Same rules, new game: Crypto assets and financial crime

One distinguishing element of crypto assets – the underlying blockchain technology – creates unique challenges when it comes to risk management. The pseudonymity of participants has, in the past, been used by criminals to conduct illicit activity, such as buying and selling illegal goods.

However, blockchain technology also has features that can enhance stakeholders’ ability to detect historical activity patterns, allowing for the enhanced prevention of future financial crime. Whenever a transaction is done on a blockchain, an immutable record is created. All transactions conducted with crypto assets are recorded on a blockchain, which creates a unique and valuable trail of evidence.

With physical representations of currency (such as paper money and coins, bearer shares, or paper certificates representing stock ownership) or with existing digital products and services (such as automated clearing house or wires), the digital paper trail moves through each financial services organization encountered, which means that a laundry list of organizations must cooperate to form a complete story. Crypto assets are different, as they allow for a more complete record via blockchain technology. In addition, each transaction is tied to a digital wallet address, an important identifier that can help officials identify and tag bad actors.

Crypto assets and movement and source risk

To the extent unique financial crime risks with crypto assets exist, they generally relate to movement, fraud, and source risk. In terms of movement risk, once the value has moved out of fiat currency (by definition a government-regulated store of value) and onto a blockchain, risk is introduced. While the blockchain creates an immutable record and the amount of value that is moved is visible to the public, the speed at which transactions can move is something that financial services organizations find difficult to comprehend, which is a direct result of the movement risk.

One example of movement risk and illicit activity is the “investment rug pull,” in which a developer attracts investors to a new crypto assets project but then takes the funds and shuts down the protocol. Blockchain technology also provides a new means of layering funds, which can allow a money launderer to use a series of transactions to create layers between the criminal source of illicit funds and the cash itself.

In terms of source risk, while public wallet addresses are useful, as is the ability to see the flow of funds from end to end, it is not always possible to discern the source of value as it transfers around the blockchain. This fundamental struggle is caused by two things, each of which have been highlighted by recent headlines of prominent crypto asset exchanges. First, poor on-ramp controls by both crypto asset exchanges and banks can allow ill-gotten fiat currency to enter the cryptosphere. Second is the limited ability to understand why crypto assets move from one wallet to another. In a traditional fiat environment, companies sending consumers money generally is accepted, as in the form of a paycheck or refund. The type of transfer dictates the source and risk of the transfer. However, since all crypto asset transfers are just crypto asset transfers, the meaning of the transfer – and therefore the source of the value of the transfer – is cloudy at best.

Regulatory oversight

In recent months, regulators have signaled heightened interest in the financial crime risks inherent in crypto assets and blockchain technology. To date, however, clear authority of crypto assets has not yet been established. Part of the difficulty has been that crypto assets do not fit neatly within existing categories of assets. Regulators and other stakeholders have not yet reached consensus on whether crypto assets should be considered a security, commodity, or something else. Adding complexity, different types of assets will likely need different approaches.

Pinpointing the best regulator for crypto assets has thus been difficult. Legislation proposed in June 2022, the Responsible Financial Innovation Act, recommends that the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) have regulatory authority. However, in November 2021, the President’s Working Group on Financial Markets discussed the possibility of stablecoins being regulated through depository institutions, illustrating the challenge of identifying the best regulator.

Additional questions arise in considering issues around consumer protection. For example, who will own regulation of and over which crypto assets: the SEC, the CFTC, the Office of the Comptroller of the Currency, the Federal Reserve, or another agency altogether?

Financial crime and risk management fundamentals

To proactively demonstrate an understanding of the risk at hand, U.S. organizations need to develop and implement a strong, stable, anti-money laundering (AML) rubric from which to operate, starting with the Bank Secrecy Act of 1970 (BSA) and updated through the USA Patriot Act of 2001. The principles-based approach that includes enterprise risk management, risk-based customer diligence, suspicious activity monitoring, investigations, and reporting applies to crypto assets as it does to fiat currency. These efforts, in addition to market technologies that enable visibility into on-chain transactions and the required additional investigatory capabilities, provide a solid basis for monitoring suspicious activity and for fighting financial crime.

Nonetheless, the world of crypto assets is entrepreneurial, innovative, and fast-paced – and for many participants in the crypto asset market, it has been demonstrated through recent failures that risk management has not been a priority. Sound, sustainable business decisions can be forgotten in the effort to get more users or additional revenue booked for the next funding round. However, heightened regulatory scrutiny will force companies to establish more thorough risk management practices.

Risk exposure

The most important actions companies can take to manage risk from crypto asset exposures are to, first, identify their current exposure. All financial services organizations should be updating their overall BSA/AML risk assessments to account for crypto asset risk. The risk assessment provides support to financial services organizations to quantify the level of exposure to the crypto asset universe, whether indirectly through customers or directly through products, services, or partnerships. Understanding that exposure is foundational to effectively managing risk.

Next, financial services companies should enhance their current controls, including adding crypto asset questions to their know-your-customer and customer due diligence efforts, targeted monitoring for on-chain transactions, and sanctions screening. Organizations also need to proactively manage risks by monitoring which customers are sending or receiving money through a crypto assets exchange, as these activities can increase the risk that customers pose and might be indicative of additional activities intended to disguise the relationships between two or more parties.

In general, the organizations’ controls and systems’ ability to distinguish between good and bad actors is improving. Organizations that monitor transactions for hallmarks of problematic behaviors are maturing, and they are identifying noncompliant actors more quickly. Additionally, novel data points, like IP addresses, are now being used to help better know the customers and their physical locations to reduce concerns of sanctions evasion and fraud.

Setting up an ecosystem

In many ways, the ability to fight financial crime aligning to crypto and digital assets or on-chain transactions is better, cleaner, and more consistent than with fiat currency – with the notable exception that exactly who is conducting crypto asset transactions is not always known. For the traditional financial services industry, which relies on personal interactions and face-to-face verification of identity, it will take time and effort to get comfortable with the realities of transacting on blockchains without “knowing” their customers. But knowing the customer by name is less important than the behavior and transaction patterns that raise red flags about potential criminal behavior.

In addition to considering risk management, financial organizations have a lot to think about, including how to marry on-chain and off-chain transactions and customers as well as how to use partnerships with financial technology companies and other startups to set up an ecosystem that will be safe for customers and create a delightful experience.

Recent data suggests that while many people in the U.S., and even globally, are interested in crypto assets, the number of active users is still relatively small. While the market is in its infancy, financial services companies have a unique opportunity to drive adoption while also preparing for a future in which crypto assets are much more pervasive. To accomplish this and to operate optimally, systems, processes, and data streams need to be brought up to speed.