How do I start a cryptocurrency or bitcoin business? Crafting a business plan is usually step #1, but in a fraught and ambiguous regulatory landscape, entrepreneurs in the space must focus on AML compliance first.
There is no shortage of blog posts or “ultimate guides” out there that will walk you through starting a bitcoin business from your basement, in your spare time, with next to no money, and so forth. This blog post isn’t one of them.
That’s because most of these posts, helpful though they may be in some ways, almost always miss the critical first step in the process of launching a cryptocurrency startup.
We wrote this article because missing this first step can completely undermine your new startup and damage you professionally, financially, and even legally.
That first step is AML compliance, and yes, it’s that big of a deal.
This article is also not a step-by-step guide to creating and implementing an AML compliance program that satisfies your obligations to federal and state regulatory agencies. That’s not a one-size-fits-all process that you can hack together alone.
Instead, this post will do what so many articles on starting a bitcoin business do not: offer a broad but complete overview of AML compliance obligations for businesses operating in the cryptocurrency space.
It contains the fundamental knowledge of financial compliance you will need and the questions you need to be asking before you begin operations.
Let’s get started.
Why AML compliance is key for cryptocurrency business
There’s plenty of good advice out there for seeking investment, doing market research, and operating a cryptocurrency business model, be it a bitcoin ATM, exchange, lender, or something else.
We’re here to provide the lesson that is so often missing:
Compliance should be baked into your business plan from day 1.
It’s true that it’s not uncommon for businesses in this industry to focus on product and revenue in the beginning and treat compliance as an afterthought.
But cryptocurrency businesses that have taken their AML compliance obligations seriously are among the most successful in our space. Those who haven’t have faced catastrophic failure on almost every level.
Make no mistake: the most successful businesses, including the leading exchanges responsible for widespread, mainstream adoption of crypto, have one thing in common, and that is top-shelf compliance built into the business plan from day 1.
It’s not something that can be bolted on later.
We’re not being hyperbolic or driving a hard sell here, either.
Spend some time Googling headlines about “bitcoin compliance” or “cryptocurrency compliance” over the last few years. You likely won’t be surprised to see stories about major criminal operations being shut down; but there are also plenty of stories of otherwise well-intentioned entrepreneurs, SMB to international in scale, facing legal consequences for sloppy or nonexistent compliance.
We don’t want to be too dour. The point here isn’t to scare you away from the industry.
If you want to start a bitcoin business, you should!
It’s an exciting, growing industry with yet-untapped potential and enormous opportunities.
But like starting any business, you have to do it smart. You have to do it right.
We’re here to point you in the right direction when it comes to those first steps in starting your cryptocurrency or bitcoin business. If you have more questions or need help building AML compliance into your business plan, you can reach out to us at the end of this post.
Is AML compliance required for all bitcoin business models?
It’s a question we hear often. “How do I know AML compliance is required of my business?”
It is a complex question because there are few laws and regulations specific to cryptocurrency, and most consist of memo-style guidance issued by agencies like FinCEN. In a perfect world, cryptocurrency would have its own regulatory framework built to reflect the technology and its unique attributes.
Instead, cryptocurrency businesses are expected to comply with financial regulations currently in place that govern the traditional financial sector (i.e. banks). Most of this regulation is decades old. It was never meant to apply to technology like cryptocurrency.
As such, applying these regulations to crypto has caused confusion and sometimes a great deal of pain for entrepreneurs in the space.
But even though the question is complex, in truth, the answer is pretty straightforward.
This is because AML compliance is required of all cryptocurrency businesses that are considered Money Services Businesses (MSBs) or Money Transmitters by FinCEN in order to mitigate bitcoin money laundering and other financial crime.
Which business models are considered MSBs/money transmitters? We wrote an entire post about that here, but to summarize, basically all of them.
There are narrow exceptions. If you’re mining cryptocurrency for your own benefit, for instance, no AML compliance is required (though you will need to pay taxes on the crypto when converted into cash).
But if you operate one or more bitcoin ATMs, an exchange, a lender, a hedge fund, or any business model that transacts cryptocurrency including traditional retail services offering bitcoin as a payment option, you will need AML compliance policies and protocols specific to cryptocurrency.
Compliance questions when starting a bitcoin business
In many cases, some of the foundational questions you will be asking about your business in those early planning stages are the same questions you will need to consider for your startup’s AML compliance:
- Who are my customers?
- What am I offering them?
- Where do I do business?
These are questions every entrepreneur asks when putting together a business plan, but they are also the critical points of focus that compliance professionals will analyze in something called a risk assessment.
A risk assessment is the first step in building robust AML policies and protocols because it is the market research and business analysis portion of the process.
It looks closely at customers, products and services, and your geographic location to determine how vulnerable you are to exploitation by financial criminals including money launderers, drug dealers, and financiers of terrorism.
Risk assessments are not explicitly required by any law or regulation but have become a standard operating procedure for financial institutions and a best practice prescribed by AML compliance professionals because of how valuable they are in shaping compliance policy.
Like we said up top, compliance is not one-size-fits-all. Each business model, depending on its location, the markets it serves, the customers it attracts, and the products and services it offers, will have an entirely unique risk profile.
Though there are compliance basics every MSB/money transmitter must adhere to, stronger protocols will be required of some businesses depending on the jurisdictions they do business in and the risk level they face.
The only way to understand your risk profile is to perform a risk assessment. We often say that without one, you’re driving at night with the headlights off.
Having a qualified compliance professional prepare a written risk assessment is the critical first step to building a compliant business model.
Once the risk assessment and business plan are complete and you move into launch mode, however, there are several more compliance steps you must take before you open your doors for business.
The basics of bitcoin compliance that need to be in place from day 1
Once a risk assessment is complete, you need to take what you’ve learned from the process and develop an AML program and associated policies and protocols. The program must be implemented for use before your business launches and serves its first customer.
But where do you start?
Start with the pillars of BSA/AML compliance.
The term “pillars of BSA/AML compliance” refers to a framework of four to five pillars on which businesses should build robust AML compliance. It is absolutely crucial for your compliance to include these pillars.
Think of the pillars as the foundation of a house. Each pillar must be strong in order to maintain the house’s structural integrity. To wit, regulators consider failure or insufficiency of a single pillar to mean that the entire BSA/AML program has failed.
This means that no matter how strong the rest of your pillars are, the failure or absence of one pillar means the entire AML Program is effectively worthless.
Let’s walk through each pillar and what they mean in practical terms for a bitcoin business:
Pillar #1: A designated BSA Compliance Officer
Your institution will need to appoint a qualified BSA Compliance Officer to satisfy this pillar.
The BSA Compliance Officer is responsible for maintaining and ensuring the implementation of your AML compliance program. This role should be assigned to a qualified professional who understands BSA/AML compliance requirements and who is allocated the appropriate resources to execute the day-to-day responsibilities of the job.
Some of those day-to-day responsibilities include developing, maintaining, and enforcing your AML program and its policies, required reporting for suspicious or potentially suspicious activity, and overseeing frontline staff.
Some of the overarching responsibilities include the ability to continuously evaluate the changing risk profile of your business and make decisions based on that risk.
The BSA Compliance Officer must also have a clear understanding of money laundering and be able to identify signs of potentially suspicious activity in transactional data your protocols may be missing.
In smaller, “solopreneur” business models, you as the owner will need to serve in this role. This is not ideal; to serve in the role adequately, you will need, at minimum, the appropriate training and resources to execute its responsibilities as satisfactorily as a seasoned compliance professional.
Pillar #2: Internal controls
Internal controls are the policies and procedures in place to meet the compliance requirements of the BSA. More than any other pillar, your institution’s internal controls will be completely custom to your cryptocurrency business and its unique risk profile.
Simply put, these are the brakes you put in place to mitigate the risks identified at the risk assessment stage.
Some of the areas internal controls should address include:
- Updates to your institution’s risk profile
- How changes are made to the compliance program and when
- Identification of suspicious activity
- Actions to be taken when suspicious activity is identified
- Know Your Customer, Customer Due Diligence, and Enhanced Due Diligence policies
This is a complicated pillar to get right, but as we said, the failure of any single pillar compromises the entire AML program.
Therefore, take the time necessary to develop your internal controls and ensure that they satisfy the BSA and address the unique risks identified in your institution’s risk assessment.
Pillar #3: AML training of all employees
Every employee your cryptocurrency business hires will need to undergo BSA/AML training on a regular basis.
It is absolutely critical to day-to-day operations that each employee understands their obligations to your institution’s AML compliance and the role they serve therein.
Training is not a one-and-done activity, and should be performed annually at a minimum to keep pace with changing laws and regulations as well as institutional changes to compliance policies and procedures.
For the “solopreneurs,” AML training is still a required pillar, though you will need to solicit a compliance professional outside of your organization to administer a workshop for you. Businesses with more employees will typically have AML training organized and performed by the BSA Compliance Officer.
Pillar #4: Independent testing
Your BSA/AML program is only as good as a qualified third party says it is.
Think of this pillar as an annual report card for your AML compliance. Designed to simulate regulatory examination, independent testing will look at every policy and procedure associated with your BSA/AML program, testing them for efficacy and, ideally, offering suggestions for improvement.
This is an area of AML compliance that should be performed by a qualified compliance professional outside of your organization.
Just as you don’t (or at least, shouldn’t) perform your own home inspection to save money when buying a house, you shouldn’t perform testing of your own compliance. It won’t work.
You need an objective pair of eyes in order to guarantee this pillar’s strength.
Pillar #5: Customer due diligence
The fifth pillar is a more recent addition to the framework, but just as essential as the core four.
It requires more specific customer due diligence protocols for verifying customer identity in order to identify beneficial ownership of a legal entity customer (defined as direct or indirect owners who control 25% or more of a legal entity’s equity interest or who meet other thresholds).
While there has been confusion about how much the fifth pillar applies to cryptocurrency businesses, rest assured that it does according to FinCEN and must be accounted for in your AML policies and procedures. How, specifically, you collect the information required will depend on your business model and risk profile.
Key takeaways for starting a cryptocurrency business
Ending on a lighter note, we want to re-emphasize the many positive aspects of business within the cryptocurrency industry. The industry is still in the early years of writing its own story; there’s a lot of opportunity for creative entrepreneurs excited about building a business from the ground up, and lucrative successes still to be had.
But if you want to start a cryptocurrency or bitcoin business, it has to be built on a foundation of sound AML compliance.
With an overall trend of rapid growth coupled with the increased regulatory scrutiny that naturally follows, businesses in the cryptocurrency industry will only succeed on the basis of their ruthless, daily commitment to their AML program, policies, and protocols.
If you are interested in joining the industry as a business owner, or you have begun operations and need to play compliance catch-up, you can reach out to us with questions here.
BitAML is an AML compliance firm specializing in the cryptocurrency space that has been recognized for its unique approach to building AML programs and sound, ethical consulting on matters of regulatory compliance.