On January 18, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) took significant action by identifying crypto-asset exchanges as a “primary money laundering concern”.
Invoking new powers for the first time under Russia’s Anti-Money Laundering Act, FinCEN banned crypto exchanges and banks from doing business with Bitzlat, a Hong Kong-registered exchange that the US government claims laundered hundreds of millions of dollars for criminals , including dark web market vendors and ransomware attackers.
The designation places Bitzlato among the notorious companies, earning it the title of primary money laundering concern in addition to the approximately two dozen financial institutions to which FinCEN has applied the same designation under the separate but related USA PATRIOT Act.
The agency’s action against Bitzlat should not be seen in isolation, and should be taken as a warning sign by financial institutions everywhere, not just in the US. Regulators around the world are increasingly focused on detecting and singling out high-risk cryptocurrency exchange platforms that facilitate money laundering. Banks everywhere should have appropriate monitoring controls in place to identify and manage exposure to these high-risk entities.
Beware of fake exchanges
FinCEN’s order singling out Bitzlato and excluding it from the US financial system details extensive money laundering allegations. This view was echoed by Europol and European law enforcement agencies, which participated in the arrest of Bitzlat’s founder, and stated that “ with criminal activities.”
Bitzlat’s alleged behavior is not surprising. Indeed, the exchange is the latest in a long list of Russian-owned and affiliated exchanges that serve the cybercrime ecosystem. Between September 2021 and April 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on three Russian-linked crypto exchanges – SUEX, Chatex and Garantex – that played a similar role in facilitating the laundering of cryptocurrencies in the world of cybercrime.
In 2017, FinCEN imposed a $110 million fine on the BTC-e exchange, which was accused of facilitating more than $4 billion in bitcoin laundering, and whose founder, Alexander Vinnik, is in US custody awaiting trial. Research by Elliptic found that there are more than 400 cryptoasset exchanges located in or serving the Russian market, many of which allow users to set up anonymous accounts.
Weaknesses in the global anti-money laundering and countering the financing of terrorism (AML/CFT) regulatory regime exacerbate these risks. In a report issued in June 2022, the Financial Action Task Force (FATF) stated that none of the 53 countries it surveyed had fully implemented the FATF standards for virtual assets, and that most still required moderate or major improvements to their regulatory regimes.
These implementation gaps mean that higher risk crypto exchange services that facilitate money laundering can operate from a number of countries around the world where inadequate AML/CFT measures may exist.
Risks For banks
Banks may face significant exposure to these high-risk exchanges from a financial crime risk management perspective – some of which they may not even be aware of.
For example, a bank in Europe may have customers who use their euro accounts to buy bitcoins on a high-risk exchange located overseas. In some cases, this could be easily detected, for example, if the trading name of the stock exchange is mentioned in the bank transfer. In many cases, however, this may not be readily apparent. High-risk exchanges often rely on deceptive legal names or other identifiers to disguise their true business purpose, and sometimes operate through complex corporate structures.
BTC-e – before it was taken down by US law enforcement – used the legal name Canton Business Corporation to receive fiat currency bank transfers from customers, and operated through a series of shell companies registered in the British Virgin Islands and the Seychelles, among others locations – structures designed to prevent compliance officers from understanding its true business purposes.
Banks can miss transfers involving these types of high-risk cryptocurrency exchanges if they don’t look for the right signals in their transaction monitoring systems. Under FinCEN’s order on Bitzlato, banks must refuse wire transfers from the exchange, including any of its successor entities — a real problem given recent news that Bitzlato intends to restart its business operations. Identifying this type of activity among wire transfers requires a heightened level of vigilance.
Banks may also face exposure to high-risk exchanges through their correspondents. For example, a bank in Europe can keep an eye on its customers’ direct transfers to or from crypto exchanges; however, one of its correspondents in another part of the world may have less robust controls to manage the risks associated with cryptocurrency.
The European Bank, in turn, could settle euro-denominated payments on behalf of a high-risk exchange that is beyond its risk appetite if it is unaware of those potential risks in its correspondent relationships.
The need for banks to take increased control is also crucial in the context of the collapse of the FTX exchange at the end of last year. Global watchdogs such as the Financial Stability Board (FSB) have issued warnings about the importance of regulation to ensure that risks from the crypto sector do not spill over into traditional financial markets. US banking supervisors issued joint guidance to banks on January 3 warning them of the risks associated with cryptoassets and reminding them of the importance of controlling those risks.
Preparedness is key
These recent warnings from banking supervisors should not be taken as a sign to turn a blind eye or pretend that the risks will disappear by assuming they are not there. Instead, banks’ compliance teams should ensure that their systems and controls allow them to identify and manage any exposure to high-risk cryptocurrency exchanges before regulators become concerned.
Banks can take two initial steps to get ahead of the game.
First, bank compliance teams should build an understanding of the common risk factors that higher-risk crypto exchanges may present – including geographic factors and risks related to the use of anonymization services, such as cryptoasset mixers. These insights can be gained by enrolling compliance personnel in available cryptocurrency compliance training programs, as well as accessing resources outlining relevant indicators published by both cryptocurrency compliance firms and organizations such as the FATF.
Second, banks should systematically monitor crypto risks among their fiat transactions. This should include the integration of comprehensive off-chain data about exchanges – such as their legal names, registration numbers and other identifiers – into transaction verification systems, as well as the use of blockchain analytics data to assess the risks associated with the comprehensive activities of crypto exchanges. Some banks have already started using these datasets in their internal transaction monitoring systems, allowing them to identify exposures to crypto exchanges that might otherwise go undetected.
Third, banks should incorporate these same data indicators into their customer and counterparty due diligence procedures where they intend to allow interactions with crypto exchanges that present an acceptable level of risk – such as reputable, regulated exchanges. Even where the counterparty to a cryptocurrency exchange is deemed to present acceptable levels of risk, the bank should be able to demonstrate to its regulator that it has a clear due diligence process to manage those risks.
Originally published by Thomson Reuters © Thomson Reuters.
Compliance Financial Services Global