Global AML Compliance Faces Challenges Relating to Regulator Expertise, the Travel Rule, Decentralized Finance, and “Regulator Shopping”
Today we are very pleased to welcome guest blogger Federico Paesano from the Basel Institute on Governance (“Basel Institute”). The Basel Institute recently issued its Basel AML Index for 2021 (“Basel AML Index”). This data-rich and fascinating annual publication, one of several online tools developed by the Basel Institute to help both public- and private-sector practitioners tackle financial crime, is a research-based ranking that assesses countries’ risk exposure to money laundering and terrorist financing. This year, we will focus on the section of the Basel AML Index which analyzes data from the Financial Action Task Force (“FATF”) on how jurisdictions are responding to money laundering and terrorist financing threats related to virtual assets. The Basel AML Index concludes: “not well at all.”
Federico Paesano is a Senior Financial Investigation Specialist at the Basel Institute’s International Centre for Asset Recovery, and leads its Cryptocurrencies and Anti-Money Laundering Compliance Training. For 14 years, Federico worked for the Italian Financial Police, ending his career as Chief Investigator, leading and conducting judicial and financial investigations, focusing in particular on economic crimes such as corruption and money laundering. In July 2009, he was seconded by the Italian Government to the European Union Police Mission in Afghanistan (“EUPOL”) as Mentor to the Minister of Interior on Anticorruption. Along with Europol and Interpol, Federico and the Basel Institute are co-organizing on December 7–8, 2021 the 5th Global Conference on Criminal Finances and Cryptocurrencies, which focuses on the emerging threat posed by criminals using new payment methods to conceal the proceeds of their crimes. His Quick Guide to Cryptocurrencies and Money Laundering Investigations may be found here.
The Basel Institute is a not-for-profit Swiss foundation dedicated to working with public and private partners around the world to prevent and combat corruption, and is an Associated Institute of the University of Basel. The Basel Institute’s work involves action, advice, and research on issues including anti-corruption collective action, asset recovery, corporate governance and compliance, and green corruption. Money Laundering Watch was pleased to have Gretta Fenner and Dr. Kateryna Boguslavska of the Basel Institute guest blog on the Basel AML Indices for 2020 and 2019.
This blog post again takes the form of a Q & A session, in which Federico responds to questions posed by Money Laundering Watch about the Basel AML Index 2021 and wider debates on the topic. We hope you enjoy this discussion of money laundering risks and virtual assets — which addresses regulators’ frequent lack of expertise, tracing of cryptocurrency transactions, the Travel Rule, the challenges posed by decentralized finance, “regulator shopping,” and more. —Peter Hardy and Andrew D’Aversa
The Basel AML Index analyzes data from the FATF on how jurisdictions are responding to money laundering and terrorist financing threats related to virtual assets, and concludes: “not well at all.” At a high level: why not? And what is the FATF recommending that virtual asset service providers, or VASPs, should do to mitigate money laundering risks relating to virtual assets?
The FATF is paying close attention to how the first jurisdictions to be assessed against its revised Recommendation 15 (“R.15”) on virtual assets and VASPs are doing. It has issued two reports since the final revised Recommendation was published in June 2019. Our analysis of that data raises concerns, since it is likely that the next jurisdictions to undergo an FATF assessment will follow the same downwards pattern.
For example, of the 27 jurisdictions to be assessed or reassessed for compliance with the new R.15, 70 percent (19) degraded their scores. Only 11 percent (3) managed to improve. Moreover, of the 10 jurisdictions assessed with Mutual Evaluation Reports, not a single one was assessed as being compliant. Half were partially compliant, scoring 1 out of 3, and a fifth were totally non-compliant.
At a high level, the first problem is a lack of knowledge and expertise among regulatory and supervisory authorities. This reduces their ability to oversee and guide VASPs as to their obligations. A lack of knowledge is fully understandable, given the fast pace at which the technology is advancing and the slow pace with which public authorities are accustomed to reacting. But this time, they really need to upskill fast as the criminals won’t wait.
The second problem is sluggishness on the part of jurisdictions in implementing AML/CFT obligations on VASPs. Even where these have been transposed into domestic law – which not all jurisdictions are managing to do very well – there have been few investigations and even fewer instances of sanctions. This is not so surprising considering that, as the Basel AML Index shows year after year, many jurisdictions are still struggling to address their risks of money laundering using fiat currencies, never mind cryptocurrencies.
A particular concern is weak implementation of the so-called “Travel Rule”, which is a core part of R.15 (we address the Travel Rule in more detail below). This is in addition to the FATF’s other core recommendations for VASPs, which include an obligation to conduct customer due diligence on transactions over USD/EUR 1,000 and submit suspicious activity reports where appropriate. R.15 also requires jurisdictions to implement a risk-based approach to virtual assets, ensure that VASPs are licensed and registered, and subject them to adequate regulation and supervision.
We want to set the stage to discuss certain findings in the Basel AML Index. You observe in your “Quick Guide” to cryptocurrencies and money laundering investigations that because transactions are permanently recorded in the blockchain, it is “theoretically” easier to follow the digital money — but that the problem of “attribution” remains, i.e., linking transactions and digital addresses to real people in the real world. What techniques are available to try to address this challenge?
The perceived anonymity of cryptocurrencies is one of the main selling points for many users. While Bitcoin was not designed to be anonymous and adopts pseudonyms instead of real identities, some privacy-oriented cryptocurrencies, such as Zcash and Monero, offer greater anonymity. In the last 11 years, great progress has been made in breaking the pseudonymity behind Bitcoin-like cryptocurrencies, while the latter still constitute a headache for crypto investigators. In all cases, it is rarely possible to ask “To whom does this cryptocurrency address belong?” and immediately get a name and address in return.
When requested to obtain information that might help law enforcement to attribute cryptocurrency addresses or transactions to suspects, blockchain analytic companies generally perform “clustering” in the first instance. This means analyzing the blockchain for patterns that help to identify whether the person or entity that owns a particular address also owns other addresses in the blockchain. This can lead to clues that help to deanonymize the real-life owner.
Building on this, it is often possible to trace when an address sends cryptocurrency to a known and regulated entity like a cryptocurrency exchange. Investigators can then subpoena the exchange to obtain information about the customer linked to that transaction.
This was more challenging in the past, when regulation of cryptocurrency exchanges was very weak. Now, the vast majority of exchanges and other VASPs conduct know-your-customer checks of some sort. This means law enforcement can usually obtain enough information to attribute the address or transaction to a real suspect.
Although it is theoretically possible for law enforcement agencies to develop these capabilities, the majority of this attribution work is done by blockchain analytic companies with highly specialized technical expertise.
So let’s discuss the problem of attribution in the context of a financial institution attempting to execute on its AML program. The Basel AML Index states that one area involving significant compliance gaps is weak implementation of the Travel Rule. What is the Travel Rule, and why is it important?
The “Travel Rule” is a core part of the FATF’s standards. It basically says that VASPs should collect information about the originator and beneficiary of transfers of cryptocurrencies, and that this information should “travel” together with the transaction – just as it does for regular wire transfers between bank accounts. The purpose is to improve oversight and monitoring of funds flowing between entities on the blockchain.
The Travel Rule doesn’t apply to funds transferred privately between individuals, but only if they pass through a VASP. This places a substantial burden on these entities to collect the customer’s information and transmit it in a suitable way.
In addition, a major challenge is that there is no standard protocol for transmitting this information, like SWIFT for wire transfers. The OpenVASP protocol is being adopted fairly widely at the moment, but other open-source and proprietary protocols also exist. These issues contribute to the compliance gaps identified in the Basel AML Index report.
Financial regulators in the United States also are focusing on the Travel Rule, particularly in regards to virtual assets. But strong objections have been lodged by industry, focusing on the lack of available and reliable technology to allow financial institutions to determine the counter-parties in virtual transactions. And this problem can be particularly acute in the context of “De-Fi,” or decentralized finance, in which there is a system with, purportedly, no central service exercising control, and therefore no central authority to provide identifying information. What is your response to this? Is it a real-world problem? Either way, how should it be addressed?
First, yes – decentralized finance (De-Fi) is a very real problem and will quickly become even more real. Above, I explained that when suspect funds reach a known entity like a regulated cryptocurrency exchange, law enforcement can request information about the customer from the exchange. With a decentralized exchange, there is no known entity, just connections between private individuals. Who can law enforcement ask or subpoena? Nobody.
Although the field of decentralized finance is exploding, it is not yet very well known or understood. I believe it would be difficult to launder significant amounts of money on decentralized exchanges at the moment. In a few years, though, I predict this will be a major challenge. DeFi will be a key discussion point at our upcoming 5th Global Conference on Criminal Finances and Cryptocurrencies on December 7-8, 2021, which the Basel Institute on Governance is organizing in collaboration with partners at Europol and INTERPOL. I hope we will be able to generate some insights and recommendations there.
To go back to the first question on conducting customer due diligence for users of virtual assets: The process is similar to that for regular bank accounts – passport, proof of residency, proof of income and source of funds, etc. – but financial institutions additionally need to understand and be able to analyze the blockchain.
Those without in-house expertise can outsource some of the work to blockchain analytic companies. These can analyze patterns to flag potentially suspicious transactions and provide risk scores for potential or current customers. For example, if a new customer is linked to transactions that have passed through mixers or other channels designed to obfuscate the origin of the funds, they would get a higher risk score and the financial institution can decide how to deal with this accordingly.
Is it expensive? Well, it is less of a burden for large financial institutions based in wealthier countries than for smaller ones in low-resource settings. This opens up a weakness in the global system, because it is very easy for a cryptocurrency user with illicit purposes to set up an account with a financial institution with lower customer due diligence capabilities and standards.
The Basel AML Index posits that there is a risk of “regulator shopping” in the virtual assets industry. Please explain that. What are the consequences, and what if anything can be done about it? If certain jurisdictions refuse to care about compliance, what does that mean for global compliance?
“Regulator shopping” in the virtual assets industry simply means that VASPs – and those who wish to fly under the radar for whatever reason – simply choose to operate in jurisdictions with weak regulations and oversight. The hyper-global, internet-based nature of virtual assets exacerbates this, as you could be sitting in one country and operating out of another country on the other side of the world.
The reasons why a jurisdiction would deliberately neglect regulation on virtual assets are similar to why we still have jurisdictions with high levels of financial secrecy or a reluctance to establish effective beneficial ownership registers: the virtual assets market represents a huge amount of capital and is likely to grow fast, with consequent benefits for financial institutions and VASPs based in the country.
As the Basel AML Index report warns, “a lack of coordinated and concerted global action may therefore result in some jurisdictions becoming safe havens for illicit activity using virtual assets.”
Some efforts are already being made at regional levels, notably the European Commission’s June 2021 proposal to harmonise AML/CFT legislation in relation to VASPs across all EU jurisdictions. But unless this kind of effort extends to other jurisdictions and regional bodies, it is likely that the illicit activity will simply move to locations with fewer or no controls.
The Basel AML Index also states that, generally, there is a lack of knowledge and expertise among supervisory and regulatory bodies in the field of virtual assets, reducing their ability to oversee and guide VASPs. Others have made this same observation. What knowledge or expertise gaps should be addressed by regulators? What problems does this create for regulators and law enforcement? Conversely, what problems does this create for the virtual asset industry and financial institutions?
This is a bit like the chicken-and-egg problem. Many supervisory and regulatory authorities do not invest sufficient resources in relation to virtual assets, or take capacity building seriously enough, because they don’t see many cases of illicit activity involving cryptocurrencies. But if the jurisdiction has an active community of users and hosts exchanges and other VASPs, it is highly likely that illicit activity exists and is simply going undetected. Perhaps it is less chicken-and-egg, and more like sticking one’s head in the sand.
[I]f the jurisdiction has an active community of users and hosts exchanges and other VASPs, it is highly likely that illicit activity exists and is simply going undetected. Perhaps it is less chicken-and-egg, and more like sticking one’s head in the sand.
This situation is slowly changing as, thanks to the FATF, virtual assets are now included as standard in national risk assessments. And there is pressure to implement the FATF’s standards in domestic legislation in order not to end up on the FATF gray list. Domestic legislation is an essential first step in order to channel greater resources towards building capacity and setting up specialist units.
On the positive side, some supervisory authorities and Financial Intelligence Units (such as in the U.S. and Luxembourg) started to engage early in the virtual assets sphere. These are now managing to analyze the data and investigate cases competently. But without strong leadership and radical action, it will likely take years for other authorities to gain the skills and expertise to assess their risks properly and implement an effective risk-based approach to mitigate them.
So we currently see both extremes: over-regulation where it is not strictly needed and places an unreasonable burden on VASPs, and under-regulation where there is likely a problem that is going undetected or where VASPs would benefit from the authorities’ clear guidance and support.
Much ink has been spilled about the AML risks posed by virtual assets. But in the real world, are virtual assets really riskier in practice than the money laundering risks posed by fiat currency? Is there something about virtual assets — for example, the purported allure of supposed anonymity — that makes them inherently more pernicious, or is all of the stated concern more of a function of lack of understanding and knee-jerk fear by traditionally-minded regulators and law enforcement?
The extent of money laundering risks from virtual assets depends on how you look at the figures. On the one hand, the percentage of illicit activity using cryptocurrencies is estimated to have declined significantly over the last 9–10 years – from as much as 80 percent in 2012 to less than 1 percent now.
But what if you ask: 1 percent of what? The value of the global cryptocurrency market is hitting USD 2 trillion, so even a small percentage relates to billions of dollars of illicit funds.
There is certainly an unwarranted fixation on the risks of cryptocurrencies being used for money laundering or other illicit purposes, when you compare it with other mechanisms to store and exchange money. How many U.S. dollar banknotes are used to facilitate corruption and money laundering? How much activity on the internet is illicit? Both cash and the internet have strong elements of anonymity, yet we don’t propose regulating them out of existence. Virtual assets like cryptocurrencies are just another means to move money around, albeit with some specific characteristics.
It is sensible to take the risks seriously to prevent them becoming a problem in the (near) future, while avoiding knee-jerk reactions that could have potentially negative consequences.
Many of our readers are in the U.S. In your view, how is the United States doing in regards to regulating virtual assets and enforcing violations, but also encouraging this new technology? Do you find that the number of regulators involved — FinCEN, SEC, CFTC, OCC, IRS — helpful or hurtful from a regulatory and enforcement perspective?
The U.S. authorities were well at the forefront of regulating virtual assets when they started to appear on the scene, and FinCEN began providing guidance to VASPs very early on. New York’s BitLicense for businesses involved in virtual currencies was one of the first such licenses. The U.S. was also the first to conduct a major investigation into cryptocurrency-enabled crime: the Silk Road dark market, which the FBI shut down in 2013.
Since virtual assets are now spreading to every sphere, it does make sense for a wide variety of public authorities – from Financial Intelligence Units to tax authorities – to understand how they work and take appropriate steps if suspicious activity is detected. It is generally true, though, that when many different entities are involved in regulation or enforcement of anything (including virtual assets) there is always a risk of confusion or lack of collaboration.
What trends do you see going into 2022? Is the virtual asset glass for AML half-full, or half-empty?
Decentralized finance could be something that tips over the glass on money laundering risks involving virtual assets, although it is too early to tell how that will develop.
We are never going to “win” the war against money laundering using virtual assets, or even money laundering full stop. The key is to continue to work together to make the environment safer for cryptocurrency users, the vast majority of whom have no illicit purposes or links.
Minimizing the number of ways criminals can exploit the system, and effectively enforcing regulations across jurisdictions, depends on how well we share experiences and collaborate on solutions.
Anyone who is interested in being part of those efforts is warmly invited to attend the (free) 5th Global Conference on Criminal Finances and Cryptocurrencies. The first day is open to all, and the second day is reserved for law enforcement and related public authorities. More information is here.