What happened to Anchorage Digital Bank?
On 21st April 2022, the Office of the Comptroller of the Currency (OCC) in the United States issued a Consent Order against Anchorage Digital Bank for failure to adopt and implement an adequate compliance program for the bank’s anti-money laundering (AML) requirements under the Bank Secrecy Act (BSA), as laid out in the Operating Agreement entered into with the OCC in January 2021, when Anchorage received conditional approval to convert into a National Trust Bank. This is a reminder to all FinTech, crypto and virtual assets businesses that in order to get into the traditional financial system, they need to comply with that system’s requirements, which are often tailored to more mature businesses. In particular, the OCC found that internal controls for customer due diligence (CDD) and suspicious activity monitoring, the BSA officer and staff, and training had not been implemented to the required standards.
As part of the Consent Order, Anchorage has agreed to, among other things:
- appoint a Compliance Committee of at least three members, a majority of whom must be independent directors who are not employees or officers of the bank or any of its subsidiaries or affiliates, and which will meet at least quarterly;
- communicate a detailed remediation plan for AML compliance, including timelines and responsible persons;
- ensure that the appointed BSA officer has sufficient independence, authority and resources to carry out their duties, including staff with appropriate skills and expertise (and in sufficient numbers) to support the bank’s AML compliance program; and
- ensure that compliance staff are vested with sufficient authority to fulfill their duties and responsibilities.
On an annual basis, the Board of Directors will be required to review the adequacy of the BSA officer and supporting staff, and to ensure that the conclusions of the review are documented in writing, including with respect to the effectiveness of the AML program, the leadership, knowledge, training and skills of the BSA officer and staff, oversight and governance structures, and appropriate staffing levels for the compliance function consistent with a current risk assessment. The Board is also expected to pinpoint and correct deficiencies after each review.
This is more or less in line with the normal Board duties for oversight and supervision, and the Consent Order is a reminder that an AML compliance program is more than just running customer due diligence (CDD) checks.
In addition, the OCC reinforced an expectation that all regulators normally have: the bank will not outsource AML functions to a third-party service provider without carrying out and documenting an assessment of the adequacy of the third party’s skills and training. Oversight of outsourced functions, including quality control checks against specific standards, is key to meeting the BSA standards.
The OCC used the opportunity of the Consent Order for Anchorage to educate the wider industry on the minimum policies and procedures expected in order to comply with BSA standards, including:
- minimum data points to establish and maintain an accurate customer risk profile;
- ensuring that staff have sufficient authority, training, and skills;
- identifying instances where CDD information is lacking, and a process for remediating them;
- maintenance of an accurate and complete list of higher risk clients;
- ongoing reviews for higher risk clients, including transactional analysis, expected vs. actual activity, source and use of funds, trends / activity patterns; and
- critical review, including identification of disparities and red flags, and processes for escalating suspicious activity.
Monitoring processes should apply filters in line with the risk profiles identified, covering at a minimum the size and frequency of transactions, unusual movements, transactions involving higher risk jurisdictions, the client risk profile, etc. The OCC also specifically requested that the bank have processes in place to identify transactions involving unhosted wallets, and requested an independent validation of the bank’s monitoring systems (more specifically, that the bank identify and submit to the OCC the name of an independent third-party consultant to review and report on suspicious activity monitoring, the “SAR Look-Back”).
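The filters listed above, expressed as a minimal risk-based rule set over constructed sample data. This is an added example, not code from the Consent Order or from the bank’s systems; the risk tiers, thresholds, the placeholder jurisdiction code "ZZ", and the customer and transaction records are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed reference data for this example (not from the Consent Order).
HIGH_RISK_JURISDICTIONS = {"ZZ"}          # placeholder country code
TIER_AMOUNT_THRESHOLD = {"low": 10_000, "medium": 5_000, "high": 1_000}
VELOCITY_WINDOW, VELOCITY_COUNT = timedelta(hours=24), 3   # frequency filter
EXPECTED_MULTIPLIER = 2.0                 # actual vs. declared expected volume

# Customer risk profile: tier from the risk matrix plus declared expected activity.
CUSTOMERS = {
    "C1": {"tier": "low", "expected_monthly": 30_000},
    "C2": {"tier": "high", "expected_monthly": 1_000},
}

# Constructed transactions; hosted=False marks an unhosted-wallet counterparty.
TRANSACTIONS = [
    {"id": "T1", "cust": "C1", "amount": 4_000, "ts": datetime(2022, 4, 1, 9), "country": "US", "hosted": True},
    {"id": "T2", "cust": "C1", "amount": 12_000, "ts": datetime(2022, 4, 2, 9), "country": "US", "hosted": True},
    {"id": "T3", "cust": "C2", "amount": 900, "ts": datetime(2022, 4, 3, 10), "country": "ZZ", "hosted": True},
    {"id": "T4", "cust": "C2", "amount": 800, "ts": datetime(2022, 4, 3, 12), "country": "US", "hosted": False},
    {"id": "T5", "cust": "C2", "amount": 700, "ts": datetime(2022, 4, 3, 20), "country": "US", "hosted": True},
]

def flags_for(tx, history, customer):
    """Return the names of the rules that fire for tx, given the customer's prior transactions."""
    flags = []
    if tx["amount"] >= TIER_AMOUNT_THRESHOLD[customer["tier"]]:
        flags.append("amount_over_tier_threshold")        # size, scaled to risk tier
    if tx["country"] in HIGH_RISK_JURISDICTIONS:
        flags.append("high_risk_jurisdiction")
    if not tx["hosted"]:
        flags.append("unhosted_wallet")
    recent = [h for h in history if tx["ts"] - h["ts"] <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_COUNT:
        flags.append("velocity")                           # frequency / unusual movement
    month_total = tx["amount"] + sum(h["amount"] for h in history if h["ts"].month == tx["ts"].month)
    if month_total > EXPECTED_MULTIPLIER * customer["expected_monthly"]:
        flags.append("exceeds_expected_activity")          # expected vs. actual activity
    return flags

def monitor(transactions, customers):
    """Run transactions through the rules in time order; return {tx id: flags} for analyst review."""
    alerts, history = {}, {cid: [] for cid in customers}
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        flags = flags_for(tx, history[tx["cust"]], customers[tx["cust"]])
        if flags:
            alerts[tx["id"]] = flags
        history[tx["cust"]].append(tx)
    return alerts
```

Every alert is a candidate for manual review, not a conclusion; the thresholds are the part an independent validation such as the SAR Look-Back would test against actual activity.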
For the future, the OCC requested that the bank implement an independent testing and audit program, as well as an appropriate training program.
Key Points
FinTech, crypto and virtual assets businesses which fall under the scope of regulations for AML compliance, irrespective of the jurisdiction they are incorporated in, need to be prepared to establish and implement internal policies and procedures which are adequate (i.e. good enough) for their operations and risks, pursuant to a risk-based approach (RBA). In addition, based on their jurisdiction, they may be held to a higher standard. This is the case, for example, for the Cayman Islands, Bermuda, the British Virgin Islands (BVI) and many offshore jurisdictions, where we see an increased focus on AML and compliance. Provenance can help, from the initial risk assessment to implementation of adequate CDD standards, training, AML officers, audit and stress testing the compliance program, as well as remediation.
AML/KYC Service Providers Selection Checklist
Taking into account the news about Anchorage, we wanted to share a few insights on the AML/KYC service providers selection checklist for CDD and customer onboarding. There are many available solutions for virtual assets and remote onboarding, from various jurisdictions and with different pricing. We tested several, and these are the top 10 things to look for:
- Quality of Data. Where is the data coming from? Is it comprehensive, compared to the traditional financial services solutions? A good test is to run several names through different service providers and compare the output, e.g. several sanctioned individuals, politically exposed persons (PEPs) and persons with a known criminal record. Some of the best service providers out there are pulling data from multiple watchlists and jurisdictions, as well as publicly available corporate records. Matching is based on fuzzy matching algorithms, so potential matches should be flagged by the system for manual review, with links to the underlying information.
- Customization Options. Since most regulators recommend a risk-based approach (RBA) to AML/KYC programs and verifications, the best service providers allow different onboarding, user and risk profiles to be created, effectively embedding a risk matrix into the AML/KYC platform. In addition, since requirements concerning acceptable documentation differ based on the jurisdiction and risk category, the best-in-class service providers allow different onboarding streams to be created – corporate vs. individual, authorized person vs. beneficial owner, etc.
- Security. This is key. Most of the companies which have an obligation to set up an AML/KYC/KYB/KYT compliance programme also have an obligation to maintain the security of the underlying personal information, and as “data controllers” under most data protection legislation they cannot rely on a third-party service provider’s security without verification and monitoring. For this reason, as well as restrictions regarding data transfers between jurisdictions, the best providers do not retain the personal data, instead requesting the company to set up its own secure cloud solution. One aspect of note is that most remote onboarding programs now include biometric identification, and biometric data will soon be subject to enhanced protections in several jurisdictions, including in the United States.
- Audit Trail. Developing a risk-based compliance program is one thing; being able to prove to regulators that the program was properly implemented years after the fact is another. The best service providers include an audit trail in their systems. This also helps to ensure, during an internal audit, that manual reviewers and approvers followed the company’s processes. Most companies are required to have a yearly audit and review of the compliance program, and the audit trail is a time saver.
- Automation Options. Speaking of time savers, implementing risk profiles and embedding risk scoring calculations into the system saves manual reviewers precious time, with the additional possibility of automating “low risk / no potential matches or other issues flagged” users. This allows the compliance team to focus their attention on real issues, and diminishes the likelihood of human error.
- Integrations. We haven’t yet seen any solutions offering everything that a compliance program needs to have in place, and so integrations are the key to success. From source-of-funds verifications on the wallet addresses, to the monitoring of transaction patterns, a good solution would allow for integrations, so that the compliance team is able to review things from one single dashboard or control panel.
- Searches and Exports. These features are a must for recordkeeping requirements and potential audit questions. The compliance team needs to be able to separately keep track of and export information about denied applications, suspicious transactions, higher risk users, enhanced due diligence verifications carried out, etc. Sadly, in many cases, these options are missing and need to be requested or separately built in, which implies a lot of time wasted during an audit, or remediation measures needed for later.
- Enhanced Due Diligence (EDD) Options. We haven’t yet seen this one. In most cases, enhanced due diligence means manual review, additional documents requested and Google cross-referencing. However, several service providers do include the possibility of enabling notes on a certain user profile, and potentially documents as well.
- Auditor Access. In some cases (external auditor, regulator, or outsourced AML service provider), someone from outside the company will need access to the compliance dashboard, control panel or data, but generally not all of it. Among the various service providers, winners in this space are those including a separate “audit” functionality, with the possibility of earmarking the information and documents to be shared. After all, personal data should only be accessed on a “need to know” basis in order to comply with the data protection regulatory requirements.
- Developer Features. Business models and needs evolve over time. If the compliance program is a living thing, reviewable, testable and auditable on an annual basis, then the technology should be too. The ability to add forms, information checks and disclaimers throughout the onboarding process is most useful, and not many service providers offer it. As an example, information on source of wealth and source of funds, data consents, and projected operations and transaction patterns are a few elements traditionally collected as part of traditional finance compliance. The ability to integrate these into the same dashboard or control panel would be extremely useful.
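The Quality of Data, Automation Options and Audit Trail points above, combined into one screening flow: fuzzy name matching against watchlist entries that carry a link to the underlying record, auto-clearing of low-risk applicants with no potential matches, and an append-only decision log. This is an added example and not any provider’s code; the watchlist entries, names, URLs and the 0.85 similarity threshold are constructed for the illustration (the names are fictitious).

```python
import difflib
import re
import unicodedata
from datetime import datetime, timezone

# Constructed watchlist with a source reference per entry (fictitious names, not real persons).
WATCHLIST = [
    {"name": "Juan Perez Gomez", "list": "sanctions", "ref": "https://example.invalid/sanctions/001"},
    {"name": "Maria Lopez", "list": "pep", "ref": "https://example.invalid/pep/042"},
]
MATCH_THRESHOLD = 0.85   # assumed cut-off; below this a candidate is not shown to the reviewer
AUDIT_LOG = []           # append-only record of every screening decision

def normalize(name):
    """Strip accents, case and punctuation and sort tokens so name-order and spelling variants compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9]+", " ", ascii_name.lower()).split()
    return " ".join(sorted(tokens))

def screen(name, threshold=MATCH_THRESHOLD):
    """Fuzzy-match a name against every watchlist entry; return potential matches with their source links."""
    query, hits = normalize(name), []
    for entry in WATCHLIST:
        score = difflib.SequenceMatcher(None, query, normalize(entry["name"])).ratio()
        if score >= threshold:
            hits.append({"score": round(score, 2), "list": entry["list"], "ref": entry["ref"]})
    return sorted(hits, key=lambda h: -h["score"])

def onboard(applicant_id, name, risk_tier, reviewer="system"):
    """Risk-based decision: auto-clear low-risk applicants with no hits, route everything else to a person."""
    hits = screen(name)
    if not hits and risk_tier == "low":
        decision = "auto_cleared"
    elif any(h["list"] == "sanctions" for h in hits):
        decision = "blocked_pending_review"
    else:
        decision = "manual_review"
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "applicant": applicant_id,
                      "name": name, "tier": risk_tier, "hits": hits, "decision": decision, "by": reviewer})
    return decision, hits
```

Running the same fixed set of names through each provider under evaluation and comparing the hits is the data-quality test described under Quality of Data; the log is what an auditor would ask for under Audit Trail.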
Other Compliance News
The Financial Action Task Force (FATF) issued a report on the state of global compliance. Also, following the biannual meeting held in Washington, D.C., on 21st April 2022, the strategic vision and the priorities for the period 2022-2024 have been agreed, including continuing mutual evaluations and collaboration, beneficial ownership transparency and implementation of the FATF standards on the beneficial ownership of legal persons as updated in March 2022, increasing recovery capabilities, and leveraging technology and digital transformation.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued new sanctions and designated cryptocurrency mining company BitRiver and its subsidiaries as entities involved in attempts to evade the sanctions imposed on Russia. The BitRiver parent company is based in Switzerland, but in the press release OFAC noted that BitRiver was founded in Russia in 2017 and currently operates out of three offices across Russia.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) identified the attacker behind the Ronin Bridge hack as Lazarus, the North Korean state hacking group.
Beanstalk, a decentralized credit-based stablecoin protocol, was attacked, resulting in a theft of $76 million, via a flash loan on Aave which exploited the protocol’s governance mechanism.
The Bahamas issued a Policy White Paper on the future of digital assets for 2022-2026.
About Provenance
As the virtual assets industry is on the brink of mainstream adoption, the demand for services in this space far exceeds the capabilities of the traditional compliance providers. The difficulty to date has been that industry veterans have had neither the benefit of practical examples of how regulators will assess the servicing of virtual assets, nor the in-house expertise or experience to confidently risk assess virtual asset engagements and build out the controls to mitigate the associated risks. Additionally, the volatility of the asset class causes trepidation in traditional investment circles. We have established service lines across the specialist functions of compliance, internal audit, risk and advisory, with a focus on enhancing the compliance and risk management solutions available to Investment Funds, Managers, Service Providers, and other participants in the virtual asset sector. We collectively bring over 75 years of experience in traditional legal, accounting and compliance services to the financial services industry, with recognised industry leaders and pioneers in developing solutions for virtual asset ventures in the Cayman Islands, BVI and across the globe.