28 Jan Cryptocompliance 101: Do You Need A Risk Assessment? In Crypto, The Answer Is Yes
Investing in cryptocurrency is uniquely risky. Its value fluctuates unpredictably, your transactions aren’t insured, and they’re practically irreversible.
Just like it’s important for people like you and me to understand crypto’s risks before making our first purchase of bitcoin, it’s infinitely more important for entrepreneurs to understand the complex inherent risks of starting a business in the cryptocurrency space.
If you’re starting (or currently running) a cryptocurrency money services business (MSB) or money transmitter, do you know what your risk profile is? Do you know how vulnerable you are to money laundering and other financial crimes? If you operate a chain of cryptocurrency kiosks, do you know the unique risk profile of the city or cities they’re located in? Do you have an anti-money laundering (AML) program, and other policies and practices to help mitigate that risk?
When it comes to cryptocurrency compliance, many business owners we talk to aren’t exactly sure where to start. We always tell them the same thing.
Start with a risk assessment.
We’re continuing our series of cryptocompliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance. Today’s topic is extremely important to the ongoing compliance health of a crypto operation – the annual risk assessment.
What is a risk assessment?
Risk assessments are absolutely critical for cryptocurrency MSBs. A risk assessment is often the first step in designing compliance procedures that protect your business from financial crime and keep you in the good graces of federal and state regulators.
In short, it is one of the most important tools you can use to keep your cryptocurrency business not only compliant but viable for the long haul.
Other businesses in the financial sector perform risk assessments, but crypto MSBs are unique for a couple of reasons.
One is that there is often little guidance from federal and state regulators about how cryptos should operate. Without clear guidelines, crypto MSBs are in a tough spot; they are expected to develop compliance protocols that adhere to key pieces of legislation like the BSA or USA Patriot Act, yet figure out how to apply traditional finance compliance to a unique and emerging model.
This leads into the second way crypto MSBs are unique in the eyes of regulators. Generally speaking, regulators tend to view emerging technologies as posing a higher level of inherent risk. Crypto transactions are, after all, fast, anonymous, and irreversible. Though crypto transactions are undeniably secure thanks to blockchain technology, they’re completely decentralized, meaning there’s no federal insurance organ to appeal to if your digital funds are lost or stolen.
A risk assessment is a crypto MSB’s way of playing ball with state and federal regulators, despite not having clear guidance on how they should operate. It is also essential operating intel that informs business owners of their risk profile — where their business is vulnerable — which enables entrepreneurs in the space to develop risk mitigation strategies and strong compliance procedures that protect their customers and their livelihood.
Bottom line, a risk assessment tells you, the business owner, what can go wrong with your business, how likely it is things can go wrong, and how much risk you’re able to tolerate if you continue to operate.
Is it required?
Pursuant to U.S. legal and regulatory requirements, regular risk assessments are vital components of effective compliance.
That said, risk assessments are not explicitly required of financial institutions, including MSBs in the crypto space. However, operating without an understanding of your risk profile is kind of like driving at night without your headlights on.
Your business might be incredibly vulnerable to money launderers and terrorist financiers, and if you don’t have robust protocols in place to identify and report suspicious activity, then you open yourself up to a myriad of problems — reputational damage, loss of business, fines, even jail time.
I can’t emphasize this enough — the best way to know what kinds of procedures you need to put in place to protect your business is by performing a risk assessment.
What does a risk assessment include?
In order to provide business owners with an overall understanding of the risk profile of their MSB with regard to money laundering and terrorist financing, risk assessments should focus on a few key areas.
A well-developed risk assessment includes:
- An evaluation of the adequacy and appropriateness of the policies and controls established by the business in order to comply with regulations and mitigate risk.
- Identification of significant risk gaps or weaknesses in the business.
- Recommendations to help the business improve its compliance procedures.
A risk assessment should also comment on the direction in which your risk is trending and, where appropriate, recommend where the business can strengthen its controls to manage that risk.
A risk assessment analyzes two kinds of risk: inherent risk and residual risk. It also analyzes the mitigating controls in place to help a business manage its vulnerabilities.
- Inherent risk is the risk profile of your crypto MSB absent mitigating controls, or, how much risk you’re exposed to if you do nothing about it.
- Residual risk is how much risk remains after factoring in your mitigating controls, or, the amount of risk you have to tolerate regardless of what you have done about it.
- Mitigating controls are things like your policies, AML program, protocols for reporting suspicious activity, and other practices that help you manage your risk profile and exercise good compliance.
To put it simply, a risk assessment is going to look at how risky your crypto MSB is before you do anything about it, what you can do about it, and then the risks you should still be aware of even if you do everything you can to protect yourself.
Who, what, and where
This might lead you to ask how a risk assessment calculates your risk profile in the first place.
A thorough risk assessment will look at things like your business strategy and operating model. If you run a bitcoin ATM that accepts cash, that will have an influence on your risk profile. If you accept in-person transactions, that will as well.
It will also look at three key areas:
- Your customers: Whether you’re B2C or B2B, and whether your customers are U.S. citizens or not, your customer base may pose a risk to your business.
- Your services: Again, your operating model and the risks it exposes you to.
- Your location: If you run your business in a big city, especially one designated a HIFCA (High Intensity Financial Crime Area) or HIDTA (High Intensity Drug Trafficking Area), you will have a higher risk profile.
Your location also matters if you are in a state where specific regulatory guidance has been handed down to cryptos. If there are regulatory expectations in your state that you are not compliant with, it will increase your risk profile.
The key takeaway here is that a risk assessment will analyze your business across these dimensions: what you offer, who your customers are, and where you’re operating. It will then tell you your risk profile and make some recommendations for lowering your risk.
How do I know if I need a risk assessment done?
If you are running a cryptocurrency exchange, a network of ATMs, or any business that could be considered an MSB or money transmitter, you should get a risk assessment done at least once a year, or any time significant changes have been made to your business (you expand into a new area, offer a new service, etc.).
Even if your business has been operating for months and has never had one done, it is an invaluable undertaking and should be done as soon as possible.
Otherwise, you could be an unwitting target for money launderers and terrorist financiers. If agencies like FinCEN or the IRS start tracing criminal transactions to you, and they find that you lack sufficient compliance to combat financial crime, then you, too, could be held liable.
Treat it like your dentist or your annual physical and just get it done.
Who should perform a risk assessment?
It is not advisable to try and perform a risk assessment on your own. You will need an objective and learned analysis from professionals who understand regulatory nuance, the unique operating model of crypto MSBs, and the profile of financial crime within the space.
Contact BitAML today for a free consult and we can help you figure out if your business should perform a risk assessment, and other strategies for strengthening cryptocurrency compliance.