When it comes to understanding compliance, it’s easy to get lost in a sea of legalese and confusing jargon. A lot of newcomers to the space are often overwhelmed by the amount of stuff you need to know and keep track of in order to be successful.
And that’s just traditional finance. It gets even more complicated and murky when you apply compliance to cryptocurrency, where many businesses are expected to follow the basic financial regulations, though with the added bonus of ambiguous guidance and arbitrary caveats that can vary from state to state.
If you’re in the crypto space, we do not advise navigating these waters alone (the price, as recent headlines suggest, is extraordinarily high). Regulators do hold cryptocurrency businesses to extremely high standards, with little room for error. The high expectations of regulators, coupled with the lack of clarity on what is expected of cryptocurrency businesses, leave the industry’s entrepreneurs in a tough spot.
But don’t worry, you’re in the right place. Understanding the basics of compliance in cryptocurrency and familiarizing yourself with the terminology will give you a hand-up out of that spot, and help you run a better, more compliant business.
This blog post is one of the first in a series where we’ll be covering the basics of compliance. And you can’t cover the basics of compliance without discussing the four pillars of BSA/AML, which are foundational to every cryptocurrency operation’s compliance program. This is the bedrock, the foundation of compliance, so this is as good a place as any for you to start!
So without further ado, let’s get started.
What Are The Four Pillars Of BSA/AML Compliance?
The four pillars of BSA/AML lay out a framework which helps businesses adhere to the Bank Secrecy Act (BSA) and other anti-money laundering (AML) protocols. These four pillars are becoming especially important for businesses in the cryptocurrency space.
That is because several agencies are already considering tightening regulations on the industry.
The IRS, for instance, has expressed interest in launching an international consortium to crack down on cryptocurrency crime. The Financial Crimes Enforcement Network (FinCEN) is also eyeing cryptocurrency businesses’ AML departments.
As the name suggests, the pillars comprise four core elements. These four elements are as follows:
- A designated compliance officer
- Internal controls
- Formal AML training of personnel
- Independent testing of your BSA/AML program
Let’s break these down one by one and explain how each element fits into a cryptocurrency operation.
1. A Designated Compliance Officer
The first pillar of BSA/AML compliance is a designated compliance officer. This compliance officer should be an experienced professional who can identify the elements of your business plan that present BSA/AML risks. Not only should the officer be able to identify these risks, but he or she should also be able to mitigate them.
So what are some specific steps your compliance officer should be taking?
Your compliance officer has a duty to provide basic BSA/AML training to everyone within your organization. The officer must also ensure that your BSA/AML monitoring tools are up-to-date and effective for your business. If those tools don’t meet those basic standards, the officer must find suitable replacements.
Good compliance officers should also know how to identify some common signs of money laundering. If, for example, your officer notices several large cash transactions on new accounts, that activity should raise a red flag.
2. Internal Controls
This second pillar is arguably the hardest to perfect for some businesses. That’s because internal controls must be specific to individual businesses. Ideal internal controls factor in things such as:
- Geographic location
- Products and services
- Customers and entities
An effective BSA/AML program examines each of these factors (and others) to mitigate risk. In order to understand how businesses can use these factors to reduce risk, let’s take a look at a theoretical example.
Imagine that you’ve just opened a cryptocurrency exchange in the city of Chicago. Many of your clients are foreign and offshore corporations.
Now think about how this information would affect your company’s internal controls.
Big cities are often hubs for criminal enterprise activity. As a result, you’ll have to take more steps to secure your exchange than an entrepreneur whose exchange is based in a rural area.
Further still, the cryptocurrency market has caught the attention of many cyber criminals. For this reason, you’ll have to jump over more hurdles than a traditional financial institution (like a bank) which deals with physical currency.
And, of course, you’ll also have to remember that your customers are located offshore. Your AML program will have to factor in the risk of dealing with currency in their geographic locations.
3. Formal AML Training Of Personnel
The third pillar highlights the importance of educating personnel on AML procedures. As we said earlier, your compliance officer is responsible for providing basic BSA/AML training to those within your organization.
So if you already have a compliance officer, you’re halfway there.
Keep in mind that not every employee has to be an AML expert. Training should be tailored to the employees’ roles within the company. Even so, employees should be able to identify potentially suspicious activity and know how to report it.
Furthermore, employees should receive some form of training on an annual basis at a minimum.
4. Independent Testing Of Your BSA/AML Program
Here’s the thing:
You might have the most brilliant compliance plan in the world. According to the fourth pillar, however, your compliance strategy is only as good as a third party says it is.
Consequently, your business should set up an annual BSA/AML compliance review with a third party. This third party will test the effectiveness of your program’s tools and protocols against the BSA/AML risks we discussed earlier. BitAML often serves in this capacity by performing audits of cryptocurrency businesses.
The Controversial ‘Fifth Pillar’
In financial compliance, you might occasionally hear reference to a “fifth pillar” of BSA/AML.
In 2016, FinCEN issued a rule titled the “Customer Due Diligence Requirements for Financial Institutions” (or CDD Rule, also often called the “final rule”). This rule, which took effect in May 2018, amends Bank Secrecy Act regulations in an effort to provide more financial transparency to prevent companies from becoming havens for money laundering.
It’s an important and complicated rule, worth an entire blog post all on its own. But the reason we mention it here is because the rule is sometimes referred to as the “fifth pillar” of BSA/AML.
FinCEN’s final rule is absolutely essential to a company’s financial compliance. But whether or not it counts as a “fifth pillar” of BSA/AML is more or less an academic matter. Still, it exists, so if you ever hear of a “fifth pillar” or “five pillars of BSA/AML,” this is the missing fifth they are talking about.
Together They Stand, Divided They Fall
The four pillars of BSA/AML symbolize a perfectly supported structure (read: compliance program). Together, these four pillars will support that structure. If even a single pillar is weak or missing, that structure collapses in on itself. Regulators consider the weakness or absence of just one pillar to render all other pillars useless.
The bottom line is this: the most important thing to remember about the four pillars is that you absolutely need all four of them for compliance to work.
Strive to make the four pillars the foundation of your cryptocurrency business. We encourage you to reach out to us for a free consultation. Our cryptocurrency compliance experts are always ready to help you get and stay compliant.