Compliance weekly – 2 May 2022

Constant Vigilance!

2022 is the year of getting crypto in [regulatory] shape, so we thought that a reminder of the famous quote would not go amiss. From the Executive Order released by President Biden in the United States, to a wide array of hearings in the U.S. Congress as well as the European Parliament and the work carried out globally at the Financial Action Task Force (FATF) level, regulators are zooming in on digital assets and projects, and that’s a good thing. It has encouraged public attention and debate on important issues related to privacy, human rights, entrepreneurial freedom, financial inclusion, fighting crime and corruption, and compliance with laws and regulations (and why we have rules and regulations in the first place). As new regulatory proposals and industry scandals are revealed and scrutinized, the industry learns and changes for the better. FinTech, digital assets and blockchain projects are insurgents in the good sense explored in The Founders’ Mentality by Allen James and Chris Zook (Bain & Company) (which we recommend!): people who are changing the world. Any new industry attracts its fair share of dreamers, geeks, and opportunists, and also scammers and criminals. That is why Provenance exists, building compliance solutions specifically designed for FinTech and virtual assets and providing a needed bridge to established traditional systems.

Sometimes, this requires getting back to the basics, or as crypto people call it, primitives. For anti-money laundering/combating financing of terrorism (AML/CFT) compliance, this means understanding the risks and what a risk-based approach (RBA) to compliance means.

Essentially, it’s about the simple reality that no two businesses are the same, and so there is no good reason for AML/CFT compliance programs to be copy-pasted from templates and left to collect dust on a shelf. Actually, having a copy-paste compliance program will raise red flags more than anything else, since the requirements from the Cayman Islands Monetary Authority (CIMA) are that the AML/CFT measures be commensurate to the risks identified and tailored to the structure and business activities. In essence, RBA means that compliance architecture and policies and procedures are living evolving things within the business organization around the following steps:

  1. RBA Step 1: Senior management understands the nature and level of the money laundering and terrorism financing (ML/TF) risks associated with the business and operations, as well as the mandatory requirements and recommended best practices of the regulatory regime applicable to the business. Typically, an Initial Risk Assessment and a Regulatory Gap Analysis are carried out and documented. In all cases, it should be noted that the Board of Directors is the corporate body responsible for ensuring an organization’s compliance with rules and regulations.

  2. RBA Step 2: A compliance architecture is designed for the organization, service providers are selected and engaged, systems and processes are implemented to identify, assess, monitor, manage and mitigate risks, and staff receive adequate resources and training to execute.

  3. RBA Step 3: The systems are tested on a regular basis and there is an iterative process to refine and improve the compliance program and ensure it remains commensurate with the risks and compliant with the legal and regulatory requirements. Again, it is the responsibility of the Board of Directors to exercise oversight over any outsourced functions.

Any new industry or field of economic activity first develops in a regulatory void, a context where the risks are greater, not completely identified, or not accurately assessed. Digital assets have been known to attract or be used by criminals to a certain extent because of the lack of understanding, market standards and coherent regulation. Digital assets have now matured sufficiently for the industry to actively work with regulators to create rules which are adequate to cover the known risks and still allow sufficient room for innovation. Digital assets continue to be considered as carrying a higher degree of risk, however, and it is expected that regulators will be concerned about the quality of the AML/CFT compliance programs that are implemented.

For the Cayman Islands specifically, the National Risk Assessment 2021 Report, which was published in March 2022, identified virtual assets generally as being Medium-High Risk, with certain exceptions. Trading platforms, centralized or decentralized, OTC brokers and ATMs are classified as High Risk, while private issuances of tokens and other digital assets, investment funds, and mining/validator activities are regarded as Medium-Low or Low Risk.

There are no prohibitions on Cayman Islands businesses accepting digital assets as payment, but it is expected that fiat-to-crypto transactions be processed through virtual asset service providers (VASPs) and therefore be subject to AML/KYC compliance measures and controls. There are no Cayman banking licensees that currently accept or exchange digital assets.

For the industry generally, it is expected that enhanced due diligence and additional measures to combat ML/TF risks will be implemented in the presence of certain risk indicators, also called “red flags”, including products or services which typologies or case studies have already identified as representing a higher ML/TF risk. For example, in September 2020, the FATF published a report on “red flags” specifically associated with virtual assets, based on over 100 case studies contributed by jurisdictions from 2017 to 2020. Some of the “red flags” identified by the FATF:

  • Size and frequency of transactions similar to the traditional techniques of layering and money mules, i.e. small amounts via different accounts but with the same physical and IP address, converging into bigger transactions transferred overseas.
  • Large initial deposits via new users.
  • Transactions inconsistent with the customer profile, or not making economic sense.
  • Use of anonymity-enhanced cryptocurrency or privacy coins.
  • Transactions making use of mixing and tumbling services.
  • Use of decentralized/unhosted, hardware or paper wallets.
  • Use of proxies or using domain name registrars (DNS) that suppress or redact the owners of the domain names.
  • IP addresses associated with a darknet or other similar software that allows anonymous communication,  including encrypted emails and VPNs.
  • Transactions using encrypted communication means.
  • Using third parties whose customer due diligence (CDD) or know-your customer (KYC) processes are demonstrably weak or non-existent.
  • Using ATMs/kiosks.
  • IP addresses from sanctioned jurisdictions, or previously flagged as suspicious.
  • Incomplete or insufficient KYC information.
  • Use of multiple credit and/or debit cards.
  • Use of third parties operating in jurisdictions that have no regulation, or have not implemented AML/CFT controls.
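Several of the indicators above translate directly into screening rules a VASP can run over its own transaction data. The following is an added illustration, not code from Provenance, the FATF or any product: it screens a small set of constructed account and transaction records for four of the listed indicators (small deposits from several accounts sharing an IP and physical address that converge into one overseas transfer; a large initial deposit by a new user; activity on an account with incomplete KYC; and an IP on a previously flagged list). The thresholds, the `FLAGGED_IPS` watchlist and the sample records are all assumptions chosen for the example, not values prescribed by any regulator.

```python
"""Risk-indicator screening over constructed VASP transaction records.

Added illustration only: records, thresholds and rule names are assumptions
made for this example, not values prescribed by the FATF or CIMA.
"""
from collections import defaultdict
from datetime import date

# Constructed sample accounts: onboarding date, KYC status, address on file.
ACCOUNTS = {
    "A1": {"opened": date(2022, 4, 20), "kyc_complete": True, "address": "12 Harbour Rd"},
    "A2": {"opened": date(2022, 4, 21), "kyc_complete": True, "address": "12 Harbour Rd"},
    "A3": {"opened": date(2022, 4, 21), "kyc_complete": True, "address": "12 Harbour Rd"},
    "A4": {"opened": date(2022, 4, 28), "kyc_complete": False, "address": "9 Elm St"},
    "A5": {"opened": date(2019, 1, 5), "kyc_complete": True, "address": "3 Oak Ave"},
}

# Constructed sample transactions (amounts in USD; IPs from documentation ranges).
TRANSACTIONS = [
    {"id": 1, "account": "A1", "dir": "in", "amount": 900, "ip": "198.51.100.7", "country": "KY", "date": date(2022, 4, 22)},
    {"id": 2, "account": "A2", "dir": "in", "amount": 950, "ip": "198.51.100.7", "country": "KY", "date": date(2022, 4, 22)},
    {"id": 3, "account": "A3", "dir": "in", "amount": 850, "ip": "198.51.100.7", "country": "KY", "date": date(2022, 4, 23)},
    {"id": 4, "account": "A1", "dir": "out", "amount": 2650, "ip": "198.51.100.7", "country": "XX", "date": date(2022, 4, 24)},
    {"id": 5, "account": "A4", "dir": "in", "amount": 60000, "ip": "203.0.113.9", "country": "KY", "date": date(2022, 4, 29)},
    {"id": 6, "account": "A5", "dir": "in", "amount": 1200, "ip": "192.0.2.44", "country": "KY", "date": date(2022, 4, 30)},
]

# Constructed placeholder watchlist of IPs previously flagged as suspicious.
FLAGGED_IPS = {"192.0.2.44"}

SMALL_DEPOSIT = 1000   # assumed "small amount" ceiling for the mule rule
LARGE_INITIAL = 50000  # assumed "large initial deposit" floor
NEW_USER_DAYS = 30     # accounts younger than this count as new users
MIN_CLUSTER = 3        # accounts sharing IP + address needed to form a cluster
HOME_COUNTRY = "KY"


def mule_clusters(txs, accounts):
    """Rule 1: several accounts sharing an IP and physical address make small
    deposits that then converge into one larger overseas transfer."""
    groups = defaultdict(dict)  # (ip, address) -> {account: small inbound total}
    for t in txs:
        if t["dir"] == "in" and t["amount"] < SMALL_DEPOSIT:
            key = (t["ip"], accounts[t["account"]]["address"])
            groups[key][t["account"]] = groups[key].get(t["account"], 0) + t["amount"]
    alerts = []
    for members in groups.values():
        if len(members) < MIN_CLUSTER:
            continue
        pooled = sum(members.values())
        for t in txs:
            # outbound, overseas, sent by a cluster member, roughly the pooled total
            if (t["dir"] == "out" and t["country"] != HOME_COUNTRY
                    and t["account"] in members and t["amount"] >= 0.9 * pooled):
                alerts.append(("mule_convergence", t["account"], t["id"]))
    return alerts


def large_initial_deposits(txs, accounts):
    """Rule 2: a large first deposit by a recently onboarded user."""
    alerts, first_seen = [], set()
    for t in sorted(txs, key=lambda x: x["date"]):
        if t["dir"] != "in" or t["account"] in first_seen:
            continue
        first_seen.add(t["account"])
        age_days = (t["date"] - accounts[t["account"]]["opened"]).days
        if age_days <= NEW_USER_DAYS and t["amount"] >= LARGE_INITIAL:
            alerts.append(("large_initial_deposit", t["account"], t["id"]))
    return alerts


def kyc_and_ip_checks(txs, accounts, flagged_ips):
    """Rules 3 and 4: activity on an account with incomplete KYC, and
    activity from an IP on the flagged list."""
    alerts = []
    for t in txs:
        if not accounts[t["account"]]["kyc_complete"]:
            alerts.append(("incomplete_kyc", t["account"], t["id"]))
        if t["ip"] in flagged_ips:
            alerts.append(("flagged_ip", t["account"], t["id"]))
    return alerts


def screen(txs=TRANSACTIONS, accounts=ACCOUNTS, flagged_ips=FLAGGED_IPS):
    """Run every rule and return (rule, account, tx_id) alerts, sorted."""
    alerts = (mule_clusters(txs, accounts)
              + large_initial_deposits(txs, accounts)
              + kyc_and_ip_checks(txs, accounts, flagged_ips))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, account, tx_id in screen():
        print(f"{rule:24s} account={account} tx={tx_id}")
```

Each alert is only an indicator for review, which is the point of the FATF list: the rules feed an enhanced due diligence queue, and the thresholds belong in the documented risk assessment so they can be tuned and defended during an inspection.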

Since 2020, the industry itself has published several reports on typologies of risk and criminal activity observed, with Elliptic, Chainalysis and CipherTrace among the principal contributors. Only last week, the Joint Chiefs of Global Tax Enforcement (J5), a group composed of the tax authorities of Australia, Canada, the Netherlands, the United Kingdom (U.K.) and the United States (U.S.), released a list of “red flag” indicators for non-fungible tokens (NFTs) and Web3 projects, including the following strong indicators of rug pull, bad actor and other illegal activity risk:

  • high volume newly minted or secondary market transactions with no observable community behind the project;
  • circular transactions, immediate resell activities or frequent trading, or a network of sending and receiving parties to the same transaction or group of transactions;
  • unusual pattern for a secondary transaction compared to other NFTs in the same collection;
  • incorrect mint address, requesting seed phrases, similarities between collections (copy-paste);
  • phishing (email offers), unverified accounts on social media with no genuine activity;
  • ties to mixers, etc.

Key Points

FinTech, crypto and virtual assets businesses including recent models like DeFi, NFT, Web3, and Metaverse projects, present higher risks from a money laundering and terrorism financing (ML/TF) perspective because the industry is still at an early stage and/or rapidly evolving. However, both the industry itself and regulators are actively working to develop risk models and tools to address ML/TF risks and regulatory models which allow for innovation while protecting businesses and users. Often, this requires a return to first principles of AML/CFT compliance, and a redesign of the traditional compliance architecture to take into account how the digital assets industry operates. This is where Provenance can help.

Other Compliance News

Europeans can and will be charged for breaches of sanctions imposed by the United States. In this case, the charges were about advising North Korea on cryptocurrency and blockchain.

Airdrops can be scams. The Bored Ape Instagram account was hacked last week to advertise a fake airdrop. Some of the users who connected their wallets to receive it reportedly lost US$2.8 million worth of NFTs.

Despite the announcement by Fidelity Investments last week that it plans to allow companies that use its 401(k) services the option to put bitcoin (BTC) on the menu, there is still a need to accommodate the concerns raised by the U.S. Department of Labor in March on this issue. In particular, fiduciaries responsible for overseeing BTC investment options should carefully document how they balanced their decisions with their duties of prudence and loyalty, taking into account the risks.

Following the EU’s fifth package of measures against Russia (here), Binance has announced that it will limit services for Russian nationals or natural persons residing in Russia, or legal entities established in Russia, that have assets exceeding the value of 10,000 EUR. This is in line with the prohibition on providing high-value crypto-asset services to Russia. 

The U.S. House Committee on Financial Services held a hearing on 28th April on the oversight of the Financial Crimes Enforcement Network (FinCEN). While this hearing wasn’t specifically about virtual assets, we wanted to include it as a reminder that the Bank Secrecy Act (BSA) applies to digital assets: businesses exchanging and/or transmitting currency, funds, or value that substitutes for currency or funds which are located in the United States or have U.S. users are required to register with FinCEN.

Gibraltar introduced new virtual asset legislation on market integrity in collaboration with the industry. The Gibraltar Financial Services Commission (GFSC) has published a Guidance Note on operational, technical and organizational standards expected for market integrity.

Uniswap has been hit with a class action lawsuit, with one of the founders and several venture capital investors also listed as defendants. 

The Monetary Authority of Singapore (MAS) is reportedly looking for its FinTech and digital assets applicants to understand and have a strong risk culture, similar to traditional financial institutions. Being a startup is no excuse. We expect this will be the position of all regulators.

Other Compliance News

The Financial Action Task Force (FATF) issued a report on the state of global compliance. Also, following the biannual meeting held in Washington, D.C., on 21st April 2022, the strategic vision and the priorities for the period 2022-2024 have been agreed, including continuing mutual evaluations and collaboration, beneficial ownership transparency and implementation of the FATF standards on the beneficial ownership of legal persons as updated in March 2022, increasing recovery capabilities, and leveraging technology and digital transformation. 

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued new sanctions and designated cryptocurrency mining company BitRiver and subsidiaries as entities involved in attempts to evade sanctions imposed on Russia. The BitRiver parent company is based in Switzerland but in the press release OFAC noted that Bitriver was founded in Russia in 2017 and currently operates out of three offices across Russia.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) identified the attacker behind the Ronin Bridge hack as Lazarus, the North Korean state hacking group. 

Beanstalk, a decentralized credit-based stablecoin protocol, was attacked, resulting in a theft of $76 million via a flash loan on Aave which exploited the protocol’s governance mechanism.

Bahamas issued a Policy White Paper on the future of digital assets for 2022-2026.

About Provenance

As the virtual assets industry is on the brink of mainstream adoption, the demand for services in this space far exceeds the capabilities of the traditional compliance providers. The difficulty to date has been that industry veterans have had neither the benefit of practical examples of how regulators will assess the servicing of virtual assets, nor the in-house expertise or experience to confidently risk assess virtual asset engagements and build out the controls to mitigate associated risks. Additionally, the volatility in the asset class causes trepidation in traditional investment circles. We have established service lines across the specialist functions of compliance, internal audit, risk and advisory, with a focus on enhancing the compliance and risk management solutions available to Investment Funds, Managers, Service Providers, and other participants in the virtual asset sector. We collectively bring over 75 years of experience in traditional legal, accounting and compliance services to the financial services industry, with recognised industry leaders and pioneers in developing solutions for virtual asset ventures in the Cayman Islands, BVI and across the globe.

Contact Provenance
