http://www.dmlassociatesllc.com/files/dml_whitepaper_20120223.pdf

16. Ibid

17. Ibid

18. Perspectives, Partnerships and Innovation. By Dennis M. Lormel http://www.dmlassociatesllc.com/files/dml_whitepaper_20110118.pdf

19. Ibid

20. Ibid

21. https://www.ccn.com/coincheck-hackers-have-already-laundered-40-percent-of-stolen-nem/

22. https://www.bankinfosecurity.com/hacked-mt-gox-bitcoin-exchange-chief-maintains-innocence-a-11904

23. https://www.thehaguesecuritydelta.com/media/com_hsd/report/209/document/iocta-2018.pdf

24. https://qoinfaucet.com/europol-hardcore-criminals-are-shifting-from-bitcoin-to-monero-zcash-and-dash/

25. Fraud and Money Laundering: Can you Think Like a Bad Guy? By Dennis M. Lormel http://www.dmlassociatesllc.com/files/dml_whitepaper_20120223.pdf

26. Ibid

27. Gilles Hilary. Cyber-Governance. Georgetown University McDonough School of Business, CRCP Program

28. https://eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf

29. Ibid

30. Acams.org ACAMS Advanced Certification Risk Assessment – The Foundation

31. https://bsaaml.ffiec.gov/manual/RegulatoryRequirements/02

32. Ibid

33. https://www.linkedin.com/pulse/solving-3-trillion-id-management-problem-while-stopping-bingham/

34. Ibid

35. www.moneylaundering.com/news/eu-regulator-proposes-expanding-aml-rules-to-crypto-assets/

36. https://eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf

37. https://blogs.pwc.de/compliance-fs/tag/5th-anti-money-laundering-directive/

38. https://finance.yahoo.com/news/japan-slaps-6-licensed-cryptocurrency-141442421.html

39. https://www.facebook.com/clyde.vanel/posts/10156105177852333?__tn__=C-R

40. https://www.sec.gov/files/OCIE%202019%20Priorities.pdf

41. https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2018.pdf

42. https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-delivered-2018-chicago-kent-block

43. Ibid

44. https://www.maltachamber.org.mt/en/muscat-cryptocurrencies-will-eventually-replace-money

45. http://www.nationmultimedia.com/detail/national/30353556

46. http://www.fatf-gafi.org/publications/mutualevaluations/documents/mer-saudi-arabia-2018.html

47. Ibid

48. Ibid

49. https://www.whitehouse.gov/presidential-actions/executive-order-taking-additional-steps-address-situation-venezuela/
