To operate as a cryptocurrency money services business (MSB)/money transmitter, you need to complete the registration process through the Financial Crimes Enforcement Network’s (FinCEN’s) online platform. Part of the registration process includes the agreement with regulatory guidelines and adherence to certain requirements to maintain compliance.
One of those requirements is the implementation of an anti-money laundering (AML) program. Your program needs to include a reporting system that tracks suspicious activity or details of transactions over $10,000. Your program must be reviewed periodically and include four main elements:
- Policies, procedures, and internal controls that comply with the Bank Secrecy Act (BSA).
- A compliance officer responsible for maintaining compliance with the BSA and AML policies and procedures.
- Ongoing and relevant training on a wide variety of BSA/AML topics.
- An audit of your AML compliance program at least once a year.
That last one always seems to be a challenge for cryptocurrency businesses large and small, and it’s no small wonder. Many financial auditors lack experience with cryptocurrency as a technology, and thus valuable resources are spent educating the auditor about how crypto works so they can actually do their job.
As such, some stones go unturned. In our experience working with cryptocurrency MSB/money transmitters, we’ve seen prior audits that include many of the same compliance vulnerabilities.
Here are the top three mistakes during a cryptocurrency audit we see pop up most frequently so that when it’s time to audit your AML compliance again, the outcome is as helpful to your financial institution as possible.
Mistake #1: Not Reviewing MTL For Each State You Do Business In
You need to review money transmitter licensure (MTL) for each state you do business in. Because the states lack a uniform definition of what a money transmission is, requirements may vary.
For instance, California defines “money transmission” as selling or issuing payment instruments, selling or issuing stored value, or receiving money for transmission. Connecticut defines money transmission as engaging in the business of receiving money or monetary value within or outside the United States for transmission through payment instrument, wire, facsimile, electronic transfer, issuing stored value, or some combination of these methods.
As a result, those states may have different requirements for MTL.
As a cryptocurrency business, you need to be properly licensed to transmit money in a state. Otherwise, you can face significant fines, penalties, and time in prison for evading anti-money laundering laws. In one case mentioned in the South Florida Business Journal, a mobile payment site was fined over $500,000 for operating as a payment processor in Florida without an MTL.
Although many states adopt a “no action” stance on cryptocurrency, that can quickly change, often without warning. As a result, regularly contacting state regulators for updates on potential cryptocurrency legislation is necessary. Your annual audit is a great time to take care of this issue.
Mistake #2: Not Receiving Actionable Recommendations For AML Compliance
In order to be effective, your audit needs to include actionable recommendations.
The reason for having an annual audit by a qualified third party is to test your cryptocurrency AML compliance program, identify weaknesses, and recommend corrective actions to ensure compliance with the BSA. An audit evaluates the overall effectiveness of your AML policies, procedures, and processes.
The auditor performs risk-based transaction testing to evaluate your cryptocurrency financial institution’s adherence to recordkeeping and reporting requirements. Examples include Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs).
The auditor also reviews your employee compliance training for accuracy and thoroughness, assesses the adequacy of your suspicious activity monitoring, and reviews your processes for Know Your Customer (KYC) requirements. Further, the auditor evaluates your automated systems and IT, employees’ adherence to compliance policies and procedures, and management’s efforts to resolve compliance violations or deficiencies identified in previous audits. The auditor then delivers a final report and recommendations for improvement.
Audit feedback needs to include as much detail as possible on what’s working well and what needs to improve. Starting with the most severe vulnerabilities and moving toward the least severe, your audit feedback should break down clear recommendations for improvement of the AML compliance program and associated policies.
Mistake #3: Auditor Lacks Knowledge Of Cryptocurrency AML
We’ve seen numerous annual reviews performed by qualified, licensed compliance auditors with significant experience in finance… but almost no knowledge of cryptocurrency as a technology or business model.
A fundamental understanding of cryptocurrency’s capabilities and how businesses are built around it directly affects the recommendations auditors make.
As mentioned, we have also have seen significant time and effort go to waste when business owners have to educate an auditor on how cryptocurrency works. If you don’t work with an auditor experienced not just with financial compliance, but also cryptocurrency itself, key deficiencies in your crypto AML program can be missed. You might find yourself in legal trouble.
Perform your due diligence and find an auditor with knowledge of and experience with crypto and all other necessary qualifications for your annual audit.
Key Takeaways For Crypto Businesses
The points above, in summary:
Regularly review money transmitter licensure (MTL) for each state you do business in. Laws and regulations are not uniform and often change (without warning).
Your audit needs to include actionable recommendations. Starting with the most severe improvement, detailed feedback needs to include what’s working well and how you can improve.
Your auditor needs experience in and knowledge of cryptocurrency, along with other qualifications, to ensure your cryptocurrency compliance program is adequate.
When the time comes for your annual audit, you need a knowledgeable company with experience auditing cryptocurrency MSB/money transmitters. The auditors at BitAML have these qualifications and more.
If it’s coming time for your next annual audit, you can reach out today for a free consultation.