Risk Assessment: Back to Basics

By Meredith Beeston (FINTRAIL Solutions) and Allison Spagnolo (FINTRAIL Solutions).

Adopting a risk-based approach is the foundation of best-in-class anti-financial crime practice. Your anti-financial crime (“AFC”) risk assessment should be one of the cornerstones of that practice.

While financial crime risk professionals are familiar with the AFC risk assessment, also known as the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) risk assessment in the U.S., it can be easy to underestimate its true value in the risk management framework. Risk assessments often feel like a chore or little more than a check-the-box exercise to please your regulator. The AFC risk assessment, however, is one of the most powerful tools you have to reduce your exposure to financial criminals and should be designed to grow and evolve to match any new vulnerabilities. A properly executed AFC risk assessment will close gaps in your compliance program and identify the appropriate policies, procedures and controls that should be implemented to protect your firm and your customers. To help you design a risk assessment of your own, we’ve gone “back to basics” and drawn on our experience with FinTechs to unpack the fundamentals of a modern and effective risk assessment. This post will explore features common to all AFC risk assessments and offer practical advice about how to design one for your company.

What is an AFC Risk Assessment?

In most jurisdictions, AFC risk assessments are indeed a regulatory requirement. The U.S. Bank Secrecy Act (“BSA”), the EU’s 4th Anti-Money Laundering Directive (“4MLD”), and the Financial Action Task Force (“FATF”) all require periodic internal risk assessments. Consider, though, that this particular regulatory requirement can also be an opportunity to meaningfully guide your entire AFC framework and not just a task to complete to avoid regulatory displeasure.

AFC risk assessments also serve as:

  • A map of vulnerabilities. It is important to understand the ways in which a criminal might seek to misuse your product. It is much better to proactively identify and address potential vulnerabilities instead of discovering them as part of a “post-mortem.”

  • A resource plan. Once you know where your vulnerabilities lie, you can consider the controls you need to tackle them, giving you the opportunity to better strategize how to divide up your company’s finite resources. For instance, which RegTech products are most worth the investment? What skills do you need in your next AML analyst? The answers to these questions will be resolved in the risk assessment.

  • A development strategy. In the FinTech sector, growth and innovation are a daily feature of the business. Your AFC risk assessment can and should guide these efforts - helping you select which jurisdictions are best for expansion, which product features offer the most potential with the least risk, and which customer segments to market to next.

  • A dialogue. Much like your company itself, your AFC risk assessment has to evolve. It should change to reflect insights and feedback from your senior management, auditors, consultants, banking partners and regulators. Each risk assessment - and its results - offers an opportunity to dialogue with relevant stakeholders about the future of the AFC risk assessment, resourcing and compliance program.

How do I Create an AFC Risk Assessment?

At their core, AFC risk assessments can be summarized in one essential formula:


Let’s break down each of these factors in a bit more detail.

Inherent Risk

Inherent risks are the financial crime risks you face before you apply any of your existing (or if you’re just starting off, planned) AML controls. At a high level, your inherent risks generally fall into three categories:

  • Who your customers are

  • What geographies you serve

  • Your unique product and delivery features

Then, you will need to develop criteria or questions about the specific financial crime risks your company and customers are exposed to in each area. While it is important to initially consider the broad categories of financial crime risk (e.g., money laundering, terrorist financing, and fraud), you will likely want to generate more granular questions. For instance, if you offer a prepaid card targeting students, you will want to specifically address the risk of money mule activity occurring on your platform. In another example, if you offer a direct debit service, you will want to consider how vulnerable your product is to transaction laundering.

You should be able to analyze the data you gather across your company. While many FinTechs we deal with have a single office or product, over time, your approach to gathering data to establish inherent risk will need to evolve. For instance, for a FinTech with branches in Europe, the United States and Asia, instead of asking, “Are you aware of any high risk or medium-high risk-rated customers in a branch’s customer population?” the risk assessment should ask, “Provide the number of high-risk customers in each branch.”

Where appropriate and where the information is available, the risk assessment should also seek volumes (i.e. with respect to transaction data and SAR data). This will help to accurately reflect financial crime exposure.

Based on the responses in the inherent risk portion of the risk assessment, an inherent risk score is generated. It is typically along the “Low,” “Medium,” and “High” spectrum. There is no one-size-fits-all calculation of the inherent risk score, and some institutions will develop simple scoring while others will create complex weighting systems. The key is that your methodology is clearly explained and can be replicated when you update your risk assessment.

Control Effectiveness

Control effectiveness refers to the capacity of the specific processes and systems you have in place to mitigate each identified risk. As with inherent risk, granularity is important here. The control effectiveness portion of the risk assessment should be tailored, so that each relevant control is assessed against the corresponding risk, and impartial, so that controls are accurately represented in their effectiveness. For instance, if the control effectiveness topic is “Payment Alert Investigations” and the inherent risk is related to the processing of a sanctioned payment, you may want to consider: “Do the procedures covering alert handling address what documentation should be collected to support the investigation of sanctions screening payment alerts?”

As with inherent risk, you want to allow for as much impartiality as possible in assessing control effectiveness, and to rely on clear data when it is available (such as false positive rates, rates of false IDs that pass KYC, etc.).

It is important to have an understanding as to whether each control effectiveness topic has meaningfully addressed each inherent risk, both precisely and with a wider understanding of your overall control landscape. If you have multiple products or branches, you may want to be able to draw comparisons across your company. As with inherent risk, there is no one way to measure control effectiveness; the key is that your methodology is clear, objective and justifiable.

Residual Risk

Residual risk is the risk that remains once all your controls are in place. In other words, it is what you are left with after identifying inherent risk and applying your mitigating control effectiveness. It is unlikely that residual risk will be “Low” across the board, but that is normal and expected. Your residual risk score will help shape the broader financial crime risk appetite of your business. Knowing this risk level gives you the opportunity to consider issues such as whether your company is comfortable with a “Medium” residual sanctions risk when expanding into certain jurisdictions.
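As an added illustration of the inherent risk, control effectiveness and residual risk sequence described above (example code written for this post, not the authors’ or any institution’s methodology), here is one simple, replicable scoring model in Python. The category weights, scoring thresholds, control mitigation fractions and the two branches’ figures are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Numeric scale behind the Low/Medium/High spectrum used throughout.
LEVEL_SCORE = {"Low": 1.0, "Medium": 2.0, "High": 3.0}

# Fraction of inherent risk a control is assumed to mitigate at each
# effectiveness rating. Assumed values: part of this example's methodology.
CONTROL_MITIGATION = {"Weak": 0.10, "Adequate": 0.35, "Strong": 0.60}

# Relative weight of each inherent-risk category (assumed; must sum to 1).
DEFAULT_WEIGHTS = {"customers": 0.4, "geographies": 0.3, "product": 0.3}


@dataclass
class Branch:
    """Quantitative inputs gathered for one branch or product line."""
    name: str
    customers_total: int
    customers_high_risk: int          # a count, not a yes/no answer
    txn_volume_total: float
    txn_volume_high_risk_geos: float  # volume to/from high-risk jurisdictions
    sars_filed: int                   # SARs filed in the assessment period
    product_flags: Dict[str, bool]    # risky features, e.g. prepaid card for students


def band(score: float) -> str:
    """Map a score in [1, 3] back onto Low/Medium/High (assumed cut-offs)."""
    if score < 1.5:
        return "Low"
    if score < 2.5:
        return "Medium"
    return "High"


def rate(value: float, medium_at: float, high_at: float) -> float:
    """Score a measured ratio on the 1-3 scale using two thresholds."""
    if value >= high_at:
        return 3.0
    if value >= medium_at:
        return 2.0
    return 1.0


def inherent_risk(branch: Branch, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> Dict[str, float]:
    """Score the three inherent-risk categories from data and weight them together.

    Thresholds below are assumed for illustration; an institution would set and
    document its own so the scoring can be replicated at the next update.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1")
    high_risk_share = branch.customers_high_risk / branch.customers_total
    sars_per_1000 = branch.sars_filed / branch.customers_total * 1000
    customers = mean([rate(high_risk_share, 0.02, 0.05), rate(sars_per_1000, 1.0, 3.0)])
    geo_share = branch.txn_volume_high_risk_geos / branch.txn_volume_total
    geographies = rate(geo_share, 0.05, 0.15)
    # Product risk starts Low and rises one level per flagged feature, capped at High.
    product = min(3.0, 1.0 + sum(1 for flagged in branch.product_flags.values() if flagged))
    scores = {"customers": customers, "geographies": geographies, "product": product}
    scores["overall"] = sum(scores[c] * weights[c] for c in weights)
    return scores


def residual_risk(inherent_score: float, control_ratings: List[str]) -> float:
    """Residual = inherent risk reduced by the mean mitigation of the controls mapped to it."""
    if not control_ratings:
        return inherent_score  # no control in place: nothing is mitigated
    mitigation = mean([CONTROL_MITIGATION[r] for r in control_ratings])
    return inherent_score * (1.0 - mitigation)


def within_appetite(residual_band: str, appetite_band: str) -> bool:
    """True when the residual rating does not exceed the stated risk appetite."""
    return LEVEL_SCORE[residual_band] <= LEVEL_SCORE[appetite_band]


# Constructed sample data for two branches (not real figures).
EU_BRANCH = Branch("EU", 10_000, 300, 5_000_000.0, 250_000.0, 12,
                   {"prepaid_card_students": True, "direct_debit": False})
ASIA_BRANCH = Branch("Asia", 4_000, 320, 2_000_000.0, 400_000.0, 20,
                     {"prepaid_card_students": True, "direct_debit": True})

if __name__ == "__main__":
    for br in (EU_BRANCH, ASIA_BRANCH):
        inh = inherent_risk(br)
        # Controls mapped to the sanctions risk for this branch (assumed ratings).
        res = residual_risk(inh["overall"], ["Strong", "Adequate"])
        print(f"{br.name}: inherent {band(inh['overall'])} ({inh['overall']:.2f}), "
              f"residual sanctions risk {band(res)} ({res:.2f}), "
              f"within 'Medium' appetite: {within_appetite(band(res), 'Medium')}")
```

Because every threshold and weight is a named constant, the same inputs give the same rating at the next update, which is the replicability the methodology needs.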

Case Study

AFC risk assessments are designed to be complex and comprehensive, so it is not possible to provide an in-depth breakdown of an example here. However, even through the brief case study below, you can see why completing an AFC risk assessment provides a clear benefit to a FinTech:


A FinTech planning to offer individuals an app-based foreign exchange service, loaded through debit cards and bank transfers, decides to conduct an AFC risk assessment prior to going live with its pilot.

Risks and Vulnerabilities

The FinTech discovers a range of inherent risks to which it is exposed, with particularly alarming scores linked to potential sanctions evasion, attempted payments to sanctioned individuals or companies, financing acts of international terrorism through purported charitable donations, and money laundering connected to narcotics or human trafficking.

Managing Risks

The FinTech uses the inherent risk analysis to shape its controls in order to obtain an acceptable level of residual risk. The controls are designed to go beyond comprehensive monitoring and screening, robust KYC and adverse media checks. The company also limits the geographic scope of its product to non-sanctioned countries with lower levels of money laundering/terrorist financing risk, and designs its expansion plan so that geographic risk is added only incrementally. This increases confidence in the product, which allows it to be signed off by all relevant stakeholders.

Things to Remember

Here are a few key lessons to take away:

  1. AFC risk assessments are not “out of the box.” They should reflect the nature, size and scale of your business. If your business is just starting up, you can start with a simple risk assessment!

  2. AFC risk assessments should make sense. There is no need for over-complicating the questions or the scoring. You want to be able to communicate it easily across your company.

  3. AFC risk assessments evolve. While this is certainly true as it relates to your business growth, it is likewise true in relation to the evolving typologies that criminals try. If you learn about an emerging risk from a reliable source, consider adding it to your next risk assessment.

  4. AFC risk assessments do not result in perfect scores. You will never have zero risks. Rather, it is more important to be aware of the risk levels you do have and develop a comfortable risk appetite in response.

  5. AFC risk assessments are all about the details. Be sure the risk assessment is as useful to you as possible, keeping in mind all the ways it can add value beyond a simple regulatory requirement.

Help and Resources

If you have any other questions related to your AFC risk assessment or how to execute it, do not hesitate to reach out to FINTRAIL Solutions in the U.S. or FINTRAIL in the UK. If you are interested in further improving your risk assessment, here are a few key resources to consider:

  • The Wolfsberg FAQs on Risk Assessments: These Frequently Asked Questions are in-depth responses to common risk assessment inquiries. Remember, though, the risk assessment format and methodology that will work best for you will depend on your company’s unique characteristics (e.g., size, scale, and overall offering).

A Modern Curse - Fentanyl and FinCrime

Matthew Redhead & Krista Tongring (FINTRAIL Solutions)

As close partners of FINTRAIL Solutions are aware, we have been concerned about the impact of fentanyl - a powerful and highly addictive opioid used legally for the relief of extreme pain, but also produced and sold illegally - since early last year. The illegal use of the drug is at epidemic proportions in North America, and based on Canadian government warnings, we highlighted to clients and collaborators the potential financial crime risks that the burgeoning trade in the drug posed directly to FinTechs and their customers.

As professionals in risk management, it is easy to look at issues like fentanyl and treat them as technical problems alone: risks to be identified and mitigated. However, the fentanyl epidemic highlights the underlying human tragedies that often drive the financial crime we seek to tackle. Overdoses of illegal fentanyl are reported to have killed the singers Prince and Tom Petty,[1] while the US Centers for Disease Control and Prevention (CDC) reported in December 2018 that fentanyl is now one of the main drugs involved in overdose deaths across the US.[2]

This blog post is the first in a series which will look at the social causes and contexts of financial crime. The aim is to look at the problem in the round - its character, causes and impact - to help remind us why it is not only important to fight the financial crime the problem engenders, but also to consider the reality for people who are caught up in these illegal trades - the mules, the users and the small-time dealers, who, in truth, are victims too.


The Fentanyl Problem

Fentanyl is an opioid: a category of drug that suppresses feelings of pain in the brain, whilst also engendering states of relief and relaxation. In its legally manufactured form, it is usually prescribed for extreme, chronic pain, and is rated as being up to 100 times stronger than a sister opioid, morphine. Legitimate fentanyl is usually taken as a patch, lozenge or injection, but care has to be taken, as there is a very real risk of overdose and death.[3] Fentanyl can also be illegally sourced, either through the theft and diversion of legitimate supplies, or the purchase of synthetically produced illegal variations, usually coming as a white powder that can be ‘cooked’ and injected, snorted or ingested, either on its own, or in combination with other illegal drugs, especially cocaine and heroin.[4]

Even the legal variety of the drug is extremely dangerous, and is classified in the top category of most countries’ controlled substance schedules.[5] Indeed, the drug is so powerful that in August 2018 it was used in Nebraska to execute Carey Dean Moore by lethal injection,[6] and has allegedly been banned on some drug supplier websites on the darknet, according to a 2018 report by the UK paper The Guardian.[7]


The Market 

There is little doubt that the current epicentre of the fentanyl epidemic is North America. In the US, the drug has had a devastating effect; in a recently published report from December 2018, the US Centers for Disease Control and Prevention (CDC) stated that, as of 2016, fentanyl is now linked to 29 percent of all overdose deaths.[8] Overall, more US citizens were killed by all opioids - of which fentanyl is most prominent - than were killed by guns or car accidents.[9] This CDC chart of opioid related deaths in the US gives some indication of the dramatic rise of the problem, and fentanyl’s role within it.

Figure 1  - Synthetic Opioid Drug Poisoning Deaths, per 100,000 of US Population 2011-2016, (Source CDC) [10]

In Canada, the problem is equally significant. In June 2018, the Canadian authorities reported that over 4,000 Canadians had died from opioid overdoses in 2017, a new record, of which 72% were fentanyl or pseudo-fentanyl analogs.[11] Outside of North America, there has also been a reported rise in deaths by fentanyl in Australia,[12] New Zealand[13] and the UK[14] over recent years, although rates do not yet appear to have reached US levels. The EU Monitoring Centre for Drugs and Drug Addiction states on its website that fentanyl is a more marginal problem in the EU, affecting primarily Estonia, Germany, Belgium and Austria. However, EU statistics show that opioids as a class are becoming a greater problem in Ireland, France, Italy and Portugal.[15]


The Mechanics of the US Trade

The DEA and Department of Homeland Security (DHS) believe that the primary source of the illicit versions of the drug is China - one of the most popular terms for a range of fentanyl analogs is in fact ‘China White.’ Laboratories run by Chinese organised crime gangs produce high volumes of fentanyl, which are then marketed to other transnational traffickers, including the Mexican cartels, who move the drugs into North America. Fentanyl flows across the Pacific to Canada and Mexico via mail order services and smuggling, where it is often mixed with other drugs, and then smuggled into the US via the north eastern and south eastern borders.[16] The drug often comes in a powdered form, or disguised as the tablet forms of legal pharmaceuticals, such as oxycodone and hydrocodone.[17] 

Figure 2  – Fentanyl Routes into North America (Source DEA) [18]

The secondary source, and one of growing significance, is Mexico itself. In 2016, the DEA reported its suspicion that the Mexican cartels were ‘branching out’ into the production of fentanyl, using imported precursor chemicals from the US and China.[19] Over the last year this assessment has been confirmed by busts in Mexico, including one in December in the capital, that have revealed the existence of cartel-managed fentanyl labs.[20]


The mixture or ‘cutting’ of fentanyl with other drugs, such as cocaine or heroin, makes the combined hybrid drug even stronger and more addictive, and further helps us understand why its market is so sustainable. First, selling fentanyl keeps the costs of the traffickers and pushers down, because a small amount, though dangerous and potentially toxic, is relatively easy to produce and ship, yet has extreme potency. Second, the potency of the drug, especially when combined with other narcotics, means that users become quickly and highly dependent, ensuring that the suppliers have a captive market. Some of the strongest markets for fentanyl are in US states that already have high rates of opioid addiction. This is borne out by a DEA report indicating that many of the younger users of fentanyl turned to the drug once they could no longer obtain and/or afford illicit pharmaceutical opioids.[21]


The prospects of breaking this market in the short-term appear bleak. The problem has become so great that the US President, Donald Trump, has pressured his Chinese counterpart, Xi Jinping, to take action against the Asian end of the trade, most recently at the November/December 2018 G20 summit in Argentina. Although President Xi was supportive, it is likely to take some time before practical action occurs.[22] Moreover, recent Canadian requests to China for similar help have been less warmly met, largely because of ongoing disputes over the return of Chinese fugitives to Canada.[23] As long as the Canadian and Mexican gateways to the US remain open, the scourge of fentanyl in North America is likely to continue.


Fentanyl, FinCrime & FinTechs

What role then for FinTechs?

For the last five years, there has been media ‘hype’ about the roles that FinTech platforms might play in the purchase of illegal drugs. Payments providers have been put out of business because their platforms have allowed individuals to buy illegal items unimpeded. In 2013, for example, the US Department of Justice (DoJ) closed Liberty Reserve, a digital payment processor, for facilitating the sale of drugs and child pornography, while cryptocurrencies are of particular current concern. In June 2018 the US media reported a DoJ enforcement action named ‘Operation Dark Gold,’ to stop the darknet sales of drugs using Bitcoin and other cryptocurrencies. [24]

Our clients’ experience tends to be more prosaic than some of these more sensational media cases. As a recent FinTech FinCrime Exchange (FFE) survey of UK FinTechs demonstrated, most financial crime typologies experienced in the UK cryptocurrency sector were around varieties of customer fraud. Nonetheless, we still believe that FinTechs have a responsibility to take these issues seriously. There are potentially striking indicators that, in combination, should raise concern (see breakout box), and we would urge all FinTechs working in payments services, retail accounts, prepaid cards and crypto transmission and exchange providers to give them due attention in their financial crime investigations.


  • Unusual Chinese transactions: Customers buying items from China, especially where this does not fit with the customer transaction profile or nature of business, along with multiple unconnected payments to a single individual in China;

  • Unusual health products: Firms offering apparently pharmaceutical or health products who demonstrate other unusual indicators such as those listed here;

  • High use of currency exchanges: Multiple payments from global currency and cryptocurrency exchanges, usually in small amounts; and

  • Tags and nicknames: Payments including nicknames such as Apache, China Girl and China Town, or precursor references such as NPP or ANPP.


For more details, contact FINTRAIL Solutions at contact@fintrailsolutions.com


At the same time, the case of fentanyl drives home the need for FinTechs to take a longer-term view too about the types of business they are doing. As regular readers of the FINTRAIL and FINTRAIL Solutions blogs will know, we recommend some basic prevention methods that include active risk assessment and a defined risk appetite. We have found that it’s critical for FinTechs to take basic risk management seriously from the beginning - asking themselves questions about the vulnerabilities of their product and the risks that those open them up to. If you think your company is vulnerable, then take action. Get the basics right. Because it is in no one’s interest to facilitate the sale of a drug like fentanyl.


If you would like to know more about FINTRAIL Solutions and how we can help you and your business better manage financial crime risks, please contact us at contact@fintrailsolutions.com.


The Authors

Matthew Redhead is a financial crime risk and intelligence specialist, who has undertaken a range of senior operational, change management and leadership roles in financial services, consultancy and government. He works with FinTechs and challengers to build responsive and smart compliance frameworks that encourage innovation whilst minimising risk. 

Krista Tongring oversees a variety of compliance issues and investigations for clients including AML, trade compliance and anti-corruption matters. Previously, she had an accomplished career at the U.S. Department of Justice having most recently served as the Acting Section Chief at the Drug Enforcement Administration Office of Compliance. She led policy discussions and developed strategies to implement new and revised policies. She also worked to establish a more efficient policy review process. Ms. Tongring spent a significant portion of her career as a federal prosecutor where she investigated and prosecuted complex criminal matters, including racketeering, money laundering, abusive trust and other tax matters, international organized crime, criminal asset forfeiture, and violations of the Bank Secrecy Act. 

[1] https://www.rollingstone.com/music/music-features/musics-fentanyl-crisis-inside-the-drug-that-killed-prince-and-tom-petty-666019/

[2] https://www.cdc.gov/nchs/data/nvsr/nvsr67/nvsr67_09-508.pdf

[3] https://bnf.nice.org.uk/drug/fentanyl.html; https://adf.org.au/drug-facts/fentanyl/

[4] https://adf.org.au/drug-facts/fentanyl/

[5] https://www.dea.gov/drug-scheduling; https://napra.ca/nds/fentanyl; https://www.gov.uk/government/publications/controlled-drugs-list--2/list-of-most-commonly-encountered-drugs-currently-controlled-under-the-misuse-of-drugs-legislation

[6] https://www.independent.co.uk/news/world/americas/carey-dean-moore-fentanyl-capital-punishment-death-penalty-nebraska-execute-a8491671.html

[7] https://www.theguardian.com/society/2018/dec/01/dark-web-dealers-voluntary-ban-deadly-fentanyl

[8] https://www.cdc.gov/nchs/data/nvsr/nvsr67/nvsr67_09-508.pdf, p.1

[9] https://www.centeronaddiction.org/the-buzz-blog/we-asked-you-answered-did-guns-car-crashes-or-drug-overdoses-kill-more-people-2017

[10] https://www.cdc.gov/nchs/data/nvsr/nvsr67/nvsr67_09-508.pdf, p.4

[11] https://globalnews.ca/news/4282699/canada-opioid-death-statistics-2017/

[12] https://www.theguardian.com/science/2018/may/13/he-was-gone-fentanyl-and-the-opioid-deaths-destroying-australian-families

[13] https://www.newsroom.co.nz/2018/09/03/220753/drug-cartels-dealing-illicit-prescription-drugs-eye-new-zealand

[14] https://www.theguardian.com/society/2018/aug/06/fentanyl-drug-deaths-rise-nearly-third-england-wales

[15] http://www.emcdda.europa.eu/html.cfm/indexEN.html

[16] https://www.hsdl.org/?view&did=797265, p.70

[17] http://facethefentanyl.ca/?page_id=15

[18] U.S. Drug Enforcement Administration, “Counterfeit Prescription Pills Containing Fentanyls: A Global Threat,” July 2016, 3. https://www.dea.gov/docs/Counterfeit%20Prescription%20Pills.pdf.

[19] https://www.hsdl.org/?view&did=797265, p.65

[20] https://www.washingtonpost.com/world/the_americas/mexico-raids-lab-producing-fentanyl-in-capital/2018/12/12/fd21ee18-fe55-11e8-a17e-162b712e8fc2_story.html?noredirect=on&utm_term=.06db3fad0ad1

[21] https://www.dea.gov/sites/default/files/2018-10/PA%20Opioid%20Report%20Final%20FINAL.pdf, p.28

[22] https://edition.cnn.com/2018/12/01/politics/fentanyl-us-china-g20-talks/index.html

[23] https://globalnews.ca/news/4658188/fentanyl-china-canada-diplomatic-tensions/

[24] https://www.theverge.com/2018/6/27/17509444/dark-web-drug-market-money-laundering-hsi-dark-gold

Peril or Promise? Prospects in the US Cryptocurrency Sector

Cryptocurrencies and their underlying Blockchain software (‘crypto’) have come under increasing attention from agencies and regulators as sources of potential financial crime and regulatory risk in recent years, despite their potential to stimulate further innovation and growth in the economy. The US experience has been a leading example of this, with some federal level agencies seeking to combat money laundering, terrorist financing, sanctions evasion and fraud risks amongst those who use and promote crypto, whilst others seek to encourage its future development. 

Some US FinTechs fear that this paradoxical mix of support and attack will deter the growth of the sector. However, this paper is more optimistic. US firms involved in, or curious about, crypto can do much to mitigate the risks they face without facing sensational dangers. As a recent FinTech FinCrime Exchange (FFE) White Paper on the UK crypto sector indicated, financial crime risks in the crypto sector are actually much like those in fiat currencies, with similar typologies and patterns - especially in terms of customer fraud. We concluded therefore that a financial crime framework, based on a robust and bespoke risk assessment, is the most reliable way to tackle potential misuse whilst also demonstrating a compliant approach to the authorities. 


Fintechs to law enforcement: Let’s be partners, not adversaries

As the fintech industry continues to grow in the United States, so do the opportunities for criminals to exploit systems meant to foster innovation.

With that in mind, a trade group in the United Kingdom called the FinTech FinCrime Exchange has expanded here to promote collaboration between financial entrepreneurs and law enforcement officials. Their goal is to develop best practices in risk management that would minimize the use of financial technology to support illegal activities.

“When we heard what was going on in the U.K. and the Netherlands, we thought there was tremendous opportunity to really build on that in the U.S.” said Julie Myers Wood, the CEO of Guidepost Solutions and a co-founder of Fintrail Solutions.

Fintrail, a financial crime consultancy company, helped to create the trade group in 2017. The organization boasts 80-plus members in the U.K. and the Netherlands. The digital-only banks Monzo and Revolut and the payments software developer Stripe are some of the more recognizable companies participating in the group.

With U.S.-based fintechs facing the same challenges as their counterparts overseas, the exchange said it was natural to expand to America. It held a kickoff event Thursday in New York, which will serve as its U.S. central hub. Robert Evans, Fintrail’s CEO and co-founder, said the organization will create a chapter in San Francisco early next year, and then add outposts in emerging fintech hubs such as Chicago. The organization also wants to establish chapters throughout Asia and Europe.

“Over time, what we want to do is create a global network of fintech compliance professionals to fight financial crime,” he said.

(From l.) Daniel Burnstein, senior managing director, Guidepost; Angel M. Melendez, special agent in charge, Homeland Security Investigations at the U.S. Department of Homeland Security; Scott Rembrandt, acting deputy assistant secretary for strategic policy, Office of Terrorist Financing and Financial Crimes U.S. at the Department of the Treasury; and Julie Myers Wood, Guidepost Solutions CEO and Fintrail Solutions co-founder.

One pillar of the organization’s plan is to establish better lines of communication between fintechs and state and federal authorities.

Representatives from the U.S. Department of the Treasury and the U.S. Department of Homeland Security attended the event Thursday as the trade group hosted panel discussions focused on criminal threats to the U.S. fintech industry.

“It’s important to have that trust and collaboration between regulators and startups,” Angel Melendez, special agent in charge of Homeland Security Investigations at the U.S. Department of Homeland Security, said during a panel discussion.

“We’re really out there to find the worst of the worst. We’re not here to disrupt the financial sector. We’re here to protect it,” he said.

Some government officials still have misconceptions about how fintechs operate, Wood said before the event. She mentioned Silk Road, the now defunct online black market where bitcoin was used to purchase illegal drugs and firearms. Its notoriety has led to heightened scrutiny of cryptocurrency related fintechs, she said.

“I think for some law enforcement, that’s what stuck in their head,” Wood said about Silk Road. “Part of our job is to convince regulators to look beyond that.”

On the other side, Wood said fintechs need to understand how law enforcement authorities think about their businesses. “What am I going to do so that I don’t run into a roadblock that causes my business to shut down?” she said.

When Wood asked Melendez which areas Homeland Security monitors, he said the department “looks at every crime under the sun.” However, Melendez identified three areas Homeland Security is especially interested in: child exploitation, human trafficking and the opioid epidemic.

Some of that activity is happening in New York. Criminals have used cryptocurrencies to exchange funds related to such crimes there, Melendez said.

“Those are the most nefarious of the crimes,” Melendez said. “Hopefully, this does stir something in your stomach. Innovation is important, but you have to be responsible with your innovation.”

Daniel Burstein, senior managing director for Guidepost, said the compliance officer at a fintech company needs to act as an extension of law enforcement. “As a compliance officer, you’re in a law enforcement role,” he said. “You should consider yourself everyday as a partner of law enforcement.”

Burstein added that while no company will stop bad actors “100% of the time,” the appropriate compliance controls need to be in place to ensure any platform is safe and being used for the right reasons.

“If you want to know what keeps me up at night, it’s exactly these things,” he said.

Originally published here:


PayThink The digital payment crime threat portends a fintech/regtech alliance

Digital payments remain vulnerable to abuse by financial criminals seeking to make fast payments and undetected payments through the financial system.

There are multiple ways in which digital payments can be used by those laundering money, committing fraud, or financing terrorism. What are some of the risks fintechs should be thinking about, and what are the ways to mitigate them?

Because financial crime risks, properly mitigated, are in fact business opportunities, fintechs that take this seriously can give themselves a competitive advantage over those that have not done so.


Here are some notable examples and typologies we have come across in our own work and research:

Transaction laundering. In transaction laundering, criminals set up an internet store that purports to sell legitimate goods but is in fact laundering funds or selling illicit goods. These fake stores are onboarded by unsuspecting merchant processor systems, which process the transactions in good faith. Recent research by EverCompliant, a cyberintelligence firm, suggests that transaction laundering for the online sales of products and services in the U.S. for all financial services (of which fintech is only a part) reaches over an estimated $200 billion a year, with $6 billion going on illicit goods.

Buyer/seller collusion. As these figures suggest, there is often no underlying trade taking place. In these instances, there is likely to be collusion between the “buyers” and “sellers.”

Authorised push payment fraud. This crime occurs when fraudsters mislead consumers or businesses, through false documentation or manipulation using social-engineering techniques, into sending a digital payment to an account that appears to be legitimate but is in fact controlled by the fraudster.

Synthetic identity fraud. In “traditional” identity fraud, the criminal steals the credentials of a real individual. In synthetic identity fraud, the criminal starts with some authentic stolen credentials. In the United States, these are often Social Security numbers, especially those of economically “dormant” individuals such as children and the elderly, which are then combined with fabricated information on addresses, age, etc., to create a new identity. According to research published in May, synthetic identity fraud resulted in $820 million in credit card losses in 2017, up from $580 million in 2015, with further rises expected in the future.

Terrorist financing. Terrorism experts have suggested for some time that online stores could be used as fronts by terrorist groups, and the March 2018 conviction of a U.S. citizen, Mohamed Elshinawy, has provided an example of this. Elshinawy, a self-professed member of the Islamic State, was believed to have received more than $8,000 from Islamic State facilitators via PayPal, ostensibly for sales of printers through his eBay account. The funds were intended to support operations in the United States, including possible attacks.

These kinds of crimes raise two key financial crime risks for fintechs in the digital payments sector: genuinely knowing your customer (KYC) and identifying unusual patterns in transactions.

Regulatory technology, or regtech, is an important means of addressing these issues. There is an increasing range and variety of sophisticated online/virtual document verification firms that can test document validity through a range of techniques, from visual analysis to verifying against publicly available information and "scraping" from social media. Other firms have focused on the second problem, developing transaction monitoring tools, some using machine learning, to seek to identify unusual patterns of transactions.

However, before turning to technology, any firm working in the fintech sector should undertake a customer risk assessment during onboarding. Such an assessment should use factors that are relevant to the customer type and business model, to ensure it assesses credible indicators of risk. An assessment also provides an invaluable future benchmark for whether account and client conduct can be considered "normal," and should be regularly refreshed as the relationship continues.

Moreover, fintech employees themselves need to understand what financial crime might look like "in the moment." Even if regtech tools can identify potential “alerts,” these need to be investigated internally before possibly filing a suspicious activity report. When it comes to customer due diligence and KYC, simple in-house investigatory measures can often help. For example, a Google search of the client’s payment details or static information, such as an address, might reveal that the same details also appear on other sites for other, completely unrelated and possibly questionable businesses.

In terms of transactions, there are common red flags that digital payments fintechs should be aware of, including:

Turnover mismatch. At the opening of an account, it is common to ask the client what kind of turnover is likely in the account. Substantial differences from the expected pattern of use are worthy of investigation.

Payments incommensurate with business. Accounts might receive funds that do not appear realistic in light of the goods supposedly being traded. For instance, an online bookstore is likely to receive payments well below the $100 mark, and anything above that level would be anomalous.

Possible payment “structuring.” Accounts might receive a large amount of similar-sized funds, possibly in, or close to, round figures. This might be indicative of the "structured" payments of illicit funds in smaller batches, to avoid suspicion.

High/low velocity of payments. Short periods of high-velocity payments, or alternatively long periods of account dormancy, or alternating periods of both, are potentially indicative of an account not being used for the trading of goods, which would be likely to show a more random pattern.

Frequent cross-border transactions. Numerous cross-border payments from different jurisdictions might also be of concern, especially when those jurisdictions, such as known tax havens, might be considered higher risk from a financial-crime perspective.

None of these individual indicators should be sufficient on its own to show an elevated risk. However, in increasing combination, they should be of concern to any digital payment provider. The key question that needs to be asked is whether this makes sense, and if it does not, act accordingly. Combining this information with that gathered at onboarding and during the life cycle of the customer is key to establishing what is normal and to sifting the potentially unusual from the downright suspicious.
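To make the five red flags above concrete as detection logic, here is an added example (not FINTRAIL's code, and not a description of any particular vendor's monitoring tool) that screens one month of constructed transactions for an account against the turnover declared at onboarding. The account, the transactions, the high-risk jurisdiction codes "XX" and "YY", and every threshold (the 3x turnover tolerance, the 25% share of oversized tickets, the cluster of five near-round amounts, the ten-per-day burst, the 30-day dormancy gap) are constructed assumptions for illustration; a firm would tune them per customer segment from its own risk assessment. As the text says, no single rule is conclusive, so the rating depends on how many rules fire together.

```python
"""Rule-based red-flag screening of account transactions (added example).

All data, jurisdiction codes and thresholds below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    account_id: str
    declared_business: str
    expected_monthly_turnover: float  # stated by the client at onboarding
    typical_ticket_max: float         # plausible upper bound for one sale
    home_country: str


@dataclass
class Txn:
    day: date
    amount: float
    payer_country: str


# Constructed placeholder; a real list comes from the firm's own risk assessment.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}


def turnover_mismatch(acct, txns, tolerance=3.0):
    """Actual monthly turnover far above or far below what the client declared."""
    actual = sum(t.amount for t in txns)
    expected = acct.expected_monthly_turnover
    return actual > expected * tolerance or actual < expected / tolerance


def payments_incommensurate(acct, txns, share=0.25):
    """Too large a share of payments exceeds what the stated business would bill."""
    big = sum(1 for t in txns if t.amount > acct.typical_ticket_max)
    return len(txns) > 0 and big / len(txns) > share


def round_figure(amount, step=100):
    return round(amount / step) * step


def near_round(amount, step=100, tol=0.03):
    """True if the amount sits within 3% of a multiple of `step`."""
    nearest = round_figure(amount, step)
    return nearest > 0 and abs(amount - nearest) <= nearest * tol


def possible_structuring(txns, min_cluster=5):
    """Many similar-sized, near-round payments: funds split into batches."""
    buckets = Counter(round_figure(t.amount) for t in txns if near_round(t.amount))
    return any(n >= min_cluster for n in buckets.values())


def velocity_anomaly(txns, burst=10, dormant_days=30):
    """A burst of payments on one day, or a long dormant gap between active days."""
    per_day = Counter(t.day for t in txns)
    if any(n >= burst for n in per_day.values()):
        return True
    days = sorted(per_day)
    return any((b - a).days >= dormant_days for a, b in zip(days, days[1:]))


def cross_border_concern(acct, txns, min_foreign=3):
    """Payments from several foreign jurisdictions, or from any high-risk one."""
    foreign = {t.payer_country for t in txns if t.payer_country != acct.home_country}
    return len(foreign) >= min_foreign or bool(foreign & HIGH_RISK_JURISDICTIONS)


def screen(acct, txns):
    """Run every rule and rate the account by how many fire in combination."""
    flags = {
        "turnover_mismatch": turnover_mismatch(acct, txns),
        "payments_incommensurate": payments_incommensurate(acct, txns),
        "possible_structuring": possible_structuring(txns),
        "velocity_anomaly": velocity_anomaly(txns),
        "cross_border_concern": cross_border_concern(acct, txns),
    }
    hits = sum(flags.values())
    rating = "normal" if hits <= 1 else "review" if hits == 2 else "escalate"
    return flags, rating


def constructed_sample():
    """A constructed online bookstore: one normal month and one suspicious month."""
    acct = Account("ACC-0001", "online bookstore", 1500.0, 100.0, "GB")
    start = date(2018, 3, 1)
    small = [12.99, 24.50, 8.75, 45.00, 19.99]
    normal = [Txn(start + timedelta(days=i), small[i % 5], "IE" if i == 17 else "GB")
              for i in range(30)]
    amounts = [980, 1000, 1010, 990, 1000, 1020, 1000, 995]
    countries = ["GB", "GB", "XX", "DE", "GB", "XX", "FR", "GB"]
    suspicious = [Txn(start + timedelta(days=i), float(a), c)
                  for i, (a, c) in enumerate(zip(amounts, countries))]
    return acct, normal, suspicious


def constructed_burst_sample():
    """One quiet payment, then 12 payments on a single day 40 days later."""
    start = date(2018, 3, 1)
    return [Txn(start, 20.0, "GB")] + [Txn(start + timedelta(days=40), 15.0, "GB")] * 12


if __name__ == "__main__":
    acct, normal, suspicious = constructed_sample()
    for label, txns in (("normal month", normal), ("suspicious month", suspicious)):
        flags, rating = screen(acct, txns)
        print(label, rating, [k for k, v in flags.items() if v])
```

The suspicious month trips four of the five rules (eight near-round payments of about $1,000 into a bookstore, well above its declared turnover, from three foreign jurisdictions including a high-risk one) and is rated "escalate", while the normal month trips none. The rating itself is only a prompt for a human investigator to ask the question the text poses: does this make sense?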

Regulators Are Catching Up With The Crypto Boom

As published in Forbes, September 27, 2018. Authored by Julie Myers Wood.

Say goodbye to the under-regulated era of cryptocurrency. While crypto trading on the more mainstream exchanges is fueling the market, it’s also bringing greater scrutiny from regulators, as shown by the recent report by the New York State Attorney General’s office (OAG) on crypto exchange abuse, the Financial Action Task Force (FATF) announcements about upcoming crypto standards, and warnings to investors. And as guidance emerges and enforcement actions increase, crypto exchanges will, slowly but surely, start to look a lot more like other regulated financial markets. Just last month, the Financial Crimes Enforcement Network (FinCEN) announced that it now receives over 1,500 suspicious activity reports (SARs) on crypto a month.

In the early years, crypto-trading occurred through a fragmented network of exchanges around the world, largely between anonymous parties. But it was the 2016-17 boom in Bitcoin, Ethereum, and Litecoin that really brought crypto trading to the attention of regulators.

As it stands, the current shifting regulatory landscape for cryptocurrencies in the U.S. is still very confusing. State and federal regulators are struggling to keep pace with the innovations in cryptocurrencies and the speed with which trading has taken off.

An administrator or exchanger of cryptocurrency is a money services business (MSB). MSBs are considered financial institutions under the Bank Secrecy Act. This, in turn, means that they fall under FinCEN’s oversight. The Securities and Exchange Commission (SEC) considers some cryptocurrencies and Initial Coin Offerings (ICOs) as securities, and therefore subject to securities regulations. The U.S. Commodity Futures Trading Commission also views virtual currencies as commodities. At the same time, the Financial Industry Regulatory Authority (FINRA) just recently filed its first enforcement action against an individual for marketing an unregistered cryptocurrency security. And those are just the federal agencies—the New York State Department of Financial Services (DFS), by way of example, regulates virtual currency activities through its BitLicenses and trust company charters. If that all sounds complicated, that’s because it is.

Shifting regulatory landscape

So, how should crypto exchanges navigate such a complex and shifting regulatory landscape?

Global crypto exchanges must develop and implement robust compliance programs covering a wide range of topics.  And yet, for just about any crypto exchange overseeing billions in assets, maintaining exhaustive compliance programs is both time-consuming and expensive.  Risk-based choices that must be made can be chancy in the absence of clear guidance and without a long history of regulatory interpretations and legal precedent.

Nonetheless, certain basic actions are clear. This begins with creating and implementing basic Know-Your-Customer requirements. But exchanges also need to implement robust anti-money laundering (AML), fraud prevention, and sanctions screening controls. Crypto exchanges whose compliance programs fail to meet regulators’ expectations will face the risk of costly enforcement actions. Just last year, FinCEN announced a significant fine against the BTC-e exchange and the owner of BTC-e for violating AML laws, while the U.S. Department of Justice later filed criminal charges against BTC-e’s owner.

In developing their financial crime program, exchanges should think creatively about how to effectively incorporate tools into compliance and operations. As business grows and the volume of transactions increases, it will be increasingly difficult to keep up with alerts relating to customer transactions and to perform sufficient checks when onboarding new customers and monitoring existing customers.

Another key area that must be a focus is market manipulation. Exchanges must create and implement a robust policy and corresponding framework designed to combat market manipulation. Market manipulation can take many forms, including trader and bot activity to artificially inflate prices (as indicated by price momentum and volume), and failures by some trade engines to properly control the placement of matching orders opposite buy/sell orders.

Cybersecurity is also an ongoing and ever-changing challenge, in which failures can take a heavy toll. Just take a look at Mt. Gox, which now faces claims of over $1 billion in lost cryptocurrency, after its own bankruptcy. Crypto exchanges are still a high priority target for hackers. Hackers put a premium on personally identifiable information (PII), such as social security numbers, making the safeguarding of customer and transactional data pivotal. Assembling a cybersecurity team is an important factor in keeping your exchange compliant. In addition to mitigating risk, a robust cybersecurity program may even be required by relevant regulations depending on where the exchange operates. The NYS DFS has issued specific cybersecurity requirements for all entities it regulates—some of those requirements include risk assessments, designating a chief information security officer (CISO), and incident management plans.

Where we go from here

It can seem like government regulations move at a snail’s pace compared to the speed of innovation in cryptocurrencies. While regulators continue to work through existing and future regulations, and we await new global FATF standards, exchanges can consider participating in a self-regulatory organization (SRO), such as the newly formed Virtual Commodity Association. There are many unanswered questions as exchanges grow, and the potential of SROs to help address issues and provide guidance is significant. We have one such example already—in June of this year, the CFTC announced that it is simplifying certain obligations imposed on an SRO when carrying out a financial surveillance program for futures commission merchants.

To grow business and be competitive, exchanges will have to put in place compliance programs that are not only compliant with applicable regulations but will also protect them from financial crimes that can cause irreparable reputational damage.  These compliance programs must be reliable and flexible, and constantly updated to meet the evolving requirements by federal agencies. Using robust, sophisticated tools that can automate transaction monitoring, customer screening, and certain facets of onboarding and transactions, along with setting up appropriate interfacing, will allow exchanges to devote appropriate compliance personnel and resources to the riskiest facets of the exchange and its customers.  Such programs will go a long way in reassuring both regulators and verified investors that crypto trading is a legitimate financial market and that their under-regulated days are in fact a thing of the past.

Geopolitics and Cryptocurrency

Cryptocurrencies have been a controversial topic in the FinTech space and wider financial sector in recent years.  Despite a reputation for higher financial crime risk, their increased popularity makes them difficult to ignore and financial institutions are looking for compliant ways to engage.  With evidence to suggest that sanctioned governments are using cryptocurrencies, a robust and responsive risk approach is necessary.

Korean Cryptocurrency

The divisions between north and south are complex, but at first glance it would seem South Korea leads when it comes to the FinTech sector, and more specifically cryptocurrency trading.  Along with Japan, they are regional leaders and South Korea is home to some of the world’s largest crypto-exchanges, including Bithumb and Upbit, with a disproportionate volume of trade passing through its markets.

In recent months there has appeared to be the potential for a thawing of international relations for North Korea, which has been under UN sanctions since 2006, and US sanctions from as far back as 1950. In recent weeks there have been renewed calls from Kim Jong Un’s regime for an end to US sanctions, following the North Korea-US summit in June, where Donald Trump suggested an agreement could be reached. But with the latest UN reports suggesting the Kim regime is continuing to build its nuclear military capability, a lifting of sanctions is unlikely to happen soon. This makes any North Korean involvement in the relatively borderless market of cryptocurrency trading a cause for concern.

As sanctions persist, the decentralized, interconnected and potentially anonymous nature of cryptocurrencies offers a portal into the international economy. It is a way to circumvent economic restrictions that hold the country in poverty, and to continue to fund the country’s nuclear programme, which is estimated to cost 30% of the country’s GDP. Despite the hardship of ordinary people, Kim is himself worth an estimated $5 billion. This is unsurprising, as North Korea is among the most corrupt countries in the world, currently ranked 171 out of 180. Much of Kim’s wealth is rumoured to be held overseas, making the illicit movement of funds a high priority and the under-regulated alternative of crypto trading very attractive. The difficulty of tracing the source of virtual funds, especially when trading involves privacy coins that anonymise the seller and buyer, is compounded when digital assets are exchanged for legal tender. The dollars, euros or pounds can be entirely without trace of their suspicious origins.

The regime has also allegedly turned its hand to simple theft of cryptocurrencies.  Utilising established cyber capabilities, witnessed in such devastating international cyber attacks as 2017’s WannaCry ransomware attack, North Korea is the main suspect behind at least three successful hacking attempts of cryptocurrency exchanges within the past year. This includes the security breach of the Japanese exchange Coincheck in January, where an equivalent of $530 million worth of coins and tokens was stolen. It is uncertain how much of this reached North Korea, although some estimate the regime was in possession of $200 million worth of Bitcoin and other cryptocurrencies as of March 2018.

Russia’s Crypto Measures

Along with ongoing talk of a national Russian cryptocurrency, the CryptoRuble, that could potentially evade sanctions, another example of the growing interplay between state-sponsored financial crime and digital assets can be seen in Russia’s alleged meddling in the 2016 US election.  Last month, as part of the ongoing Special Investigation led by Robert Mueller into Russian active measures to influence the outcome of the election, 12 Russian nationals were indicted for hacking email accounts affiliated with Hillary Clinton, using cryptocurrencies in an attempt to cover their tracks.  

The perceived anonymity of cryptocurrencies made them the means of choice for facilitating this cross-border criminality.  However, in this case, they were in fact the means by which the criminals were identified. In the indictment, conspirators were identified using the same pool of bitcoin funds to purchase infrastructure that was used for the hacking, such as a virtual private network (VPN).  They also raised funds through bitcoin mining.

It also detailed how they obscured the origin of bitcoin they received:

‘this included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.  They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.’

As the indictment shows, attention to the mechanisms of virtual currency trading is increasingly relevant to the crime itself. They laundered ‘the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies’. The growing awareness and recognition of the intricacies of the crypto market by authorities means the same will be expected of financial institutions. It was noted that the 12 Russians used a mix of currencies, including US dollars, so the border between fiat and cryptocurrencies needs to be understood: an institution that believes itself to deal only in one or the other is likely exposed to both.

Practical Steps for FinTechs

With over 1,500 cryptocurrencies currently in circulation, a first step for a FinTech engaging with cryptocurrencies is to be aware of the relative risk of different cryptocurrencies, with the highest risk being privacy coins and, of course, coins created by sanctioned entities, such as the Petro coin issued by Venezuela.

Weak KYC and verification processes when signing up for an account with a crypto-exchange are an important factor. Weak KYC can be deliberately aimed at encouraging wider adoption, with minimal identification required, often with an ideological basis of preserving the anonymised freedom of the virtual realm.

Geography is central to assessing financial crime risk.  While the majority of exchanges have some restrictions in place for the jurisdictions they serve, usually in line with international sanctions, others such as Russian crypto-exchange Simex will allow a North Korean citizen to sign up for an account.

The regulatory status of a crypto-exchange is a particularly fast-evolving risk factor. There is a global move towards both self-regulatory organisations and the establishment of regulatory authorities. However, it is evident that exchanges with lower levels of regulation often have more users and more coins on offer. This lack of oversight makes these platforms more vulnerable to financial crimes like money laundering, terrorist financing and, yes, sanctions evasion.


While cryptocurrency trading continues to shift and adapt to geopolitical trends, FinTechs are excellently placed to respond to changes as they emerge. A comprehensive understanding of the unique financial crime risks surrounding cryptocurrencies and how this is situated in its political landscape will allow firms to assess both the individual customer and their virtual funds in their full context.  Cryptocurrency trading is one weapon in the cyber arsenal of hostile states such as North Korea and this dimension of risk from sanctioned entities should be included by any FinTech looking to deal with crypto funds. As seen in the case of Russian active measures, proper controls can go far in tracing criminal use of cryptocurrencies, and - with the accuracy and permanence of digital transaction data - perhaps even more so than traditional currencies.


Unravelling The Complexity Of Multi-Jurisdictional KYC

Scaling up is a natural part of any FinTech’s journey. This typically involves the exciting opportunity of offering your product or services in new jurisdictions overseas. However, this growth comes with significant regulatory and practical know your customer (‘KYC’) complexity that may expose you to regulatory risk.

Here are some factors to consider when adjusting your onboarding policies and procedures to support customers from new jurisdictions:

Onboarding Portal

You may think setting up in a new country just means copying and pasting your current onboarding portal into another language. Unfortunately, it’s not that simple. Some countries may have different legal entity types or have entity types that do not translate directly. There are also different types of identification numbers in some countries that are given to sole traders and businesses, so make sure to request the correct number. Be careful to ensure your initial KYC questions are clear in all languages on your websites and apps to prevent customer confusion.


UK Joint Money Laundering Steering Group (‘JMLSG’) guidance recommends asking for an individual’s name, date of birth and address. But be aware, some countries require more information! In half of the countries we’ve looked at, national identification numbers, like social security numbers, were required. Place of birth and nationality were other common identification asks in other countries. This could require several operational changes, from rewriting some of your procedures to redoing parts of your onboarding portal.

Verification of Companies

In the UK, many FinTechs will verify the identities of legal entities against Companies House. However, there is no registry for sole traders. In other countries, it is important to check if there is a register for sole traders that should be used for verifying identities as part of KYC, as around two-thirds of the countries we’ve looked at had some searchable registry of sole traders. Furthermore, other countries’ corporate registries may not be as easy to navigate as Companies House, requiring you to purchase certain documents or existing as one of multiple company registries. Third party providers should be checked to ensure they are accessing data directly from your jurisdictions’ registries. Understanding verification options for companies and sole traders is important for simplifying your operations.


In the UK, primary government-issued photo ID includes a passport, identity card, driving licence, biometric residence permit or firearms licence. However, in several countries, a driver’s licence is not actually considered a primary form of photo ID for compliance purposes. For secondary documentation, while a document from a bank or utility provider may be acceptable in the UK, this is not always the case in other jurisdictions.

Beneficial Ownership

While the 4th MLD made it a requirement for countries to have a publicly-accessible beneficial ownership registry, this is still slowly being implemented in some countries. Of the EU/EEA countries we’ve checked, a UBO register was only available a little more than half of the time. Many countries outside of the EU have shown very little progress on the issue of a publicly-accessible registry of beneficial owners. Not being able to refer to a public registry of beneficial owners may add unforeseen operational costs and considerations that should be taken into account to ensure a smooth rollout.


JMLSG clearly outlines requirements for identifying a legal entity’s directors and senior management when commencing a business relationship. However, the vast majority of countries we’ve checked do not have explicit policies around the identification of directors. Some may include directors in their definition of beneficial owners, however. This ambiguity could mean you have to rethink your AML/CTF standard operating procedure on whom to identify.


When information is not easily available to verify through eKYC or checks against a registry, you may need to request certified documentation. Be sure to know the professional bodies of accountants and solicitors in each jurisdiction you operate in, so that you can check the status of whoever has certified your customer’s documents. This will help you avoid any operational hiccups down the line.

Expanding your business into new countries or regions is really exciting, but is not a simple or risk-free process. The amount of nuance and complexity involved in each jurisdiction highlights the need for assessing the financial crime and compliance risks posed in each jurisdiction where you plan to operate. Not only is it important to check for regulatory differences that may create operational challenges in different countries, but also to check areas for higher corruption, identity fraud, money laundering and terrorist financing risks in order to determine whether you need to rethink any parts of your KYC policy.

If you ever have any questions on or need any assistance with managing the financial crime regulatory landscape of a new country or jurisdiction, don’t hesitate to get in touch for more information.

Managing A Financial Crime Or Regulatory Crisis

Dealing with a financial crime crisis - whether that be a backlog of suspicious reporting that has built up, facing de-risking by a partner or finding out that a sanctions process has been working ineffectively - can be an especially stressful time for clients, particularly if the issues could lead to regulatory intervention, potential losses or the restriction of banking or payments facilities.

This is not to mention the obvious and negative impacts that such a crisis can have on customer trust and the potential reputational impact; in many cases, it can be a matter of survival for the business and brand, where trust is hard won but so easily lost.

So, we wanted to share some insight on how our team approaches these tasks to help readers be better prepared and have a head-start if you find yourself in the position of crisis managing a response to financial crime issues.

  • Understand the nature of the problem. This sounds like an obvious place to start but it is absolutely critical to everything that follows. If you do not genuinely understand the root cause of the issue you are facing, it makes it very difficult to put in place a response that is effective and proportionate. So for example, if you are dealing with a significant up-tick in fraud or failings in AML or sanctions controls, you need to efficiently and effectively understand the nature of the problem so you can identify the core contributing factors and develop a proportionate response.

  • Develop a considered plan of action. Once you have identified the root cause/s of an issue, you need to ensure that you develop a response plan that is action focused and targeted on addressing those specific items as well as factoring in any linked or dependency tasks. For example, it is pointless implementing a new tool or process unless you train those involved in using the tool, otherwise you may just make things worse by increasing operational risk. It is worth bearing in mind that you must be able to demonstrate to your stakeholders that tangible action has been undertaken.  

  • Mobilise effectively. This covers not only how you engage the services of and mobilise external parties but also those internal stakeholders or your support network. This is a careful balancing-act against the needs of normal daily business. Depending on the nature of the issue, segregating resources to focus on the crisis can be most effective. Our view of mobilisation is making sure all those involved very clearly understand the issues at hand and are aligned to the common goal of solving the problem, and that those involved have the commensurate level of accountability and authorisation from senior management. This is no time for egos or political wranglings.

  • Ensure transparency. We often get asked ‘what should we say to our bank partner’ or similar. Our advice is always the same and that is you should be transparent. In a crisis scenario, you are aiming to maintain the trust you have built with all your stakeholders and transparency and openness are key values underpinning trust. We can confidently tell you from experience that one of the fastest ways to make a difficult situation even worse is by developing an opaque strategy with your partners - when they find out, trust goes out of the window, making the situation far worse. Instead, communicating the issue, along with regular situation reports and plans for resolution will really help to continue the trust you’ve worked so hard to earn.

  • Accurate and effective communication. This needs to focus on communication within the team but also the flow of information to wider internal and external stakeholders. In our view there is a big difference between communicating and communicating effectively. We define effective communication as ensuring the content is received, understood and a behaviour influenced, i.e. action is taken. Accuracy in communication and information is important in a crisis scenario and at times is an area that can suffer from the impact of stress. There are times when a 70% solution on time is going to be better than 90% that is late, but accuracy becomes really important when you start to communicate with stakeholders, especially those externally. Accurate and simple communication (underpinned by high quality and accurate information) creates a sense of confidence that the situation is in hand and under control.

  • Continuous Evaluation. Once you have expended effort developing a response to the issue or crisis and have started to execute, it is vital to constantly evaluate progress and impact. Has anything changed? If it has, what are you going to do about it, how and when? The re-evaluation should be ongoing but it is also a critical process once you get to a point you have achieved your objectives and exited the crisis management situation. A wash-up and/or de-brief is a vital activity as it captures lessons learned and facilitates organisational learning.

The FINTRAIL team has developed deep expertise supporting international banks, FinTech, payments and regulated sectors in response to financial crime or regulatory crisis scenarios, drawing on our capabilities across financial intelligence & investigations, compliance advisory, technology, legal and communications. Our multidisciplinary response team can mobilise rapidly in support of a client crisis, providing executive level guidance and peace-of-mind while also delivering operational impact, all backed up by a support network and follow-on technical capacity as required.


Cryptocurrencies: Getting Serious About Financial Crime Risk Management

Key Points

1. Global policymakers have set their sights on cryptocurrencies, signalling that tackling the related financial crime risks is a major security priority

2. With the adoption of the Fifth Money Laundering Directive (5AMLD), cryptocurrency exchanges and wallet providers across the EU will soon face direct regulatory scrutiny and must ensure that they have appropriate financial crime risk management frameworks in place

3. In countries such as the US, where crypto-related AML/CTF regulation has already been in place for some time, regulators have indicated that they will intensify scrutiny of crypto businesses

4. Banks and other financial institutions are also facing pressure from regulators to manage their exposure to cryptocurrencies and related risks

5. The foundations for implementing a successful risk-based approach to cryptocurrencies rest on several pillars: conducting thorough risk assessments; defining risk appetite; cultivating staff competency and subject matter expertise; developing robust governance arrangements; developing, deploying and testing bespoke tools; and collaborating with industry peers

6. In this briefing, FINTRAIL explores how companies can successfully manage cryptocurrencies’ unique financial crime risks in an innovation-friendly manner


The EU’s adoption of the Fifth Money Laundering Directive (5AMLD) in July 2018 marks an important moment for cryptocurrency businesses across Europe. By January 2020, EU member states must bring crypto exchanges and custodial wallet providers within the scope of their anti-money laundering and countering the financing of terrorism (AML/CFT) regulation. 

The so-called ‘Wild West’ environment for crypto businesses is coming to an end.

5AMLD will put the EU’s crypto industry on par with peers in the US, where the Financial Crimes Enforcement Network (FinCEN) clarified in 2013 that crypto exchanges are subject to AML/CFT regulation. Many in the EU’s crypto industry have attempted to get ahead of the curve.

Even prior to 5AMLD’s adoption, some crypto businesses across the EU had implemented AML/CFT policies and procedures, demonstrating their intention to be responsible actors. Europol has noted that, even absent formal regulation to date, many crypto exchanges across the EU ‘aim to comply with AML requirements regarding customer due diligence and transaction monitoring . . . [and] many have shown themselves to be willing and capable of supporting [law enforcement] investigations.’

5AMLD nonetheless marks a turning point. EU crypto exchanges and wallet providers can’t merely be compliant on paper or on a voluntary basis any longer. They will soon be expected to demonstrate to regulators that they are actively managing their financial crime risks in a proportionate and effective manner. Failure to meet regulators’ expectations could mean fines or other penalties.

In countries where crypto-related regulations are already in place, such as the US, signs point to a climate of intensifying regulatory scrutiny. In March of 2018, FinCEN issued guidance stating that the exchange of Initial Coin Offerings (ICOs) falls within its remit. In April 2018, New York’s Attorney General’s Office launched an inquiry into the accountability and transparency of crypto exchanges, requesting that thirteen major crypto exchanges disclose information about the nature of their compliance frameworks, including their AML/CFT programmes.

‘Treasury’s FinCEN team and our law enforcement partners will work with foreign counterparts across the globe to appropriately oversee virtual currency exchangers and administrators who attempt to subvert U.S. law and avoid complying with U.S. AML safeguards.’1

- Acting FinCEN Director Jamal El-Hindi, July 2017 

It’s not only crypto exchanges that are coming under the microscope. Regulators are putting increasing pressure on all financial institutions to manage cryptocurrency risks. In June 2018, the UK’s Financial Conduct Authority (FCA) published a letter to firms in which it set out its expectation that banks and other financial institutions should evaluate and manage the crypto-related financial crime risks they face. 

Beyond the US and Europe, from Canada to Japan to Australia and beyond, regulators are taking a closer look at the nature of cryptocurrency risks and how the financial sector is managing them. The Financial Action Task Force (FATF) is currently reviewing the applicability of global AML/CFT standards to cryptocurrencies, demonstrating the renewed will of global policymakers to tackle the perceived risks. 

‘The global regulatory environment for virtual currencies/crypto-assets is changing rapidly. This may make it challenging to ensure a consistent global approach, which could increase risks. Given the highly mobile nature of virtual currencies/crypto-assets, there is a risk of regulatory arbitrage or flight to unregulated safe havens.’

- FATF Report to the G20 Finance Ministers and Central Bank Governors, July 2018 

In this environment, it may be tempting to find quick fixes and to address new risk management challenges with old compliance solutions. Unfortunately, the same old approaches won’t work. Cryptocurrencies present unique financial crime risk management challenges that warrant unique solutions. A thoughtful risk-based approach to cryptocurrencies requires thinking outside the box. 

In this briefing paper, we share our thoughts about how firms in the crypto industry and in the broader financial sector can meet the challenge. 

The Crypto Industry

Crypto businesses need to keep in mind that ‘compliance’ is not just about ticking boxes. 

Best practice in AML/CFT is about thoughtfully managing risk. A well-calibrated risk-based approach can allow a crypto exchange or wallet provider to establish a truly comprehensive financial crime risk management framework that protects the integrity of its business, reduces exposure to financial crime and mitigates regulatory risk. 

We’ve identified five key areas that can help a crypto business build a best-in-class risk management framework. 

#1 Assessing Risk

A well-designed risk-based approach starts with a thorough financial crime risk assessment. For crypto businesses, a risk assessment that takes account of the unique features and challenges of crypto products and services is essential. What’s more, it is important to develop a risk assessment framework that is scalable and can be used to evaluate changes in risk exposure as a company grows.

Current regulatory guidance, such as that of the UK’s Joint Money Laundering Steering Group (JMLSG), sets out factors to consider when undertaking a firm-wide risk assessment:

Geography – Crypto businesses should assess risks related to where they are located and where they offer services. For example, is a crypto exchange registered in a jurisdiction with a strict regulatory environment, and how does this operating environment impact its risk profile? Is the platform accessible from jurisdictions subject to international sanctions? Is the service available in countries with high levels of terrorist financing?  

Customers – A crypto business should also consider whether factors about its specific customer base could impact its overall risk profile. For example, does it have any customers who are politically exposed persons (PEPs)? If so, who are those PEPs and does their source of wealth present any red flags? Are customers who are nationals of countries associated with high levels of human trafficking creating accounts in large numbers, and if so, do those accounts present signs of unusual activity?

Product – A crypto business needs to consider how any product features might impact its risk exposure. Does the product enable the rapid conversion of fiat currency to crypto in a way that might prove attractive to money launderers? Is the product vulnerable to high value money laundering, or do its features present a risk of lower-value money mule activity that can be pervasive but difficult to detect? 

Delivery channel – A crypto business also needs to think carefully about the risks related to how customers access its product or platform. Is it only accessible online? Or does the product involve Bitcoin ATMs or other physical infrastructure that customers can use?

In addition to assessing these general risk categories, crypto businesses should think carefully about the money laundering and terrorist financing risks that their specific offerings present. For example, whether they provide an online exchange service, a crypto ATM network or crypto prepaid cards, crypto businesses will face unique money laundering typologies and criminal vulnerabilities that are highly specific to their business type. Recent cases suggest that criminals are becoming savvier in exploiting a diverse range of crypto-related products and services, seeking out platforms that allow them to engage in increasingly complex money laundering schemes. Developing bespoke risk management solutions requires understanding these typologies in detail. 

Crypto businesses should also assess the financial crime risks around the types of cryptocurrencies they provide. For example, privacy coins with high levels of anonymity such as Monero may present unique risks and challenges. It may prove challenging to monitor customer activity where these coins are present. Crypto exchanges that offer privacy coins to customers need to be aware of the resulting impact on their risk profile.

It’s important to remember that a risk assessment process should be supported by a sound methodology that enables a company to understand the evolution of its risks over time. This should include:

• Developing a logical approach to measuring inherent and residual risks;

• Ensuring risk assessment findings are thoroughly documented and presented clearly to senior management; and

• Having processes in place for updating the risk assessment, in whole or in part, when new business lines and products are launched, geographical expansion occurs or other trigger events arise. 

‘Risk management generally is a continuous process, carried out on a dynamic basis. A money laundering/terrorist financing risk assessment is not a one-time exercise. Firms must therefore ensure that their risk management processes for managing money laundering and terrorist financing risks are kept under regular review.’

- JMLSG, Guidance for the UK Financial Sector, December 2017 

#2 Defining Risk Appetite

When a business understands its risks, it can decide which risks it finds acceptable and which it finds too high.

A financial crime risk appetite statement can allow a crypto business to scale and develop new products and services in a thoughtful manner that ensures commercial goals are achieved without taking on excessive risk. As the Financial Stability Board has indicated 2, a good risk appetite statement can achieve several goals, including:

• Setting quantitative measures that track exposure to key risks, enabling proactive mitigation of risks before they become unacceptably high;

• Establishing limits to risk taking so that staff have a clear understanding of unacceptable risks;  

• Defining staff members’ roles and responsibilities for mitigating risks; and

• Providing a baseline against which assurance functions can test that systems and controls are enabling the company to operate within its risk appetite. 

By clearly defining the levels of risk they are willing to assume, a company’s senior management can establish a clear ‘tone from the top’ and foster a strong company culture. Failure to do so can result in a lax risk management environment that leaves the company exposed to reputational and regulatory risk. 

‘A sound risk culture will provide an environment that is conducive to ensuring that emerging risks that will have material impact on an institution, and any risk-taking activities beyond the institution’s risk appetite, are recognised, escalated, and addressed in a timely manner.’

- Financial Stability Board, Principles for An Effective Risk Appetite Framework, November 2013 

#3 Building a Compliance Team and Governance Arrangements

A strong company culture on financial crime is only possible if supported by a competent and effective team of suitably qualified AML/CTF compliance professionals. 

‘One of the most important controls over the prevention and detection of money laundering is to have staff who are alert to the risks of money laundering/terrorist financing and well trained in the identification of unusual activities or transactions which may prove to be suspicious.’ 

- JMLSG, Guidance for the UK Financial Sector, December 2017 

Even the smallest crypto companies should ensure that they have adequately experienced staff who understand financial crime risks, regulatory requirements and appropriate control measures. To this end, it is important to make sure that staff have received appropriate training. As the UK’s JMLSG3 advises, training should include ensuring staff awareness of:

• The company’s risks, as identified in its financial crime risk assessment;

• The company’s financial crime policies, procedures, systems and controls;

• AML/CTF regulatory requirements applicable to the company, and the consequences of breaching those requirements;

• The types of high risk customers the company encounters, and enhanced due diligence (EDD) measures that are in place to manage them; and

• Red flag indicators of suspicious activity specific to the company’s product and service offerings, and procedures for filing suspicious activity reports (SARs). 

Larger companies should think carefully about how to structure their compliance functions so that risks are managed appropriately, and to ensure that senior management can monitor those risks over time. Compliance teams should be suitably resourced and visible within the company. 

This may be accomplished, in part, by establishing financial crime risk committees composed of senior risk and compliance staff that review key management information to assess the effectiveness of controls and identify emerging risks. Robust governance arrangements can ensure that risk management functions are on the front foot against financial crime and are not merely reactive.

#4 Choosing and Tuning Tools

To be effective, a financial crime compliance team must be more than just impressive-sounding titles. Compliance functions must develop and utilise effective AML/CTF policies and procedures whilst having access to systems and controls that are proportionate to the risks their business faces. 

Policies and procedures should be developed with the aim of mitigating a company’s risks as identified in its risk assessments. This could include, for example, having in place specific EDD measures for identifying customers’ source of wealth where less transparent products or services are used.

Financial crime systems and controls – such as identification and verification tools, transaction monitoring systems and sanctions screening solutions – should be appropriately calibrated to ensure a firm can operate within its risk appetite. 

Bitcoin ‘track and trace’ forensic tools have also been developed and are already assisting many crypto industry participants in identifying and managing risks. 

These systems and controls should be subject to regular audit and testing to ensure they mitigate key risks and meet regulatory expectations. As JMLSG notes4, effective systems and controls are generally characterised by factors such as:

• Alignment with regulatory requirements and expectations; 

• Appropriate resourcing; and

• Competent staff operating the controls. 

Whether a company chooses to undertake internal or external audit, it needs to be able to demonstrate that systems and controls are compliant whilst also enabling it to manage its risks in practice.  

#5 Working with Partners

Strength is in numbers, and crypto businesses can bolster their defences against financial crime by sharing information with their industry peers. 

At FINTRAIL, we’ve co-founded the FinTech Financial Crime Exchange (FFE), a partnership of over 50 UK FinTech companies, including several of the UK’s leading cryptocurrency firms. 

Through the FFE, crypto and other FinTech companies can share information on financial crime typologies they encounter and best practices for prevention and deterrence. 

Proactive involvement in industry partnerships, self-regulatory organisations and other similar platforms can enable a company to stay on the front foot against financial crime. 

Out of Many, One? — The Future of U.S. FinTech Regulation

Not for the first time, the federal government and states are at odds over the future regulation of FinTech.

On July 31, 2018, the Office of the Comptroller of the Currency (OCC) at the U.S. Department of the Treasury (DoT) announced it would begin accepting applications from FinTechs for special bank charters, which would allow them to operate nationally. But individual states and inter-state organizations are strongly opposed. The Conference of State Bank Supervisors (CSBS), which brought an unsuccessful lawsuit against the OCC last year to stop the charter being introduced, has declared that it is ‘a regulatory train wreck in the making.’

The irony is that both sides of the debate want greater consistency. The key difference is determining who should drive the change. As this battle continues, how can U.S. FinTechs approach this complex regulatory landscape, protect themselves and their customers from financial crime, and change potential risks into competitive advantages?

No Single Framework

Part of the difficulty FinTechs face while navigating the U.S. regulatory environment is not only the different layers of government — state and federal — but also the lack of one single type of FinTech. Digital payments firms, for instance, are seen as money services businesses (MSBs) under the federal Bank Secrecy Act (BSA) and have to register with the Financial Crimes Enforcement Network (FinCEN) at the DoT as well as gain a state license. Cryptocurrency exchanges are also considered MSBs, because they transmit funds, but initial coin offerings (ICOs), where a new cryptocurrency is offered in return for investment in the startup, are considered a form of security and are subject to the Securities Act and Securities Exchange Act, regulated by the Securities and Exchange Commission (SEC). The table below provides a simplified view of financial crime risks, regulations, and the FinTech sectors that might be affected.

[Table (image not reproduced): simplified view of financial crime risks, regulations, and the FinTech sectors that might be affected]

What Do Both Sides Want?

First, the states are keen to see licensing for FinTechs remain in their hands, and there have been collective moves to increase alignment and streamlining across the states for all forms of non-bank financial activity. CSBS’s ‘Vision 2020’ reinforces this with what it calls “a series of initiatives…to modernize state regulation of non-banks, including financial technology firms.” The program aims to ensure that by 2020, there will be an integrated state licensing and supervisory system across all 50 states. This includes the redesign of the Nationwide Multistate Licensing System (NMLS), the core technology platform used by state bank regulators, the introduction of a Fintech Industry Advisory Panel, harmonization of state supervision, and education programs to improve bank and non-bank interaction.

According to the recent DoT report, ‘Nonbank Financials, Fintech, and Innovation,’ the federal government wishes to see financial innovation continue, but within a more consistent regulatory framework. The report suggests a range of possibilities, such as state alignment through ‘model laws’, license harmonization, FinTech/Financial Service provider partnerships, as well as the OCC ‘special bank’ charter. Indeed, the OCC itself has said that the special charter is only one option, and it is conceivable that a hybrid approach might develop over time, through negotiation between the states and the federal government. All sides seem to want to get to the same destination, but have varying views about who should be in charge.

What does this mean for Financial Crime Risk?

From the perspective of identifying, managing and mitigating financial crime risks in the U.S. FinTech sector, there are plenty of positives in these developments. Variations in types of regulation between jurisdictions can create vulnerabilities in a system that can abet money launderers. Federal legislation apart, if one state has significantly less demanding requirements for company licensing than another, then it could become a portal through which criminal funds are most easily ‘placed’ in the financial system — stage one of the money laundering cycle. And from there, the funds can be ‘layered’ — sent through multiple accounts in the financial system (stage two) — before being ‘integrated’ into a seemingly legitimate account (stage three), quite possibly in a state with higher licensing requirements. If there is greater and more demanding standardization, and more consistent application of the standards, this should then help to reduce financial crime risk overall.

How should FinTechs respond?

However, it is important that FinTechs do not interpret this positive trend in the wrong way. Improved and consistent regulation can reduce some of the niches in which financial criminals can operate. However, it does not eliminate financial crime risk, because, as experience has shown, those who launder criminal funds, evade sanctions and tax, and finance terrorism are amongst the most creative people in the world.

So rather than becoming caught up in a traditional compliance ‘tick box’ culture, or following regulatory battles, FinTechs should focus first on the actual financial crime risks themselves. Regardless of the final outcome of the tug of war between the states and the federal government, FinTechs must consider how to manage their risks in this area, in the best interests of themselves and their clients. This isn’t just good for risk management and compliance — it is also good for business.

FinTech firms should consider a simple four-step approach:

  1. Undertake a financial crime risk assessment. This is essential to knowing your key vulnerabilities and then being able to measure your efforts to reduce them over time. This requires challenging assumptions, testing vulnerabilities, and working in detail to understand the precise extent and nature of the money laundering and other risks to which the firm could be exposed.

  2. Understand financial crime typologies. Make use of available typology studies related to certain offences to understand potential exposure and assess whether any unknown risks do in fact exist. Given the anonymous character of many transactions on online platforms, FinTechs should pay special attention to the risks from different types of fraud, such as synthetic identity fraud.

  3. Build tailored systems. Seek to build systems and processes that are specifically designed for the risks FinTechs are likely to face. For example, although all financial institutions are subject to U.S. sanctions laws, providers involved in cross-border transactions should give higher priority to screening for potential evasion. A risk-focused approach is more likely to create a healthy and proactive compliance culture.

  4. Create indicators and use data. FinTechs should leverage the skill they have in utilizing data to decipher indicators of specific money laundering risks. They should continue using these indicators and supporting data as key performance indicators on a regular and scheduled basis. This is invaluable for managing risk and makes future conversations with auditors and regulators considerably easier.

Understanding and implementing this process is key to stopping financial crime in its tracks and helping transform risks into opportunities.

Published in………