You might be good at getting your compliance in tip-top shape ahead of an annual review, but could your business pass a surprise examination today?
Cryptocurrency businesses that emphasize a culture of compliance are businesses that are built for the long haul. But what does it mean to practice good compliance every day?
It starts with the understanding that good compliance isn’t a one-and-done responsibility. You don’t create policies and procedures to protect your business and industry from financial criminals only to throw it all into a filing cabinet and never think about it again.
But even businesses with good compliance can have trouble fully implementing a living, breathing philosophy of compliance that is evident in everything they do every day.
Here’s the truth…
In a nascent industry like cryptocurrency, where the rules are constantly in flux and regulators are sometimes prone to implementing more intense scrutiny on businesses, entrepreneurs can’t simply rest on their laurels.
While annual audits and independent testing are important elements of a functioning financial institution, nothing can replace daily examination of your internal processes. This is what we mean when we talk about a culture of compliance.
Can your AML compliance pass a pop quiz?
What if your business was selected for a surprise examination by federal or state regulators right now? What grade do you think you would get?
This isn’t some hypothetical — surprise examinations happen all the time, and we expect the trend to increase (especially when the SEC more or less comes out and says so).
You want your cryptocurrency business to be prepared to pass any surprise examination at the state or federal level. To pull this off, you’ll need to test yourself constantly, if not daily in some cases.
Implementing daily compliance testing is easier said than done, so we’ve put together a list of eight places you can start. These are items that independent auditors and regulatory examiners will be looking for, and though this list is no replacement for an annual audit or independent testing, it should help you get the ball rolling on establishing robust internal testing and monitoring.
8 internal testing tips for cryptocurrency financial institutions
#1 Look at your BSA/AML Program as a whole
You can start by evaluating the overall integrity and effectiveness of your BSA/AML Program.
This program gives you the 30,000-foot overview of your compliance and a big-picture understanding of which policies and procedures you deploy most often, and which may require a revisit (whether they need to be updated or sunsetted altogether).
A few questions to ask yourself during this process that may lead into the other points on this list include:
- Are any of these policies outdated?
- When was the last time we updated our procedures?
- Do my employees understand the purpose of each policy and procedure, or is there a knowledge gap somewhere?
From here, you will have a much better understanding of which individual parts require a closer look. But even policies and procedures that seem strong can require an update in light of new regulation, or may even create vulnerabilities for your business. Leave no stone unturned.
#2 Look at your records
Evaluating policies and procedures pertaining to BSA/AML reporting and recordkeeping requirements is critical, since auditors will ask you to produce any number of records during an examination.
They expect your records to be comprehensive, detailed, and organized so that they can be easily and quickly called up for review. Good recordkeeping is one of the best ways for you to send a signal that your organization values a culture of compliance.
A few questions to consider:
- Are our records clearly maintained?
- Are our records sufficiently detailed (i.e., all fields filled out)?
- Do any records seem incomplete, or need to be revisited?
- Are the records well-organized and easy to find within minutes?
You may find some other useful tips in our blog post on records retention.
#3 Know Your Customer/Customer Due Diligence (KYC/CDD)
Your KYC/CDD policy and procedures are mission-critical elements of sound institutional compliance. As such, evaluating their implementation and maintenance is key to your organization’s overall picture of health.
Financial criminals can be incredibly sophisticated and are always looking for new ways to exploit otherwise legitimate systems, including cryptocurrency businesses with robust compliance.
This means that your KYC/CDD will need to be evaluated and updated often, and regulators will be looking for innovative ways you are protecting the industry from money launderers and your customers from scam activity.
For more on this topic, please review our blog posts on KYC/CDD for cryptocurrency businesses, and a more recent post with updated tips you may find useful.
#4 Look at your transactions
Your institution’s transaction activity is arguably the most important data set you possess when it comes to enforcing your AML Program and associated procedures.
Watching for red flags in transaction activity is a frontline responsibility, and your institution’s ability to monitor and respond effectively is crucial.
A few questions to consider include:
- Are our red flags catching enough suspicious activity?
- Are our red flags up to date?
- Do we observe new potentially suspicious trends that require new red flags?
You may also find our blog posts on surveillance and monitoring for cryptocurrency MSBs and red flags no crypto business should miss helpful.
#5 Your staff’s capabilities
Compliance training for all employees is an annual requirement, as well as an immediate requirement for all newly hired employees. But like everything else within the world of compliance, employee training isn’t just a check-the-box activity.
Of course, you need to record your annual one-hour training sessions for all staff, but there’s also a lot of on-the-job compliance training that should be making its way back to your staff training program.
You may find surprising knowledge gaps on your team; maybe some frontline employees haven’t been trained on how to use specific red flags properly, or certain updates to institutional compliance weren’t circulated to the team. Constantly ask yourself:
- Is our staff adequately trained in AML compliance?
- Does every employee understand their role in institutional compliance?
- Is our training updated constantly with the latest trends?
You may find our blog post on AML training for cryptocurrency businesses helpful. BitAML also provides up-to-date annual BSA/AML training as a service.
#6 Suspicious activity screening
This point goes hand-in-hand with point #4, but bears its own entry. Every cryptocurrency money services business/money transmitter has its own systems for identifying potentially suspicious activity.
As a sole proprietor of a single bitcoin ATM, you may have some combination of red flags you check manually and software applications that assist (but do not replace) KYC on your machine. If you operate a cryptocurrency exchange, you have enterprise-wide solutions for identifying suspicious activity.
Every business is going to be different, due to the business model, customers and geographies served, and any number of other risk factors.
The important thing is to make sure that your systems, whether automated or manual, for identifying potentially suspicious activity are constantly updated.
#7 Suspicious activity reporting
Following on from the last point is your system for reporting suspicious activity that does arise.
To put it bluntly, suspicious activity reporting (SAR) is an area where many crypto businesses have some room for improvement. Sound SAR policy requires internal reporting through a chain of command and a formal reporting period. With so many steps, it’s easy for balls to get dropped.
You may find lapses in your SAR process or discover that an employee assigned to filing doesn’t have the bandwidth to do so in a timely manner. A few questions to consider:
- Do we have a formal process for SAR filing?
- Does it work?
- Are SARs filed on time and complete?
Like we said, this is a tough one for many businesses, but we cannot emphasize its importance enough. If you need more insight, you can read our blog post on SAR filing, or reach out for a consultation at the end of this post.
#8 The final question: How have you responded to any deficiencies in the past?
Demonstrating the ability to identify deficiencies (if any) and implement solutions sends a clear signal to examiners that your institution is striving to create and maintain a culture of compliance.
Throughout your continual internal testing, be sure to document (in writing) identified shortcomings and any steps you have taken to address them.
Doing so will reflect well on your institution during the course of an examination.
Key takeaways for cryptocurrency businesses
When it comes to compliance, an ounce of prevention is worth a pound of cure.
Baking a few painless, routine self-checks into your day-to-day means your business won’t need to consider the worst-case scenarios, like fines or other potential sanctions or consequences.
AML compliance is constantly changing, especially in a new industry like cryptocurrency. Because of this, be sure to update your AML Program consistently and document the updates. As you grow and the regulatory landscape develops and changes, you’ll need to continue testing and updating to keep up. Documentation of this process will show your company’s good-faith effort to comply with regulations, which may help during a regulatory examination or audit at some point in the future.
When you consistently test and monitor your AML compliance program, you’ll never risk being behind the curve.
We’re always available to help. Reach out to BitAML here.