With the passage of the EUs 5th 'MLD' (Money laundering Directive) to include VASPs (Virtual Asset Service Providers) / Crypto firms to ID&V and monitor transactions in line with recording and reporting obligations. There has been a rapid need for fellow Anti Financial Crime practitioners and operating model change agents within 'FS' (Financial Service) to upskill and expand their knowledge. That goes way beyond KYC and alert handling. The evolution of NextGen Tech 'DLT' (Distributed Ledger Technology) has generated a flourish 'DeFi' (Decentralised Finance) ecosystem of Crypto / 'VA's (Virtual Assets) that has paved the way for start-up tech firms to facilitate and offer exchange and safe custody of VA's. These VASPs as a start-up industry, is gaining the traction of transaction trust from a user community, as well as many established FS's (like VISA) and many jurisdictional regulators, that now embeds Crypto within the formal financial system.

A community of knowledge sharers

Considering current and historical wrongdoing. The inherit risks of borderless Blockchain that in many use-cases, abuses pseudonymisation to disguise identity to circumvent AML controls when storing or transferring dirty value, that facilitates illicit harm to people the environment. The good news is 'Anti Crypto Crime' communities, organisations and technologies are now GLOBALLY popping up, responding, and flourishing by offering brilliant FREE webinars, training sessions that in-turn are Masterclasses of refined and continued academic debate. All that have incredibly esteemed panellists and participants, via forum-chat, as a rich knowledge source.

It goes without saying, money laundering does not respect boarders, so I for one am grateful for such a global and borderless response from a group of diverse and talented thought leaders. Highlighting the ongoing challenges of the ramp up and adoption of VAs / NFTs (Non-Fungible Tokens) as a credible asset-class. As well as the technologies AKA Crypto RegTechs, that brings the much-needed confidence and integrity to the DeFi and smart contract marketplace, that again is a borderless ecosystem. That presents a new wave of jurisdictional enforcement problems, as well as operational pain points and accountability tensions that need to be ironed out and ratified , as the ecosystem evolves and compliance frameworks mature to meet sound governance expectation.

Further, these new learnings provide opportunity to be ahead of the curve, with the understanding and application of FATF guidance and the much awaited 'Travel Rule' that is generally cascaded and put into force by sovereign states. As stipulated regulation and legislation, thus deter governmental ignorance, and prevent member states going to grey list during the 'FATF country mutual evaluation' process.

Sanctions and ramifications of non-compliance

As we are all too aware Crypto / VAs can sadly be misused for nefarious activities predominantly with the rise of ransomware. COVID has created a work at home culture, that has expanded the cybercriminals attack surface to exploit certain vulnerabilities. Bad actors who have held many firms siege with ransomware for a ransom. Demands of a ransom always being requested via payment of Crypto. It must be noted that the U.S authorities have taken some lead to tackle this problem. OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program. With over 800 VASPs in 80 countries, it is imperative to screen against OFAC watchlist irrespective of jurisdiction.

If there is any suspicion or evidence that bad 'cyber actors' are extorting ransomware payment may be sanctioned or otherwise have a sanctions nexus. OFAC has designated numerous nefarious cyber actors under its cyber-related sanctions program and other sanctions programs, including cyber criminals and those who facilitate ransomware transactions as a VASP. OFAC has provided clear details for contacting relevant U.S. government agencies -including DEA, FBI, FinCEN and OFAC and has highlighted sanctions risks in on the (US) treasury.gov website. VASP or any entity that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations, therefore putting themselves and the key principles at risk of being placed on the OFAC sanctions list. Which no law-abiding citizen would wish for.

Plausible justification for Crypto

Equally, legitimate rationales such as data privacy and humanitarian, like unbanked refugees who have worked hard and need to store value against oppressive regimes or those who got on the Crypto bandwagon early. As traditional and 'CeFi' (centralised finance) and DeFi converge as a trusted and traceable conduit to transfer value globally. Irrespective, if you are currently working for a FS firm that has an all-out ban on VASPs / Crypto firm onboarding. You simply cannot steer away from the complexities and nuanced affiliation that many AML practitioners will have to consider then opine, when met with a segment of Crypto when investigating both source of funds, wealth, and transaction. I very much doubt any bank will offboard Tesla or Elon Musk's interests, who publicly advocates and invests in virtual assets and coins.

Crypto's SOW

As this emerging breed of Crypto millionaires become HNWI (High Net Worth Individual) type, they will unequivocally have to demonstrate a credible narrative of how they derived their wealth, as they seek to diversify investment and spender (who would not!), that is SO reliant on traditional finance payment networks to procure luxury and high lifestyle living.

As this trend accelerates, there is an imperative discipline for rigorous, verified and validated 'SOW' (source of wealth) memo's that can sufficiently prove Crypto wealth, that is not placed or integrated from cyber-criminality or any other predicated offences, as prescribed within EUs 6th MLD. But, from the good investment of the surge of Crypto value, that will need a forensic and plausible audit trail to appease competent authorities and regulators.

Conclusion

illicit finance, be it proceeds of crime or good value funding wrongdoing like terrorism, unfortunately fuels adverse life changing ramifications, at worst costs lives, as well as conservation and environmental impact. As we all strive to continually improve to be vigilant and be better versions of ourselves. I could not encourage more a wider community of experts or Financial Crime experts to broaden their AML scope within VAs / Crypto. Again, these webinars are FREE and inclusive to all! That affords every AML practitioner, the permission to learn, by getting involved and participating into this evolving, comprehensive and fascinating conversation.

My view is Crypto is not going away, and compliance is a collective zeal, therefore, should be collaborative, never competitive.

This is a guest blog written by James Emin in association with Twenty84 and Raw Compliance.

James Emin is a qualified AML and GDPR compliance Business Analysis and Project Manager. 15 years of experience within Financial Crime, starting as a KYC analyst through to becoming an SME, as a career contractor. Whilst supporting and running change management projects at many leading regulated institutions, was then that he realised technology would be adopting much of the human effort that drove him to be a BA, tech change agent and thought leader. Therefore, he is passionate about nuancing the complexities of illicit value, from storage to borderless transfer and how Fincrime operating models need to be resilient to meet ongoing threats and typologies by using both agile and Value Engineering methodologies to optimise resources. Ranging from Proliferation Finance, FinTech and Regtech which led him to scribe other thesis's.

He holds an International Diploma in Business Analysis (BCS) and is AgilePM, Prince2, GDPR certified at practitioner level.

Raw Compliance provides ​a global platform for compliance professionals, and those interested in compliance, to build a global community to develop new skills, learn from experts, collaborate, network and try new initiatives.

Cryptoassets and cryptocurrencies have been gaining in recognition and awareness in recent times. There are now more than 4,000 cryptocurrencies on the planet, of which Bitcoin is the most well known. Here is a chart of the bitcoin price over the last 12 months (source Coindesk), which shows an increase greater than the factor of six:

Despite this increasing popularity, is there a danger that cryptocurrencies can be used for illegal activities such as fraud, money laundering and terrorist financing?

At one end of the scale is the view that as all transactions occur on a blockchain platform and are visible to all, there is no chance of misuse. At the other end of the scale is the view that just as "where there's muck there's brass", the corollary applies, and someone will always find a way into a system, or to abuse a system. The answer lies somewhere in between.

Cryptocurrencies and Money Laundering

It is possible to obfuscate the ownership of cryptocurrencies, some of which have more privacy features than others. The market has not just seen the rise of cryptocurrency exchanges, but also of mixing and tumbling facilities by which cryptocurrencies are bundled, divided and redistributed amongst different accounts. This makes tracing harder to conduct, but not impossible, as displayed in a Canadian case in 2019 involving seizure of CAD 1.4m of bitcoin, and the seizure by US authorities in 2020 of a USD 1 billion Bitcoin wallet associated with the notorious Silk Road dark web criminal supermarket.

The Financial Action Task Force (FATF) released guidance on VASPs "Virtual Asset Service Providers" (known as Digital Assets in certain countries) in 2019.* Countries are now required to assess and mitigate their risks associated with virtual asset financial activities and providers; license or register providers and subject them to supervision or monitoring by their national authorities. VASPs are subject to the same relevant FATF measures as those that apply to financial institutions. The guidance addresses:

• How do virtual asset activities and VASPs fall within scope?
• How should countries apply the Recommendations in the context of virtual assets or VASPs?
• How do the Recommendations apply to VASPs and financial institutions?

The guidance also includes examples of national approaches to regulating and supervising VA activities and VASPs to prevent their misuse for ML and TF. Cryptoassets are developing rapidly and the FATF guidance was revised a year later.**

The report reviews implementation and sets out:

• how ML and TF risks and the virtual asset market have changed since June 2019;
• progress in implementing the revised Standards;
• the private sector's progress in implementing the revised Standards, including the development of technical solutions for the implementation of the "travel rule";
• issues with the revised Standards and Guidance; and
• next steps regarding virtual assets.

The report finds that both public and private sectors have made progress in implementing the revised Standards. 35 of 54 jurisdictions advised they have now implemented the revised Standards, with 32 of these regulating VASPs and three prohibiting their operation. The other 19 jurisdictions have not yet implemented the revised Standards. While supervision of VASPs and implementation of AML/CFT obligations by VASPs is generally nascent, there is progress. In particular, there has been development of technological solutions to enable the implementation of the "travel rule" for VASPs, even though there remain issues to be addressed by public and private sectors.

The VA sector is fast-moving which means continued engagement between public and private sectors is necessary. FATF has agreed to continue its focus on virtual assets:

• continue enhanced monitoring of VAs and VASPs and undertake a second review of implementation of the revised FATF Standards by June 2021;
• release updated Guidance on VAs and VASPs, addressing stablecoins, anonymous P2P transactions and travel rule implementation;
• promote understanding of ML and TF risks involved in VA transactions and potential misuse of VAs for ML and TF purposes;
• enhance its engagement with the private sector, including VASPs, technology providers, technical experts and academics, through its Virtual Assets Contact Group; and
• continue its program of work to enhance international cooperation.

Cryptocurrencies and Terrorist Financing

Terrorist financing is a different issue to money laundering. It does not cost much to create a significant terrorist incident. The Bali bombing of 2002 killed just over 200 people. The cost for the terrorists to mount the operation was estimated at AUD 25,000 (about GBP 14,000). The attacks in the US in September 2001 killed nearly 3,000 and caused insurance losses of around USD 40 billion. The cost to mount the operation was estimated at USD 400-500,000. The costs of the "War on Terror" since are put at USD 6 trillion. This is just the cost to the US economy.

There is evidence that terrorists are now using cryptocurrencies to finance their operations. Last September French police arrested 29 suspected members of a Syrian related terrorist gang and charged eight of them with terrorist financing. French counter terrorism police alleged widespread anonymous purchase of cryptocurrency coupons from tobacconists across France, which were then credited to accounts opened from abroad by jihadists, who were then responsible for converting them into cryptocurrency on bitcoin purchasing platforms. France as a result has announced compulsory KYC requirements for all crypto companies operating in France, including companies not based in the country. Crypto-to-crypto exchanges will also have to be registered.

Red Flags

So how can you try and spot the misuse of cryptocurrencies? There are a number of red flags to look out for on transactions, which, depending on the circumstances, may lead you to develop a suspicion as to the true provenance of the value involved in a transaction, or the true activities of those involved. Here are the indicators developed by FINTRAC, the Canadian FIU, as an example (taken in isolation, these may be innocent of course, or there may be another legitimate explanation involved):

It is important to note that depending on your business activities, some of these ML/TF indicators may not apply.

• Client portfolio only consists of privacy coins or has a high value in privacy coins (For example, Monero, Dash, Zcash)
• Client transfers Bitcoin in large volumes in exchange for privacy coins (For example Monero, Dash, Zcash, etc)
• Client is unwilling or unable to provide information about the source of privacy coins they once held or currently have
• Virtual currency addresses match addresses on recognized watch lists such as the list of the Office of Foreign Assets Control (OFAC) or law enforcement information
• Many individuals register with the exchange within a short period using a shared address, mobile device, phone number, IP addresses and other common identity indicators
• The client's virtual currency wallet or address is linked to fraudulent activity in media reports and/or cyber security bulletins
• A platform receives unusual or persistent requests from other exchanges/vendors/service providers in respect of a client's deposited funds
• A broker charges abnormally high commission fees compared to the industry standard
• The white paper is of poor quality, incomplete, misleading, and has limited information
• Publicity is created around the initial coin offering (ICO) (advertisements, celebrity endorsements, social media ads), also known as pump and dump ICOs
• The developers are anonymous or information provided about the ICO cannot be verified
• There is no access to the smart contract, to the code or to technical information about the token's creation
• There is no possibility to sell the investment or to exit the project to recover the invested funds
• A series of complicated transfers of funds to multiple addresses or wallets that seems to be an attempt to hide the source and intended use of the funds
• Transactions take place at the same time of day. Transfers from fiat to virtual currency and virtual currency to fiat
• High volume and frequency of transfers between different types of virtual currencies
• Client provides an anonymous email address obtained through an encrypted email service
• Funds are deposited or withdrawn from a virtual currency address or wallet with direct and indirect exposure links to known suspicious sources, including darknet marketplaces, mixing/tumbling services, questionable gambling sites, illegal activities (for example, ransomware) and/or theft reports
• Funds flow through a large number of intermediate addresses in a very short period of time prior to being deposited in a client's wallet, or just after being withdrawn
• Virtual currency passes through mixers/tumblers and is transferred to multiple wallets, where the funds are cashed out
• The virtual currency's funds originated from an over the counter trade broker that advertises its services as privacy-oriented/anonymous
• Virtual currency address has links or hops from a wallet address that has appeared on online platforms indicating support for violent extremism or radicalization (including social media, ads on fundraising sites, sites on TOR or messaging sites)
• The source of funds used for the purchase of large amounts of virtual currencies is unknown
• The email address used in the transaction is linked to advertisements for the sale of virtual currencies on peer to peer exchange platforms. These advertisements may suggest that the client is buying and selling virtual currency on a commercial scale through a business as a non-registered money services business
• The client frequently receives funds from multiple payment processors
• The client makes frequent payments or transfers to companies, post office mailing services or uses money orders from agents of the Crown for the purchase of computer software or hardware

Cryptoassets are here to stay, but just as with non cryptoassets there are good ones and ones which are not so good. Thus you need to assess how to differentiate between them, how each particular cryptoasset ecosystem works, how it can be abused, as well as how to select the ones which work best for you, and avoid getting caught up in cryptocrime.

* FATF Guidance on VASPs
** FATF Guidance on VASPs revised

Following the EU's publication of its proposed Regulation on Markets in Crypto Assets (MiCA) on 24th September, we are delighted to have had the opportunity to write a guest blog for BCB Group on what these new regulations entail, and how Brexit will impact this.

The Build Up

It is now more than a decade since bitcoin was created and some are asking whether the cryptocurrency world will attract some form of specialised regulatory coverage. If so, will it be treated like FX, which in many countries is unregulated as regards trading on a spot basis, but often regulated in terms of derivatives and funds? Will it be bespoke or will some other regime apply?

Legal and regulatory development has lagged far behind technological development in this area. Development of appropriate law and regulation has been sporadic and uncoordinated internationally. Commercially, bitcoin is very much the market leader, but there are now hundreds of cryptocurrencies in issue. Commercial use has started developing and you can now pay school fees, or professional bills in cryptocurrency. There are now ATM machines. Central Banks are debating about introducing their own digital currencies and the Chinese have started their first trial use.

Regulation usually follows the emergence of a new asset class, and cryptocurrency looks like it will be no exception... Click here to read the full blog on BCB Group's website.

BCB Group is Europe's leading provider of business accounts and trading services for the digital asset economy. BCB Group provides accounts and payments processing for the world's largest crypto-engaged financial institutions including Bitstamp, Coinbase, Galaxy, Gemini and Kraken, in most major fiat and cryptocurrencies.

It's no secret that blockchain-based systems are rapidly becoming a part of our everyday lives, not just in a peer-to-stealthy-peer, underground-darkwebs way, but also on a systemic level.

This list by Forbes titled "Blockchain 50: Billion Dollar Babies" illustrates the world's biggest companies like Google, Facebook, JP Morgan Chase, Amazon, and others all working on their own blockchain projects today.

Thanks to the genius of an unnamed coder(s?) known as Satoshi Nakamoto, who created the Bitcoin code, parts of this system were used to fuel thousands of cryptocurrencies, companies, and projects today, none of which would have happened without Bitcoin. Talk about creating your own business!

In fact, very recently was Bitcoin's 12th birthday, a round date that brought about equally round figures for its "CEO" (currently missing in action for over a decade) and early pioneers: bitcoin the token rose in price from tenth of a penny to $15400 apiece, in 12 years it has never been hacked, and now its creator's code is getting implemented all over the world. Not bad for a 12-year-old. But if these are just baby steps, what happens next?

Why are companies becoming more and more interested in blockchain?

This example of HSBC completing the world's first paperwork-free deal using Corda R3 blockchain is one no-nonsense illustration of what IBM.com calls "significant business benefits, including greater transparency, enhanced security, improved traceability, increased efficiency and speed of transactions, and reduced costs".

Transactions that take minutes, not days, fees smaller by several orders of magnitude, ability to provide complete proofs and auditable logs for anyone to see, are just a small snapshot of what blockchain can offer the world's companies today. And this is why in this rapidly developing sphere, the demand for people is desperate.

With over 140 000 000 users in Bitcoin alone according to Bitcoin expert Andreas Antonopoulos, this industry is increasing its sphere of influence at a staggering pace. But for that it needs people – and for people to take crypto seriously, and to trust this industry, there needs to be safety and security in the niche.

In response, more countries across the globe are beginning to introduce crypto regulations. But what does this mean exactly, and how is it likely to affect FinCrime and Compliance recruitment?

Are there regulations already in place?

Governments all over the world are already putting in dramatic efforts to make crypto safe everywhere. This industry is a lot safer than in the early days thanks to law and order (for instance, putting a stop to Silk Road made this sector a lot more secure; improving security mechanisms around Initial Coin Offerings and introducing Initial Exchange Offerings allowed for greater safety of public funds).

In the UK, just a few days ago (at time of publishing), Chancellor Rishi Sunak announced that the government is researching CBDCs as an alternative to cash, and that the Treasury is drafting proposals to regulate private stablecoins. This is a strong indication that the government believes digital currencies can transform financial services, and follows on from three other recent notable moves by the UK regulators in terms of crypto regulation:

• From 10th January 2020 any UK businesses carrying on cryptocurrency activity will have to register with the FCA and have until 10th January 2021 to do so, otherwise they must cease trading.
• The government are currently analysing responses to their consultation around bringing certain crypto assets into the scope of financial promotions regulations, with the purpose of "enhancing consumer protection while continuing to promote responsible innovation."
• Last Month, the FCA announced that the sales, marketing and distribution of crypto derivatives to retail consumers will be banned in the UK, arguing that the ban provides an appropriate level of protection to retail consumers, who are at a high risk of suffering losses from trading crypto-derivatives

Across the world, not only is crypto being affected by the classical banking structures, classical banking structures are employing crypto. Just one example of this happened very recently, when the Reserve Bank of Australia announced that it is planning a proof of concept (PoC) for a wholesale central bank digital currency (CBDC) based on distributed ledger technology (DLT), or more specifically, Ethereum blockchain technology.

"We are aiming to explore the implications of CBDC for efficiency, risk management and innovation in wholesale financial market transactions."

Michelle Bullock, Reserve Bank Assistant Governor

As government interest in CBDCs is increasing, crypto exchanges are also undergoing structural updates in accordance with emerging regulation requirements both from the outside and the inside:

• In many countries around the world crypto exchanges are required to have a license to operate.
• In terms of internal regulation, here's one illustration of having good controls in place: compare a crypto exchange today that makes sure it has a reserve fund to compensate users in case of a hack, and an exchange in the early days of Bitcoin like MT Gox, who didn't have any regulatory framework at all.

A certain balance has to be reached, of course, between users having security and privacy (this example of Coinbase users' indignation about exposure of their private data illustrates the importance of maintaining data integrity). But surely a way out could be put together that would protect users from fraud as much as possible and at the same time allowed them to keep their data their own?

With technologies like zero-knowledge proofs that enable users to confirm authenticity without giving up private data, there seems little doubt that enhanced regulations will be implemented soon.

If blockchain is such a tempting prospect why hasn't the government already fully regulated Crypto?

As many more global companies around the world use Bitcoin and blockchain to vastly improve their businesses, millions more users are joining the network. Since the beginning of the emergence of blockchain technology, governments have introduced regulation to try to minimize the risk of crimes, which were rampant pretty much from the beginning, giving Bitcoin a bad name from the get-go.

Just as dollars can be and are used to sponsor crimes, so can crypto, thanks to the fact that many, if not all, of its features are much more advanced than those of the fiat financial systems. Meanwhile, no-one is banning the USD on those grounds, and it logically follows that crypto shouldn't be seen only as the tools of drug lords and terrorists in just the same way.

Instead, introducing clear and meaningful regulation will put an end to lawlessness and fear associated with crypto for many users (take, for example, 80%+ of ICOs turning out to be scams) and could very well mean the beginning of rapid global adoption for crypto.

Governments are becoming much more accepting of crypto. This is evident when comparing in how many countries crypto was legal 5 years ago and now. In fact, all developed and affluent countries are now allowing crypto in one form or another, and comparatively there aren't many left who don't.

What's left to do?

As more and more governments study and understand Blockchain and its benefits, the crypto eco-system and its main players, it's becoming obvious that the only thing standing behind crypto's indescribable potential for good and a much more fair, simple, and noble world are clear regulations.

Ultimately, it is very likely that cryptocurrencies will become increasingly mainstream in the near future, and this increases both the potential for crime, and the need for regulations across the globe; so it follows that FinCrime and Compliance professionals will see openings for more crypto regulation-specific careers in the future.

Chancellor Rishi Sunak said on Monday:

"We are starting a new chapter in the history of financial services and renewing the UK's position as the world's pre-eminent financial center. [...] Our plans will ensure the UK moves forward as an open, attractive and well-regulated market."

At Twenty84, we are already starting to see an increase in regulatory roles in the Crypto and Digital Assets space. An example of some of the roles that we have seen so far include:

• Head of Risk and Compliance (Crypto)
• Crypto AML Officer
• Crypto Compliance Analyst
• Regulatory Crypto Markets Expert

Twenty84 recently partnered with CryptoUK

CryptoUK is the UK's self-regulatory trade association representing the crypto asset sector. Since their launch in 2018, they have been raising awareness of the need for a supportive regulatory framework for crypto assets in the UK.

At Twenty84 we are increasing our focus on Crypto/Digital Assets regulatory hiring and growing our experience in the sector, so this partnership helps us to understand the skill gaps and requirements in this fast-moving industry, which means we can offer a knowledgeable service to our Crypto and Blockchain clients.

We are excited about the potential to offer plenty of interesting new careers and opportunities to our Financial Crime and Compliance network!

Is this something you would be interested in?

Get in touch to find out about the digital assets / crypto regulation roles we have available, or to discuss the regulatory skills requirements in your Crypto / Blockchain business.