Guide

Sanctions Compliance for Crypto Businesses

This guide will help to understand the Crypto Industry's specific challenges, how to identify red flags and implement best practices for a comprehensive compliance process.

Thorsten J Gorny
,
October 6, 2021

Sanctions & AML Screenings: The Basics

Before we get into the specifics of how the crypto industry is affected by Sanctions and AML screenings, it is necessary to understand what these are in general.

Understanding AML

AML stands for Anti-Money Laundering and refers to all the regulations enacted by international and regional government authorities to prevent financial crimes. These policies specifically target money laundering and terrorist financing to prevent them from happening – and catch those involved with these illegal activities.

All organizations that are within the jurisdiction of AML laws are required to comply with them. This may require businesses to establish a compliance department and implement Know-Your-Customer (KYC) and sanctions screening processes.

A sanction is a measure taken by a regulatory agency or government towards another country, coalition, regime or person due to violations of international law. They will also be applied to criminals and members of terrorist organizations to prohibit them from doing business in a particular country or sector.

Part of AML compliance involves verifying that the customers you are doing business with are not subject to any sanctions and ensuring that your company can adequately assess the risk of working with them.

 

What are Sanctions Screenings?

An AML screening is a key component of these regulations, as they help companies identify high-risk customers and respond appropriately. The risk assessment process involves verifying that potential and existing customers are not on a sanctions list, wanted list, or show up on adverse media data. It can also identify PEPs, or politically exposed persons, who put your organization at a higher risk.

A business must gather identifying information about its customers to perform an AML screening. That includes their full name, date of birth, address, and other data that can help confirm their identities and complete the screening.

Once that information is collected, the business will use an AML screening tool to scan sanctions lists from relevant jurisdictions. The sanctions list identifies individuals, entities, and groups that are subject to a sanction.

For example, a business in the U.S. would need to confirm that their existing and potential customers are not on the OFAC sanctions lists and other applicable watch lists. The European Union maintains a consolidated list of anyone subject to financial sanctions, and watchlists like the one managed by Interpol identifies criminal fugitives.

The lists include a lot more than the name of the individual, though. You will find aliases, recent locations, details about the sanction, and other ancillary data. As such, it can be difficult to complete the process manually – the data is always changing and being updated.

Although the primary goal of the screening is to check whether a customer appears on a sanctions list, it is also important to consider whether they are affiliated with an entity or individual on the list. 

When Must Businesses Perform AML Screenings?

A company is required to perform a sanctions screening during the onboarding and know your customer process. As the business relationship is established, you must collect information about the client and ensure that they do not appear on any list of prohibited individuals.

While this is the most common time AML screenings are performed, it is not the only time that regulated businesses must implement them. Any time a transaction is performed or a risk level of a customer changes, a sanctions screening should be done. Likewise, these compliance efforts should be applied to employees and other business partners they are working with.

 Purpose of Sanctions Screenings

There are three main objectives of AML screenings:

  1. Performing a Risk Assessment
  2. Ensure Compliance with Sanctions
  3. Protect Your Organization from Regulatory Fines

By understanding the risk associated with a particular customer, your business can do a better job of monitoring transactions and addressing red flags early on. Individuals that appear on a sanctions list are high-risk, so it often makes sense to avoid doing business with them altogether.

A politically exposed person (PEP) for example has a high-risk customer profile compared to the average person. Since they can exert government influence, they have more opportunities to be involved with corruption, bribery, and other financial crimes.

That means that businesses like financial institutions must carefully screen each customer to ensure they comply with all applicable regulations – and avoid putting their organization at risk of being used to facilitate financial crimes.

 

The Importance of Sanctions & AML Screening for the Crypto Industry

Anti-money laundering regulations do not just apply to banks and other traditional financial institutions – these regulations must also be followed by firms involved with cryptocurrencies.

Legal Requirements

Perhaps the most significant reason the crypto industry needs to focus on and improve sanctions and AML screenings is that it is legally required. Governments and other regulatory authorities have started to focus on the use of cryptocurrency to commit financial crimes and fund other illegal activities – and they have implemented additional oversight to address it.

The Office of Foreign Asset Control, or OFAC, has made it clear that ensuring cryptocurrency is not used to evade sanctions is a top priority. They intend to leverage their authority to counter the use of digital assets for illegal activities.

OFAC has expressed that any U.S. person that engages in crypto transactions is responsible for confirming that their exchanges do not violate sanctions. The regulator has already taken steps to bring enforcement actions against providers that fail to screen their customers against sanctions and watch lists – and they expect to have more involvement as the industry evolves.

For instance, OFAC has cracked down on crypto transactions involving blocked persons and Specially Designated Nationals (SDNs). They have identified digital currency addresses known to be tied to these individuals and created a public list, so organizations can more easily screen for this activity.

The restriction on these transactions also includes exchanges that indirectly benefit SDNs. That means that if an SDN or blocked entity is involved or benefits from a cryptocurrency transaction is executed, the crypto firm could face fines and penalties. Even transacting with entities 50% or more owned by an SDN will result in a sanctions violation.

The property of a blocked person, and any assets that they have an interest in, will continue to be sanctioned regardless of how many times it is transferred away from them. Crypto providers should be alerted to chain hopping, tumblers, and other methods used to obscure the true parties involved in the transaction.

What happens if the crypto address is not linked to a blocked person when the exchange is facilitated? In this scenario, the transaction could be considered a sanctions violation if that address becomes linked to an SDN later. OFAC sanctions are strict - and they expect firms to take steps to identify these individuals regardless of how much they attempt to evade the system.

Although there is still some ambiguity and unanswered questions about the regulation of some crypto transactions, an effort must be made to ensure that organizations are following sanctions laws. That means that, at a minimum, firms should be implementing a KYC and Sanctions screening process to identify high-risk individuals.

Sanctioned Regions and Countries

You may be wondering, what are the consequences of failing to comply with AML regulations? Aside from fines and penalties, government agencies may block individuals from transacting on a platform – or with a particular digital asset – altogether.

In 2018, a U.S. Executive Order was signed to prevent users from exchanging or dealing with crypto that was issued by, for, or on behalf of the Venezuelan government. This action was driven by the launch of their sovereign digital token, the Petro, which was designed by Maduro's regime to get around U.S. sanctions.

This is just one example of why sanctions screenings are crucial to the crypto industry. If businesses want to continue operating and grow in the future, they must comply with AML requirements.

That also means understanding the sanctions regions that apply based on the countries you operate in. Many nations use sanctions against the import of goods and services to curb illegal behavior and prevent the corruption of their financial systems, so transactions with these regions should be strictly avoided or at least closely monitored, depending on how comprehensive the sanctions are.

A recent example for the violation of Sanctions is BitPay, a company that enables merchants to accept payments via cryptocurrencies. They received a fine of almost half a million dollars by OFAC for repeatedly violating sanctions programs. BitPay executed transactions from their merchant's buyers with names, phone numbers, IP addresses, and other identifying data that indicated they resided in sanctioned jurisdictions.

During their investigation, OFAC determined that BitPay did not do their due diligence to screen the location of their ultimate customers: the buyers that were transacting with the merchants on their platform.

It is important to note that this penalty could have been significantly more severe, but OFAC gave BitPay credit to implement measures that will prevent sanctions violations in the future. For example, they must block IP addresses that appear to come from Iran, Syria, North Korea, and Cuba – these users can’t even be allowed to connect to the website, much less make payments.

Similarly, the company must launch BitPay ID, which is a new customer identification process. Any merchants who want to process invoices of $3,000 or more must provide proof of identification to move forward. It is not an optional request, and failing to provide the appropriate information will block the transaction.

BitPay will even need to check the physical and email addresses of the merchant’s customers if the data is provided. If they note that the customer belongs to a sanctioned jurisdiction, they must prevent the invoice from being completed.

Again, there is still much to be addressed by OFAC and regulators when it comes to sanctioned countries and regions. Is a person in the U.S. violating sanctions when a user in a restricted country validates their transaction on the platform? They can't control how transactions are validated in the blockchain, so how would they trace and prevent this from happening?

There is much complexity in this issue, but the key is that cryptocurrency providers must stay ahead of guidance and regulations to prevent fines and penalties.

Protect Your Organization

As if complying with legal requirements and avoiding sanctions violations were not enough reasons for AML to matter to the crypto industry, firms must also consider how these processes can protect their organization.

Imagine what would happen to a company's reputation if news came out that they were aiding money launderers and terrorists through their platform? That would surely push many users away and encourage them to take their business elsewhere.

Crypto providers will also need to think about insurance implications. Many insurers have previously agreed to pay out claims for ransomware payments – but now they are unwilling to reimburse companies due to the extensive cost of rebuilding the blockchain and recovering lost data.

Even more concerning is that OFAC has designated companies like SamSam, Cryptolocker, and Dridex to be directly associated with malware. As such, any ransomware payments to these firms are strictly prohibited.

 

Specific Challenges for the Crypto Industry

There are many challenges that businesses in the crypto industry face when trying to comply with AML and sanctions screening requirements.

For starters, accurately and efficiently performing sanctions screenings are difficult regardless of the industry.

Sanctions lists can change almost every day, as many regulatory bodies around the world leverage these measures to impede the actions of high-risk entities and individuals. Companies that offer cryptocurrencies must manage sanctions lists that are constantly evolving – people and businesses are added and removed almost daily.

Sanctions have also become more complex. They were originally imposed on organizations and countries, but now they can be applied to individuals or specific sectors of the economy. Likewise, the number of authorities that can issue sanctions is increasing. This means it is even more difficult to keep track of all the watch lists and ensure you are following the law.

The crypto industry faces even more challenges in addressing sanctions screening and anti-money laundering compliance. The transaction monitoring process is intricate, and cybercriminals are developing increasingly complex strategies to launder money.

Here are some of the biggest hurdles that firms in the crypto sector must overcome:

Fast Transaction Speeds

Cryptocurrency transactions rely on blockchain technology and other computer devices to execute. Unlike traditional exchanges that may take time to complete, a transaction made with a digital token can be finalized in less than a few seconds.

This presents criminals and money launderers with an opportunity to move significant volumes of illicit funds very quickly. They will attempt to stay ahead of measures enacted to monitor transactions, and the faster processing speeds associated with crypto can often facilitate that.

That means that businesses must improve their screening and monitoring efforts in order to keep up with the pace of transactions happening.

High Levels of Anonymity

Another aspect of cryptocurrency that makes sanctions screenings and AML compliance difficult is the high levels of anonymity that the sector is known for.

When you go to the bank or use a credit card, all your information is available to the authorities and financial institutions. The banks can trace the transaction back to you using your bank account number - which shows your name, address, and other unique identifiers.

On the other hand, users can complete cryptocurrency transactions without disclosing these details. By carrying out exchanges anonymously, high-risk individuals can evade the standard monitoring procedures imposed at traditional institutions.

Not only does the lack of information make it nearly impossible to perform sanctions screenings and implement Know-Your-Customer (KYC) procedures, but it also presents an opportunity for criminals to engage in money laundering.

Similarly, the anonymity provided by crypto transactions allows for the use of money mules. People can use third-party individuals as money mules – which means they make transactions on their behalf so that they don't attract unwanted attention.

The fact that users can remain anonymous is one of the biggest appeals to cryptocurrency. Firms in this industry must balance their compliance requirements with ensuring that they retain a customer base.

Increased Potential for Structuring

The increased potential for structuring is another challenge in the crypto industry. Structuring refers to breaking up large transactions into smaller ones to avoid the scrutiny of regulators.

For instance, the Bank Secrecy Act requires that financial institutions report any transaction that exceeds $10,000. Criminals can use structuring to break up transactions into smaller chunks to avoid getting flagged and having a currency transaction report submitted.

Cryptocurrencies make it easy to structure transactions and engage in money laundering. Businesses in this sector must be aware of this risk and consider this for their screening process.

Regulatory Unfamiliarity

It is also essential to consider the challenges associated with regulatory unfamiliarity. The industry is new and different, so legislators and governments have not developed uniform rules and best practices for these businesses.

When you combine this with the fact that crypto transactions are more complex than those that occur in traditional financial institutions, you have uncharted territory for AML compliance. As such, regulators and businesses alike must adapt to changes in the risk landscape – and there is broad legal divergence.

 

Red Flags: How is Money Laundered Through Cryptocurrencies?

One of the reasons that implementing an effective sanctions screening and AML process is crucial for businesses in the crypto industry is that money can easily be laundered through them.

It is estimated that the amount of fraud, thefts, and hacks that occurred in the crypto industry totaled more than $1.4B – in the first six months of 2020 alone. In other words, cryptocurrencies will pose a significant threat to the integrity of financial systems if these issues are not addressed.

Regulators have imposed compliance requirements to help crypto providers detect and prevent these threats. Likewise, it helps them ensure that they cooperate with authorities when they become aware of emergent criminal methods.

The Financial Action Task Force (FATF) has issued new guidance on red flags and money laundering schemes relating to cryptocurrency. They put together this report based on internal investigations they conducted – the idea is to help companies learn from the red flag indicators they identified so they can better respond to these risks.

Let’s review some of the most prevalent red flags in the crypto industry:

Minimal Customer Due Diligence

One of the biggest red flags in crypto is taking advantage of minimal customer due diligence to avoid identification requirements. Criminals will often seek to exploit the fact that cryptocurrencies are anonymous. By trading on unlicensed platforms, proxies, or with privacy coins, they can mask their identities completely.

For instance, any crypto user that has evaded attempts to provide identifying information – or denied those requests completely – should be flagged. Simply put, accounts that are making transactions with inadequate customer due diligence pose a threat to the business.

This anonymity creates another red flag called money muling. Criminals may take advantage of vulnerable consumers that are not familiar with the technology and use them to carry out transactions for money launderers. They may not realize they are being used as mules, and it can be tough for crypto firms to detect.

Geographical Risk

Another red flag that is tied to the anonymity factor of crypto is the geographical risk. It is easy for users to transfer money in and out of high-risk jurisdictions or even exchange currency in a country where they do not reside.

The use of VPNs, or virtual private networks, to access crypto services is a red flag that should be considered. This could indicate that the user is trying to mask where they live to evade regulatory requirements or sanctions screenings.

Likewise, a criminal may try to anonymously manage several crypto wallets from the same IP address or provide credentials that are shared with another account. Other risks exist if a user transacts with CVC addresses that are linked to illicit activities like ransomware, extortion, or more.

High-Frequency Transactions

High-frequency transactions are also a red flag that money laundering could be occurring. Any time that there is transactional behavior or a large volume of exchanges occurring over a short time, it is a red flag. This also includes quickly depositing and withdrawing funds from an account that was just recently opened.

A user that engages in more transactions than the average person could also be involved with structuring. By deliberately breaking up larger trades into smaller amounts, criminals can avoid triggering currency transaction reporting thresholds.

This red flag is the same as what would trigger a bank alert when done with cash – making multiple transactions under the $10,000 reporting minimum could indicate that money laundering or illegal activities are occurring.

What about making several high-value exchanges in a short timeframe? Behavior like this can also be a red flag, especially when it is done in a regular pattern and the user has long periods with no additional activity afterward. Ransomware cases may look just like this!

Spreading Assets Between Various Providers

Instead of making many transactions under the reporting threshold on one platform, other criminals may choose to make various exchanges on multiple platforms. This is also an attempt to evade regulators and hide the true nature of the transactions.

They can deposit cryptocurrency with one platform, then immediately withdraw them and move them to another virtual asset provider. Another red flag includes converting one type of cryptocurrency into multiple other digital tokens – shifting assets around in this manner should trigger additional scrutiny.

Setting up an AML Process

Now that you understand the importance of sanctions screening and AML processes in the crypto industry, let’s get into the best way to set them up. The key is to develop policies and procedures to address red flags and prevent money laundering from occurring.

The first step is to understand the risks your business is exposed to and the applicable regulations that you must comply with. Cryptocurrency service providers are now under the scope of most of the existing AML and counter-terrorist financing regulations, so you must prepare appropriately.

As most of these laws require you to implement a risk-based customer due diligence program and transaction monitoring measures, you should start there. The goal is to develop a process that can identify the money laundering risk that each of your users presents.

To comply with regulations, you must use a risk-based approach. It is the only way to avoid expensive fines and penalties for non-compliance and ensure that you can detect and prevent money laundering risks.

Implement a Know Your Customer Process

The next step is to implement KYC procedures. During the onboarding process, each crypto firm should collect identifying information about its customers. For instance, consider the following data:

  • Name
  • Address
  • Date of Birth
  • Copy of Driver’s License
  • Social Security Number
  • Aliases
  • Occupation
  • Other Identifying Information

The goal is to gather accurate and comprehensive data so that you can perform sanctions screenings and assign them a risk level.

The KYC process should be ongoing, too, so you can ensure that the risk assessment you initially made remains accurate throughout the business relationship. This, combined with transaction monitoring, will help crypto firms understand user identities, their financial history, and what red flags they should be on the lookout for.

Focus on Screening and Monitoring

Once you gather sufficient information about each customer, leverage that data to screen them against Sanctions and PEP lists - also monitor their activity regularly.

While the initial screening will help you develop a risk profile and determine the appropriate level of due diligence required, things can change over time. That’s why it is so crucial that you continue to monitor their crypto transactions and behavior. Likewise, you should review adverse media stories and changes on relevant watch lists to ensure that you maintain the right risk profile for every user.

Consider crypto transactions that are unusual for a particular user or indicate suspicious behavior like structuring. Implementing an effective transaction monitoring system will help you detect various attempts to launder money or commit other financial crimes.

Remember that the process must keep up with the speed and anonymity that cryptocurrency is known for. By accurately identifying these red flags, you can prevent people from concealing their identities and engaging in illegal activities. 

Leverage Technology

As you set up your AML screening process, make sure to leverage technology wherever possible. Like we mentioned, there are many hurdles that crypto firms must overcome to complete sanctions screenings – that includes the speed of transactions and the constantly evolving regulatory environment.

Smart technology can simplify your transaction monitoring efforts and help you collect the data you need to implement your AML process. Doing so will help you capture all the red flags we discussed and ensure that you detect and report suspicious activity right away.

About sanctions.io

sanctions.io is a comprehensive Anti-Money Laundering solution with a simple to integrate API which companies can use to continuously scan their clients and business partners against the most important Sanctions & Crime Lists. Start your 7 Day FREE TRIAL right here.

You can read sanctions.io's Ultimate Sanctions Screening Guide to learn more about sanctions screening.


New Sanctions Screening Guide
Download our FREE Sanctions Screening Guide and learn how to set up an effective sanctions screening process in your organization.
New Case Study
Discover how technology companies streamline global sanctions compliance with sanctions.io
Thorsten J Gorny
Thorsten is Co-founder & CEO of sanctions.io. He has worked for more than 15 years in the tech industry with focus on bringing ideas to life, and building great teams and products. At sanctions.io he is mainly responsible for Business Development, Growth and Strategy.
Enjoyed this read?

Subscribe to our Newsletter right now and never miss again any new Articles, Guides and more useful content for your AML and Sanctions compilance.

Success! Your email has been successfully registered for our newsletter.
Oops! Something went wrong while submitting the form.