Deutschland
India
Lietuva
United Kingdom
Search
Search
Search
By Gregory Schwarz
In our March 2021 piece, Assessments to Drive AML and Sanctions Compliance Program Effectiveness, we discussed regulators and financial institutions’ focus on anti-money laundering enterprise risk assessments (AML Risk Assessment) as part of sound financial crime risk management, resource allocation, and compliance program development. As we previously noted, traditional financial institutions have spent years evolving their AML Risk Assessment processes, which typically involve the formula of “inherent risk – controls = residual risk.” Cryptocurrency exchanges are encouraged or, in some cases, required to conduct an AML Risk Assessment. For a cryptocurrency exchange to conduct an adequate and effective AML Risk Assessment, it must consider the unique risks possessed by its business. In the following article, we outline the current state of Bank Secrecy Act/AML regulations pertaining to Risk Assessments and some areas of consideration for cryptocurrency exchanges.
Federal Regulation
The Financial Crimes Enforcement Network (FinCEN) considers cryptocurrency exchanges to be money transmitters, or Money Services Businesses (MSBs), and, therefore, covered financial institutions under the Bank Secrecy Act. Currently, federal law and regulation does not require MSBs (i.e., cryptocurrency exchanges) to perform an AML Risk Assessment. Nevertheless, FinCEN still strongly encourages management to document a Risk Assessment in writing to provide a clear basis for the MSB’s policies and procedures.
Guidehouse notes that while not currently an affirmative requirement, AML Risk Assessments are a regulatory expectation and necessary for implementing a risk-based AML program. It is difficult to show you have a “risk-based program” if you haven’t conducted an AML Risk Assessment. Further, FinCEN’s September 2020, Advanced Notice of Proposed Rulemaking (ANPRM) proposes establishing that all covered financial institutions1 maintain an “effective and reasonably designed” AML program, which includes a requirement to conduct a written AML Risk Assessment to evidence an effective and reasonably designed program. AML Risk Assessments are also frequently cited in enforcement actions when regulators identify deficiencies.
New York Law
Importantly, the regulatory environment in New York is necessary to understand, as New York is the only state in the US to require that cryptocurrency exchanges obtain a BitLicense. Unlike federal law, under New York Law (23 CRR-NY 200.15), cryptocurrency exchanges are required to perform an AML Risk Assessment. Section B of CRR-NY 200.15 also indicates that licensees shall conduct additional assessments on an annual basis, or more frequently as risks change, and shall modify their AML programs as appropriate to reflect any such changes.
The New York Department of Financial Services (NYDFS) advises firms to assess their inherent risk and implement certain controls, which include:
It is important that cryptocurrency exchanges conduct an AML Risk Assessment that is tailored to their business and operations. Specifically, cryptocurrency exchanges should consider the following, as appropriate:
Blockchain Tracing Coverage
Blockchain tracing solutions support many digital assets and blockchains, but not all, especially thinly traded digital assets. Furthermore, blockchain tracing solutions may not be able to apply the full suite of services for certain digital assets and blockchains. As part of the AML Risk Assessment, cryptocurrency exchanges should evaluate the volumes and values of incoming and outgoing digital assets not supported by blockchain tracing providers. Those digital assets not covered by such providers may pose a higher risk. Cryptocurrency exchanges should consider implementing other types of controls to mitigate the inherent risk of untraced digital assets (e.g., limiting or prohibiting on-chain transfers of such digital assets).
Volumes of Higher-Risk Assets
Cryptocurrency exchanges should2 develop a comprehensive coin listing process to evaluate the risk of any new and existing digital assets offered by the cryptocurrency exchange. Cryptocurrency exchanges should assess the specific AML risks associated with each digital asset offered (e.g., liquidity, privacy). As part of the AML Risk Assessment process, cryptocurrency exchanges should assess the volumes and value of higher-risk assets to evaluate exposure and determine whether the exchange is operating within its risk appetite.
Proper Classification and Segmentation of Customers
Consistent with established regulatory requirements and expectations, cryptocurrency exchanges should conduct due diligence that is commensurate with a customer’s risk profile. For example, cryptocurrency exchanges should evaluate whether their customers are transacting and trading in amounts commensurate with their peer-group segment. Proper segmentation will allow cryptocurrency exchanges to identify anomalous activity as part of the AML Risk Assessment Process.
Large Amounts of Activity with High-Risk Counterparties
Blockchain tracing helps identify high-risk counterparties, such as mixers/tumblers, high-risk exchanges, and darknet markets. Digital asset companies should consider the volumes and values of digital asset inflows from these higher-risk counterparties to assess exposure.
Guidehouse can help digital asset companies with their AML Risk Assessment processes and financial crime risk management frameworks, including:
1 Section I of the ANPRM indicates that “[t]he scope of program rules under consideration for amendment in this ANPRM includes those applicable to all of the industries that have AML program requirements under FinCEN's regulations, including…money services businesses...”
2 Unless cryptocurrency exchange is regulated in New York, in which case they are required. See Department of Financial Services Virtual Currency Guidance.
Guidehouse is a global advisory, technology, and managed services firm delivering value to commercial businesses and federal, state, and local governments. Serving industries focused on communities, energy, infrastructure, healthcare, financial services, defense, and national security, Guidehouse positions clients for AI-led innovation, efficiency, and resilience.