Stay Ahead in Crypto AML: Must-Have Compliance Elements
A Crypto AML & Sanctions Compliance Program (“CCP”) is a specific compliance program tailored to the unique characteristics of crypto assets. The main difference between an AML & Sanctions compliance program in traditional finance and the crypto industry is the focus on self-regulation and implementation of internal controls to ensure compliance with existing laws, regulations, and good practices.
An effective CCP is based on five main pillars: (1) Internal Policies and Controls, (2) Crypto AML & Sanctions Compliance Audits, (3) Designated Compliance Officer, (4) Employee Training, and (5) Customer Due Diligence.
Let's take a look at each one of them!
1. Crypto AML & Sanctions Internal Policies and Controls
A Firm’s policies, procedures, and internal controls play a primary role in an effective CCP. A well-written policy sets all the parameters to prevent the company from illegal activities such as money laundering, terrorist financing, and other identified risks. To do so, internal controls are placed to ensure that the company complies with all applicable laws, rules, and regulations.
Internal controls for a crypto Firm include due diligence on customers, counterparties, or any other relationship applicable to the company, transaction monitoring, suspicious activity reporting, personnel training, etc.
Transaction monitoring is a complex and crucial control for businesses offering crypto services. It allows the detection of unusual activity by analyzing and investigating the compromised funds' origin and subsequent flow. For an easy and more understandable way to follow transactions, especially in the blockchain space, Firms can rely on Transaction Monitoring software to detect suspicious activity.
Tip: When suspicious activity is identified, the CO must report it to the relevant regulatory body as stipulated in the Firm’s CCP.
2. Crypto AML & Sanctions Compliance Audits
Crypto AML & Sanctions Compliance Audits (“Audit”) aim to test the adequacy of AML, sanctions, and consumer controls within an organization to determine whether they are appropriate. Therefore, this implies inspecting the organization’s policies and procedures. While this may be performed internally, it can also be done externally. Both types of Audits should have objective views of the company’s practices and a determination of the accuracy of the reported operations, policies, and procedures.
It is important to note that Audits are legally required for some types of Crypto Asset Firms, such as Exchanges. The U.S. Securities and Exchange Commission (“SEC”) has emphasized the importance of auditor independence: “Auditors are critical gatekeepers that must employ a robust system of quality control to ensure faithful adherence to professional standards.” With this in mind, it is a good practice for Crypto-Asset Firms to include Independent Audits in their Compliance Programs.
Tip: The SEC has advised against approaching Rule 2-01 and auditor independence with a “check-list mentality.” According to the SEC, all items listed under this rule are necessary but insufficient to achieve auditor independence.
3. Designated Compliance Officer
The Board of Directors (“BoD”) appoints the Compliance Officer (“CO”), or designee, to oversee the CCP and to be responsible for implementing its AML & Sanctions strategies and policies.
In many jurisdictions and depending on the Firm’s size in revenue terms and its legal structure, the CO might:
Hold a Senior Management Level position;
Have a functional reporting line to the BoD;
Be considered an independent party to ensure their responsibilities are carried out objectively and without bias; and
Be held personally accountable for any misconduct that falls within the Firm’s AML & Sanctions regime.
Tip: There is no golden rule to appointing a CO; every jurisdiction has its own technical requirements and specifications.
4. Crypto AML & Sanctions Employee Training
Just as it is necessary to have well-structured AML & Sanctions compliance policies, procedures, and internal controls, all Firm members must be aware of the rules in place to prevent illegal activities that may harm not only the Firm but also them as individuals. This is where maintaining a continuous and up-to-date training program is important. Besides understanding policies and internal controls, training helps employees understand new regulations and laws related to crypto and the consequences that could follow if they are not observed.
Successful training programs walk employees through realistic situations they could experience on any given day, applying ethics and compliance to the company's and regulatory bodies' regulations. Based on an internal risk assessment, an organization defines a given period of time in which this process should happen.
Tip: The general recommendation is to train new hires and to provide ongoing training on an annual basis to all staff members, with the necessary controls in place to ensure that it can be completed on time by all the employees to whom it applies.
5. Customer Due Diligence
In previous years, this final Pillar used to be part of the Crypto AML & Sanctions Internal Policies and Controls, but due to its regulatory relevance in past years, it is now considered an independent component of the CCP.
There are many AML and Sanctions risks that a Firm may be exposed to when onboarding new customers, which is why companies must ensure that Customer Due Diligence policies and procedures are included in their CCP. Customer Due Diligence (“CDD”) is “the act of collecting and identifying information to verify a customer’s identity and more accurately assess the level of criminal risk they present.”
Companies may adopt different types of Customer Identification Programs and Know Your Customer activities to mitigate risks. These should include:
Identification of Ownership structure;
Understanding core business operations;
Transaction Monitoring and/or Wallet Screening;
Identification of Politically Exposed Persons (PEPs); and
Identification of Negative News.
All these items should help the Firm assign a risk rating to the prospective customer according to the risk appetite they are willing to be exposed to.
Tip: The CCP should describe the type of customers that may need to go through a Due Diligence process, and at which point during the process of the business relationship they should do it. It is important to note that customers with higher risk ratings should go through more thorough due diligence processes (i.e., Enhanced Due Diligence) that may include re-screenings every so often.
By: Armando Martin, Sr. Associate, Maria Fernanda Romero, Associate, and Maria Fernanda Risco, Associate, at Canaria Consulting LLC.
Canaria Consulting LLC is a boutique consultancy specializing in developing, enhancing, and maintaining regulatory compliance programs for virtual currency firms. Canaria Consulting was founded to help virtual currency firms meet their regulatory obligations in a way tailored to the unique characteristics of virtual currency and decentralized blockchain technologies.