State of Financial Crime 2023 Report
Hosted on blockchain technology and offering access to innovative new financial products and services, cryptocurrencies are disrupting financial systems in jurisdictions all over the world. Cryptocurrencies – or the digital tokens that represent them – may be exchanged directly between blockchain users, or via crypto exchange platforms which facilitate transactions in both fiat and digital currencies.
However, because cryptocurrencies are cryptographically secured on their blockchains, transactions between users are generally anonymous and take place in seconds. The speed and anonymity of cryptocurrency transactions is an attractive opportunity for criminals seeking to evade conventional AML/CFT controls: research shows that illicit cryptocurrency transactions totalled around $14 billion in 2021 – a rise of 79% from $7.8 billion in 2020. As of 2022, it is estimated that around $10 billion in cryptocurrency is held in illegal addresses.
With global regulators paying closer attention to cryptocurrency transactions, it is more important than ever for crypto exchanges to address their AML/CFT compliance responsibilities. In particular, crypto exchanges must address the anonymity concerns associated with cryptocurrency transactions by implementing suitable Know Your Customer (KYC) processes in order to understand who their customers are, and how they are using their services.
What is KYC? Crypto Exchanges and Digital Compliance
The Know Your Customer process is a foundation of AML/CFT compliance regulations around the world and requires financial institutions to both identify their customers and work to understand the nature of the business in which they are involved.
The conventional KYC process involves a range of due diligence measures, along with ongoing screening and monitoring as customers engage with the services that a particular firm offers. KYC is important in financial contexts because criminals employ a range of strategies to evade AML/CFT controls: by building a rich, and accurate risk profile of each individual customer, financial service providers are much better equipped to detect customers that are misusing their services, and to prevent crimes like money laundering and terrorism financing.
What does KYC mean in crypto exchanges?
In the context of crypto exchanges, KYC may be a more complicated compliance challenge since firms must work harder to establish the identities of the customers that are using their digital services, and to understand the details of transactions that they are facilitating.
Risk-based compliance: Following Financial Action Task Force (FATF) recommendations, crypto exchanges should adopt a risk-based approach to KYC compliance. Risk-based compliance requires firms to perform risk-assessments of individual customers, and then implement a proportionate AML/CFT response. If an assessment finds that a customer is high risk, the crypto exchange should deploy more intensive compliance measures – as opposed to simpler measures for low risk customers. Risk-based compliance enables crypto exchanges to deploy their AML/CFT resources more efficiently, while protecting customers from negative experiences, as far as possible.
In practice, digital KYC compliance means that ‘traditional’ KYC practices should be adjusted for the specific challenges that crypto exchanges face – and include the following measures and controls:
- Identity verification: In order to build accurate risk profiles, crypto exchanges should be able to build accurate risk profiles for their customers. With that in mind, exchanges must obtain and verify identifying information from their customers, including names, addresses, birth dates, and relevant corporate information.
- Customer monitoring: Exchanges should monitor their customers’ transactions on an ongoing basis, paying special attention for signs of criminal activity – which may include unusual transaction patterns, or transactions involving high risk customers and locations.
- Screening: Exchanges must screen their customers to ensure that they are not subject to international sanctions, or that they are politically exposed persons (PEP), and therefore at higher risk of being involved in money laundering.
- Adverse media: Customer risk profiles may be informed by adverse news stories before the same information appears in official sources. Exchanges should screen on an ongoing basis to detect customer involvement in adverse media.
Crypto Exchange KYC Risks
KYC compliance in the cryptocurrency space is complicated by an evolving regulatory landscape, and by relatively novel criminal methodologies. Accordingly, cryptocurrency exchanges should be aware of the following vulnerabilities and risks when developing and implementing their KYC solution:
- Anonymous transactions: Cryptocurrency exchange transactions offer money launderers a degree of online anonymity. Accordingly, exchanges should seek to inform their identity verification process with digital controls, including obtaining biometric customer information such as face, voice, and fingerprint scans.
- Transaction speed: Cryptocurrency funds can be moved between accounts in a matter of seconds, often outpacing AML/CFT controls. Exchanges should ensure that their own AML/CFT checks and monitoring processes can be completed before funds are transferred to user wallets.
- Structured transactions: Money launderers may attempt to evade reporting thresholds by structuring their transactions in small amounts, across multiple accounts. Crypto exchanges should ensure their controls prevent the creation of multiple accounts and share information with other financial service providers to detect and prevent structuring strategies.
- Money muling: Money launderers may seek to further exploit the vulnerabilities of cryptocurrency transactions by coercing or incentivizing third parties – known as ‘money mules’ – to engage with crypto exchange services on their behalf. Exchanges should work to detect money mules by performing suitable due diligence and identifying customers whose profiles do not match their wealth or expected financial behavior.
Negative customer experiences: Beyond the regulatory risks, crypto exchanges with inadequate or unsuitable KYC procedures also risk negatively affecting their customers’ experience of their services. Under a risk-based approach, KYC enables exchanges to build detailed risk profiles – and subsequently adjust their AML/CFT controls to better suit individuals. With that in mind, effective KYC is a way to optimize experiences for lower risk customers, ensuring service speed and efficiency where onerous AML/CFT scrutiny is not required.
AML/CFT compliance regulations require crypto exchanges to collect, analyze, and store vast amounts of digital customer and transaction data. In order to manage that obligation, crypto exchanges should seek to integrate a suitable software solution: in addition to automated speed, efficiency and accuracy, software solutions help firms add depth to their KYC procedures, and build out richer, more detailed risk profiles for their customers.
Automated KYC processes also help crypto exchanges remain agile in a rapidly changing regulatory environment. As new criminal methodologies emerge, and governments implement new cryptocurrency legislation, KYC software may help exchanges adapt to their regulatory environments and make important risk-based decisions quickly. Similarly, with the benefit of machine learning systems, exchanges may be able to perform deeper levels of analysis on historical data to reveal unforeseen vulnerabilities or unexpected diversions from expected financial behavior.
- Explore how ComplyAdvantage enables firms to detect suspicious behavior across fiat and cryptocurrencies in one platform.
- See how we’ve helped other crypto firms improve efficiency and reduce time spent remediating alerts.
Originally published 14 January 2022, updated 20 March 2023
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).