18 May Token Risk Analysis: A Best Practice For Bitcoin Compliance
Robust risk analysis of the coins offered by money services businesses, including bitcoin ATMs, is an industry best practice that will eventually become a formal AML compliance requirement.
When you started your business, you probably didn’t think too much about the “risk profile” of the tokens you offer.
And who can blame you? After all, unless you’re operating a cryptocurrency exchange, you might not even be transacting in anything other than bitcoin.
But if you’ve thought about adding altcoins like Litecoin and Ethereum to your suite of services, or even privacy coins like Monero, you will need to incorporate coin risk analysis into your AML compliance procedures.
Is it required?
For cryptocurrency exchanges, it’s more or less an expectation, even if it’s not written in stone (yet).
But as bitcoin compliance requirements continue to take shape at federal and state levels, risk analysis of the coins themselves will eventually become a feature of regulatory compliance for all business types in the cryptocurrency space, including ATM/kiosks.
As with everything in AML compliance, we advise businesses to play it safe and stay ahead of the regulatory curve.
This post will explain how coin risk analysis works, and why your business should waste no time adopting it as a best practice now.
What is coin risk analysis?
Coin (or token) risk analysis refers to a process undertaken by a financial institution in the cryptocurrency industry, the goal of which is to analyze the risk level of the coins that the business does or plans to offer.
It’s a process that is largely undertaken by large cryptocurrency exchanges, which offer hundreds if not thousands of distinct coins on their platforms.
However, more small-to-medium scale bitcoin money services businesses (MSBs) and money transmitters are adopting a similar process, particularly when they expand their service offerings (i.e., introduce altcoins like Litecoin or Ethereum to their customers).
We’ve also referred to coin risk analysis as “cryptocurrency due diligence” in previous blog posts that focus on exchanges and how they select the coins they offer in an AML compliant manner.
How does it work?
Effective coin risk analysis provides a formal evaluation and approval process for the coins that the business in question offers to consumers.
Coins are evaluated against both relevant state and federal financial laws as well as the company’s own unique risk profile and individual mission and values.
As such, while comprehensive coin risk analysis must address all relevant financial laws, the process is always somewhat bespoke in that businesses each have their own goals and unique makeup. This is why it’s wise to involve a lawyer in the coin review and vetting process.
If you have questions or thoughts on this topic, we’d love to hear what you think. Contact our compliance experts at BitAML anytime.
After the risk analysis is complete, the business in question will determine whether or not to offer it to consumers.
It’s important to complete this entire process before offering a coin; even “testing” a new coin with your market should not occur without a coin risk analysis. Otherwise, you may expose your business, your customers, and the greater cryptocurrency market to an elevated (and unnecessary) level of risk.
Best practices for coin risk analysis for all business models
Many of the same best practices that benefit crypto exchanges will also apply to more modest operations, including “solopreneurs” managing a single bitcoin ATM.
When analyzing a new coin, the first (and arguably most important) step is to determine whether or not that coin intersects with securities, money transmitter, or any other relevant U.S. financial laws.
Relevant to this step is the definition of a security according to the Securities & Exchange Commission (SEC).
The definition of a security, per the 1933 Act, §2(a)(1) is as follows:
“Any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a ‘security’, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.”
Is cryptocurrency a security?
Most mainstream cryptocurrencies like bitcoin are not considered securities by the SEC. If your coin risk analysis determines that a cryptocurrency is a security, then you’ll need to go through some extra steps, including potentially registering with the SEC.
That’s a headache you don’t want or need, so we often advise our clients to simply avoid offering any coins they determine to be a security (or, similarly, an “administer” according to FinCEN).
It’s easiest to simply not offer them, though if you have any doubts, you should consult legal counsel for a determination.
Determining whether a cryptocurrency is a security (using the Howey Test)
The Howey Test was developed in the 1940s and is used to this day to determine whether a form of financial transaction can be considered a security.
As such, the test applies to transactions of cryptocurrency, and is a critical feature of coin risk analysis.
“It’s important to complete this entire process before offering a coin; even “testing” a new coin with your market should not occur without a coin risk analysis.”
The Howey Test is comprised of four main criteria. If a transaction meets all four, the SEC considers it a security. They are as follows:
- There is an investment of money
- The investment is in a common enterprise
- There is an expectation of profits
- Any profit comes from the efforts of others (including third party promotional efforts)
A simple consumer purchase of bitcoin would not qualify, because bitcoin is widely understood to be a replacement for or alternative to fiat currency, at least according to the SEC chairman.
However, some coins are more ambiguous. The highest-profile example is Ethereum, with critics and even some former regulators opining that it should be classified as a security (the SEC thus far has not taken an official stance on this matter).
The relevant point is that just because bitcoin is not considered a security doesn’t mean that other popular altcoins won’t be. Each coin your institution wants to offer needs to pass your coin risk analysis.
Other considerations (privacy, demand)
Let’s say the coin you want to offer does not meet all four Howey Test criteria. That’s it, right? Can you go ahead and start offering it?
Not so fast.
We mentioned that depending on your business model, risk profile, mission and values, etc., you’ll want to apply a bit more scrutiny to each coin, albeit the answers you’re looking for here are more qualitative and unique to your institution.
Though determining a coin’s status as a security or administer is a critical first step, you’ll also want to do some other analysis as well, including but not limited to:
- Basic market research to determine the demand for the coin
- A blockchain security audit
- A cybersecurity review
You’ll also want to factor in your institution’s values and appetite for risk. Some businesses simply do not want to offer so-called “privacy coins” because of the risks involved.
For instance, a business conducting transactions in an urban market may find the potential risks associated too great. A business in a rural market may feel differently.
What happens if you get this wrong?
There have been many high-profile stories in recent years of individuals facing charges and fines in the hundreds of thousands for operating “unregistered exchanges” and offering coins considered securities by the SEC without the proper registration or disclosures.
Though firms like EtherDelta and BitFunder were arguably swept up in a larger “crackdown” on fraudulent ICOs by the SEC, it should demonstrate how seriously the agency takes institutional due diligence into the tokens they offer.
Key takeaways for business owners
As cryptocurrency continues to grow in popularity and wider mainstream adoption, there will be more demand for more coins from the financial institutions that offer them, even down to the solopreneur who operates a single ATM.
To remain competitive and compliant, coin risk analysis should be implemented and practiced sooner than later.
BitAML is an AML consulting firm that specializes in bitcoin compliance, but blog posts like this are not a substitute for legal advice. If you have questions about token analysis, consult with your lawyer for more information. For any other questions about bitcoin compliance or AML compliance in the cryptocurrency space, get in contact with us here.