Crypto anti-money laundering: how to prevent each step in a 3-step process.
Before I explain in detail how crypto anti-money laundering works, I want to elaborate on why you should care about money laundering through crypto and read this article. When I speak with compliance “experts” in the crypto industry, they are quick to point out that I am wasting time advocating for crypto anti-money laundering. I was surprised that even high-level employees from well-known big firms claim that money laundering in crypto is not an issue since, by current estimates, the use of cryptocurrencies for money laundering accounted for just 0.05% of all cryptocurrency transaction volume in 2021, and it is only falling on a year-on-year basis!
Unfortunately, many “professionals” are prone to a statistical bias that can be summed up as “there are lies, big lies, and statistics.” When I spoke with people from the industry, not a single person could concisely describe the math behind the numbers apart from “identified problematic wallet addresses”. Let me explain the numbers and why you should not rely on the statistics. The numbers in question directly relate to cybercrimes, so nobody can calculate precisely how much is being laundered. To illustrate this point, here is a graph from the Chainalysis report:
The above “value received” simply concerns transactions for the sake of transactions, which are often conducted without any underlying exchange. In the cryptocurrency sphere, there are quite a few transfers that have no economic rationale (e.g., moving value between one’s own wallets) and are not linked to any business or individual relationship. This makes the 0.05% estimate pure speculation by crypto evangelists.
Let’s look at another graph from a newer report on the same topic by Chainalysis:
You can probably see the similarities between the two graphs in all years apart from 2020, which fluctuates a bit (FYI, this is because of the delay in identifying wallets as “problematic”). Basically, these two graphs provide the same information under different umbrellas: one states that the funds relate to the value received by some illicit actors, the other that the value refers to funds that are instantly laundered. Moreover, most current intelligence sources collate this information from automatically provided data, and there are quite a few exchanges with a lax KYC process (NB: according to a CipherTrace study, 56% of 800 market maker exchanges have very minimal to no KYC at all), so this is not very reassuring.
Also, when speaking about crypto money laundering, Chainalysis accounts only for transfers that originate from initially identified problematic addresses, which held some crypto linked to cybercrime or the like. Now you may think: if I’m so sceptical about this report, why do I refer to these statistics? Because they are still the best collated on this topic. Even those provided by Elliptic would not differ much and would still be subject to the same criticism. Their overview tries to track the main typologies in cybercrime directly related to cryptocurrency rather than accounting for crypto money laundering itself, and that is another issue with such reports.
Regardless of my thoughts on this matter, I believe there is a problem that needs solving. For all those who will start comparing this with cash or the traditional financial system and the money laundering/illicit activity in that sector: we’re trying to solve problems here, not point fingers at each other. So please sit down, relax, and bear with me a bit longer. Next, we have solutions, and not the rainbows-and-unicorns kind where we all hold hands and look confidently into tomorrow, knowing that our children will be able to live in a world free of crimes, famine, wars, plagues, etc.
P.S. On another note, for those who are interested in understanding the real level of crypto money laundering compared with fiat currency, I would advise you to read the following article. Another interesting source is Europol’s paper, which also links to a report estimating that about one-quarter of the total dollar value of transactions in Bitcoin is associated with illegal transactions.
Measures for a successful crypto anti-money laundering programme
Now I am sure that next time somebody starts telling you fairy tales about 0.05%, you know what to say, but let’s get back to the main topic.
Following up on the discussion of the different steps of money laundering in our previous article (if you missed it, I would advise you to read it here: Cryptocurrency money laundering risk: the best explanation of a 3-step process), it is apparent that there may not be a single solution for preventing crypto money laundering. Because money laundering itself has different steps, there are different measures to spot one activity or another and take corresponding action. So, when designing a crypto anti-money laundering programme, identification and initial KYC (which quite a few people somehow believe to be the one and only measure that virtually axes all money laundering risks related to cryptos) will mostly counter the first step, i.e. placing. There are other solutions too, such as on-chain monitoring solutions, which are aimed at countering the second step, i.e. layering. Lastly, limits on payouts and identification of all previous activity prior to the exchange of crypto to fiat are primarily aimed at preventing the third step, i.e. integration. Now I will dive into a bit more detail on how each step should be approached and what can be done to prevent crypto money laundering.
Step 1- Customer due diligence/Know-your-customer
Customer due diligence (or “CDD” for short) is recognised as one of the main measures in crypto anti-money laundering, and rightly so! Without initial identification, you cannot ascertain that your prospective client will not engage in a dubious activity. During the customer due diligence process, the firm must perform two things:
- identify the entity posing as a prospective client (i.e. obtain information on the identity and supporting documentation), and
- verify the information provided by the prospective client during the identification.
These two steps broadly help to ascertain whether the prospective client will be likely to engage in money laundering or not.
The information collected will depend on the type of client, but for private individuals it will most commonly involve ID and proof of address. The documents containing these data will need to be verified for authenticity. Since we’re speaking about cryptos, this will most probably be carried out with the help of a document and biometric verification provider. In this regard, firms such as SumSub, Ondato, or APLYiD will work their magic and check the person against the photo on the ID whilst he/she films a short video. Moreover, they can collect the proof of address and validate the authenticity of that document by looking for signs of tampering. As a follow-up step, they will screen the person against sanctions/PEPs/adverse media to ensure that the person in question does not pose any unexpected risk. Following these checks, depending on the workflow, either the person will be approved for account opening automatically or the case will go for further review by the AML department, which will check occupation/business activity and the purpose of account opening. Incidentally, it is always advisable to have a human involved, as it will ensure higher accuracy and peace of mind for the MLRO (who, knowing the burden of compliance, probably has problems sleeping).
Above I’ve described the usual set of steps undertaken to verify a person. Nevertheless, it may be more complex where the private individual poses more risk or where the client is a corporate entity. In such instances, there will be requests for additional documents to ascertain other aspects, such as the source of funds and wealth, financial reports, business plan, good standing, etc. Notably, with private individuals this part is quite often left out because of the “friction” that reduces client conversion, and quite a few providers perform only the steps described in the above paragraph (if they perform them at all in the crypto sphere). With corporate entities, there is always a more complex process where identification and verification concern other authorised representatives/UBOs and the standing of the entity.
Now that you broadly know this process, bear in mind that crypto intelligence providers often classify exchanges according to their initial CDD practices. An exchange that is considered to have good standards will have such initial steps in place.
Already it should be apparent that I’ve been speaking about custodial wallets and not private unhosted wallets. This is because of the breadth of the issue: at present, there is no solution to ensure that each person verifies his/her wallets (subject to global oversight and the imposition of requirements to have your ID placed on a separate blockchain linked to the private wallet address…). When transacting with such wallets, exchanges take specific actions to try to identify the owner of the wallet, such as requesting screenshots or penny transfers made from them. These are not really the best solutions, but what can you do about it? That’s why, apart from initial CDD, there are other solutions that can be utilised to minimise the risks. For instance, some prominent exchanges have themselves prohibited withdrawals to unverified private wallets. The latter approach is understandably taken to lower compliance costs, which are elevated because countries around the globe are implementing additional crypto anti-money laundering requirements for P2P transfers as a consequence of FATF guidance on dealing with unhosted wallets.
Step 2- Monitoring of activity or how to spy on your clients
Now let’s look at how custodial wallet providers can act as gatekeepers for crypto anti-money laundering purposes. Firstly, it is important to emphasise that customer due diligence is an ongoing obligation rather than a one-off exercise performed at the start of the relationship. Ongoing CDD revolves around identifying whether the information that was initially collected is true and whether any trigger event suggests the opposite. This is carried out by verifying the information on an ongoing basis and reviewing the activity of the clients.
When we speak about crypto anti-money laundering, the main point is monitoring the wallet addresses with which a particular client exchanges crypto transfers. To do so, exchanges employ what are known as on-chain monitoring solutions, such as those provided by Crystal, Elliptic, or Chainalysis. Each such provider gathers information and allows you to track transfers on the blockchain and evaluate where “value” went from one person to another. Of course, not all cryptocurrencies can be tracked, and each solution has its own strengths. For instance, Crystal will provide you with a perfect evaluation and visual representation of one particular wallet and stands above Elliptic in terms of the visualisation of the breakdown, whilst Elliptic can be better at tracking a single transfer of value (NB: here I’m speaking about my personal preferences, and in no way am I saying that one or the other is better).
Apart from on-chain monitoring itself, with the Travel Rule becoming mandatory around the globe, solutions such as Notabene’s TR Now can help facilitate the sharing of originator/beneficiary information between exchanges. This adds at least some confidence that the VASP sending/receiving cryptos knows with whom its client is dealing. Nevertheless, in most instances only the names of the parties to the transaction will be known, and not the underlying rationale. Hence, from a conventional compliance perspective, it is impossible to establish the purpose of the transfers. This leads to the issue that all transactions carried out with cryptos will remain under a veil of mystery…
Following up on the above and moving a bit further away from the clients themselves, the exchange in question can employ providers such as VASPnet, which collates information on the regulated status of other exchanges. By doing so, you will ensure that there is no overwhelming activity related to unregulated exchanges, which can be problematic. From both a regulatory and a compliance perspective, this is very important for a successful crypto anti-money laundering programme.
There are certain solutions for monitoring crypto transactions. Nevertheless, as briefly noted whilst discussing layering, criminals are aware of the capabilities of monitoring and hence rely on mixers and privacy wallets. Unfortunately, there are no concrete solutions that would allow transactions to be monitored in all instances. Because of these problems, some activities/transactions are prohibited by the exchanges themselves, e.g. those involving decentralised exchanges, mixers, private wallets, etc.: basically everything that centralised exchanges see as high risk. Moreover, if official investigations are undertaken, parties such as operators of high-risk services will be compelled by the authorities to disclose the information in their possession, and a more robust investigation with the help of on-chain monitoring solutions will follow.
Step 3- Checks on the final steps
For a successful crypto anti-money laundering programme, providers need to counter the last step as well, i.e. integration. Here it is important to note that the solutions discussed under step 2 will facilitate this to a certain extent. Nevertheless, VASPs, specifically those that interact with fiat currencies (since that completes the cycle, and it is much easier to spend fiat currency than cryptos), should have additional measures to prevent criminals from being able to use their proceeds of crime. To do this, limits could be imposed, meaning that whenever a person wishes to convert their cryptocurrencies to fiat or to spend above a certain threshold, he/she cannot do so without triggering an alert. The alert would notify the compliance personnel working at the exchange and prompt them to review the activity of that client. This would lead to further questioning and investigation of all activity, and possibly to termination of the relationship/freezing of assets and a report to the national financial intelligence unit. Moreover, apart from the thresholds, the VASP’s compliance department should review the activities of clients on an ongoing basis (this will be handy for step 2 as well). Such steps would hamper enjoyment of the proceeds of crime and could potentially lead to an investigation that would ultimately prevent further crimes from materialising.
The above concerns the steps that could be undertaken on the side of the VASPs themselves, and it should be noted that the list of measures is far from exhaustive: they are simply some examples of how it could be structured in practice. You should note that each programme must have both appropriate software and well-trained personnel to be successful.
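An added example (not code from the original article or from any provider it names) of the Step 3 payout limit: a crypto-to-fiat request above a threshold is held and an alert is raised for compliance review. It goes slightly beyond the text by also totalling a client's requests over a rolling window and by holding funds whose on-chain source falls in a category the exchange prohibits (Step 2); all limits, category labels and sample requests are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

SINGLE_LIMIT = Decimal("10000")   # assumed per-request crypto-to-fiat limit
ROLLING_LIMIT = Decimal("15000")  # assumed cumulative limit inside WINDOW
WINDOW = timedelta(days=7)        # assumed review window
PROHIBITED = {"mixer", "unverified_private_wallet"}  # assumed blocked source labels

@dataclass
class Payout:
    client: str
    when: datetime
    fiat_value: Decimal
    source_category: str  # on-chain monitoring label for where the funds came from

def review_payouts(requests):
    """Return (released, alerts); a payout with an alert is held for compliance."""
    released, alerts, history = [], [], {}
    for p in sorted(requests, key=lambda r: r.when):
        past = [h for h in history.get(p.client, []) if p.when - h.when <= WINDOW]
        total = sum((h.fiat_value for h in past), Decimal("0")) + p.fiat_value
        reasons = []
        if p.source_category in PROHIBITED:
            reasons.append(f"funds from {p.source_category}")
        if p.fiat_value > SINGLE_LIMIT:
            reasons.append("single payout above limit")
        if total > ROLLING_LIMIT:
            reasons.append(f"{total} requested within {WINDOW.days} days")
        # Held requests stay in the history, so the cumulative total keeps counting them.
        history.setdefault(p.client, []).append(p)
        if reasons:
            alerts.append((p.client, p.when, reasons))
        else:
            released.append(p)
    return released, alerts

# Constructed sample requests (not real data).
_t0 = datetime(2022, 3, 1, 9, 0)
SAMPLE = [
    Payout("client-A", _t0, Decimal("6000"), "regulated_exchange"),
    Payout("client-A", _t0 + timedelta(days=2), Decimal("6000"), "regulated_exchange"),
    Payout("client-A", _t0 + timedelta(days=3), Decimal("6000"), "regulated_exchange"),
    Payout("client-B", _t0, Decimal("500"), "mixer"),
    Payout("client-C", _t0, Decimal("12000"), "regulated_exchange"),
    Payout("client-A", _t0 + timedelta(days=20), Decimal("4000"), "regulated_exchange"),
]

print(review_payouts(SAMPLE)[1])
```

Client A's third request is held even though each single request is under the per-request limit, while the request made 20 days later is released because the earlier ones have left the window.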
How can PSP Lab help with crypto anti-money laundering?
If you are not sure how to structure your crypto anti-money laundering programme, or whether the one you have adheres to the regulatory requirements and provides sufficient safeguards, feel free to reach out to us. We know the practicalities of crypto anti-money laundering and can enhance your compliance with both additional training and streamlining of the implementation of different solutions.