Emerging trends in cybersecurity

Cryptocurrency and money laundering: why understanding fraud is critical


Cryptocurrencies can make it easier for fraudsters to obscure the source of criminal proceeds and are increasingly becoming the preferred currency of cybercriminals, from purchasing illicit goods using Bitcoin as a payment method to ransomware attacks where payments by Bitcoin are demanded. This trend is more prevalent because cryptocurrency offers a combination of anonymity, ease of use and the ability to circumvent international borders and regulations, in essence, to launder the ill-gotten proceeds.

The advanced fraudster or money launderer using Bitcoin may use both Bitcoin mixing services and Bitcoin exchanges. Bitcoin mixers typically provide customers with a newly generated bitcoin address to make a deposit. The Bitcoin mixing service pays out other Bitcoins from its reserve to Bitcoin addresses supplied by the customer after deducting a mixing fee. Some randomness is applied to the frequency and amount of payments/fees to create a guise of legitimacy. Bitcoin mixing services allow fraudsters to conceal the origin of their ill-gotten proceeds, disassociating them from the criminal activities to cash out safely using a Bitcoin exchange, which is designed to convert Bitcoins to spendable money anonymously.


Many cryptoassets are volatile and, more likely than not, present a risk for financial institutions as exposures increase. Bitcoin, Ethereum, Litecoin, Dash and other coins can be some of the riskiest assets a bank could hold. So, it is not surprising that regulators are trying to unpack and get a handle on this “virtual currency.” One regulatory body describes cryptoassets — which it calls virtual currency — as “a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value,” other than a representation of the U.S. dollar or a foreign currency. Cryptocurrency is a digital asset that uses cryptography to secure transactions digitally recorded on a distributed ledger, such as a blockchain, in units typically referred to as coins or tokens.

National Cryptocurrency Enforcement Team

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of a National Cryptocurrency Enforcement Team (NCET) to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency — particularly crimes committed by virtual currency exchanges, mixing and tumbling services — and money laundering infrastructure actors. Under the supervision of Assistant Attorney General Kenneth A. Polite Jr., the NCET will combine the expertise of the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS), and other sections in the division, with experts detailed from U.S. Attorneys’ Offices. The team will also assist in tracing and recovering assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups.

Money laundering

On January 1, 2021, as part of overriding President Trump’s veto of a defense spending bill, Congress enacted the Anti-Money Laundering Act (“AMLA”), which amended the Bank Secrecy Act (BSA) for the first time since 2001.

The AMLA, like other regulatory initiatives, comes from several prior legislative attempts to reform various specific aspects of the Bank Secrecy Act (“BSA”), including the Corporate Transparency Act of 2019, the Illicit CASH Act of 2020 and the STIFLE Act of 2020. A vital purpose of the AMLA is to expand coordination and information sharing among administering agencies, examining agencies, law enforcement agencies, national security agencies, the intelligence community and financial institutions.

The AMLA has numerous substantive provisions that appear to address weaknesses in the U.S. approach to anti-money laundering/countering the financing of terrorism (“AML/CFT”), including the absence of corporate beneficial ownership reporting requirements at the national level. The U.S. has been criticized by, among others, the Financial Action Task Force (“FATF”) for the absence of beneficial ownership reporting requirements at the national level. FATF has described the absence as a “significant gap” and a “serious deficiency” in the U.S. AML regime. Access to beneficial ownership information has also long been a goal of federal law enforcement and national security officials. AMLA also focuses on the use of reasonably designed risk-based programs that embrace innovation and embed technology.

Also, the AMLA contemplates several new mechanisms for sharing BSA-related information, emphasizing the utilization of data, metrics, statistics and analytics. Three of these mechanisms are as follows:

  • Threat pattern and trend analyses of BSA reports: The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) will be required to publish threat pattern and trend information to provide meaningful information about the preparation, use and value of suspicious activity reports (SARs) and other reports filed by financial institutions.
  • Strengthening the feedback loop on BSA reports: The Department of Justice will be required to submit to the Department of the Treasury an annual report on the use of data derived from financial institutions reporting under the BSA, to be used for specified purposes that include enhancing feedback and communications with financial institutions. Notably, this report’s specific purpose will be to provide more detail in Treasury’s semiannual report to the financial services industry on suspicious activities.
  • SAR sharing with foreign branches, subsidiaries and affiliates: Two provisions in the AMLA aim to facilitate cross-border sharing of SARs and suspicious transaction information within financial institutions. Financial institutions will be prohibited from establishing or maintaining any operation located outside the United States for the primary purpose of BSA compliance due to these provisions.
Also, notable
  • The AMLA reiterates that financial institutions should implement reasonably designed risk-based programs that “direct its resources to its higher-risk customers and activities, consistent with the risk profile of a financial institution.”
  • The AMLA’s expansion of the BSA’s purpose to include “establish[ing] appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury and law enforcement.”
  • The adverse consequences of “de-risking” — generally understood in the AML/CFT context to mean financial institutions’ terminating or restricting business relationships with clients or categories of clients to avoid, rather than manage, risk.
Bank Secrecy Act and cryptocurrency

One notable reform of the AMLA is that it revised the BSA to include cryptocurrency and other digital assets within its scope. However, noticeable absent from the AMLA are the terms “bitcoin,” “crypto business,” “virtual assets,” or “digital currency.” Instead, the AMLA uses the language contained in existing guidance from FinCEN regarding “value that substitutes for currency.” If there is a continued omission of these critical terms, a footnote should be added to detail specific examples of what may qualify as a “value that substitutes for currency.”

Specifically, Section 5312 of the BSA (“Definitions and application”) has been amended so that the definition of “financial institution” includes “a business in the exchange of currency, funds, or value that substitutes for currency or funds” and “a licensed sender of money or any other person who engages as a business in the transmission of currency, funds, or value that substitutes for currency.” It also revises the definition of “money instrument” to include “value that substitutes for any monetary instrument.” In addition, Section 5330 of the BSA (“Registration of money transmitting businesses”) now provides that money transmitting includes any business that transmits “currency, funds, or value that substitutes for currency.”

Therefore, virtual currency businesses that essentially serve as money transmitters must now register with FinCEN. Likewise, antiquities dealers, consultants and advisors now qualify as “financial institutions” under the new BSA definition.

Though FinCEN has repeatedly said that cryptocurrency and other digital assets fall within the scope of the AML regulatory regime, the recent revisions through the AMLA set out that reality. Consistent with the BSA’s theme, these revisions reflect Congress’s concern. Although the use and trading of virtual currencies are legal, fraudsters, including transnational criminal organizations, seek to exploit weaknesses in the global financial system. They do this by using substitutes for currency, including emerging payment methods such as virtual currencies, to move illicit funds.


Financial institutions would be required to report certain types of customer information to FinCEN on any transaction of cryptocurrency worth over $10,000 made on their platforms involving an unhosted wallet, sometimes referred to as a self-hosted or non-custodial wallet, which is usually controlled by an individual and bypasses the financial institution and its controls. This type of transaction reporting would have to be done within 15 days. Banks and financial technology companies (fintechs) would also be required to keep records for any such transaction over $3,000 and provide that information to law enforcement upon request.

The transaction amounts of $3,000 and $10,000 align with other AML reporting requirements placed on financial institutions by the BSA.

Among the information financial institutions would have to collect includes:

  • certain transactions or the type of cryptocurrency used;
  • the time of the transaction;
  • the assessed value of the transaction in U.S. dollars;
  • any payment instructions received by the financial institution’s customer;
  • any form relating to the transaction;
  • the name and physical address of “each counterparty” to the financial institution’s customer; and
  • any other information that “uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved.”
Boards and compliance officers

The board of directors is ultimately responsible for the bank’s AML compliance and should oversee senior management and the compliance officer in implementing the bank’s board-approved AML compliance program.

Based on the AMLA and recent trends, boards and compliance officers should immediately consider the following:

  • Conducting AML and sanctions risk assessments. Understanding risk is critical in developing and modifying an AML program. FINRA’s 2021 Examination Priorities and the Office of Foreign Assets Control’s 2019 guidance on compliance commitments emphasize the importance of conducting risk assessments and updating them based on independent testing results and any changes in size or risk profile. This assessment should include an evaluation of customers, products, services, and geography. The risk assessment is usually the first thing the regulators ask for when something goes wrong and will illustrate the company’s general understanding of risk.
  • Revamping customer due diligence. Regulators will more likely than not expect companies to enhance their customer due diligence process to determine who could be using “fronts” or hiding behind shell companies. Why? Those names and business ties will be more readily available because corporations, limited liability companies and similar U.S. entities, as well as those same foreign entities that register to do business in the United States, will be required to submit, as part of the company formation or registration process, a report to FinCEN that includes specific identification information for each “beneficial owner.” A beneficial owner is defined as any individual who (a) exercises substantial control over an entity or (b) owns or controls 25% or more of the ownership interests of an entity. Several exclusions exist, including an individual acting as an agent for another individual and an individual acting solely as an employee.
  • Reviewing the whistleblower program. AMLA establishes a whistleblower reward program for suspected violations of the BSA. The program is similar in some ways to the whistleblower program at the Securities and Exchange Commission (“SEC”): tipsters who provide original information that leads to an enforcement penalty of more than $1 million would be eligible for a reward as high as 30% of the collected total. Also, reporting tips would allow that individual to claim anti-retaliation protections included under AMLA. Specifically, in the event of a violation of these provisions, the whistleblower can file a complaint with the Department of Labor and seek recourse in federal district court if it is not adjudicated within a certain period.
  • Building a case for better resources and technology. The right compliance system must be equipped with the requisite capabilities and use the latest technology tools to monitor transactions and identify suspicious activities. Regulators expect the use of the most sophisticated detection technology that an organization can afford and manage.
  • Updating policies and procedures. Poorly written or inadequate policies and procedures were frequently cited by the SEC and FINRA as a root cause of other issues within the AML program. Considering the aforementioned combined with the recent pandemic (i.e., remote work environment), a review of policies, procedures and processes are strongly suggested. Throughout this exercise, red flags indicative of fraud, specifically money laundering or terrorist financing, should be identified.

While there has been much focus on using cryptocurrency to launder money, it is essential to remember and not to lose focus that “cash” is still the preferred medium for money launderers.

There needs to be a change in thinking, bringing “fraud” into the conversation regarding regulatory compliance and specifically money laundering. Those that genuinely understand money laundering will know it’s a tool a fraudster uses to execute their plan. This is why understanding the Triangle of Fraud Action (see below) is vital when analyzing an anti-money laundering program.

  • The act
  • The concealment
  • The conversion of illegally gained proceeds (i.e., “dirty money”)

Triangle of Fraud Action

Even better, combining the Triangle of Fraud Action (“What based”) along with the Fraud Pentagon (“Why based”) creates the Advanced Meta-Model of Fraud™ and this becomes the basis for not only analyzing the anti-money laundering program, but also for developing programs, controls and oversight that can now be designed with greater precision to reduce risk and enhance the likelihood of meeting specific objectives.

Remember, anti-money laundering programs are based on “five pillars” that a system of internal controls, policies, and procedures and not understanding fraud could expose your organization.

5 Pillars of AML

Lastly, we noted a theme of a failure to conduct adequate independent AML testing from reviewing recent enforcement actions. Under FINRA rules, an independent function (e.g., internal audit or a qualified third party, like Baker Tilly ) should conduct an annual review of the program. Many don’t realize that reviews conducted by the compliance team will not satisfy the requirement.

Baker Tilly’s team of experienced financial crime and compliance professionals can help with most issues financial institutions face today – such as risk assessments, drafting or enhancing policies and procedures, the selection of technology, customized training at all levels, tuning of models, lookbacks, investigations, compliance reviews and internal audits. We are the thought leaders who are the practicing professionals needed on your team.

To learn more about financial crime or how Baker Tilly can help, contact our team.

Jonathan T. Marks
Diverse work environment where employees want to stay
Next up

Creating a work environment where employees want to stay