Some call it a mega Ponzi scheme and some call it a speculative bubble. Nevertheless, if anything has caught the attention of regulators, investors and tech wizards since the advent of the internet, it is cryptocurrencies and their underlying distributed ledger technology (DLT), commonly known as blockchain. Despite many promising features, cryptocurrency has been an easy avenue for Money Laundering (ML). Consider Liberty Reserve, which willfully facilitated ML activities worth $8 billion, or Silk Road, which was designed to be an anonymous marketplace on the dark web and contributed 4 percent to 9 percent of all Bitcoin activity. This article dives into current cryptocurrency regulations around ML, identifies the weak links and recommends how we can embrace technology and regulation to fight ML.

Two major ML regulations:

1. European Union's (EU's) 4th and 5th Anti Money Laundering (AML) Directive:   

a. Designates cryptocurrency exchange platforms and wallet providers as obliged entities 

b. Gives power to Financial Intelligence Units to request information from any obliged entity 

c. Focusses on sharing data across borders 

d. Harmonizes the EU approach towards high risk jurisdictions

2. US' Financial Crimes Enforcement Network (FinCEN) Regulations: Designates cryptocurrency exchangers and administrators as 'Money Service Business' as per Bank Secrecy Act (BSA)

Cryptocurrency firms therefore need to: 

• Register with the government to start operations

• Record and report transactions worth more than $10,000

• File suspicious activity reports (SARs) for any transaction that may lead to possible ML, irrespective of the amount of money involved 

• Comply with due diligence standards to verify the customer's identity, documenting the customer's name, address, date of birth, passport number and presence on any sanctions list

These regulations are necessary, but are they sufficient? 

Regulatory weak links:

1. In the US, cryptocurrency firms may or may not obtain licenses to operate within a state

2. Countries around the world have adopted varying stances regarding cryptocurrency, ranging from overall acceptance to an outright ban 

These varied jurisdictions create grounds for regulatory arbitrage and make it difficult for law enforcement agencies to access customer information when the source and recipient entities are located in non-cooperative locations.

Operational weak links: Lack of the following:

1. Personnel with in-depth technical and legal know-how from an AML perspective

2. Qualified independent auditors who have knowledge and expertise to assess a cryptocurrency system

Technological weak links: Advanced technologies (or lack of them) exacerbate the ML weak links: 

1. Advanced Technologies:

a. Mixer Service: Accepts cryptocurrency from an address, mixes it with a huge pile of cryptocurrency, then sends smaller units of cryptocurrency to a chosen address such that the sum of the smaller units is equal to the original amount minus a mixer service fee. As a result of the mixing, it is difficult to identify the origin of the funds

b. Anonymizer Service such as The Onion Ring (ToR): Enables users to access websites anonymously. Regulators can only trace a message back to the ToR exit node. As a result, it is difficult to pinpoint the originating IP

2. Lack of automation in transaction monitoring: With increasing customer and transaction volume, alert volume has grown significantly. This has resulted in an upsurge in the headcount required to triage and process alerts

What is the road ahead from stakeholders' perspective?

Regulators: Should promote an environment of partnerships between Financial Institutions (FIs) and cryptocurrency companies. Initially, cryptocurrency firms can focus on their core competency such as technological innovation whereas FIs can focus on operations and investment. Over time, the operational aspects could be outsourced to cryptocurrency firms and FIs can audit them periodically. Factors that should be considered by FIs before getting into joint ventures with cryptocurrency firms are:

• What is the type of cryptocurrency system (closed, unidirectional, bidirectional, centralized, and decentralized)? Decentralized bidirectional cryptocurrencies are most risky 

• Are the cryptocurrency firm or its customers located in a high-risk jurisdiction?

• Does the firm have sufficient licenses, permits?

• Is the exchanger or administrator linked to potentially illicit business such as gambling?

Advantage to FIs: Access to the following:

• Innovative solutions such as DLT, Smart Contract and Robotic Process Automation (RPA) to fight ML 

• Unserved & underserved market segments who are potential cryptocurrency users

Advantage to cryptocurrency companies: Access to the following:

• Funds in running business

• Mentors in understanding ML use cases 

FIs' Operations Team: Focus on:

1. Establishing strong Know Your Customer (KYC) processes and enhanced due diligence by analyzing customer data from the web, third-party databases, IP addresses and geolocations from multiple devices

2. Building a strong ML audit competency by training the audit team on cryptocurrency technology and use cases. The audit team should be able to:

a. Identify the weak links in the cryptocurrency transaction flow 

b. Assess the risk of cryptocurrency operations and the extent to which BSA/AML regulations have been incorporated

Cryptocurrency Firms' Innovation Team: Focus on: 

1. How to identify potential ML transactions? Transactions with any of the following properties should be considered risky enough to generate a SAR:

a. Buying casino chips using cryptocurrency 

b. Transfer of cryptocurrencies to or from exchanges based in high risk geographies

c. Transactions coming out from a ToR exit node

d. Actual volume or amount of transaction much greater in comparison to expected volume or amount
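The four rules above can be run as a screening pass over a transaction feed. The sketch below is an added example, not code from the article; the record fields, the placeholder country code, the documentation-range IP addresses, the 5x multiplier and the use of a customer's median prior amount as the "expected" value are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Constructed reference data: assumptions for this example, not from the article.
HIGH_RISK_COUNTRIES = {"XX"}        # placeholder jurisdiction code
TOR_EXIT_NODES = {"203.0.113.7"}    # documentation-range IP standing in for an exit-node list
VOLUME_MULTIPLIER = 5.0             # assumed threshold for "much greater than expected"
MIN_HISTORY = 3                     # prior transactions needed before rule d applies

@dataclass
class Tx:
    tx_id: str
    customer: str
    amount: float
    merchant_category: str
    counterparty_country: str
    source_ip: str

def sar_reasons(tx, history):
    """Return which of rules a-d the transaction trips, given the customer's prior amounts."""
    reasons = []
    if tx.merchant_category == "casino":
        reasons.append("a")
    if tx.counterparty_country in HIGH_RISK_COUNTRIES:
        reasons.append("b")
    if tx.source_ip in TOR_EXIT_NODES:
        reasons.append("c")
    # Rule d: the expected amount is the median of the customer's own history.
    if len(history) >= MIN_HISTORY and tx.amount > VOLUME_MULTIPLIER * median(history):
        reasons.append("d")
    return reasons

def screen(txs):
    """Process transactions in order; return {tx_id: [rules]} for those needing SAR review."""
    history, flagged = {}, {}
    for tx in txs:
        past = history.setdefault(tx.customer, [])
        reasons = sar_reasons(tx, past)
        if reasons:
            flagged[tx.tx_id] = reasons
        past.append(tx.amount)
    return flagged

# Constructed sample transactions.
SAMPLE = [
    Tx("t1", "alice", 100.0, "retail", "US", "198.51.100.10"),
    Tx("t2", "alice", 120.0, "retail", "US", "198.51.100.10"),
    Tx("t3", "alice", 90.0, "casino", "US", "198.51.100.10"),
    Tx("t4", "alice", 5000.0, "retail", "XX", "203.0.113.7"),
    Tx("t5", "bob", 9000.0, "retail", "US", "198.51.100.20"),
]
```

A new customer with no history (t5) is not flagged by rule d here, so a production rule set would need a separate onboarding baseline for that case.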

2. How to link the real identity behind wallet(s) and addresses?

a. If a user logs on to two different wallets installed on two different mobile devices, 'cookie syncing' can reveal that the two devices always connect to the DLT from the same network. It can therefore be inferred that the same person owns those two devices and therefore the two wallets

b. Blockchain Analytics can link addresses using the following rules

• If two or more addresses are inputs to the same transaction, then those addresses are controlled by the same user. For example, if one transaction has addresses W1 and W2 as inputs and another has addresses W2 and W3 as inputs, then we can conclude that W1, W2, and W3 belong to the same

• If cryptocurrencies sent from address W1 always end up at address W2, then we can infer that W1 and W2 belong to the same entity

• If two addresses are shared to buy goods, then we can infer that those two addresses are controlled by a single entity

Once an address (or set of addresses) is identified as owned by a criminal, any cryptocurrency coming into or going out of it can be blacklisted or tainted.
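The first linking rule and the tainting step can be implemented as a union-find clustering over transaction inputs. This is an added example, not code from the article; the ledger format is an assumption, and addresses W4 to W6 are hypothetical additions to the article's W1 to W3.

```python
from collections import defaultdict

def cluster_addresses(transactions):
    """Union-find over input addresses: addresses that co-spend share a cluster."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving keeps lookups short
            a = parent[a]
        return a

    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs + tx["outputs"]:
            find(addr)                      # register every address seen
        for other in inputs[1:]:
            ra, rb = find(inputs[0]), find(other)
            if ra != rb:
                parent[rb] = ra             # merge clusters of co-spent inputs

    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return list(clusters.values())

def tainted_transactions(transactions, known_criminal):
    """Return ids of transactions touching any address clustered with a known-criminal one."""
    bad = set()
    for cluster in cluster_addresses(transactions):
        if cluster & known_criminal:
            bad |= cluster
    return [tx["id"] for tx in transactions
            if bad & (set(tx["inputs"]) | set(tx["outputs"]))]

# Constructed sample ledger.
LEDGER = [
    {"id": "tx1", "inputs": ["W1", "W2"], "outputs": ["W4"]},
    {"id": "tx2", "inputs": ["W2", "W3"], "outputs": ["W5"]},
    {"id": "tx3", "inputs": ["W5"], "outputs": ["W6"]},
    {"id": "tx4", "inputs": ["W3"], "outputs": ["W6"]},
]
```

With W1 marked as criminal, tx4 is tainted even though it never touches W1 directly, because W3 is clustered with W1 through W2. The rule is a heuristic: a transaction funded jointly by several parties merges unrelated owners into one cluster, so clusters are leads for review rather than proof of ownership.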

3. How to automate alert generation process? 

Machine learning can be leveraged to detect suspicious behavior and classify alerts as high, medium or low risk. Only the alerts with high and medium scores should be used for manual review. This would reduce dependencies on human operators and reduce the total time to triage alerts.

4. How to reduce the systemic cost of KYC?

Smart contract and RPA based KYC can be used to gain efficiency, reduce cost, improve customer experience, and increase transparency during customer onboarding. It allows customers to carry out the full KYC process with one FI and later share the result of that KYC with any other FI(s). KYC only needs to be carried out once for each customer, rather than once for each institution working with that customer. Existing KYC costs are $60 million per year per bank and, as per Goldman Sachs' reports, a 10 percent headcount reduction could be achieved with the introduction of smart contracts in KYC procedures, resulting in $160 million in annual cost savings.

Saurav Mukherjee is a Fintech consultant with Cognizant Business Consulting and leads business IT transformation initiatives for major Financial Institutions in the US, UK and India.
