Managing risk in AML programs

Same same, but different

Asaad Faquir, Tom Lazard | 8/12/2022

Given the rapid changes in the crypto asset world, organizations should update their AML programs to mitigate risk.

For those not familiar, the phrase “Same same, but different” refers to the description of two things that appear largely similar but are also very different. Take, for example, the similarities and differences between a Belgian Malinois and a German Shepherd. Or, in the financial crime prevention world, consider the similarities and differences between fiat currency and crypto assets when it comes to managing risk in anti-money laundering (AML) programs.

The base principles of managing risks related to source, volume, and movement remain the same whether referring to fiat or crypto assets. But the exact mechanics are nuanced enough that existing programs definitely need to be updated.

AML programs in the brave new world 

In general, professionals in the Bank Secrecy Act (BSA)/AML universe are experienced at understanding and managing source, volume, and movement risks of fiat currency. Based on decades of compliance with BSA/AML and USA PATRIOT Act requirements, experienced financial crime professionals know how to ask about and analyze their customers’ sources of funds. And thanks to leaps in technology over that same time period, specialists are also highly competent when it comes to tracing fiat funds as they flow through financial services organizations. Whether through automated clearing house (ACH), cash, check, or wire, financial crime professionals are well positioned to follow the money in the traditional, centralized finance world. However, as crypto and digital assets take flight (even during the so-called “crypto winter”), many organizations are inadequately prepared to manage the associated source, volume, and movement risks in a new way. Why is that?

Overall, there is a high degree of misunderstanding about the source, volume, and movement risk of crypto assets on chain, along with a substantial amount of misinformation about how on-chain risk management works. Clarifying both the misunderstandings and the misinformation about on-chain transactions is therefore a first step toward identifying gaps that can be addressed in AML programs.

Blockchain is observable

First, blockchain transactions are pseudonymous, not anonymous. This means that transactions conducted on chain are always 100% observable, but precisely who is conducting the transactions isn’t known publicly. That reality makes BSA/AML professionals understandably leery, but only before reconsidering the phrase, “Same same, but different.”

Bad actors are readily identifiable on chain, not by name but by their public key. As a result, numerous blockchain transaction analytics firms have stepped up to help identify public keys demonstrating nefarious activities and provide risk indicators to support BSA/AML processes.

Blockchain is immutable

Second, the blockchain is an immutable record. Once a transaction takes place on chain, it is observable and reviewable forever, as are all the transactions that came before and all the transactions that come after. From a BSA/AML perspective, the immutable record offers a tremendous advantage over current monitoring practices, where specialists can see money only when it moves into or out of organizations but not beyond that field of vision.

Blockchain is knowable

Third, one more time – and louder this time for the people in the back because it’s that important – the blockchain is an immutable record. The blockchain is always current to transactions that have been conducted, which means that the amount of crypto assets in a given wallet is always known and knowable. As such, there is no way for under-the-table transactions to take place to inflate or obfuscate the amount of crypto and digital assets in a specific wallet.

Mitigating risk

Now, true financial crime professionals see that a trade-off is being made here from a risk perspective. That concern is entirely valid, but this change in risk perspective can be effectively managed by taking a few actions, including:

  • Identifying your current crypto asset risk exposure. At this point, no financial services organization in the United States is free of exposure to the crypto and digital asset universe, whether indirectly through customers on- and off-ramping crypto asset funds through the bank or directly through products, services, and partnerships. At a minimum, specialists should be keyword searching transactions, keeping in mind that many crypto asset exchanges operate under a doing business as (DBA) name and might have a different name in the ACH funds transfer world. (For example, the Kraken exchange is the DBA name for Payward, Inc.)
  • Adding crypto asset questions to know your customer (KYC) and customer due diligence. In addition to seeing which customers are currently sending money to or receiving money from a crypto asset exchange, which is reactive risk management, financial services organizations should proactively manage risks for new customers by determining whether or not they currently interact with crypto and digital assets. Buying or selling these assets doesn’t make a customer high risk, but there is more risk present than with someone who doesn’t.
  • Updating overall BSA/AML risk assessment to account for crypto and digital asset risk. Whether or not it is a product your organization is directly involved with, the amount of involvement that your customer base has with the crypto markets is a relevant risk factor for the organization.

At minimum, all financial services organizations should leverage their existing risk mitigation processes as outlined here. These three activities can help organizations have a deeper understanding of their exposure to the crypto and digital asset world and allow for increased safety for all by alerting specialists to risks off chain. By knowing who customers are before they go on chain and have reduced visibility, organizations can have a better sense of the risks involved.

To take risk mitigation a step further, organizations can:

  • Partner with an on-chain analytics provider. Partnering with an on-chain analytics provider is an effective next step. These firms are purpose-built to take the risk mitigation frameworks for transaction monitoring that we know and trust in the fiat world and adapt them to the crypto world.
  • Join and participate in 314(b) information sharing. The crypto and digital asset world is home to a large and growing number of so-called “compliant exchanges” (those with effective KYC/AML controls) that are able and willing to engage in the information sharing process. When fiat transactional risk data is combined with an analytics provider’s on-chain risk indications and a compliant exchange’s KYC data, new money laundering typologies can be uncovered, suspicious activity reports can be filed, and criminals can be prosecuted.

The transactional universe

Crypto assets and transactions on the blockchain create different risk exposure for traditional fiat financial services organizations. However, crypto asset risk mitigation tactics also have some benefits over current fiat risk mitigation strategies.

For on-chain transactions, literally the entire transactional universe can be seen in fine detail. Admittedly, specialists can’t know for sure that a particular wallet belongs to a particular person. But is that different from the traditional off-chain world, where professionals know the customer but have limited line of sight into their transactional universe outside of the four walls of the organization?

In reality, both the on- and off-chain worlds are based on trust and managing the risks of the unknown, so it’s “same same.” But because it’s a new way of transacting, it’s also “different.”

Earning trust

In the end, it’s about trust. Financial crime professionals can enhance the financial services ecosystem's ability to trust by learning more about this new asset world and by taking the opportunity to lead and integrate appropriate risk mitigation strategies.