What happened to Anchorage Digital Bank?
On 21st April 2022, the Office of the Comptroller of the Currency (OCC) in the United States issued a Consent Order against Anchorage Digital Bank for failure to adopt and implement an adequate compliance program for the bank’s anti-money laundering (AML) requirements under the Bank Secrecy Act (BSA), as laid out in the Operating Agreement entered into with the OCC in January 2021, when Anchorage received the conditional approval to convert into a National Trust Bank. This is a reminder to all FinTech, crypto and virtual assets businesses that in order to get into the traditional financial systems, they need to comply with the traditional financial systems requirements, which often are tailored to more mature businesses. In particular, the OCC found that internal controls for customer due diligence (CDD) and monitoring suspicious activity, BSA officer and staff, and training, had not been implemented to the required standards. As part of the Consent Order, Anchorage has agreed to, among other things, appoint a Compliance Committee of at least three members of which a majority will be independent directors who are not employees or officers of the bank or any of its subsidiaries or affiliates, which Committee will meet at least quarterly, communicate a detailed remediation plan for AML compliance, including timelines and responsible persons, ensure that the appointed BSA officer has sufficient independence, authority, and resources to carry out their duties, including staff with appropriate skills and expertise (and in sufficient numbers) to support the bank’s AML compliance program, and that compliance staff is vested with sufficient authority to fulfill their duties and responsibilities.
On an annual basis, the Board of Directors will be required to review the adequacy of the BSA officer and supporting staff, and ensure that the conclusions of the review are documented in writing, including with respect to effectiveness of the AML program, leadership, knowledge, training, and skills of BSA officer and staff, oversight and governance structures, appropriate staffing levels for the compliance function consistent with a current risk assessment. It is also expected that the Board will need to pinpoint and correct deficiencies after each review.
This is more or less in line with the normal Board duties for oversight and supervision, and the Consent Order is a reminder that an AML compliance program is more than just running customer due diligence (CDD) checks.
In addition, the OCC reinforced the expectation that all regulators normally have, that the bank will not outsource AML functions to a third party service provider without carrying out and documenting an assessment of the adequacy of the skills and training of the third party. Oversight of outsourced functions, including quality control checks against specific standards, is key for meeting the BSA standards.
The OCC used the opportunity of the Consent Order for Anchorage to generally educate the industry on the minimum policies and procedures which are expected to comply with BSA standards, including:
Monitoring processes should apply filters in line with risk profiles identified and at a minimum size and frequency of transactions, unusual movements, or transactions involving higher risk jurisdictions, client risk profile, etc. The OCC also specifically requested that the bank have processes in place to identify transactions involving unhosted wallets, and requested an independent validation of the bank’s monitoring systems (more specifically, that the bank identify and submit to the OCC the name of an independent third-party consultant to review and provide a report on the suspicious activity monitoring (“SAR Look-Back”).
For the future, the OOC requested that the bank implement an independent testing and audit program, as well as an appropriate training program.
FinTech, crypto and virtual assets businesses which fall under the scope of regulations for AML compliance, irrespective of the jurisdiction they are incorporated in, need to be prepared to establish and implement internal policies and procedures which are adequate (i.e. good enough) for their operations and risks, pursuant to a risk-based approach (RBA). In addition, based on their jurisdiction, they may be held to a higher standard. This is the case, for example, for the Cayman Islands, Bermuda, the British Virgin Islands (BVI) and many offshore jurisdictions, where we see an increased focus on AML and compliance. Provenance can help, from the initial risk assessment to implementation of adequate CDD standards, training, AML officers, audit and stress testing the compliance program, as well as remediation.
Taking into account the news about Anchorage, we wanted to share a few insights on the AML/KYC service providers selection checklist for CDD and customer onboarding. There are many available solutions for virtual assets and remote onboarding, from various jurisdictions and with different pricing. We tested several, and these are the top 10 things to look for:
The Financial Action Task Force (FATF) issued a report on the state of global compliance. Also, following the biannual meeting held in Washington, D.C., on 21st April 2022, the strategic vision and the priorities for the period 2022-2024 have been agreed, including continuing mutual evaluations and collaboration, beneficial ownership transparency and implementation of the FATF standards on the beneficial ownership of legal persons as updated in March 2022, increasing recovery capabilities, and leveraging technology and digital transformation.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued new sanctions and designated cryptocurrency mining company BitRiver and subsidiaries as entities involved in attempts to evade sanctions imposed on Russia. The BitRiver parent company is based in Switzerland but in the press release OFAC noted that Bitriver was founded in Russia in 2017 and currently operates out of three offices across Russia.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) identified the attacker behind the Ronin Bridge hack as Lazarus, the North Korean state hacking group.
Beanstalk, a decentralized credit based stablecoin protocol, was attacked resulting in a theft of $76 million, via a flash loan on Aave which exploited the protocol’s governance mechanism.
Bahamas issued a Policy White Paper on the future of digital assets for 2022-2026.
As the virtual assets industry is on the brink of mainstream adoption, the demand for services in this space far exceeds the capabilities of the traditional compliance providers. The difficulty to date has been that industry veterans have had neither the benefit of practical examples of how regulators will assess the servicing of virtual assets, nor do they have in house expertise or experience to confidently risk asses virtual asset engagements and build out the controls to mitigate associated risks. Additionally, the volatility in the asset class causes trepidation in traditional investment circles. We have established service lines across the specialist functions of compliance, internal audit, risk and advisory, with a focus on enhancing compliance and risk management solutions available to Investment Funds, Managers, Service Providers, and other participants in the virtual asset sector. We collectively bring over 75 years of experience in traditional legal, accounting and compliance services to the financial services industry, with recognised industry leaders and pioneers in developing solutions for virtual asset ventures in Cayman Islands, BVI and across the globe.
© Provenance Group. All Rights Reserved