21st September 2020
Crypto AML Red Flags
As the use of cryptocurrency becomes more widespread, cryptocurrency service providers must deal with a greater range of threats from money launderers that exploit the speed and anonymity associated with the online trade of virtual assets.
To buy and sell cryptocurrencies or virtual assets, users need access to online wallets and exchanges. These services facilitate high volumes of crypto transactions, allowing for the speedy transfer of assets and funds around the world, outside conventional banking and finance systems. That lack of regulatory oversight is attractive to money launderers, who often seek to convert illegal funds into cryptocurrency in order to avoid the AML checks imposed by traditional financial institutions. The scale of the threat is growing: research suggests that around $1 billion was laundered in crypto exchanges in 2018 and around $2.8 billion in 2019.
In response to the risks posed by cryptocurrency, the Financial Action Task Force (FATF) has conducted research into the characteristics of cryptocurrency money laundering. The research drew from previous FATF investigations into crimes involving virtual assets and from over 100 case studies contributed by jurisdictions across the FATF Global Network since 2017.
In 2020, FATF released a report about its findings: Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing. Intended to help both financial authorities and cryptocurrency wallet and exchange firms develop and implement their AML programs, the report set out the following virtual asset red flag indicators of money laundering activity:
- Transaction Type
- Transaction Pattern
- Senders and Recipients
- Source of Funds
- Geographical Risks
While cryptocurrencies represent a new frontier on the money laundering landscape, traditional criminal strategies remain relevant. FATF found that the following types of transactional behavior, involving conventional means of payment, often indicated an attempt to launder money:
- Structuring cryptocurrency transactions in small amounts to avoid reporting thresholds.
- Making a series of high-value cryptocurrency transactions in a short period of time.
- Immediately transferring cryptocurrency deposits to a service provider in a low regulation jurisdiction.
- Immediately withdrawing cryptocurrency deposits with no transaction activity or converting deposits to multiple types of cryptocurrency while incurring fees.
- Depositing into cryptocurrency wallets with funds that have been identified as stolen.
FATF case study example: Criminals used phishing to steal KRW 400 million from South Korean victims before exchanging that money for cryptocurrency as a layering method. The criminals then carried out multiple high-value transactions to transfer the funds to a foreign crypto wallet. The funds were ultimately passed through 48 accounts in an attempt to disguise their origin.
In some cases, patterns of unusual cryptocurrency transactions may indicate that money laundering is taking place. These patterns include:
- New cryptocurrency accounts funded in a manner that is inconsistent with the owner’s customer profile and wealth.
- New accounts funded with a large initial deposit that is then traded or withdrawn in its entirety on that same day (or shortly thereafter).
- Transactions involving multiple cryptocurrencies or multiple accounts with no logical business explanation.
- Frequent transfers of large amounts of crypto within a set period of time (day, week, month) to the same account from more than one person.
- Incoming small-amount transactions from unrelated wallets that are immediately transferred to another wallet or withdrawn for fiat currency.
- Multiple crypto exchanges carried out at a potential loss as a result of commission fees.
- Frequent conversions of large amounts of fiat currency into a cryptocurrency with no logical business explanation.
FATF case study example: A securities firm spotted a foreign national making two separate transactions totaling $4.8 million between cryptocurrency accounts, within six minutes of each other, from a wallet hosted in the Cayman Islands. After the firm submitted a suspicious transaction report, the accounts were frozen and the funds were discovered to have been illegally obtained.
The technology that secures cryptocurrency wallets and exchanges against threats also increases the anonymity of customers using the services to trade and hinders oversight from authorities. Money laundering that exploits the anonymity associated with cryptocurrency services may exhibit the following red flags:
- Transactions involving more than one type of cryptocurrency, and especially cryptocurrencies offering high levels of anonymity, that incur additional fees.
- A customer moving their funds from a transparent public blockchain to a centralized cryptocurrency exchange, and then immediately trading those funds for an AEC or privacy coin.
- Customers that operate as unlicensed service providers for other users on unlicensed peer-to-peer (P2P) cryptocurrency exchange sites. These customers may handle large cryptocurrency transfers on their customers’ behalf and charge higher fees for their own services than licensed exchanges.
- An unusual volume or frequency of transactional activity involving P2P platforms or platforms that use mixing and tumbling services with no logical business explanation.
- Funds deposited into a cryptocurrency wallet from a suspicious source, such as darknet marketplaces, gambling sites or other illegal sites.
- Users entering a cryptocurrency exchange from IP addresses associated with suspicious sources or conducting transactions with partners using encryption software.
- The use of decentralized and unhosted hardware or offline paper wallets to transport cryptocurrency funds across international borders.
- The use of proxies or domain name registrars (DNS) that allow users to conceal their domain names when registering for a cryptocurrency exchange.
- Multiple cryptocurrency wallets controlled from the same IP address.
- The use of undocumented cryptocurrencies that have been linked to fraud or Ponzi schemes.
- Funds sent or received by cryptocurrency exchanges with demonstrably inadequate customer due diligence (CDD) or know-your-customer (KYC) procedures.
- The use of cryptocurrency ATMs or kiosks to facilitate multiple small transactions, or the use of ATMs or kiosks located in particularly high-risk jurisdictions.
FATF case study example: The darknet P2P market AlphaBay was used to buy and sell a huge range of illegal goods, including drugs, forged documents and firearms. Over 200,000 users and 40,000 vendors conducted over $1 billion worth of transactions using numerous cryptocurrencies between 2015 and 2017 — until the US government took down the AlphaBay servers.
Unusual behavior from senders and recipients of cryptocurrency often serves as a red flag indicator of money laundering in the following ways:
- Users that create multiple accounts under different names to circumvent the exchange’s trading and withdrawal limits, or that attempt to open accounts frequently using the same IP address.
- Transactions that originate from untrustworthy or suspicious IP addresses or high-risk jurisdictions.
- Corporate customers that have internet domain registrations in high-risk jurisdictions or in different jurisdictions than their country of establishment.
- Customers that have insufficient KYC information, have declined requests for KYC information or have forged their identification materials.
- Senders and recipients that lack knowledge of the source of their transactions or their relationship with their counterparties.
- Customers using identification credentials shared by another account or associated with illegal activity.
- Discrepancies between customer account IP addresses and the IP addresses of initiated transactions.
- Customers that frequently change their identification or contact information, such as email and IP addresses.
- The same customer attempting to access a cryptocurrency platform using different IP addresses in a single day.
- Customers that regularly make significant profits or losses by transacting with the same subset of individuals.
- Customers that communicate with other customers in a manner indicative of using their transactions to support illegal activity.
Money mule behaviors:
- Senders that are unfamiliar with cryptocurrency technology.
- Elderly or financially vulnerable customers engaging in high-volume cryptocurrency transactions.
- Customers that purchase large amounts of cryptocurrency in a manner inconsistent with their financial profile.
FATF case study example: A bank received cryptocurrency assets from a local company, deposited by natural and legal persons, but could not obtain information on the origin of the funds. Upon further scrutiny, the bank found that the cryptocurrency funds were linked to organized crime.
The source of cryptocurrency funds may indicate their connection to illegal activities in the following ways:
- Funds sourced directly from investments in cryptocurrency assets or initial coin offerings (ICOs), from platforms with insufficient AML/CFT controls or from third-party mixing or tumbling services.
- Transactions involving cryptocurrency accounts with known links to illegal activities, such as fraud, extortion, ransomware or darknet marketplaces, or transactions to or from online gambling sites.
- A single cryptocurrency wallet linked to multiple credit or debit cards that are used to withdraw large amounts of fiat currency.
- Higher than normal deposits into cryptocurrency wallets that are then immediately withdrawn as fiat currency.
- A lack of customer transparency over the origin of investor funds in contexts where relevant personal data may not be available to cryptocurrency service providers.
FATF case study example: In 2019, the owners of the DeepDotWeb website were found to have been receiving kickbacks in the form of cryptocurrency for referring visitors to illegal darknet marketplaces. Amounting to over $15 million, the kickbacks were moved by DeepDotWeb owners through a series of Bitcoin wallets in an attempt to conceal their origin.
Criminals that move illegal funds around the world often seek to take advantage of jurisdictions with disparities or inadequacies in cryptocurrency regulation. Geographical red flag indicators of money laundering are as follows:
- Cryptocurrency funds that originate in or are being sent to an exchange that is registered in a different country than the customer or the exchange.
- Customers using cryptocurrency exchanges or service providers located in high-risk jurisdictions or that are known to have inadequate AML/CFT measures.
- Customers that set up their physical offices in jurisdictions known to have inadequate or non-existent cryptocurrency regulations with no logical business explanation for doing so.
FATF case study example: In 2019, an unlicensed Bitcoin dealer was shut down by US authorities after using a US-based exchange to facilitate crypto trades for over $800,000 in premiums. The dealer then switched his activities to an exchange in Asia, purchasing $3.29 million in Bitcoin between 2015 and 2017 and importing his profits back into the US in small amounts to avoid reporting requirements.
Following FATF guidance and local legislation, crypto exchange AML programs should follow a risk-based model that reflects their threat landscape and regulatory environment. In practice, this means implementing measures to address traditional money laundering methodologies in conjunction with, where relevant, the specific virtual asset red flag indicators set out by FATF in its report. Accordingly, a cryptocurrency AML compliance program should feature:
- Suitable CDD processes to identify customers accurately and highlight higher risk customers for enhanced due diligence (EDD).
- Transaction monitoring measures capable of detecting suspicious cryptocurrency transactions and facilitating reports to financial authorities in a timely manner.
- Screening measures to check cryptocurrency customers against relevant international sanctions lists and whether they are politically exposed persons (PEPs).
- Adverse media monitoring processes capable of detecting when customers are the subject of negative news media in any part of the world.
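As an added illustration of the transaction monitoring item (this code is not from the FATF report or from any vendor), the sketch below turns three of the indicators listed earlier into rules: structuring below a reporting threshold, a large initial deposit withdrawn the same day, and several accounts operated from one IP address. The thresholds, field names, rule names and sample log are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration; they are not taken from the FATF report.
REPORT_THRESHOLD = 10_000       # reporting threshold in account currency
LARGE_DEPOSIT = 25_000          # what counts as a "large" initial deposit
WINDOW = timedelta(hours=24)    # look-back window for both timing rules
MAX_ACCOUNTS_PER_IP = 2         # more accounts than this on one IP is flagged

# Constructed sample log: (timestamp, account, kind, amount, source_ip)
EVENTS = [
    ("2020-09-01T09:00", "acct-A", "deposit", 4000, "203.0.113.10"),
    ("2020-09-01T11:30", "acct-A", "deposit", 3500, "203.0.113.10"),
    ("2020-09-01T15:00", "acct-A", "deposit", 3000, "203.0.113.10"),
    ("2020-09-02T08:00", "acct-B", "deposit", 50000, "203.0.113.20"),
    ("2020-09-02T11:00", "acct-B", "withdrawal", 49500, "203.0.113.20"),
    ("2020-09-03T10:00", "acct-C", "deposit", 200, "198.51.100.7"),
    ("2020-09-03T10:05", "acct-D", "deposit", 200, "198.51.100.7"),
    ("2020-09-03T10:09", "acct-E", "deposit", 200, "198.51.100.7"),
    ("2020-09-04T12:00", "acct-F", "deposit", 1200, "203.0.113.30"),
]

def find_red_flags(events):
    """Return sorted (account, rule) pairs for the three rules described above."""
    history, accounts_by_ip, flags = defaultdict(list), defaultdict(set), set()
    for ts, acct, kind, amount, ip in sorted(events, key=lambda e: e[0]):
        history[acct].append((datetime.fromisoformat(ts), kind, amount))
        accounts_by_ip[ip].add(acct)
    for acct, txs in history.items():
        deposits = [(t, a) for t, kind, a in txs if kind == "deposit"]
        # Structuring: sub-threshold deposits that together reach the threshold.
        for i, (start, _) in enumerate(deposits):
            small = [a for t, a in deposits[i:]
                     if t - start <= WINDOW and a < REPORT_THRESHOLD]
            if len(small) >= 2 and sum(small) >= REPORT_THRESHOLD:
                flags.add((acct, "structuring"))
        # Large initial deposit withdrawn (almost) in full within the window.
        if deposits and deposits[0][1] >= LARGE_DEPOSIT:
            t0, funded = deposits[0]
            out = sum(a for t, kind, a in txs
                      if kind == "withdrawal" and t0 <= t <= t0 + WINDOW)
            if out >= 0.9 * funded:  # 0.9 is an assumed "in its entirety" ratio
                flags.add((acct, "rapid_pass_through"))
    # Multiple accounts or wallets operated from the same IP address.
    for accts in accounts_by_ip.values():
        if len(accts) > MAX_ACCOUNTS_PER_IP:
            flags.update((a, "shared_ip") for a in accts)
    return sorted(flags)
```

A hit from rules like these is a prompt for analyst review and possible EDD, not a finding of laundering; the rule treats the first deposit in the log as the account's initial funding, so it needs the account's full history.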