Designing a BSA/AML framework for virtual currencies

Sep 07, 2018
Sep 07, 2018
0 min. read
Business risk consulting Risk consulting Financial services Cryptocurrency

As interest in virtual currency usage grows and becomes a popular topic, the need for a regulatory framework is in high demand. Virtual currency was introduced in 2009 in the form of bitcoin; now there are more than 1,500 different coins and tokens within the virtual currency world. Financial institutions are interested in banking virtual currency administrators or exchangers, but are unsure how to adjust their current Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) programs to properly identify and reduce their risk.

Direct and inherent risks

There are several concerns regarding the risks associated with virtual currency. Some of the most notable concerns are around potential anonymity, the fact that virtual currencies can be accessed from virtually anywhere in the world, the ease of transfers internationally and the lack of transaction limits.  While coins such as ethereum and bitcoin can be de-anonymized through public records, big data and analytic matching, other virtual currencies exist that allow for deeper privacy through technology.  Hence, virtual currency can have a higher degree of anonymity and potentially an increased risk that a virtual currency user could be on an Office of Foreign Assets Control (OFAC) list. The OFAC database is a published list of individuals, companies and targeted countries that are engaged in illegal activities and pose threats to the national security, foreign policies or economy of the United States.

To understand the anonymity regarding virtual currencies, one must understand how virtual currencies are transferred. Each virtual currency holder holds the virtual currency in one or more wallets (similar to bank accounts) which are only associated by a random number or key, not a name or anything to establish ownership.  Each time a transaction occurs, information is publicly recorded, in the case of bitcoin and most other coins, into a ledger that is pseudo-anonymous, due to the type of information that is being recorded. At this stage and with varying potential layers of protection, there may or may not be a way to identify the sender or receiver of this coin.

Virtual currency administrators and exchanges that accept and transmit a convertible virtual currency or buy or sell a convertible virtual currency for any reason are considered to be money transmitters under FinCEN’s regulations, and are therefore, subject to money service business (MSB) registration, reporting and recordkeeping regulations.1 As financial institutions store virtual currencies, they often have to rely on the administrators and exchangers BSA/AML policies and procedures, which can increase the institutions overall risk rating.

Global market

Regulations regarding virtual currency differ from country to country. Several countries do not consider virtual currency to be a legal tender; however, exchanges are likely to be considered legal as long as they are registered or maintain compliance with that specific country of presence.

In March 2018, the United Kingdom announced the launch of a Cryptoassets Task Force (CTF), to help manage risks around crypto assets. As cryptocurrencies are not considered currency or commodities for regulatory purposes under the Markets in Financial Instruments Directive II (MIFID II), they are not currently regulated by the U.K’s Financial Conduct Authority (FCA). However, the FCA “warned that any firms dealing in, arranging transactions in or advising on or providing services relating to cryptocurrency derivatives, including futures, contracts for difference and options, must comply with all applicable rules in the FCA’s handbook and any relevant provisions in directly applicable EU regulations.”2 Exchangers are legal and must register with the FCA and abide by AML/counter terrorism standards that are required of financial institutions.

Within the European Union (EU), no EU member can introduce its own currency. As there is no uniform regulation currently in place, regulations vary depending on the country.

One of the largest virtual currency markets, Japan, considers bitcoin a legal tender. At this time, no other country has deemed virtual currency a legal tender. In addition, exchangers are legal as long as they are registered with the Japanese Financial Services Agency.

In contrast, trading bitcoin in China is illegal. Private parties may store bitcoin, but financial institutions are prohibited from handling transactions related to cryptocurrency. India does not consider virtual currency a legal tender; however, exchangers are legal, even though there are no regulations for them.

Two of the more progressive countries are Switzerland and Singapore. Switzerland considers bitcoin to be legal foreign currency, and the Swiss government has accepted virtual currency as payment. While Singapore does not recognize virtual currencies as a legal tender, payments are accepted in the form of virtual currency and there are numerous bitcoin ATMs throughout the country. Singapore requires exchangers to verify and collect personal information for these users.

Many countries are still in the process of developing and/or enhancing regulations around cryptocurrency. As cryptocurrency grows, countries are continuously trying to understand the implications posed by this form of currency and what policies and procedures they can establish to safeguard themselves.

U.S. regulations

Currently, the United States does not consider bitcoin to be a legal tender, which complicates which regulatory body will take the lead for defining federal regulations. However, the various regulators are currently working to provide more guidance.

The legality around exchangers depends on the individual state. Several states require exchangers to register with that state for a license. Illinois and Kansas will not issue a state license to an entity that solely engages in virtual currency.

Per the Commissioner of Financial Institutions in Hawaii, “no company is licensed to transmit bitcoin in Hawaii. If companies are offering to transmit bitcoins, they are doing so in violation of Hawaii’s money transmitter laws.”3 There are currently two bills in progress (SB 2853 and SB 3082) to reverse this. These two bills would define virtual currency within the Money Transmitters Act and would require exchangers to have a state license.

Montana is the only state that does not have money transmitter laws; therefore, there is no regulation regarding virtual currencies. Wyoming amended its Money Transmitter Act to provide an exemption for virtual currency, which allows entities to engage in these transactions without licensing requirements. Arizona, Georgia and Illinois are currently the most progressive states. As such, these states have allowed cryptocurrencies as payment for state taxes.

What financial institutions should be doing now to understand the risks

As virtual currency administrators and exchanges are considered MSBs and need to be registered with FinCEN, financial institutions need to fully understand the AML/BSA requirements of an MSB. Since financial institutions will have to rely on the administrators’ or exchangers’ AML/BSA policies and procedures to determine that monitoring and reporting suspicious activity are sufficient, financial institutions need to understand the gaps that could put them at a higher risk.

Before onboarding an administrator or exchanger, financial institutions should ensure virtual currency administrators and exchangers are registered with FinCEN and licensed with the appropriate state if required. Financial institutions should conduct a comprehensive risk identification and assessment, establishing mitigating controls to reduce the risk. A risk assessment should fully assess the purpose of the account, anticipated activity, types of products offered by the MSB, and locations and markets served by the MSB.

Some mitigating controls to consider include identifying MSB relationships and the risk posed by these relationships, ensuring they are appropriate based on monitoring and reporting systems in place by the financial institution and conducting adequate and ongoing due diligence. The Federal Financial Institutions Examination Council suggests that financial institutions may, based on their individual risk assessment of the MSB, review the MSB’s BSA/AML program as necessary.4

Until there are federal regulations in place, financial institutions should take every precaution to reduce their risk by implementing unique policies and procedures based on their individual BSA/AML risk assessment. Financial institutions should also develop programs and conduct training aimed specifically to understanding virtual currency transactions. By establishing strong know your customer and enhanced due diligence procedures, identifying transactions that may be out of pattern for that customer will be more noticeable. Financial institutions can alleviate their risks while being virtual currency administrators and exchangers by building a sound BSA/AML program with constant transaction monitoring and risk-based procedures.

1Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual Currencies (March 2013), Financial Crimes Enforcement Network
2Cryptocurrency derivatives (June 2018), Financial Conduct Authority
4Bank Secrecy Act Anti-Money Laundering Examination Manual, Federal Financial Institutions Examination Council.