New NYDFS Guidance Emphasizes Need for Blockchain Analytics

On April 28, 2022, the New York State Department of Financial Services (NYDFS) issued guidance to all virtual currency entities that are licensed under 23 NYCRR Part 200 or chartered as a limited purpose trust company under the New York Banking Law (VC Entities). This guidance emphasized the importance of employing blockchain analytics related to customer due diligence, transaction monitoring, and sanctions screening.

Summary

Transactions in virtual currencies involve sources, destinations, and types of fund flows that may be different from traditional, fiat-currencies. VC Entities must ensure that their compliance programs consider these unique characteristics to comply with the New York Banking Law, the New York Financial Services Law, federal Bank Secrecy Act/anti-money laundering regulations (BSA/AML), and Office of Foreign Assets Control (OFAC) requirements.

Although the unique characteristics of virtual currency transactions may present compliance challenges, they also lend themselves to control measures that leverage new technologies. For example, since virtual currencies enable provenance tracing, a blockchain ledger’s immutability offers a historical view of a virtual currency transmission between wallet addresses. This allows for greater insight into transaction lineage, as most virtual currencies store information on-chain, including sending and receiving wallet addresses, time and date, and the value of the transaction. However, as wallet addresses are typically pseudonymous, they do not provide information about the originator, beneficiary, or underlying beneficial owners. A VC Entity’s risk mitigation strategy must address its business profile to properly assess risk, considering which type of virtual currency is being used, as well as the volume of transactions.

Detailed Highlights

The NYDFS guidance emphasized the importance of blockchain analytics to address anti-money laundering requirements and compliance with BSA/AML and OFAC-related rules focusing on: 

• Augmenting Know-Your-Customer-related controls—For example, exploiting services and products that allow their users to obtain identifying information that ties directly to the pseudonymous on-chain data, particularly in combination with customer-provided information. Although these blockchain analytics can identify wallet addresses associated with institutions like VC Entities, and high-risk wallet addresses like darknet marketplaces, these tools have inherent limitations. Further “off-chain” verification methods are required, such as numerical scores or tiered rankings that represent the risk to the counter-party institution, supplemented with other factors such as the strength of the institution’s BSA/AML Program.
• Conducting transaction monitoring of on-chain activity—VC Entities need appropriate control measures to monitor and identify unusual activity along with procedures tailored to the VC Entity’s risk profile. These include tracing of transaction activity for each type of virtual currency the entity supports and monitoring the flow of funds through the blockchain for any inbound or outgoing activity. The Financial Crimes Enforcement Network has noted that financial institutions need to identify and report suspicious activity associated with potential sanctions evasion and conduct appropriate risk-based customer due diligence or enhanced due diligence. Some relevant typologies include assessing whether a virtual currency:

• Has substantial exposure to high-risk or sanctioned jurisdiction.
• Is processed through a mixer or tumbler.
• Is sent to or from darknet markets.
• Is associated with scams/ransomware.
• Is associated with other illicit activity relevant to the VC Entity’s business model.

A VC Entity’s documentation must describe case management and escalation processes, with clearly delineated roles and responsibilities across the business and compliance functions, including the VC Entity’s approach where there are any doubts.

• Conducting sanctions screening of on-chain activity—According to the OFAC: “Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information … associated with sanctioned individuals and entities listed on the Specially Designated Nationals (SDN) List or other sanctions lists, or located in sanctioned jurisdictions.” 

VC Entities may use third-party service providers or develop blockchain analytics products and services internally. However, to the degree VC Entities choose to outsource, they must have in place clearly documented policies, processes, and procedures. 

What does this mean for you?

VC Entities should assess their risk as it relates to virtual currency transactions, including adopting more encompassing “off-chain” verification methods and implementing or updating robust BSA/AML programs.

Furthermore, given the increased emphasis on international sanctions, VC Entities must be aware of individual entities listed on the SDN List. Additionally, VC Entities must be knowledgeable about their customers and the types of risks they entail.

Call to Action

Guidehouse can help VC Entities assess their current blockchain analytics tools to address anti-money laundering requirements, BSA/AML, and OFAC-related controls as described in the Department of Financial Service’s April 28 guidance. Guidehouse can identify gaps or weaknesses with a VC Entity’s current model, conduct training on AML and sanctions compliance, and provide blockchain tracing and analytics.

In so far as the NYDFS guidance allows VC Entities to use third-party service providers, Guidehouse can assist in creating clearly defined and documented policies, processes, and procedures related to blockchain analytics tools.