Cryptocurrencies can make it easier for fraudsters to obscure the source of criminal proceeds and are increasingly becoming the preferred currency of cybercriminals, from purchasing illicit goods using Bitcoin as a payment method to ransomware attacks where payments by Bitcoin are demanded. This trend is more prevalent because cryptocurrency offers a combination of anonymity, ease of use and the ability to circumvent international borders and regulations, in essence, to launder the ill-gotten proceeds.
The advanced fraudster or money launderer using Bitcoin may use both Bitcoin mixing services and Bitcoin exchanges. Bitcoin mixers typically provide customers with a newly generated bitcoin address to make a deposit. The Bitcoin mixing service pays out other Bitcoins from its reserve to Bitcoin addresses supplied by the customer after deducting a mixing fee. Some randomness is applied to the frequency and amount of payments/fees to create a guise of legitimacy. Bitcoin mixing services allow fraudsters to conceal the origin of their ill-gotten proceeds, disassociating them from the criminal activities to cash out safely using a Bitcoin exchange, which is designed to convert Bitcoins to spendable money anonymously.
Many cryptoassets are volatile and, more likely than not, present a risk for financial institutions as exposures increase. Bitcoin, Ethereum, Litecoin, Dash and other coins can be some of the riskiest assets a bank could hold. So, it is not surprising that regulators are trying to unpack and get a handle on this “virtual currency.” One regulatory body describes cryptoassets — which it calls virtual currency — as “a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value,” other than a representation of the U.S. dollar or a foreign currency. Cryptocurrency is a digital asset that uses cryptography to secure transactions digitally recorded on a distributed ledger, such as a blockchain, in units typically referred to as coins or tokens.
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of a National Cryptocurrency Enforcement Team (NCET) to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency — particularly crimes committed by virtual currency exchanges, mixing and tumbling services — and money laundering infrastructure actors. Under the supervision of Assistant Attorney General Kenneth A. Polite Jr., the NCET will combine the expertise of the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS), and other sections in the division, with experts detailed from U.S. Attorneys’ Offices. The team will also assist in tracing and recovering assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups.
On January 1, 2021, as part of overriding President Trump’s veto of a defense spending bill, Congress enacted the Anti-Money Laundering Act (“AMLA”), which amended the Bank Secrecy Act (BSA) for the first time since 2001.
The AMLA, like other regulatory initiatives, comes from several prior legislative attempts to reform various specific aspects of the Bank Secrecy Act (“BSA”), including the Corporate Transparency Act of 2019, the Illicit CASH Act of 2020 and the STIFLE Act of 2020. A vital purpose of the AMLA is to expand coordination and information sharing among administering agencies, examining agencies, law enforcement agencies, national security agencies, the intelligence community and financial institutions.
The AMLA has numerous substantive provisions that appear to address weaknesses in the U.S. approach to anti-money laundering/countering the financing of terrorism (“AML/CFT”), including the absence of corporate beneficial ownership reporting requirements at the national level. The U.S. has been criticized by, among others, the Financial Action Task Force (“FATF”) for the absence of beneficial ownership reporting requirements at the national level. FATF has described the absence as a “significant gap” and a “serious deficiency” in the U.S. AML regime. Access to beneficial ownership information has also long been a goal of federal law enforcement and national security officials. AMLA also focuses on the use of reasonably designed risk-based programs that embrace innovation and embed technology.
Also, the AMLA contemplates several new mechanisms for sharing BSA-related information, emphasizing the utilization of data, metrics, statistics and analytics. Three of these mechanisms are as follows:
One notable reform of the AMLA is that it revised the BSA to include cryptocurrency and other digital assets within its scope. However, noticeable absent from the AMLA are the terms “bitcoin,” “crypto business,” “virtual assets,” or “digital currency.” Instead, the AMLA uses the language contained in existing guidance from FinCEN regarding “value that substitutes for currency.” If there is a continued omission of these critical terms, a footnote should be added to detail specific examples of what may qualify as a “value that substitutes for currency.”
Specifically, Section 5312 of the BSA (“Definitions and application”) has been amended so that the definition of “financial institution” includes “a business in the exchange of currency, funds, or value that substitutes for currency or funds” and “a licensed sender of money or any other person who engages as a business in the transmission of currency, funds, or value that substitutes for currency.” It also revises the definition of “money instrument” to include “value that substitutes for any monetary instrument.” In addition, Section 5330 of the BSA (“Registration of money transmitting businesses”) now provides that money transmitting includes any business that transmits “currency, funds, or value that substitutes for currency.”
Therefore, virtual currency businesses that essentially serve as money transmitters must now register with FinCEN. Likewise, antiquities dealers, consultants and advisors now qualify as “financial institutions” under the new BSA definition.
Though FinCEN has repeatedly said that cryptocurrency and other digital assets fall within the scope of the AML regulatory regime, the recent revisions through the AMLA set out that reality. Consistent with the BSA’s theme, these revisions reflect Congress’s concern. Although the use and trading of virtual currencies are legal, fraudsters, including transnational criminal organizations, seek to exploit weaknesses in the global financial system. They do this by using substitutes for currency, including emerging payment methods such as virtual currencies, to move illicit funds.
Financial institutions would be required to report certain types of customer information to FinCEN on any transaction of cryptocurrency worth over $10,000 made on their platforms involving an unhosted wallet, sometimes referred to as a self-hosted or non-custodial wallet, which is usually controlled by an individual and bypasses the financial institution and its controls. This type of transaction reporting would have to be done within 15 days. Banks and financial technology companies (fintechs) would also be required to keep records for any such transaction over $3,000 and provide that information to law enforcement upon request.
The transaction amounts of $3,000 and $10,000 align with other AML reporting requirements placed on financial institutions by the BSA.
Among the information financial institutions would have to collect includes:
The board of directors is ultimately responsible for the bank’s AML compliance and should oversee senior management and the compliance officer in implementing the bank’s board-approved AML compliance program.
Based on the AMLA and recent trends, boards and compliance officers should immediately consider the following:
While there has been much focus on using cryptocurrency to launder money, it is essential to remember and not to lose focus that “cash” is still the preferred medium for money launderers.
There needs to be a change in thinking, bringing “fraud” into the conversation regarding regulatory compliance and specifically money laundering. Those that genuinely understand money laundering will know it’s a tool a fraudster uses to execute their plan. This is why understanding the Triangle of Fraud Action (see below) is vital when analyzing an anti-money laundering program.
Even better, combining the Triangle of Fraud Action (“What based”) along with the Fraud Pentagon (“Why based”) creates the Advanced Meta-Model of Fraud™ and this becomes the basis for not only analyzing the anti-money laundering program, but also for developing programs, controls and oversight that can now be designed with greater precision to reduce risk and enhance the likelihood of meeting specific objectives.
Remember, anti-money laundering programs are based on “five pillars” that a system of internal controls, policies, and procedures and not understanding fraud could expose your organization.
Lastly, we noted a theme of a failure to conduct adequate independent AML testing from reviewing recent enforcement actions. Under FINRA rules, an independent function (e.g., internal audit or a qualified third party, like Baker Tilly ) should conduct an annual review of the program. Many don’t realize that reviews conducted by the compliance team will not satisfy the requirement.
Baker Tilly’s team of experienced financial crime and compliance professionals can help with most issues financial institutions face today – such as risk assessments, drafting or enhancing policies and procedures, the selection of technology, customized training at all levels, tuning of models, lookbacks, investigations, compliance reviews and internal audits. We are the thought leaders who are the practicing professionals needed on your team.
To learn more about financial crime or how Baker Tilly can help, contact our team.