Once you’ve performed a risk assessment and created a BSA/AML Program and related policies, you’ve laid a foundation of strong compliance for your cryptocurrency money services business (MSB) — but you’re not done yet.
Surveillance and monitoring refers to one of the most essential ongoing bitcoin compliance activities. While the AML Program and risk assessment only need be updated annually (or when significant changes are made to your operation), surveillance and monitoring is a daily activity.
We’re continuing our series of crypto compliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance.
Keep in mind, we also offer free consultations to help cryptocurrency businesses make sure their AML compliance is built to satisfy all federal and state regulatory requirements.
Today the focus is on surveillance and monitoring, or transaction monitoring. This includes an explanation of what “red flags” are, how they’re used, and what they typically look like. If you’ve heard these terms before and question what they mean in a practical setting, you came to the right place.
We’ll cover suspicious transaction reporting at a later date, but earmark the idea of reporting in your head for now, since that is what you will have to do when you spot suspicious activity.
Surveillance and monitoring explained
Surveillance and monitoring refers to the routines and procedures deployed by financial businesses, including banks, MSBs, and money transmitters, that identify and flag activity that is unusual, suspicious, or potentially criminal.
In short, it’s the practice of monitoring transactions and determining which, if any, are abnormal.
Still with us? Let’s look at an example from a popular TV show.
There is a scene in an early episode of the Netflix crime drama Ozark wherein the main character, portrayed by Jason Bateman, attempts to withdraw several million dollars from his bank account.
He is immediately pulled into a safe deposit room, searched, and interrogated by authorities. Though he insists that he merely needs the money for a business opportunity, he is questioned about the legality of the opportunity and asked whether he is under duress.
In this scene, the authorities are trying to establish whether or not he is withdrawing his money for legal or illegal purposes for a simple reason — while it’s not illegal to withdraw such a sum, it is highly unusual.
It’s not every day someone walks into a bank and tries to leave with millions of dollars and, as the authorities in the scene suggest, legal business opportunities aren’t generally going to require such a substantial investment in cash right up front.
(For what it’s worth, the suspicions of the authorities prove correct. While they allow Bateman’s character to leave, he needs the money to pay off a drug cartel.)
Though dramatic and fictional, this is a perfect example of surveillance and monitoring doing its job. Though Bateman’s withdrawal takes place in a traditional bank, cryptocurrency businesses need to practice a similar kind of transaction monitoring.
For businesses in cryptocurrency (ATM operators, exchanges, and more), compliance issues will arise without strong and effective transaction monitoring. Like we mentioned above, good compliance isn’t simply a matter of writing an AML Program and throwing it into a file cabinet. There are day-to-day responsibilities, and monitoring for suspicious activity in your transactions is one of the biggest.
Does this mean that you need a human being to manually look at every transaction in real-time and make a guess whether or not the activity is suspicious?
Not at all. That’s what red flags are for.
What are red flags?
Red flags are hypothetical scenarios that could indicate suspicious activity in transactions. Basically, they are a series of thresholds that tell you “if a transaction looks like this, it might be suspicious.”
Since red flags enable you to identify potentially illicit activity, they will form the basis of your surveillance and monitoring policy. A strong policy will include the red flags unique to your institution in detail, giving your employees a list to refer to as they monitor transactions.
How often do red flags occur?
You will likely see activity that could be considered suspicious or unusual multiple times a week, even daily.
However, if a red flag is triggered, it doesn’t automatically mean that the transaction it flags is criminal. A red flag simply warns you, your employees, and your BSA Compliance Officer, that suspicious activity has occurred and requires further investigation, and possibly reporting to the proper authorities.
Still, your ability to spot red flags is critical to the compliance of your business, and sends a positive signal to regulators and authorities that you’re running a responsible business.
Who should be watching for red flags?
Every employee of your business should be trained to spot suspicious or unusual activity. When such activity is spotted, it should be sent up the flagpole to the BSA Compliance Officer immediately.
Suspicious activity might result in enhanced monitoring of the customer in question, further investigation, or an official report to the authorities. It depends on the specific regulations governing your business, and what your AML Program requires.
No matter what, it’s the BSA Compliance Officer’s responsibility to review the activity and determine what to do, and if reporting is required, to do so in a timely manner.
Red flag example from an everyday scenario
Even though red flags will be unique to each business, it might help you to see what one actually looks like.
Here’s a scenario.
Let’s say you operate a single cryptocurrency ATM that accepts U.S. dollars for bitcoin. You had a customer make five separate transactions of about $2,500 each over the course of two weeks.
That could potentially be suspicious. Why? Larger transactions often need to be reported to the authorities, even if they’re entirely legal. Your customer might be “structuring” transactions to avoid that required report, in an effort to keep their money “off the grid” for whatever (potentially illicit) reason.
Thus, you should have a red flag that accounts for this sort of behavior. It might look like this:
Routine Name: Cryptocurrency Address/Customer – Volume
Alert Routine Threshold: Four (4) or more transactions in a 15-day period; transactions initiated with cash; same cryptocurrency address, same name, and/or same tax identification number; individual denominations between $2,000 and $3,000.
Description: Customer transacts multiple exchanges of lower U.S. dollar-denominated cash amounts for cryptocurrency, which aggregates to a substantial sum of money.
Depending on your operation, you could have anywhere from a dozen to a hundred (or more) separate red flags, so there’s no one-size-fits-all list of red flags for cryptocurrency we can give you that will apply to every business.
Red flags will always be unique to the business model of each cryptocurrency operation, and will be constantly evolving based on regulatory guidance and criminal activity.
Simply put, money launderers will find new ways to structure transactions and hide illicit activity, so red flags need to keep evolving to spot such activity.
Key takeaways for bitcoin compliance
When developing red flags for your business, it is important to consult with a professional who understands the nuances of regulatory compliance. This includes reporting thresholds that are required by federal and state law, as well as routines tailored to every hypothetical instance of suspicious or unusual activity your business model might see.
Since it’s such a critical aspect of your day-to-day compliance, you can’t afford to guess. Contact BitAML for a free consultation today to get started on a path toward robust AML compliance.