Annette Fong Head of Compliance Solutions
Cryptoassets – Believing the money laundering impact
“If you don’t believe it or don’t get it, I don’t have the time to try to convince you, sorry.” — Bitcoin’s purported founder Satoshi Nakamoto
“I believe... I believe... Even though it's silly, I believe” says Susan from a Miracle on 34th Street
According to the Q4 2019 CipherTrace Cryptocurrency Anti-Money Laundering Report , for 2019, the total of cryptocurrency-related frauds and thefts was US$4.5 billion including: US$370.7 million lost in exchange thefts and hacks and US$4.1 billion of losses stemming from fraud and misappropriation of funds.
Chainalysis reported that it traced US$2.8 billion in Bitcoin that moved from criminal entities to exchanges, noting that – “Once a criminal has a pile of illicitly-gained cryptocurrency sitting in a wallet, the next question they have to answer is, How am I going to turn this into cash without getting arrested? The need to launder funds is the common thread amongst all the forms of crypto crime we analyse”.
This means stealing cryptocurrency from unsuspecting users, avoiding law enforcement, laundering that money and finally finding an avenue so that the currency is spent in the real world, is a believable scenario.
Stages of Money Laundering
Regulators have raised concerns about the risks of cryptoassets in relation to money laundering and terrorist financing as cryptoassets can be leveraged in the following ways:
- Placement – such as opening crypto accounts anonymously online. Cryptocurrencies can be purchased with cash or other types of crypto (altcoin). Online cryptocurrency trading exchanges have varying levels of compliance with regulations regarding financial transactions. Legitimate exchanges which follow regulatory requirements for identity verification and sourcing of funds are anti-money laundering (“AML”) compliant. Other exchanges may not be as AML compliant and this non-compliance allows crypto money laundering to take place.
- Layering – digital coin offerings have the veneer of anonymity and the potential for abuse such as by participating in unregistered Initial Coin Offerings (“ICO”). Generally, crypto-based transactions can be followed via the blockchain. However, once a dirty cryptocurrency is in play, criminals can use an anonymising service to hide the funds' source, breaking the links between transactions. Often, the main excuse for illicit hiding activities is the argument that using anonymising service providers protect personal privacy. This can be accomplished either on regular crypto exchanges or by participating in an ICO, where using one type of coin to pay for another type, can obfuscate the digital currency's origin.
- Integration – such as purchasing legitimate items through assets such as Bitcoin. The point at which you can no longer trace dirty currency back to its criminal origins is the integration point - the final phase of currency laundering. A simple method of hiding the proceeds of crime is to present it as the result of a profitable investment or currency appreciation. This can be very hard to disprove in a market when the value of any given altcoin can change by the second. Another example is where cryptocurrency is demanded as a payment form for criminal activity.
Elliptic published a paper on “Bitcoin Money Laundering: How Criminals Use Crypto (And How MSBs Can Clean Up Their Act”  illustrating some of the most prominent cryptocurrency money laundering cases involving one or more of the following practices:
Due to these concerns, the EU Fifth Money Laundering Directive (“5MLD”) specifically addresses the risks around cryptoassets and discusses how to mitigate them. 5MLD puts forward the need for increased due diligence processes for crypto exchanges and custodian wallets handling certain types of cryptoassets.
As at 10 January 2020, the Financial Conduct Authority (“FCA”) is the authority supervising AML compliance for certain cryptoasset businesses. The FCA is tasked with ensuring that these businesses adhere to the respective anti-money laundering and counter-terrorist financing (“AML/CTF”) legislation, including the 5MLD and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2019.
Cryptoassets businesses carrying on the following activities will fall within scope:
- Cryptoasset exchanges;
- Cryptoasset ATMs;
- Peer to Peer Providers;
- Custodian Wallet Providers;
- Issuers of new cryptoassets (e.g. ICOs or Initial Exchange Offerings); and
Those publishing open source software such as non-custodian wallet providers.
All UK cryptoasset businesses are required to register with the FCA from 10 January 2020 and by 10 January 2021. These businesses must comply with the money laundering requirements from 10 January 2020, irrespective of whether they have registered or not with the FCA.
Cryptoasset businesses carrying on the activities listed below are captured within the scope of registration :
Cryptoasset activityAs described in the Statutory Instrument
Cryptoasset exchange provider (including Cryptoasset Automated Teller Machine (ATM), Peer to Peer Providers, Issuing new cryptoassets, e.g Initial Coin Offering (ICO) or Initial Exchange Offerings).a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services. (a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets, (b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or (c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.
Custodian Wallet Providersa firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer:
• cryptoassets on behalf of its customers, or
• private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.
For existing business operations which already carry on cryptoassets activity before 10 January 2020, they may continue unregistered but are required to sign up for FCA supervision by 10 January 2021 or terminate all activity. The FCA also requires that existing Financial Services and Markets Act firms, e-money institutions and payment services business who are undertaking cryptoasset activity apply for registration by 10 January 2021.
Whether or not they register, all UK cryptoasset businesses will be supervised by the FCA and the FCA will take immediate action where such firms fall short of compliance with the money laundering requirements or threaten market integrity. The FCA will actively supervise the cryptoassets businesses in the same manner and approach as faced by other authorised businesses within the FCA's regulatory scope. The FCA will actively supervise the cryptoasset businesses in the same manner and approach as faced by other authorised businesses within the FCA's regulatory scope. Last year alone, the FCA issued fines totalling £392,303,087 and has already issued fines totalling £2,865,400 this year for AML failures. Additionally, cryptoasset businesses exhibiting higher risk will be subjected to a “more intrusive” level of scrutiny than others.
As part of their supervisory assessments, the FCA will require cryptoasset businesses to implement policies and procedures in order to mitigate any AML/CTF risks. Cryptoasset businesses may be required to produce these for inspection if requested by the FCA. The FCA advises cryptoasset businesses to carry out their own evaluation of risk controls to confirm suitability of business activities. This also includes appointing a member of the board to ensure adherence to AML/CTF policy.
AML/CTF compliance is not the only risk related to the cryptoasset businesses. Due to lack of visibility in customer accounts and payment networks of cryptoasset activities, other risks include:
- Sending and receiving money to and from a virtual asset service provider (“VASP”) without knowing it;
- Hosting illicit money service businesses;
- Sending money to sanctioned entities, individuals, and blockchain addresses (e.g. failing to abide by economic and trade sanctions imposed on nations such as Iran and North Korea); and
- Unwittingly facilitating terrorist financing.
For these reasons, it is important that all cryptoasset businesses believe that the AML/CTF threat is real and take steps to ensure that they are compliance with the law and regulations rather than waiting to be convinced. Key dates are as follows:
Step 1: 10 January 2020
FCA Gateway opened for businesses to submit applications for entry to the register. A business must comply with the money laundering regulations (“MLRs”) in relation to cryptoasset activities. FCA assume powers to supervise and enforce under the MLRs. New businesses need to be registered before they can carry out any cryptoasset activity.
Step 2: 30 June 2020
The latest date for applications to register from existing businesses if they want to receive a priority review to check that they are ready to be determined for registration.
Step 3: 10 January 2021
Any existing business not registered must cease trading.