On July 19, crypto exchange Gemini became the first virtual asset service provider (VASP) to receive approval from the Central Bank of Ireland. The registration will allow the firm to offer cryptocurrency trading services in Ireland with the bank’s stamp of approval that it meets high anti-money laundering and anti-terrorist financing (AML/CFT) compliance standards.
However, other VASPs were less fortunate. On 11 July, the bank issued a bulletin outlining widespread AML/CFT compliance gaps among VASPs applying for registration in Ireland.
Although focused on Irish VASPs, the Central Bank’s bulletin offers important lessons for VASPs everywhere. It outlines common AML/CFT compliance pitfalls to avoid when seeking regulatory approval – failings that have hampered VASPs elsewhere, including the UK. Here we highlight three key areas from the central bank bulletin that all VASPs should keep in mind when designing their cryptocurrency compliance frameworks.
Insufficient risk assessments
The main shortcoming identified by the central bank related to the assessment of money laundering and terrorist financing (ML/TF) risk.
Risk assessments are at the core of AML/CFT compliance. As stated in the bulletin: “An effective AML/CFT control framework is built on an appropriate AML/CFT risk assessment that focuses on specific AML/CFT risks arising from the firm’s business model. This risk assessment should guide the firm’s AML/CFT control framework to ensure that strong controls are in place to mitigate and manage the specific risks identified through the risk assessment.”
However, the Central Bank of Ireland found that some VASPs had not carried out any assessment of the specific ML/TF risks they faced. Among those VASPs that performed a risk assessment, the bank identified a number of deficiencies. These include failing to document the results of their risk assessment, failing to explain their risk assessment methodology and failing to take into account previous regulatory guidance in their risk assessment.
The consequences of these deficiencies can be significant. For example, a VASP that does not understand the specific ML/TF risks it faces is not in a position to ensure that its transaction monitoring systems are properly calibrated to detect and assess those risks.
At Elliptic, we work closely with our VASP clients and financial institutions to enable them to implement effective risk-based controls. This includes providing a range of best-in-class training and education services that equip compliance teams with the knowledge and skills they need to design compliant risk management frameworks for crypto products and services.
Poor customer due diligence (CDD) practices
Another common shortcoming relates to deficiencies in customer due diligence (CDD).
According to the Central Bank of Ireland bulletin, a number of VASPs were unable to identify the ML/TF risks that new clients presented before onboarding them. In addition, some VASPs did not regularly update or review CDD information that could have enabled them to identify and assess new risks that may have emerged after onboarding.
This is another fundamental compliance failing that leaves VASPs exposed to ML/TF risks, and it will always bring regulatory disapproval.
One way VASPs can strengthen their CDD practices is to implement effective wallet screening capabilities that allow them to identify potential financial crime risks that customers pose.
For example, by using a wallet verification solution like Elliptic Lens, a VASP can identify whether a new customer poses a risk of concern. Powered by our industry-leading dataset, Elliptic Lens enables VASPs to assess whether the crypto wallet a user wishes to withdraw funds to is controlled by illegal or high-risk actors.
Similarly, using our transaction monitoring solution Elliptic Navigator, VASPs can identify high-risk transactions that may warrant a review of a customer’s account. If the client’s transactions involve exposure to illegal actors such as cybercriminals or darknet markets, this may trigger a review of CDD information and may lead to a reassessment of the client’s risk rating.
Incorrect screening of sanctions
Finally, the Central Bank of Ireland bulletin points to a more specific area of concern: compliance with sanctions. Russia’s invasion of Ukraine and North Korea’s increasingly bold attempts to steal cryptoassets have deepened regulators’ concerns about the potential for evasion of sanctions through cryptocurrencies.
Regulatory and sanctions authorities – such as the US Treasury’s Office of Foreign Assets Control (OFAC) – expect VASPs to be able to identify wallets linked to sanctioned actors so they can block prohibited transactions. VASPs must therefore have access to wallet screening capabilities that enable them to identify blacklisted wallets, supported by robust policies and procedures that guide compliance staff on how to conduct screening and how to escalate identified sanctions.
According to the central bank, some VASPs fail in this regard. The bulletin states that: “Several firms did not document the frequency of financial sanctions screening, how the firm screens (including what, if any, software it uses), and the steps the firm would take in the event of financial sanctions.”
At Elliptic, many of the largest global VASPs use our wallet verification capabilities to identify and block potential transactions with individuals and entities on OFAC, EU, United Nations and other sanctions lists. Our team of subject matter experts also works to advise our clients on best practices in cryptoasset sanctions compliance, enabling VASP compliance teams to position themselves for success with sanctions regulators.
Any VASP seeking regulatory approval must incorporate strong compliance practices and cannot afford to fall behind on these key components of an AML/CFT risk management framework.
Contact us to learn more about how Elliptic’s compliance solutions can empower your team for success.
Key takeaways
- Ensure that you have performed an ML/TF risk assessment and that your cryptocurrency monitoring and verification solutions are configured to address your company’s specific risks.
- Ensure that you use wallet review and transaction monitoring capabilities to detect high-risk indicators among your customers that may impact CDD results.
- Ensure that you use wallet verification to detect activity with sanctioned actors and that your verification solution is supported by robust sanctions compliance policies and procedures.