From Intention to Action: Next Steps in Preventing Criminal Abuse of Cryptocurrency

Abstract

Cryptocurrencies pose challenges for the anti-money-laundering and counterterrorist financing (AML/CTF) regime. In principle, they can lessen reliance on financial intermediaries, such as banks, and enable users to transact pseudonymously or anonymously. An estimated 99% of cryptocurrency transactions take place through centralised exchanges, which can be subjected to AML/CTF regulation in a manner similar to traditional banks. Capitalising on this opportunity, the Financial Action Task Force (FATF) has mandated that virtual asset service providers (VASPs) should comply with a panoply of financial crime rules reminiscent of those that apply to traditional financial institutions. As states work on implementing the updated FATF Recommendations, it is not enough to diligently copy the FATF’s new requirements in domestic regulations. While the FATF Recommendations provide a framework for addressing cryptocurrency-related financial crime risks, domestic regulators need to make several key choices about the scope of AML/CTF regulation as applied to cryptocurrency businesses; support VASPs’ compliance efforts; and provide a credible deterrent for those VASPs that choose to abdicate their AML/CTF responsibilities. The appetite for engagement on these issues is demonstrated by several consultations launched by national governments over spring and summer 2019, such as those in the UK and Singapore. In the US, the Financial Crime Enforcement Network, the country’s regulator and financial intelligence unit, published a detailed guidance on ‘certain business models involving convertible virtual currencies’ in 2019. It stands out as a helpful example for other countries, but not necessarily the model to follow in all respects. This paper aims to support domestic authorities that will regulate VASPs and supervise their compliance with AML/CTF regulations in identifying the next steps they should take to effectively prevent criminal abuse of cryptocurrency. This includes action in the following areas: • Policing the regulatory perimeter. Whether a state wishes to regulate VASPs based overseas and, if so, what nexus is required between the VASP and the state in question, is a context-specific decision that should be taken based on: * The state’s interest in preventing its residents from accessing unregulated VASPs. * Its practical ability to enforce AML/CTF regulation against overseas VASPs. * Potential regulatory burdens on VASPs required to be registered in multiple jurisdictions. Once the decision is taken, regulators should use a wide range of intelligence to identify VASPs subject to their regulation, including through liaising with law enforcement agencies and encouraging registered VASPs to report, in confidence, potentially non-compliant peers. • Clarifying the definition of VASPs. While some businesses clearly fall within the five categories of VASP activities listed by the FATF, other business models can present regulators with some uncertainty. This is particularly so in the case of peer-to-peer (P2P) exchanges, which have the potential to weaken the role of centralised VASPs and so blunt the effect of governmental regulation. Although the predominance of centralised VASPs mitigates these concerns for now, drawing a justified line between regulated and unregulated activities is essential both as a matter of principle (to ensure that like activities are treated alike) and to anticipate possible displacement of illicit activity towards unregulated businesses. This paper argues that: * Whether a given business holds customers’ funds in custody should not be the determinative criterion for deciding whether it is subject to AML/CTF regulation as a VASP. Persons with meaningful control over P2P exchanges should bear AML/CTF obligations even if they do not hold funds in custody. This includes, for instance, persons who can unilaterally restrict access to the exchange or discontinue its operation. * Mixers should be subject to AML/CTF obligations and face regulatory or law enforcement action in cases of non-compliance, although such obligations should not extend to persons who merely develop mixing software protocols. * Regulators should keep their approach to AML/CTF regulation of cloud-mining companies under review. • Supporting compliance efforts. To facilitate VASPs’ AML/CTF efforts, regulators should: * Engage with VASPs to devise appropriate arrangements for complying with the ‘wire transfer’ requirement. * With support from law enforcement, consider arrangements for sharing the indicators of suspicion with VASPs to mitigate the inefficiencies of VASPs relying solely on their in-house experience, which inevitably varies across VASPs. • Creating a credible deterrent. To create a credible deterrent from non-compliance, states should take law enforcement and regulatory action against non-compliant VASPs or, when such action is not feasible, consider arrangements for sharing information about non-compliant VASPs with other regulated businesses to protect them from financial crime risks. • Addressing developments in anonymity. In the longer term, states need to consider technological advances that can render cryptocurrency transactions untraceable on a public blockchain, including the potential uptake of privacy coins or mixing protocols. To mitigate their risks, it is important that VASPs collect and analyse sufficient information about their customers’ activity, and the type of coin used may indicate the need for higher customer due diligence. Going forward, monitoring of the scale of criminal misuse of privacy coins and mixed transactions would help ensure that VASPs can make informed decisions as to the risks involved and their responses.