Starting a new business in crypto is risky. It’s a new industry built on new technology. New industry means unclear regulatory expectations, and new technology means an increased inherent risk for criminal activity.
On top of the usual risks of starting a new business in a new industry, crypto entrepreneurs must also consider the unique risks involved with buying, selling, and exchanging cryptocurrency.
We’re not just talking about price fluctuations.
We’re talking about things like money laundering and fraud. And we’re talking about protecting your business, and the health of the cryptocurrency ecosystem as a whole, from financial criminals.
Financial institutions, including those in the crypto space, perform an a risk assessments in order to understand the risk profile of their institution and to create and implement anti-money laundering (AML) policies and procedures to mitigate that risk.
Given the risks of new industry and new technology intimated above, risk assessments are absolutely critical tools for crypto businesses.
In this post, we’ll cover the three things every risk assessment needs to focus on:
- Where you do business
- Who you do business with
- What you’re selling
Only by taking a close look at all three can cryptocurrency businesses fully understand the complex risks associated with their unique operations, and begin to implement policies to mitigate those risks.
Do All Crypto Businesses Need A Risk Assessment?
Risk assessments aren’t a strict requirement of financial institutions, but there’s a catch.
While cryptocurrencies like bitcoin, Litecoin, and Monero are not, strictly speaking, money, financial regulations that apply to businesses in traditional finance (banks, et al.) also apply to businesses in crypto that are considered money services businesses or money transmitters by the Bank Secrecy Act (BSA) and subsequent regulatory amendments.
(If that paragraph was a lot to take in, we recommend doubling back and checking out our posts on how to know whether your cryptocurrency business is an MSB in the eyes of regulators and BSA/AML for crypto business explained.)
If you can’t get to previous posts right now, we will save you some time; most likely you are an MSB money transmitter if you run a cryptocurrency business and thus expected to follow these regulations.
Here’s the problem.
The BSA and related regulatory guidances don’t offer turnkey, one-size-fits-all solutions to businesses including cryptocurrency MSB money transmitters. They outline legal compliance expectations that prevent businesses from becoming havens for money laundering, terrorism financing, and drug money.
Complicating matters further, each state has its own priorities and guidelines for MSB money transmitters.
Figuring out how to comply with those expectations is the job of your BSA Compliance Officer (a required role per the BSA), and the most straightforward, painless way to begin this process is by assessing risk.
What’s the bottom line?
- Risk assessments aren’t strictly required, BUT…
- Crypto businesses are expected to follow federal and state financial regulations
- This is complicated, and a risk assessment is by far the best way to figure it out.
Don’t Get This Part Wrong
It might be tempting to think that certain business models will have similar risk thresholds.
This couldn’t be further from the truth.
An operator of a single bitcoin ATM in New York is going to have a dramatically different risk profile than the operator of a single bitcoin ATM in Wyoming.
Imagine how much more complicated it gets when you start adding more ATMs in different states, or offering different coins, or changing the business model in a way that purposely or inadvertently opens you up to an international customer base…
No, every risk assessment will be different, because every business is different. No two businesses in the same city will have the same kind of risk threshold.
Remember too that a risk assessment is designed to tell you your business’ risk level, which informs you of what policies and procedures you need to put in place to mitigate that risk.
A risk assessment should not downplay risks in order to get a “better score” or attempt to lower a risk rating. It’s not about working toward a “desirable” level of risk, but rather getting an accurate snapshot of the kind of risk you’re facing so you can manage it effectively.
3 Things All Risk Assessments Should Focus On
When putting together your risk assessment, there are three main things you should think about. Geographic Locations (where you do business), Customers and Entities (who you do business with), and Products and Services (what you’re selling).
Good risk assessments are complex analyses of a particular business model guided by these considerations.
Remember that no two cryptocurrency businesses will have the same risk profile; even if they look superficially similar, one seemingly minor difference can have vast risk implications.
Taking a look at risk across these three dimensions will help you understand the unique risks your cryptocurrency MSB money transmitter needs to address in your AML compliance.
1. Geographic Locations (Where You Do Business)
Where you conduct business operations has a huge effect on your risk profile. Operating a single crypto ATM in a small town likely won’t carry some of the same risks of operating in Chicago, for instance.
Generally speaking, the bigger the city, the more potential for risk. Bigger cities have the population size and infrastructure to support financial crime. They potentially expose businesses to an international customer base that must be factored in. They also could be located within a HIFCA or HIDTA, areas of concern for drug trafficking and financial crime by authorities.
Even a business headquartered and mostly operating in a small town with a single out-of-state kiosk in a big city will have a completely different risk profile than if that big city kiosk isn’t part of the business model.
Crypto exchanges and other international cryptocurrency businesses have even more risk to contend with given the remote nature of their operation.
Bottom line, where you do business is a major factor in calculating your risk.
2. Customers And Entities (Who You Do Business With)
Where you do business and who you do business with go hand in hand.
If you run a crypto ATM, you’re not open for business for just anyone who decides to walk up. You will have certain KYC protocols that help you identify potentially illicit activity. These protocols will require certain identification and verification methods for every customer and will require you to block potential customers or refuse transactions based on certain behaviors.
Just as big cities open your business up to risk, so do the potential customers that transact with you. Some may be drug dealers or human traffickers trying to find a way to launder their funds and disguise the purpose of their transactions.
Additionally, you may offer your services to non-individual customers. Let’s say you operate in Colorado, and legal cannabis business owners become a significant customer base.
Legal cannabis entrepreneurs are cash businesses; while operating within state law, they are not allowed access to the traditional financial system and seek alternate stores of value, including cryptocurrency.
Transacting with this industry is legal at the state level, but will come with its own risks and reporting requirements to consider.
This is just one example. There are more risks associated with customer types than you think!
3. Products And Services (What You’re Selling)
Lastly, the nature of your business itself poses certain risks you must consider.
We’ve mentioned before that ATM operators and crypto exchanges have different risk profiles based on where they operate and who their customers are. But the difference between their respective business models themselves contributes to the risk. Crypto exchanges by nature offer services at least nationally, if not internationally, to millions of potential customers.
A crypto ATM operation might be limited to one town, or 2-3 states, or to only a few thousand potential customers.
Also, the kinds of products offered will have drastic implications for risk. If you offer bitcoin only, you will have a different risk calculation than if you offer multiple coins. If you offer so-called “privacy coins,” that will have an effect on risk. Also, if you offer services to customers in person, that will have an effect on risk.
Even the smallest of decisions you make about the structure of your cryptocurrency business will have an effect on your risk profile. We often run into business owners who will extend their operations to another state, or offer a new coin, and assume that with all else being equal, it shouldn’t change their risk profile much.
Often it does. It’s always best to include the BSA Compliance Officer in these matters.
Key Takeaways For Crypto Businesses
The best way to understand the risk profile of your cryptocurrency business is to perform a risk assessment.
Though not strictly required by law, it’s strongly encouraged. Why? Because only a risk assessment will give you the intel you need to develop policies and procedures that help your institution mitigate that risk and stay in the good graces of regulators.
For help putting together a comprehensive risk assessment that leaves no stone unturned, or to update an existing risk assessment to reflect a change in business structure, size, or location served, you can contact BitAML for a free consultation.