Bridging the compliance gap: building AML controls for crypto
Learn the key principles for designing a robust AML compliance programme in crypto, with BVNK and Chainalysis.
As blockchains become integrated into payment systems, financial crime compliance programmes need to adapt. So how do compliance teams manage AML risks associated with crypto payments? And how do controls differ from fiat?
I teamed up with Amardeep Thandi, Director, Crypto Regulatory and Compliance, Chainalysis to answer some of these questions. You can watch our talk in full from Currency LDN 2024 here.
Blockchain analytics help you understand who you’re transacting with
At the heart of any effective financial crime compliance programme for crypto is blockchain analytics. Blockchains are immutable public ledgers, recording all transactions made. But at first glance, they don’t tell you who you’re interacting with.
A payment made on a typical public blockchain ledger shows alphanumeric strings, known as wallet addresses. They're the crypto equivalent of bank account numbers.
Blockchain analytics platforms like Chainalysis help to de-anonymise this information. Their data scientists use analytics, heuristics, open source intelligence, and information gathered from law enforcement and fintech partners to group or ‘cluster’ together wallet addresses based on behaviours.
Then they do the hard part: identify the real world entity associated with those groups of wallet addresses. This can be incredibly powerful. For example, in 2022, the Office of Foreign Assets Control (OFAC) in the US sanctioned Hydra Marketplace, a dark-net marketplace, identifying 117 associated crypto wallet addresses. Chainalysis took those 117 addresses, applied its analytics, and identified 6 million more.
As this example shows, if you're processing crypto transactions but you don't use blockchain analytics, you could be interacting with a sanctioned entity without knowing it.
Blockchain data platforms like Chainalysis give this kind of intelligence to their fintech partners, but they also feed it back to law enforcement and intelligence agencies to drive investigations. And they provide it to regulators and central banks to support market supervision and the creation of country risk assessments.
At BVNK, we partner with platforms like Chainalysis to build real-time transaction monitoring programmes, assess financial crime risk and investigate suspicious activity. More on how we do that later – but first let's look at another key piece of the crypto compliance puzzle: customer due diligence.
Due diligence for crypto: how to get comfortable
Due diligence is an important part of any compliance programme. But as a bank or upstream provider, how can you understand the risks of working with partners who transact in crypto?
Whether your customer operates in crypto or fiat, many of the assessments you need to make are the same. If you're a bank onboarding an electronic money institution for example, you'd need to understand things such as:
- the nature and purpose of the relationship
- their reputation
- who their customers are
- the jurisdictions where they operate, and where their customers are located
- the services they offer
- what their financial crime risk framework looks like
These kinds of questions also apply for onboarding a crypto platform. While many of the assessments to be made are the same, there are some differences. ‘Crypto’ is a broad category, so it’s important to understand the product or service offered by the business you're onboarding, and the specific risks that it might expose you to.
After you've done your initial assessments, and if your prospective customer is already transacting on a blockchain, you can use blockchain data platforms to see whether the potential risks identified are materialising. This allows you to ask your customer the right questions about how they’re mitigating those risks, and identify risks not identified by your typical risk assessments. All in all, it means you can become a lot more comfortable with who you're doing business with.
So, let's imagine you’ve onboarded your customer. Now, you need to monitor ongoing crypto activity and put in place the right controls to detect financial crime risk. Let's look at the next steps.
Building your crypto risk management framework based on ‘exposure’
Blockchain analytics tools give you a better picture of your exposure to financial crime risks, which you can use to set thresholds and build controls.
For example, for any customer or transaction, you could use the Chainalysis platform to see your exposure to different service categories, such as 'crypto exchanges' or 'crypto ATMs'. That allows you to set thresholds and produce relevant alerts, as part of your broader risk management framework.
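One way to turn per-category exposure thresholds into alerts, as an added example (not BVNK or Chainalysis code). The category labels, sample transfers and limits are constructed, and the policy is keyed on sub-category as well as category so that one category can carry different limits for different kinds of counterparty.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: one customer's inbound transfers, already labelled with a
# counterparty category and sub-category (labels are hypothetical).
TRANSFERS = [
    {"amount": "6000", "category": "exchange", "sub": "regulated"},
    {"amount": "1500", "category": "exchange", "sub": "unregulated"},
    {"amount": "50", "category": "exchange", "sub": "sanctioned_jurisdiction"},
    {"amount": "1200", "category": "crypto_atm", "sub": None},
    {"amount": "1250", "category": "merchant_services", "sub": None},
]

# Hypothetical policy: maximum tolerated share of total volume per category.
# 0 = "severe" (any exposure alerts), 1 = "low" (never alerts).
POLICY = {
    ("exchange", "regulated"): Decimal("1"),
    ("exchange", "unregulated"): Decimal("0.10"),
    ("exchange", "sanctioned_jurisdiction"): Decimal("0"),
    ("crypto_atm", None): Decimal("0.05"),
}
DEFAULT_LIMIT = Decimal("0.05")  # assumed limit for categories with no rule


def exposure_shares(transfers):
    """Share of total volume per (category, sub-category)."""
    totals = defaultdict(Decimal)
    for t in transfers:
        totals[(t["category"], t["sub"])] += Decimal(t["amount"])
    grand_total = sum(totals.values())
    if not grand_total:
        return {}
    return {key: value / grand_total for key, value in totals.items()}


def exposure_alerts(transfers, policy=POLICY, default=DEFAULT_LIMIT):
    """Return (key, share, limit) for every exposure above its limit."""
    alerts = []
    shares = exposure_shares(transfers)
    for key in sorted(shares, key=lambda k: (k[0], k[1] or "")):
        # Most specific rule wins: sub-category, then category, then default.
        limit = policy.get(key, policy.get((key[0], None), default))
        if shares[key] > limit:
            alerts.append((key, shares[key], limit))
    return alerts


if __name__ == "__main__":
    for (category, sub), share, limit in exposure_alerts(TRANSFERS):
        print(f"ALERT {category}/{sub}: {share:.1%} exposure, limit {limit:.0%}")
```

With this sample, a single limit on "exchange" as a whole could not separate the 60% regulated share from the 0.5% sanctioned-jurisdiction share; keying the policy on sub-category lets the small severe exposure alert while the large low-risk one does not.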
Amardeep Thandi, Director, Crypto Regulatory and Compliance, Chainalysis, spends a lot of time working with customers to help them develop and operationalise their risk management frameworks for crypto. He explained: “The easiest place to start is with ‘low’ and ‘severe’ risks. It’s straightforward to decide on what types of businesses you do or do not want to work with... Where I spend most of my time working with clients is in the middle. For example, can they get comfortable with 5% exposure for one category, 10% for another, and so on…”
"It’s also important to dive deeper into these categories,” added Amardeep. "For example 'crypto exchanges’ might include regulated and unregulated exchanges, as well as exchanges based in sanctioned countries so risks can differ."
Fiat vs crypto: how does transaction monitoring compare?
So, we've now got a view of our customer from 1000 feet, and the general risks they might be exposed to. But what does it look like at the level of a payment? What datapoints are available to us to help us build controls?
First let’s consider what we know about our customer. Whether it’s crypto or fiat, that information is similar, and includes things like KYC information, IP address and device IP. We can use this information to build controls, such as geolocation controls to identify connections with countries that we don’t want to serve.
We can also see a history of any given customer’s activity, meaning we can identify overall patterns for a customer based on their historic activity and set alerts, for example, if there is a deviation.
At the individual transaction level, the information is also similar between crypto and fiat where the Travel Rule applies – including data points such as payer name, account or wallet number and other identity information such as payer address or ID document.
Name and identifying information for a counterparty isn't yet consistently available for crypto payments, but under the new Travel Rule for digital assets, financial institutions in many countries are now required to share information about the sender and beneficiaries, as they do for fiat payments. The Rule is already in place in countries like the UK and Singapore, and it’s rolling out in Europe by the end of 2024.
Building an even richer intelligence picture
When I moved from working as a financial crime investigator in traditional finance to crypto, the most eye-opening thing for me was the ability to see any given counterparty’s activity.
With a crypto payment, I can go into a counterparty's wallet and see all the transactions they’ve ever made since that wallet became active. And all the transactions for that wallet after they sent my customer the transaction. That’s almost like having access to the bank statement of the person who's sending my customer money. It's a valuable source of intelligence and can help to flesh out financial crime investigations and detect patterns, trends and deviations.
But it doesn't stop at being able to see the transactions, or associated risks, for the direct counterparty. With crypto payments, you can also see indirect exposure and risks, meaning I can see beyond the person or entity sending my customer the funds. I can go further forward, or backward, in the chain to see all the activity and risks that may exist in the entire flow of funds.
Is suspicious activity more common with crypto?
There's a perception that illicit activity is more common in crypto than it is in fiat. As a compliance officer or investigator, one measure of that could be the number of Suspicious Activity Reports (SARs) you need to file.
In my experience working across fiat and crypto, I've found the level of SARs filings to be comparable. When we see suspicious activity, there is often a crypto and a fiat element, as that tends to be how money launderers launder their money.
The difficulty with crypto payments though is knowing where to draw the line: when you can theoretically follow funds back to their inception on the blockchain, the concept of 'exposure' becomes vast. In the fiat world, it's more clear cut. A bank, for example, receives funds from an entity. They review the information for their direct counterparties and that's their obligation fulfilled.
With crypto, you're privy to much more information. Amardeep's advice here is not to overly focus your approach on how many 'hops' or links there are in a flow of funds, but instead to look for a change in ownership of those funds, as a more meaningful indicator.
Crypto is the new frontier of financial crime intelligence
So, to sum up: compliance teams can build really robust AML compliance programmes for crypto payments.
The inherent transparency of blockchains is a great base to start from. Combine it with the right analytics tools and frameworks, and you can build a really rich intelligence picture of the transactions you’re processing, which covers the whole history of funds, and direct, as well as indirect, risks. All of that ultimately means you can better detect and prevent financial crime.