March 27, 2020 | Elliptic

Banks Are Most Likely Exposed to Crypto-Assets Unknowingly

U.S. financial regulators are watching closely to see how financial institutions’ exposure to the crypto-asset industry is affecting their bank anti-money laundering compliance. As the broader public becomes more interested in crypto-assets, some bank customers are seeking ways to fund crypto trading. In this environment, banks need to assess how such activity may touch their current operations and be prepared to mitigate illicit finance risks emanating from these new assets.

Recently, the U.S. Office of the Comptroller of the Currency (OCC) issued a cease and desist order to New York-based Safra Bank. The OCC cited that the bank gave accounts to money service businesses (MSBs) that facilitated crypto-asset trading, but did not address the increased Bank Secrecy Act and Anti-Money Laundering (BSA/AML) risks associated with these accounts.

Safra Bank allegedly did not have sufficient transaction monitoring systems in place even though onboarding these new “digital asset customers” caused its volume of domestic and international wires and ACH transfers to spike. The OCC did not specify the crypto-asset-focused companies involved with Safra, but some details are evident. Press reporting from 2019 shows the bank entered into a partnership with the crypto-asset trading platform San Francisco Open Exchange (SFOX), allowing SFOX traders to maintain FDIC-insured cash accounts at the bank.

A Warning Shot to the Banking Industry

Most compliance officers would consider the Safra Bank case a blatant example of mismanaged expansion into a new, riskier asset class. They might also assume that other banks would never run into this problem since most financial institutions, by company policy, do not service crypto-asset exchanges. However, guidance from financial regulators indicates that simply banning crypto-asset businesses is not a sufficient mitigant of crypto-asset risk exposure.

Also, there are now advancements in technology that probably would have helped Safra Bank address the money laundering risks from its digital asset customers and comply with its Bank Secrecy Act obligations. Servicing the cryptocurrency industry does not have to be a wild west endeavor that throws compliance to the wind.

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) expects banks to look for and report suspicious activity relating to virtual assets. In December 2019, FinCEN director Kenneth Blanco noted that his agency saw the number of Suspicious Activity Reports (SARs) about digital currencies rise greatly during that year, mostly because crypto-asset businesses were submitting more SARs. He declared emphatically, “It is important for all financial institutions to ask themselves whether they are reporting such suspicious activity. If the answer is no, they need to reevaluate whether their institutions are exposed to cryptocurrency.” Clearly, FinCEN assumes that banks are now interacting on some level with crypto-assets, even if indirectly.

Instead of assuming that one’s bank has no crypto-asset exposure simply because it lacks formal crypto-asset money service business (MSB) customers, compliance teams are going to have to dig more deeply to assess their risk exposure. The absence of evidence can no longer be seen as evidence of absence. Regulators now expect that financial institutions will leverage innovative technologies to deal with new money laundering risks as part of a comprehensive AML program. For example, in 2018 FinCEN and other US banking regulators issued a joint statement calling on institutions to set up “innovative internal financial intelligence units devoted to identifying complex and strategic illicit finance vulnerabilities and threats.” It is unclear if Safra Bank used blockchain analytics tools to manage its risk when servicing digital asset customers, but it seems unlikely. Such tools, leveraged properly, should have helped the bank better understand the scope of illicit finance risks linked to crypto-asset services.

Banking Crypto Exchanges Not Unheard Of

Crypto-asset businesses need not automatically be off-limits for banks. Some banks are managing to service them without provoking cease-and-desist orders from the OCC. Silvergate, Signature Bank, Metropolitan Commercial Bank, and others have welcomed business clients from the crypto-asset industry. While the majority of conventional financial institutions currently are not so forward-leaning on crypto, the FATF has made clear that de-risking is not a sustainable strategy. FATF calls on banks to evaluate the risks of customers on a case-by-case basis, rather than wholly prohibiting services to broad categories of lawful businesses. Even when considering the Safra Bank situation, risk and compliance departments should note that the bank was not cited for allowing any financial crime, but for lacking proper compliance measures to address AML risks.

If a bank is considering engaging crypto-asset businesses, it should do two things. First, it should assess how any illicit finance involving this new asset class might touch or come near its business infrastructure. Second, it should conduct appropriate risk-based due diligence around the crypto-asset businesses. Some of this will resemble what banks already do for their other business customers. Compliance teams will need to know the nature of the business, who owns it, and the source of funds being deposited at the bank. And since crypto-asset exchanges are also FinCEN-regulated MSBs, the bank should assess whether the exchange has AML and sanctions programs in place. But compliance teams can also consider additional data points. For instance, besides evaluating whether a crypto-asset exchange has a BSA compliance program, a bank should also look at the history of the exchange’s blockchain transactions to evaluate any interaction with wallets associated with illicit activity like darknet marketplaces, sanctioned actors, terrorist organizations, or ransomware.

This is where the case-by-case, risk-based approach comes in. Banks may find that many exchanges with a clear record of exposure to illicit crypto-assets are too risky to bank from an AML compliance perspective. However, this may also allow compliance teams to distinguish between businesses that are ready to bank and those that are not. It should also incentivize crypto-asset businesses to further improve their AML controls, knowing that much of their AML hygiene can be assessed through open-source blockchain analysis.

Banks Likely Exposed, Even without Formal Crypto-Asset Customers

Financial institutions that expect to stay unwilling or unprepared to service any crypto-asset businesses still need to assess their unwitting or indirect exposure. Here are some common ways in which banks may touch crypto-assets unknowingly:

● Retail customers may request wire transfers to a crypto-asset exchange from their bank account.

● Retail customers may be using their credit or debit card to purchase crypto-assets at online exchanges.

● Retail customers could be using their bank account to operate an unlicensed peer-to-peer crypto-asset exchange, withdrawing and depositing cash to support trading activity.

● Merchant customers may offer options for customers to pay for goods and services in crypto. The merchant may have a digital wallet at a separate crypto-asset exchange unrelated to the bank or it may even use a third-party crypto-asset processor. Some of its customers could be paying with illicit tokens.

● Retail or business customers might be depositing cash they withdrew from a crypto-asset kiosk such as a Bitcoin ATM.

● Customers may use their banks to invest fiat currency into a crypto-asset-based business.

● A customer may run a decentralized exchange that only trades crypto-to-crypto (with no fiat currency involved). However, the customer may sell his crypto at another exchange that trades in fiat and then transfer that fiat currency into his bank.

● The bank may offer merchant-related gift cards that are used to purchase crypto-assets at various exchanges.

Banks Should Formally Assess Their Exposure

To address the possible interaction with digital currencies, banks should conduct a crypto-asset risk exposure assessment. Compliance teams should look specifically at indicators of direct and indirect touchpoints with crypto. It is quite possible that banks will discover they have some exposure and then can take appropriate measures to manage the AML risks. It is also possible that, by de-mystifying crypto-assets and becoming acquainted with blockchain analysis tools, banks may find that some involvement with crypto-asset businesses is no more problematic than servicing other types of MSBs.

Yaya J. Fanusie is a former CIA analyst and is an Adjunct Senior Fellow at the Center for a New American Security, where he focuses on fintech policy issues. Mr. Fanusie also is a consultant for Elliptic, a GDF member, which provides blockchain analysis services.