The prevention of financial crime and money laundering risks. Regardless of the nature of the relationship or virtual asset known as VA transaction, the obliged entities should have in place customer due diligence or CDD procedures that they effectively implement and use. Utilizing this will help identify and verify on a risk basis the customer’s identity, including when establishing business relations with that customer, where they have suspicions of ML/TF, regardless of any exemption of thresholds, and where they have doubts about the veracity or adequacy of previously obtained identification data.
Prevention of Financial Crime and Money Laundering Risks
Like other obliged entities, in conducting CDD to fulfill their obligations under Recommendation 10 of Financial Action Task Force or FATF, the obligated entities should obtain and verify the customer identification/verification information required under national law. Typically, the required customer identification includes information on the customer’s name and additional identifiers such as a physical address, date of birth, and a unique national identifier number like a national identity or passport number.
VASPs are also encouraged to collect additional information to assist them in verifying the customer’s identity depending upon the requirements of their national legal frameworks. Verification of identity is required in the following cases, such as:
- Establishing the business relationship;
- Authenticating the customer’s identity for account access;
- Determining the customer’s business and risk profile; and
- Conducting ongoing due diligence on the business relationship.
Mitigating the ML/TF risks associated with the customer and the customer’s financial activities. Such additional, non-core identity information, which some VASPs currently collect, could include, for example, an IP address with an associated time stamp; geolocation data; device identifiers; VA wallet addresses; and transaction hashes. Verifying customer and beneficial ownership information by VASPs should be completed before or during the relationship.
Based on a holistic view of the information obtained in the context of their application of CDD measures which could include both traditional and non-traditional information. VASPs and other obliged entities should be able to prepare a customer risk profile in appropriate cases. A customer’s profile will determine the level and type of ongoing monitoring potentially necessary and support the VASP’s decision whether to enter into, continue, or terminate the business relationship.
Risk profiles can apply at the:
- Customer level, such as nature and volume of trading activity, the origin of virtual funds deposited, etc.; or at the
- Cluster level, where a cluster of customers displays homogenous characteristics, such as clients conducting similar types of VA transactions or involving the same VA.
VASPs should periodically update customer risk profiles of business relationships to apply the appropriate level of CDD. Suppose a VASP uncovers VA addresses that it has decided not to establish or continue business relations with or transact with due to suspicions of ML/TF. In that case, the VASP should consider making its list of “blocklisted wallet addresses” available, subject to the laws of the VASP’s jurisdiction.
A VASP should screen its customer’s and counterparty’s wallet addresses against such available blocklisted wallet addresses as part of its ongoing monitoring. A VASP should make its risk-based assessment and determine whether additional mitigating or preventive actions are warranted if there is a positive hit.
VASPs and other obliged entities that engage in covered VA activities may adjust the extent of CDD measures to the extent permitted or required by their national regulatory requirements. This extension is in line with the ML/TF risks associated with the individual business relationships, products, or services, and VA activities, as discussed earlier under Recommendation 1.
VASPs and other obliged entities must therefore increase the amount or type of information obtained or the extent to which they verify such information where the risks associated with the business relationship or VA activities are higher, as described in Section III. Similarly, VASPs and other obliged entities may also simplify the extent of the CDD measures where the risk associated with the business relationship of activities is lower.
However, VASPs and other obliged entities may not apply simplified CDD or an exemption from the other preventive measures simply because natural or legal persons carry out the VA activities or services on an occasional or minimal basis. Further, simplified CDD measures are not acceptable whenever there is a suspicion of ML/TF or where specific higher-risk scenarios apply.
Not all virtual asset service providers or VASPs are the same. They vary in size from small independent businesses to large multinational corporations. Similarly, no country’s AML/CFT regime for VASPs is the same, and countries are introducing their measures at different paces. Different entities within a sector will pose higher or lower risks depending on various factors, including products, services, customers, geography, the AML/CFT regime in the VASP’s jurisdiction, and the strength of the entity’s compliance program.
VASPs should analyze and seek to understand how the ML/TF risks they identify affect them and take appropriate measures to mitigate and manage those risks. The risk assessment, therefore, provides the basis for the risk-based application of AML/CFT measures. Regardless of the nature of the relationship or VA transaction, VASPs and other obliged entities should have in place CDD procedures that they effectively implement and use to identify and verify on a risk basis the identity of a customer, including when establishing business relations with that customer; where they have suspicions of ML/TF, regardless of any exemption of thresholds; and where they have doubts about the veracity or adequacy of previously obtained identification data.
As long as global implementation of the FATF Standards on VASPs remains lacking, managing these relationships will pose a continuing challenge. This challenge underscores the importance of implementation and suggests that VASPs will have to consider additional control measures for countries with weak implementation, such as intensive monitoring of transactions with VASPs based in the country, placing amount restrictions on transactions, or intensive and frequent due diligence.
Examples include:
- VASPs restricting VA transfers to within their customer base, such as internal transfers of VAs within the same VASP
- Only allowing confirmed first-party transfers outside of their customer base, such as the originator and the beneficiary are confirmed to be the same person; and
- Enhanced monitoring of transactions.
Otherwise, the VASP may face a tough decision in whether to deal with VASPs based in a country with weak or non-existent implementation.
When establishing a new counterparty VASP relationship, a VASP may obtain information from FATF Recommendations 10 and 13 directly from the counterparty VASP. Under the requirements of those Recommendations, this information should be verified. Examples of potential reliable, independent sources of information for the verification of the identity and beneficial ownership of legal persons and arrangements include corporate registries, registries maintained by competent authorities on the creation of regulated institutions list, registries of beneficial ownership, and other examples mentioned in the BCBS General Guide on Account Opening.
The VASP would need to assess the counterparty VASP’s AML/CFT controls to avoid submitting their customer information to illicit actors or sanctioned entities. It should also consider whether there is a reasonable basis to believe the VASP can adequately protect sensitive information, similar to the process set out in FATF Recommendation 13, sub-paragraph (b), but more risk-based. In practice, such an assessment could involve reviewing the counterparty’s AML/CFT systems and controls framework.58 The assessment should include confirming that the counterparty’s AML/CFT controls are subject to an independent audit (which could be external or internal).
VASPs should have recourse to altered procedures, including the possibility of not sending user information, when they reasonably believe a counterparty VASP will not handle it securely while continuing to execute the transfer if they believe the AML/CFT risks are acceptable. In these circumstances, VASPs should identify an alternative procedure whose control design could be duly reviewed by their supervisors when requested.
Final Thoughts
While financial crime has existed since people first exchanged money for goods and services, technological advancements have changed the attack surface, level of access, and number of opportunities available to cybercriminals. Almost all businesses conduct their operations online, making them easy targets for cybercrime. Criminals are using more sophisticated and stealthy methods to access critical financial data and hide their tracks. To add to the threat, many financial crimes are committed by corporate insiders who have figured out not only where critical data is located, but also how to effectively conceal their nefarious activities.
