On September 22, 2021, the New York ACAMS Chapter hosted a virtual event titled Engaging Virtual Asset Clients – An AML Perspective, sponsored by Fenergo. The event was moderated by Drew Bach, Esq., Vice President - BSA Manager, The First National Bank of Long Island & ACAMS New York Chapter Board Member and included the following panelists Edmund Kulakowski, Esq. (Senior Financial Crime Consultant, Fenergo Nirvana Patel (Chief Compliance Officer & BSA Officer, Prime Trust); and Lauren Tinker (Senior Vice President - Global AML Compliance, Citi).
The event opened with a discussion defining two core fundamental terms to carry the audience through the conversation. What are virtual assets, and what is a virtual asset client or virtual assets service provider (VASP)? The panel started with the definition of virtual assets as digital representations of value that can be traded and transferred. Some examples of virtual assets are Cryptocurrencies (e.g., bitcoin); Crypto commodities (e.g., Ethereum); Utility tokens; Security tokens; Non-fungible tokens; and stable coins. Building on this definition, the panel then defined a virtual asset client or virtual asset service provider as a business that exchanges, transfers, administers or custodies virtual assets. Examples of VASPs are Centralized and decentralized exchanges, over-the-counter desks; Virtual-asset-based payment networks; Cryptocurrency ATMs; Custody providers and escrow services; Issuers of crypto coins or tokens; and Wallet providers.
After establishing these core terms, the discussion explored the current state of virtual asset regulations in the US and other countries. The short story is that the legality of virtual assets is all over the map. This sediment is echoed in the recent FATF report that surveyed 128 jurisdictions, which showed various approaches and different stages of legislative action—varying from outright prohibitions to permitting and regulating VASPs that have passed such regulations or introduced regulations. In contrast, some jurisdictions do not have any decisions on how to address VASPs. One of the critical decisions is identifying where in the chain the regulations will step in, on virtual assets themselves, the VASPs, or the financial institutions providing services to the VASPs. Additionally, a popular question from foreign financial institutions is when they may be subject to US law. As we zoomed in to US law, the same issue arose where some states like NY have heavily regulated VASPs while other states (a majority of them) have no regulation or guidance.
As the discussion continued to focus on US law, the panelist shifted their attention to FinCEN's recent proposed rule on applying the travel rule to VASPs and, of course, the AML Act of 2020. The AML Act of 2020 codified existing FinCEN guidance by amending the definition of Money transmission and monetary instruments to include "value that substitutes for currency," which translates to virtual assets. This change solidifies that VASPs are money transmitters. This codification aligns with FinCEN's recent proposed rulemaking, subjecting virtual assets clients to CTR-like filing requirements and the travel rule. These rules will force VASPs to focus on knowing their customers and building systems to retain such information.
Furthermore, VASPs will need to start building the infrastructure to transfer the required information to comply with the travel rule. Similar to how the banks rely on the SWIFT network. A member of the panel pointed out that the Travel Rule Information Sharing Architecture (TRISA) has been working to achieve this goal through the use of a Public Key Infrastructure.
After a thorough discussion defining virtual assets and the current regulatory landscape, the panel began to discuss the actual risks when onboarding these types of clients. One way to look for where the risks lie is to review recent enforcement actions, lawsuits, and other new use cases. Starting with BlockFi, where a few states and the SEC issued cease and desist orders to block them from offering interesting bearing accounts because they would be considered an unregistered security. The panel moved on to a brief discussion but the still-developing situation between Ripple and the SEC. The outcome of Ripple's case may significantly impact the SEC's current regulatory position on cryptocurrency. However, SEC is not the only regulatory body with skin in this game, but also the CFTC has made some significant moves into virtual assets. Specifically, BitMEX, where the CFTC and FinCEN issued them a fine of 100 million dollars for operating an unregistered derivatives exchange and no adequate AML program in place. Similarly, a company known as Binance has caught the attention of the CFTC as well as several other countries.
Of course, the panel would have been remised for not at least briefly discussing one of the most significant breaking use cases of Virtual Assets, which was El Salvador's recognition of BitCoin as legal tender. Many in the international community raised concerns over the volatility of bitcoin and the heightened potential for money laundering.
Now, after discussing definitions, regulatory issues, and various risks, the question remains, how should a financial institution onboard such clients. The key will be to have conversations with the bankers/sales teams who want to do business in this space. Start by defining the financial institution's risk appetite for onboarding these various clients, keeping in mind that the discussion of risk is not just with the AML team but the teams in charge of reputational risks, sanctions, and environmental risks. Given the current regulatory landscape, many financial institutions will treat these clients as MSBs, which means they will collect similar due diligence and use similar monitoring programs. Such as collecting licenses, developing a deep understanding of their business model, and ensuring an AML program is in place. A bank may also want to look for what type of monitoring programs the client has in place, such as engaging a third party for investigations. Also, beneficial ownership will be critical on the KYC side and establishing a risked-based approach, not automatically assessing these clients as high-risk. While on the transaction monitoring side, current systems will need to be modified to address certain inherent risks. For example, if the systems monitor the trade of securities, the systems will need to account for the significant volatility of virtual assets. A common piece of advice came out of this discussion: do not reinvent the wheel but look to existing policies and systems as templates to build solid programs for engaging virtual asset clients.
Although it seems the implementation of specific VASP regulations are a long way off, they are not. Increased government regulation and scrutiny (and subsequent fines) are imminent, so it's best to lay the groundwork now, even if you are not working with a "pure" crypto player.
Collaboration between the VASP industry itself, along with FI's, fintech firms, and the various government regulators, will help prevent a "catch-up game." A significant way to move forward is to embrace technology to address the challenges that a purely digital product will present.
Don't reinvent the wheel - leverage frameworks and parts of your program that apply to MSBs and securities.
Be part of the conversation - if you are in the space or are interested in entering the space, respond to requests for comments and participate in industry groups.
Digitize and automate to align with an industry that is digital and automated
As an FI, be ready. Know your risk appetite and make sure it's clearly documented and communicated within your organization.
Don't do it alone - consider the reputational and environmental risks in addition to AML.
Even if you ultimately decide your appetite is very limited, be prepared for questions and client requests and educate yourself.
Materials from the event can be accessed here.