Nested cryptocurrency wallets and ‘correspondent’ exchanges: new tricks for an old dog

11 min readFeb 4, 2020

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

For all the innovation the virtual asset space has brought to bear on the financial services sector, the two environments do occasionally share — perhaps unexpectedly — certain similarities in how they operate. More than that, we are beginning to see these similarities exploited in familiar ways by those few bad actors looking to use cryptocurrency for illicit exploitation.

One of these comparisons pertains to how criminals use correspondent banking networks in the fiat (regular money) world for purposes of money laundering. Similar behaviour is arguably emerging in the virtual asset space. This article attempts to explore the emergence of the virtual equivalent of correspondent networks and explains the implications and possible solutions for anti-money laundering professionals.

🌎 A gateway to the world 🌎

In the early 19th century, an emerging global trade required businesses to have access to foreign markets and the ability to move money across borders. This was a challenge, however, as the infrastructure connecting financial institutions around the world was lacking. Historically, there were limitations on geographic expansion by banks, reducing their ability to facilitate the movement of value internationally without opening branches abroad.

The solution was to establish a set of channels and relationships that could connect the world financially, known today as ‘correspondent banking’. Correspondent banking is the provision of banking services by one bank (the correspondent bank) to another bank (the respondent bank). Correspondent banks act as intermediaries between banks in different countries and play an essential role in economies around the world, enabling local banks to carry out cross-border transactions[1] to markets beyond their own geographic reach[2]. A local bank in Costa Rica, for example, that has received instructions from one of its customers to wire funds to a bank account in Japan with which is does not have a connection, could do so with the help of a correspondent bank in the middle, helping to route the transaction and bridge the connection between the two banks.

🐦 A cuckoo in the nest 🐦

But what does this have to do with the virtual asset industry? The answer lies in what is known as ‘nested accounts’. In fiat money terms, nested accounts — or “nesting” — is where a respondent bank provides downstream correspondent services to its customers, and processes these transactions through its own correspondent account. In the example shown below, person A is a customer of Bank ABC (the respondent bank) — a local domestic bank located in their country of residence. Bank ABC has a relationship with a correspondent bank for purposes of facilitating international transactions.

When person A requests a wire payment be made from their account to an account at a foreign bank, it is Bank ABC who makes the request for the transaction to the correspondent bank. Person A is never known to the correspondent bank. Their account is essentially ‘nested’ behind the Bank ABC.

This is a normal part of correspondent banking. It requires, however, the correspondent bank to conduct enhanced due diligence (“EDD”) on the respondent bank as they are effectively processing transactions for individuals or entities for which they have not conducted due diligence themselves. And herein lies the risk from a money laundering perspective. Nested accounts, and the individuals or entities behind them, are only known by the respondent banks that service them. This opens the door to several potential money laundering scenarios.

Consider an individual residing in a sanctioned country looking to move funds in to the U.S. Knowing it would be impossible to move these funds directly using the banking network in their country, they set up an account in a non-sanctioned country that they know would be willing to accept their deposit and which has correspondent banking relationships with the U.S. From here, the individual simply instructs that bank (the respondent bank in this case) to move the funds on their behalf, through the network, with the correspondent bank never knowing their identity.

₿ 💵 Virtual asset service providers 💵₿

So how does this scenario manifest itself in the virtual asset industry? By far the most common way that people buy and sell cryptocurrency today is through so called virtual asset service providers (“VASPs” — otherwise known as cryptocurrency exchanges). Of the different types of exchanges, centralized cryptocurrency exchanges represent the lions share in terms of popularity and trading volume. Centralized exchanges facilitate the exchange of virtual currencies and earn revenue from transactions taking place on their platform[3]. Examples of popular exchanges include Coinbase, Binance, Bitfinex, and a number of other platforms. Many of these exchanges experience large daily trading volumes by their users, who utilize such platforms for their deep liquidity, security and user experience. Studies have shown that the top 10 exchanges made up 60% of total trading volume of the crypto market. Historically, the top 25 exchanges have even accounted for up 90% of total market volume[4].

In order to benefit from the functionality these platforms offer, a customer will typically be required to create an account which they can fund with either fiat money and / or virtual currency. To fund an account with virtual currency, a user must operate a cryptocurrency wallet from which they can send funds to the exchange. For purposes of explanation, a cryptocurrency wallet is a software program that enables users to send and receive digital currency and monitor their balance. If you want to use Bitcoin or any other cryptocurrency, you will need to have a cryptocurrency wallet[5].

Historically, centralized cryptocurrency exchanges operated in a largely unregulated environment, with many providing services to customers with little or no procedures in place to verify who their customers were. To the aspiring money launderer, this was potentially an opportune avenue through which to layer the proceeds of crime, offering a platform where funds can be deposited, exchanged and withdrawn with little or no questions asked. But this is changing. Cryptocurrency exchanges are increasingly being captured by many existing or updated AML (anti-money laundering) regulations around the world. This means they must operate and maintain AML programs including identifying and verifying customers, monitoring customer behavior and submitting suspicious activity reports or equivalents to jurisdictional authorities such as FinCEN. A number of the major exchanges mentioned operate with such controls, or versions of them, and have done for some time. Not only are they now subject to traditional know-your-customer (“KYC”) obligations, the tools employed by some exchanges nowadays to scan, monitor cryptocurrency and report transactions for suspicious activity are becoming more prevalent.

Therein lies the challenge for the money launderer. VASPs offer attractive levels of liquidity, convenience and speed, but increasingly do not provide the anonymity required. Enter the nested cryptocurrency wallet.

♻️ Nested wallets and respondent exchanges ♻️

We are beginning to see the crypto equivalent of nested accounts and correspondent — respondent relationships emerging. While such arrangements bring with them legitimate benefits for their users, they also present new anti-money laundering considerations for the industry.

There are now several ‘instant exchanges’ around the globe. These platforms operate by setting up accounts on multiple major cryptocurrency exchanges under their own name, thereby gaining access to each exchange’s functionality, liquidity and coins on offer. Individuals can set up an account at the instant exchanger, and benefit from the ability to access various coins and exchange rates without the need to open accounts at multiple exchanges. It is analogous to hotel booking websites that aggregate all hotel room rates and offers under one platform, saving you the need to shop around multiple individual hotel brands to find the best deal. Examples of instant exchanges include Coinswitch, Changelly, and ChangeNow.

Many of these platforms never require their users to verify their identity or even open an account, offering them the ability to exchange pairs of funds with no limits. The example below illustrates one method of how funds are exchanged through an instant exchange platform:

1. An individual visits an instant exchanger platform and selects the cryptocurrency pair they would like to exchange. For example, the user has Bitcoin which they would like to exchange for Litecoin. They are presented with an aggregated list of exchange rates on offer across multiple major centralized exchanges with which the instant exchange platform has an account. The individual selects a desirable exchange rate from the list presented to them;

2. The instant exchange platform then generates a wallet address for the individual to send their Bitcoin to. The address provided is controlled by the instant exchanger and crucially, is not located on the major exchange where the exchange will eventually take place. The individual sends the bitcoin from their cryptocurrency wallet to the wallet address provided by the instant exchanger;

3. Once received, the instant exchanger sends the bitcoin from their wallet to the account they hold at the major exchange which has been selected for the exchange and conducts the exchange to Litecoin on that platform;

4. The instant exchanger then returns the newly exchanged funds back to the customer, and the process is complete — often in a matter of minutes.

This is an appealing option for someone looking to clean their ill-gotten crypto. Firstly, the instant exchange platform has not collected any identifying information from the customer, or indeed any information which would allow their identity to be verified. They often only require a cryptocurrency wallet address (the unique identifier of the customer’s cryptocurrency wallet) in order to know where to send the customer’s funds once they have been exchanged on their behalf.

Secondly, the process happens in a matter of minutes, and is an effective way of breaking the money trail and layering the customer’s money. This is due to the way that centralized exchanges handle customer crypto funds. A recent article by Peter Warrack published on ACAMSToday.org explains this concept[6]. The process of depositing and exchanging funds on a centralized exchange results in them being pooled together and mixed with other customer’s funds. It is therefore highly unlikely that a customer would ever receive back the same cryptocurrency they have deposited, effectively breaking the money trail, ridding them of their criminal proceeds, and providing back ‘cleaned’ cryptocurrency.

The example above of an individual using an instant exchange platform resembles, in many respects, the notion of nested accounts referenced earlier in the correspondent banking network. In this scenario, the major centralized exchange is the entity executing the trade on behalf of customers of the instant exchange platform, in the same way that correspondent banks do for their respondent bank relationships. Additionally, the major centralized exchange does not know the individual or entity for whom they are conducting the exchange. They are interacting with the instant exchanger as a customer, not the user sitting behind the instant exchanger with their nested cryptocurrency wallet.

🕵️‍♂️ Spotting the intruder 🕵️‍♂️

Happily, there is a growing body of knowledge and technological capability at hand that can help identify this type of activity. Initiatives such as Project Participate[7] have compiled extensive and ongoing research on the indicators of suspicious activity in a crypto context and is a highly recommended source of information to help guide compliance professionals on the behavioral indicators they should be aware of.

Furthermore, a recent ACAMS Today article titled, “Virtual Assets: Calibrating the Compass of Suspicion”[8] talks to a number of typologies that are appropriate in this context. An operator of a centralized cryptocurrency exchange that is being utilized by an instant exchange platform would likely see a high and consistent volume of deposits followed shortly by an exchange of funds and a request to withdraw those funds from the exchange. This in itself is not necessarily suspicious but should be considered alongside other indicators. For example, using certain blockchain analytics tools, it is possible to view the amounts deposited at the instant exchange platform and even to observe whether there is direct or indirect exposure to sources such as Darknet marketplaces, mixing services, gambling sites, wallets known to be involved in illegal activities, and/or theft or ransomware reports. Commercially available blockchain analytics tools such as Chainalysis, Blockchain Intelligence Group, Crystal, CipherTrace, and Elliptic can help visualize this type of activity.

Recognizing that not everyone will have access to such tools, organizations should work to design policies and controls that allow them to further understand their customer, in this case, the instant exchanger, and the profile of the instant exchanger’s customers. There is useful guidance in a fiat context from standard setters such as The Financial Action Task Force (FATF) and the Wolfsberg Group which can help here. They recommend enhanced measures and controls that correspondent banks should implement when looking to understand more about their respondent bank relationships. There are many parallels with this guidance that could be adapted to a virtual context. For example, FATF’s ‘Correspondent Banking Guidance’ states:

When entering into a business relationship, as a first step, the correspondent institution should identify and verify the identity of the respondent institution, using reliable, independent source documents, data or information;
Additionally, the correspondent institution should gather sufficient information to understand the purpose and intended nature of the correspondent banking relationship with the respondent institution. This includes understanding what types of customers the respondent institution intends to service through the correspondent banking relationship and how it will offer services (e.g. through nested relationships)[9];
Correspondent institutions, in assessing the risks of their respondent, must ensure that the assessment is sufficiently robust to consider all the relevant risk factors. By doing so, the different levels of inherent risks are clearly understood and appropriate controls applied to each, ensuring the effective management of these risks.

These are a few of many practical examples of guidance which can be translated into the policies and controls of a cryptocurrency exchange; the equivalent of the correspondent bank in this situation.

Summary

For all the innovative leaps forward this space brings, the virtual asset industry presents new and previously unseen financial crime considerations for us to comprehend. This article has attempted to raise awareness of a unique type of business that is emerging in this space, and has sought to make a link to what it means for compliance professionals.

Much knowledge is being built and documented around how to effectively combat criminal activity in the virtual asset space and yet, for all its intricacies, there are several parallels that can be drawn between this world and the well-documented fiat money laundering typologies. It is important that we as compliance professionals understand where these areas of crossover exist and translate this thinking in to policies and controls that are relevant for a virtual context. When seeking to identify, manage and mitigate virtual asset money laundering risk, part of the solution is nested within our existing understanding of how money is laundered outside of the virtual realm.

……

Authors:

📝Giles Dixon, CBP, CCI, BA, Senior Manager, Virtual Asset Risk Advisory, Grant Thornton LLP (Canada)

📝Peter Warrack, CAMS, CBP, CCI, CFE, CEO Blocktrain AML Solutions Inc.

……

👉LINKEDIN: www.linkedin.com/in/gilesdixon

……

[1] https://www.acamstoday.org/de-risking-and-financial-inclusion/

[2] https://core.ac.uk/download/pdf/6608801.pdf

[3] https://medium.com/haloplatform/centralized-versus-decentralized-whats-the-best-crypto-exchange-for-you-d71fdd89ac6

[4] https://drive.google.com/file/d/1lTsD7du_D-mOR9x28faNnoY3sbnc7Cx8/view

[5] https://blockgeeks.com/guides/cryptocurrency-wallet-guide/