Special Elliptic Contributor Report – Avoiding the Bite: Four Things Banks Must Urgently Do for Crypto Compliance

The Skinny:

  • In this ACFCS special contributor report, longtime financial crime compliance thought leader, Liat Shetret, the Senior Advisor for Crypto Policy and Regulation at Elliptic, tackles the challenge of banks banking cryptoasset customers.
  • She scrutinizes the pitfalls and regulatory expectations of when banks provide services to the crypto sector, through the lens of a recent high-profile federal enforcement action against M.Y. Safra Bank.
  • This and other enforcement actions with ties to the rollicking crypto sector, Shetret says, are required reading for fincrime compliance officers and reveal a path for banks directly servicing virtual asset service providers and provides guidelines, and a defensible posture, if an institution has crypto customers – but doesn’t realize it.
  • The story breaks down what are very complex and nuanced compliance rules into four practical, tactical steps.
  • The piece is also timely, building upon the more formal boundaries for what anti-money laundering best practices look like provided in recent years by groups like the Financial Action Task Force and the U.S. Treasury’s Financial Crimes Enforcement Network. 

By Liat Shetret
Senior Advisor, Policy and Regulation, Elliptic
April 7, 2020

The party is over, regulators are now crypto-educated and actively enforcing regulations. The enforcement era is here. Is your bank prepared?

Earlier this year, the Office of the Comptroller of the Currency (OCC) issued a detailed 30-page cease and desist order against a private New York-based bank, M.Y. Safra, for violating the Bank Secrecy Act/Anti-money laundering (BSA/AML) rules.

In Safra’s case, a major regulator has signalled for the first time that banks who are not applying compliance programs to mitigate specific crypto-related risks will be censured and likely fined.

The Consent Order highlights major lapses in Safra’s customer due diligence (CDD).

This included not adequately monitoring and investigating suspicious transactions, filing suspicious activity reports (SARs) and complying with a previous December 2013 Operating Agreement that required a tightening of compliance processes for cryptoasset customers.

Safra had opened and maintained high risk accounts for digital currency exchangers, digital currency ATM operators, crypto arbitrage trading accounts, blockchain developers and incubators, as well as fiat currency money service businesses (MSBs), without adjusting the bank’s compliance program.

Even if your bank is not directly banking cryptoassets, your financial institution is likely exposed to indirect risks from cryptoassets.

Here are four things your bank should learn from these cases to avoid it happening to you:

(1.)Lean in to Crypto-Education and Training:

Regulatory actions provide a golden learning opportunity for the financial services industry, as major supervisory bodies have ‘broken their silence’ with regards to how they expect banks to manage cryptoasset customers.

Reviewing the Consent Order and other regulatory press statements and enforcement actions should be compulsory reading for compliance teams in banks.

This is not only true for those that are considering directly banking cryptoassets, but also those who likely have customers engaged in trading cryptoassets and are therefore exposed to secondary indirect cryptoasset risks.

Banks should dedicate resources for updating training programs as well as policies and procedures for managing cryptoassets, and spend time familiarizing themselves with technological developments impacting lines of business.

(2.) Conduct a Crypto Risk Management Health Check: 

The digital asset ecosystem has evolved, matured and developed and there is an increasingly dynamic and sophisticated crypto-banking nexus posing both risks and opportunities for banks.

Regulators have been working hard to identify and close loopholes at this nexus and are expecting banks to follow suit. Regulators are not just watching, they are now enforcing and taking action.

Simply banning or debanking customers that handle cryptoassets will only safeguard a bank to a limited extent.

Clear regulatory guidance is now available for financial institutions, and doing nothing on cryptoasset risk management is no longer an option. Banks are expected to be taking appropriate measures and the knowledge, tools and frameworks are available to enable the application of a refined risk-based approach.

For example, ensuring your institution is revisiting all five pillars of BSA compliance against crypto asset risks is a good place to start. Safra did not engage in this exercise and the OCC took action.

Consider conducting an in-bank exercise to assess how your compliance program stands up against cryptoasset exposure, specifically across all five pillars typical of a fiat compliance program:

  • A system of internal controls to ensure ongoing compliance;
  • Independent testing of BSA/AML compliance;
  • The designation of an individual responsible for day-to-day compliance;
  • Risk-based procedures for conducting ongoing customer due diligence; and
  • Training for appropriate personnel.

Proactively managing and strengthening relationships with auditors and supervisors with the aim of setting expectations and clarifying unknowns may be an additional good practice to streamline.

Remember, the cryptoasset industry is a nascent one and both regulators and banks are hitting a learning curve in applying the risk-based approach when assessing risks for cryptoasset service providers.

(3.) Diligently Treat Cryptoasset Growing Pains: 

Between 2016-2019 Safra significantly increased its volume of transactions and onboarding of crypto business and asset customers.

Its compliance program, however, was not amended to account for the new clients being onboarded. Appropriate risk mitigation measures and controls were not put in place.

Banks should continuously be proactive and refreshing enhanced due diligence (EDD) programs, onboarding procedures and establish vetting points, particularly when engaging with high risk customers or entities based in high risk jurisdictions. Managing high risk customers is possible and the appropriate measures should be adopted and mainstreamed into banks’ compliance programs.

A good place to start is to ensure your bank formulates and sensitizes a risk appetite statement for cryptoassets and adopts commensurate policies and procedures based on the risk based approach.

Defining your risk tolerance is a critical first step for safeguarding the bank against inevitable industry changes.

Adapting the banks compliance program to account for a changing client-base, including for cryptoasset actors was something Safra failed to do.

(4.) Recognize that Cryptoasset Service Providers are not Just Another Money Service Business:

Banks shouldn’t treat cryptoasset service providers exactly as they would other money service businesses (MSBs), such as fiat-only money remittance services, as they pose different risks due to the unique properties of cryptoassets.

Safra bank opened bank accounts for crypto-asset service providers that were managed in the same way they managed accounts for other types of MSBs. This resulted in Safra failing to accurately assess the true level of risk present in its cryptoasset-related relationships.

While familiarizing and identifying key similarities and differences between cryptoasset service providers and MSB’s will help sharpen a bank’s compliance program, additional tweaks are needed to instil specific controls for cryptoassets.

Risk profiles drastically vary and cryptoasset-specific measures should have been integrated.

For example, knowing your client may mean understanding whether a crypto ATM service is offered, and whether the appropriate licensing and registration are in place for crypto-specific activities.

Having the capabilities to identify and understand if illicit sources of funds may be potentially involved is unique to cryptoassets, and derived from blockchain analytics.

Differentiating cryptoasset service providers from other MSBs is important because there have been cryptoasset exchanges which have become havens for money launderers.

Equipping your bank with the tools and know-how to identify and mitigate these specific risks protects your business and assures compliance.

Leaning in to learning about cryptoasset risk mitigation is an important first step for banks not currently banking crypto businesses. Proactively engaging with your financial institution’s supervisors is a great way to build trust, pilot changes and manage growing pains.

Further assessing your institutional BSA/AML compliance program, and assuring all five pillars have been evaluated and assessed against risks posed by cryptoasset exposure will support your efforts to implement the risk based approach effectively.

Cryptoasset service providers are not just another MSB and adjusting your risk profiles and enhancing your analytics capabilities are critical to your compliance success.

Banks continue to be gatekeepers of the global financial system and will need to evolve to successfully navigate the complex financial landscape.

To learn more about cryptoasset risk mitigation and compliance best practices in crypto finance, register for Elliptic’s webinar with the ACFCS at 11 AM ET on May 6th, 2020, What Your Bank Wanted to Know About Crypto Compliance… But Was Afraid to Ask. To learn more and register, click here

About the author

Liat Shetret, Senior Advisor, Crypto Policy and Regulation, at Elliptic.

Liat is a global anti-money laundering and counter-terrorism finance (AML/CFT) expert focusing on crypto policy and regulation at Elliptic.

She has implemented AML/CFT capacity building and financial integrity programs for regulators, financial intelligence units, law enforcement and civil society in emerging markets across Africa and the Middle East.

She holds a Master of International Affairs degree from Columbia University’s School of International and Public Affairs (SIPA) and a BA in political science and psychology from the University of Illinois. She is also a Certified Anti-Money Laundering Specialist (CAMS).