Contributor Report: The Top 20 ways for U.S. Crypto Exchangers to Avoid Unwanted Federal Scrutiny
Thursday, August 2, 2018
Posted by: Brian Monroe
By Ross S. Delston, Lourdes C. Miranda and John E. Rollins
When it comes to the intersection of cryptocurrencies and financial crimes, it’s clear this area is still an emerging hot button issue with Federal regulators, investigators in the US and internationally, and global watchdog groups, all of whom are still wrestling with how best to counter criminals attempting to exploit virtual currencies.
In recent years, virtual currency exchangers have been at the heart of some of the most high-profile criminal cases, with some used as a gateway for darknet hackers to monetize their cyber fusillades, others dinged by examiners for lax anti-money laundering (AML) programs or attracting close scrutiny from government authorities after the exchanger’s systems themselves have been hacked and cryptocurrencies stolen.
But what many may not realize is there is a crucial missing piece of context in this seemingly roiling sea of bad press relentlessly heaping compliance uncertainty upon a nascent industry – these counter-crime control failures are the exception, not the rule.
For many crypto exchangers – the vital real-world banking link allowing enthusiasts to switch from digital dollars to fiat currencies and back – ensuring AML programs are baked into all of their systems and users is a top-of-mind issue, with some even testing the waters on new ways to conduct customer due diligence, risk scoring and transaction monitoring that would leave their brick-and-mortar brethren way back in the 20th century.
Even so, there are some common mistakes cryptocurrency firms can make that may raise regulatory ire. In this article, we lay out a series of best practices for exchangers to employ along with pitfalls to avoid that will keep away examiner or investigator scrutiny. And remember, when the examiners take the time to place your exchange under an electron microscope, they likely won’t leave until they find something.
So here is a collection of 20 ways to help ensure compliance harmony:
1. Federal registration: Register as a money services business (MSB) with the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). Remember that FinCEN treats cryptocurrency exchangers (the Feds call them exchangers, not exchanges) as MSBs, so failure to register is not only a Federal felony but can also result in more serious penalties than any AML compliance failure. Well, other than laundering money for darknet sites. Don’t do that either.
2. Pillar strength: Have a real and effective AML program, not one that is half…baked. An AML program has four pillars if you’re a cryptocurrency exchanger: written policies, procedures and internal controls (PPCs); designation of an AML compliance officer with experience in line with the risk of the exchanger; training; and an independent review, also called an independent audit.
On the training side, that can be bolstered through a bevy of resources, including certifications that can be obtained from https://cryptoconsortium.org/certifications/CBP or https://www.udemy.com/bitcoin-certification/, among others. For an effective AML program, all four pillars are required – try sitting on a chair with three legs if you don’t believe us – it can be done but odds are you’ll fall down and break a crown – and look foolish in even attempting to do so.
3. Independence Day: Now remember the audit piece we just mentioned? Make sure you have an independent AML audit done by a competent, qualified person who is not only an expert but also independent. That means the individual cannot have drafted your PPCs, cannot have conducted training, and cannot have participated in the functioning of your AML program in any form. Because otherwise, he or she would be evaluating their own work, and who among us is brave enough to dispute their own work?
And note, while an independent AML audit without any recommendations is a very nice document, unfortunately it’s not an AML audit report. To paraphrase Socrates, an unexamined AML program like an unexamined life is sure to be incomplete.
Two key points to remember: On most Federal bank exams, the regulator starts by looking at the latest independent AML audit and checking whether the issues it identified have been addressed. They then ask what issues were highlighted in the prior regulatory exam and check whether those have been fixed. The virtual currency exchanger parallel: if you have had a recent AML audit or a prior Federal exam, make sure the issues are fixed or that you have a plan in place to fix them, with realistic, achievable timetables.
4. Prior experience preferred: The issue of compliance officer expertise is also something to take seriously. Don’t appoint the most junior person in the room as your AML Compliance Officer (AMLCO) – this is a sure way to make your regulator unhappy and your AML program ineffective.
Regulations, guidance and enforcement actions have been resoundingly clear on this issue: the compliance officer must have experience in line with the risk of the institution. The prevailing mindset currently extends this mantra to the rest of the compliance team. Meaning: your compliance officer and the rest of the team together must possess the accumulated acumen, whether through sheer numbers or through depth of individual expertise, to handle and mitigate the perceived risks of your customers, products, geographies and financial throughput.
5. IR(YeS please): Don’t hesitate to welcome the IRS – yes, the IRS – since that fun Federal agency is the onsite examiner for MSBs. And while the folks who show up to talk to you are not focused on whether you’ve correctly filed your taxes, they also won’t hesitate to report you to the IRS-CI, that’s Criminal Investigation to you newbies.
And don’t ever tell the folks at the IRS – or any Federal regulator or supervisor – that you won’t give them access to your premises, your files or your transactions. Forget waving a red flag at a bull, this is more like wearing a meat suit when visiting the wolf sanctuary. Either way, it ain’t pretty. The good news? You have the MSB BSA/AML Examination Manual (2008) as a guide in your dealings with the IRS.
6. Show and tell: Don’t say you have an AML program because you check the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctions list. That’s a “tell” for subject matter experts (SMEs) in the AML field that indicates to them that you don’t really understand what an AML program is all about.
Every U.S. person, companies and individuals alike, and any person within the United States (including foreign companies doing business here) is prohibited from dealing with any country subject to OFAC sanctions or any individual or entity on OFAC’s Specially Designated Nationals (SDN) list, whether your company has an AML program or not.
7. Risky business: As part of your AML program, conduct a comprehensive risk assessment of your operations, products, services, and geographies and update this periodically and as your business risk profile changes.
Understand your key business areas with higher AML and counter-financing of terrorism (CFT) risks, such as cash in/cash out services, transactions involving so-called privacy coins, new products or business practices, and intersections with other third-party convertible cryptocurrency exchangers.
8. Emerge ahead: Remember your highly qualified AMLCO? Make sure your compliance officer keeps up-to-date on the latest regulatory and enforcement developments in the BSA/AML field as well as new and emerging Fintech and cryptocurrency technologies. And don’t ignore your AMLCO at the water cooler. Make sure your AMLCO holds regular meetings with other members of senior management and your board of directors. And while you’re at it, seek opportunities to engage with relevant regulatory agencies – this is a great way to establish credibility and provide thought leadership while educating the regulators – and, with apologies to Jim Comey, Lordy do they need it!
9. Register here: Make sure you follow and understand the regulatory and registration requirements in all of the jurisdictions where you do business, including state, national and international ones. Make sure you stay compliant with all applicable requirements wherever you do business.
10. License sense: Don’t forget the little guy. It’s a good idea to register and obtain relevant licenses for each individual who provides money transmitting services for your clients in the relevant jurisdictions in which they provide these services.
11. Product previews: As part of your AML program, take appropriate proactive steps to mitigate and manage AML/CFT risks ahead of time, before launching new products, services or technologies. No one likes to play catch up, and neither do the Feds.
12. Spinning records: Fulfill recordkeeping requirements, put in place programs to conduct ongoing customer and transaction monitoring, and file suspicious activity reports (SARs) and currency transaction reports (CTRs) where applicable in a timely manner.
Note that most foreign jurisdictions, and the international standards, use the term ‘suspicious transaction report’ (STR) rather than SAR for the same filing, and the thresholds differ. In the U.S., a CTR is required for currency transactions of more than $10,000, and an MSB must file a SAR on suspicious transactions involving or aggregating $2,000 or more (the $5,000 SAR threshold applies to banks, not MSBs). Some MSBs, to ease regulatory fears, voluntarily file SARs on activity below the threshold. Internationally, most jurisdictions have no monetary threshold whatsoever for the filing of STRs, and neither do the FATF 40 Recommendations.
13. Strong boards: Make sure your board of directors is actively involved in the process of reviewing and approving your AML program as well as changes made to the program. It’s a great idea for at least one board member to possess a strong understanding of cryptocurrency and financial crime issues and compliance rules and regulations. Being a member of cryptocurrency professional organizations and obtaining credentials as a certified cryptocurrency expert is strongly encouraged and will strengthen your credibility with the Feds.
14. Dollar signs: Offer services that convert cryptocurrencies ONLY into US dollars (fiat currency) and ONLY from US-based exchangers. Offering services to convert cryptocurrencies into Euros and other foreign fiat currencies as well as accepting transactions from non-US-based exchangers may attract bad actors.
15. Reputation only: Offer and accept ONLY well-known and reputable cryptocurrencies - currently Bitcoin, Litecoin, and Ethereum. Other unknown cryptocurrencies could be mined or created by bad actors. Be careful when considering the addition of new cryptocurrencies to your platform. Seek appropriate regulatory approvals and licenses if seeking to offer tokenized securities or conduct initial coin offerings (ICOs) – ever hear of the Securities and Exchange Commission (SEC) or Financial Industry Regulatory Authority (FINRA)?
16. In the mix: Accept cryptocurrency transactions ONLY from well-known and reputable mixers (services that transfer tokens within the same cryptocurrency in an attempt to enhance the privacy and anonymity of the source) and shifters (services that convert tokens from one cryptocurrency to another), identified through your own customer due diligence (CDD) and enhanced due diligence (EDD) of those firms, even though this is not explicitly required by the MSB AML program rules or the MSB exam manual.
17. Personal issues: Require your customers to provide Personally Identifiable Information (PII). Every exchanger should have the capability to verify their customer’s identification, their source of funds, and bank account information. It’s easier to verify PII and source of funds if you accept credit cards, debit cards, and wire transfers ONLY. That’s right, leave the piggy bank at home.
18. What’s in your wallet: Don’t accept transactions from wallet services that are unknown to you and that you haven’t vetted, because some wallet services require only an email address and collect no PII. Ensure that your own platform offers wallet services.
19. Cash out: Don’t accept physical cash, no surprises here… But, make sure you don’t accept Bitcoin ATM (BTM) deposit receipts either since some BTMs don’t require PII and BTMs typically accept cash without identifying the source of funds. In other words, BTM receipts often provide as much information as cash with regard to identification, the source of funds, and bank account information.
20. Dumped and de-risked: Pay attention to your account relationships with banks. MSBs are already considered high risk by most banks. As a result, many MSBs have been de-banked due to an industry-wide de-risking process. So you need to be careful and even more cognizant to create an airtight compliance program.
You don’t want to be de-banked by your bank. It’s not fun, and you will find it really difficult to replace your current account relationship with an account at a new bank as the first thing they will ask is what happened at your old bank.
About the authors:
Ross S. Delston
Ross is an independent Washington, D.C.-based attorney, expert witness and financial crime compliance consultant. He is a former Federal banking regulator at the FDIC with over 40 years of experience in the financial sector who has specialized in BSA/AML issues for the last 18 years.
Lourdes C. Miranda
Lourdes is an independent Washington, D.C.-based financial intelligence analyst, fraud investigator and former Federal employee. She has over 25 years of government and corporate experience in compliance; cyber security; risk management; fraud investigations; financial intelligence; counter threat finance; counterterrorism and counterintelligence collection around the globe.
John E. Rollins
John is a New York, NY-based financial crimes investigator, expert witness and litigation consultant. He leads the Forensic Services practice at Stout Risius Ross, LLC in New York. He has over 17 years of experience serving as either an expert witness or consultant in an array of matters, including complex commercial litigation, fraud and financial investigations, asset forfeiture and money laundering matters, and responses to regulatory enforcement actions or inquiries.