Key takeaways from the ACFCS Boston Crypto Compliance Symposium

The Skinny:

  • At the ACFCS East Coast Crypto Compliance Symposium in Boston, more than 100 thought leaders, regulators and investigators gathered to analyze challenges, offer solutions.
  • Rising domestic and international AML standards are challenging the crypto sector, forcing them to work together more aggressively than ever before with each other, and legacy banks. The current industry focal point: FATF’s titular “Travel Rule.”
  • Speakers highlighted a bevy of crypto-tinged trends with direct import to financial crime compliance professionals, including more criminals pushing the defrauded masses to buy Bitcoin before paying ransoms.
  • For crypto exchanges themselves, federal investigators are noting more criminals attempting to launder money by swimming virtual assets through multiple privacy-focused coins and even playing in online casinos, which can act as de facto “tumblers” or “mixers.”

By Brian Monroe
bmonroe@acfcs.org
March 9, 2020

As crypto firms work to digest rising domestic and international standards for strengthening financial crime compliance, they are realizing they can’t do it alone.

The surging virtual value sector is feeling additional pressure to partner more aggressively with brick-and-mortar banks to better share information and see all the tiles of a complicated and ever-undulating illicit finance mosaic.

These moves are vital for the nascent but notoriously volatile crypto sector in its quest for legitimacy – a search bolstered, ironically enough, by top U.S. officials stating stronger regulations for crypto firms are coming.

Why? Because strong compliance controls can be viewed as a competitive advantage rather than profit-hungry cost center.

This expected wave of higher compliance standards will crash into a trend noted by investigators that more scammers, spammers and organized criminal groups are pushing the defrauded masses to pay their ransoms in crypto coins – a move done in a bid to thwart law enforcement and muddy the money trails by tumbling into digital worlds.

Those are just some of the key takeaways speakers highlighted for attendees at the ACFCS East Coast Crypto Compliance Symposium 2020 in Boston. The Friday event covered crypto and compliance, the blockchain, trade-based money laundering (TBML), how to investigate crime when it jumps into virtual worlds, cannabis and more.

The event included more than 100 attendees, speakers and technology leaders, an overall diverse mix of compliance professionals, regulators, investigators and other thought leaders analyzing where crypto and compliance converge.

Panel one: Crypto and Traditional Financial Services: Worlds Apart or One World?

In a persisting interlinked irony, though banks consider most crypto exchanges high risk, and both sectors have to implement roughly the same anti-money laundering (AML) rules, in too many cases the virtual universe and legacy banks seem to be worlds apart.

The can learn from each other – crypto firms subject to AML rules can see how banks have improved effectiveness in many of the most historically challenging areas of compliance, while banks can learn from the lean, data and technology-driven fincrime departments of crypto firms, operations also engaging in expansive, holistic and convergent training practices.

Banks also can’t continue to keep their communal heads in the sand and pretend they will never interact with a crypto firm or, worse, just pout, see the sector as upstart competition and pretend they will go away.

That’s because formal virtual currencies and those vying for funding and attention are on the rise – even though they may not have the torrid pace of just a few years ago.

Amidst a boom in recent years in initial coin offerings (ICOs), the way the virtual asset sector raises funds for new crypto coins, overall fundraising soared from $426 million in April 2017 to $6.4 billion in November 2017.

As a point of context, the total amount raised in 2018 was almost $11.4 billion, against little more than $10 billion during 2017, a mere 13 percent growth, according to media reports.

The at-times explosive growth, and then, weeks or months later, hasty retrenchment, of the value of certain crypto coins has caused many banks to see these firms as very risky. 

It doesn’t help that more criminals are pushing illicit funds – from fraud, drugs or cyber hacks – into well known coins, like Bitcoin, or privacy-driven coins, like Monero.

So the panel on Friday wondered aloud: Which is riskier to bank, a crypto exchange or legal cannabis business?

Something that might surprise you: One panelist posited that it’s easier for the legal cannabis operations to get and keep a bank account than some crypto-related firms.

That begs the question: are crypto firms always high-risk?

The panel of Jeffrey Billingham, Mark duBose and Joseph Ciccolo, CAMS, AMLCA, CFE challenged those assumptions on crypto and blockchain and guided a deeper conversation, uncovering that – just as their brick-and-mortar brethren – crypto firms can have a wide array of compliance practices.

In fact, many larger, more well-known crypto exchanges employ big names in the compliance field and have invested heavily in technology to craft world class automated transaction monitoring systems and digital identity verification tools to prevent the risky, anonymous and criminal from using their platforms to legitimize sullied funds and frustrate international investigators. 

Panel Two: Following the (Digital) Money – Case Studies on Blockchain Tracing in Fraud, Sanctions Evasion and More

This panel, bringing to bear deep investigative expertise on the public and private sides of the equation, unraveled one of the biggest fallacies of the crypto world: Bitcoin and many other cryptocurrencies aren’t really anonymous.

Those transactions can be traced along the blockchain, a fact that can be crucially important in criminal investigations, threat intelligence and risk management – even though the names on the public ledger may not always have an apparent tangible link back to a flesh-and-blood user.

In this session, members of law enforcement illustrated exactly how they followed the digital money using real-world cases and gave insights on how criminals are exploiting cryptocurrencies along the way.

One takeaway that should not be lost on financial crime compliance professionals: Criminals are migrating to privacy coins like Monero and person-to-person (P2P) exchanges like LocalBitcoins and Tandem, critical risk points that can help uncover threats for analysts at crypto exchanges and legacy banks.

Even so, law enforcement and crypto firms are getting better at following the (digital) money, according to Hank Basile and Jordon Sorrell from Homeland Security Investigations (HSI) and Joanna Marathakis from Circle, by partnering up and using bespoke analytical tools to make connections hidden in the ether of cyberspace.

Another question that got attendees talking: Are online casinos de facto crypto coin mixers?

Marathakis argued that in some instances, that is the case. 

Criminals are targeting online casinos with weak AML due diligence practices, those asking few questions about source of funds and that can move money internationally to act as pseudo “mixing” or “tumbling” services.  

In essence, the criminal can load funds from a bevy of sources – crypto exchanges, stolen credit and debit cards and illicitly-charged prepaid cards – into an online casino, and, after losing or winning, it doesn’t matter, pull the funds out as a transaction to a bank or other crypto exchange. 

To many receiving institutions, the funds would simply be viewed as the legitimate winnings of a lucky gambler.

That is just one of the red flags financial crime compliance professionals at crypto exchanges should be aware of when analyzing transactions and risk ranking users.

Panel Three: Crypto Compliance After the FATF Guidance – What it Means for Crypto Exchanges, Banks and Others

Last June the Financial Action Task Force (FATF) issued its long-awaited guidance on the regulation of virtual assets, including cryptocurrencies, ushering in a new era for all stakeholders in the crypto space.

The move is also causing a massive schism in the virtual asset sector into those with AML programs inline with international standards and those that don’t – or simply chose not to operate any more.  

For regulators, the guidance creates new pressure to ensure that crypto firms are in full compliance with their fincrime mandates.

For both crypto exchanges and banks, the guidance has raised new compliance challenges, including compliance with the requirement that customer and transaction data must move from crypto exchange to crypto exchange and to banks – the nexus between the virtual and physical worlds.

That requirement, colloquially dubbed the “Travel Rule” and the push for greater visibility into crypto transactions has caused a ruckus in the already raucous and privacy-focused crypto sector, with some saying the obligation is impossible to meet and others offering potentially costly solutions in dense and didactic whitepapers.

In this session, attendees heard from regulators and crypto compliance experts on how they’re responding to the guidance and what comes next.

The general consensus: more pressure and expectations are incoming, requiring exchanges to band together to find out how to balance transactional transparency, user privacy, regulatory scrutiny and law enforcement inquiries.

One question that immediately grabbed the audience’s attention: For banks considering virtual asset relationships, are there good crypto firms and bad crypto firms?

The answer was yes, according to panelists.

But that teases out a further line of inquiry: How do you tell the difference and weed out bad actors?

To get the right answer, try asking better questions, according to Joseph Ciccolo, CAMS, AMLCA, CFE, founder of BitAML, Steve Ryan, the CCO at CipherTrace, and Adam Goldstein, Deputy Chief Compliance Officer and Program Governance Head for Gemini Trust.

Such queries could include: 

  • Is the crypto firm you are banking registered with FinCEN?
  • Is the crypto firm licensed at the state level or has acquired the appropriate licenses in the countries it operates or takes and receives payments and related transactions. 
  • Does that crypto firm send and respond to Patriot Act Section 314(b) requests, which allow financial institutions to share information on entities suspected of money laundering?
  • Is the crypto exchange engaging in high risk activity, such as having ties to darknet markets or tumbling sites or transacting in higher risk jurisdictions, like Russia?

If the answers to some or all of these questions are yes, you might have a bad crypto firm on your hands.

Moreover, the pressure on crypto firms to better root out bad apples, and not be judged as a “bad” crypto firm, is only going to increase this year.

More crypto regulation is likely in the U.S. in the coming months, but for both exchanges and financial institutions, that’s likely a good thing.

Compliance has become a competitive advantage for the crypto world, panelists said. 

“It doesn’t matter whether you are in crypto or traditional banking, the same rules apply [in terms of financial crime compliance requirements],” Ciccolo said. “These are the rules in the books, and everyone has to follow the rules.”

Panel Four: Blockchain Applications in the Financial World – Use Cases in Digital Identities, Contracts and More

In this panel, a noted expert with a deep bench of experience in both government financial crime investigations and private industry aspirations highlighted how distributed ledger technologies, or blockchains, go far beyond cryptocurrencies.

The technology has a much longer lineage than most realize, going back decades, and now encompasses from digital identities to smart contracts and much more.  

In recent years, there has been an explosion of blockchain-based applications that could have major impacts on financial crime compliance.

But separating fact from fiction can be tricky. 

This session cut through hype to give real-world case studies on blockchain tech already in use in fincrime compliance, and a look ahead to what’s coming in the future.

Dr. David Utzke, an agent and Senior Analyst with the U.S. government, helped attendees learn about how distributed ledger technologies, blockchain solutions and artificial intelligence coming together to change the world. 

How? These technologies are making cities smarter, contracts more agile and create counter-crime systems that are more intuitive and adaptable, better analyze massive and varied sources of data and cement processes and results into being on an immutable ledger. 

Utzke also provided an illuminating jaunt through history, helping attendees understand how centralized virtual currencies morphed into decentralized crypto currencies in the first place.

 “Smart Cities worldwide are using blockchain as the foundation of plans to enhance urban living,” among other aims, he said, highlighting where distributed ledger technology (DLT), the Internet of Things (IOT) and artificial intelligence (AI) “work together toward the overall goal of digitizing technologies. These systems can encompass everyday life.

Utzke also helped attendees better understand a dizzying array of loudly buzzing buzzwords typically associated with crypto, but have only recently merged into being.

For instance, he stated that Distributed Ledger Technology (DLT) and Digital Currencies are distinctly different technologies.

Some key concepts to understand:

  • ¨ DLT is not exclusively used for digital currency.
  • ¨ As of May 2019, there are over 861 variations of blockchain (1st Generation DLT) and hundreds of blockless distributed ledgers (5th Generation DLT) each with uniquely distinct architectures.
  • ¨ DLT has the crypto-economic purpose of reducing or eliminating intermediaries and has the ability to reduce financial crime as a result. However, it is important to be aware that it can create new points of entry for fraud and financial crime.

What does DeFi mean?

  • DeFi is an acronym of Decentralized Finance, which refers to a technology set that aims to replicate and innovate on current financial services models/products using decentralized blockchain technology. 
  • These financial services range from Digital Assets that may or may not represent assets in the real world, to financial smart contracts that can replicate derivative products found in traditional finance markets.

For Crypto Lending & Borrowing, how do these decentralized protocols work?

  • DeFi lending platforms provide loans to users or businesses in a trustless manner (i.e., without any intermediaries), whereas the lending protocols allow every participant to get interest on crypto coins and tokens.

What is DeFi Banking?

  • That is banking done via the blockchain, which can resolve some the issues tied to DeFi lending platforms, including transacting in a trustless manner without intermediaries. Privacy comes from the security of the blockchain’s distributed ledger.
  • Since the blockchain can handle everything, including peer-to-peer transactions, there is no longer a need for intermediaries. Blockchain in retail banking: Making the connection | McKinsey

But how do crypto sector participants handle some of the AML compliance sector’s bread and butter basics, like know your customer (KYC) duties?

The answer? By banding together to share knowledge, data and best practices. Here is an example:

  • A consortium of six banks and licensing authorities in the UAE, formed Feb 2020, to share verified data about customers using blockchain.
  • The six banks in the consortium include Emirates NBD, Emirates Islamic (the Sharia-compliant subsidiary of Emirates NBD), HSBC Bank Middle East, The National Bank of Ras Al Khaimah, Abu Dhabi Commercial Bank and Commercial Bank of Dubai.
  • The banks together hold nearly 44 per cent of total banking assets in the UAE as of June 2019 (Moody’s), Dubai KYC

 AI, blockchain and AML: the future is now

These technologies also hold the promise of radically changing how AML professionals create systems to comply with regulators and counter criminals. 

An anti-money laundering solution crafted and implemented on the blockchain “could leverage the inherent qualities of the blockchain in order to identify and prevent illicit transactions,” according to IDMerit.  

If the underlying software used to monitor and review transactions is an AI with deep machine learning functionality, it could “effectively run through strings of data to determine if money laundering activity is occurring.” 

In short, the reason this would be a tectonic change over current AML practices is because AI syncing with the blockchain will be “able to detect patterns in large volumes of data while adapting to changes in criminal activity over time with its machine learning capabilities.”

These tools have the potential to automate one of the most challenging areas of AML: transaction monitoring. 

That’s because the pitfall-strewn exercise must be tuned by precise underlying customer data, related risk ranking and, finally, get a manual review by a human that makes the final decision — a human whose fincrime training may not be up to snuff.  

Taken together, an AI and DLT tag team could make transaction monitoring “much more efficient and effective than current processes are today,” according to the report. “Plus, if suspicious activity is detected, it could be highlighted, flagged and stopped for further investigation. All this activity would be immutably stored on the blockchain as well.”

Panel Five: Crypto and Hawala Networks – Key Concerns and Policy Considerations

Where did the chicken go?

That is one question asked by speaker Nikos Passas in his panel, a lively discussion analyzing trade irregularities and their broader links to financial crimes.

That is a subject Passas has been sharing thought leadership for decades and currently lectures on as a professor of criminology and criminal justice at Northeastern University and as co-director of the Institute for Security and Public Policy.

Attendees were genuinely surprised that the most innocuous of items can potentially hide millions of dollars in illicit finance, inadvertently funding organized crime, terror attacks and burying the telltale trails of corruption.

Some of the more glaring examples of tainted trade: chicken exported to Colombia from the U.S. basically disappeared when attempting to review import data from the Colombian side of the equation.

Another: why is it that licorice, which has historically ranged in value from 25 cents to less than a dollar, surged all the way up to $5 per item in Pakistan and as much as $30 per item in Afghanistan and Syria at one point in time.

Trade-based money laundering is a multi-billion dollar problem that Passas offered some critical ways to counter. 

At the heart of his proposal: better collecting and analyzing trade data, which, in many cases, is scattered across a confusing and at-times seemingly impenetrable tangle of agencies, bureaus and boundaries.

But while it might be difficult to collect: It’s still all right there for the taking, Passas said. 

“The data we need is available,” he said. “All of this is available, but no one is putting it together in one place. It’s scattered. It’s like having a 4K TV available, but we are watching analog programs in black and white.”

Panel Six: Paying for Pot – Lessons Learned After Legal Cannabis and Where We Go Next

In Massachusetts, recreational cannabis sales topped – appropriately and hilariously enough – out at $420 million in 2019.

Yet the enduring conflicts between state legalization and federal narcotics laws have kept most financial institutions far away from the potentially lucrative sector.

Despite this, there are financial institutions successfully serving the legal cannabis industry, while managing the many financial crime risks. 

In this interactive session, attendees heard directly from institutions banking marijuana-related businesses.

And what did they learn when innovation and opportunity clashed in a brouhaha with cannabis wrestling compliance?

For one, more banks are likely intersecting the formal and informal cannabis sectors than they may realize, according to speaker Deirdra O’Gorman, founder of Empyreal Logistics. 

In a nuanced panel that saw through what can be a hazy and misunderstood issue,  she offered insight on how to quell the continuing tensions between state and federal marijuana banking laws.

One key takeaway for fincrime compliance professionals: If you think your bank is not banking a business tied to the budding cannabis sector, think again.

There is currently a “Green Gold Rush,” with the direct cannabis operations experiencing an annual growth rate of 23 percent and overall revenues north of $12 billion.

There are some 10,000 licensed plant-touching businesses in the legal cannabis sector in the U.S. and an estimated triple to even 10 times that number of ancillary businesses serving the industry, such as CBD sellers and others who have not officially registered with state and federal oversight bodies.

Even though other sectors might be green with envy at the cannabis sector’s mushrooming profits, many operations – even though legal at the state level – struggle to get and keep bank accounts and typically are barred by tax laws from employing basic banking products, like debit and credit cards. 

The growth in the cannabis sector, and propensity for a variety of businesses to add related items, such as CBD oils, soaps and other products to their shelves, puts more pressure on AML professionals to engage in more rigorous customer and corporate screening. 

That’s because these institutions, inadvertently, may be banking customers at a much higher risk level than they realize, or can tolerate or mitigate – a dynamic that state and federal regulators will not be happy about if they find these cannabis-related connections first.