Digital asset offerings require enhanced compliance and anti-money laundering processes in financial institutions
The financial services sector has always been at the forefront of anti-money laundering (AML) efforts to prevent money laundering and terrorist financing. The increasing emergence of digital assets, such as cryptocurrencies or tokenized assets, however, requires a risk-sensitive expansion of the existing defense mechanisms of the financial institutions’ risk departments.
Despite some negative incidents (FTX, Terra Luna, etc.) that occurred in the crypto market in 2022, an increasing number of market participants (including crypto exchanges and established financial institutions) are developing digital asset offerings in the background. Notwithstanding the growing demand and enormous potential of DLT and digital assets, compliance and money laundering issues must not be overlooked.
Pseudonymous DLT transactions make it difficult to launch digital asset offerings
The risks that may arise from the introduction of digital asset offerings are primarily related to the nature of distributed ledger technology (DLT) and the transactions that are conducted through it. Assets are exchanged using pseudonymous addresses (alphanumeric strings) that do not allow any direct inference of the sender or recipient of a transaction. Information about these can only be obtained through additional analyses.
Depending on the technology used, there are also ways of conducting transactions anonymously. In the past, despite their transparent mode of operation, cryptocurrencies in particular have been popular vehicles for illegal activities, such as money laundering and terrorist financing, because of the difficulty in inferring background information.
In 2022, potential cases of money laundering arose in particular through asset hopping or chain hopping and were mainly facilitated by three offerings that create a certain anonymity within cryptocurrency trading: decentralized trading exchanges (DEX), cross-chain bridges, and coin swap services.
Due to the increased risk of money laundering, digital assets are considered a high-risk asset class from a compliance perspective. Financial services providers seeking to offer digital assets must therefore ensure that they have robust defense mechanisms in place that include sufficient AML measures and minimize exposure to the associated risks.
Digital asset compliance is a moving target in the dynamic regulatory environment
Regulators around the world are intensifying their focus on restricting money laundering and terrorist financing-related offenses in connection with digital assets and are increasingly holding financial institutions or fintech companies with DLT offerings accountable.
A key aspect of launching digital asset offerings under the new Markets in Crypto-Assets (MiCA) regulation is therefore compliance with anti-money laundering (AML) regulations, including the obligation to know the customer (“Know Your Customer”, KYC) and the customer’s digital asset wallets (“Know Your Wallets”), and to monitor transactions (“Know Your Transaction”).
However, in this dynamic global environment, financial institutions are currently dealing with a moving target. A global regulatory framework has yet to be established, the lack of which results in regulatory arbitrage opportunities and gray areas. Implementing strong but flexible AML processes and controls in the digital asset context should therefore be a top priority. Western European countries, such as Germany, Liechtenstein and Switzerland, as well as the EU as a whole, are leading the way in AML compliance with respect to digital assets. Cryptoassets, for example, are currently regulated throughout the EU under the “6th Anti-Money Laundering Directive”, requiring market players to comply with the EU’s AML/CFT framework.
Licensing processes are carried out through national regulators in the EU, either as a money services business (MSB) or as an e-money or securities provider. Licensed crypto providers are allowed to offer their services within the EU under the forthcoming Markets in Crypto-Assets Regulation (subject to notification to local regulators) but must establish appropriate policies and processes to ensure cross-border compliance. Switzerland and the UK have similar, increasingly stringent regulatory requirements.
The extension of the FATF’s transfer of funds requirements to include digital assets is also highly relevant for Virtual Asset Service Providers (VASPs). They must, in particular, comply with the so-called Travel Rule. While the announced requirements have so far only been partially transposed into local law and are not uniform across jurisdictions, the Travel Rule nevertheless poses significant operational challenges for financial institutions.
This rule states that providers are required to record and transmit originator/payer and beneficiary/payee information for all digital asset transfers between VASPs of more than EUR 1,000 (or CHF 1,000 in Switzerland). For pseudonymous DLT transactions, this means that digital asset providers must make a considerable effort to exchange customer-identifying information, such as the names and wallet addresses of both the ordering parties and the recipients of transfers. Financial institutions intending to introduce digital asset offerings therefore face more than internal challenges: they must also collaborate with other market participants to establish standardized processes and cooperation models for exchanging the relevant information.
First technical approaches can be seen in the form of Travel Rule protocols such as Coinbase’s TRUST, InterVASP, or OpenVASP by SEBA, Sygnum, Lykke and Bitcoin Suisse. All of these protocols aim to provide standardized information exchange in compliance with the Travel Rule. Since there is so far no market standard for the various VASPs due to the multitude of protocols, Travel Rule protocol aggregators, such as Notabene or 21 Analytics, have also positioned themselves on the market, combining several protocols in one interface and ensuring their compatibility.
Ensuring AML compliance through adjustments in customer onboarding and digital asset transfer
Despite all these challenges, the risks in dealing with digital assets can be minimized by implementing appropriate defense mechanisms. In particular, customer onboarding and transfer processes need to be enhanced to include the specifics of digital assets (Figure 1).
As a first step, these enhancements include the derivation of situation-specific risk scores that incorporate customer and token risk. Customer risk is determined on the basis of the assets’ origin. Digital assets enable several forms of asset creation, such as mining/staking activities, trading, or STO/ICO, which are subject to differing money laundering risks.
Additional factors for deriving customer risk can be defined either by other KYC or bank-specific rules. In addition to considering customer risk, determining the token risk is an essential part of risk assessment. For this process, it is necessary to develop a token valuation model that derives a risk score based on various factors (e.g. the number of blockchain addresses involved, tokenomics, ESG factors, etc.). Such a model can either be developed internally or customized to the company’s system landscape with the help of a specialized service provider. The aggregation of the individual scores (and possibly further plausibility checks) results in an overall score, which is then used to derive the onboarding decision. Alternatively, it is also possible to first recognize the token risk at the time of the effective asset transfer.
Risk mitigation measures must also be implemented for digital asset transfers. In addition to ensuring minimum requirements, such as verifying that T&Cs have been signed for the digital assets, one of the tasks is to forensically examine the wallet addresses involved for criminal activity, such as money laundering.
By using a forensic tool, a financial institution can obtain a risk assessment of the likelihood of exposure to these activities. In addition, a counterparty’s transaction history can be traced in detail, which can also reveal attempts at money laundering, for example. Interestingly, a new standard is currently emerging in the market whereby transactions can also be tracked across multiple blockchains.
Financial institutions are thus enabled to make risk-conscious decisions about whether or not to accept the digital assets. If a bank deems the risk acceptable, it performs a final check on the effective transfers, which is to determine the beneficial ownership of a blockchain address (Private Key Control Procedure). This step is necessary to ensure compliance with the Travel Rule requirements mentioned above. However, the target model for this step is currently still being developed on the market, and there are several technical approaches to a solution.
AML compliance – key takeaways and next steps
Regulatory compliance remains one of the greatest challenges when launching digital asset offerings. Nevertheless, we can conclude that the AML compliance risks in dealing with digital assets can be mitigated by well-thought-out defensive measures, allowing financial institutions to enter the digital asset market in a risk-conscious manner. From zeb’s point of view, early consideration of the following compliance-relevant issues is therefore crucial for success:
- In-depth analysis of best market practices for digital asset offerings: creation of an understanding of digital asset risks and measures for their mitigation, analysis and integration in accordance with best market practices for implementation
- Enhancement of existing value creation processes: end-to-end review of existing organizational and functional measures, such as risk management (including money laundering risk analysis), policy management, process definitions and outsourcing management, and their enhancement to include the new areas of responsibility
- Extension of the customer onboarding framework: consideration of customer onboarding as well as setup of digital asset transfers
- Building skills related to digital asset transfers: development of skills to analyze complex digital asset transfer constellations using forensic tools and technical solutions to comply with the Travel Rule requirements
- New role understanding of the Lines of Defense (LoD): close collaboration (both in customer onboarding and in the area of forensic analyses) as a prerequisite for efficient and regulatory-compliant process flows in a dynamic environment