Coinfirm strives to ensure our ecosystem possesses the most up-to-date and concise knowledge to act in accordance with the latest AML/CFT (anti-money laundering/countering the financing of terrorism) compliance requirements in the crypto space to avoid regulatory penalties.
Our Regulatory Affairs team has collated the general compliance requirements for those looking to begin operating a crypto business – or those simply looking to refresh their knowledge – who need to design and implement an appropriate regulatory compliance framework.
Check Where You Need / Want to be Regulated
Determining the country where your company will need to be regulated may not be so obvious. There are numerous factors to consider and questions to answer:
- Where will your company be domiciled/ registered?
This is the most fundamental question. In most jurisdictions, you will need to be regulated in the country of registration.
- What countries will your customers be located in?
Many jurisdictions require crypto businesses to be regulated as a pre-requisite to providing services for their citizens.
- What countries will you be conducting marketing in?
Some jurisdictions go even beyond the country of your customers as the determinant of regulation and expect you to be regulated in the country where you market your services.
The above 3 questions pertain to your business profile and business development plans.
It is certainly possible to adjust your business development plans to the preferred jurisdictions – in other words, choose the country with the most favourable business and legal conditions and decide to expand your business there. However, this poses another question: how do you evaluate how crypto-business-friendly a jurisdiction is?
The assumption that countries with no regulations for crypto-assets are the most business-friendly can be misleading. No regulatory requirements may mean lower market entry costs, but in the long-term the risks and costs can be much greater. It is more likely that jurisdictions with no regulations for crypto will finally be forced to have one through actions of international standard setters like the FATF. Additionally, registering in a ‘no crypto regulations’ jurisdiction is a red flag that will most likely be attributed to your business by banks and financial institutions you will want to use for managing your finances.
In choosing the preferred jurisdiction for registration, consider the factors below:
- What is the level of legal certainty around crypto-assets in the jurisdictions you are considering?
Countries with predictable and transparent legal systems are generally easier to conduct business in. That is crucial in the context of the crypto industry, where legal frameworks are still being formed in some regions. Registering your business in a jurisdiction that is not clear on what the requirements are for crypto-assets may put you at risk of having to comply with a regulatory framework once it is introduced – whether favourable or destructive for your business. Such changes may bring additional business costs at the same time as reduced revenue, for instance where users in jurisdictions you serve lose access once the AML regulatory requirements come into force. On the other hand, choosing a jurisdiction with an existing legal framework for crypto-assets means having clarity upfront on what your obligations will be.
- What are the regulatory requirements for crypto businesses?
Countries with more legal certainty may still differ in the scope of their regulatory requirements and, consequently, in the financial and operational burden placed on your business. The differences may seem minor, but proper analysis can reveal significant implications. For example, reporting all transactions above a certain threshold, as required in some jurisdictions, may appear an easy obligation to comply with; however, depending on the type of your business and the number of transactions, the costs incurred may be significant.
Confirm Regulatory Requirements in the Particular Jurisdiction
An obvious step in any business setup, yet with the complexity of regulatory frameworks it should be carried out with care: ensuring the details of all requirements (or the absence of regulatory requirements) are clear.
To start with, it is crucial to understand:
- Which regulatory body (bodies) must your company be registered with?
- Does the country you are registering with require registration and/or licensing? In case of licensing, what are the minimum requirements to obtain the necessary licence?
- What regulatory obligations fall on your business type in this country? Regulatory requirements for crypto businesses can cover similar areas to the traditional financial space, e.g.
- Anti-money laundering and counter terrorist financing obligations (implementing the AML programme, conducting Due Diligence on your clients, suspicious activity identification and reporting etc.)
- Sanctions obligations
- Anti-bribery and corruption-related obligations
- Prudential regulation (requirements around holding adequate capital or liquidity, public disclosures, limits on specific risk exposures etc.)
- Market conduct requirements
- Marketing related requirements
The majority of jurisdictions with crypto regulations currently focus on AML/CTF-related regulations; however, there are already examples of other areas – e.g. market conduct requirements on crypto businesses in Gibraltar. Additionally, with MiCA (Markets in Crypto Assets Directive) in the EU coming in the near future, EU-registered crypto businesses will be subject to prudential, market conduct and marketing-related requirements.
Given that the AML requirements prevail, the next steps will focus on the AML-related obligations.
Conduct AML Risk Analysis for Your Business
Most AML regulatory regimes will require you to conduct an AML risk analysis of your business.
What that means in practice is a thorough review of:
- Business activities
- Products offered
- Clients – types, geographies
- Channels of sale
- Other risk areas – e.g. outsourcing arrangements
The purpose of this review is to identify what potential AML risks your business may be exposed to.
To illustrate with an example: a crypto custody business handling only BTC and ETH, with a moderate frequency of trades and large institutional clients, presents different AML risks than a high-frequency exchange offering all assets, including privacy coins.
It is prudent for your AML risk analysis to take into account the national AML risk assessments conducted by the countries your business is exposed to (depending on the type of business this may be the country of registration, the countries of your clients, or both). National risk assessments are publicly available and present the country's view on the potential AML risk areas in the assessed jurisdiction.
Design AML Controls
Knowing your regulatory requirements and the potential AML risks you are facing gives you the foundation to design effective AML controls.
You must have an AML programme or policies that set out – at a minimum:
- Compliance Officer/Compliance Function/Money Laundering Reporting Officer – explanation of who in your organisation performs these functions and what their responsibilities are
- AML training – setting out the details of how your employees will receive AML training on an ongoing basis
- Your client acceptance criteria, detailing what requirements prospective clients must meet to use your services and whether you exclude any part of the potential customer base (e.g. not accepting customers from countries subject to comprehensive sanctions)
- Know Your Customer (KYC) onboarding process stipulating what documents and information you will ask your clients to provide before onboarding them
- Ongoing Due Diligence process explaining in what circumstances you will be refreshing your clients’ KYC checks – typically this occurs at regular intervals (1-5 years depending on the client risk) and when a change in the client’s KYC or relationship occurs (e.g. the client changed their Beneficial Owners or applied for a riskier product)
- High-risk clients and PEPs – one of the crucial elements of KYC and Client Due Diligence is an explanation of what controls you will have around your high-risk client population and how you will handle relationships with Politically Exposed Persons (PEPs)
- Transaction monitoring process laying out how you will monitor your clients’ transactions to spot potentially suspicious activity
- Suspicious Activity Reporting (SAR) process explaining how you manage potentially suspicious activities – i.e. who is responsible for reviewing them, when and how they are reported to the respective FIU
- Record keeping requirements – i.e. how long you will keep your clients’ records
This is the absolute minimum – AML programmes in mature organisations tend to be more robust and detailed. Some organisations choose to cover requirements relating to sanctions compliance and/or anti-bribery compliance within their AML programme. More commonly though, among the largest organisations, there are separate policies and programmes targeting specifically compliance with sanctions and separately dealing with anti-bribery obligations.
Also, bear in mind that some areas of your company will be closely linked to the AML function, and ideally your AML controls would stipulate how they co-operate. Apart from the anti-bribery and sanctions compliance already mentioned, functions such as fraud prevention may have a cross-link with AML (e.g. if a potential fraud case is identified, it may require the filing of a Suspicious Activity Report or an increase in the client's AML risk rating).
Choose the Right Tools to Support Your AML/CFT Controls
When setting up your VASP, you will have the opportunity to design your AML/CFT controls from scratch and select the right supporting tools to ensure their execution. The choice of software supporting the execution of AML obligations is vast and may appear overwhelming at the start. So where to start? From our experience, you will need the following software/tools:
- KYC/ CDD – i.e. tools to store your clients’ KYC documents and information – this should be a ‘golden’ source of your customer’s AML-related information as most likely it will be linked to a number of other tools (e.g. sanctions screening or transaction monitoring)
- Sanctions and PEP name screening – i.e. tools to check, at the time of onboarding and on an ongoing basis, that your clients and their connected persons (directors, owners etc.) are not on sanctions lists and are not PEPs
- Transaction monitoring – i.e. ongoing monitoring of your clients’ transactions and alerting of high risk, potentially suspicious or unusual activity
- Blockchain address screening – i.e. screening the addresses your clients send assets from or to, checking that the source of assets is not linked to illicit activity and that they are not sending assets to an illicit address
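To make the four tool categories concrete, the following is an added illustration (not Coinfirm's code or any product's API) of how they fit together in a VASP's control stack: the KYC record acts as the golden source, name screening, address screening and transaction monitoring each read from it, and the results are combined into a client risk rating plus a queue of alerts for the compliance function to review. All list entries, addresses, thresholds and transactions are constructed placeholders; real deployments would use licensed sanctions/PEP data, a blockchain analytics provider for address risk, and fuzzy name matching rather than the exact normalisation used here.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# --- Constructed reference data (placeholders, not real list entries) ---
SANCTIONED_NAMES = {"acme trading ltd"}
PEP_NAMES = {"jane example"}
ILLICIT_ADDRESSES = {"0xdeadbeef" + "0" * 31 + "1"}   # constructed illicit address
EXCLUDED_COUNTRIES = {"XX"}        # countries under comprehensive sanctions in this constructed policy
REPORT_THRESHOLD = 10_000.0        # constructed fiat-equivalent reporting threshold
STRUCTURING_BAND = 0.9             # share of the threshold above which a tx counts as "just under"


@dataclass
class Client:
    """KYC record: the golden source that every other control reads from."""
    client_id: str
    name: str
    country: str
    connected_persons: List[str] = field(default_factory=list)  # directors, owners etc.


@dataclass
class Tx:
    client_id: str
    direction: str             # "in" (client receives) or "out" (client sends)
    counterparty_address: str
    amount: float              # fiat-equivalent value


def _key(name: str) -> str:
    # Crude normalisation; production name screening layers fuzzy matching on top of this
    return " ".join(name.lower().split())


def screen_names(client: Client) -> List[str]:
    """Sanctions and PEP name screening of the client and its connected persons."""
    alerts = []
    for person in [client.name, *client.connected_persons]:
        if _key(person) in SANCTIONED_NAMES:
            alerts.append(f"SANCTIONS_MATCH:{person}")
        if _key(person) in PEP_NAMES:
            alerts.append(f"PEP_MATCH:{person}")
    if client.country in EXCLUDED_COUNTRIES:
        alerts.append(f"EXCLUDED_COUNTRY:{client.country}")
    return alerts


def screen_address(address: str) -> bool:
    """Blockchain address screening against the constructed illicit-address set."""
    return address.lower() in ILLICIT_ADDRESSES


def monitor_transactions(txs: List[Tx]) -> List[str]:
    """Transaction monitoring: illicit counterparties, threshold reports, possible structuring."""
    alerts = []
    for tx in txs:
        if screen_address(tx.counterparty_address):
            alerts.append(f"ILLICIT_ADDRESS:{tx.direction}:{tx.counterparty_address}")
        if tx.amount >= REPORT_THRESHOLD:
            alerts.append(f"THRESHOLD_REPORT:{tx.amount:.2f}")
    # Several transactions sitting just under the reporting threshold is a classic structuring pattern
    just_under = [t for t in txs if STRUCTURING_BAND * REPORT_THRESHOLD <= t.amount < REPORT_THRESHOLD]
    if len(just_under) >= 3:
        alerts.append(f"POSSIBLE_STRUCTURING:{len(just_under)}")
    return alerts


def assess(client: Client, txs: List[Tx]) -> Tuple[str, List[str]]:
    """Combine the controls into a client risk rating plus the alerts for the MLRO review queue."""
    own_txs = [t for t in txs if t.client_id == client.client_id]
    alerts = screen_names(client) + monitor_transactions(own_txs)
    if any(a.startswith(("SANCTIONS_MATCH", "EXCLUDED_COUNTRY")) for a in alerts):
        return "blocked", alerts          # fails client acceptance criteria outright
    if any(a.startswith(("PEP_MATCH", "ILLICIT_ADDRESS", "POSSIBLE_STRUCTURING")) for a in alerts):
        return "high", alerts             # enhanced due diligence and shorter KYC refresh cycle
    if alerts:
        return "medium", alerts           # e.g. only a routine threshold report
    return "low", alerts


if __name__ == "__main__":
    # Constructed sample: one client sending to a flagged address and receiving above the threshold
    bob = Client("c1", "Bob Sample", "GB")
    sample = [Tx("c1", "out", "0xDEADBEEF" + "0" * 31 + "1", 500.0),
              Tx("c1", "in", "0xabc", 12_000.0)]
    print(assess(bob, sample))
```

The rating tiers map back to the programme elements above: "blocked" corresponds to the client acceptance criteria, "high" to the high-risk/PEP controls and a shorter ongoing due diligence interval, and every alert is the input to the SAR review process, so the tooling choice should be driven by which of these steps it feeds.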
Coinfirm’s set of AML tools can support you. We provide a comprehensive suite of tools for blockchain address, transaction and wallet screening.
Implement Your AML Controls
There is a long way between designing AML controls and effectively implementing them.
Effective implementation involves – at a minimum:
- Clear roles and responsibilities – setting out who in your company will be responsible for the respective processes
- Internal audits/controls – having a process that ensures the execution of your AML programme is controlled, e.g. through four-eyes checks, periodic internal audits, spot checks etc.
- Training your staff – apart from the mandatory training for all employees on AML foundations, you need to adequately train your staff for execution of the duties specifically assigned to them
Last, but not least, it is important to bear in mind that your AML programme requires constant re-assessment and updates – AML requirements keep evolving (especially in crypto), and so do your business and your clients. AML controls cannot remain unchanged if their drivers have changed.
Our extensive partnership network with law firms such as Stelios Americanos & Co., Silver Miller and Nagel & Associates can help crypto startups attain operating licences across jurisdictions.
Coinfirm was founded with the mission to make the blockchain economy a safer space and to prove the technology promises an improvement to the traditional financial system. And the open-source nature of blockchain means that it is generally easier – and cheaper – to ascertain illicit fund flows.