By Vincent Gaudel, financial crime compliance expert, LexisNexis® Risk Solutions
The popularity of cryptocurrency has taken the world by storm. In the last few years, regulators have acknowledged the transition of cryptocurrency (crypto) into the mainstream and shaped responses to address the variety of risks associated with its use.
The field of international sanctions is certainly impacted by this paradigm shift, as crypto transactions may run seamlessly and often anonymously across international borders and in an entirely decentralized manner, without the possibility for a third party to block the transaction or freeze the assets.
Financial Crime 2.0
The media and financial regulators have extensively reported on financial crime risks associated with crypto. The Financial Action Task Force (FATF) issued its first guidance in 2014 and has since worked consistently to include virtual currencies in the scope of its 40 recommendations to support countries’ efforts to mitigate the financial crime risks of this emerging payment method.
In the area of international sanctions, the Office of Foreign Assets Control (OFAC) was the first agency to formalize regulatory expectations regarding crypto. Three separate developments occurred in 2018: First, OFAC issued a set of frequently asked questions to clarify that sanctions prohibitions applied to assets and transactions in virtual currencies. Second, the U.S. president issued an Executive Order banning U.S. persons from investing in a virtual currency project from the Venezuelan government. Finally, in late 2018, OFAC designated two Iranian nationals as Specially Designated Nationals (SDNs), including for the first time Bitcoin addresses used by these SDNs to conduct prohibited transactions.
Since then, OFAC has continued this trend to include Digital Currency Addresses (DCAs) to the record of sanctioned persons and entities. It remains the only agency to do so, and as of today, there are several hundred DCAs in the OFAC list. OFAC also warns of the ability of individuals located in countries under comprehensive U.S. sanctions to access crypto services. These concerns were evident in recent settlement agreements reached with crypto platforms: OFAC expects providers of crypto services to implement geolocation controls to block users in sanctioned locales.
In 2021, OFAC went one step further by designating a crypto exchange that served as a conduit for laundering the proceeds of ransomware attacks as an SDN. It also set out a clear sanctions compliance guidance for crypto firms to operate in compliance with U.S. regulations. Similar actions occurred in 2022 against centralized and decentralized mixing platforms, confirming OFAC’s resolve to limit the ability for sanctioned actors to evade sanctions through crypto. However, as the crypto world changes fast, it is likely that further regulatory responses should be expected.
The Central Compliance Challenges of Decentralized Systems
The fundamental concept underpinning anti-financial crime regulations is to apply a risk-based approach that maximizes scrutiny in areas of heightened risk. However, in a crypto context, these areas of risk might prove challenging to assess.
Firstly, identifying customers or parties to a transaction is obviously critical for sanctions compliance. However, it is not always an easy task to put a name behind a crypto address. Crypto service providers need to know who controls a particular digital wallet or address. This is the jumping off point of checking on the involvement of sanctioned individuals.
There is also the issue of blocking malicious actors. Even when finding a sanctioned party, the permissionless nature of the most popular crypto makes them censorship resistant. In other words, if a user retains control over their private keys, no third party can technically block their address. This is a prime source of concern for regulators. In the U.S., requirements will soon apply to transactions involving these so-called unhosted wallets.
Another challenge lies in the global, borderless nature of crypto. Unlike traditional financial routes, blockchain transactions do not keep track of a sender or recipient’s location. Therefore, geographical risk assessment associated to a transaction is virtually impossible. This prompted FATF to recommend treating all crypto transactions as cross border in their 2021 updated guidance.
Finally, travel rule requirements remain a significant challenge for applying AML/CFT standards to crypto transactions. These requirements include sharing identifying information about the parties to a transfer of funds, which is essential to sanctions compliance. However, compliance with the travel rule is by no means an easy task. Regulated service providers need to develop messaging standards and infrastructures since the required identifying information is not found in the blockchain transactions themselves.
The travel rule requirements are a good illustration of the global challenges posed by crypto. More than for any other sector, a coordinated regulatory response is necessary to address the financial crime risks associated to cryptocurrencies. As the U.S., the EU and other jurisdictions continue to develop their regulatory frameworks, FATF’s role will remain critical in fostering a more global adoption of AML/CFT standards for the cryptocurrencies industry.
Balancing Risks and Opportunities
It is no secret that criminals use crypto for illicit activities. Many marketplaces on the dark web require crypto for payment and ransomware attackers often want payments in crypto. There have also been reports of terror networks using crypto to fundraise. However, financial crime existed long before crypto arrived on scene. The extent to which illicit activities can propagate due to the proliferation of crypto remains unclear.
It is worth keeping an eye on where this activity goes in the future. From a business perspective, sound regulations around crypto can prove beneficial. If you’re in business, you need to know where your money is coming from and where it’s going. Increased oversight is a condition to bringing cryptocurrencies further into the mainstream. However, due to their unique features, crypto calls for specific risk management frameworks. By using the latest tools and technologies, businesses can leverage the traceability of the public blockchain and identify the level of risk associated to a particular customer or wallet address. This is critical to prevent misuses by financial criminals, comply with regulations and safeguard a business’ reputation.
From Fad to Fixture
Crypto is not showing any signs of waning popularity. There are definitive signs, however, that efforts are gathering steam to regulate crypto in one form or another, as evidenced by the recent executive order by President Biden. Both international and national regulatory bodies seek ways to root out any illicit activities related to crypto, and a set of sweeping standards aim to achieve this end in the long-term. By using modern technologies and safety measures and keeping up on guidance, businesses can be both compliant with regulations and avoid any potential issues that can come with the decentralized nature of crypto.