In our March 2021 piece, Assessments to Drive AML and Sanctions Compliance Program Effectiveness, we discussed regulators and financial institutions’ focus on anti-money laundering enterprise risk assessments (AML Risk Assessment) as part of sound financial crime risk management, resource allocation, and compliance program development. As we previously noted, traditional financial institutions have spent years evolving their AML Risk Assessment processes, which typically involve the formula of “inherent risk – controls = residual risk.” Cryptocurrency exchanges are encouraged or, in some cases, required to conduct an AML Risk Assessment. For a cryptocurrency exchange to conduct an adequate and effective AML Risk Assessment, it must consider the unique risks possessed by its business. In the following article, we outline the current state of Bank Secrecy Act/AML regulations pertaining to Risk Assessments and some areas of consideration for cryptocurrency exchanges.
The Financial Crimes Enforcement Network (FinCEN) considers cryptocurrency exchanges to be money transmitters, or Money Services Businesses (MSBs), and, therefore, covered financial institutions under the Bank Secrecy Act. Currently, federal law and regulation does not require MSBs (i.e., cryptocurrency exchanges) to perform an AML Risk Assessment. Nevertheless, FinCEN still strongly encourages management to document a Risk Assessment in writing to provide a clear basis for the MSB’s policies and procedures.
Guidehouse notes that while not currently an affirmative requirement, AML Risk Assessments are a regulatory expectation and necessary for implementing a risk-based AML program. It is difficult to show you have a “risk-based program” if you haven’t conducted an AML Risk Assessment. Further, FinCEN’s September 2020, Advanced Notice of Proposed Rulemaking (ANPRM) proposes establishing that all covered financial institutions1 maintain an “effective and reasonably designed” AML program, which includes a requirement to conduct a written AML Risk Assessment to evidence an effective and reasonably designed program. AML Risk Assessments are also frequently cited in enforcement actions when regulators identify deficiencies.
Importantly, the regulatory environment in New York is necessary to understand, as New York is the only state in the US to require that cryptocurrency exchanges obtain a BitLicense. Unlike federal law, under New York Law (23 CRR-NY 200.15), cryptocurrency exchanges are required to perform an AML Risk Assessment. Section B of CRR-NY 200.15 also indicates that licensees shall conduct additional assessments on an annual basis, or more frequently as risks change, and shall modify their AML programs as appropriate to reflect any such changes.
The New York Department of Financial Services (NYDFS) advises firms to assess their inherent risk and implement certain controls, which include:
It is important that cryptocurrency exchanges conduct an AML Risk Assessment that is tailored to their business and operations. Specifically, cryptocurrency exchanges should consider the following, as appropriate:
Blockchain tracing solutions support many digital assets and blockchains, but not all, especially thinly traded digital assets. Furthermore, blockchain tracing solutions may not be able to apply the full suite of services for certain digital assets and blockchains. As part of the AML Risk Assessment, cryptocurrency exchanges should evaluate the volumes and values of incoming and outgoing digital assets not supported by blockchain tracing providers. Those digital assets not covered by such providers may pose a higher risk. Cryptocurrency exchanges should consider implementing other types of controls to mitigate the inherent risk of untraced digital assets (e.g., limiting or prohibiting on-chain transfers of such digital assets).
Guidehouse can help digital asset companies with their AML Risk Assessment processes and financial crime risk management frameworks, including:
1 Section I of the ANPRM indicates that “[t]he scope of program rules under consideration for amendment in this ANPRM includes those applicable to all of the industries that have AML program requirements under FinCEN's regulations, including…money services businesses...”
2 Unless cryptocurrency exchange is regulated in New York, in which case they are required. See Department of Financial Services Virtual Currency Guidance.