The cryptocurrency market saw some big shifts in 2021, and regulators took notice. As we enter 2022, expect a much more engaged regulatory presence than ever before. Here are some of the trends to get ahead of this year.
The crypto space has changed a lot over the past year, and that’s putting it mildly.
Just a few years ago, your typical crypto business owner had probably launched a handful of kiosks at their nearest population center, and for the most part, their state regulators didn’t have much of an opinion on how they conducted business.
Fast forward to now.
New business models have emerged, and their markets are growing rapidly. In addition to the kiosk and exchange markets, the largest in the industry, there are now crypto lenders, crypto hedge funds, NFT minters and traders, and more.
Mainstream adoption of crypto seems more feasible than ever, with large legacy institutions from international banks to megacorporations like Walmart exploring opportunities.
As we begin the new year, many states are actively working on cryptocurrency regulation, with some, like California for example, experimenting with surprisingly innovative frameworks.
And it doesn’t stop there. The current administration, all the way at the very top, is making crypto a priority in 2022.
Like we said, a lot has changed.
Welcome to 2022. While we won’t make any predictions (this is the year crypto goes mainstream!), it’s safe to say that crypto’s days as a niche market are coming to an end. And that has big implications for AML compliance.
Business owners need a strong compliance foundation on which to respond to forthcoming regulations from their states as well as the federal government. But they also need to be proactive in identifying suspicious activity, self-policing to the degree they are capable in order to create a fair marketplace, and practice a culture of compliance at their institution every day.
That starts with implementing an AML Program. If you’ve been operating without one, you’re out of time. Get it in place now.
If you do have an AML compliance program, but haven’t updated it or its associated policies and procedures in over a year, now would be a good time to do that.
This blog post is for you. In it, we’ll summarize the three biggest trends that emerged over the past year that have an implication for your institutional crypto compliance.
While there’s no substitute for independent testing in the form of annual third-party AML reviews, you and/or your BSA Compliance Officer should make sure that the following trends are reflected in your AML Program as we head into 2022.
1. Cybersecurity
While hackers have always been a concern in the cryptocurrency market, the volume of high-profile thefts increased dramatically during the COVID-19 pandemic.
Hackers have targeted major firms, stealing millions and revealing huge gaps in the security of even some “name-brand” vendors in the market.
With this trend, the topic of cybersecurity jumped several spots in line to become one of the foremost issues in the crypto space (we’ve written at length about the topic ourselves).
Hacks have become increasingly sophisticated, and no business is too small to become a target. When security is compromised, it not only damages business operations, it also negatively impacts the trust of your customers, the effects of which are both hard to measure and potentially irreversible.
So what’s the solution?
Developing a cybersecurity policy for your institution is a great place to start. But where the rubber really meets the road is in regular cybersecurity testing.
Hiring independent testers to “hack” your security regularly, but at a minimum annually, will reveal any potential deficiencies in your operations, and help you keep pace with the evolving methods of financial criminals.
Innovation in financial crime isn’t slowing down, so neither should you.
2. Consumer Protection
We’ve been strong advocates of consumer protection in the cryptocurrency space for a long time.
Implementing robust consumer protection policies and protocols has been less a hard requirement and more a best practice in the space to date. While regulators have certainly made no secret of their growing concerns with consumer protection in crypto, businesses focused on the issue have been doing so proactively in the interest of good business, and in an effort to self-regulate the market.
That is coming to an end.
Consumer protection is a priority of regulators, and businesses that have been resting on their laurels in this regard are in danger of falling behind. The Consumer Financial Protection Bureau (CFPB) is in the midst of an inquiry into the fee structures of various financial services. While crypto isn’t specifically mentioned, there’s no reason to think they’ll somehow be an exception.
A good place to start? Implementing disclosures that warn customers about scams and other crimes they may become targets of in cryptocurrency, as well as the unique features of the crypto market, such as the irreversibility of transactions and the volatility of the currency’s value.
Ensure that any fee structures are transparently disclosed, that customers have clear methods for consumer feedback, and that any such consumer feedback is recorded appropriately.
These simple measures will go a long way toward protecting the institution as well as your customers and addressing the concerns of regulators.
3. Ransomware
Regulatory concerns about ransomware scams in the cryptocurrency market have increased dramatically, especially in recent months.
Though somewhat related to the issues of cybersecurity and consumer protection, ransomware deserves explicit focus in this list for two reasons: One, because it has big implications for day-to-day compliance responsibilities like transaction monitoring, and two, because FinCEN has explicitly issued an advisory on the issue (which you can read here).
Ransomware attacks have expanded in recent years, with scammers increasingly asking for cryptocurrency in their schemes.
To help mitigate this trend, we advise businesses to implement specific red flags for ransomware and associated payments into their surveillance & monitoring policy (a series of red flags is included in the FinCEN Advisory linked above – start with those!).
This will require more than adding one or two red flags to your routine and calling it a day; ransomware is an emerging typology and will require a dedicated and focused entry into your transaction monitoring practices.
Key takeaways
If it’s been some time since your last independent third-party AML review (18 months or more), we strongly advise you to set one up immediately. As the regulatory headwinds change rapidly in the coming years, now would be an ideal time to get that “check-up.”
BitAML can perform one, or if we created your AML Program, we can recommend an independent reviewer.
Reach out to us today for any questions about your institutional AML compliance, or to set up an independent AML review here.
