An explanation of the central aspects of an effective risk management system for Cryptocustody providers and their regulatory obligations.
Cryptocustody is a hot topic, as it is getting both more lucrative and more competitive every day. Still, many in the industry complain about the lack of regulatory clarity for this specific asset class, which causes serious issues for interested market participants and hampers innovation. Because it keeps out many would-be providers that are uncertain about their regulatory obligations, it slows the proliferation and adoption of blockchain technology.
In particular, in the US the regulatory treatment of cryptocustody remains a patchwork. Crypto-assets are regulated by numerous different agencies at federal and state level. For example, crypto-assets that meet the definition of a security under U.S. securities laws are subject to regulation by the SEC.
Commodities transactions or swaps in crypto-assets are subject to the oversight and rules of the CFTC. Then there is FinCEN, the U.S. Treasury Department’s Financial Crimes Enforcement Network and the American anti-money laundering agency. It considers businesses that buy and sell cryptocurrency to customers, or transfer cryptocurrency on behalf of customers, to be money services businesses that must register with FinCEN, maintain AML compliance programs and follow other U.S. federal AML requirements, though only in general terms and under rules not specific to crypto-assets. And then there is, of course, the state level of the 50 states.
Forward-looking regulation
But it’s not all doom and gloom. Switzerland has been at the forefront of blockchain development and has established itself as one of the most accommodating jurisdictions in all coin-related things. Its financial watchdog, FINMA, has aimed for years to reduce obstacles to FinTech innovation, and thanks to the work of Swiss lawmakers, the little country in the Alps is getting closer to introducing a dedicated Swiss Blockchain Law.
At the same time, the Capital Markets and Technology Association, a Swiss not-for-profit, non-governmental association, has issued its own Digital Assets Custody Standard.
North of the Border
Just north of the border, Germany does not necessarily enjoy the reputation of doing what it can to foster innovation in the blockchain space. For years, lawmakers and regulators have issued documents on the subject, but despite this many questions regarding the application of existing law to the decentralized structures of blockchain technology remained unanswered.
Eventually, it came around, and with regard to cryptocustody in particular, the German regulator has produced some valuable lessons on how providers ought to operate.
A circular released by BaFin in March addressed a number of aspects, from the regulatory scope of cryptocustody and its relation to other regulated activities to the licensing requirements for cryptocustody.
For this reason, we turn to the Germans for more guidance on another hot topic in respect of cryptocustody that so far has not received the coverage it deserves: Cryptocustody and Anti-Money Laundering.
Digital currencies have long been at the centre of money laundering allegations, and organisations that want to provide cryptocustody services first and foremost have to think about how to address the reputational risk that stems from dealing with digital assets.
Right in time for the implementation of the EU’s latest instalment in its ongoing saga of AML directives, BaFin, the German financial regulator, published a notice on the German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive – the law that transposes the EU directive into the law of the Union’s largest member state. This required changes to the German Banking Act (Kreditwesengesetz – KWG), which introduced cryptocustody as a new financial service. BaFin pointed out that from 1 January 2020, when this legislation entered into force, companies seeking to provide such services would require authorisation from BaFin, though transitional provisions would smooth the move.
Being regulated by BaFin unmistakably means that cryptocustody providers are also subject to anti-money laundering rules. Not complying with these rules can result in fines and withdrawal of the authorization, just like for any other regulated financial institution.
The BaFin paper focuses on three key elements of anti-money laundering for firms that offer cryptocustody services, its three pillars in the fight against money laundering and terrorism financing: risk management, customer care obligations and suspicious transaction reports.
The first element is obviously an effective risk management framework. What is deemed effective, though? According to the BaFin definition – and here it offers valuable guidance for operating in other jurisdictions as well – risk management is effective if it covers the entire business of the obligated party, the individual risks resulting from that business are comprehensively taken into account, and the internal safeguards derived from them are appropriate to those risks.
Thus, if you are responsible for running an institution that carries out cryptocustody activities, you have to prepare an analysis that identifies and assesses the risks of money laundering and terrorist financing for its specific business, taking into account, for example, the risk factors already listed in the German Money Laundering Act and its annexes, with the usual aspects like high-risk countries, activities prone to be used for money laundering, or specific features of the customer relationship.
BaFin explains that, due to the novelty and complexity of the underlying technologies and the various forms of anonymization potential associated with crypto values, product risks should be given particular weight. To make sure the risk management framework follows the development of the business, the risk analysis must be documented in a comprehensible manner and regularly reviewed to see whether it needs updating.
The next step is to put in place risk-appropriate internal security measures based on the risk analysis, with a focus on internal principles, procedures and controls, employee controls and employee training. Naturally, all regulated firms need to appoint a money laundering officer and a deputy in accordance with the rules, and the appointment has to be communicated to the regulator.
A crypto custodian can outsource the internal security measures in accordance with the rules on the outsourcing of control functions and has to notify BaFin of this as part of the license application.
The second pillar concerns customer care obligations: just like all regulated parties, a cryptocustodian must perform general due diligence and conduct KYC checks as part of the onboarding process. Given the popularity and cost-effectiveness of RegTech propositions that apply video identification, in particular for FinTech businesses, BaFin approves of the method and refers to the dedicated circular it has already published.
Suspicious Activity Reporting
And lastly, as the third pillar, BaFin stresses that the reporting of suspicious activity is one of the central duties under the German Money Laundering Act. The German FIU is the Central Office for Financial Transaction Investigations, which has to be notified and, in the German case, operates a dedicated reporting portal, though this may differ in other jurisdictions. What does not differ is that each EU member state has an FIU, which provides guidance on the exact reporting mechanism as well as the obligations, in particular on what constitutes a suspicious activity.
The Bottom Line
In the end, the AML rules for cryptocustody follow patterns that traditional financial institutions are well used to. For dedicated cryptocustody providers that have evolved from other crypto activities, such as wallet providers or exchanges, these mechanisms might present a learning curve, though. What all have in common, however, is the particular money laundering risk that derives from an activity that favors anonymity and cross-border transactions settled in a fraction of the time other asset classes require. Addressing these concerns in real life presents a steep challenge, and regulators, BaFin and others alike, have made it crystal clear that they are not willing to make allowances for any shortcomings.