AML and cryptocurrencies background and threats to effective AML

Transcription

1 AML and cryptocurrencies background and threats to effective AML Giles Dixon, CBP Senior Consultant, Cryptocurrencies, Financial Services Advisory Grant Thornton Canada

2 The challenges blockchain technology currently presents for AML professionals exist now but are scantly addressed. Source: When two worlds collide

3 Some background Although definitions of virtual currency vary depending on source, the definition below can give us a good idea Virtual currency is a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value*. Cryptocurrencies like bitcoin are a form of virtual currency that use cryptography and encryption techniques to regulate the generation of units of the currency and verify the transfer of funds, operating independently of a central bank. Although cryptocurrencies operate like currency, they do not have legal tender status. In Canada, bitcoin is considered closer to a commodity in the eyes of certain regulators such as the OSC and others. *Source: IRS Notice

4 Where did it all start? October 31st, 2008, a whitepaper, Bitcoin: A Peer-to-Peer Electronic Cash System was posted by an individual / group of individuals / entity called Satoshi Nakamoto. The whitepaper how Bitcoin would work Over 9 pages, the word anonymous is only mentioned once The paper describes a new way of exchanging value without the need for a trusted third party or intermediary The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were. Source: Bitcoin: A Peer-to-Peer Electronic Cash System 4

5 Where did it all start? Satoshi Nakamoto? The unknown person or people who designed bitcoin and, as part of its implementation, the first Blockchain. Or perhaps 5

6 Source: Thomson Reuters, October 2017 Cryptocurrency - legal or illegal? Recently banned 6

7 AML Regulation Governments around the world are beginning to grapple with the broad range of regulatory challenges presented by the virtual currency ( VC ) world. A report by the Bank for International Settlements categorizes the measures taken to date as follows: a) Imposing restrictions on regulated entities for dealing with virtual currencies; b) Adopting legislative/regulatory measures, such as the need for exchange platforms dealing with VC to be subject to regulation as money remitters, or the proposed regulation of VC intermediaries in some jurisdictions for AML/ATF purposes; c) Publishing statements cautioning users about risks associated with VC and/or clarifying the position of authorities with respect to VC; and d) Monitoring and studying developments. But that is changing! This year, we have started to see some jurisdictions going public with more firm regulatory stances on specific areas of the virtual currency world - Australia, Switzerland and Japan are some examples.but the landscape is still very much developing. 7

8 Amendments to Canada s AML legislation (not yet in force) In June 2014, Canada published drafts (which were further amended in 2015) to amend its AML/AFT legislation to treat persons and entities engaged in the business of dealing in VCs as money service businesses ( MSBs ): Paragraph 5(h) of the Act was replaced by the following: (h) persons and entities that have a place of business in Canada and that are engaged in the business of providing at least one of the following services: foreign exchange dealing, remitting funds or transmitting funds by any means or through any person, entity or electronic funds transfer network, issuing or redeeming money orders, traveller s cheques or other similar negotiable instruments except for cheques payable to a named person or entity, dealing in virtual currencies, or any prescribed service; Under the same list of services, (h.1) also includes persons and entities that do not have a place of business in Canada, that are engaged in the business of providing the above listed services. 8

9 Effective AML and the challenges of moving from real world to virtual AML Defences Need to Evolve No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting Identifying and assessing risk Counterparties Digital Relationship Monitoring 9

10 AML Continuum Points to consider No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting Identifying and assessing risk Counterparties Digital Relationship Monitoring Challenges / Threats / Points to consider Applying Canada s AML rules Those coming to us are being proactive in getting their AML regime to a place where it needs to be but often they do not have much in place today it needs to be built rather than enhanced. It is important to understand each organization s interpretation on new nomenclature being born in this industry e.g. verified / un-verified. Also important to understand the fundamentals of different types of offerings / products / coins available and what they do / what makes them unique. Bitcoin is just one. Understand, for each specific organization, the possible flows / entry and exit points different for each. Does the organization operate with an unverified customer base? What portion of their business is made up of this type of customer? How easy is it for customers to enter the virtual world? Consider the network around the business (and the risk presented) e.g. counterparties, franchisees etc. Consider why someone would use an ATM vs. an exchange vs. other forms in to the virtual world e.g. Flexepin. What is it about a particular exchange or crypto currency that means customers use them? E.g. arbitrage? Anonymity? What is the legitimate business story? Need an approach to assessing risk of new technologies as they emerge current regulatory requirement very much applies here. 10

11 AML Continuum Points to consider No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting Identifying and assessing risk Counterparties Digital Relationship Monitoring Challenges / Threats / Points to consider Applying Canada s AML rules Naturally, the pseudo-anonymous nature of crypto makes knowing your customer a (potential) challenge Verified (in the virtual world) does not always mean I know who my customer is! KYC controls not being applied consistently (primarily in the case of the ATM world) for each customer. These organizations have grown quickly, and in some cases are only now considering their AML programs. Large back book of un-verified customers to understand. There is a challenge of compliance capacity. The trade off / conflict (in some parts of this industry) between compliance and commercial is real. Understand what verified actually means. What functionality do these customers have? (we ll explore this some more shortly) How does this translate to being able to know who their customers are? Is there a legacy book of un-verified customers and if so, what controls does the organization have in place to mitigate against the risk this poses? To what extent does the ID documentation collected reflect the standards expected of similar organizations such as MSBs this can be challenging in a digital realm. 11

12 AML Continuum Points to consider Let s explore the concept of unverified and verified a bit further. We have typically seen the following customer make up at VC exchanges. It is important to note the model described below differs from exchange to exchange: Customer Base Make Up Customer Typical functionality allowed Current KYC (needs enhancement) Typical % of customer base Unverified Cryptocurrency deposits allowed no limits Cryptocurrency withdrawals - limited Many moving to no withdrawals model Name Address Country of residence Phone number C. 90% Verified Deposits allowed VC and FIAT (FIAT limited) Withdrawals allowed VC and FIAT (limited) All of above Proof of address Government ID C. 10% Verified (Higher) Some exchanges offer a higher level verification option Larger limits allowed on deposits and withdrawals All of above Government ID Social Insurance Number Source of funds 12

13 AML Continuum Points to consider No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting Identifying and assessing risk Counterparties Digital Relationship Monitoring Challenges / Threats / Points to consider Applying Canada s AML rules The list of counterparties at any given VC operator can be long. Exchange A and Exchange B may be in exactly the same business and dealing with exactly the same coins, but each have very different controls in place. This is important as a number of exchanges provide services to one another which help them, in turn, provide service to their customers. Many other types of virtual businesses are involved too each bring their own challenges from an AML perspective such as miners and wallet providers, developers. Counterparty due diligence is crucial. Consider the due diligence that is undertaken on the counterparty what has been done, if anything? How do the counterparty s controls compare? Scrutinized? Does the counterparty have experience in the industry? In the crypto world, almost anyone can play. Has there been anything in the media which would reflect negatively on the counterparty? Do individuals at the counterparty have a history of enforcement? Where is the counterparty located? How is the organization financially? Are they stable? 13

14 AML Continuum Points to consider Let s consider one example of a counterparty network from the perspective of a crypto currency exchange. Exchange B Buying Exchange A s coins / tokens to sell to their customers. Exchange offers wallets that support Exchange A s coins / tokens. Independent Wallet Provider Offers wallets that are enabled to support Exchange A s coins / tokens. Exchange C Exchange A is buying liquidity from Exchange C. What controls do they have in place on their exchange? Crypto Exchange A Protocol Developers Miners Mine the coins / tokens that eventually end up at Exchange A. How have they funded their operations? Other Banks? MSB The MSB is used as an intermediary to receive virtual currency, exchange for fiat and transfer funds to the bank accounts of other related parties They maintain the protocol on which Exchange A s platform sits. Are they designing the protocol with ML risks in mind? Customers have linked their bank account to Exchange A and are depositing funds from their account in exchange for Exchange A s coins / tokens. 14

15 AML Continuum Points to consider No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting ` Identifying and assessing risk Counterparties Digital Relationship Monitoring Challenges / Threats / Points to consider Applying Canada s AML rules The blockchain is (potentially) a tool which can help us all. Every transaction ever undertaken is recorded and visible on the network. The challenge is knowing how to make sense of it all. Technologies such as tumblers and mixers have been seen to be one of the main ways of laundering funds in the virtual realm. Should the focus be on large volumes / large frequency prioritized over low dollar values? Some VC operators are better than others - for the vetting of cash at B-ATMs are weak. More needs to be done. The notion of ring-fencing is becoming possible. Need to think about the right parameters to apply- do we need full KYC at $1 or at $500? Consider IP address KYC and monitoring. The infrastructure is easily there for the monitoring to occur, these 'fintech' companies are built in a way that using and monitoring data is part of their DNA. Can I decide to facilitate some of your transactions but not all? What about an environment where AML is built in from the start i.e. blockchain with all required controls and capability built in from inception - anonymity completely removed while benefits of the blockchain still exist. 15

16 AML Continuum Points to consider Let s explore further how this plays out in an example scenario we can quickly start to see why and where risk exists 2 Subsequent VC deposits made from other exchanges. Virtual World (Exchange or wallet provider) 3 Customer is unverified. All funds sent to verified wallet at another exchange where customer has used a false identity. Real World 1 Dollars deposited at ATM no KYC undertaken; Exchanged for bitcoin and deposited in to bitcoin wallet at an exchange. 4 Funds withdrawn out in to banking system. Illicit Funds 16

17 AML Continuum Points to consider No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting Identifying and assessing risk Counterparties Digital Relationship Monitoring Challenges / Threats / Points to consider Applying Canada s AML rules How do we know who we are dealing with in an on-line world? How much do we need to know? Some of the monitoring tools are too expensive for the more traditionally built AML programs. The blockchain monitoring tools available can be helpful but they are still learning / building their profiles with time. Easier world for nominees? At a more fundamental level, is the capacity there to learn, understand, and effectively implement virtual monitoring? Think of a future where there is ready access to know your digital footprint in a way never contemplated in the nonvirtual world. Central ID repositories that sit on the blockchain are potentially where we are heading. Now more than ever we are required to work together with people who bring the skills and experience needed to tackle the challenge whether this be subject matter, technological, or otherwise. 17

18 AML Continuum Points to consider No AML Regime Know your customer / know your digital customer Monitoring / vetting crypto transactions Investigation and reporting Identifying and assessing risk Counterparties Digital Relationship Monitoring Challenges / Threats / Points to consider Applying Canada s AML rules No reporting yet of crypto currency transactions by Canadian players that we are aware of. This is being discussed and contemplated. Investigations are on the rise by regulators around the globe. The SEC is increasing scrutiny on ICOs with more than a dozen companies under investigation in the US. Quebec government s chief data scientist recently announced opinion on money laundering through bitcoin. Need to build reporting framework. 18

19 Where next from here? We as AML professionals must embrace the technology for what it is and learn more in order to better understand its opportunities and threats from an AML perspective; More is needed (and understanding will help) to put the right structures in place; This falls on us as AML professionals and practitioners, but also those operating in the industry; We should move away from considering the real and virtual world as two independent worlds; We need to integrate our thinking and approaches otherwise we create opportunities for illegal funds/owners of those funds to flourish; Not a one size fits all approach. 19

20 Thank you. Please feel free to get in touch to discuss further. Giles Dixon, CBP Senior Consultant, Cryptocurrencies, Financial Services Advisory Grant Thornton Canada E: Tel: +1 (416) Cell: +1 (647)