In 2021 the Bank for International Settlements (BIS) published a report entitled Supervising cryptoassets for anti-money laundering, which has important implications for those working in the crypto space. The BIS promotes international cooperation amongst central banks, and its 63 members account for 95% of global GDP. The report provides a summary of the state of cryptoasset regulation amongst its members and an overview of regulatory frameworks, supervisory practises, enforcement action, international cooperation and information sharing.
Although aimed at supervisors, the report is also a must read for compliance officers. It offers insights into how regulations are being drafted and implemented as well as how risks are being assessed in this fast-evolving industry. Those working in firms that offer crypto exchanges, service crypto exchanges or custody services will gain a greater understanding of what their regulators and supervisors are interested in. The report also highlights the challenges associated with operating in multiple jurisdictions, and provides a glimpse into possible future areas of regulation and enforcement.
This report should be read alongside other reports issued by the Financial Action Task Force (FATF), the global anti-money laundering and counter financing of terrorism (AML/CFT) standard setter, which are referenced throughout the BIS publication.
This article provides a summary of what compliance officers need to know and key themes identified in the report.
What do Compliance Officers need to know?
- Regulations differ vastly between jurisdictions, with countries and global standard setters adopting varying definitions of cryptoassets and criteria under which activities should be subject to regulation
- Most supervisors are implementing an ‘on-ramp’ period for cryptoassets as they roll-out new regulations, using this as an opportunity to raise awareness of AML/CFT risks and requirements
- Supervision remains at the nascent stage but there are a variety of tools available for enforcement
- There is a general consensus that ML/TF risks associated with cryptoasset adoption are on the rise
- More enforcement action is expected in the near future
- There is a recognition that a multi-stakeholder approach is needed to raise awareness and mitigate AML/CFT risks in the cryptoassets industry
Lack of uniformity among regulatory frameworks
The report concludes that cryptoasset service providers must meet multiple requirements across varying jurisdictions. Although significant progress has been made in adopting standards issued by the FATF, the supervision of cryptoassets remains in its infancy around the world. Most jurisdictions are in the process of implementing and enforcing regulation, with the report indicating that “effective implementation remains a work in progress.” The lack of a globally accepted definition of cryptoassets, criteria for determining how firms should be supervised, and agreed taxonomy to classify cryptoassets across different types of regulation (AML/CFT, consumer protection, market integrity, etc) creates a minefield that must be navigated by cryptoassets service providers.
The definition adopted by the Financial Stability Board (FSB) for cryptoassets, “a type of digital asset that depends primarily on cryptography and digital ledger or similar technology,” is much broader than the definition adopted by (FATF), which focuses on assets that can be “digitally traded, or transferred and can be used for payment or investment purposes.” This has affected how authorities regulate cryptoassets. When classifying cryptoassets for regulation, the following factors may be taken into account by different jurisdictions to understand the nature and risks posed by these assets:
- Nature of the issuer (e.g. identifiable, non-identifiable; public, private; regulated, unregulated)
- Intended use of the cryptoasset (e.g.used as a means of raising funds, of investment, of payment, granting rights to services/products in a company’s network or ecosystem)
- Holders’ rights (e.g. claim to the delivery of an underlying asset, to a granted interest, to access or use a service in a network or platform)
- Claim redemption (e.g. contractual claim, fixed redemption claim, dependent on price development)
- Control over the ledger (e.g. open to the public, open to specific parties, closed to a limited number of authorized parties)
- Validation of the ledger (e.g. permissioned, permissionless)
- Mechanism to transfer the cryptoasset’s ownership (e.g. centralized, peer-to-peer, decentralized)
With regards to market activities, supervisors may choose to classify cryptoassets under one of the following three categories:
- Primary market activities: Relate to the issuance and distribution of assets (e.g. issuer and investor onboarding, deal structuring, risk assessment, asset registration, distribution of the asset to market participants)
- Secondary market activities: Comprise trading (e.g. admission of the asset to trading, price discovery, order matching, asset transmission), clearing and settlement and servicing (e.g. asset management, custody)
- Tangential activities: aimed at supporting and ensuring that primary and secondary market activities are conducted in an efficient manner (e.g. infrastructure services, ancillary services)
Firms looking to be registered or authorized need to be able to clearly explain which factors apply and what activities they are carrying out as part of the application process in different jurisdictions.
Varied application of FATF standards
As for the adoption of FATF standards, the report reiterated FATF’s assessment that most countries have not fully implemented these standards. Some countries such as China have banned cryptoassets, other countries have introduced specific prohibitions for financial institutions looking to work with cryptoassets (Belgium and Lithuania), some have developed bespoke crypto regulatory regimes (Japan, Netherlands, Singapore and the UK) while other countries have opted for extending existing frameworks to crypto (Canada, Germany, Switzerland, and the US). Some jurisdictions have chosen to regulate crypto-to-crypto transactions, while others have not, and countries such as Japan go beyond the FATF definition of cryptoassets by opting to regulate gatekeepers, network operators, technical maintenance providers and application developers in decentralized finance. With regards to the now infamous ‘travel rule’ requiring originator and beneficiary information in crypto transfers, the report highlights that few jurisdictions have implemented this effectively, with many citing limited access to a technology solution to do this. And when it comes to location, some authorities such as those in Canada, the Netherlands and Singapore, have opted to include cryptoasset service providers ‘offering services,’ which is not currently defined, into their countries’ regulatory frameworks. This applies even when they are physically based or domiciled in other countries. This too goes beyond FATF requirements.
FATF requirements include the following:
- Performing customer due diligence (CDD) on new and existing customers
- Record-keeping of transactions where required
- Assessing risks and applying a risk-based approach
- Having internal controls to assess compliance with AML/CFT policies
- Performing enhanced due diligence (EDD) in specific circumstances
- Reporting their suspicions promptly to the relevant Financial Intelligence Unit
Firms working in this space need to ensure that they have the proper control environment in place to allow them to operate in line with regulatory frameworks that have been introduced or to ensure that their clients have the right AML/CFT controls in place working effectively.
Supervisory practices in nascent stage but increased focus on AML/CFT risks
As many of the crypto-related laws and regulations are new, supervision of compliance in alignment of these laws is in its infancy. The report indicates that the state of supervision “could be best described as in flux,” with a recognition that supervisors should be technology neutral, flexible and adopt agile models that can evolve with innovation. This means that there may be little guidance for firms, and that those working in and supervising this space are learning from each other and may need to focus on cross-learning opportunities with regulators upskilling providers on AML/CFT and technologists upskilling supervisors. Most authorities recognize that there is limited AML/CFT experience in the cryptoassets sector and are looking to address this. At the moment, there have been few on-site examinations. However, authorities have indicated that they intend to “ramp up these efforts,” meaning firms should ensure that they have well documented policies, processes and procedures that they can share with regulators should they land on their doorstep. In the meantime, authorities are using open source intelligence, tip-offs and financial intelligence analysis to identify unregistered providers of cryptoassets. Lastly, there is a recognition that there is a need for innovation in supervisory approaches, such as the development of SupTech and using more data, blockchain and innovative solutions, if regulators are to keep up with those they supervise in this space.
Although regulators recognize the potential that cryptoassets have in making financial transfers and payments more efficient, this development is not without AML/CFT risk. Factors that increase risks include speed, global coverage and options for making holders of cryptoassets anonymous, as well as the potential to obfuscate transactions. The report highlights that given the significant illicit use of crypto (estimated at USD$11 billion in 2019), AML/CFT supervision and enforcement is important. This has led international standard setting bodies to review not only AML/CFT risks but also risks to consumers, investors, financial stability and markets posed by new business models. To manage these risks, many countries have carried out a risk assessment on cryptoassets, with Japan and Switzerland including this as part of their AML/CFT national risk assessment (NRA) process. There are also differing views on the risks posed by peer-to-peer (P2P) transactions. While some jurisdictions consider risks to be similar to those posed by cash exchanges, other jurisdictions are calling for peer-to-peer (P2P) transactions to be subject to regulation. What appears to be universally accepted is that global coordination and cooperation is essential to target risks from P2P transactions, but also to manage other risks given the borderless nature of cryptoassets. Firms should be aware of ML/TF risks presented by their products and services to limit social and economic harm of criminal misuse of cryptoassets.
To date, limited enforcement action has been carried out given the newness of crypto regulation. However, the report indicates that “more enforcement actions are expected in the future” as supervision of the industry matures. Most countries tend to have the same types of enforcement tools available when AML/CFT breaches occur. These include:
- Warning letters
- Orders to comply with specific instructions
- Public naming
- Suspension or revocation of license or registration
- Prohibiting individuals from operating in financial services
- Removing, replacing or restricting the powers of managers, directors and controlling owners
Firms should ensure that they are in the best possible position to respond to regulatory enforcement action and seek out external advice and or counsel as needed. To date, the majority of enforcement action has been linked to criminal as opposed to civil action. And while many authorities publish fines and enforcement action, the level of detail available varies by country.
To learn more about the latest trends in the crypto and decentralized finance space, download our latest report: State of Financial Crime 2021: Mid-Year Review.