The Challenge of Crypto and Financial Crime


There are a variety of risks that need to be considered in the case of crypto—market, regulatory and cyber risks to name a few—but the most lethal is a transaction potentially linked to financial crime, whether suspected or actual. It’s imperative to understand how a risk profile changes through the entire life cycle of the transaction; it could get better with no link or it could get worse. Interestingly, our survey indicates that cryptocurrency risks pose an immediate concern to only 56% of respondents.

Financial Crime Risk Posed by Cryptocurrency is a Concern

The subsequent challenge of further understanding the financial crime risk is then one of monitoring that risk over three very different worlds—traditional finance, crypto and financial crime—and then connecting the dots across those three worlds to highlight activity which gives us cause for concern. Regrettably, there are many different scenarios in how crypto is used, both good and bad, and it’s only through policing the bridges between these three worlds, and monitoring what’s going on inside them, that we gain further insight into whether the circumstances are legitimate or otherwise. For example, a crypto day-trader would be expected to demonstrate that the movement of funds between crypto and fiat happened within a fully regulated perimeter, with proper know your customer (KYC) and anti-money laundering (AML) provisions, suggesting the risk or link to illicit activity was low. However, a scenario in which payments to and from customers’ bank accounts are transferred into an unregulated crypto exchange and then onwards via a crypto with enhanced anonymity would give major cause for concern, as linkages to illicit activity can happen with ease. While the outcome is different in each scenario, both cases suggest three areas of focus to provide some structure for our risk profiling activity:

  1. What crypto is involved in the transaction and how is it being used?
  2. What are the related crypto entities?
  3. What is the end-to-end regulatory status?

Incidentally, the first point is cited in our survey data with at least half of respondents, amongst other things, highlighting that digital currencies pose a challenge to government in fighting financial crimes.

What Are The Top Challenges the Government Faces in the Fight Against Financial Crime?

What is Crypto?

Crypto is a broad term used loosely to describe the technology that has led to a means of transmitting value via a shared or distributed ledger, which can be accessed publicly or, in certain cases, privately. Since this is codable technology, the nature of the value that is captured and transmitted is limited only by the imagination of those who design it. For example, crypto technology can be used to reference digital coins that can act as a store of value, such as bitcoin, or reference existing types of value, such as securities, or money held in conventional bank accounts. Crypto can also reference artwork, for example, non-fungible tokens, or provide access to storage or computing capability, with so-called utility tokens.

In the context of financial crime, and like conventional money, all types of crypto can be used for or linked to criminal activity. However, crypto has some interesting features which make monitoring and detection of wrongful activities easier, as compared to traditional money. Because there is a shared public ledger, crypto is generally traceable, and a transaction history can be compiled which enables attribution of a hygiene rating to transactions. Where criminal activity is proven, or suspected, such as in a hack or a ransomware attack, we can link those events to the related transactions, effectively in perpetuity, such that they will always be tainted with that activity. There are means of obfuscation through tools such as mixers which can conceal a coin’s history, but these are usually detectable and would trigger a red flag.

Alongside bitcoin, the most well-known, there are another 24,000 cryptos, or digital assets, many unique and purporting to exhibit some special features which make them stand out from the rest.[1] In broad terms, crypto segments into stablecoins, utility tokens and exchange tokens. Stablecoins are generally backed by a deposit held in a bank. Utility tokens are used for accessing a service of some kind. Exchange tokens, such as bitcoins, are used for payments, although their volatility can make them attractive to investors. Certain types of crypto can be categorized as enhanced anonymity coins, which, as their name suggests, have features which disguise origin and transaction value. Aside from enhanced anonymity coins, digital assets are not completely anonymous; they are, rather, pseudo-anonymous. As soon as they touch an entity which holds proper records of customer details, such as a regulated crypto exchange, then it should be possible to attribute identity information to the relevant transactions, provided the records have been held correctly and are accessible.

However, there’s a catch we see with the enhanced anonymity coins. In cryptography, there are lots of ways to anonymize transactions and make them difficult to trace. When cryptography is applied to conceal the identities of originators, beneficiaries and values being transferred, alarm bells need to be sounded. This is not generally the case with bitcoin; because the transaction history is captured on a public ledger, we can develop a profile, or hygiene rating, of bitcoin transactions. Provided we know whether certain of the bitcoins were used for bad things, we can attribute a “badness” rating to those transactions. This is very helpful for tracing activities related to financial crime. This is not the case with enhanced anonymity coins, which, if linked to an individual, entity or transaction, should trigger a red flag.
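The hygiene or “badness” rating described above can be made concrete with a small added example, which is not part of the report. The report names no scoring method, so this sketch assumes value-weighted ("haircut") taint propagation plus a flag for any mixer in a coin's history; the ledger, addresses, flagged output and 0.1 threshold are all constructed.

```python
# Constructed sample ledger (UTXO style); every id, address and value is invented.
# txid -> (spent outputs as "txid:n", [(receiving address, value), ...])
LEDGER = {
    "t0": ([], [("ransomware_wallet", 10.0)]),
    "t1": ([], [("miner_a", 30.0)]),                 # newly mined, no history
    "t2": (["t0:0", "t1:0"], [("trader", 25.0), ("change", 15.0)]),
    "t3": (["t2:0"], [("mixer_pool", 25.0)]),
    "t4": (["t3:0"], [("cashout", 25.0)]),
    "t5": (["t2:1"], [("merchant", 15.0)]),
}
FLAGGED = {"t0:0"}        # outputs tied to a proven or suspected crime (assumed)
MIXERS = {"mixer_pool"}   # addresses attributed to a mixing service (assumed)


def rate_outputs(ledger, flagged, mixers):
    """Return {output_id: (value, taint_fraction, mixer_in_history)}."""
    scores = {}
    for txid, (inputs, outputs) in ledger.items():   # dict order = chain order
        spent = [scores[i] for i in inputs]
        total_in = sum(value for value, _, _ in spent)
        # Haircut rule: each output inherits the value-weighted taint of the inputs.
        taint = sum(v * t for v, t, _ in spent) / total_in if total_in else 0.0
        mixed = any(m for _, _, m in spent)
        for n, (addr, value) in enumerate(outputs):
            oid = f"{txid}:{n}"
            own_taint = 1.0 if oid in flagged else taint
            scores[oid] = (value, own_taint, mixed or addr in mixers)
    return scores


def hygiene(scores, oid, threshold=0.1):
    """Map a scored output to a coarse rating; the threshold is an assumption."""
    _, taint, mixed = scores[oid]
    if mixed:
        return "red flag: mixer in history"
    return "tainted" if taint >= threshold else "clean"


if __name__ == "__main__":
    scores = rate_outputs(LEDGER, FLAGGED, MIXERS)
    for oid, (value, taint, _) in scores.items():
        print(f"{oid:5} value={value:5.1f} taint={taint:.2f} {hygiene(scores, oid)}")
```

The taint on `t5:0` shows the link to the flagged event surviving two hops after the coins were merged with freshly mined ones, while `t4:0` is flagged because of the mixer regardless of its score.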

Finally, because this crypto technology is programmable, we see huge growth in innovation in how the technology is developing. For example, the so-called decentralized finance (DeFi) protocols allow one class of asset to be locked in exchange for another class of asset. This ability to swap asset types is very common in traditional finance, hence the reason why DeFi is interesting in providing similar types of services in the world of crypto. However, DeFi protocols also represent a major risk in being able to bridge from one asset to another, one of which may be illicit whereas the other is ostensibly untainted.

Understanding the nature of the crypto involved in a transaction, the extent to which it is traceable and the rationale behind why it is being used is the starting point in assessing a transaction risk profile.

What are Crypto Entities?

Crypto activity is generally centered around exchanges, custodians, wallet providers and issuers. Crypto exchanges, of which there are more than 600 globally, allow parties to buy and sell crypto for other forms of crypto, such as bitcoin or stablecoins, or fiat, such as USD or Euros. Custodians hold crypto on behalf of third parties, very similar to the role of banks in holding deposits for their customers. Wallet providers allow self-custody, where the individual or beneficial owner of the crypto concerned has complete control, as opposed to a custodian, where control in part vests with the custody provider. Issuers, as the name implies, issue crypto currency, the design of which depends on the features the issuer is seeking to exhibit.

There are two other classes of entity which need to be borne in mind—crypto automated teller machine (ATM) operators and crypto miners. Crypto ATM operators allow physical cash to be exchanged for crypto. The risks associated with money laundering should be immediately apparent and, as such, there are strict regulatory frameworks for ATM operators. These essentially provide for the capture of identity and verification information as it relates to cash being exchanged for crypto, and vice versa. For example, in the UK, all crypto transactions executed via a crypto ATM above GBP 150 require KYC verification. The second class of entities are the crypto miners who provide the computer power which runs the crypto network, in return for which the operators receive units of crypto, for example, bitcoins. The computing units themselves are expensive and energy hungry. However, they have the advantage of generating new, or untainted crypto, such as bitcoin, and therefore represent an effective means of converting cash gained via illicit means. That cash is typically deployed to purchase the miner hardware or pay for energy. Dirty cash in, clean crypto out. Crypto miners are also generally unregulated, albeit they are banned in certain countries. For countries where miners are unregulated, this means their activities don’t need to be registered. As such, they represent a potentially invisible bridge between illicit funds and clean crypto. However, to detect this we have the advantage of the public ledger, which allows us to observe the distinctive pattern of transactions a miner generates. This in turn may point to the illicit conversion of funds into untainted crypto. It may also just be an indicator of legitimate mining activity and so research and deeper inquiry is essential through profiling the beneficial owner. Opaque structures, with poor explanations of the source of wealth, usually point to questionable arrangements in relation to the underlying activities. 
Here, a register of beneficial interests is vital, a point clearly highlighted in the results from our survey.

Beneficial Ownership Registry is Helpful to the Vast Majority of Companies Surveyed

What is the End-to-End Regulatory Status?

The extent to which crypto is regulated varies country by country and continues to evolve. Some jurisdictions are well down the path of regulating crypto, whereas others have yet to start. Understanding the regulatory status of a particular crypto or a particular entity is an important starting point when considering the overall hygiene of a transaction and the risk of being linked to illicit activity of some kind. Unfortunately, it doesn’t stop there. Being guided by a simple regulatory stamp of approval is generally insufficient. It is important to understand what concerns or issues a regulator may have open with a particular entity and, in the spirit of propriety, it’s good practice to request from the entity concerned information such as the latest Money Laundering Reporting Officer (MLRO) report, the last regulatory filing, or policies for onboarding customers. Reducing the risk of financial crime is about detecting and removing gaps in the entire regulatory perimeter, extending across into traditional finance. Any such gaps can have serious consequences. Understanding where the gaps are, and the steps taken to either mitigate or remove the risk entirely, is a core principle of our framework.

Depth and breadth of recordkeeping is essential. Given the ease with which funds can be moved between crypto and fiat, sources of wealth should underpin any risk analysis. Regardless of the structure, the identity and profiles of the beneficial owners need to be understood, extending diligence activities proportionately as necessary. Reference to beneficial ownership registers is again obviously paramount, as evidenced in our survey.

This holistic view of the transaction is essential. Nearly one-third of survey respondents indicate that their companies’ financial crime compliance programs cater to risks associated with cryptocurrencies, with 22% reporting they are planning for future crypto risks. This is encouraging, but there is still clearly work to be done.

One-third Indicate Financial Crime Compliance Programs Cater to Organization’s Cryptocurrencies Risks


In some ways, with the readable and relatively straightforward public ledger technology, the features for detecting and pursuing illicit crypto activity are superior to those of conventional money. What our survey highlighted, however, was the lack of understanding. One in four respondents stated that the financial crime risk posed by cryptocurrency is a significant concern, and more than 60% of respondents stated that understanding the risks associated with crypto is a key challenge. Given the utility of the technology and features which improve the ability to fight financial crime, especially the moves by central banks to adopt similar forms of the technology, crypto is arguably a form of money that is very much in our future. We need to understand it, the frameworks that make it safe to use and the ever-changing regulatory landscape around it. And with the advent of freely available and sophisticated AI tools which can automate the transfer of crypto and obfuscate its use for illicit activities, sophisticated frameworks to monitor and detect for the risk of illicit activity using this technology will need to become ubiquitous.


