Corruption & Crypto.
We see climbing statistics in the number of suspicious activity reports (SARs) filed by actors in the digital assets space, a sign that the industry is maturing and AML/CFT controls are being implemented by more actors. However, last month FinCEN specifically requested financial institutions to focus their AML efforts on detecting the proceeds of foreign public corruption, identified as a priority for the U.S. government. The 2022 U.S. National Money Laundering Risk Assessment published in February 2022 reiterated corruption as a primary money laundering threat. What does this mean for crypto?
In the U.S., the Foreign Corrupt Practices Act (FCPA) makes it unlawful to offer or pay money (or anything of value, including, rather obviously, any digital assets) to foreign government officials in order to obtain or retain business. Many other countries have similar legislations, and most AML/CFT regimes cover laws against bribery, misappropriation, and embezzlement of public funds by or for the benefit of a public official.
For the Cayman Islands, the National Risk Assessment 2021 Report which was published in March 2022, also emphasized the threat of foreign corruption, discussing recent enforcement actions. Although most of the corruption cases involve the traditional financial system, it is a useful reminder that with the increased adoption of digital assets, businesses in the crypto and virtual assets space need to familiarize themselves with the corruption risks, and also with the concept of Politically Exposed Persons (PEPs).
The importance of the risk is highlighted by a constant stream of high profile cases of (former) government leaders and relatives with significant assets (generally abroad), inconsistent with their income levels and businesses. Very recently, the sanctions against Russia have brought into public focus the fact that corruption patterns can be more ingrained in certain countries.
As always, the starting point is to look at international standards. The Financial Action Task Force (FATF) issued specific guidance regarding PEPs, defined as individuals entrusted with a prominent public function, or who are family members or close associates, who due to their influence and position are at higher risk for money laundering, corruption and bribery, etc. It is generally accepted that risks associated with PEPs require additional anti-money laundering / counter-terrorist financing (AML/CFT) measures before entering business relationships. This is therefore a risk to be addressed via the KYC/AML onboarding process.
In theory, good KYC/AML service providers would have access to public records and databases of PEPs, and identify potential name matches for manual review and enhanced checks. In addition, there are several classifications of PEPs based on position, power and influence, which would allow an accurate assessment of the risk levels.
In practice, it is the responsibility of the business (and in particular the Board of Directors) to ensure that KYC/AML service providers accurately identify PEPs. No automated system is perfect, since they are all based on algorithms (generally, fuzzy logic with name matching). Systems cannot identify that the individual going through the KYC/AML onboarding process is a close connection of a PEP, for example, unless there is publicly available information linking the two to a sufficient degree. Use of commercially available databases is neither required by the FATF nor considered sufficient in itself, without any additional checks. Screening for PEPs, therefore, becomes a complex process.
The FATF recommendations are that proactive steps should be taken, such as assessing on the basis of several criteria, risk profiles, business models, verification of KYC information, and independent research, to determine whether a customer or a beneficial owner is a PEP.
But what does this mean from a Risk-Based Approach (RBA) perspective?
Training Staff on PEPs. Not every business would have exposure to PEPs. Crypto and digital assets, as novel technologies, have not [yet] been adopted by all population groups. However, we see interest and adoption of crypto in several countries which struggle with being excluded from traditional financial systems due to de-risking by foreign banks, or countries which are attempting to raise their economies by being early adopters. El Salvador has become famous in the digital assets space by making BTC legal tender in September 2021, despite adverse stances from the International Monetary Fund (IMF) and the World Bank. In April 2022, the Central African Republic did the same, and Panama announced that it will accept BTC as well as several other cryptocurrencies for payments, alongside fiat.
Country Risk Ratings. In addition to typical PEP training (aka, what is a PEP, how to manually review a potential hit and what red flags to watch for), businesses should use the country risk ratings, and even create a specific “corruption” index score to be used as part of a risk matrix. However, the same as with the KYC/AML onboarding process, it’s the quality of the data points that counts, and sometimes publicly available indexes do not accurately reflect the situation on the ground. From an RBA perspective, it’s worth preparing enhanced country risk profiles internally for high volume markets.
Additional Data Points. In addition to the rather standard questions included as part of the onboarding process, i.e. are you a PEP or closely associated with one, additional information can be useful, such as the nature of occupation, contact details on file, as well as beneficial ownership information.
Enhanced Due Diligence (EDD). Foreign PEPs should always be rated high risk. Whereas what exactly enhanced due diligence (EDD) means is very different from one case to another, EDD generally implies obtaining more information about the person, business relationship, and plans, taking steps to establish source of wealth and source of funds, and cross-referencing with publicly available sources, as well as establishing escalation processes and increased monitoring.
FinTech, crypto and virtual assets businesses including recent models like DeFi, NFT, Web3, and Metaverse projects, present higher risks from a money laundering and terrorism financing (ML/TF) perspective because the industry is still at an early stage and/or rapidly evolving. Rather than pointing fingers at startups for not having the level of compliance and monitoring of big banks, we believe that compliance specialists and regulators should return to first principles and work with the industry to improve compliance models generally. We see crypto and blockchain as an opportunity to build better systems, including with respect to AML/CFT.
FinCEN in its recent advisory also noted the following “red flags” of foreign corruption:
The Securities and Exchange Commission (SEC) announced that the Crypto Assets and Cyber Unit (formerly Cyber Unit) in the Division of Enforcement will grow to 50 positions.
France approved Binance to be a regulated digital assets service provider.
California now has its own Blockchain Executive Order. The first goal is to create a transparent and consistent business environment for companies operating in blockchain.
The premier of the British Virgin Islands (BVI) was replaced while his potential involvement with drug smuggling and money laundering is being investigated.
OFAC expanded on the Russian sanctions to cover accounting, trust and corporate formation services, as well as management consulting sectors, in or involving the Russian Federation.
As the virtual assets industry is on the brink of mainstream adoption, the demand for services in this space far exceeds the capabilities of the traditional compliance providers. The difficulty to date has been that industry veterans have had neither the benefit of practical examples of how regulators will assess the servicing of virtual assets, nor do they have in house expertise or experience to confidently risk asses virtual asset engagements and build out the controls to mitigate associated risks. Additionally, the volatility in the asset class causes trepidation in traditional investment circles. We have established service lines across the specialist functions of compliance, internal audit, risk and advisory, with a focus on enhancing compliance and risk management solutions available to Investment Funds, Managers, Service Providers, and other participants in the virtual asset sector. We collectively bring over 75 years of experience in traditional legal, accounting and compliance services to the financial services industry, with recognised industry leaders and pioneers in developing solutions for virtual asset ventures in Cayman Islands, BVI and across the globe.
© Provenance Group. All Rights Reserved