Cryptographic addresses can be created anytime, by anyone, anywhere. How does a crypto business build its Know your customer (KYC) program and determine asset provenance?
A KYC program focuses on verifying the identity of customers and sufficiently understanding their background andrisk profile.
FinCEN considers crypto exchanges to be MSBs, subjecting them to existing banking regulations related to AML, Customer Identification (CIP), KYC, transaction monitoring, and various financial reporting requirements.
Crypto businesses should look to establish AML programs similar to those of traditional financial institutions and MSBs, including but not limited to Customer Onboarding and KYC processes, transaction monitoring for suspicious activity, and OFAC/Sanctions screening capabilities.
AML Compliance programs, including KYC programs for the crypto business' customer base, are being tailored to address the unique risks and challenges of the crypto market. This will be essential to detect real suspicious activity while avoiding inefficiencies and compliance fatigue.
The major crypto providers are actively looking to strengthen their AML programs, including KYC and transaction monitoring, and if not, they should be. This could include, for example, requiring information about expected transactions and counterparties, or source of wealth analysis and enhanced due diligence for high-risk customers. Transaction monitoring systems should also not be limited to solely monitoring fiat transactions of crypto customers, but be designed to address the unique risks of their crypto transaction activity as well.
The underlying encryption features of blockchain technology can allow for higher degrees of privacy and anonymity for certain cryptoassets.On one hand, counterparties in a crypto transaction are identified not by names or account numbers, but by cryptographic addresses that can be created at any time, by anyone, anywhere. The contrary to that perception, however, is in the blockchain itself, wherein all addresses and their transactions involved are preserved and accessible by anyone, anywhere.
Many major exchanges have undertaken the collection of KYC information and are now an important source of data for the identification of a large percentage of addresses for certain cryptoassets. However, there will continue to remain a sizable percentage of addresses that are not exchange customers or have no available KYC information. Further, emerging cryptographic mechanisms including zero-knowledge proofs (ZKP), ring signatures, and other privacy-centric approaches may impact an organization's ability to determine cryptoasset provenance.
It is important to acknowledge that a degree of anonymity does not mean that transactions are inherently illegal or malicious. Anonymity presents a unique challenge to KYC programs, specifically the requirement for organizations to maintain the ability to identify and monitor the provenance of customers' cryptoassets, the parties they are transacting with, and their overall crypto transaction activity.
Crypto businesses can take advantage of the underlying blockchain technology to analyze and determine the provenance of customers' cryptoassets. Such analysis is not easy but can be aided by the use of third-party data providers. The analysis can enable traceability of cryptoassets and identify if given crypto address may have been involved in foul play. While there are ways a fraudster can intentionally distort or confuse the history of the assets (e.g., using services such as 'tumblers' or 'mixers'), sophisticated data analytics could identify instances in which these programs were used and can assign an appropriate risk rating for transactions. Using these data providers and other blockchain features, crypto businesses can start to build a view of the provenance of customers' cryptoassets over time. This will also have to be balanced with a crypto business's need for protecting competitive intelligence.
Standard practices around determining cryptoasset provenance (e.g., number of 'hops' to look back within the blockchain) are yet to be established, and organizations will need to consider this risk as part of the buildout of their KYC.
There are still a number of open questions about how institutions should apply existing regulations to crypto transactions:
Are cryptoassets physical? Financial institutions are required to file a currency transaction report (CTR) for physical cash transactions of more than $10,000. Crypto by definition is not physical, but it is still treated and used as cash by some.
Do cryptoassets travel? The Travel Rule, predominantly designed for wire transactions, requires financial institutions to provide certain information to the institution accepting the transaction, but the decentralization and anonymity of cryptoassets may impede compliance with the rule.
What about Office of Foreign Assets Control (OFAC) and Sanctions obligations? The OFAC is considering adding crypto addresses to its list of persons or entities that are sanctioned or blocked from financial activity.
Do crypto trading platforms need a license? New York State requires virtual currency businesses to obtain a BitLicense that set extensive AML, cybersecurity, and fraud rules. Other states have similar but less extensive licensing requirements. It remains to be seen if this idea will be adopted federally.