Cryptocurrencies have exploded in recent years, and criminals have noticed. $3.5 billion was laundered through cryptoassets in 2020, bringing a heightened regulatory focus and new risks for Virtual Assets Service Providers (VASPs) who offer cryptoasset products and services, or any company doing business with one.
In this blog, Chris Vaughan, formerly a financial crime risk manager working in cryptoassets and now Senior Compliance Associate at fscom, explains how firms should carry out risk assessments to understand and mitigate the financial crime risk from cryptoassets and tokens.
Risk assessments: the core of an effective crypto AML strategy
Any compliance professional will tell you that a risk assessment is an essential tool in the fight against financial crime, so this is where a crypto AML strategy should start. An effective risk assessment is the first step in building a framework because it allows companies to identify the risks they face and decide the appropriate controls to mitigate those risks. A risk assessment is particularly useful for VASPs because:
- The cryptoasset space is still relatively new and each year brings new changes and developments with associated risks and concerns.
- There is no standardised approach across the sector, so a risk assessment can shed light on the particular risks facing your company.
- VASPs and companies working with them do not have unlimited resources so they should take a risk-based approach to compliance. A risk assessment helps them to understand where they should focus their resources to tackle areas of highest risk.
As a starting it’s good to ask, what might we want to risk assess? We recommend firms look at four main areas:
- The cryptoasset tokens themselves
There are many categories of cryptoassets, from payment and exchange tokens like Bitcoin to Non-Fungible Tokens. A token risk assessment should understand what each kind of token does, assess the risk of that token being used as a vehicle for money laundering and terrorist financing, then apply controls to mitigate this risk.
- Products and services
Crypto products and services are usually classified as on-ramp or off-ramp depending on whether a client is buying or selling assets . A risk assessment should understand the inherent risk factors in each of these areas.
Firms servicing the cryptoasset sector should risk assess the VASPs they serve as clients and identify their risk factors. This could include a number of factors including the jurisdictions in which the VASP and/or its customers are based, the cryptoassets it offers, the size and nature of its clients, and the extent to which it is regulated.
Customers of VASPs should also be assessed to determine their risk level. This will vary according to the jurisdiction where they live, whether they are a corporation or an individual customer, the services and assets they use and their transaction activity among other factors.
The final stage of a risk assessment: implementing controls
Once a risk assessment has been carried out and the threat level determined, firms then need to decide which controls to implement to best manage and mitigate cryptoasset risk. These will vary according to the level of risk and the type of token, VASP, product or customer being assessed. But there are common controls that firms should consider implementing, including:
- Know-Your-Customer, Customer Due Diligence and Enhanced Due Diligence: This activity helps firms to test the risks they face for particular customers and third parties and undertake additional due diligence if those risks are high.
- Ability to freeze funds, or cool-down periods: When suspicious funds are received, it is important that the firm is able to freeze their clients’ assets and activity, to prevent fast onward movement.
- Travel rule: This is a control that will soon be a regulatory requirement and indeed already is one for many big crypto exchanges. It will allow exchanges to better understand their customers’ transactions to an extent by recording information along with the transaction on who is sending funds and to where.
- Blockchain monitoring: This helps firms to analyse the provenance and destination of funds sent through their wallets.
- Transaction monitoring: This involves monitoring transactions for other potentially unusual or suspicious typologies, such as unexpected high velocity or large value transactions.
The crypto industry is not likely to stand still any time soon, and cryptoassets will continue to be a growing target for prospective money launderers. Regulatory focus is only likely to increase, but whatever happens, companies who have carried out an effective risk assessment will be best prepared to manage any new risks that emerge.
Contact fscom today to discuss how we can support you with a crypto risk assessment.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.