What are the AML compliance requirements for bitcoin ATM operators?
Cryptocurrency businesses, including bitcoin ATM or kiosk operators, must design and implement AML policies and procedures aligned with federal and state regulatory compliance obligations just like any other financial institution.
Entrepreneurship in the cryptocurrency space can be incredibly rewarding. However, with opportunity comes challenges, and for cryptopreneurs, BSA/AML compliance is a big challenge.
We’ve been developing a series of articles about bitcoin compliance for money services businesses (MSBs) that explain compliance basics for aspiring crypto entrepreneurs, and we recommend that you take some time to catch up on the entire series here.
We also offer free consultations to help cryptocurrency businesses make sure their AML compliance is built to satisfy all federal and state regulatory requirements.
But today, we’re focusing on the compliance basics specifically for operators of bitcoin ATMs, or BTMs.
If you’re trying to open your first crypto ATM, it’s critical that you read and understand the compliance rules that apply to all financial institutions, including your MSB. And if you’re already working in the cryptocurrency space, this article is a must-read refresher.
Basic compliance requirements for bitcoin ATMs
All financial institutions (including your cryptocurrency MSB) must adhere to the regulations of the Bank Secrecy Act (BSA) and rules related to anti-money laundering (AML).
These laws outline specific duties that MSBs are required to follow to assist law enforcement agencies and the government in detecting and preventing money laundering and terrorist financing.
BSA regulations are administered by a part of the U.S. Department of the Treasury called the Financial Crimes Enforcement Network (FinCEN).
In addition to following all relevant federal laws related to AML compliance, as a bitcoin ATM operator, you’re also required to follow relevant state laws in the states where you operate. Since these laws vary from one state to another, it’s essential that you work with a compliance professional when you develop your AML compliance program to ensure your business can protect itself from financial criminals and avoid regulatory scrutiny.
Here we’re focusing on federal laws, particularly the BSA/AML program bitcoin ATM operators must develop to stay compliant. Your BSA/AML program must include five things (referred to as the five pillars):
- A designated BSA Compliance Officer
- Internal controls specific to your business model
- AML training
- Independent testing of your BSA/AML program
- Customer due diligence
Let’s tackle each pillar individually to get a better understanding of what bitcoin ATM operators have to do to stay in compliance with BSA regulations.
A designated BSA Compliance Officer
The first step you need to take to stay compliant with BSA regulations is to designate a BSA Compliance Officer who is responsible for your overall compliance program. It’s essential that the BSA Compliance Officer has the appropriate expertise, authority, and resources to succeed in the role.
The BSA Compliance Officer is responsible for developing, implementing, and maintaining your compliance program (including required reporting) as well as selecting tools, hiring, and training staff.
Importantly, the BSA Compliance Officer must understand and evaluate your bitcoin ATM operation’s overall risk level and be capable of making decisions based on that risk. Therefore, having a clear understanding of the signs of money laundering is essential for the person in this role.
Internal controls specific to your business model
The second pillar of BSA/AML compliance is specific to your bitcoin ATM operation and involves developing adequate policies, procedures, and processes to meet all BSA requirements.
For example, you must have policies, procedures, and processes in place to:
- Identify high-risk operations and update your risk profile on an ongoing basis
- Identify and report suspicious activities and take corrective action
- Identify a BSA Compliance Officer
- Monitor changes to regulations and make changes to the compliance program as needed
- Perform customer due diligence (CDD)
- Ensure duties are segregated and dual control mechanisms are in place so compliance tasks are effectively separated between employees
- Provide the necessary supervision for employees who handle transactions or complete tasks regulated by the BSA or other governing entities
- Train employees to understand their responsibilities and all compliance policies, procedures, and processes
- Monitor employee performance as it applies to BSA compliance
Bottom line, internal controls are put in place to lower your bitcoin ATM operation’s risk, and they’re required by law. Therefore, take the time to develop comprehensive internal controls, and be aware that doing so may require working with a compliance firm that has expertise in this area.
AML training
All employees must be thoroughly trained in BSA/AML compliance. Keep in mind, training isn’t a once-and-done activity. Ongoing training (annually at a minimum) is necessary to ensure every employee understands the current laws and all policies and procedures in your BSA compliance program.
Furthermore, training should focus on accountability and risk with thorough training materials and discussions about money laundering and terrorist financing.
Employee training should be tailored to each role and explain how performance will be monitored as well as the penalties for noncompliance. These penalties could come into play when an employee fails to adhere to internal controls as part of the BSA compliance program or fails to meet regulatory requirements.
Independent testing of your BSA/AML program
The fourth pillar of BSA compliance focuses on the quality of your BSA/AML program. If your program doesn’t cover all the bases, it won’t effectively reduce your risk or protect consumers.
Independent testing of your BSA/AML program is required to ensure the program meets regulatory requirements and gives you the opportunity to update and improve your policies and procedures in light of new regulations or criminal activity.
To that end, your BSA/AML program should be tested by a third party on an annual basis (at a minimum). The test should evaluate the program’s risk assessment, reporting requirements, recordkeeping requirements, CDD policies, training, employee performance in terms of following the program’s policies and procedures, and all other aspects of the program.
Customer due diligence
The fifth pillar of a BSA compliance program was added in May 2018 to mitigate risks associated with shell companies and anonymous companies. It involves developing risk-based procedures for conducting customer identification and due diligence.
Specifically, FinCEN identifies the four elements of CDD as:
- Verification of customer identity
- Identification and verification of beneficial ownership
- Understanding the nature and risk of customer relationships in order to develop a customer risk profile
- Monitoring to report suspicious behavior and maintain and update customer information based on risk
While verification of customer identity is covered in other BSA compliance program pillars, the fifth pillar homes in on beneficial ownership of a legal entity customer (defined under the Rule as owners who directly or indirectly own 25% or more of a legal entity’s equity interest or meet the control threshold of having significant authority to control, manage, or direct the legal entity).
In a nutshell, the fifth pillar requires that your bitcoin ATM operation’s compliance program includes policies, procedures, processes, and training for employees to identify beneficial owners of a legal entity customer, verify that information, understand the risks related to beneficial ownership, and report suspicious activity related to it.
Key takeaways for bitcoin compliance
Developing an effective BSA/AML compliance program is a challenging process that requires identifying a BSA Compliance Officer, developing internal controls, training employees, conducting independent testing, and performing customer due diligence.
BSA/AML compliance can be overwhelming for bitcoin ATM operators, but it’s absolutely essential to do it right, even if you only own one ATM. The penalties for noncompliance are too big to get it wrong.
Keep in mind, most ATM manufacturers include software that makes compliance easier, but software alone is not rigorous enough to cover all of your AML bases, nor is it a substitute for a BSA/AML Program in the eyes of regulators. No matter what is included in your ATM software, you still need a comprehensive compliance program by law.
Whether you’re currently operating or thinking about launching your first bitcoin ATM, you’ll need a BSA/AML Program to keep your business compliant with current regulations and rules. If you’re wondering how to get started, or want to make sure your compliance is up-to-date, you can always contact us for a free consultation to learn more.