Performing the cryptocurrency financial crime risk assessment
Criminals are trying to exploit crypto technology; hence, the traceability of crypto activity is a very important control for anti-financial crime purposes. To some degree, it has successfully and effectively mitigated the use of cryptocurrencies for certain types of financial crime. Even so, it is vital that you know which financial crimes your company might inadvertently facilitate. It is also crucial to ensure you have the systems, controls, and procedures in place to mitigate these financial crime risks, which is where the cryptocurrency risk assessment comes into play.
Cryptocurrency Financial Crime Risk Assessment
The different types of risk assessments
In practice, you can often see that there are multiple levels of risk assessments that are being conducted periodically. Some are being done annually, some may be done ad-hoc in the event of specific situations, and others are even performed continuously based on observations and monitoring done on customers.
Here are three examples of different types of common risk assessments:
- First of all, there are enterprise risk assessments, which are usually conducted on an annual basis. This type of risk assessment involves identifying all the major risk categories. Those can range from system risks, cyber security risks, operational risks, fraud risks, and HR risks to market risks, financial risks, and regulatory risks. Each risk category can then be broken down to identify the exposure within that category.
- Secondly, the financial crime risk assessment is usually the most important for anti-financial crime professionals and is the one discussed in this lesson. The financial crime risk assessment is usually also performed annually, specifically focusing on the money laundering risks. Categories such as the geography of customers, the type of customers you onboard, the products you offer, and the distribution channels available are inspected.
- Lastly, there is the customer risk assessment. This risk assessment category usually comprises various criteria for calculating customers’ risk scores. These include geography, customer type, activity, and even their blockchain or general cryptocurrency transaction history, in case this information is available.
The different benefits of the risk assessment
Financial crime risk assessments are a regulatory requirement for many organizations, especially financial institutions. The risk assessment can guide the entire setup and ongoing development of your anti-financial crime framework.
In particular, there are four ways in which a cryptocurrency risk assessment can help your organization develop and improve its existing anti-financial crime framework in this sphere.
- First, a risk assessment can serve as a map of vulnerabilities. It’s essential to understand how criminals might seek to misuse a specific product or service that you are offering or even your entire organization. It is inevitably much better to proactively identify and address these potential vulnerabilities instead of discovering them when it’s too late, potentially facing regulatory, civil, or even criminal scrutiny.
- Secondly, a risk assessment is also a resource plan. Once you understand where the vulnerabilities lie, you can consider the controls you need to tackle them, which is perfectly in line with a risk-based approach. This approach can allow you to devise a good strategy to combat these risks and divide the potentially scarce resources that your organization has available. Ask yourself questions like “What kind of external tools are worth an investment?” and “What skills do my AML analysts need?”.
- Thirdly, a risk assessment can be a development strategy. Particularly in a fast-paced sector like cryptocurrencies, growth and innovation are a regular, probably almost daily, activity for your organization. There are always new things that you need to think about. Your anti-financial crime risk assessment can help guide these efforts. For example, what new coins do you want to list on your exchange? You can use your risk assessment for this. The risk assessment can aid these types of decisions that you need to make as an organization.
- Lastly, your risk assessment should also serve as a dialogue. A couple of years ago, J.P. Morgan stated that they didn’t want anything to do with cryptocurrencies. However, quite recently, they changed that position. Something like that should be reflected in your risk assessment. The risk assessment should be updated frequently, ideally every year. It should serve as an evolving dialogue to reflect your insights and feedback from senior management, auditors, consultants, and other stakeholders.
What should be covered in the cryptocurrency financial crime risk assessment?
You want to cover five different risk areas: customers, products, transactions, geographies, and delivery channels.
- Firstly, ask the following questions at the customer level to understand this risk: What type of transactions are they doing? What is the volume of transactions that they’re doing? Customers’ risk profiles can be at a customer level or a cluster level. A cluster, in this regard, refers to a group of addresses that may be associated with your customer.
- Secondly, there’s the risk that the product itself might pose. Contemplate what crypto assets are being used, whether you’re storing private keys or just facilitating a transfer.
- Thirdly, there is the transaction risk. The risk of a transaction is established by analyzing the blockchain and obtaining transaction information. For some cryptocurrencies like Bitcoin, this is a bit easier to analyze because the information is readily available. For others, such as Monero, this is probably not the case.
- Next, there is the geographical risk. Geographical risk is quite a common risk factor. This risk should relate to where the customer is based. If you’re dealing with a crypto asset other than Bitcoin or Ethereum, ask who invented that crypto asset, where they are based, and where it was founded. If you are a bank or an OTC trader and you’re looking to onboard a crypto exchange or establish a new relationship there, you might want to know where that exchange is based.
- Lastly, there is the delivery channel risk. Your company might operate online. You might be a bank that has some exposure to cryptocurrency. You might be a crypto ATM provider. All of these things should be understood because they pose different risks.
Once you’ve identified those key risk areas and worked out where to look for your risks, there are a few key elements in your risk assessments that you should keep in mind. The risks you talk about in the risk assessments should be specific to your business, which is a key element of your anti-financial crime framework.
In addition to being specific to your business, the risk assessment should also be in a format that makes sense. For example, you could use an Excel spreadsheet that shows all your calculations for the different risks and which areas you regard as particularly risky. This is one of the easiest ways to keep track of these risks in a way that makes sense not only to yourself as the company but also to the regulators.
You also need to assess these financial crime risks across multiple different scenarios. Look at the likelihood of the risks and their impact on your business if they do happen.
In addition, you want to cover the controls you have in place to mitigate these risks and their effectiveness. The key is understanding that you might say you have all of these systems and controls in place, but if they’re not effective, then they’re not going to mitigate any of the risks.
As a result of those systems and controls, you will then be able to calculate the residual risk after considering the measures you have in place to mitigate the risks.
Having determined the risk areas, let’s go one level deeper and look at the financial crime risk categories.
- Firstly, within the risk area of customer risks is the risk category of non-face-to-face customer onboarding. Most entities have to deal with customers without really seeing them and rely on the information that the customer provides. While many vendors on the market offer all sorts of customer authentication and Know-Your-Customer, or KYC, solutions, you have to accept that there is a potential error rate. In essence, nobody can guarantee that they will verify the authenticity of documents with 100% accuracy and ensure that the customer you onboard is exactly who they claim to be. There is always some degree of risk. You can come up with many ways to onboard a customer, throw in a lot of controls, and perform a lot of checks, but balancing the mitigating measures with an organisationally feasible and potentially even user-friendly approach is the biggest challenge. You want to keep the criminals away from your organization. Still, you also don’t want average customers to find it difficult to open an account or engage in a relationship with your organization.
- Secondly, within the risk area of transaction risk is the specific risk category of cryptocurrency transaction risk itself. Blockchain transactions don’t work the same way as SWIFT transactions in the fiat world. You do not have the remitter information, and you do not have the beneficiary information, so identifying where the money is coming from and where it is going can pose a challenge. You want to ensure that you precisely understand the mechanics of cryptocurrencies.
- Thirdly, within the risk area of product or service risk is the risk category of fraud risk. Cryptocurrencies and blockchain are still quite new for a lot of people. It can be observed that criminals target vulnerable customers unfamiliar with either blockchain technology or cryptocurrencies themselves. The criminals usually promise their targets lucrative gains. Ultimately, the targets become victims of these schemes because they don’t understand with whom they are dealing.
When doing your risk assessment, you want to start with the risk itself. For example, the risk is that a customer becomes a victim of a scam and purchases cryptocurrencies to make a scam-related payment. This is quite a likely scenario because crypto scams are quite common. The impact of the risk in this scenario could subsequently be noted as moderate.
As a next step, the inherent risk of this scenario should be calculated. Let’s say you determined that this is medium risk. As an organization, you will be aware of these risks, which means you might have some systems and controls in place to stop this kind of thing from happening.
Controls could include capturing client information and monitoring or blocking deposits to known high-risk wallets. You might also have certain transaction monitoring rules and transaction limits. These controls might be quite effective. Once you consider these controls, your inherent risk might very well drop down to a low or medium residual risk, depending on your risk model.
The cryptocurrency industry is both new and growing in popularity. It is rapidly expanding, and it is not as well regulated as mature industries. Criminals exploit the industry to launder money. It is the responsibility of organizations to detect and report suspicious crypto transfers. There are still serious unanswered questions about the sector’s money laundering risks, and regulators have begun to take anti-money laundering measures in the crypto industry.