When you decide to start a cryptocurrency business, there are very specific AML compliance tasks that you need to take care of before you open your doors.
You’ll need to perform a risk assessment and implement an AML compliance program that satisfies the pillars of the Bank Secrecy Act (BSA) including appointing a BSA Compliance Officer, establishing internal controls, implementing formal AML training for yourself and any employees, and scheduling independent testing of your AML compliance program.
Once these and other federal and state regulations are met to the best of your ability, you’re ready to launch your startup.
But after you hit the one-year mark and your business begins to mature out of its startup status, your compliance needs will change.
With 12-18 months behind you (and your business continuing to grow), it will become necessary to regularly test and monitor your crypto AML program and procedures. Compliance is a real-time, living and breathing process, so there’s no set-it-and-forget-it way to monitor it.
Cryptocurrency businesses should design these internal compliance monitoring processes based on their profile and own unique experiences, but there are some general best practices to observe.
Here are three common testing and monitoring mistakes we see most often across all business types once they hit that 12-18 month milestone of business operation. Be sure you don’t fall behind by avoiding these errors.
Adequate Oversight Is Lacking
One of the biggest mistakes you can make is to think AML compliance is a paper-only feature of your financial institution. Some business owners create robust compliance policies that then get filed and never see the light of day again; The program is simply never put into practice.
Despite the relative strength of an AML compliance program, it isn’t doing your business any good sitting in a file cabinet.
Money laundering is a serious issue, and AML policies have to not only be written but implemented every minute of every day. As a money services business, you have an obligation to avoid facilitating financial crime, which means knowing who you’re serving and having strategies in place to mitigate or manage suspicious behavior.
Some money transmitters are resistant to Bitcoin compliance and other regulations because they feel that cryptocurrency should be a private, fungible resource. Unfortunately, the regulators don’t see things that way. They have concerns about criminal activity and consumer protection, and are increasingly turning their gaze to the industry.
As a money services business/money transmitter, you need to comply with the regulations enforced by FinCEN and other federal and state regulators. That means there should be someone making sure your AML compliance policies are enforced every day. Regulators want to see support for compliance from the very top of the company all the way to front-line staff.
As a result, you need to have someone who is responsible for testing – going back over records to ensure they’re up-to-date, no fields were missed, and all documentation is easy to access.
Missing A Second Set of Eyes
People are, well… human. That means that no one individual should be solely responsible for compliance monitoring.
Testing and monitoring is a regular occurrence, not a once-a-year audit. As a result, there are many, many details that need to be reviewed. Records should be double-checked to ensure nothing was missed, there are no suspicious red flags, and that records kept are easy to find.
If there is something that’s missed, your “second pair of eyes” should have the authority to update or report any concerns, just like the initial tester. Having multiple people keep your testing and monitoring compliance in order will also help prevent bottlenecks if someone is off work or leaves the company.
If you want to avoid falling behind, have multiple people working together to keep your compliance monitoring up-to-date.
Also, be sure to document fanatically so that you can avoid the classic (and inconvenient) “I thought he/she took care of that!”
A common saying is, “If it isn’t documented, it didn’t happen.”
Red Flags Are Not Regularly Updated
Testing and monitoring of cryptocurrency AML should help you reinforce your transactional red flags.
Typically, any unusual activity or transactions should be recorded and reported to the BSA Compliance Officer. The officer can decide if a SAR needs to filed or if FinCEN should be notified. But those red flags should be modified over time, and good compliance monitoring will enforce that.
Let’s say when you launched your cryptocurrency business as a startup, you identified 15 potential red flags to monitor transactions for. As your business continues to grow, you might realize that the red flags you have don’t capture enough suspicious activity and that there should be three more.
Or, perhaps a flag is catching too many users. You realize it’s too strict, or it needs to be split into multiple separate flags.
Tuning your red flags – and documenting the process of doing so in your AML program – is vital to keeping your AML compliance in order and ready for any kind of audit or inspection.
Let Your AML Compliance Grow With Your Company
Setting up your crypto AML policy is a lot of work, especially when you’re also trying to launch a business. As your business matures, you’ll probably have similar growing pains to most startups. You want to provide services, maintain your tech, provide excellent customer service, and make sure your employees are well-trained, happy, and working well together.
However, you can’t let those goals distract you from the fact that you’re regulated as a financial institution. That means that as you grow you can’t overlook compliance. You’ll need to prioritize testing your processes regularly and taking compliance monitoring seriously after those first 12-18 months.
Be sure you document the testing and monitoring you do. This will help you if regulators discover compliance mistakes in the future. No need to overthink your recordkeeping. It doesn’t need to be fancy; all you need is a simple log that shows your updates.
Compliance Monitoring Is Not An Independent Audit
Another important distinction to make is that good testing and monitoring do not replace the need (really, the requirement) of an independent annual audit.
Your regular internal testing serves as a mini-self-audit of sorts, and will help to prepare you for an annual audit from a compliance professional or an examination from regulators. In both cases, examiners will appreciate and take note of the proactive processes you have created for your cryptocurrency business. You are less likely to be operating with compliance deficiencies as well.
Simply put, good testing and monitoring is one of the best ways to keep your institutional compliance healthy and thriving with your business.
Key Takeaways For Crypto Businesses
A brand new cryptocurrency business is required to create a robust AML compliance program before its grand opening. However, as you grow out of that startup status, you’ll need to regularly monitor your AML processes and modify them on the fly.
You’ll almost certainly need to make adjustments over time, and you will need to document those changes, even in a simple log. Your unique operating experience is needed to tune your compliance processes (within federal and state regulations, of course).
Appointing a qualified BSA Compliance Officer to oversee testing and monitoring, using a second pair of eyes on reports and records, and tuning red flags regularly based on new business learnings, are all commonly lacking from effective compliance monitoring, so be sure to include them in your process.
If you want that second pair of eyes but for your entire AML program, be it before you launch, in your first year, or anytime after, we can help. Our compliance experts will review your AML program and help you identify any gaps.