ACFCS ‘Don’t Be Spooked by Crypto Workshop’ Takeaways: As crypto transactions soar into trillions of dollars, risks rise for bank AML oversight, more customers could be exchanges in disguise

The Skinny:

  • ACFCS this week capped its official two-day “Don’t Be Spooked by Crypto Workshop,” where top thought leaders in the public and private sectors offered critical insight on criminal trends, regulatory focal points and vulnerabilities that could victimize virtual exchanges and banks.
  • One high level theme that speakers highlighted is that the worlds of virtual value and brick-and-mortar banks are moving ever more closely together, with more than $4 trillion in crypto payments in a pandemic-pummeled 2020, a soaring financial throughput that took credit cards decades to eclipse.
  • As well, the touchpoints with the formal financial system are also expanding because regardless of the type of coin used – big names like Bitcoin, memecoins with a dog on them or privacy coins like Monera and Zcash – virtual value transactions chiefly begin and end with banks.
  • That also means more scammers using crypto coins to cash out on their schemes. So are all crypto exchanges bad? Broadly, compliance programs at most exchanges have improved, but there is a small subset that processes a disproportionate amount of illicit transactions, particularly those tied to cyber-enabled frauds, ransomware and related breaches and attacks, said one speaker. 

By Brian Monroe
bmonroe@acfcs.org
October 13, 2021

ACFCS this week capped its official two-day “Don’t Be Spooked by Crypto Workshop,” where top thought leaders in the public and private sectors offered critical insight on criminal trends, regulatory focal points and vulnerabilities that could victimize virtual exchanges and banks.

One high level theme that speakers highlighted is that the worlds of virtual value and brick-and-mortar banks are moving ever more closely together, with more than $4 trillion in crypto payments in a pandemic-pummeled 2020, a soaring financial throughput that took credit cards decades to eclipse.

With speculators, longtime individual and institutional investors – and even entire countries jumping whole hog into crypto because of the instability and inflation in their own fiat currencies – the nascent and volatile space is “growing like crazy,” said one speaker from blockchain analytics heavyweight, and event partner, CipherTrace.  

As well, the touchpoints with the formal financial system are also expanding because regardless of the type of coin used – big names like Bitcoin, memecoins with a dog on them or privacy coins like Monera and Zcash – virtual value transactions broadly begin and end with banks.

Financial institutions are the on-road and off-road to roiling worlds of value tucked away on an immutable blockchain.

Banks also face regulatory wrath and real risks tied to oversight of customers engaging in the crypto space.

That was evidenced in a profound and public way with the January 2020 U.S. Treasury Office of the Comptroller of the Currency action against M.Y. Safra bank for lax anti-money laundering (AML) efforts for a host high-risk transactions tied to risky jurisdictions involving digital asset customers, including:

  • Digital currency exchangers
  • Digital currency ATM operators
  • Crypto arbitrage trading accounts
  • Blockchain developers
  • Fiat-to-crypto money services businesses 

What is crypto? Security, commodity or financial oddity?

One of the biggest challenges for compliance professionals tied to virtual value is that there is no global definition of what they are, with some jurisdictions calling them a store of value, others a commodity, others a security, and finally, some deeming them on par with fiat currency.

There is “a lot of controversy in the U.S. government about who regulates what,” said one speaker.  

That means if you are a crypto exchange, or large international bank with crypto customers, “you need to have a unified risk and reporting mechanism across all of these cryptocurrencies. All of the transactions begin and end with a bank,” said another speaker.

But what a customer is doing in the digital value space is not always clear.

In some cases, money services businesses (MSBs) could open a bank account and not declare themselves to be remitting money internationally or acting as a virtual currency exchange.

The result: some speakers see over the next six months a potential increase in enforcement in such cases and an overall rise in scrutiny tied to crypto exchanges getting inline with rising industry information capture and exchange standards, such as the Paris-based Financial Action Task Force’s (FATF) Travel Rule. 

Pandemic has fueled romance scammers to drain accounts, use crypto to evade rules, create money mules

Attendees also got to see a case study of how blockchain analytics heavyweight CipherTrace used address clustering heuristics to follow the money tied to a terror group’s funding cycle.

The investigation followed a suspected address, hopping to different nodes on the blockchain, touching multiple exchanges and going forward and backward on chain to build out profiles to uncover illicit groups trying to evade detection.

But it is not just terror groups looking to enrich their coffers with the speed and global reach of crypto coins.

More fraudsters and romance scammers are coaching victims to not just liquidate their savings, but transmute them into virtual value before sending the digitized funds to addresses and exchanges controlled by criminal groups.

The coronavirus pandemic has opened new avenues for schemers looking to take advantage of the feelings of isolation and loneliness, with some illicit groups specifically targeting older individuals to offer companionship and affection.

What’s worse is that even after these vulnerable, in many cases elderly, people lose their entire life savings – sometimes hundreds of thousands of dollars – the scammers still don’t let go.

“Their utility doesn’t end when the money dries up, it just changes,” said one speaker. “After they lose all the money, they become a money mule.”

How to separate the crypto exchange wheat from the chaff? The five dimensions of risk

But with, in some cases, scammers literally coaching victims on how to buy crypto with their savings and even what addresses and exchanges to use, that begs the question: how does a bank or regulator parse out the risky exchanges – ones that might have lax AML programs or be tied to cyber-frauds – from the rest?

That is where reviewers must analyze and scrutinize the “five dimensions” of virtual asset service provider (VASP) risk. 

They are:

AML/KYC procedures

Does the crypto exchange in question have a dedicated AML program, compliance officer and does it capture and share know-your-customer information on users with banks or other crypto exchanges.

Jurisdictional risk

What is the domiciled location of the exchange and, if it is registered, where is it registered? 

Different countries have wildly different AML control requirements for crypto exchanges, spanning the gamut from none at all, to stringent rules on par with banks, to outright banning any and all crypto trading, mining and holding.

Private placement

Does the exchange allow transactions with or have some form of privacy coin support? 

That would make it difficult for the exchange to monitor or report on coins having specific red flags tied to illicit entities and dark net markets as they can’t be monitored. 

The exchange also likely couldn’t confirm source of funds or intersections with risky addresses.

Fiat support capabilities

While banks worry about direct connections to crypto exchanges, those exchanges might also be connected to crypto exchanges that only exchange with other exchanges – which may themselves be high risk.

Those exchanges, because they don’t touch other physical jurisdictions, may not be subject to the same AML rules. 

And for banks, they might not be able to see a “nested” transaction that originated from a crypto exchange, going through a second exchange to the bank. 

The illicit source would be “completely hidden,” said one speaker.

Interaction risk

Crypto exchanges have touchpoints with a wide array of entities, individuals, companies and more, good and bad.

So it is vital to gauge the percentage of its transactions that are conducted with entities deemed high risk, including: darknet markets and vendors, gambling sites, risky exchanges, mixers, blacklisted entities and cyber-enabled frauds, like malware and ransomware.

Bonus risk ratings

Does the exchange engage in any on-chain transaction monitoring, or work with third parties, that engage in trade surveillance? 

Is it easy to find names and details on the company and its doing business as name, or names and contact details of owners, controllers and top compliance officers? 

Are crypto exchanges just cyber-fraud funneling, virtual value villains?

Speakers at the workshop also noted that ransomware and related crypto payments have become a top-of-mind issue for governments around the world, including the United States.

Last month, the U.S. Treasury, for the first time, sanctioned a virtual currency exchange for laundering cyber-fraud ransomware payments.

The Office of Foreign Assets Control (OFAC) designated SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, for its part in “facilitating financial transactions for ransomware actors.”

OFAC stated at the time SUEX facilitated transactions involving illicit proceeds from “at least eight ransomware variants,” with further analysis uncovering that more than 40 percent of the exchange’s known transaction history was “associated with illicit actors.” 

Overall, ransomware attacks are “increasing in scale, sophistication, and frequency, victimizing governments, individuals, and private companies around the world,” according to the U.S. Treasury, adding that last year, ransomware payments reached more than $400 million, more than four times their level in 2019.

The U.S. government estimates that these payments “represent just a fraction of the economic harm caused by cyber-attacks, but they underscore the objectives of those who seek to weaponize technology for personal gain,” according to U.S. government.

Such attacks are tantamount to national security threats because in addition to the “millions of dollars paid in ransoms and recovery, the disruption to critical sectors, including financial services, healthcare, and energy, as well as the exposure of confidential information, can cause severe damage.”

So how is the U.S. responding?

In June, officials yielded more details on the Biden Administration’s ransomware strategy, which includes four lines of effort:

  • Disruption: Of ransomware infrastructure and actors by working closely with the private sector.
  • International cooperation: To hold countries who harbor ransom actors accountable.
  • Expanding cryptocurrency analysis: To find and pursue criminal transactions.
  • Paying the piper: Reviewing the USG’s ransomware payment policies and approaches.

So does that mean all crypto exchanges are AML-flouting, cyber-fraud funneling, virtual value villains?

Not exactly, according to one government speaker.

Broadly AML programs at exchanges “have improved,” said the person. “But there is a small subset of the exchange universe that processes a disproportionate amount of illicit transactions, particularly those tied to cyber-enabled frauds, ransomware and related breaches and attacks.”