red 
The Office of the Comptroller of the Currency (OCC) – the main US federal banking supervisor – issued its first consent order involving a crypto-asset bank on April 21. The order was issued due to deficiencies in anti-money laundering (AML) controls against Anchorage Digital Bank, which in January 2021 became the first crypto company to receive a national trust bank charter from the OCC.
Top banks and financial institutions are increasingly launching crypto products and services – from JPMorgan to Goldman Sachs to Deutsche Bank, as well as small and medium-sized banks.
As financial institutions enter the crypto-asset sector, they must be careful about meeting the expectations of banking regulators. Therefore, the OCC’s Crypto Consent Order is essential reading for compliance teams at all banks considering how to deal with cryptoassets.
A closer look at the account offers important lessons that compliance teams should consider if their banks want to successfully launch crypto products and services without regulatory repercussions.
It all starts with education
One important area of focus in the consent order relates to education and training. The order requires Anchorage to develop and implement a comprehensive anti-money laundering training program for relevant compliance personnel.
This may seem simple, but when it comes to implementing a successful crypto-asset compliance framework, it is necessary for banking staff to acquire certain specific knowledge and skills.
First, banking compliance personnel must have an understanding of the basic technical concepts related to crypto and blockchain. This includes understanding the different types of cryptoassets, the technical differences between them, and the features and characteristics of the blockchain. Bank compliance staff who do not understand these basic concepts are unlikely to be successful in detecting and mitigating risk.
Second, compliance personnel require an understanding of specific regulatory developments and licensing requirements related to digital assets. While basic AML requirements and sanctions apply to crypto-asset businesses, regulators have issued specific guidelines regarding digital assets that bank staff must understand.
For example, regulators in the United States, Hong Kong, the United Kingdom and other jurisdictions have previously issued guidelines outlining how financial institutions should approach managing the risks associated with crypto-assets.
Similarly, jurisdictions such as Singapore, Abu Dhabi and the UK have established crypto-specific licensing and registration regimes. Understanding these regulatory requirements is essential for compliance teams working in any multi-jurisdictional institution.
Finally, compliance teams at financial institutions require staff with the technical expertise to use crypto-specific compliance tools and datasets. Compliance solutions related to digital assets use blockchain analytics – based on data from open public ledgers of cryptoasset transactions. Using these compliance solutions requires special skills and training to interpret and analyze this data.
As it stands, compliance teams at most banks are generally under-skilled when it comes to crypto education.
In a survey conducted by Elliptic earlier this year of around 100 compliance professionals from financial institutions, only 15% said their staff were highly skilled in identifying financial crime risks related to cryptoassets. Similarly, approximately 70% of respondents indicated that their compliance staff do not receive regular training related to digital assets.
Transaction Monitoring: Red Flags and Unhosted Wallets
In addition to the training, the OCC order also requires Anchorage to fix its transaction monitoring program.
This may seem typical of previous regulatory actions taken by the OCC and other regulators, but there is a crypto twist. The order sets out two areas where banks are expected to consider crypto-specific factors in the design of their transaction monitoring program.
The first of these is about detecting crypto-specific red flags. Specifically, the order states that monitoring systems should “adequately monitor money laundering, terrorist financing and other illicit financing risks, red flags/typologies […]”.
Other regulatory and standard-setting bodies have also emphasized the need for compliance teams to identify cryptocurrency-specific typologies and red flags. In September 2020, the Financial Action Task Force (FATF) published a report on red flags related to cryptoassets.
Among the red flags the FATF points out are the use of privacy-enhancing services for money laundering and the risks posed by crypto-asset exchange services with poor anti-money laundering controls. In April 2022, the Australian government also published guidelines on the criminal use of cryptoassets – including financial and behavioral indicators of suspicion.
In the eyes of the OCC, financial institutions must ensure that their transaction monitoring systems are calibrated to detect these crypto-specific indicators.
Another area of focus for monitoring transactions in the consent order relates to controls on non-hosted wallets. Unhosted wallets are cryptoasset wallets that are fully controlled by private individuals, where a third-party institution has no control over the user’s ability to transact with that wallet. This is the key innovation at the heart of cryptoassets: users can hold and send digital assets independent of financial institutions.
In the guidance it issued regarding the cryptoasset, the FATF explained what it considers to be the risk associated with unhosted wallets: since anyone can access an unhosted wallet without verifying their client’s knowledge, transactions involving unhosted wallets present higher risk factors for money laundering. , terrorist financing and sanctions evasion.
When clients of a regulated business send funds to or from non-hosted wallets, the regulated business should have processes in place to identify those risks.
This expectation is clearly reflected in the OCC’s consent order, which indicates that a transaction monitoring program must include “processes to effectively identify transactions involving non-hosted wallets.”
I’m getting serious
The OCC’s consent order provides a clear blueprint for how banks can satisfy regulators when it comes to engaging with cryptoassets. Although issued by a U.S. regulator, banks located anywhere can draw important lessons from the OCC’s compliance order that they can apply to their compliance programs.
Training and education is essential, and all financial institutions should begin educating their staff on cryptocurrency compliance. A number of crypto compliance certification programs exist on the market and can provide a foundation for staff training.
Even financial institutions that do not necessarily intend to handle or offer crypto-asset products and services in the near or medium term should educate their compliance teams.
As digital assets become more widely accepted, even financial institutions that do not themselves handle crypto assets will still face exposure to crypto-related risks, such as clients whose source of wealth is derived from cryptocurrencies. Having a thorough understanding of cryptoasset markets, regulation and compliance controls can enable staff to more easily identify and manage these risks.
Financial institutions should also work proactively to ensure that their transaction monitoring capabilities enable them to detect crypto-specific red flags, typologies and risk categories of transactions, such as those involving unhosted wallets.
Where a bank offers crypto-asset products and services, this will likely involve leveraging blockchain analytics capabilities to detect exposure to high-risk entities and counterparties. If a bank does not handle cryptocurrency itself, it should have the ability to detect cryptocurrency-related risks among its fiat currency transactions — for example, transactions in US dollars, sterling or euros executed on behalf of a cryptoasset service provider.
As an increasing number of banks engage in the crypto-asset sector, those that work proactively to meet the expectations of leading regulators will be in the best position to successfully navigate this new world powered by Bitcoin.
Compliance with Financial Services Regulations
