Where crypto businesses are most vulnerable to AML risks
James George, Compliance Manager, Compli-Serve SA
Crypto assets have, for a long time, caught the eye of criminals and their enablers, exploiting this newly emerging, and therefore lightly regulated, area of financial services. Crypto assets, however, are certainly on the radar of the regulator locally, just named as financial products.
And regulators worldwide are taking a far greater interest in the crypto sector’s compliance in anti-money laundering (AML) and combating the financing of terrorism (CFT) legislation. A new industry report by RiskScreen identifies the top risks facing crypto asset service providers (CASPs). There will be growing regulatory pressure to comply with best practice as this popular asset class continues to grow.
Worldwide, criminals laundered as much as £6.4bn worth of cryptocurrency in 2021, reports blockchain data company Chainalysis. Several billions in crypto assets have also been recovered by authorities but the risk of money laundering remains high.
The Financial Action Task Force (FATF), no stranger to South African shores with the threat of joining its Grey List, has put forward crypto asset guidance, with the last update in July last year clarifying virtual assets and licensing of service providers and how the latest FATF Standards apply. Though this is still a work in progress, it goes a long way to formalising compliance in the sector and the FATF has gone one step further and said that countries who do not prioritise crypto asset risks and adopt these Standards will likely be grey listed. The FATF is preparing to conduct annual checks, so this will be an ongoing compliance endeavour – and an important one to help reduce AML and CFT risks in time.
The RiskScreen report states that ‘in theory, one valuable characteristic of blockchains is that they create an accurate and transparent record of the counterparties involved in a transaction. However, in practice some providers have enabled customers to transact without fully identifying themselves, ensuring their behaviours are very difficult to track. The fact that all transactions are digital and never face-to-face adds greatly to concerns in this area.’ The innovative and fast-paced nature of crypto assets has unfortunately meant criminals have also noticed and are always looking for new ways to commit crime.
RiskScreen shared several examples of the AML risks CASPs should be on the lookout for:
Third-party theatrics
Clients who accept payments from unknown third-parties or those who operate on behalf of third parties could be at risk, particularly as identities may be obscured in these transactions.
Anonymous ambitions
Clients working through virtual private networks (VPNs) or using anonymous electronic money services are an obvious risk due to their anonymity. The same is true where privacy-enhancing features are added to crypto transactions.
It is also difficult to monitor or identify transactions where the previous or subsequent deal is a peer-to-peer crypto asset transfer.
(Not) Keeping up with KYC
Multiple small transactions may go under the threshold of Know Your Customer (KYC) requirements, but this can mean crime can creep in, because of neglecting KYC due diligence. It’s always better to know who you are dealing with.
In the dark: Miners and the web
Clients in high-risk crypto asset mining operations or those based in high-risk jurisdictions have been identified by regulators as posing an ‘elevated money laundering risk’. The dark web is of course a cesspool for illicit activity given its unregulated status and is best avoided.
It’s important not only for South Africa as a country to manage money laundering risks and prepare accordingly to avoid grey listing – but for CASPs to do the very same. Weaknesses in your existing compliance framework should be identified as early as possible to avoid falling foul of the regulator, and the recommendations from the FATF need to be properly considered and implemented. These Standards will become locally enforceable so being ready and compliant as early as possible will only help.
