Same, same but different – designing compliance controls for digital assets
We spoke to compliance leaders in fintechs about designing AML controls for digital asset payments, and how it compares to fiat.
For fintech compliance professionals, rule no.1 of payments is clear: don’t commit financial crime.
Most compliance professionals have spent years if not decades working in financial services and know the ins and outs of monitoring fiat payments, in line with expectations from regulators and the global AML watchdog.
But as payments go multi-rail, moving across banks and blockchains, compliance programmes need to adapt. The good news for professionals is that many tried and tested principles still apply – good governance, enhanced due diligence, a risk-based approach, independent audits and so on.
Still, there are nuances of monitoring digital asset payments and carrying out financial crime investigations on blockchains, which are important to understand. The industry is young, so sharing knowledge here is important.
That’s why last week, we brought together leaders from fintechs, banks and crypto firms to discuss how to design the right control environment for digital assets like stablecoins, which are increasingly used for payments.
What’s new about digital assets?
Digital asset payments settle near-instantly on blockchains, which can present a challenge for monitoring teams. But our group agreed this risk isn’t new. Faster payment schemes are growing in fiat payments too: in both cases, compliance teams need to design controls, and soft/hard stops, that balance friction and speed.
What is different with digital asset payments, though, is the amount of data we can see about a transaction, telling us where funds have come from and how they got there. With the right analytics tools, we can build a detailed picture of risk for digital asset payments.
One of our attendees referred to digital assets as the ‘most trackable’ assets in the world. The transparent, auditable and immutable nature of blockchains means you can follow the flow of funds in a blockchain transaction from originator to beneficiary, as well as the entire history of those funds in a way that isn’t possible with fiat payments.
Introducing ‘exposure’
When funds travel from one crypto wallet to another, it’s called a ‘hop’ – and you can track an infinite number of hops, from the moment funds were first moved onto the blockchain to the present day.
Lots of hops between crypto wallets could signal ‘layering’, a typical component of money laundering. But there’s more to analysing risk in digital asset payments than counting hops. Instead, we look at the ‘exposure’ of a crypto wallet. For example: a given wallet may have 10% indirect exposure to a sanctioned jurisdiction and 2-3% direct exposure to a Politically Exposed Person (PEP).
Compliance teams can use blockchain analytics tools like Chainalysis to measure exposure, and set their own acceptable thresholds, based on their risk appetite.
Plugged into global intelligence
In our discussion, we agreed that blockchain data tools have done a great job of building global intelligence communities, where you can share risk data and the outcome of your investigations with other fintechs and with law enforcement.
If you're plugged into this community, you immediately know about a huge number of existing risks, which are continually updated, rather than having to rely on any one analyst to investigate every case. That means fewer ‘false positives’ (legitimate transactions being held), and less unnecessary hassle for customers.
From my own experience in leading investigations at BVNK, I’ve seen how the outcome of our own digital asset investigations has helped notify other providers about risks and vice versa.
Danger of information overload?
Information is power, but too much can be overwhelming. If you could track the £10 in your pocket 30 transactions back to a sanctioned Russian bank, does that mean it’s not legitimately yours?
On the blockchain, that kind of tracking is possible, but as a compliance team, where do you draw the line? There isn’t much industry guidance around this yet, so it’s important that compliance teams apply their usual risk-based approach.
Once a digital asset payment has been flagged, the procedures you follow to make a decision are similar to those in fiat payments. At BVNK for example, we categorise risk ratings into low, medium, high and severe. We build tight thresholds into these rules in line with our risk-based approach.
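The following Python is an added illustration, not code from BVNK or from any analytics vendor. It models exposure as the share of a wallet’s inflows that trace back to labelled entities, either directly or through unlabelled intermediate hops, and maps the result to the low, medium, high and severe ratings mentioned above. The proportional attribution, the hop limit, the wallet names, the labels and the limits are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample ledger: (sender, receiver, amount). Wallet names are made up.
TRANSFERS = [
    ("sanctioned_entity", "w1", 125), ("exchange_a", "w1", 375),
    ("w1", "w2", 200), ("exchange_a", "w2", 200),
    ("w2", "target", 400), ("pep_wallet", "target", 10),
    ("exchange_a", "target", 90),
]
# Assumed attribution labels, of the kind an analytics provider supplies.
LABELS = {"sanctioned_entity": "sanctioned", "pep_wallet": "pep",
          "exchange_a": "exchange"}
# Assumed risk appetite: maximum tolerated share of inflows per category.
LIMITS = {("sanctioned", "direct"): 0.01, ("sanctioned", "indirect"): 0.08,
          ("pep", "direct"): 0.05, ("pep", "indirect"): 0.20}

def exposure(wallet, max_hops=5):
    """Return (direct, indirect) dicts: category -> share of wallet's inflows."""
    inflows = [(s, a) for s, r, a in TRANSFERS if r == wallet]
    total = sum(a for _, a in inflows)
    direct, indirect = defaultdict(float), defaultdict(float)
    if total == 0:
        return direct, indirect
    for sender, amount in inflows:
        share = amount / total
        if sender in LABELS:              # one hop from a known entity
            direct[LABELS[sender]] += share
        elif max_hops > 1:                # trace back through the unlabelled wallet
            d, i = exposure(sender, max_hops - 1)
            for cat in set(d) | set(i):
                indirect[cat] += share * (d[cat] + i[cat])
    return direct, indirect

def rate(wallet, max_hops=5):
    """Map the worst exposure-to-limit ratio onto low/medium/high/severe."""
    direct, indirect = exposure(wallet, max_hops)
    seen = {"direct": direct, "indirect": indirect}
    worst = max(seen[kind][cat] / limit for (cat, kind), limit in LIMITS.items())
    for bound, rating in ((0.5, "low"), (1.0, "medium"), (2.0, "high")):
        if worst < bound:
            return rating
    return "severe"

if __name__ == "__main__":
    print(dict(exposure("target")[1]), rate("target"))
```

Rating the same wallet with max_hops=1 returns low, because the sanctioned source sits three hops back; how far to trace is the line-drawing decision discussed above.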
Machine learning gives advanced protection
Our group also discussed the use of machine learning (ML). ML tools have been used in fiat payment monitoring for decades, but as with any data model, the bigger and better the input, the more powerful the output.
Digital asset payments operate on blockchains which act as transparent, shared, immutable ledgers. This means that fintechs don’t just have their own reference data to feed into ML models, but a vast pool of public global transaction information and history. This makes analytical models which detect financial crime patterns even more effective.
Our group also highlighted that there are more and more AI tools coming to market which use this data to create advanced risk ratings for crypto wallets.
Crypto monitoring brings new challenges
In our discussion, we also talked about challenges that are specific to digital assets. Specifically, anonymity of who’s sending and receiving funds, and the state of regulation.
Let’s start with anonymity. It’s true that as a compliance professional, there are some things you can see with fiat that you can’t with digital assets. For example, in a fiat payment you can always see the payer’s name. This isn’t always the case with digital assets, but the situation is changing.
The Travel Rule, which comes into force for digital assets in Europe in 2024 and is already in place in countries like the UK, US and Singapore, requires financial institutions to share information about the sender and beneficiaries, as they currently do for fiat payments. It applies where the value of a payment is above certain thresholds (typically €1000), and where the wallet owner can be traced (e.g. if it’s hosted by a regulated crypto exchange that has to KYC its customer).
Where the Travel Rule doesn’t apply, compliance teams use a risk-based approach.
Regulation is a moving target
Compliance teams love guidelines because they provide more certainty. But digital assets regulation is still in development around the world. It’s sometimes known as the sunrise issue: national regulators are going live with crypto regulation at different times, so applying controls globally can be challenging.
This is where experience in traditional financial services is helpful. There is a huge amount of regulatory guidance available for fiat payments. If you understand how that guidance was intended, you can apply it to digital asset payments too. At BVNK we call it borderless compliance – and it means operating in the spirit of the rules that do exist, even in places where they don’t.
Similar risk, similar controls, better intelligence
Like all payment rails, blockchains can be used to move the proceeds of financial crime. The risks for compliance teams are similar for both payment types, which means in many cases, you can apply similar controls.
But digital asset payments can be even safer than fiat, if you use the right tools and work with the right partners. And that’s because the intelligence is often more complete, more global and more up to date. I often think back to my time running fiat payment investigations at banks – and I know that if I could show my teams then what they could do with digital assets monitoring, they would be truly amazed.
A huge thank you to everyone who attended our discussion and shared their questions and perspectives. If anyone would like to take part in the next briefing or talk about these topics further, feel free to get in touch.