By Jesse Mudaliyar
Introduction
The emergence of cryptocurrencies has fundamentally transformed the concept of currency, extending and reshaping the global financial landscape. The inherent anonymity and decentralized structure of cryptocurrency transactions have made them particularly vulnerable to money laundering and other illicit activities. The yet to be fully evolved regulatory framework on cryptocurrencies, has created openings for financial criminals to exploit this burgeoning market. Inadequate Anti-Money Laundering (AML) regulations and oversight have enabled wrongdoers to leverage on the anonymity and decentralized nature of cryptocurrencies for nefarious purposes. Consequently, the crypto market has witnessed a surge in money laundering activities, terrorism financing, bribery, and fraud and many other financial crimes.
Over the past decade, there has been a proliferation of high-profile financial crimes involving cryptocurrencies, ranging from various forms of Ponzi schemes to a concerning uptick in money laundering operations. In response and in an attempt to combat these activities, regulators, financial institutions, and law enforcement agencies are mandated to implement Anti-Money Laundering (AML) and Know Your Customer (KYC) policies.
This article aims to assess the significance of these AML and KYC policies and the role they play in ensuring the legitimacy and integrity of the cryptocurrency market.
Cryptocurrency Trading
The surge in popularity of cryptocurrency trading has been remarkable over the last decade. Since the introduction of Bitcoin in 2009, the cryptocurrency trading landscape has undergone a transformative evolution. According to reports, in 2013, there were only 66 types of cryptocurrencies available. Today, the number has soared to over 10,000,[1] a testament to the burgeoning interest in cryptocurrencies. These digital coins are generated through blockchain or peer-to-peer technology, employing advanced cryptographic techniques.
Distinguishing themselves from conventional fiat currencies issued by governments worldwide, cryptocurrencies lack physical form. Instead, they exist as strings of data in the digital realm. Furthermore, cryptocurrencies operate without the oversight of a central authority or governing body, such as a central bank, which typically regulates the issuance and circulation of traditional currencies. Because they aren’t sanctioned by any government entity, cryptocurrencies do not hold the status of legal tender.
Despite not being officially recognized as legal tender on the global economic stage, the potential impact of cryptocurrencies on the financial landscape is too significant to be overlooked. Simultaneously, the underlying blockchain technology, which serves as the backbone of cryptocurrency creation, has created fresh investment avenues for traders to explore and leverage.
Anti-Money Laundering (AML) and Know Your Customer (KYC) Policy?
Anti-Money Laundering (AML)
Traditionally Anti-Money Laundering (AML) encompasses a set of procedures and practices undertaken by financial institutions and regulated entities to prevent financial crimes. This entails activities such as scrutinizing customer profiles and their transactions, maintaining meticulous records, and promptly notifying AML authorities in cases where money laundering is suspected, among other measures.
In cryptocurrency, anti-money laundering (AML) encompasses the laws, regulations, and practices designed to stop criminals from converting illegally obtained cryptocurrencies into fiat currencies. Currently, the Financial Action Task Force (FATF)[2] sets the standards for AML laws globally.
The FATF is a 39-member body which sets international standards to ensure that national authorities can effectively go after illicit funds that are proceeds from crimes. The FATF began publishing guidance on cryptocurrency AML in 2014, and policymakers in FATF’s member jurisdictions quickly took action. In 2019, the Financial Action Task Force (FATF) finalized an interpretative note for Recommendation 15, which modifies and supplements the existing recommendation to provide clarity on how FATF standards apply to activities involving virtual assets/cryptocurrencies. This note extends the regulatory requirements already in place for other regulated products. Following consultations with private sector actors, the Interpretation Note text was officially adopted as part of the FATF Standards in June 2019.
As a result of this new recommendation, virtual assets and Virtual Asset Service Providers (VASPs) will be subject to full regulation in terms of money laundering prevention and counter-terrorist financing, similar to any other financial product. Today, several regulatory bodies have codified most of FATF’s cryptocurrency AML recommendations into law.
Essentially, AML regulations require financial institutions to monitor customer transactions for suspicious activity which might indicate money laundering or other financial crimes, and to report these transactions in a timely manner. At the same time, they also require financial institutions to verify their customers’ identities through processes known as Know Your Customer (KYC).
Know Your Customer (KYC)
In financial transactions, verification process would require that customers provide organizations and businesses with certain credentials for identification. It is then on the organisations and businesses to ensure that such submitted credentials are not fake and that customers are who they say they are.
KYC is the procedure of gathering information about a customer and confirming their identity. The specific details required for identity verification can vary depending on the jurisdiction. Typically, businesses are mandated to acquire, at a minimum, the name, date of birth and address of their customer.
For Crypto, KYC refers to the set of identity verification procedures required by law for Virtual asset service providers (VASPs)[3]. This process includes collecting personal information such as name, address, and government-issued identification documents. KYC is a basic expectation that holds financial institutions accountable for conducting due diligence and understanding the nature of their customers. In adopting KYC checks, institutions can assign a risk value to individuals or entities and flag potentially dangerous accounts and transactions upfront. These processes are crucial as they equip law enforcement agencies with the ability to link seemingly anonymous cryptocurrency addresses to real-world entities in cases where these addresses are linked to illicit activities. This significantly enhances the ability to track and investigate criminal activities within the cryptocurrency space.
For traditional finance, valid credentials include ID card validation, face verification, biometric authentication, and proof of address such as a copy of a recent utility bill. In the cryptocurrency industry, KYC requirements are less standardized. Most crypto exchanges require that new customers share their full legal name, date of birth, government-issued ID, and up-to-date address information during onboarding, but this varies according to where the exchange operates and what services it provides.
In October 2021, FATF in its updated guidance for member jurisdictions, clarified that NFT marketplaces[4], Decentralized Finance protocol (DeFi protocols)[5], and stablecoin providers, depending on what activities they engage in, may also be obligated to implement KYC procedures.
How does KYC work in cryptocurrency?
KYC programs generally have three components: customer identification, due diligence, and continuous monitoring.
- Customer Identification Program (CIP): Customer Identification Program (CIP) is a crucial framework implemented by financial institutions to verify the identity of their customers. It relies on dependable and impartial data to ascertain that the customer’s claimed identity aligns with reality. In the case of individuals, this typically involves gathering essential information such as the client’s legal name, date of birth, and address. Additionally, it often necessitates the verification of supporting documents like a driver’s license or passport. For business entities, the CIP may require the submission of pertinent documents such as business licenses and articles of incorporation. These measures collectively establish a robust system to ensure that financial institutions are dealing with legitimate and accurately identified customers, thereby helping to mitigate the risks associated with fraud and illicit activities.
- Customer Due Diligence (CDD): This is a critical process undertaken by financial service providers to evaluate the potential risks associated with a new client or business relationship. This assessment involves a thorough examination of various factors, including background checks, customer surveys, and a review of the client’s transaction history. By employing these measures, financial institutions are able to assign risk ratings that determine the level of scrutiny and monitoring that an account will undergo. This approach enables them to allocate resources and attention to higher-risk accounts while also ensuring compliance with regulatory requirements. Ultimately, CDD plays a crucial role in safeguarding the integrity of financial systems by identifying and mitigating potential risks associated with clients or business relationships.
- Continuous Monitoring: This is a process of consistently and actively reviewing transactions for potential signs of criminal activity. This practice involves a real-time or regular examination of financial transactions to identify any suspicious or anomalous behavior. In the cryptocurrency realm, VASPs have a legal obligation to engage in continuous monitoring. When they detect any activities that raise suspicion, they are mandated to file Suspicious Activity Reports (SARs) with the appropriate law enforcement agencies. This reporting mechanism serves as a vital tool in the fight against financial crimes and helps authorities investigate and mitigate illicit activities within the virtual asset space.
Evolving Regulatory Environment for Cryptocurrencies
Recently, efforts to regulate Cryptocurrencies moved to the top of policy making agenda. Some Countries decided to embrace and recognise crypto assets as a legal tender, while others regard crypto assets as personal property[6].
In Japan, cryptocurrencies are recognised as legal property under the Payment Services Act (PSA). Crypto exchanges in the country must register with the Financial Services Agency (FSA) and comply with AML/CFT obligations.
In the United Kingdom, there are no cryptocurrency-specific laws. The country considers cryptocurrency as property (not a legal tender), and crypto exchanges must register with the U.K Financial Conduct Authority (FCA).[7] However, there are cryptocurrency-specific reporting requirements relating to KYC, AML and Combating the Financing of Terrorism (CFT). Cryptocurrency exchange and custodian wallet providers must comply with the reporting obligations implemented by the Office of Financial Sanctions Implementation (OFSI). These Crypto firms are to notify the OFSI as soon as possible if they know or have reasonable suspicion that a person is subject to sanctions or has committed a financial sanctions offense.
Cryptocurrency is legal in most of the European Union (EU) however, exchange governance depends on individual member states. The EU’s Fifth and Sixth Anti-Money Laundering Directive (5AMLD and 6AMLD) have come into effect, tightening KYC/CFT obligations and standard requirements[8]. The Markets in Crypto-Assets Regulation (MiCA) 2023, establishes clear crypto industry conduct and introduces new licensing requirements.
Invariably, countries under the Gulf Cooperation Council (GCC) are recognizing the importance of AML and KYC regulations in the realm of virtual assets and are actively working towards implementing and enforcing these measures to deter illicit activities and promote a safe and transparent environment for cryptocurrency-related transactions. For example, the Saudi Arabian Monetary Authority (SAMA) has established AML and KYC[9] regulations for businesses engaged in cryptocurrency trading in Saudi Arabia. These requirements mandate the implementation of policies, procedures, and controls to ensure compliance with AML and KYC regulations.
Similarly, in Qatar, the Qatar Financial Centre Regulatory Authority (QFCRA)[10] has issued regulations specifically for cryptocurrency exchanges and related services. These regulations encompass licensing requirements as well as AML and KYC obligations. However, the Qatar Financial Centre Regulatory Authority (QFCRA) implemented a ban on all virtual asset services within the Qatar Financial Centre (QFC), except for digital asset services related to token securities.
In October 2018, FATF announced that it would be recommending member countries apply the Travel Rule, a longstanding compliance requirement for traditional financial institutions, to virtual assets like cryptocurrencies and VASPs like exchanges. The Travel Rule requires VASPs and financial institutions to obtain, hold, and transmit specific originator and beneficiary information immediately and securely when transferring virtual assets.
The Travel Rule is a key AML/CFT measure that enables VASPs and financial institutions to prevent terrorists, money launderers, and other criminals from accessing wire transfers to move their funds (including virtual assets), and to detect such misuse when it occurs.[11] Specifically, these requirements ensure that basic originator and beneficiary information is available to law enforcement authorities to detect, investigate and prosecute terrorists or other criminals, and trace their assets; financial intelligence units to analyze suspicious or unusual activity; and ordering, intermediary and beneficiary VASPs and financial institutions to identify and report suspicious transactions, and to freeze funds and prevent transactions with sanctioned persons or entities.
Implementing AML and KYC Policies – Challenges and Criticisms
Anonymity of Cryptocurrency Transactions: AML and KYC policies or regulations have been put in place to aid the prevention of identification fraud, financial crimes, and money laundering. However, the anonymous nature of cryptocurrency transactions makes it difficult to successfully execute KYC regulations.
The anonymity inherent in cryptocurrency transactions, facilitated by wallet addresses, poses a significant challenge to enforcing KYC regulations. This makes it difficult to trace the source and destination of transactions, hindering efforts to identify parties involved in potentially suspicious activities.
Varying Levels of Transparency: Different cryptocurrencies and blockchain networks have varying levels of transparency. This diversity complicates the task of tracking transactions across different blockchains, making it challenging for regulators and financial institutions to monitor and identify suspicious activities that involve multiple cryptocurrencies or blockchain networks.
Global Nature of Cryptocurrency Exchanges: Many cryptocurrency exchanges operate globally and must adhere to diverse AML and KYC regulations across different countries. This diversity can make it challenging for exchanges to implement a uniform KYC process for all clients. Staying up-to-date with the latest AML and KYC regulations worldwide requires significant effort and resources.
Lack of Standard Identification Procedure: Unlike traditional banking institutions, which often rely on government-issued identification documents, cryptocurrency exchanges may need to explore alternative methods for verifying customer identities. This could involve combining various forms of identification, including government-issued ID, biometric data, and even social media accounts.
Unregulated Exchanges: Some cryptocurrency exchanges operate in regions where they are not subject to AML regulations. This creates opportunities for criminals to exploit these platforms for money laundering and other illicit activities.
Privacy concerns: Privacy concerns are paramount in KYC processes, where sensitive customer information is collected. It’s imperative for businesses to uphold their clients’ privacy, ensuring that data is securely stored and shielded from unauthorized access. Neglecting these precautions could leave users vulnerable to privacy breaches, potentially leading to identity theft, financial harm, or reputational harm.
As KYC procedures entail an expanding collection of personal information, there’s a growing apprehension about potential misuse. This encompasses the risk of businesses or third parties engaging in activities like selling customer information to advertisers, employing it for targeted marketing endeavours, or even sharing it with malicious entities. Vigilance in safeguarding customer data is crucial to maintain trust and compliance with privacy regulations.
Recommendations
Creating adequate legal frameworks for AML and KYC in the cryptocurrency space is important for preventing illicit activities while ensuring compliance with regulations. The following recommendations may be instructive.
- Governments should establish clear and comprehensive regulatory guidelines specifically tailored to the unique characteristics of cryptocurrencies.
- Implement mandatory compliance requirements for cryptocurrency exchanges, wallet providers, and other service providers. This includes verifying the identity of customers, monitoring transactions for suspicious activities, and reporting any suspicious transactions to the relevant authorities.
- Implement systems for real-time transaction monitoring to detect suspicious activities, such as large transactions, unusual patterns, or transactions involving high-risk jurisdictions.
- Invest in technological solutions such as blockchain analytics tools and artificial intelligence to enhance AML and KYC capabilities and improve the effectiveness of regulatory efforts.
- Promote international cooperation and coordination among regulators and law enforcement agencies to address cross-border challenges associated with cryptocurrencies and money laundering.
Conclusion
In conclusion, navigating the diverse regulatory landscapes for AML and KYC across jurisdictions poses a significant challenge for financial institutions with a global presence. The establishment of a unified regulatory framework for AML and KYC presents a compelling solution. Such a framework would fortify defences against criminal exploitation, as KYC requirements would become more standardized and resistant to evasion. The commendable efforts of organizations like FATF in setting international standards, with member countries gradually integrating them into their regulatory frameworks, mark a positive step towards this goal. The widespread adoption of these standards, excluding regions that prohibit cryptocurrency transactions, promises to streamline the enforcement of AML and KYC policies across multiple jurisdictions, enhancing the overall integrity of the financial system.
Jesse is Vice President, Senior Managing Counsel, EASTERN EUROPE MIDDLE EAST AFRICA at Mastercard
[1] https://explodingtopics.com/blog/number-of-cryptocurrencies
[2] https://www.fatf-gafi.org/en/the-fatf/what-we-do.html
[3] FATF defines VASPs as the following: A Virtual asset service provider (VASP) means any natural or legal person who is not covered elsewhere under the Recommendations and as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
– the exchange between virtual assets and fiat currencies;
– the exchange between one or more forms of virtual assets;
– transfer of virtual assets;
– safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
– participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset. (FATF. 2021b, p. 109)
[4] NFT marketplace is an online platform where non-fungible tokens, mints and the likes are transacted Read more: https://www.coindesk.com/tech/2021/07/12/nft-marketplaces-a-beginners-guide/
[5] https://www.blockchain-council.org/defi/defi-protocols/
[6] https://b2binpay.com/en/countries-which-allow-cryptocurrency-as-legal-payment-method/
[7] https://sumsub.com/blog/all-you-need-to-know-about-uk-crypto-regulations-2023-guide/
[8] https://www.idenfy.com/blog/eu-anti-money-laundering-directives-amlds/
[9] https://www.tookitaki.com/blog/challenges-implementing-aml-compliance-saudi-arabia-tookitaki
[10] https://www.qfcra.com/wp-content/uploads/2022/07/QFC-VASPS-ALERT-pdf.pdf
[11] https://sanctionscanner.com/blog/financial-action-task-force-fatf-travel-rule-140