Datanamix | AML Sanctions Screening

Guide for the Crypto Industry

Enjoy full access to a comprehensive suite of products and information that will assist you in minimising your credit risk and making more informed decisions.

Sanctions & PEP Data API for the Crypto Industry

The Importance of Sanctions & AML Screening for the Crypto Industry

Comprehensive AML Screening API for the Virtual Currency Industry


Anti-money laundering regulations do not just apply to banks and other traditional financial institutions – these regulations must also be followed by firms involved with cryptocurrencies.


    Legal Requirements

    The crypto industry is required by law to carry out sanctions and AML screenings.

    The Office of Foreign Assets Control (OFAC) has made it clear that the crypto industry must, as a top priority, ensure cryptocurrency is not used to evade sanctions.

    OFAC is committed to using its authority to counter the use of digital assets for illegal activities. In line with this, the body has expressed that any US person who engages in crypto transactions is responsible for confirming that their exchanges do not violate sanctions.

    The regulator has already taken steps to act against providers that fail to screen their customers against sanctions and watch lists – and it expects to have more involvement as the industry evolves.

    For example, OFAC has:

    • Cracked down on crypto transactions involving blocked persons and specially designated nationals (SDNs).
    • Identified digital currency addresses known to be tied to these individuals and created a public list, so organisations can more easily screen for this activity.
    • Restricted crypto transactions that involve exchanges that indirectly benefit SDNs. So, if an SDN or blocked entity is involved in or benefits from a cryptocurrency transaction taking place, the firm could face serious penalties.
    • Criminalised transactions with entities that are 50% or more owned by an SDN.

    The property of a blocked person, and any assets that they have an interest in, will continue to be sanctioned regardless of how many times it is transferred away from them. Crypto providers should be alert to chain hopping, tumblers, and other methods used to obscure the true parties involved in the transaction.



    Q: What happens if the crypto address is not linked to a blocked person when the exchange is facilitated?

    A: The transaction could be considered a sanctions violation if that address becomes linked to an SDN later. OFAC sanctions are strict – and they expect firms to take steps to identify these individuals, regardless of how much they attempt to evade the system.


    Q: What are the consequences of failing to comply with AML regulations?

    A: Aside from fines and penalties, government agencies may block individuals from transacting on a platform, or with a particular digital asset, altogether.




    Although the regulation around crypto transactions is ongoing and dynamic, organisations are required to follow sanctions laws. At a minimum, firms should implement a KYC and sanctions screening process to identify high-risk individuals.

    Sanctioned Regions and Countries: Real-life scenarios


    It is important that organisations understand the sanctions regions that apply, based on the countries they operate in.

    Because many nations use sanctions against imports to curb illegal behaviour and prevent the corruption of their financial systems, transactions with these regions should be avoided or closely monitored, depending on how comprehensive the sanctions are.

    The Venezuelan Petro

    In 2018, a US Executive Order was signed to prevent users from exchanging or dealing with crypto that was issued by, for, or on behalf of the Venezuelan government. This action was driven by the launch of their sovereign digital token, the Petro, which was designed by Maduro’s regime to get around US sanctions.

    BitPay

    In 2021, BitPay – a company that enables merchants to accept payments via cryptocurrencies – received a fine of almost half a million dollars from OFAC for violating sanctions.

    BitPay repeatedly violated sanctions programmes by carrying out transactions from their merchants’ buyers with names, phone numbers, IP addresses, and other identifying data that indicated they resided in sanctioned jurisdictions.

    During their investigation, OFAC determined that BitPay did not do their due diligence to screen the location of their ultimate customers: the buyers that were transacting with the merchants on their platform.

    It is important to note that this penalty could have been significantly more severe, but OFAC gave BitPay credit for implementing measures that would prevent sanctions violations in the future:

    1. BitPay must fully block IP addresses that appeared to come from Iran, Syria, North Korea, and Cuba.
    2. BitPay must launch an ID programme. The company duly launched a new customer identification process, BitPay ID.
    3. Any merchants who want to process invoices of $3 000 or more must now provide proof of identification to utilise BitPay. Failing to provide the appropriate information blocks the transaction.
    4. BitPay needs to check the physical and email addresses of the merchant’s customers if the data is provided. Should the customer belong to a sanctioned jurisdiction, the invoice cannot be completed.



    Q: Is a person in the US violating sanctions when a user in a restricted country validates their transaction on the platform? They can’t control how transactions are validated in the blockchain, so how would they trace and prevent this from happening?

    A: There is much complexity involved here, but the key is that cryptocurrency providers must stay ahead of guidance and regulations to prevent fines and penalties.



    Protect Your Organisation


    Aside from the legal requirements, companies that operate in the crypto industry also need to consider how AML Sanctions Screening processes can protect their organisation.

    1. Reputation damage: Imagine what would happen to a company’s reputation if news came out that it had aided money launderers and terrorists through its platform. This would push users away and encourage them to take their business elsewhere.

    2. Insurance implications: Many insurers have previously agreed to pay out claims for ransomware payments – but now they are unwilling to reimburse companies due to the extensive cost of rebuilding the blockchain and recovering lost data. OFAC has identified companies like SamSam, Cryptolocker, and Dridex to be directly associated with malware. As such, any ransomware payments to these firms are strictly prohibited.

    Specific Challenges for the Crypto Industry



    Fast Transaction Speeds


    This presents criminals and money launderers with an opportunity to move significant volumes of illicit funds very quickly.



    High Levels of Anonymity


    Users can complete cryptocurrency transactions without disclosing personal details.


    Increased Potential for Structuring


    Structuring refers to breaking up large transactions into smaller ones to avoid the scrutiny of regulators.


    Regulatory Unfamiliarity


    The industry is new and different, so legislators and governments have not developed uniform rules and best practices for these businesses.

    Red Flags: How is Money Laundered Through Cryptocurrencies?


    It is estimated that the amount of fraud, theft, and hacks that occurred in the crypto industry totalled more than $1.4B – in the first six months of 2020 alone.

    Cryptocurrencies will pose a significant threat to the integrity of financial systems if these issues are not addressed.

    To better understand and address the threats, the Financial Action Task Force (FATF) conducted an investigation and put together a report on red flags relating to cryptocurrency money laundering schemes.

    Let’s review some of the most prevalent red flags in the crypto industry:

    Minimal customer due diligence


    Red Flag #1
    Companies that apply minimal customer due diligence, for the sake of avoiding identification requirements.

    Red Flag #2

    Criminals tend to exploit the fact that cryptocurrencies are anonymous. By trading on unlicensed platforms, proxies, or with privacy coins, they can mask their identities completely.

    For instance, any crypto user that has evaded attempts to provide identifying information, or denied those requests completely, should be flagged. Simply put, accounts that are making transactions with inadequate customer due diligence pose a threat to the business.

    Red Flag #3

    This anonymity creates another red flag called money muling. This is where criminals take advantage of vulnerable consumers that are not familiar with the technology and use them to carry out transactions for money launderers.

    Geographical Risk

    Red Flag #4

    Another red flag that is tied to anonymity is the geographical risk. It is easy for users to transfer money in and out of high-risk jurisdictions, or exchange currency in a country where they do not reside.

    Red Flag #5

    The use of VPNs (virtual private networks) to access crypto services. This could indicate the user is trying to mask where they live to evade regulatory requirements or sanctions screenings.

    High-Frequency Transactions

    Red Flag #7
    Any time there is a large volume of exchanges occurring over a short time, it is a red flag. This also includes quickly depositing and withdrawing funds from an account that was just recently opened.

    A user that engages in more transactions than the average person could also be involved with structuring. By deliberately breaking up larger trades into smaller amounts, criminals can avoid triggering currency transaction reporting thresholds.

    This red flag is the same as what would trigger a bank alert when done with cash – making multiple transactions under the $10 000 reporting minimum could indicate illegal activity.




    Q: What about making several high-value exchanges in a short timeframe?

    A: Behaviour like this can also be a red flag, especially when it is done in a regular pattern and the user has long periods with no additional activity afterward. Ransomware cases may look just like this!



    Spreading Assets Between Various Providers


    Setting up an AML Process


    Now that you understand the importance of sanctions screening and AML processes in the crypto industry, let’s get into the best way to set them up. The key is to develop policies and procedures to address red flags and prevent money laundering from occurring.

    The first step is to understand the risks your business is exposed to and the applicable regulations that you must comply with. Cryptocurrency service providers are now under the scope of most of the existing AML and counter-terrorist financing regulations, so you must prepare appropriately.

    As most of these laws require you to implement a risk-based customer due diligence program and transaction monitoring measures, you should start there. The goal is to develop a process that can identify the money laundering risk that each of your users presents.

    To comply with regulations, you must use a risk-based approach. It is the only way to avoid expensive fines and penalties for non-compliance and ensure that you can detect and prevent money laundering risks.



    Address red flags; and

    Step 1: Understand the risks your business is exposed to, and the applicable regulations that you must comply with. Cryptocurrency service providers are under the scope of most AML and counter-terrorist financing regulations, so you must prepare appropriately. The goal is to develop a process that can identify the money laundering risk that each of your users presents.

    Step 2: Use a risk-based approach to comply with the regulations you identified. This is the only way to avoid expensive fines and penalties for non-compliance and ward off money laundering risks.
