Tailoring AML Risk Assessments for Cryptocurrency Exchanges

By Alma Angotti, Gene Bolton, Gregory Schwarz

In our March 2021 piece, Assessments to Drive AML and Sanctions Compliance Program Effectiveness, we discussed regulators’ and financial institutions’ focus on anti-money laundering enterprise risk assessments (AML Risk Assessment) as part of sound financial crime risk management, resource allocation, and compliance program development. As we previously noted, traditional financial institutions have spent years evolving their AML Risk Assessment processes, which typically involve the formula of “inherent risk – controls = residual risk.” Cryptocurrency exchanges are encouraged or, in some cases, required to conduct an AML Risk Assessment. For a cryptocurrency exchange to conduct an adequate and effective AML Risk Assessment, it must consider the unique risks posed by its business. In the following article, we outline the current state of Bank Secrecy Act/AML regulations pertaining to Risk Assessments and some areas of consideration for cryptocurrency exchanges.


Current Regulatory Environment: Federal and New York State 

Federal Regulation

The Financial Crimes Enforcement Network (FinCEN) considers cryptocurrency exchanges to be money transmitters, or Money Services Businesses (MSBs), and, therefore, covered financial institutions under the Bank Secrecy Act. Currently, federal law and regulation do not require MSBs (i.e., cryptocurrency exchanges) to perform an AML Risk Assessment. Nevertheless, FinCEN still strongly encourages management to document a Risk Assessment in writing to provide a clear basis for the MSB’s policies and procedures.

Guidehouse notes that while not currently an affirmative requirement, AML Risk Assessments are a regulatory expectation and necessary for implementing a risk-based AML program. It is difficult to show you have a “risk-based program” if you haven’t conducted an AML Risk Assessment. Further, FinCEN’s September 2020 Advance Notice of Proposed Rulemaking (ANPRM) proposes establishing that all covered financial institutions [1] maintain an “effective and reasonably designed” AML program, which includes a requirement to conduct a written AML Risk Assessment to evidence an effective and reasonably designed program. AML Risk Assessments are also frequently cited in enforcement actions when regulators identify deficiencies.


New York Law

It is important to understand the regulatory environment in New York, as New York is the only state in the US to require that cryptocurrency exchanges obtain a BitLicense. Unlike federal law, New York law (23 CRR-NY 200.15) requires cryptocurrency exchanges to perform an AML Risk Assessment. Section B of CRR-NY 200.15 also indicates that licensees shall conduct additional assessments on an annual basis, or more frequently as risks change, and shall modify their AML programs as appropriate to reflect any such changes.

The New York Department of Financial Services (NYDFS) advises firms to assess their inherent risk and implement certain controls, which include:

  1. Augmenting Know Your Customer (KYC)-related controls;
  2. Conducting transaction monitoring of on-chain activity; and
  3. Conducting sanctions screening of on-chain activity.


Key Considerations

It is important that cryptocurrency exchanges conduct an AML Risk Assessment that is tailored to their business and operations. Specifically, cryptocurrency exchanges should consider the following, as appropriate:

Blockchain Tracing Coverage

Blockchain tracing solutions support many digital assets and blockchains, but not all, especially thinly traded digital assets. Furthermore, blockchain tracing solutions may not be able to apply the full suite of services for certain digital assets and blockchains. As part of the AML Risk Assessment, cryptocurrency exchanges should evaluate the volumes and values of incoming and outgoing digital assets not supported by blockchain tracing providers. Those digital assets not covered by such providers may pose a higher risk. Cryptocurrency exchanges should consider implementing other types of controls to mitigate the inherent risk of untraced digital assets (e.g., limiting or prohibiting on-chain transfers of such digital assets).

Volumes of Higher-Risk Assets

Cryptocurrency exchanges should [2] develop a comprehensive coin listing process to evaluate the risk of any new and existing digital assets offered by the cryptocurrency exchange. Cryptocurrency exchanges should assess the specific AML risks associated with each digital asset offered (e.g., liquidity, privacy). As part of the AML Risk Assessment process, cryptocurrency exchanges should assess the volumes and value of higher-risk assets to evaluate exposure and determine whether the exchange is operating within its risk appetite.

Proper Classification and Segmentation of Customers

Consistent with established regulatory requirements and expectations, cryptocurrency exchanges should conduct due diligence that is commensurate with a customer’s risk profile. For example, cryptocurrency exchanges should evaluate whether their customers are transacting and trading in amounts commensurate with their peer-group segment. Proper segmentation will allow cryptocurrency exchanges to identify anomalous activity as part of the AML Risk Assessment process.

Large Amounts of Activity with High-Risk Counterparties

Blockchain tracing helps identify high-risk counterparties, such as mixers/tumblers, high-risk exchanges, and darknet markets. Digital asset companies should consider the volumes and values of digital asset inflows from these higher-risk counterparties to assess exposure.


How Can Guidehouse Help?

Guidehouse can help digital asset companies with their AML Risk Assessment processes and financial crime risk management frameworks, including:

  • AML and sanctions risk assessment methodology development and/or review
  • Transaction monitoring coverage assessment
  • Blockchain analytics and tracing
  • AML and sanctions risk assessment execution
  • AML and sanctions risk management framework development, including financial crime risk appetite statements and risk-acceptance procedures
  • AML and sanctions board training
  • AML and sanctions risk assessment training
  • AML and sanctions gap analyses

[1] Section I of the ANPRM indicates that “[t]he scope of program rules under consideration for amendment in this ANPRM includes those applicable to all of the industries that have AML program requirements under FinCEN's regulations, including…money services businesses...”
[2] Unless the cryptocurrency exchange is regulated in New York, in which case it is required to do so. See Department of Financial Services Virtual Currency Guidance.

Alma Angotti, Partner

Gene Bolton, Associate Director

Gregory Schwarz, Associate Director
