17 July 2020
Banks and Virtual Assets - What Risks are involved?
Poor KYC controls:
As the virtual asset economy is made safer by new and updated regulations, there are still Virtual Asset Service Providers (VASPs) without sufficient AML control in order to discover and supress money laundering and terrorism financing. It is estimated that more than 50% of these VASPs have weak and insufficient KYC processes. This would allow for criminals and other bad actors to exploit these weak KYC protocols in order to legitimize illegally obtained virtual assets, e.g. through exchanges operating as fiat off-ramps.
These exchanges that serve as direct fiat off-ramps might cause risks exposure to both the receiving user’s, as well as the crypto exchange’s banks. Crypto users trade their crypto via exchange's platform for fiat, which the cryptocurrency exchange’s bank transfers via ACH or wire transfer to the user's bank account. So, the sale of cryptocurrency is actually occurring even though the two banks aren’t directly trading cryptocurrency with each other. The exchange’s AML program must be relied upon by both banks to identify and mitigate risks that might happen from the source of cryptocurrencies being traded.
Virtual assets don't care for borders: In Exchange-to-Exchange transactions in 2019, 74% on average of the bitcoin moved was cross-border. FATF warned that “illicit users of VAs, for example, may take advantage of the global reach and transaction speed that VAs provide as well as of the inadequate regulation or supervision of VA financial activities and providers across jurisdictions, which creates an inconsistent legal and regulatory playing field in the VA ecosystem.” In one jurisdiction, VASPs may offer their services to customers in another jurisdiction where the AML/CFT obligations and oversight are different. If the VASP is located in a jurisdiction with weak or even non-existent AML/CFT controls, legitimate concerns are raised.
New regulations deadlines are short for VASPs In June 2019, FATF has announced a new guidance. They gave twelve months for individual member nations to implement their guidance into local laws before it would report on their progress. In regard to that, FATF stated that: “future developments in virtual asset technology should not create loopholes that terrorists and criminals can exploit. The FATF will evaluate next steps in June 2020.”
But many members haven't yet adopted all of FATF’s new virtual asset guidance properly. Some countries did retain effective introduction of AML regulations, while others proceed without proper controls, thus risking jurisdictional ajudication. New protocols aren't going to appear and be enforced overnight at VASPs just because new regulations were made. There are still AML gaps criminals can exploit as they quickly search to launder ill-gotten crypto-funds for fiat before new regulations are made and enforced. Banks and payment networks don't really notice these cryptocurrency related transactions. This lack of visibility could make them unprepared and thus vulnerable to compliance exposure and fraud.
Steven Mnuchin, FinCEN personnel and Treasury Secretary, recently implied that the US government’s stance on compliance expectations for financial institutions when it comes to cryptocurrency related transactions is on the right course. With regards to the Travel Rule, for example, Kenneth Blanco, the FinCEN Director said on May 13th, 2020, “The United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency. Any asset that allows the instant, anonymized transmission of value around the world with no diligence or recordkeeping is a magnet for criminals, including terrorists, money launderers, rogue states, and sanctions evaders.”
Then Blanco also stated in December 2019, “it is important for all financial institutions to ask themselves whether they are reporting such suspicious activity. If the answer is no, they need to reevaluate whether their institutions are exposed to cryptocurrency… If you don’t think you have crypto on your network, look again.” The cryptocurrency risk exposure for banks should be transparent and they should have appropriate measures in place. However, the current state of affairs might signify that the banks cannot do this alone.
Banks must have adequate resuorces and specialized tools to detect exposure to the fast changing, quick and 24/7 crypto global system. In his May 2020 speech, Blanco added, “There is no substitute for the private sector’s visibility into and ability to prevent criminal exploitation of virtual currency products and platforms—particularly those of you who are organizing, developing, and administering these products and platforms. Our work together plays a significant role not just in advancing financial transparency, inclusion, and the development of the future of payment systems, but also in identifying, tracking, and stopping criminals including terrorists and other bad actors from harming others, particularly the most vulnerable.”