Elliptic has seen a number of inquiries from banks hoping to onboard virtual asset service providers (VASPs) – such as cryptoasset exchanges – and wanting to understand the compliance considerations. The key question for any bank that wants to engage with VASPs is: what is the starting point?
In this article, we will provide some thoughts on best practices for VASP due diligence. Although this process will depend on each bank’s own risk appetite, internal processes and the position taken by their central bank or prudential regulator, these general principles can be applied by all financial institutions.
Activities
There are several activities through which a bank can be involved with VASPs:
- The bank opens a client money account for a cryptoasset exchange. This is where the client of the bank is a cryptoasset exchange, but the account can be identified as an account for client money. The key point is that it is therefore separate from the money or assets of the cryptoasset exchange in the event of insolvency – so the account is insolvency-remote. This obligation will become more relevant when the EU’s Markets in Crypto-Assets (MiCA) Regulation comes into force, as Article 63 of that regulation will require cryptoasset exchanges to hold client funds in a bank, in an account that can be identified as separate from the exchange’s own funds. There are certain exceptions to this requirement, such as where the exchange is also a payment services or e-money firm or holds client funds through such a firm.
- The bank opens an account in the name of the cryptoasset exchange itself. The difference in risk between this activity and opening a client money account as noted above is marginal, but the central bank may decide that there is enough of a difference to allow one over the other. This could happen, for example, as the central bank reviews the bank’s systems and controls and learns about the bank’s exposure to cryptoasset exchanges.
- The bank may offer a link to the exchange on its website. Here the bank is not necessarily involved in arranging or executing a cryptoasset transaction, but is merely making this functionality available through its own site. The actual cryptoasset activity will be done on the exchange’s website, but the fiat will be transferred from the bank to the cryptoasset exchange to complete the transaction. The risks here begin to stray into the purview of jurisdictional legislation. For example, Regulation 14A of the UK Money Laundering Regulations covers where there is “contracting […] with the aim of exchanging crypto-assets for money or money for crypto-assets”. So this would technically cover this type of editorial-like activity. The UK’s Financial Conduct Authority (FCA) would have to consider whether all the other elements of the tests, such as the business test, are met – for example, whether this activity (introduction) is carried out through a business and what risks this business model presents to investors – before deciding whether FCA registration is required. There may be other issues to consider, such as whether the referral constitutes a promotion of a cryptoasset and, if so, whether the jurisdiction imposes any obligations in this regard.
- The bank engages in custody primarily to benefit its institutional and/or high net worth clients. Buyers may want to diversify their investment options (see the recent tie-up between BlackRock and Coinbase). This may result in the bank potentially engaging in typical registrable crypto-asset activity and therefore may need regulatory approval from its AML/CTF supervisor, as well as requiring a green light from its prudential or central bank supervisor. Consideration should also be given to what capital liabilities the bank may have if these assets are on its books or those of group entities – so an examination of the impact of group consolidated supervision may be required. A bank may wish to consider the capital treatment proposed by the Basel Committee on Banking Supervision (BCBS): Second Consultation on the Prudential Treatment of Exposure to Cryptoassets.
- The bank decides to carry out trading activity on behalf of its clients – therefore it itself acts as a crypto-asset exchange. This rarely happens now, but could be a more significant use case in the future.
Considerations
So, given the first two options above, where the bank specifically does not carry out any cryptoasset activity, where should the bank start?
Each bank decides this for itself, based on its risk appetite and internal processes. Some of the risks are financial and reputational. Financially, there are risks if the exchange decides to withdraw all its money from the bank, and the bank relies too much on this cash flow for other banking services, for example making loans.
But there are also reputational and other financial risks if the exchange becomes insolvent or is subject to negative media, sanctions violations, fraud or cyber hacks. Any of these events could lead to a domino effect resulting in financial risk if customers withdraw funds, or if law enforcement officials investigate whether the bank somehow enabled them, or question what counterparty due diligence checks were carried out to meet regulatory obligations.
A bank’s assessment of whether it should engage with a cryptoasset exchange will include a traditional counterparty risk assessment, but must also include on-chain counterparty risk using blockchain analytics tools. Some considerations may include:
- Think of the cryptoasset exchange business as having similar risks to a correspondent bank. Therefore, you not only need to understand the risks of the entity itself, but also:
– the jurisdiction in which it operates;
– the jurisdictions in which it is registered;
– is there negative media?
– who is the management team?
– who are the controlling parties and ultimate beneficial owners?
- The bank should also assess the exchange’s internal processes for both fiat and cryptocurrency in terms of customer onboarding – in other words, its know your customer (KYC) or due diligence processes. This covers the assessment of sources of income and funds and continuous monitoring: how is the exchange dealing with sanctions lists, and are the jurisdictions it has concerns about the same as yours? In addition to the usual KYC and transaction monitoring tools for fiat, the exchange must also use blockchain analytics tools to identify the source and destination of funds, verify wallets, check sanctions, and generally monitor cryptoasset transactions.
- In addition, the bank should also use blockchain analytics tools for counterparty risk assessment. They usually provide a risk score for the cryptoasset exchange itself. This score would then feed into the overall counterparty risk assessment. Elliptic’s Discovery is able to help banks assess the risk of financial crime when dealing with cryptoasset exchanges. Discovery looks at both on-chain and off-chain data – off-chain data includes, for example, whether an exchange trades privacy coins or accepts Russian rubles as currency, which may expose it to Russian entities that violate EU sanctions. Of course, this will all depend on the bank’s risk appetite.
- A bank may have its own counterparty or correspondent banking risk assessment questionnaires, but if not, it may wish to use or incorporate the Wolfsberg questionnaire into its due diligence assessment. This should be adjusted for cryptoassets.
- A bank – depending on its own and the central bank’s risk appetite – may want to ask more intrusive questions. Some may find these questions unnecessary or going too far, but others may find them relevant. For example:
– What liquidity or capital requirements does the exchange have, if any – even if they are self-imposed?
– What types of instruments and services does it offer to clients? This can be asked if there are concerns about the complexity of the products being offered; for example, the recent issues related to Celsius collateralized loan products. It can also be related to what stress testing the exchange does on its products and whether that testing specifically covers extreme market stress.
– It is also important that compliance and operations staff receive appropriate training. At least a basic understanding of cryptoassets and the risks they present would be helpful, which can then be expanded upon for staff who need more knowledge.