DETER, DETECT, DEFEAT! Understanding Digital Assets Related Crime through Proactive Risk Assessment and Cross-Border Compliance
TABLE OF CONTENTS
1. BACKGROUND
1.1 Blockchain: History, Overview, and Main Features
1.2 Anonymity and Pseudo-anonymity
1.3 DLT: Benefits and Money-Laundering Risks
1.4 Digital Assets Marketplace: At a Glance
1.5 Regulatory landscape
2. DIGITAL ASSETS RELATED CRIME: Stats, Anatomy, and Characteristics
2.1 Identify: Crypto Crime by the Numbers
2.2 Generic Level of Crypto Fraud: Anatomy, Perspective, and Driving Force
2.3 Characteristics of Digital Currencies Preferred by Criminals
2.4 Crypto Fraud in Motion: Types of Crimes
3. RISK ASSESSMENT
3.1 How Financial Institutions Should Approach Crypto Compliance
3.2 Risk vs. Uncertainty
3.3 Uncertainty Management: Foundation for Proactive Compliance Program
3.4 Virtual Currency Specific Risks
3.5 AML Risks and Audit Risk Model
3.6 Customer Risk
3.7 Product Risk
3.8 Geographic Risk
3.9 Identification and Verification Risk
3.10 Objective Blockchain ID (OBID)
3.11 Detection and Monitoring Risk
4. CROSS-BORDER COMPLIANCE: CHALLENGES and BEST PRACTICES
4.1 FATF: Expanding AML Rules to Digital Assets
4.2 Crypto Regulatory Regime by Country
5. CONCLUSION
EXECUTIVE SUMMARY:
When Bobby Axelrod, the hedge fund owner from the famous TV show "Billions", referred to crypto
for large payouts in one of its episodes and gave his employee a pin code for a Ledger Nano S with
$1,000,000 in cold storage, it was clear that the cryptocurrency revolution was spreading everywhere,
including the dark side of Wall Street. After being banned from trading, Bobby began hiding his secret
profits using crypto to securely transfer money without being detected. All of us who watched the show
remember his famous words when he met his trading partner: "You are now officially but unofficially the
proud owner of half of my half of [the hedge fund's profits], paid in crypto of course."
Axelrod's words are not too far removed from reality, and even though there remains a fictional aspect to
our pop culture, it does reflect accurately how we live and what is going on in real life, including the
crypto space.
Just a few short years ago, bitcoin was a novelty idea. Today, we have a bitcoin-culture invasion, despite
a prolonged decline in the crypto markets beginning in 2018, when millions of transactions bombarded
the bitcoin blockchain every day. But virtual currencies bring more opportunities not only for crypto
enthusiasts, but for bad actors as well. At the time of this writing, news outlets reported one of the largest
alleged crypto Ponzi schemes based on OneCoin, a fictional cryptocurrency, where promoters laundered
$1.3 billion in stolen investments around the world.
On June 20th, 2018, Deputy Assistant Director of the US Secret Service's Office of Investigations, Robert
Novy, gave testimony before the House of Representatives Financial Services Subcommittee on
Terrorism and Illicit Finance and stated that considering "the global nature of the Internet and modern
communications, ... digital currencies are particularly well-suited for supporting crimes that are
transnational in nature."1
Hackers manage to steal millions of dollars’ worth of bitcoin and other digital currencies from crypto
wallets, and this is a big concern for all market participants, developers, regulators, and law enforcement.
Cryptocurrency today is a preferred type of payment for cybercriminals, and this is especially disturbing
since according to the UN Office on Drugs and Crime, the cost of global cybercrime is approaching $600
billion.2
Even though the cryptocurrency ecosystem is now seeing increased regulatory scrutiny, scammers
continue their illicit deeds. Crypto-related criminal activity is rising astronomically, and for most people,
the crypto space has a stigma pertaining to criminal activity and a bad reputation. That’s why crypto
enthusiasts and the entire crypto community insist on active cooperation with law enforcement, going
after fraudsters of all types.
Adding virtual assets to the product line involves strategic business decisions which include careful and
rigorous risk assessment and unique risk mitigation practices. But business-as-usual, where we are
excellent at handling the problem after the fact and applying a one-size-fits-all approach to anti-money
laundering (AML) compliance and fraud detection, is no longer acceptable. Here is where the main
question arises: how can we protect investors against being defrauded of digital currencies and adapt tools
and measures at the level of a financial institution (FI) to help law enforcement detect criminal
crypto-related activity and stop crime before it happens? How can we weed out crypto scammers and make the
digital currency ecosystem a better place for everyone?
This white paper aims to raise awareness of the risks associated with the use of digital assets and educate
the AML and compliance community about crypto-related crimes. Specifically, it sheds light on current
and anticipated threats and typologies of crime related to digital assets and their impact on financial
institutions. Our primary focus is on how we in the compliance community should have courage and
challenge the status quo to DETER, DETECT, and DEFEAT crypto-related illegal activity using
proactive risk assessment and global compliance best practices.
Some sections of this report refer to the author’s previous white paper, “Digital Ledger Technology:
Streamlined CDD Examination Process through Blockchain Application.”3 The report illustrates the author’s
continuing interest and dedication in covering the subject of blockchain technology, digital assets, and
their impact on crypto-related crimes and money laundering. Her first encounter with bitcoin was in 2016,
when she started researching virtual currencies and blockchain networks. The author believes that
blockchain and digital assets can help reshape the world of business and transform capital markets. She
shares an opinion with many experts that given governments’ need to tax and to regulate, we must address
crypto fraud and digital assets-related criminal activities if we want to protect all crypto value
propositions.
The author is an enthusiastic researcher, has 15 years of wide-ranging experience in the financial services
industry, and has a keen interest and passion for preventive compliance. Through writing, she expresses
and shares her thoughts and ideas with like-minded individuals.
Disclaimer: The views and opinions expressed in this report are solely those of the author and do not represent those of, nor
should they be attributed to, ACAMS.
1. BACKGROUND
In this paper, digital assets refer to the use of cryptocurrencies and security tokens. Even though the target
audience for this report is expected to have a basic knowledge of a blockchain as an underlying
technology for crypto assets, below is a brief history and an overview of the blockchain and its features,
risks, and limitations.
1.1 Blockchain: History, Overview, and Main Features
Blockchain is often referred to in the financial services industry as digital ledger technology, or DLT. It
was born in response to the 2008 financial crisis and is most widely used for virtual currencies (VCs)
such as bitcoin. The creator of bitcoin is an anonymous figure, Satoshi Nakamoto, who in October 2008
published his famous white paper, “Bitcoin: A Peer-to-Peer Electronic Cash System.”4
To create a unique and reliable digital “cash system” was a very progressive idea for a long time before
bitcoin, but all prior attempts were unsuccessful due to the problem of double spending. With digital
money, transactions could be copied, and funds spent twice, since there was no physical cash. The genius
of Satoshi was that he solved the double spending problem through the use of a confirmation mechanism
and universal ledger - the blockchain.
The blockchain ledger serves as a virtual record of all transactions on the network stored on multiple
computers of trusted participants, the so-called nodes. Anybody with basic computer skills can see the
digital footprints of blockchain activity without any restrictions. This type of blockchain network is called
public. In contrast, private networks restrict access to this information and who can be a member and
transact on a blockchain. All members of a private network are known.
Since nodes can make different entries on a record and no one node can control the information,
decentralization is considered one of the blockchain’s main features. It is a revolutionary way for data to
be registered when there is no need for validation by a trusted third party.
Another prominent DLT feature is the use of cryptography, a computer-based encryption technique which
creates a mathematical proof and provides a high level of security. Parties of cryptocurrency transactions
on a blockchain have in their possession private and public keys. A combination of both keys creates a
unique digital signature which provides a secure digital identity reference.
Nodes perform validation of a transaction where the public key plays a role as a door-opener to the entire
blockchain to participate in digital events. Each event is a piece of information necessary to transact and
is presented as a block with a digital signature, timestamp, and any other relevant data. After encryption
through cryptography and validation by nodes, data is permanently recorded on a blockchain network,
and all records are immutable and sequentially linked. Cryptography and decentralization assure
protection of ownership rights and preservation of data in a censorship-free manner.
An essential DLT component is the so-called smart contract, a self-enforced piece of code which assures
the execution of a set of transactional instructions on a blockchain network. Smart contracts translate the
terms of a transaction and contractual obligations between parties into a digital framework and therefore
provide intelligent automation of pre-determined and agreed-upon conditions. One of the biggest creators
of smart contracts is Ethereum, a unique cryptocurrency with its own blockchain platform.
1.2 Anonymity and Pseudo-anonymity
A lot of early cryptocurrency developers insisted that privacy was an absolute necessity for an open
society in the digital era, and privacy means anonymity. But anonymity is a challenging issue, and even
though anonymity is considered the main feature of bitcoin, the most commonly-used cryptocurrency,
bitcoin is not as anonymous as many might think.
The blockchain is created through mining, a process through which miners compete to verify each
transaction on a blockchain. Whoever solves the mathematical puzzle first will be rewarded with bitcoin.
Data recorded on a blockchain is not directly linked to an individual user’s personally identifiable
information (PII). This gives virtual currencies a certain level of anonymity and makes it more difficult
for law enforcement to identify and track suspicious transactions and connect them to specific users.
When a bitcoin transaction is recorded, it is made public and linked only with a digital address, which
makes it impossible for a trade to be traced directly to a buyer. We can view an electronic address as a
user’s pseudonym, and if it is leaked (through web trackers, cookies, or other means), his or her identity
can be revealed. So, while discussing cryptocurrency anonymity, it is proper to refer to pseudo-anonymity
instead. To avoid or reduce the risk of the parties to a bitcoin transaction being linked, participants
use different methods: mixing services, additional privacy protections such as CoinJoin, or more
anonymous and untraceable cryptocurrencies, such as Monero or Zcash. We will cover the topic of digital
transaction anonymity in a later section.
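An added example, not part of the original paper, of why a single leaked address weakens pseudonymity: it applies the common-input-ownership heuristic (a standard chain-analysis assumption that the paper does not name) to treat addresses spent together in one transaction as sharing an owner. The transactions, address labels, and the `skip_txids` parameter are constructed for illustration; the last transaction models a multi-party join such as CoinJoin, which makes the heuristic over-merge unless the analyst excludes it.

```python
from collections import defaultdict

# Constructed sample data, not real blockchain records:
# (transaction id, input addresses, output addresses).
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], ["M1"]),                     # A1 and A2 spent together
    ("tx2", ["A2", "A3"], ["M2"]),                     # ties A3 to the same owner
    ("tx3", ["C1", "C2"], ["M3"]),                     # an unrelated owner
    ("tx4", ["A3", "C1", "D1"], ["J1", "J2", "J3"]),   # multi-party join
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into owner clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            # Path halving keeps lookups fast on long chains.
            self.parent[addr] = self.parent[self.parent[addr]]
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_addresses(txs, skip_txids=frozenset()):
    """Group addresses that were co-spent as inputs of the same transaction.

    skip_txids (hypothetical parameter) lists transactions the analyst has
    tagged as multi-party; their inputs belong to different people, so
    merging them would create false links.
    """
    uf = UnionFind()
    for txid, inputs, outputs in txs:
        for addr in (*inputs, *outputs):
            uf.find(addr)  # register every address, even if never merged
        if txid in skip_txids or len(inputs) < 2:
            continue
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(members) for members in clusters.values()]


def exposed_by_leak(txs, leaked_address, skip_txids=frozenset()):
    """Return every address attributed to the owner of one leaked address."""
    for cluster in cluster_addresses(txs, skip_txids):
        if leaked_address in cluster:
            return cluster
    return frozenset({leaked_address})


if __name__ == "__main__":
    # One identified address (A1) exposes the owner's other addresses.
    print(sorted(exposed_by_leak(SAMPLE_TXS, "A1", skip_txids={"tx4"})))
    # Without excluding the join, unrelated owners are wrongly merged.
    print(sorted(exposed_by_leak(SAMPLE_TXS, "A1")))
```

The second call shows the false-attribution risk for investigators: a cluster built across a multi-party transaction assigns other people's addresses to the identified user.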
1.3 DLT: Benefits and Money-Laundering Risks
Decentralization, cryptography, and the use of smart contracts have the potential to bring a number of
benefits to individuals and financial institutions. As FINRA stated in its DLT report, these new
technology systems “represent the potential to create a paradigm shift for several traditional processes
in the securities industry through the development of new business models and new practices.”5 Among
those prospective advantages of blockchain technology are faster speed, the immutability of records,
increased data quality, time-stamped and sequential audit trail transaction records, enhanced traceability
of transactions, simplified onboarding, and much more. Also, it is crucially important to highlight that
blockchain resolved double spending as one of the biggest problems in the space. However, it is crucial
that blockchain benefits be in balance with novelty and the existing risks and limitations of such a new
technology.
Digital disruption, as many view blockchain technology, has revolutionary potential to transform
financial services and the banking industry. It can address some of the problems of legacy infrastructure,
data management, and various weaknesses in different financial processes. But as any disrupter has its
consequences, blockchain technology also has its risks and downsides, which cannot be ignored,
especially in the area of criminal activities and money laundering. While it is too early for experts to
evaluate all the risks presented by innovative blockchain technology and its impact on securities and
financial markets, there are significant concerns where the system has several vulnerabilities related to
privacy, data security, and cyber risk.
The issue of privacy, and therefore providing appropriate levels of access to different network users, was
covered in detail in the report “The Distributed Ledger Technology Applied to Securities Markets” from the
ESMA, the European Securities and Markets Authority. It was stated that “the identity of a party to a
transaction is in most instances, not public unless legal provision requires the disclosure of this
information. Therefore, it is of utmost importance that DLT networks are designed in a way that protects
privacy when necessary.”6 Regulators demonstrated the importance of the use of encryption and private
keys only by authorized parties for transactions to prevent the risk of illicit activities.
In addition to information privacy, critical consideration should be given to areas of data security and
cyber risk, especially given the potential for network user access across borders. Below are the concerns
of domestic and international regulators and market participants regarding DLT security:
- How are the cryptographic keys protected from unauthorized access, modification, or loss?
- How is adequate protection against attacks provided?
- If a key is compromised, how will fraudulent transactions be identified and reversed? What party will be responsible for this?
- Who covers the cost of fraud?
- What kind of risk can be presented by a single unsecured node?
- What methods have been considered to enhance the security of assets?7
Issues of data security are crucial to anti-money laundering (AML) and fraud prevention. As indicated in
the ESMA report, “in the absence of relevant controls, those risks would be exacerbated as cryptography
could be used to conceal identities and undertake fraudulent activities.”8 Customer data security should
be a major consideration for any firm joining a DLT network. Issues concerning blockchain,
crypto-related crime, and AML, specifically customer identity, risk assessment, due diligence, and the security
and confidentiality of customer records and information, will be covered in depth in later sections.
Today, cryptocurrencies are not backed by fiat currencies and, in the opinion of numerous experts, this
makes crypto too risky for widespread adoption. Additionally, a significant challenge is that distributed
ledgers cannot scale up to achieve an appropriate volume of transactions to compete with existing
alternative methods. Lastly, it is worth mentioning that among other unintended risks presented by DLT
are issues of governance, custody, interoperability, and use of common standards. However, these are not
the focus of this analysis.
As stated above, risks and potential limitations of blockchain as an underlying technology for digital
assets-related transactions can be significantly exploited criminally in the nascent but rapidly-growing
crypto sector. But this is only half of the problem. To facilitate the laundering of their fraudulent
proceeds, criminals use the indisputable benefits of blockchain technology, such as decentralized
infrastructure, the pseudonymous nature of transactions, and use of smart contracts. Even worse, illegal
crypto-related activity will slow and sabotage the potential advantages of blockchain technology for all of
us.
1.4 Digital Assets Marketplace: At a Glance
Now, bad actors and crooks use cryptocurrency as a preferred vehicle to commit money laundering and
terrorism financing, resulting in hacking attacks, millions in losses, instability, and potential handicapping
of the entire crypto ecosystem. To effectively withstand these types of crime, the number one priority for
law enforcement and private sector professionals is to understand its nature, how fraudsters think and
operate, why they win, and why we have an explosion of crypto criminal activity.
But before we analyze cryptocurrency-related crime, its anatomy, typology, and complexity and identify
it by the numbers, let’s turn first to the current state of the digital asset marketplace and crypto-related
regulatory framework. Without this, it is impossible to identify fraud, determine its predicating factors, be
objective, and follow the investigative steps necessary to mitigate crime and have the upper hand over
fraudsters.
In the eyes of many, cryptocurrencies are the next reasonable development overtaking fiat currencies, and
since there is no centralized control entity, this means freedom and change in money, business, and the
world. But since the crypto landscape, with blockchain as its underlying technology, is in its early stages,
it would be premature to say whether it can bring about a revolution in financial markets or not. One thing
is for sure, however: cryptocurrencies and DLT are spreading around the world and making their mark in
the finance space!
In 2017, we saw a crypto explosion when Bitcoin (BTC) and Ethereum (ETH) experienced astronomical
jumps in value. At one point, right at the end of 2017, bitcoin reached a value just around $20,000.
Whether it was an organic development or a fraudulently inflated overall market is a big question! Either
way, the once-hot crypto craze became an entirely different story in 2018 and 2019, when
cryptocurrencies were traded well below their 2017 values, setting new lows time after time. Until the end
of March 2019, BTC was below $4,000, which shook the faith of wallet holders.9
Even though BTC has been in recovery mode since and today is above $12,000, let’s not forget the
history lesson. If you look at the crypto stats in the table below, compiled from Statista.com,
CoinMarketCap.com and BitcoinMarketJournal.com, there are two prominent and opposing tendencies: a
significant drop in bitcoin price and similar % decrease in total market cap but outstanding growth in
number of crypto exchanges, BTC wallets and number of currencies in general. Experts still must explain
this phenomenon.
Crypto Stats        2017                2018                % Change
BTC Wallets         24,000,000          32,000,000          +33%
BTC Price           $19,783             $3,769              -80.95%
Exchanges           70                  200                 +286%
# of Currencies     1325                2067                +156%
Total Market Cap    $590,424,775,357    $127,564,509,853    -78.39%
At the time of this writing, among 2067 cryptocurrencies, the top three with predominant market
capitalization are Bitcoin, Ethereum and Ripple (XRP), with bitcoin taking the lion’s share at 53.52%
market dominance. These three have different metrics, characteristics, methods of generation, primary
use, and network and protocol types.
Digital currencies today are used for numerous purposes. Market participants can send bitcoins to each
other, automate payments in crypto for products and services, and exchange crypto for other forms of
digital and/or fiat currency on cryptocurrency exchanges or alternative trading platforms. Participants can
also exchange cryptos for a chance of winning more as members of the gaming community or use cryptos
to hold value.
Since December 2017, CME and Chicago-based CBOE have been offering their clients bitcoin futures,
though they represent only a small percentage of both exchanges’ total product lines. Among the types of
companies in the virtual space today are crypto exchanges, alternative trading platforms (ATS), registered
investment advisors (RIA), and broker-dealers (BD), each of which supports crypto wallets and accounts.
This also includes money services businesses (MSB) and remittance networks expanding into the
emerging and innovative cryptocurrency sector, crypto wallet and vault services, online crowdfunding
platforms, mining farms, social trading platforms, tumblers and mixers as anonymity-enhanced services,
and firms providing miscellaneous support.
In addition to the retail landscape, more and more
attention is being given to potential institutional use
of digital assets, which is supposed to bring to the
crypto space greater trade volume, price
enhancement, and a higher sense of legitimacy.
Today, there is buzz about over-the-counter (OTC)
crypto trading for institutional investors who will
have an opportunity to trade directly between each
other and not through crypto exchanges.
Another consideration is bitcoin futures trading,
which, according to plans, will be provided by the
Intercontinental Exchange (ICE), the parent
company of the New York Stock Exchange (NYSE)
in the first quarter of 2019. NASDAQ also plans to
join forces and offer bitcoin future products.
It would not be a fair analysis of the current digital asset marketplace without highlighting Initial Coin
Offerings (ICOs) as a new method to raise capital, and especially Security Token Offerings (STOs), which
are taking over the emerging cryptocurrency landscape. In the opinion of many financial experts and
analysts, security tokens and asset-backed tokens have great potential, especially considering the
significant flood of fraud, ill-gotten profits, increased regulatory scrutiny, and enforcement action
regarding ICOs.
Token offerings for crowdfunding purposes brought many sleepless nights to investors, compliance
professionals, and regulators, since there is far less protection for mainstream investors as compared with
conventional securities markets. The co-founder of crowdfunding giant Indiegogo, Slava Rubin, stated in
one of his interviews regarding security tokens: “As guidance has become clearer around how to do these
offerings legally, there’s been a real shift in the desire for security tokens, as they offer a natural bridge
between the crowdfunding element of an ICO and the regulatory clarity of a securities offering.”10
It is also crucial to emphasize that according to the U.S. Securities
and Exchange Commission (SEC) and its Chairman Jay Clayton,
offerings with the potential for profit based on either
entrepreneurial or managerial efforts of other people (the Howey
Test) always represent securities and such offerings must be
registered.11
Crypto-securities not only have a great future as a new asset class
but are going to represent every form of financial asset in the
world. As described by Jeremy Allaire, CEO of Circle, a
peer-to-peer payments technology company backed by Goldman Sachs,
“we are at the very beginning of a ‘Tokenization of Everything’
where every form of asset, every form of value storage, every form
of important record becomes a crypto token.”12
1.5 Regulatory landscape
Even though there is increasing guidance on behalf of different regulatory agencies in the US and around
the globe regarding crypto assets, still, this area is the most unregulated in the world. Lack of regulations
in this space is a big concern considering the possibility of using digital assets to launder money and what
impact it could have on mainstream investors. Additionally, crypto assets today fall under differing and
conflicting laws and jurisdictions, which present another challenge.
There is considerable confusion regarding who is doing what among regulatory agencies, since it is very
debatable how to classify cryptocurrencies: are they securities, commodities, property, or something else?
This determines how digital assets are regulated and who will provide the oversight. There are four major
regulatory agencies in the US that oversee crypto activity:
1. The Internal Revenue Service (IRS) regulates digital assets as property (taxation can range from simple to very complex, and all crypto wallet holders must know their potential tax liability);
2. The Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury, regulates cryptocurrencies as money;
3. The SEC regulates digital assets as securities;
4. The Commodity Futures Trading Commission (CFTC) regulates cryptocurrencies as commodities.
The federal and state laws for cryptos result in very confusing obligations and overlapping rules. Clarity
here is essential, because a prohibitive and confusing stance from different regulatory authorities on digital
assets can be very expensive for all market participants and, as a result, stifle innovation.
2. DIGITAL ASSETS RELATED CRIME: Stats, Anatomy, and Characteristics
2.1 Identify: Crypto Crime by the Numbers
Digital assets represent opportunities not only for investors and financial institutions. The nascent but
rapidly-growing crypto sector, with its lack of regulation and coordination, has attracted a large number
of crooks and criminals. Not a day goes by without reports of crypto-related fraud, mining attacks,
exchange hacks, digital asset-related scams, or other fraudulent activity. Let’s look at the most compelling
crypto-related crime statistics.
In the first-ever quantitative effort to measure the level of criminal bitcoin activity, made by CipherTrace
Cryptocurrency Intelligence, 45 million transactions at the top 20 cryptocurrency exchanges globally
were analyzed, and 380,155 bitcoins received by those exchanges between 01/09/2009 and 09/20/2018
were directly from illegal sources. Analysis showed that this represents a significant amount of laundered
bitcoin with an approximate value at today’s prices of around $2.5 billion. But these are likely only half
of all illegal transactions, since criminals are usually very intelligent, motivated, and very proactive in
their strategies and how they hide their tracks.13
It is no surprise that 97% of all direct criminal bitcoin payments are sent to unregulated exchanges in
countries with weak or non-existing AML regulations. This translates into the fact that crypto
exchanges with lacking controls received 36 times more illegal bitcoins.14 Below are some other major
highlights of that analysis:
- In the first three quarters of 2018, $927 million of cryptocurrency was stolen by hackers; since the previous report, it is reported that another $166 million has been stolen.
- US FinCEN clarified its stance on regulating mixing services and included crypto-to-crypto in its definition of money services businesses, MSBs, that are subject to the Bank Secrecy Act (BSA) rules. It also enlisted the IRS to examine 100% of cryptocurrency MSB transmitters for BSA compliance.
- Opportunities to launder cryptocurrencies will be significantly reduced throughout 2019 and 2020 if cryptocurrency AML regulations are successfully enacted and enforced globally.
- New crypto-related crime threats continue to emerge, including highly targeted mass cyber extortion, SIM swapping, and advanced cyberattacks on exchange personnel.
It is certain that fraudulent activities will continue, and we will
see the emergence of new crypto-related crimes. Compliance
and AML professionals, financial intelligence units (FIUs), and
law enforcement should be very diligent and strive to ensure full
cooperation in their efforts to mitigate VC risks. The primary
focus here is innovation and a proactive approach to prevent
criminal activity. But first and foremost, we must have a precise
level of understanding about the nature of digital asset-related
crimes, their types, anatomy, characteristics, criminal sources,
economic effect, and what motivates criminals and what their
exit strategies are.
2.2 Generic Level of Crypto Fraud: Anatomy, Perspective,
and Driving Force
Crypto-related fraud is a crime and should be understood on two
levels: the generic level and the specific level. Like any other crime, crypto crimes share similar traits,
characteristics, warning signs, and methods. And even though there are some differences, due to specifics
between digital criminal activities, they are all contingent upon five common elements:
- Integrity
- Opportunity
- Incentive, motivation, or pressure
- Rationalization or attitude
- Capability15
Analyzing crime on the generic level is not our focus, but if we want to have the upper hand over
fraudsters, we must know crime basics and understand how they are connected. It is imperative to stress
that the opportunity to commit fraud is ‘the driving factor,’ and without opportunity, a criminal scheme
cannot be successful. Of course, the ‘excellence’ of a crime is a combination of all five elements: the
individual’s integrity is affected by rationalization or pressure plus an opportunity plus the capacity of a
person(s), all of which combine when being in the right position at the right time and having the skills
needed to perpetuate the fraud.16
As for opportunity, good fraudsters are very patient and methodical in studying the system, its risk
factors, and its vulnerabilities. They are brilliant in their efforts to exploit those vulnerabilities and they
develop their plans and methods accordingly. They are also very good at understanding the specific
criminal activity they want to engage in and its variations which can be least detected. In general,
fraudsters look for the following organizational vulnerabilities:
- Poor tone at the top/Weak ethical culture
- Lack of adequate internal controls
- Poor training
- Poor supervision
- Ineffective anti-fraud programs, policies, and procedures17
It is extremely important for all AML and FIU professionals to understand this, because small-scale
crypto crime often goes undetected as a result of weakness in the financial institution system, and it can
be committed repeatedly, since fraudsters adapt their actions when necessary, trying to avoid detection.
Sooner or later, this can turn into the whole crypto-crime machine, draining our resources, and with an
effectively implemented exit strategy, they are gone at the first signs of being detected. In such scenarios,
we are at a loss: fraudsters disappear, and the game is over.
Of course, in order not to lose a battle and win a war—yes, it is a war(!)—we cannot just hope that bad
guys will make a mistake, use poor judgment, disregard the warning signs, or not follow their exit plans.
Criminals, especially crypto criminals, are very disciplined, technologically advanced, extremely
motivated by greed, very proactive, and have a different perspective than we do. They know their
‘opportunities’ and how to manipulate the system.
Our disadvantage is slow adoption due to budgetary limits, privacy concerns, and regulations that are
reactive in nature. All of this interferes with forward-thinking and proactive methodologies for assessing
fraud and monitoring and detecting it. But most important is that reactive approaches will continue to
hold us back and do not allow us to follow our current compliance and fraud perspective effectively. This
prevents us from developing winning strategies, implementing necessary changes, and being very
adaptable.
Today, our compliance and fraud perspective, and therefore the focus of any financial institution
compliance department, AML, or FIU division, is ‘timely’ identification of and reporting on suspicious
activity, satisfying regulators and protecting the reputation of the financial institution. But, in our opinion,
this is no longer enough if we want to be proactive in fighting and winning against crypto fraud.
The new approach should be a combination of reactive, which we do well, and proactive, where we
should have a better understanding of law enforcement’s perspective - developing evidence to support
criminal prosecutions. We should be concerned with sending bad guys to jail(!), because if we do not,
they will be back with a vengeance! And the core point here is to realize that no one financial institution
exists in a vacuum, and both private sector and law enforcement are responsible for protecting our
financial system and our customers from fraud and money laundering.18
Talking about crime in general, the success of any scheme lies in the ability for fraudsters to safely
launder ill-gotten profits. That is why any discussion of crypto-related crime must include money
laundering and the connection between it and fraudulent activity. But this should be approached from a
different perspective considering that crypto-related crime is all about innovation, as opposed to financial
services institutions, which “tend to operate in their safety zones, and frequently, innovation falls outside
the institutional safety zone. As a result, there is little incentive to develop innovative techniques to fight
fraud and money laundering.”19
As AML professionals and members of the financial
intelligence community, we must remember that reactive
transaction monitoring and fraud detection as an acceptable
norm result in criminals having a considerable advantage.
Consequences can be devastating, since crypto-related
criminals of all types will continue exploiting vulnerabilities
in the U.S. and global financial system. Fraud compounded
greatly can have a long-lasting and multi-dimensional
negative effect. Just remember our last financial crisis, in
which “to a great extent, fraud was the root of the problem
that caused the economic distress we experienced.”20
Again, to Deter, Detect, and Defeat potential crypto-related
activity, we must intersect fraud and money laundering and
view this intersection as a focal point of fraud compliance and investigation. One of the major
components in this is an understanding of crypto-related crime on a specific level, timely assessment of
its immediate and strategic risks, and how the finances of fraudulent crypto activity flow through financial
institutions. We will cover this in detail later in the paper.
2.3 Characteristics of Digital Currencies Preferred by Criminals
Considering that a person’s digital footprint is almost always trackable, and it is much easier not to leave
a trail with dollar bills, why are cryptos so attractive to fraudsters? The answer is in specific
characteristics of digital currencies based on the underlying blockchain technology. Below are some of
those characteristics preferred by criminals:
Replacing a person’s details by their account keys
Ability to transfer value cross-border
Medium of exchange (crypto-to-crypto, crypto-to-fiat, fiat-to-crypto)
Potential for enhanced anonymity
Irreversible nature of crypto transactions
Secure alternative to wire transfers providing much faster transfer than the old legacy systems
Financial security (highly regarded by fraudsters)
Protection against theft, fraud, and lawful seizure
Blockchain forks – transactions being voided after users thought they had been completed
2.4 Crypto Fraud in Motion: Types of Crimes
The above characteristics of blockchain technology are ingeniously exploited by crypto criminals, who
are getting more and more sophisticated every day. Cryptocurrency-related fraud continues to plague
public and private organizations and has received a considerable amount of attention. Given a significant
influx of crypto wannabe millionaires, this destroys the confidence of bitcoin users and gives digital
currency a bad reputation and a negative public perception. Lack of specific regulations makes financial
institutions involved in crypto assets a potential haven for fraudsters, and that is why effective fraud
prevention begins with clearly defined typologies. Below are the most compelling crypto-related crimes
and crime types.
CRYPTO EXCHANGE HACK
Growing global demand for cryptocurrencies has resulted in larger numbers of exchanges in different countries
around the world. They hold their own different cryptos for principal trading and funds for private investors. It is no
surprise that these services attract numerous crypto criminals and hackers. Among the biggest crypto robberies was
the attack on the Japanese cryptocurrency exchange Coincheck in January 2018, where account holders lost over
$533 million worth of NEM tokens. Soon after the hack, criminals laundered an estimated $79.3 million through the
dark web. At least one good thing came as a result of that hack: Japanese regulators “ramped up” their oversight and
announced that licensed trading platforms would form a self-regulatory organization (SRO) which, if approved, would
have enforcement power over its members.21
The second most-famous crypto bloodbath is the hack of another Japanese exchange, Mt. Gox, in 2014, with a loss
of 850,000 bitcoins, worth around $500 million, and approximately $28 million in cash stolen from the exchange’s
bank accounts. At the time the world’s largest crypto exchange, Mt. Gox declared bankruptcy.22
In general, any trading networks with holders of crypto assets are the primary target of hackers. They use crypto
exchanges to turn their ill-gotten profits into Bitcoin and Ether and then through multiple conversion transactions
change whatever cryptos they steal into a fiat currency of choice, for example, Colombian pesos, to deposit into
Colombian bank accounts to support illicit activities and money laundering.
Crypto exchanges around the world have different onboarding protocols as a result of different AML regimes. Some
exchanges also vary in how they update their database for ongoing screening and monitoring existing customers. If
we want to deter and prevent criminal activity, we must use all possible preemptive measures, including “blacklisting”
the stolen funds, having a very productive partnership with law enforcement, and remembering that exchanges are
the greatest source of crucial data on potential suspects. This will help us to work with local authorities and create a
secure environment with proactive monitoring and screening of user identification.
It is important to emphasize that according to a Europol 2018 IOCTA report, “it is not only the funds these entities
hold that are sought after, customer data is also targeted. Such data can be used to further fraud, including phishing
customers for their account login credentials and subsequent currency theft.”23 There is a specific anatomy for a hack
covering different areas which are supposed to be addressed in enterprise-wide risk assessments. This will be
included in our analysis later in this paper.
CRYPTOJACKING
As a new trend in cybercrime, this is a growing problem in the digital ecosystem. The aim for fraudsters is to use the
computation power of a victim’s computer to mine cryptos. The issue here is that due to the low impact on victims,
there is a relatively small number of complaints. However, this type of crypto fraud cannot be underestimated, since
criminals have to launder those illegally-mined profits. It is expected that cryptojacking will lead the 2019 list of all
major crypto-related crimes.
DARKNET/ONLINE CRIMINAL MARKETS
Today, criminals have moved from offshore accounts to cryptocurrency wallets on the web and are very comfortable
with it. After the famous case of Ross Ulbricht (Dread Pirate Roberts) and The Silk Road website, which used bitcoin
as its main currency for buying and selling drugs, weapons, and other illicit products and services, the reputation of
bitcoin was significantly damaged. Since then, the shutdown of another three major Darknet marketplaces in 2017 and a
growing number of smaller alternative crypto platforms and networks have further tainted the reputation of cryptocurrency.
51% ATTACK (DOUBLE SPEND ATTACK)
In simple terms, the primary condition for a 51% Attack to succeed is hackers owning more than 50% of the entire
network mining power (hash rate). Through governance of the whole chain, they can create new “blocks” based on
previous “blocks” and therefore have two separate versions of the same blockchain. If a single entity/node controls
the majority of a network, they will decide which transactions get approved or not, reorganize the blockchain, and
possibly reverse some of the transactions, resulting in a double-spend. The receiver thinks that he/she is already
paid but it is not the case.
Among the most famous 51% attacks are the case of the ZenCash network, in
which a massive double spend was worth around $550,000, and the latest 51%
attack on Vertcoin.
Double-spend attacks remain a significant vulnerability for some cryptocurrencies.
The irony here is that Bitcoin was given credit for its high level of security and
solving of the double-spend problem. It is a security flaw that doesn’t belong to
the bitcoin network.
MONEY-LAUNDERING MIXING SERVICES
As we explained in an earlier section, bitcoin transactions are pseudo-
anonymous, and it is not difficult to identify their parties. That is why smart
criminals use sophisticated money-laundering mixing services (tumblers) or
cross-currency flip services to hide their tracks and avoid being traced. Dirty
coins are kicked back and forth between different digital addresses, split up in
the process across multiple transactions, mixed with legitimate funds, and
recombined in the full amount via wallets on the dark web.
As a result of mixing and tumbling, the original ‘dirty’ coins become ‘clean’ and are deposited in an account on a
cryptocurrency exchange. Cross-currency flip services work differently, and even though they are used for legitimate
purposes (they can flip Bitcoin into, for example, Ethereum or any other cryptocurrency and then convert it back into
Bitcoin), that flip is very difficult to track. It is essential to understand that even though mixers, tumblers, and cross-
currency flips can be useful, most of them have serious security limitations and therefore they are not the most
reliable with respect to their money-laundering capabilities.
PRIVACY-ORIENTED CURRENCIES
Today, more and more criminals use privacy-oriented cryptocurrencies like Monero, Zcash, and Dash. Jarek
Jakubcek, a cybercrime analyst at Europol, explained in an interview to Business Insider: “We can see a quite
obvious and distinct shift from bitcoin to cryptocurrencies that can provide a higher level of privacy.”24
These bring an enormous headache to law enforcement and regulators. The challenge here is that since transactions
cannot easily be linked to individuals, it limits one’s ability to monitor transactions for potentially suspicious activity
and collect evidence of fraud, and different exchanges and platforms, especially those that are unregulated, provide
little cooperation with law enforcement. Privacy-based cryptos listed on formal exchanges require additional
legislation and regulatory actions. They continue to grow tremendously in popularity and are expected to replace
dedicated mixing services.
CYBERCRIME
Digital assets exist in the digital world, and because there is no physical location connected to a crypto wallet,
cryptocurrencies are a preferred type of payment and extortion mechanism for cybercriminals.
ICO/ISO SCAMS
Today, digital currency scams are the top priority for the SEC, especially ICOs, due to their unregulated nature.
Issuers are crossing regulatory red lines by selling unregistered securities and conducting unregistered offerings. The
SEC has opened numerous investigations to reduce fraud in the crypto and DLT space. Since the Agency views
digital assets as securities, it levies its fraud charges using existing laws that regulate traditional investments. In
addition to tough enforcement actions, the Commission requires that issuers have proper broker-dealer licensing to
offer tokens.
As of now, there is no formal U.S. regulatory framework which focuses specifically on cryptocurrencies. In addition to
the above-stated major crypto crimes, there are other digital asset-related problems:
Cryptocurrency Tax Fraud and Unreported Taxable Gains
Fraudulent activity promising fast return and defrauding of unsuspecting investors of their money
Bogus Bitcoin investments
Mobile App massive hacks
Bitcoin-to-fiat exchange fraud
Operating unregistered securities exchanges and alternative trading platforms
Death threat email scams in exchange for virtual currency
Twitter crypto scams
Misleading cryptocurrency marketing
So, with cryptocurrencies gaining more and more acceptance by financial institutions, how can we weed
out crypto criminals and make our digital currency ecosystem a better place for everyone?
3. RISK ASSESSMENT
3.1 How Financial Institutions Should Approach Crypto Compliance
Considering crypto compliance is in its early stages, it is not surprising that financial institutions that deal
with crypto assets do not maintain a strict regulatory framework. Among other things, this includes
facilitating digital asset transactions domestically and internationally. The gaps in compliance and
transactional policies, and financial institutions working in silos, result in growth in crypto crime. Those
major factors might slow massive adoption of digital assets and challenge the promotion of capital formation
and successful growth of the crypto economy both in the US and on a global scale.
To bridge crypto and fiat currency in a compliant manner and access large-scale global liquidity, we must
first and foremost assure investor protection from the fraudulent activity of crypto criminals, do it very
proactively, and be very dedicated. Additionally, we should pursue a combination of legislative and
technological developments and welcome cooperation between international law enforcement agencies
and the private sector, promoting the idea of a global crypto-related regulatory protocol.
Besides, while venture capitalists are having a fresh look at the crypto sector and assessing fundamentals,
we should have compliance courage and challenge the existing typology-driven transaction monitoring
methods which have been used for years. In the eyes of many, they are ineffective and create too much
ambiguity, which will be a massive problem for digital asset compliance and fighting crypto fraud due to
the presence of so many unknown variables.
We cannot afford subjectivity, especially concerning our obligations to SAR filing for potentially
suspicious activity. And here is where the necessity of mandatory adoption of emerging technological
solutions will help FIs to address regulatory challenges in the crypto space and provide practical
intelligence for crypto-related AML monitoring, investigation and compliance, as well as a holistic
approach towards the risk assessment and risk management.
Among those solutions are advanced analytics, machine learning, cognitive computing capabilities,
blockchain ID protocol, automated entity resolution, big data architecture, visual investigation tools,
modern graphical processing units (GPUs), advanced statistics, and other innovations.
Artificial intelligence should go hand-in-hand with human intelligence, so that we are well-equipped to
“go all in” in our efforts to be fully compliant with all required regulations. We will ensure appropriate
global Know Your Customer (KYC) and Know Your Business (KYB) protocols, as well as robust cross-
border AML compliance. Using all available tools will result in the seamless trading of cryptocurrencies
and movement of tokens.
3.2 Risk vs. Uncertainty
Without a doubt, if we want to be in the digital assets business, we will be exposed to threat. The riskiest
is always what we don’t know, don’t expect, and therefore are not prepared for and have no contingency
plan to address. Uncertainty can kill us, and if the risk analysis is primarily concerned with what
happened in the past, it is not proactive. It shouldn’t be only about exercising a risk-based approach which
makes threats predictable, either.
As stated earlier, it is about combining reactive and proactive approaches together with the technological
disruptors in a very dynamic and progressive manner and structuring our compliance thinking along a few
dimensions, with a major focus on the areas of highest uncertainty and vulnerability as a part of an
enterprise-wide AML risk assessment. This will afford us a diverse perspective on digital asset-oriented
products, financial crime and money laundering risks, and AML expectations and requirements.
It is important to emphasize that risk assessment is the core and backbone of any effective and robust
compliance program. It helps FIs identify areas of significant risks and set up policies and procedures
tailored specifically to address those risks.
Risk assessment determines how adequately we address specific risks we are facing and should be used in
multiple tiers of our decision-making process. It should be conducted on an ongoing basis and reassessed
at least every 12 to 18 months, or sooner if there are any changes of a material nature. Also, the internal
audit department should do a thorough review of the risk assessment process and any changes or
revisions. Risk-based decisions can be very beneficial only if they are based on a robust risk assessment.
It is crucially important, considering that one component of our perspective as a financial institution is to
satisfy the regulators.
An area where financial institutions are most vulnerable concerning a potential crypto risk of money
laundering is at the stage when fraudsters are trying to convert their bitcoin into fiat currency. This stage
we can control, at least in the U.S., where there are robust AML and KYC protocols.
In the 1980s, Dennis M. Lormel, a recognized AML and terrorist financing subject matter expert, introduced
his ‘fraud continuum,’ which perfectly illustrates how the five elements of fraud we covered earlier are
connected and influence a criminal.25
The continuum is the intersection between integrity (horizontal line) and opportunity (vertical line) and
illustrates four quadrants. It will help us to better understand risk scoring regarding crypto accounts. The
bottom of the opportunity line represents limited opportunity, while north of the line is a high level of
opportunity. Similar is the integrity line: limited integrity is on the far-left side, and high integrity is on
the far right.
The lower-right quadrant (green) is where integrity is high and opportunity is low, and this is the least of
our worries, because people in the green quadrant are least likely to commit fraud. The top-right and lower-left
quadrants represent moderate risk, and top-left (red) is high risk, where the combination of pressure,
rationalization, and capability as crime elements most influence an individual’s integrity.26 Of course, this
is the area of most uncertainty and, without a doubt, the most significant compliance and AML challenge.
We can, and we should, be a step ahead of the crypto criminals. To do this, we should think like
fraudsters (the old wisdom!), especially in assessing crypto risks. Since the significant risks of digital
asset-related activity are unknown, and we all fear the unknown, we should treat uncertainty with the
utmost respect and attention and give this matter some legitimate precision in better understanding risk vs.
opportunity.
Dealing with risks and uncertainties in the most effective way is a part of any financial institution’s
proactive risk assessment. The table below presents the main characteristics of uncertainty vs. risk, which
we all should be aware of to better understand crypto asset-related transactions:27
RISK              | INDICATOR              | UNCERTAINTY
Predictable       | Nature                 | Unpredictable
Slow & Optimal    | Tempo                  | Fast & Acceptable
Command & Control | Organization Structure | Distributed power
Transactional     | Management             | Cultural
Compliance        | Organization Behavior  | Cooperation
Efficiency        | Strategy               | Capabilities
3.3 Uncertainty Management: Foundation for Proactive Compliance Program
Having virtual assets as part of a financial institution’s business model, we are facing numerous risks—
simple and complex—and should address all of them, being very forward-thinking regarding unexpected
problems and vulnerabilities.
Before we cover and assess major inherent risks, we should define what risk is. Risk is the sum of
vulnerability (weakness in an existing system) and threat (likelihood of an event occurring). Risk must be
managed by accepting, mitigating, eliminating, transferring, or avoiding.
The areas where the most vulnerabilities for a financial institution may reside are Denial, Dilution, Detail-
oriented, Detachment, and Disgrace. These are the so-called 5 Cultural Sins:
Denial: Overconfidence; Fear of bad news
Dilution: Unclear appetite/thresholds; Poor communication; Weak risk ownership
Detail-oriented: Procedure driven
Detachment: Indifference
Disgrace: Gaming
Vulnerability (a weakness in an existing system) + Threat (likelihood of an event occurring) = Risk
Risks must be managed by: accepting, mitigating, eliminating, transferring, or avoiding
Each firm involved in crypto-related business must have a protocol to identify vulnerabilities and threats,
especially since crypto risk goes hand-in-hand with cybersecurity risk.
The #1 problem with risk assessment is having a very narrow approach and not focusing on the big
picture. The five cultural sins remind us that most financial institutions are characterized by being
overconfident (number of enforcement actions and fines!) and procedure driven. Other areas present risks
and vulnerabilities which often are not our focus. Those other ‘sins’ must be at the center of our attention
in regard to risk assessment, where we should have a clear understanding of a financial institution’s risk
appetite and thresholds, who is responsible for what, and who can address on an enterprise-wide level the
issues of risk ownership.
Also, since some of the crypto-related risks are in direct relationship with cyber risks, similar security
guidelines for how the private sector should assess and improve their ability to detect, respond to, and
prevent crypto crimes should be applied:
Identify – risk assessment and risk management strategies;
Protect – identity management, access control, data security, training;
Detect – running table-top exercises for anomalies and being sure that systems are up-to-date;
Respond – know what we are doing in case of crypto events, including response planning,
communication, analysis, mitigation, and improvement;
Recover – how we should rectify the situation according to recovery planning;
Consolidate – how to reflect all illicit crypto events in the journal and not to lose institutional
memory.
The first two categories— ‘Identify’ and ‘Protect’—are those where financial institutions have their main
focus. Other groups are most vulnerable and should be part of market participants’ holistic approach to
risk and risk assessment.
3.4 Virtual Currency Specific Risks
According to a study by the European Banking Authority (EBA), approximately 70 identifiable risks arise
from crypto activities, covered by the following five major categories:
Risks to users;
Risks to non-user market participants;
Risks to financial integrity (money laundering and other financial crime);
Risks to existing payment systems;
Risks to regulatory authorities 28
Figure 2 below illustrates those risk categories, provides risk descriptions for numerous VC activities, and
identifies different contributing drivers for these risks. Again, as we have stated above, all of those
risks(!) should be addressed by FIs.
Considering the complexity of the potential threats and a broad range of causal risk drivers, this is crucial
to assure robust monitoring and reporting of potentially suspicious activity, protecting a financial
institution’s reputation and satisfying regulatory requirements. With digital asset-related products and
services and a lack of formally defined guidance, this might be very challenging.
Figure 2 29
3.5 AML Risks and Audit Risk Model
The best way to understand the fraud crime problem and its risks is through the audit risk model for AML
risk assessment, consisting of two essential elements: (1) quantity of inherent risk (the risk before controls
are applied): customer risk, product risk, geographic risk; (2) quality of risk mitigation: detection and
monitoring risk, identification and verification risk, compliance risk, and regulatory/prior audit risk.
Inherent risk is reduced by control effectiveness and results in residual/AML audit risk, i.e., the risk that
remains after preventive methods of control are applied.30
AUDIT RISK MODEL:
3.6 Customer Risk
Customer risk is a major inherent risk for each financial institution and a central piece of the entire AML
compliance program and customer due diligence. It is risk associated with customers and/or businesses
due to the nature of their business, occupation, size, legal organization, or anticipated transaction activity.
Customer risk is a significant potential risk during the money laundering layering or integration stages.
Usually, higher risk customers arise when financial institutions and legal vehicles (e.g., offshore banks,
trusts, and private investment companies) offer confidentiality and intermediary services. This is
especially important in connection with crypto assets.
There are three major reasons why addressing customer risk should be our focus: KYC failure can result
in non-compliance, financial loss, and reputational loss. To mitigate customer risk, first and foremost,
financial institutions should adopt account opening procedures that allow them to determine the true
identity of a customer and to develop an understanding of normal and expected activity for a given
customer’s occupation or business operations. They also should set identification standards customized to
the risk posed by a particular customer. This is a standard protocol.
It is also a general financial industry approach that customer risk rating models, as a part of enterprise-
wide risk assessment, play two significant roles:
1. It is a consistent method for differentiating among individual risk areas (ex: types of accounts):
Low risk:
a. Resident Consumer Account
b. Nonresident Alien Consumer Account
Medium risk:
a. Small Commercial/Franchise Business
b. Consumer Wealth Creation
High risk:
a. Nonresident Alien Offshore Investors
b. High Net Worth Individuals
c. Multiple Tiered Accounts
d. Offshore & Shell Companies
2. It determines the level of due diligence required:
Low risk (‘simplified’ or ‘standard’ due diligence)
Medium risk (‘simplified’ or ‘standard’ due diligence)
High risk (‘enhanced’ due diligence)
Prohibited customer
Digital assets, with their unique and complex nature, nascent history, and tainted reputation, add a
modern-day twist to the Placement—Layering—Integration (PLI) model and therefore should be viewed
differently when assessing customer risk. Today, drug lords can do their bad deeds without banks and fiat
currency. Dealers on streets have moved online, use cryptos to buy drugs from anonymous sellers, and
distribute them to anonymous buyers through different online illegal underground markets.
Parties of a transaction don’t know each other, and here, virtual assets present a tremendous challenge and
cause the most risk. The worst part is that criminals often prefer to deal with numerous legitimate vendors
accepting bitcoins and, in these cases, there is no need to convert them into fiat currency to spend their
illicit profits. Some of those legitimate retailers and service providers may be customers of the financial
system.
In a conventional risk-based approach, as you can see from the chart below, customer risk rating models
allow us to compare customer risk versus different methods of due diligence and suspicious activity
monitoring. Among those methods are basic profile/generic threshold monitoring, unique profile specific
to products and services used by a customer, source of wealth and financial statements, and customized
transaction profile with tailored monitoring against transaction profile.
As stated in the Federal Financial Institutions Examination Council (FFIEC) Manual, FIs should ensure
regular suspicious activity monitoring and customer due diligence. “If there is an indication of a potential
change in the customer’s risk profile (e.g., expected account activity, change in employment or business
operations), management should reassess the customer risk rating and follow established bank policies
and procedures for maintaining or changing customer risk rating.”31
On May 11, 2018, FFIEC updated its customer due diligence examination procedures to reflect FinCEN’s
CDD Rule. Those updates dictate establishing and maintaining a risk-based approach to CDD and EDD
and emphasize that “improper identification and assessment of a customer’s risk can have a cascading
effect, creating deficiencies in multiple areas of internal controls and resulting in an overall weakened
BSA compliance program.”32 This brought expanded obligations for AML compliance departments and,
given budgetary constraints, presents a real challenge, especially in the crypto space with its workflow,
speed, and transnational nature.
Considering the above factors, we should put a different spin on standard risk-based approaches in
connection with crypto assets. This is especially important if we want to use in our assessment the five
elements of fraud and how they are interrelated, knowledge of current crypto fraud uncertainties and
vulnerabilities, and the lack of financial institutions’ “reactive” crypto compliance experience.
Among customer risk metrics should be those which address a customer’s past or expected crypto
activity, level of knowledge, experience, goals, a percentage of income or total assets derived from crypto
transactions, understanding of crypto tax liability, and risk appetite. This is nothing more than a Risk
Profile, which broker-dealers and wealth management professionals have been following for years as part
of suitability requirements.
The risk profile is viewed as a baseline for diligence and monitoring. Of course, to assure data quality,
speed, and transparency, we must deploy the most advanced technological tools for intelligence gathering,
which will help to aggregate and correlate different metrics, identify suspicious addresses and crypto
wallets, and therefore help AML and FIU officers to quickly assess risk and calculate risk levels, collect
evidence, and file a SAR if warranted.
As for past activities, all crypto-related financial services of a potential customer should be identified:
crypto exchanges, ICOs, cryptocurrency hedge funds, MSBs, ATMs, credit unions, banks, gambling
services, and alternative trading platforms. Using advanced tools, we should be aware if those services are
associated with any known criminal organizations or criminal activities. Concerning expected activity,
there should be a very detailed questionnaire including types of activity, names of potential vendors (if
known), an approximate number of monthly conversions/transfers, anticipated geolocations, especially
cross-border, and other characteristics.
Rigorous customer profiles will help compliance departments to better vet new customers, their past
financial history, and the sources of funds. They help not only to predict the types of transactions in
which a customer might be engaged but also to understand a customer’s relationship with the FI and to
separate customers posing the highest risk. As a result, this will give us a better stance with regulators,
especially given our expanded responsibilities in line with the FinCEN CDD Rule.
Now, let’s assume the worst-case scenario, that each customer with a crypto wallet, regardless of who that
customer is, sooner or later will be involved in a ‘fraudulent’ activity, either intentionally or by
negligence, lack of understanding of how digital assets work and their liabilities, improper valuation of
suitability, risk profile, or any other reason.
So, to all customers we assign a high risk right from the start, and all of them are in a red quadrant, at
least for the next 60-90 days (or more) as a test period. This time will not only give us an advantage in
better ‘learning’ a customer but allow us to closely review customer connections and relevant personal
and business dealings.
The risk remains elevated as we continue monitoring each account and conducting Enhanced Due
Diligence (EDD), as required for all high-risk customers. There should be separate EDD policies and
procedures customized to address specifics of virtual asset-related activity, and until FIs become more
familiar with the typical events of cryptocurrency transactions, we should closely monitor those
accounts/wallets.
Then, we follow the FFIEC manual, and if there are no indications of any suspicious activity, we make a
change in the customer’s risk profile and move a customer from the high-risk quadrant to a moderate risk
quadrant. To adjust risk further to a ‘low’ level, it will take additional monitoring. We will continue
further with standard segmenting by customer, behavior, and account activity. The entire process we call
‘reverse’ risk assessment.
Types of accounts which represent high risk by default, regardless of reverse risk assessment—
nonresident alien offshore investor, high net worth individuals, multiple tiered accounts—cannot be
moved to a medium risk category after an initial test period, even though there is no unexpected or
unusual activity. They should stay in a high-risk group for the remainder of the account lifecycle, and
those customers should be reviewed more closely at the account’s opening, and their activity should be
more frequently monitored throughout the whole duration of the relationship.
Even though all digital asset holders are assigned as high-risk, there are different levels of high-risk
customers based on some other metrics (product risk, geographic risk… etc.) and, therefore, different
levels of EDD should be applied. Examples of further segmentation of the high-risk customer pool might
be High-Low, High-Medium, or High-High, where the difference is based on how often a customer’s
account is reviewed.
Reverse risk assessment is a novel approach, and even though it puts us in a position of constant alert, it
gives AML and FIU professionals higher odds to detect activity not in line with the customer’s needs and
expectations. It allows them to be more vigilant and learn on the go, and it will yield better results in
crypto fraud detection.
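The reverse risk assessment described above can be written as a small rating routine. This is an added example, not code from the paper: the 90-day test period comes from the paper's 60-90 day range, while the 270-day threshold for 'low', the mapping of product and geographic risk to High-Low/High-Medium/High-High, the restart of the clock on a suspicious-activity indication, and the review intervals are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Account types the paper keeps in the high-risk group for the whole lifecycle.
HIGH_BY_DEFAULT = {
    "nonresident_alien_offshore_investor",
    "high_net_worth_individual",
    "multiple_tiered_accounts",
}

TEST_PERIOD = timedelta(days=90)      # paper: "60-90 days (or more)"
LOW_RISK_AFTER = timedelta(days=270)  # assumption: extra monitoring before "low"

# Assumption: days between account reviews for each rating.
REVIEW_INTERVAL_DAYS = {
    "High-High": 30, "High-Medium": 60, "High-Low": 90,
    "Medium": 180, "Low": 365,
}


@dataclass
class Customer:
    customer_id: str
    account_type: str
    onboarded: date
    elevated_product_risk: bool = False
    elevated_geographic_risk: bool = False
    # Dates on which monitoring raised an indication of suspicious activity.
    suspicious_indications: List[date] = field(default_factory=list)


def high_sub_tier(c: Customer) -> str:
    """Segment the high-risk pool by the other risk metrics (assumed mapping)."""
    score = int(c.elevated_product_risk) + int(c.elevated_geographic_risk)
    return ("High-Low", "High-Medium", "High-High")[score]


def rate(c: Customer, as_of: date) -> str:
    """Reverse risk assessment: start high, step down only after clean monitoring."""
    seen = [d for d in c.suspicious_indications if d <= as_of]
    # The clean-monitoring clock starts at onboarding and restarts at the
    # most recent indication (assumption).
    clock_start = max([c.onboarded] + seen)
    clean = as_of - clock_start
    if c.account_type in HIGH_BY_DEFAULT or clean < TEST_PERIOD:
        return high_sub_tier(c)
    return "Medium" if clean < LOW_RISK_AFTER else "Low"


def next_review(c: Customer, last_review: date) -> date:
    """Date of the next account review, driven by the rating at the last one."""
    return last_review + timedelta(days=REVIEW_INTERVAL_DAYS[rate(c, last_review)])


if __name__ == "__main__":
    # Constructed sample customers, not data from the paper.
    retail = Customer("C-001", "retail_wallet", date(2019, 1, 1))
    hnwi = Customer("C-002", "high_net_worth_individual", date(2019, 1, 1),
                    elevated_geographic_risk=True)
    flagged = Customer("C-003", "retail_wallet", date(2019, 1, 1),
                       elevated_product_risk=True, elevated_geographic_risk=True,
                       suspicious_indications=[date(2019, 3, 20)])
    for day in (date(2019, 2, 15), date(2019, 4, 15), date(2019, 10, 15)):
        for c in (retail, hnwi, flagged):
            print(day, c.customer_id, rate(c, day), "next review", next_review(c, day))
```
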
3.7 Product Risk
While evaluating customer risk vs. due diligence and suspicious activity monitoring, we use different
methods of review, follow-up, and tracking based on account types. Among those methods is a profile
specific to products and services used by a customer, and even though used predominately in connection
with medium and high-risk accounts in a standard risk-based approach, this should be considered for all
types of crypto customers, at least during the initial test period. Of course, all of this will depend on the
complexity of each financial institution’s business model, risk appetite, and resources available for
anti-money laundering compliance and financial intelligence support.
Product risk should be reviewed for relative importance to other risks and in the management of the entire
risk profile of the business. When different risk categories are summed up, it gives a 360-degree view of a
customer’s risk profile. The more high-risk products a financial institution offers, the higher its risk
rating should be. And this is the case with virtual assets.
As we saw from crypto typologies earlier in the paper, products and services involved with digital assets
typically: (1) favor anonymity or engage third parties, (2) support rapid movement of funds, (3) support
high transaction volumes, (4) involve cross-border transactions. Considering those characteristics, it is
undoubtedly true that crypto-related trades will provide a higher exposure for financial institutions to
fraud, money laundering, or terrorist financing. That is why we apply the same reverse approach we
described earlier to product risk.
Assessment of product risk is an inherently risky area, especially in the case of crypto assets, but it is an
essential part of surveillance functionality. Also—and it is crucial to remember—it will continue to be a
priority for regulators and auditors in the examination process.
As we can see from this paper, deep understanding and monitoring of high-risk products and mitigating
the AML risk and fraud risk they present is a very complex task, particularly if a customer and especially
a legal customer has a number of accounts and uses numerous products and services on an ongoing basis.
Current challenges with the product risk in existing risk assessment and KYC/CDD/EDD landscapes will
be multiplied by adding virtual assets to the business line, which should be viewed as a higher concern for
the reputation management of a financial institution.
It is crucial to emphasize that detailed disclosure of product risks to potential wallet/account holders is a
mandatory part of onboarding and/or pre-onboarding protocol. Risk disclosure remains one of a
regulator’s top examination priorities. Below are examples of major virtual currency risks to users:
risk of investment losses,
liquidity risk,
price volatility risk,
risk of loss when an exchange acts fraudulently,
risk of loss in value due to exchange rate fluctuation,
risk of unexpected tax liability,
risk of unfair share of mined cryptocurrency units,
risk of loss due to a change in the crypto protocol,
a customer cannot identify and properly assess risks of crypto transactions,
risk of loss due to crypto-wallet theft or hacking
3.8 Geographic Risk
As we saw from the criminal bitcoin activity report by CipherTrace, 97% of all direct illegal bitcoin
payments were sent to unregulated exchanges in countries with weak or non-existent AML regulations.
So, geographic risk, as another type of inherent risk, will significantly expose a financial institution to
crypto-related fraud, money laundering, and terrorism financing, especially in countries with inadequate
anti-money laundering control. It is evident that a customer from a geographic location which is not
cooperating in global anti-money laundering efforts inherently presents a higher risk to a financial institution.
There are several significant factors contributing to the lack of cooperation of some countries in the
international fight against money laundering and terrorism financing: loopholes in financial regulations,
no or inadequate regulations or supervision of financial institutions, insufficient customer identification
requirements, excessive secrecy provisions, lack of efficient suspicious transaction reporting, lack of
identification of the beneficial owners of legal and business entities, obstacles to international
cooperation, and inadequate resources for preventing and detecting money laundering activities.
Today, it is a top priority of the global community to fight crypto-related criminal activity. FATF, an
international policy-making body which promotes and supports the AML activity of its 38 member
countries, showed a firm commitment to standard-setting for digital assets and virtual currencies.
Jurisdictions across the globe will be required to provide licensing protocols and oversee crypto
exchanges, platforms providing crypto wallets, and firms issuing new cryptocurrencies and providing
ICOs. By June 2019, the FATF will begin publishing rules for international cryptocurrency regulation.
This is a response to the increasing use of virtual assets for money laundering and terrorist financing and
at the request of the G20 ministers. We will analyze global crypto-related regulatory protocol in the next
chapter.
3.9 Identification and Verification Risk
The quantity of inherent/external risk associated with customers, products, or geographic areas is
measured with no consideration of the existing system of control and, by default, cannot be
transferred away. This is one part of an AML risk assessment and its components. Another part is the quality
of risk mitigation, which represents internal risk and, after considering inherent risk, defines the residual
risk. Two major components of risk mitigation are Identification and Verification Risk and Detection and
Monitoring Risk.
Identification and verification risk is directly related to customer due diligence and is
associated with the ability of the FI to form a reasonable belief that it knows the true identity of each
customer. It requires FIs to have processes for obtaining and identifying customer information at the
account opening stage, as well as procedures based on specific risks for verifying the identity of a
customer. Any financial institution involved in a crypto-asset business must demonstrate
KYC/CIP/CDD/EDD/OFAC processes that show robust control, ensuring that all required information
and documentation is obtained, and that therefore pose low identification and verification risk.
In the section ‘Customer Risk,’ we touched upon customer and enhanced due diligence as part of initial
and ongoing risk assessment. Additionally, in the author’s opinion, part of the DETER, DETECT,
DEFEAT approach and an effective EDD technique is to conduct customer due diligence interviews, for
example, for High-High risk customers based on their initial information. This can be an invaluable tool
to intersect customer, product, and geographical risk in the case of crypto-oriented customers and token
holders in a very proactive manner.
The interview should be pre-planned and conducted by an experienced AML/FIU expert, have a clear
objective, and contain a list of specifically targeted questions, expected outcomes, and metrics to measure
up against the interview results. An interviewer should review the information submitted during
onboarding, compare multiple data points, do a cross reference, confirm the relevance of presented
documents to each prospective account holder, and make appropriate recommendations. Onboarding
EDD interviews for High-High risk potential customers are similar to investigative interviews of
transaction monitoring protocol.
As we highlighted earlier, the FinCEN CDD Rule imposes new requirements on the objective of customer
due diligence, risk profile, and how we should view enhanced due diligence on higher risk customers.
Taking into consideration all the complexity of crypto-related risks and their contributing factors, this
presents a serious task for AML and compliance departments.
The biggest challenge in the identification and verification process in regard to crypto-related business
and the center of the entire CDD process is how market participants can verify the identities of qualified
parties in a transaction, especially given the issue of anonymity or pseudo-anonymity of different cryptos,
as well as the availability of privacy-enhanced services.
In addition, modern customer interaction with FIs through remote electronic access and transaction
initiation presents an additional issue. The risks of doing crypto-related business with unauthorized or
incorrectly identified individuals in an electronic environment can and will result in financial loss and
reputation damage through fraud, the disclosure of confidential information, corruption of data, or
unenforceable agreements.
3.10 Objective Blockchain ID (OBID)
To address the challenge of customer ID in the digital era with digital assets, we should use digital tools.
Objective (Blockchain) ID is one of those tools and a cutting-edge digital process created by Daniel W.
Bingham, a former Special Agent of the Federal Bureau of Investigation (FBI), Counter Fraud / Anti-
Money Laundering solution consultant, and thought leader. Bingham worked with AML Partners,
Converus, Equifax, BlockDrive, and Acuant to build a unique ID system called a “SysFi.ID”. It is
scheduled for release in March 2019 and offered on AML Partners’ fully configurable, API-ready
platform, RegTech One.
OBID allows FIs to confirm personal or business entity PII with near 99.99% accuracy and scientific
proof, and to assure a high level of security for the data, which is cryptographically hashed. The ID is
immutable and indexed on a blockchain for retrieval.
OBID combines various biometric techniques and ‘cognitive load’ testing, an involuntary physiological
response when the brain slows its thinking to create a lie, which can be observed and measured. OBID
incorporates essential parts of ID authentication: government documents (i.e., driver’s license, passport,
SS#), customers’ IDs (passwords, pin codes, security questions), and a person’s biometrics (facial
recognition, ocular, fingerprint). As a result, OBID processes ensure cascading identity accuracies for
AML/KYC, namely, for linking accounts, transactions, and party documentation to a natural person,
exceeding the requirements of the FinCEN CDD Rule and for resolution of a variety of digital identities.
Objective (Blockchain) ID (i.e. SysFi.ID), on its RegTech platform, requires a two-minute engagement
with an individual at a computer:
1. A potential customer submits a high-definition scan or photo of government-issued ID. Via an API
interface, the RegTech platform routes the image to the Acuant service to determine if all forensic
countermeasures are in place for that particular ID document. Then a person sits in front of a computer
with a webcam and input device (mouse/trackpad/touchscreen). Facial recognition software matches the
authenticated ID to the face of the person using the computer. That person then enters his/her SS number.
2. SysFI.ID submits ID information and the individual’s SS number to Equifax to discover data from that
person’s financial history, based on which the credit bureau generates six to nine questions “on-the-fly.”
Equifax scores the answered questions, and the platform transmits results to Converus along with the
telemetry data collected from the user’s kinematic movement expressed during the response. This
Converus technology determines ground-truth identity by combining analysis of submitted answers with
kinematic analysis transmitted by the device.
3. Along with the submission of the user’s answers, an individual gets his/her picture taken by a webcam and
reads three sentences for a voice print submission.
4. Now, information from the above three steps creates multiple data points which form a “total person,”
and SysFI.ID establishes a blockchain-stored identity. The individual’s objectively-proven identity is then
triggered thereafter via biometric detection, not only for the financial services industry but for many
industries in hundreds of use cases.33
“…For the first time in history a person’s unique biometric can be ‘objectively’ linked to self-reported
PII…”34 This ID authentication method has huge potential to prevent identity theft and address other
AML/CDD/KYC issues and can be widely used in digital asset-related businesses. Any person, for
example, who wants to become a wallet holder, should be required to take a two-minute OBID test. This
probably will not be acceptable for people who wish for total anonymity but given the amount of fraud in
crypto- and token-related activities, this technological innovation will help us to implement rigorous
internal control. OBID blocks potentially illicit activity before the crime is committed, while at the same
time spurring blockchain development in a way that is acceptable to authorities.
In summary, OBID puts a modern spin on AML/KYC onboarding, especially in geographic locations that
are deemed high-risk for money laundering. It confirms that an account/wallet is tied to a known person,
helps with the identification of high-risk customers and their transaction monitoring, and offers
reliability, accuracy, and security.
3.11 Detection and Monitoring Risk
This major risk category is defined as the ability of FIs to monitor, detect, and report unusual or
suspicious activity and, in general, represents a common weakness of many risk assessment protocols. We
expect that a similar problem will be present in connection with crypto-oriented businesses, and FIs
without a fully effective detection and monitoring system will substantially accelerate their own
reputational, regulatory, and legal risk. Any firm involved in crypto and token activity should implement
significant additional measures of control, show ongoing quality surveillance, demonstrate effective case
management, and have effective processes for detection of suspicious activity and its timely reporting.
Detection and monitoring should be viewed as a major AML risk mitigant in preventing and fighting
crypto-related fraud.
Ongoing monitoring along with the CDD will help FIs to establish the required risk-based approach and
therefore create robust client profiles. The priority here should be a process to categorize customers into
appropriate high-risk groups based on customer profiles and relative risk metrics, since not all high-risk
customers are made equal and, as we stated earlier in the paper, further segmentation should be applied.
We should compare the individual risk profile of a customer with relevant high-risk categories and,
based on this, conduct ongoing monitoring.
To comply with crypto AML regulations and reduce the exposure of FIs to legal liability, we should
automate transaction risk scoring, identify and document risky and potentially fraudulent crypto
transactions and their history, detect transactions with an illicit source of funds, block stolen cryptos from
being traded or transferred, and blacklist dirty coins.
Another very effective method for detection and monitoring is an investigative interview where human
intelligence prevails. Like in an EDD interview, a similar protocol should be applied to handle alerts and
their investigation during regular monitoring, and, of course, this should be done on a case-by-case basis.
Additionally, since blockchain is an underlying technology for cryptocurrency and security tokens, we
should be smart and use the genius of DLT to our advantage. Its horizontal governance structure will
afford us the ability to view all relevant data to better support investigations, case decisions, and
suspicious activity reports, increase quality of monitoring, and instantly communicate between different
internal parties involved. In the risk assessment landscape, blockchain can offer a better experience,
greater convenience, and the opening of new opportunities for exploring use cases in the protocol for
detection and monitoring risk.
Consensus processes, which include confirmation of each financial event by DLT network participants,
may reduce the number of errors and false positive alerts, and, therefore, simplify the examination process
for transaction monitoring.
4. CROSS-BORDER COMPLIANCE: CHALLENGES and BEST PRACTICES
Today, the idea of international crypto-related compliance and regulatory protocol is gaining more and
more traction. To achieve this, we must assure strong cooperation between international law enforcement
agencies and the private sector, as well as rely on legislative and technological developments. The
condition for creating a highly operational blockchain-based digital asset global framework is an ability to
provide cross-border KYC, KYB, and AML protocols, and to ensure the full congruency of an FI’s crypto
activities.
A consistently increasing number of crypto thefts include robberies on a larger and smaller scale, where
fraudsters utilize numerous FIs to exploit vulnerabilities and operational gaps and explore opportunities of
misconduct by employees.
Given the existing situation of a general supervisory and law enforcement vacuum in the crypto space,
there is a growing need for virtual currency platforms and FIs involved in crypto-related business to
combine their efforts and set up a joint database of crypto wallets connected with fraudulent activity and
“blacklist” dirty coins and dirty wallets.
4.1 FATF: Expanding AML Rules to Digital Assets
FATF and regulators across the globe view cryptocurrency compliance as their top priority and focus on
expanding AML rules and regulations to digital assets. In October 2018, FATF recommended that all
member nations set up mandatory AML obligations for FIs involved in crypto-related business,
including firms storing and administering cryptos. This goes beyond the EU Fifth AML Directive, or
AMLD 5, requiring EU nations to regulate crypto exchanges and firms providing custodian wallets by
January 2020.35 It has been dictated by numerous challenges presented by the fight against crypto-related
crimes.
As we already covered in this paper, there are specific characteristics of the blockchain as an underlying
technology for virtual currency that enable crypto transactions to take place. According to the European
Banking Authority’s (EBA) opinion on ‘virtual currencies,’ the following examples represent some risks
linked specifically to VC transactions:
Virtual currencies enable criminals to launder illicit proceeds because transactions are
anonymous, international in nature, and irrevocable;
Criminals can have intermediaries on every level and control certain market participants who
allow them to disguise the origins of criminal proceeds.36
One of those challenges is in connection with the increasing use of crypto-to-crypto exchanges, which
pushes the stance among regulators that AML rules for cryptocurrencies should be extended to firms and
platforms that don’t cross with fiat currency. Covering crypto-to-crypto exchanges for AML is a big
accomplishment for the European Union and the entire global compliance community. This will limit
trading, transfer, and convergence of privacy coins by criminals and their circumvention of CDD
requirements.
Another significant challenge for policymakers across the globe is the high-speed and speculative nature
of cryptocurrency transactions, as well as blockchain-specific risks which can be used in a very
‘intelligent’ manner by advanced criminals to commit numerous crypto frauds. That is why regulators
proposed to include virtual currency exchange platforms and custodian wallet providers as ‘obliged
entities’ and extend the strong AML compliance standards applied to regular financial products and
services to those which are digital asset-related.
Among the required standards must be identity verification of new customers and wallet holders. As
was stated, “the rules will now apply to entities which provide services that are in charge of holding,
storing and transferring virtual currencies, to persons who provide similar kinds of services to those
provided by auditors, external accountants and tax advisors which are already subject to the 4th Anti-
Money Laundering directive and to persons trading in works of art. These new actors will have to identify
their customers and report any suspicious activity to their Financial Intelligence Units.”37
Another AMLD 5 measure to mitigate VC risk is a proposal to set up a central database which includes
VC holder IDs and wallet addresses and give special access to those stored profiles to FIU officers.
4.2 Crypto Regulatory Regime by Country
Considering all the crypto-related risks, the specifics of existing regulatory regimes, and AMLD 5’s
special focus on virtual currencies, it is obvious that various countries will proceed with different
mandates in anticipating requirements.
The UK, for example, exhibits the most conservative approach in its efforts to cover cryptocurrency FIs
under AML regulations and includes peer-to-peer exchange platforms and third-party exchanges. Already
in January 2018, the UK Financial Conduct Authority (FCA) and the Bank of England issued a warning
of pending restrictions on bitcoin and other cryptocurrencies due to their high inherent risks and failure as
an alternative form of legal tender. They also proposed banning the retail offer of derivative crypto
products. Also, Her Majesty’s Treasury planned to tighten AML regulations by requiring digital currency
exchange users to disclose their identity.
Besides, law enforcement and regulators reported a dramatic jump in criminal abuse of privacy coins like
Monero. That is why the FCA is at the forefront of regulatory AML mandates for crypto-to-crypto
exchanges.
Japan is most famous in crypto land for the space’s largest robbery, that of the exchange CoinCheck
($533,000,000 US). If, in the past, the country took a crypto-friendly position, after this massive hack
they have proceeded with so-called “business improvement orders.” After on-site inspections of a number
of exchanges, the Financial Services Agency (FSA)—Japan’s top financial regulator—determined that
some crypto exchanges had not established “effective management system to ensure proper and reliable
operation of the business and countermeasures against money laundering and terrorist financing.”38 This
was mainly dictated by the CoinCheck hack in January 2018 and by the most recent incident with Zaif
exchange.
Both events triggered an FSA emergency inspection, which uncovered numerous problems:
Improper ID management system for existing customers
Deficiencies with customer’s registration information
Lack of solid implementation of individuals’ confirmation process
Use of digital assets in laundering money involving credit cards
Active suspicious VC trading accounts
Flaws in exchanges’ AML and KYC systems
Currently, 160 companies want to enter a virtual market in Japan, which requires a tremendous increase in
oversight from the FSA and the Japan Virtual Currency Exchange Association—a self-regulatory
body—and which should mandate solid corrective measures from members’ and exchanges’
immediate self-inspection, especially with the purpose of detecting signs of unauthorized activity.
The USA, among other countries, has also experienced many significant developments in connection with
regulations of crypto-oriented businesses and their enforcement. Most notable was the signing by
President Trump of an executive order which established a new task force focusing on virtual currency
and digital asset-related crimes. Also, just recently, the Governor of New York, Andrew Cuomo, signed a
digital currency study bill which will lead to creating a New York crypto task force and benefit the
blockchain community and investors. The Empire State is aiming to position itself as a “global hub for
smart innovation.”39
Also, significant news in crypto land in the U.S. was that the SEC again delayed its decision allowing
bitcoin ETFs, which are viewed as a potential accelerator of virtual currency activity and a significant
push for the increase of liquidity.
Going forward, firms involved in digital asset-related businesses should expect very tight scrutiny from
the SEC Office of Compliance Inspections and Examinations (OCIE), which will have cryptocurrency as
its top ‘examination’ priority for 2019 with the goal of protecting retail investors dealing with this risky
asset class. Considering an overall tremendous increase in the number of digital asset market participants,
as well as the overall growth of this market, the primary activities of concern for the OCIE are the offer
and sale, trading, and management of digital assets, where the products are securities, as well as
adherence to regulatory compliance. “For firms actively engaged in the digital asset market, OCIE will
conduct examinations focused on, among other things, portfolio management of digital assets, trading,
the safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”40
It is worth mentioning that digital assets were also one of the SEC priorities in its 2018 National Exam
Program with the prime focus, among other things, on adequate controls and safeguards provided by
financial professionals to protect crypto assets from theft or misappropriation and providing investors
with disclosure about the risks.41
Along with the SEC, another government entity that is taking significant steps in setting a regulatory
framework against money laundering through virtual currencies is FinCEN. As early as 2013, it issued
guidance on the application of its regulations to individuals who administer, exchange, or use VCs. Over
the last few years, it has also published a few administrative rulings explaining what impact the guidance
could have on the crypto space.
Kenneth A. Blanco, the FinCEN Director, clarified the agency’s stance on cryptocurrency in 2018 at the
Chicago-Kent Block (Legal) Tech Conference. He stated: “we would expect financial institutions
adopting new FinTech to assess and understand whether the new financial products and services may be
vulnerable to exploitation for financial crime; and whether this financial service activity has AML/CFT
obligations under FinCEN’s regulations.”42
Blanco suggested that 1500 SARs a month involving VCs represent an increased number of filings in the
last few years and can be viewed as a “great success,” especially because advanced methods for
identifying suspicious activity with digital assets can provide a better understanding of the different types
of financial crime. He also reminded the audience, “we will hold companies and individuals accountable
when they disregard their obligations and allow the financial system to be exploited by criminal actors,
whether in wire transfers or cryptocurrencies.”43
In contrast to the UK, Japan, and the USA, two emerging crypto havens in the world are Malta and
Bermuda.
Malta, the EU’s smallest member, is viewed as one of the most crypto-friendly jurisdictions in the world.
Malta’s position is that cryptocurrencies are “the inevitable future of money”44 and focuses on giving
crypto market participants clarity about regulations and providing assurance, stability, and legal certainty
for future industry developments. It can provide the crypto industry a strong boost badly needed in light
of numerous frauds, hacking events, and cases of money laundering.
On November 1, 2018, Malta’s cryptocurrency regulations and licensing requirements for exchanges and
ICOs went into effect. Given the country’s past corruption and financial scandals, the Malta Financial
Services Authority (MFSA) put forth all efforts to change public opinion about the island as a jurisdiction
with a loose AML regulatory framework, attract more blockchain business, and create the foundation of a
new crypto economy in the future. Of course, as a world crypto-hub, Malta depends on the overall EU
stance on digital assets and can become less attractive if FATF puts in place tougher crypto regulations.
Bermuda is another island trying to become the center of crypto-oriented business and get a significant
chunk of the world’s crypto trading. In July 2018, local authorities passed a Digital Asset Business Act
and an ICO Bill with the purpose of changing banks’ hesitant attitudes in providing services to the
emerging Fintech sector.
Another significant crypto regulatory event on the island is the Information Bulletin released by the
Bermuda Monetary Authority (BMA) in September 2018, which provided clarity on the digital asset business
license and advocated a strong AML regime. The island’s financial crypto regulations cover all market
participants: digital asset exchanges, alternative trading platforms, ICOs, custodial wallet service
providers, dealers, traders, and payment service businesses. This will give a green light to the island’s
crypto economy and blockchain innovations and help with capital formation opportunities, all while
guarding against fraud and other misconduct.
Other countries worth mentioning as players in crypto land are Canada, Mexico, Saudi Arabia, India,
North Korea, South Korea, Taiwan, and China. Taiwan, for example, has only a partial oversight of
virtual currencies with the purpose of promoting innovation and with a primary focus on AML policies
and their implementation, developing comprehensive VC and ICO regulations and creating the Thai Anti-
Money Laundering Office’s own e-wallet to investigate digital assets-related crimes and possibly
confiscate cryptos involved in fraud.45
North Korea and Saudi Arabia are a big concern for the FATF. North Korea experienced a significant
failure in connection with its AML regulations and their enforcement, which presented a tremendous
threat to the global financial community. On numerous occasions, the FATF has addressed this issue,
bringing special attention to the relationship between country member FIs and individuals or businesses
from North Korea, especially in light of financial sanctions based on the UN Security Council
Resolutions.
As for Saudi Arabia, in the eyes of the international regulatory authorities, even though the country “has
developed a good understanding of its ML and TF risks through its national risk assessments,” its
authority is lacking the will to conduct “sophisticated financial analysis to effectively support
investigations, in particular those into more complex cases of ML.”46 Also, “Saudi Arabia is not
effectively investigating, and prosecuting individuals involved in larger scale or professional ML
activity.”47 It is also not effectively confiscating the proceeds of crime. One of the positives is that “Saudi
Arabia conducts comparatively intensive supervision of the higher-risk sectors in accordance with a risk-
based approach.”48
The Kingdom prohibited the circulation of cryptos, even though there has been progress in the adoption
of blockchain technology, and the country’s own cryptocurrency is about to be launched in 2019. Saudi
Arabia plans to use state-backed cryptocurrency to assure speed and cost-effectiveness of cross-border
transfers and payments. Of course, the idea of ‘decentralization’ of anything(!) in a country like Saudi
Arabia, with its traditions of rulership, probably doesn’t have a real chance to flourish.
Lastly, a big concern for the U.S. and the international compliance community is Venezuela’s Petro
cryptocurrency, which is oil-backed and was created in December 2017 to combat international sanctions.
The current U.S. administration banned Venezuela’s state-owned crypto by releasing a new executive
order through which Petro was put on a list of assets and instruments included in the financial sanctions.49
5. CONCLUSION
Analysis of major global crypto developments proves that digital asset-related crimes of different
complexity have been overtaking the crypto space, and fraudsters will continue capitalizing on financial
institutions’ vulnerabilities and systemic weaknesses. To fight crypto crime and therefore support
innovation and capital formation opportunities, regulators around the world who govern blockchain and
cryptocurrency tech and compliance must develop comprehensive legislation based on global cooperation
between policymakers and law enforcement agencies.
“Safety” in crypto land is a big concern for all market participants, including exchanges, alternative
trading platforms, money services businesses, institutional investors, investment advisers, broker-dealers,
fintech companies, attorneys specializing in crypto law, private funds, firms assisting issuers with ICOs
and ISOs, and companies providing advice to their clients in connection with digital assets. Opportunities
for fraud and various crypto-related misconduct are becoming more and more sophisticated, and we
cannot predict how they will develop in the future. One thing is for certain: the crypto community needs
strong measures combatting fraud, money laundering, and terrorist financing.
Today, we don’t know the most useful blockchain use cases, nor do we know all the particulars that
regulators should take into consideration in developing well-customized rules and regulations. This
presents a tremendous challenge for emerging crypto markets and can be a big hurdle for developing new
ways to fight nefarious actors who use the same blockchain technology for their fraudulent and
manipulative activities. Another burden for a financial institution is trying to comply with various
regulatory schemes with conflicting laws and confusion regarding the definition of what cryptocurrency is
and who should regulate cryptos.
Also, considering the transnational nature of crypto business and the fact that, as we saw, different
jurisdictions have different regulatory frameworks in connection with digital assets, it is imperative that
major market players put forth combined efforts to create unified cross-border regulatory measures to
prevent potential fraud and give certainty to a crypto market in capital raising and investor protection.
As a protective measure, capital formation and support of blockchain technology should go hand-in-hand
with the efforts of compliance experts and law enforcement authorities to fight manipulative and
fraudulent crypto-related practices. This is an essential part of the system for handling the risks presented
by blockchain and cryptocurrency technologies.
Crypto land, with its lack of specific and clear regulations, is inherently rife with risks that present a great
danger for most unsuspecting investors. Bad actors, including fraudsters, criminal groups, terrorist
organizations, and state sponsors are trying to find new and more sophisticated venues to exploit financial
markets. With their endless greed, they also take full advantage of crypto hype, conduct shady marketing,
and advertise get-rich-quick virtual schemes which result in most participants incurring significant losses.
There are over 70 identifiable risk areas arising from crypto activities, with a large group belonging to the
high-risk category.
Understanding and mitigating those risks is a primary obligation and a core task of each financial
institution involved in crypto-oriented business. This can be very challenging considering that digital
asset compliance is at its earliest stages. A robust crypto risk assessment should address FI vulnerabilities
and identify the weakest links in the chain, be specifically tailored for virtual currency-related crimes, and
protect against those unique challenges and threats. It should be an essential part of regulatory and
transactional policies, which will help financial institutions to establish relevant common standards, to
protect investors, promote technological innovations, and support the growth of the crypto economy.
Identifying risks and their reassessment should be an ongoing process, as should risk control and testing.
A firm’s methods and processes for managing crypto-related risks should be reflected in its specific set of
policies and procedures and be based on the financial institution’s business model and appetite for risk. As a
central part of enterprise-wide risk management, it should cover potential business impacts and likelihood
of crypto-related crimes. AML/FIU officers will identify and assess weaknesses and vulnerabilities and
ensure remediation activity tracking and closure. Risk assessment should also include internal and
external risk assessments (penetration testing), as well as vendor management.
To accomplish all this, market participants should employ highly advanced fintech tools and automatic
systems which offer identity verification, source of funds confirmation, entity resolution, and risk scoring
while meeting compliance and regulatory obligations. We should understand that the rules of the game
are changing. Why should we care? As with major paradigm shifts, the digital revolution will transform
the financial industry and its business models. We are part of this revolution, and while digital asset-
related opportunities flourish, so does crime.
Financial institutions must be ready for a never-before-seen puzzle of challenges, especially in the digital
space, and adapt to a new reality of fast-changing technological innovations. We expect a period of
speculation and misuse before we step into a new era, when the financial industry will be unrecognizable,
with multiplying efficiency and value.
So, are we ready for mainstream crypto? Are we fully equipped to assure market integrity and investor
protection and to guard against crypto fraud? The risks of disruption cannot be ignored. We should brace
ourselves and ask the question:
“Do we want to be a disruptor or allow ourselves to be disrupted?”
REFERENCES:
1. https://docs.house.gov/meetings/BA/BA01/20180620/108476/HHRG-115-BA01-Wstate-NovyR-20180620.pdf
2. https://unicwash.org/oped-cybercrime/
3. https://www.acams.org/aml-white-paper-distributed-ledger-technology/
4. https://bitcoin.org/bitcoin.pdf
5. http://www.finra.org/sites/default/files/FINRA_Blockchain_Report.pdf
6. https://www.esma.europa.eu/sites/default/files/library/2016-773_dp_dlt_0.pdf
7. http://www.finra.org/sites/default/files/FINRA_Blockchain_Report.pdf
8. https://www.esma.europa.eu/sites/default/files/library/2016-773_dp_dlt_0.pdf
9. https://coinmarketcap.com/
10. https://www.ccn.com/interview-indiegogo-founder-talks-security-tokens/
11. https://www.sec.gov/news/public-statement/statement-clayton-2017-12-11
12. https://finance.yahoo.com/news/moneyconf-2018-tokenisation-everything-explained-220557064.html
13. https://ciphertrace.com/wp-content/uploads/2018/10/crypto_aml_report_2018q3.pdf
14. Ibid
15. Fraud and Money Laundering: Can you Think Like a Bad Guy? By Dennis M. Lormel http://www.dmlassociatesllc.com/files/dml_whitepaper_20120223.pdf
16. Ibid
17. Ibid
18. Perspectives, Partnerships and Innovation. By Dennis M. Lormel http://www.dmlassociatesllc.com/files/dml_whitepaper_20110118.pdf
19. Ibid
20. Ibid
21. https://www.ccn.com/coincheck-hackers-have-already-laundered-40-percent-of-stolen-nem/
22. https://www.bankinfosecurity.com/hacked-mt-gox-bitcoin-exchange-chief-maintains-innocence-a-11904
23. https://www.thehaguesecuritydelta.com/media/com_hsd/report/209/document/iocta-2018.pdf
24. https://qoinfaucet.com/europol-hardcore-criminals-are-shifting-from-bitcoin-to-monero-zcash-and-dash/
25. Fraud and Money Laundering: Can you Think Like a Bad Guy? By Dennis M. Lormel http://www.dmlassociatesllc.com/files/dml_whitepaper_20120223.pdf
26. Ibid
27. Gilles Hilary. Cyber-Governance. Georgetown University McDonough School of Business, CRCP Program
28. https://eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf
29. Ibid
30. Acams.org ACAMS Advanced Certification Risk Assessment – The Foundation
31. https://bsaaml.ffiec.gov/manual/RegulatoryRequirements/02
32. Ibid
33. https://www.linkedin.com/pulse/solving-3-trillion-id-management-problem-while-stopping-bingham/
34. Ibid
35. www.moneylaundering.com/news/eu-regulator-proposes-expanding-aml-rules-to-crypto-assets/
36. https://eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf
37. https://blogs.pwc.de/compliance-fs/tag/5th-anti-money-laundering-directive/
38. https://finance.yahoo.com/news/japan-slaps-6-licensed-cryptocurrency-141442421.html
39. https://www.facebook.com/clyde.vanel/posts/10156105177852333?__tn__=C-R
40. https://www.sec.gov/files/OCIE%202019%20Priorities.pdf
41. https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2018.pdf
42. https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-delivered-2018-chicago-kent-block
43. Ibid
44. https://www.maltachamber.org.mt/en/muscat-cryptocurrencies-will-eventually-replace-money
45. http://www.nationmultimedia.com/detail/national/30353556
46. http://www.fatf-gafi.org/publications/mutualevaluations/documents/mer-saudi-arabia-2018.html
47. Ibid
48. Ibid
49. https://www.whitehouse.gov/presidential-actions/executive-order-taking-additional-steps-address-situation-venezuela/