Skip to Content



Cryptocurrency compliance: Is your financial institution ready for added scrutiny?

August 25, 2022 Article 4 min read
Authors:
Joshua Beardsley
As cryptocurrency continues to gain wider adoption, regulators are increasing their focus on illegal activity. Is your compliance program tailored for cryptocurrency risk? Here’s how to prepare.
Man in a suit signing paperwork.According to CNBC, one in five adults in the United States has invested in, traded, or otherwise used cryptocurrency, and adoption continues to expand. Based on this increase in usage — and following some high-profile money laundering cases involving cryptocurrency — regulators are looking more closely at market participants and how they identify and prevent illegal behavior. Did the banking customer who put money into a cryptocurrency account and withdrew substantially more just happen to invest in crypto at the right time and strike it rich? Or did they engage in something more questionable? Does your institution understand the transactions being made to and from cryptocurrency accounts? Can they be tracked as traditional expected banking behavior?

Compliance risk is increasing for small and midsize banks, credit unions, and community banks that haven’t yet adapted their compliance infrastructure for cryptocurrency, and in many cases monitoring systems need to be adjusted to account for changes in behavior. In extreme cases, failing to meet the enhanced due diligence requirement for anti-money-laundering (AML) and know your customer (KYC) regulations can result in unwanted scrutiny from regulatory authorities and expose institutions to legal action.

Three steps to successful compliance monitoring

A well-executed cryptocurrency compliance program builds on existing AML/KYC requirements. Follow these steps to review and update your compliance program.

1. Review KYC requirements and normal transactional behavior of your customers

The more you know about your customers, the more likely you can face regulatory scrutiny for known risks. Understanding your customer base — who they are, what they do, where their money is coming from, and their transactional patterns — is the foundation of KYC. The requirements were relatively straightforward to meet until cryptocurrency came along. Today, there’s a large population of people typically aged between 18 and 45 representing a wide variety of salary ranges who are buying and selling cryptocurrency. Their investing activities have expanded outside of traditional products such as exchange-traded or mutual funds, and in some cases have produced outsized returns that can challenge even the most sophisticated monitoring algorithms. For example, a customer could have invested $500 in Ethereum seven years ago and the cryptocurrency investment could be worth $250,000 today. If that customer liquidated their account would your compliance program correlate it and justify the transaction to a regulator?

There’s a large population of people typically aged between 18 and 45 representing a wide variety of salary ranges who are buying and selling cryptocurrency.

2. Calibrate your transaction monitoring program for variables associated with cryptocurrency

Is your transaction oversight and monitoring thorough enough to flag unique activity around cryptocurrency? In some institutions, cryptocurrency behaviors are skewing monitoring, resulting in a loss of predictability as to what the customer is doing. Failure to adjust transaction monitoring can expose your organization to new patterns of suspicious behavior and risk of financial penalties for not addressing them. The reality for most institutions is they need to calibrate monitoring programs to stay in compliance. Optimization not only makes bad activity visible, but it can create efficiencies by cutting down on unproductive alerts.

The reality for most institutions is they need to calibrate monitoring programs to stay in compliance.

3. Maintain close oversight and surveillance on new activities

Most of the time, the customer’s cryptocurrency transactions are fine, other times they’re not. To ensure your institution can justify them to regulators, surveillance should be optimized to look for:

  • Unusual sources of funds: This includes sources of crypto assets that can be linked to illicit activity. For example, funds may be transacted from a platform that has minimal AML or KYC oversight raising a possible red flag about the origin of the funds. Or a single crypto wallet could be tied to multiple banks and credit cards suggesting a group of people could be using one wallet to move funds around.
  • Suspicious transaction patterns: Money laundering risk is often associated with the pattern of transactions taking place. For instance, a customer may transfer multiple times without a commercial explanation or make high-frequency transactions of large sums from multiple wallets into one account during a single period.
  • Risks within specific jurisdictions: In geographical areas with poor AML or KYC regulations and a lack of preventive measures, opportunities exist that are often exploited by criminal groups. Larger amounts of suspicious transaction patterns or dubious fund sources are often associated with these higher-risk jurisdictions.
  • Transaction frequency & size: Transaction frequency and size also needs to be monitored closely as it may also be used as a disguise for illicit activities. Clearing transactions at amounts just below reporting thresholds, consecutive high-value transactions within a single, short period of time, or fast transfer of deposits from regulated jurisdictions into unregulated jurisdictions are potential causes of concern.

Other areas to consider

If your institution is in the early stages of adopting a cryptocurrency compliance program, ask these questions:

  • Compliance interpretation: Does your organization understand the current compliance interpretation and guidance for cryptocurrency providers, facilitators, exchanges, participants, and clients?
  • Policy & procedures: Are the current policies and procedures robust enough to address new customer types/active traders? Do new ones need to be developed?
  • Analysis of new products & services: What new products and services does your institution offer today? What compliance impacts do they have on the institution? Do you have a format for new business initiatives around cryptocurrencies?
  • Independent testing: Is the compliance program appropriate for the current customer base, service offerings, and risk appetite for the institution?
  • Training & development: Is your team equipped to view, understand, remediate, and address new customer/product risk?

Reviewing the soundness of your KYC/AML compliance program will provide peace of mind for all market participants and ensure your financial institution can stand up to regulatory scrutiny. To find out more about our cryptocurrency services, give us a call.

Reviewing the soundness of your KYC/AML compliance program will provide peace of mind for all market participants.

Related Thinking

September 27, 2022

Overdraft regulation: Risks extend beyond the fines

Article 2 min read
July 14, 2021

Right-size your BSA/AML model risk management

Article 1 min read
May 6, 2020

Fintech partnership risk: A checklist for financial institutions

Article 5 min read