An Introduction to the Essentials of Anti-Money-Laundering and Know-Your-Customer in the Age of Cryptocurrency

Richard A Forsyth, DigiPort. 9 min read. Feb 6, 2019

By Richard A. Forsyth, JD, MBA, AMLCA

02/05/2019

What is KYC and AML?

Know-Your-Customer (“KYC”) and Anti-Money Laundering (“AML”) activities are the two sides of the financial-regulation coin that aims at preventing and catching illegal financial activity. Their purpose is to keep criminal and terrorist actors from participating in the modern financial system, divesting them of operating funds and assisting in their identification and apprehension.

KYC is essentially concerned with identification of participants in financial streams, including the initial determination of their qualification for financial products and services access, as well as the generation, refinement, and use of financial profiling in order to ascertain the legality of their ongoing financial activities. This means that KYC does not stop at merely reaching an initial conclusion on the veracity of identifying statements and corroborating documentation or evidence for the purposes of onboarding or credit decisioning, but also contemplates getting to know the individual or institution in order to reach a broader understanding of the nature and norms of their financial activities so that unusual activity can more easily be spotted and, when required, reported.

KYC is part and parcel of AML because the latter involves the identification of money laundering. As the US Financial Crimes Enforcement Network (“FinCEN”) states:

Money laundering involves disguising financial assets so they can be used without detection of the illegal activity that produced them. Through money laundering, the criminal transforms the monetary proceeds derived from criminal activity into funds with an apparently legal source.[i]

One key to understanding the scope of this definition in a modern context lies in the generic term “financial assets.” It means that any means of conveying a store of value may be a channel through which money laundering is accomplished. The remainder of the definition is self-explanatory: any attempt to mischaracterize deposits or transactions of such assets in order to avoid legal consequence is money laundering.

Financial services institutions in the US, and within the much broader sphere of US banking, are required to act as an extension of law enforcement for the purpose of keeping bad actors from using financial channels for illicit activity. This is a challenging responsibility and an activity that bears significant cost for such entities. Even for those who have maintained compliance for a long time, the costs can exceed ten percent of an institution’s operating budget; and when problems occur, as they almost inevitably do given enough time, fines levied by regulatory agencies can be sobering: $26 billion in fines has been imposed for non-compliance with AML/KYC and sanctions regulations in the last decade.[ii]

Upon whom is it requisite?

Financial institutions registered in the United States, such as banks, credit unions, pseudo-banks, and Money Services Businesses (MSBs).

Some Modern Context

The information age has brought most financial products and services within online reach, and so the speed and sophistication of money laundering have multiplied astoundingly.

The burden of KYC/AML compliance falls into two essential preventive categories:

(1) screening individuals in the onboarding process with the intent of prohibiting access to criminals and terrorists, and

(2) analysis and reporting of existing actors who have passed the onboarding process in order to stop malefactors in the act.

Reporting involves the submission of a Suspicious Activity Report (“SAR”) to the Financial Crimes Enforcement Network (“FinCEN”), appropriate law enforcement authorities, and certain affiliate institutions.[iii] Such reports cover any amount of transacted funds, including cryptocurrency, where insider criminal activity is observed; criminal activity where a total of $5,000 is involved and an actor or actors can be identified; and illegal transactions involving $25,000 or more regardless of whether any single individual can be identified. A transaction includes a deposit, a withdrawal, a transfer between accounts, an exchange of currency, an extension of credit, a purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument or investment security, or any other payment, transfer, or delivery by, through, or to a bank. Institutions are required to submit such a report where money laundering or any other criminal activity is suspected, where potential attempts to evade reporting are observed, or where the transaction(s) have no apparent lawful purpose — a wide scope for a basis of suspicion.[iv] The quality of such reports, particularly the narrative portion, requires judgment and experience; mistakes that needlessly impair the efforts of law enforcement can result in fines and damage to public image.

Additionally, financial institutions must file a Cash Transaction Report (“CTR”) for cash transactions exceeding $10,000 during a 24-hour period; the figure may be an aggregate of several transactions if the institution believes they originated from the same person. Types of currency transactions subject to reporting requirements, individually or by aggregation, include, but are not limited to, denomination exchanges, individual retirement accounts (IRA), loan payments, automated teller machine (ATM) transactions, purchases of certificates of deposit, deposits and withdrawals, funds transfers paid for in currency, monetary instrument purchases, and certain transactions involving armored car services.[v] Cash Transaction Reporting is much less complicated and can be automated (but monitored) for high-volume institutions.
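The aggregation rule above (same person, trailing 24 hours, total exceeding $10,000) is the part an automated CTR screen has to get right. The following Python sketch is an added example, not code from the original article or from any institution; the customer ids, timestamps, and amounts are constructed sample data, and it deliberately reports only candidates for an analyst to review before filing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as stated in the text: cash activity exceeding $10,000 within a
# 24-hour period, aggregated when it is believed to come from the same person.
CTR_THRESHOLD = 10_000
WINDOW = timedelta(hours=24)

# Constructed sample data (hypothetical customer ids and amounts, not real records).
SAMPLE_TRANSACTIONS = [
    {"person_id": "cust-A", "ts": datetime(2019, 2, 5, 9, 0), "amount": 4_000},
    {"person_id": "cust-B", "ts": datetime(2019, 2, 5, 10, 0), "amount": 9_000},
    {"person_id": "cust-C", "ts": datetime(2019, 2, 5, 12, 0), "amount": 12_000},
    {"person_id": "cust-A", "ts": datetime(2019, 2, 5, 15, 30), "amount": 3_500},
    {"person_id": "cust-A", "ts": datetime(2019, 2, 6, 8, 0), "amount": 3_000},
    {"person_id": "cust-B", "ts": datetime(2019, 2, 6, 11, 0), "amount": 2_000},
]

def find_ctr_candidates(transactions, threshold=CTR_THRESHOLD, window=WINDOW):
    """Return one (person_id, window_start, window_end, total) row for each
    point at which a person's cash activity in the trailing 24 hours first
    exceeds the threshold. Input rows need person_id, ts (datetime), amount."""
    by_person = defaultdict(list)
    for tx in transactions:
        by_person[tx["person_id"]].append(tx)

    hits = []
    for person, txs in by_person.items():
        txs.sort(key=lambda t: t["ts"])
        start, running = 0, 0
        for end, tx in enumerate(txs):
            running += tx["amount"]
            # Drop transactions older than the window before testing the total.
            while tx["ts"] - txs[start]["ts"] > window:
                running -= txs[start]["amount"]
                start += 1
            if running > threshold:
                hits.append((person, txs[start]["ts"], tx["ts"], running))
                # Reset so the same funds are not reported twice; an analyst
                # still reviews every row before a CTR is filed.
                start, running = end + 1, 0
    return hits

if __name__ == "__main__":
    for person, begin, finish, total in find_ctr_candidates(SAMPLE_TRANSACTIONS):
        print(f"CTR candidate: {person} ${total:,} between {begin} and {finish}")
```

In the sample, cust-A crosses the threshold only by aggregation, cust-C crosses it with a single transaction, and cust-B never does because the two deposits fall more than 24 hours apart.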

Failure to appropriately and accurately report SARs and CTRs can result in hefty fines, criminal investigation, and civil suit.

When financial institutions become aware that crimes have been committed, it is then their responsibility to cooperate with law enforcement in the process of apprehending and prosecuting bad actors. This may involve ongoing investigations and criminal prosecution.

All the above implies the maintenance of qualified staff, a significant expenditure of manual labor, and exposure by a financial institution to considerable ongoing liability. It is for these reasons that financial institutions place a premium on customer identification, particularly in preventive efforts. It is also why merchants are an extension of financial authorities and institutions in financial transactions.

Issues

The first KYC/AML efforts by institutions were informal and motivated less by compliance than by their own interest in eliminating losses stemming from illegal activity. Even with the first formal legislation, a large degree of discretion was afforded to financial businesses to determine standards for identification and definitions of what constituted suspicious activity. Best practices exist in the modern era, but institutions still have different standards, and this results in too much variance in outcomes. Furthermore, regulators and traditional financial institutions struggle to keep up with modern changes, particularly with cryptocurrency.

Cryptocurrency is a type of digital asset, often organized and secured by a distributed and decentralized public ledger, sometimes called a “blockchain.” Though there are numerous ways to design a cryptocurrency ledger, their basic purpose is to decentralize in part or whole the management and dissemination of financial assets and services. There are hundreds of operating cryptocurrencies around the globe and most of them have uncertain jurisdiction and administration. Though crypto ledger activity is usually made a matter of public access in order to provide a certain amount of transparency to transactions, the transaction data rarely contains any kind of direct identifying information.

However, most cryptocurrency activity operates through third parties who provide “wallet” services, which includes deposit, withdrawal, sending, and receiving functions, but can also involve inter-crypto exchanges and other investment-oriented transactions. Such services normally engage in a certain amount of KYC and even AML enforcement, but standards vary. Within the United States, wallet service providers and cryptocurrency exchanges are usually considered Money Services Businesses (“MSBs”) and must register with FinCEN and the Department of the Treasury, and in some cases the various states’ Departments of Finance, in order to do business and they are fully subject to US and international KYC/AML laws. When cryptocurrency transactions operate through such institutions, a good deal of identifying information can be had; in fact, more than would be typically found in many traditional cash or check transactions, and sometimes superior even to credit and debit card activity because the data can be gathered and analyzed in real-time, owing to the speed of most cryptocurrency ledgers. Compliant exchanges and wallet services typically follow banking procedures with onboarding, requiring at least one government issued ID, a social security number or national ID number, often combined with a picture of the applicant and a declaration of date and time, bank or credit card information and access confirmation, and proof of residence — and they sometimes go even further. When cryptocurrency travels through such channels, there is no challenge to government interests in KYC/AML, and in fact their efforts should even be enhanced.

But cryptocurrency can also be operated through peer-to-peer streams, making it as anonymous as cash but with the vastly improved portability the internet provides. And some cryptocurrencies have built-in transaction laundering features, making payment chains impossible to ascertain. Furthermore, there are third-party institutions that specialize in crypto transaction washing, where digital funds are introduced to an automated mechanism that runs hundreds or thousands of transactions and then returns the funds, minus a fee, to the original user, effectively destroying the audit trail. Even with metadata analysis, this can cause issues for law enforcement.

AML/KYC enforcement is only requisite for financial services businesses and the typical merchant does not have the means or expertise to extend such efforts appreciably, but it will probably take such an expansion or more to contain the threat of cryptocurrency to law enforcement efforts. What is especially needed for online commerce is an easy, cheap, and efficient way to engage in preventive measures, particularly in the onboarding process.

Public Mismanagement and Private Interest

Government abuse of public trust — highlighted particularly by the Snowden revelations about Prism, XKeyscore, Echelon, etc. — together with high-profile data intrusions on entities like the IRS, European Central Bank, JP Morgan Chase, Citigroup, Equifax, and Experian, underscores a growing public demand for improved centralized and decentralized control of data security in the ever-expanding KYC/AML process.

As an example of centralized improvement, the European Union passed new laws in 2016 under the General Data Protection Regulation (“GDPR”) omnibus, applicable to the European Economic Area, which notably championed public-friendly concepts like the “right of erasure,” “right of access,” and pseudonymization. This initiative was popular with average Europeans but met with mixed reactions from industries who expect it to raise the costs of doing business in the EU, though luminaries such as Mark Zuckerberg declared it a “very positive step for the internet.”[vi] Similar debates in the US, Korea, and Japan highlight the growing public sentiment that individuals desire greater autonomy over their personally identifying information (“PII”), and that this could in fact serve both public and private interests.

Grassroots pressure has given rise to the notion of decentralized digital identity or “self-sovereign identity.” This idea supposes that to preserve rights and to be effective for all parties concerned, each internet user must be central to the administration of identity.

Early advancements such as PGP (1991) and Microsoft Passport (1999) showed the potential of decentralized trust management and “federated identity” but could do little to stem the growing problem of “balkanization”: multiple identities across many platforms with differing standards and persistent problems with centralization and profit motive.

Modern identity solutions owe their start to the Augmented Social Network and its advocacy for “persistent online identity” and the assumption of the right of internet users to control their online identities. Then followed the Identity Commons and the Internet Identity Workshop (“IIW”) community, which remain the primary driving forces advancing decentralized identity with initiatives such as OpenID, OAuth, and FIDO. Facebook Connect (OAuth) has become a notably successful user-centric federated authentication process, though Facebook’s retention of user data and subsequent mismanagement of PII has exposed it to lawsuits, investigation, and erosion of public image.

The final steps towards user autonomy in a decentralized identity context occurred in 2009 with the introduction of Bitcoin and blockchain by the pseudonymous Satoshi Nakamoto, followed by Moxie Marlinspike in 2012 with his publication called “Sovereign Source Authority.” In his treatise, Marlinspike asserts that individuals have an established right to identity but that national registration destroys personal rights to sovereignty. He views sovereign identity as a matter for cryptographic mathematics.

Self-sovereign identity must be transportable to work across multiple sites with user consent and control, which is to say it can’t be locked down to one site or locale. Self-sovereign identity must participate in the larger scheme of law enforcement and healthy commerce, as well as the prevention of ethical abuse by institutions and the promotion of free speech and association.

[i] (December 12, 2018) Retrieved from https://www.fincen.gov/what-money-laundering

[ii] Jaeger, J. (2018, September 26). Report: Financial firms fined $26B for AML, sanctions, KYC non-compliance since 2008. Retrieved from https://www.complianceweek.com/blogs/enforcement-action/financial-firms-fined-26b-for-aml-sanctions-kyc-non-compliance-since-2008#.XBAxuGhKhaQ

[iii] (February 23, 2011). FinCEN Clarifies Suspicious Activity Report (“SAR”) Confidentiality and Expands SAR Sharing to Certain Affiliates. Retrieved from https://www.morganlewis.com/pubs/fincen-clarifies-suspicious-activity-report-sar-confidentiality-and-expands-sar-sharing-to-certain-affiliates

[iv] (December 11, 2018) Retrieved from https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_015.htm

[v] (December 11, 2018) Retrieved from https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_017.htm

[vi] Jaffe, Justin; Hautala, Laura (2018–05–25). “What the GDPR means for Facebook, the EU and you.” Retrieved from https://www.cnet.com/how-to/what-gdpr-means-for-facebook-google-the-eu-us-and-you/
