5 best practices for robust cryptocurrency compliance

Driven by advances in blockchain technology, the spread of cryptocurrency has introduced new financial possibilities in jurisdictions around the world. However, the opportunities and benefits of cryptocurrencies have been accompanied by new risks, as criminals use regulatory blindspots to launder money, finance terrorist activities, and commit other financial crimes. In 2021, cryptocurrency-related criminal transactions hit a new high, amounting to around $14 billion – almost double the 2020’s $7.8 billion. 

Given the regulatory uncertainty surrounding cryptocurrencies, it is important that firms operating in this space understand their crypto compliance obligations, and are able to detect and address the risks that they face. 

With that in mind, let’s take a look a five key best practices for good cryptocurrency compliance: 

1. Perform a comprehensive risk assessment

The Financial Action Task Force (FATF) recommends that financial institutions take a risk-based approach to AML/CFT compliance – and this guidance extends to cryptocurrency service providers. Risk-based compliance requires firms to deploy compliance measures in proportion to the compliance risk that their customers present. To establish that risk, crypto firms must perform individual risk assessments, collecting and verifying information about their customers, and building risk profiles to inform future compliance decisions. 

Given the relative novelty of cryptocurrencies and their potential disruptive effects, regulators are paying close attention to the way crypto firms handle risk-based compliance. In particular, firms should consider the anonymity and speed of cryptocurrency transactions, and how those factors might inform a risk assessment. With that in mind, a comprehensive approach to cryptocurrency compliance should include: 

• Rigorous onboarding: Crypto firms should learn as much as possible about new customers, emphasizing the Know Your Customer (KYC) process and proper identity verification. 
• Transaction monitoring: Firms must implement systems to trace the flow of cryptocurrency assets. 
• Regulatory awareness: Crypto firms should understand what regulators expect of them, and be able to anticipate regulatory changes by studying draft guidance. 
• Virtual analysis: Given the online nature of cryptocurrency transactions, firms should seek to be able to perform virtual asset risk assessments, taking the time to understand the details and nuances of each asset that they accept or handle. 

Bear in mind that a risk assessment isn’t a one-and-done compliance task but should be an ongoing process. Crypto firms should revisit their risk assessments throughout business relationships to ensure that they remain accurate. 

A Guide to AML for Crypto Firms

Build a best practice AML program for your crypto firm and stay ahead of the latest regulatory trends with this guide.

Download the guide

2. Understand criminal typologies

The KYC crypto controls that a firm implements must be based on a close understanding of criminal typologies and red flags in order to be effective. Many crypto money laundering typologies share characteristics with conventional money laundering typologies but are exacerbated by the inherent risks of blockchain technology – such as increased anonymity and transaction speeds. With that in mind, typical cryptocurrency money laundering typologies include:

• Layering: Criminals may attempt to move illegal crypto assets through ‘layers’ of transactions. Typically this may involve exchanging one form of cryptocurrency for another, blending transactions across cryptocurrency exchanges (mixing), or cycling illegal money through fiat and cryptocurrencies. 
• Dusting: Money launderers may make large numbers of small cryptocurrency transactions in order to create AML/CFT noise, and subsequently overwhelm monitoring systems. 
• Money mules: Criminals may coerce or incentivize third parties (often financially vulnerable people) to conduct transactions on their behalf – and so avoid AML/CFT identity verification measures.
• Off-chain or cross-chain transactions: Money launderers may conduct crypto transactions off-chain, where crypto KYC and other AML/CFT controls are nonexistent, or between different blockchains in order to exploit KYC disparities. 
• Stolen NFTs: Certain non-fungible tokens (NFT) may be stolen from users’ wallets. In these contexts, criminals may attempt to launder subsequent profits across multiple transactions, or may use ‘peeling’ techniques where stolen funds are taken from a sender’s wallet in a series of small transactions. 
• Darknet transactions: Stolen crypto assets may be exchanged with privacy coins – which can subsequently be used in transactions on the darknet. 
• Crypto wallet theft: Criminals may steal crypto wallets containing virtual assets such as NFTs. If a wallet operates independently of a crypto service provider or exchange it may be very difficult to verify its ownership. 

3. Build your compliance team

Your cryptocurrency compliance program will only be as good as the employees that oversee it. With that in mind, it is important to ensure that you appoint compliance employees with the ability and expertise to spot AML/CFT threats, and with an understanding of the crypto risk landscape. In practice, this means that crypto firms should consider the following skill sets and expertise when hiring compliance personnel: 

• Finance: Despite widespread fragmentation, crypto AML/CFT regulations have tended to align with traditional financial regulations, while many international regulators have expanded the scope of their existing guidance to take in virtual assets. 
• Policy: The crypto regulatory landscape often reflects the changing policies of governments and lawmakers that are working to keep pace with emerging technologies. With that in mind, compliance employees with policymaking expertise may be able to help firms anticipate and adapt to incoming crypto regulations. 
• Law enforcement: Cryptocurrency technologies are often introduced at regulatory frontiers and subsequently prompt lawmakers to reassess existing rules. Compliance employees with backgrounds in law enforcement or investigation may be particularly useful in these contexts since they may be able to identify knowledge gaps or blindspots, and be able detect novel attempts to misuse crypto services for criminal purposes.

4. Integrate compliance technology within your cryptocurrency compliance process

The data collection obligations that cryptocurrency compliance entails require firms to implement a suitable software solution. Software automation enables cryptocurrency service providers to enhance the speed and accuracy of a range of crucial KYC processes, including customer due diligence (CDD) and transaction monitoring.

Given the risks associated with cryptocurrency transactions, an effective compliance solution might emphasize the following technological factors: 

• Digital identity: In addition to names, addresses, and birth dates, cryptocurrency compliance solutions may integrate biometric technology such as fingerprint, face, or voice scans to enhance their customer identification processes. 
• AI: Artificial intelligence systems allow firms to streamline and manage the vast amounts of data that crypto compliance entails. In particular, AI may enable firms to impose risk categories on their AML/CFT alerts and minimize false positive alerts. 
• Blockchain: While cryptocurrency technology poses new AML/CFT risks, firms may also use it to enhance their compliance performance. Blockchains are built on distributed ledger technology which offers new ways for firms to store and encrypt customer information, and independently verify transactions. 

5. Manage stakeholders

Like conventional financial institutions, cryptocurrency service providers must ensure that every stakeholder in their compliance solution understands their role and responsibilities. In practice, this means that crypto firms should facilitate strong lines of communication between senior management and compliance teams, and appoint a money laundering reporting officer (MLRO) to oversee the functionality of the AML/CFT program. Similarly, crypto firms should seek to ensure that their relationship with the relevant financial regulators and authorities remains strong in order to facilitate the swift remediation of compliance alerts.

Crypto firms should also seek to implement an internal training program to ensure that their compliance employees remain familiar with the latest AML/CFT best practices, the latest criminal methodologies, and incoming regulations.