FinCEN Director Kenneth A. Blanco pointedly warns traditional banks to understand their exposure to crypto in keynote remarks.
Anyone who runs a cryptocurrency financial institution can tell you that getting a business account at a traditional bank is incredibly difficult.
Banks are, as a rule, skeptical of the cryptocurrency space for many of the same reasons as law enforcement and regulators — new technologies pose an increased risk for the potential for money laundering, fraud, and other forms of financial crime.
As such, most traditional financial institutions refuse to bank crypto. Those that allow exceptions do so under extremely narrow and specific circumstances, and with many additional layers of scrutiny than usual.
By taking such a strong, black and white stance against crypto, traditional banks have managed to limit their risk exposure.
Or so they think.
The truth is that banks are grossly underestimating their exposure to crypto. What’s more, FinCEN has noticed.
In this blog post, we’ll explain:
- The data on bank exposure to crypto
- FinCEN’s warning to banks
- Our recommendations for banks
Needless to say, if you work in AML compliance for a traditional financial institution, you’ll want to follow this story.
How exposed are banks to crypto, really?
Banks do not support crypto as a matter of policy. But the policies and protocols in place to limit their exposure may not be as effective as banks assume.
According to a recent report*, all of the top 10 U.S. retail banks support, knowingly or otherwise, illicit cryptocurrency MSBs, including crypto exchanges.
The report concluded that the “increasingly intertwined nature” of banks and cryptos proved one of the major trends of the year — a year which featured losses from fraud, misappropriating of funds, hacks, and thefts totaling $4.5 billion.
Let that sink in: 2019 was both a banner year for financial crime in the cryptocurrency space, and also a year where every major bank in the U.S. showed serious risk exposure to the crypto space.
The report estimated that “a typical large U.S. bank processes billions annually in undetected cryptocurrency-related transfers.”
It also called the presence of crypto-related banking in traditional financial institutions “pervasive” and “often unnoticed.”
Then, 2020 saw a major regulatory enforcement action against a bank for “extensive failures” in crypto AML compliance.
The Office of the Comptroller of the Currency (OCC) sent a cease and desist order to M.Y. Safra Bank in what was widely seen as the first-ever such enforcement action against a U.S.-based bank (M.Y. Safra Bank is headquartered in New York City).
The order cited inadequate AML practices for “Digital Asset Customers (DACs)” (read: cryptos), as well as a lack of AML controls including surveillance and monitoring and customer due diligence. Customers supported by Safra included exchanges, BTMs, ICOs, virtual OTCs, and others.
This is all to say that regulators have taken notice of a lack of robust AML compliance when it comes to crypto businesses, and it doesn’t end with Safra.
In fact, time for banks is running out to implement stronger crypto AML protocols and to truly, accurately measure their own risk exposure to the nascent industry.
At least, that’s the takeaway we got from recent remarks delivered by FinCEN Director Kenneth A. Blanco.
Blanco warns banks at ACAMS AML virtual conference
It’s not a story we’ve seen much reporting on, but it’s one that every AML compliance employee in a traditional bank can’t afford to miss, in our opinion.
At the ACAMS AML Conference in September, Director Blanco gave a keynote speech in which he very pointedly warned banks that future examinations will look for exposure to cryptos.
In a section on cyber threats, Blanco noted that exchanges aren’t the only groups with risk exposure related to cryptos, and that even traditional banks need to understand their true level of exposure as well.
He said, “banks also need to be asking themselves, ‘What baseline controls do we have in place to identify customers? Do we have institutional or peer-to-peer virtual currency customers? How does our financial institution interact with emerging payment systems? Do we have the tools we need to identify and report potentially suspicious activity occurring through our financial institution?’ All of these questions go back to the policies and procedures in place to mitigate risk.”
“If banks are not thinking about these issues, it will be apparent when examiners visit,” he cryptically warned.
Given the amount of exposure security analysts like CipherTrace have uncovered in the traditional financial sector, as well as regulatory interventions in the form of the OCC Letter, and remarks like these from FinCEN Director Blanco, banks have precious little time to get their crypto AML compliance regimes in order.
So what should banks do?
BitAML’s takeaways for banks
Banks are facing a two-part problem:
- They need to understand what their actual exposure to crypto is
- They need to implement stronger AML controls ASAP
Banks need to assume that their exposure to crypto is dramatically higher than they think, and understand that the amount of time they have to get an accurate picture of their exposure and implement robust countermeasures is running out.
Current controls are anemic and ineffective. Word-based searches for “crypto” and one-paragraph policies prohibiting banking of cryptos aren’t protecting banks. Cryptos are more sophisticated than banks think, and massage language to get around existing controls. This is simply a failure of KYC.
Our take? The toothpaste is out of the tube at this point.
There’s no going back. Crypto is here to stay, there will be more iterations not fewer, and it’s time to start learning this stuff.
We’ve started to consult with some banks and financial institutions and have found that even those open to banking crypto are still woefully underprepared. There are a lot of unknowns and unseens, and banks need to work with experts in crypto to gain better visibility in these areas.
Why? Because they can’t hope to apply countermeasures if they don’t understand their exposure.
We urge banks to maintain existing controls, but to take fast action to apply additional steps so that they can affirmatively say to FinCEN examiners (and others) that they know their customer and financial dealings when it comes to crypto customers.
Some good info-gathering steps include:
- Hire a blockchain forensics company
- Proactively review localbitcoins, P2Ps, and others to gauge exposure
- Seek out specialized training for crypto AML compliance
BitAML and ACFCS are engaged in such trainings as we speak. Learning to detect and review P2P transactions is a critical tool for traditional banks, and a major first step toward assuaging regulators in light of Director Blanco’s remarks.
If you’re interested in learning more about compliance resources for banks, you can schedule a free consultation with BitAML here.
*CipherTrace’s Cryptocurrency Anti-Money Laundering Report published in Q4 of 2019.