by Jonathan J. Rusch

Over the last several years, one of the persistent concerns of law enforcement and regulatory agencies has been the growing use of cryptocurrencies as a vector for money laundering and terrorist financing (ML/TF). For example, a 2020 report by a blockchain analysis company traced $2.8 billion in Bitcoin that moved from criminal entities to exchanges in 2019[1] – a substantial increase from about $1 billion in 2018.[2]

As one indication of the depth of those concerns, in 2019, the leaders of the Commodity Futures Trading Commission, the Financial Crimes Enforcement Network, and the Securities and Exchange Commission issued a joint statement “to remind persons engaged in activities involving digital assets of their anti-money laundering and countering the financing of terrorism (AML/CFT) obligations under the Bank Secrecy Act (BSA).”[3] To underscore the importance of compliance with those obligations, the U.S. Department of Justice has been prosecuting a stream of criminal cases against various individuals for using cryptocurrencies to launder illegal proceeds.[4]

These actions leave no doubt about the seriousness of law enforcement and regulatory agencies’ commitment to requiring compliance with AML/CFT requirements regarding digital assets. What law enforcement and regulators have not previously provided, however, is a clear and detailed statement of the “red flags” that financial institutions should recognize and incorporate into their AML/CFT programs, for more timely and accurate identification of crypto-related activity with ML/TF connections.

A recent report by the intergovernmental body that sets international AML/CFT standards, the Financial Action Task Force (FATF), has now filled that gap. The report set forth six categories of ML/TF red flag indicators associated with “Virtual Assets” (VAs).[5] In compiling these red flag indicators, the FATF drew on four categories of data: (1) more than 100 case studies contributed by jurisdictions from 2017 to 2020; (2) the findings of the FATF Confidential Report on Financial Investigations Involving Virtual Assets (June 2019); (3) the published FATF report on Virtual Currencies Key Definitions and Potential AML/CFT Risks (June 2014); and information on the misuse of VAs that was available in the public domain.[6] 

The six categories of red flag indicators are as follows.

Red Flag Indicators Related to Transactions

The report first calls attention to the fact that “red flags traditionally associated with transactions involving more conventional means of payment remain relevant to detecting potential illicit activity related to VAs.”[7] It therefore focuses on five indicators, similar to a number of red flags in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual,[8] pertaining to the size and frequency of transactions. These include:

• • Structuring of VA transactions (e.g., exchange or transfer) “in small amounts, or in amounts under record-keeping or reporting thresholds, similar to structuring cash transactions”;
  • Making multiple high-value transactions (a) “in short succession, such as within a 24-hour period,” or (b) “in a staggered and regular pattern, with no further transactions recorded during a long period afterwards”; and
  • “[D]epositing funds from VA addresses that have been identified as holding stolen funds, or VA addresses linked to the holders of stolen funds.”[9]

Red Flag Indicators Related to Transaction Patterns

Similar to the first section on transactions, the report calls attention to eight red flags that “illustrate how the misuse of VAs for ML/TF purposes could be identified through irregular, unusual, or uncommon patterns of transactions.” The first three red flags pertain to transactions concerning new users, including:

• • Conducting a large initial deposit to open a new relationship with a VA service provider (VASP), “while the amount funded is inconsistent with the customer profile”; and
  • “A new user attempt[ing] to trade the entire balance of VAs, or withdraw[ing] the VAs and attempt[ing] to send the entire balance off the platform.”

The other five indicators are associated with transactions concerning all users, including:

• • Transactions “involving the use of multiple VAs, or multiple accounts, with no logical business explanation”;
  • Making frequent transfers “in a certain period of time (e.g. a day, a week, a month, etc.) to the same VA account” (a) by more than one person; (b) from the same IP address by one or more persons; or (c) concerning large amounts; and
  • Converting “a large amount of fiat currency into VAs, or a large amount of one type of VA into other types of VAs, with no logical business explanation.”[10] 

Red Flag Indicators Related to Anonymity

The next group of red flags draws “from the inherent characteristics and vulnerabilities associated with the underlying technology of VAs.” In particular, this group focuses on a variety of technological features that “increase anonymity and add hurdles to the detection of criminal activity by [law enforcement agencies.”[11] Because of the variety of those features, this section of the report sets out fourteen indicators, including:

• • Transactions by a customer “involving more than one type of VA, despite additional transaction fees, and especially those VAs that provide higher anonymity, such as anonymity-enhanced cryptocurrency (AEC) or privacy coins”;
  • Transactions “making use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces”; and
  • Receiving funds from, or sending funds to, “VASPs whose CDD or know-your-customer (KYC) processes are demonstrably weak or non-existent.”[12]

Red Flag Indicators About Senders or Recipients

Similar to the FFIEC BSA/AML Examination Manual red flags list, the report also specified a range of indicators “relevant to the profile and unusual behavior of either the sender or the recipient of the illicit transactions.”[13] Because of the range of such actions that could indicate ML/TF laundering activity, the report lists 19 relevant indicators, divided into five categories.

The first subcategory, irregularities observed during account creation, includes four indicators (e.g., creating separate accounts under different names “to circumvent restrictions on trading or withdrawal limits imposed by VASPs”).

The second subcategory, irregularities observed during the CDD process, comprises three indicators (e.g., incomplete or insufficient KYC information, or a customer declining requests for KYC documents or inquiries regarding the source of funds).

The third subcategory, profile, includes four indicators, including a customer providing identification or account credentials (e.g., a non-standard IP address, or flash cookies) shared by another account.

The fourth subcategory, profile of potential money mule or scam victims, comprises four indicators (e.g., the sender “does not appear to be familiar with VA technology or online custodial wallet solutions”).

Finally, the fifth subcategory, other unusual behavior, includes four indicators (e.g., a customer “tr[ying] to enter into one or more VASPs from different IP addresses frequently over the course of a day”).[14]

Red Flag Indicators in the Source of Funds or Wealth

Drawing on examples from cases that jurisdictions submitted to the FATF, the report warned that “the misuse of VAs often relates to criminal activities, such as illicit trafficking in narcotics and psychotropic substances, fraud, theft and extortion (including cyber-enabled crimes).” The eight indicators in this category pertain to the source of funds or wealth linked to criminal activities, including:

• • “Transacting with VA addresses or bank cards that are connected to known fraud, extortion, or ransomware schemes, sanctioned addresses, darknet marketplaces, or other illicit websites”;
  • A customer’s funds being “sourced directly from third-party mixing services or wallet tumblers”; and
  • The bulk of a customer’s source of wealth “is derived from investments in VAs, ICOs, or fraudulent ICOs, etc.”[15]
    

Red Flag Indicators Related to Geographical Risks

The final group of “red flags “emphasises how criminals, when moving their illicit funds, have taken advantage of the varying stages of implementation by jurisdictions on the revised FATF Standards on VAs and VASPs.” Again drawing on cases that jurisdictions reported, the report stated that “criminals have exploited the gaps in AML/CFT regimes on VAs and VASPs by moving their illicit funds to VASPs domiciled or operated in jurisdictions with non-existent or minimal AML/CFT regulations on VAs and VASPs.”[16]

The four indicators in this category include:

• • A customer’s funds “originat[ing] from, or [being] sent to, an exchange that is not registered in the jurisdiction where either the customer or exchange is located”;
  • A customer utilizing “a VA exchange or foreign-located MVTS in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for VA entities, including inadequate CDD or KYC measures”; and
  • A customer sending funds “to VASPs operating in jurisdictions that have no VA regulation, or have not implemented AML/CFT controls.”[17] 

Takeaways

Lawyers counseling financial institutions on AML/CFT compliance, as well as in-house compliance counsel in the financial sector, should read the report closely, with particular attention to the specific audiences that the FATF indicated would benefit from its issuance, namely:

• • “virtual asset service providers, financial institutions, and designated non-financial businesses and professions, and other reporting entities,” whom the report can help “detect and report suspicious transactions”;
  • “financial intelligence units, law enforcement agencies, prosecutors and regulators,” to whom the report provides information useful in analyzing “suspicious transaction reports or [in] monitor[ing] compliance with anti-money laundering and counter-terrorist financing controls”[18]; and
  • “reporting entities[]” whose “application of a risk-based approach to . . . Customer Due Diligence (CDD) requirements” the report can facilitate.[19]

Although the FATF red flags list does not have direct regulatory effect on individual financial institutions, the report sends a strong signal that over time FATF will expect jurisdictions to incorporate the red flags list into their domestic regulations, and financial institutions to incorporate them into their AML/CFT compliance programs.

For those reasons, lawyers in the AML/CFT space should advise financial institutions that they should review the report with care and see how those red flags can best be incorporated throughout their AML/CFT compliance programs. Potential areas of attention could include CDD programs, investigation of potentially suspicious activity relating to VAs, and preparation and submission of Suspicious Activity Reports, as well as appropriate training for first-, second-, and third-line staff responsible for AML/CFT matters.

In its conclusion, the report counseled competent authorities that they may provide private sector entities “with the indicators and information most relevant for that jurisdiction,” such as using the information in the report “to prepare their own advisories to relevant reporting entities.” At the same time, it advised that it “should not be intended for use as a regulatory tool for compliance and examination purposes, or as a checklist when supervising private sector institutions as not all indicators are applicable to all jurisdictions or all institutions.”[20]

Nonetheless, financial institutions should be mindful that over time various jurisdictions are likely to make use of the report in incorporating its red flags into their regulatory examination and review processes, and that U.S. and United Kingdom financial regulators have demonstrated their willingness to impose substantial financial penalties when firms persistently ignore AML-related “red flags.”[21] 

Footnotes

[1] See CHAINALYSIS, THE 2020 STATE OF CRYPTO CRIME (Jan. 2020), https://go.chainalysis.com/rs/503-FAP-074/images/2020-Crypto-Crime-Report.pdf (PDF: 5.55 MB).

[2] See Michael del Castillo, Cryptocurrency Crimefighter Chainalysis Becomes First Blockchain Company To Make Next Billion-Dollar Startups List, FORBES (July 16, 2019), https://www.forbes.com/sites/michaeldelcastillo/2019/07/16/cryptocurrency-crimefighter-chainalysis-joins-next-billion-dollar-startups/#619a9341ace0.

[3] Public Statement: Leaders of CFTC, FinCEN, and SEC Issue Joint Statement on Activities Involving Digital Assets (Oct. 11, 2019), https://www.sec.gov/news/public-statement/cftc-fincen-secjointstatementdigitalassets.

[4] See e.g., Indictment, United States v. Yinyin, No. 1:20-cr-00052-TJK (D.D.C., indictment unsealed Mar. 2, 2020), https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack; Indictment, United States v. Harmon, No. 19-cr-00395 (D.D.C., indictment unsealed Feb. 11, 2020), https://www.justice.gov/opa/pr/ohio-resident-charged-operating-darknet-based-bitcoin-mixer-which-laundered-over-300-million; U.S. Department of Justice, Release (July 22, 2020), https://www.justice.gov/usao-cdca/pr/oc-man-admits-operating-unlicensed-atm-network-laundered-millions-dollars-bitcoin-and.

[5] FINANCIAL ACTION TASK FORCE, VIRTUAL ASSETS RED FLAG INDICATORS OF MONEY LAUNDERING AND TERRORIST FINANCING (Sept. 2020) (hereinafter FATF VA REPORT), http://www.fatf-gafi.org/media/fatf/documents/recommendations/Virtual-Assets-Red-Flag-Indicators.pdf (PDF: 1.07 MB).

[6] See id.

[7] Id. at 5.

[8] See Federal Financial Institutions Examination Council, Bank Secrecy Act/Anti-Money Laundering Examination Manual, Appendix F: Money Laundering and Terrorist Financing “Red Flags” (last accessed Sept. 21, 2020), https://bsaaml.ffiec.gov/docs/manual/10_Appendices/07.pdf (PDF: 162 KB).

[9] FATF VA REPORT, supra note 5, at 5-6.

[10] Id. at 7-8.

[11] Id. at 9.

[12] Id. at 9-10.

[13] Id. at 12.

[14] Id. at 12-15.

[15] Id. at 15.

[16] Id. at 17.

[17] Id.

[18] Financial Action Task Force, Release: Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing (Sept. 14, 2020), https://www.fatf-gafi.org/publications/fatfrecommendations/documents/virtual-assets-red-flag-indicators.html.

[19] FATF VA REPORT, supra note 5, at 3.

[20] Id. at 19.

[21] See, e.g., New York State Department of Financial Services, Consent Order Under New York Banking Law §§39 and 44, In the Matter of Deutsche Bank AG (July 6, 2020) ($150 million penalty), https://www.dfs.ny.gov/system/files/documents/2020/07/ea20200706_deutsche_bank_consent_order.pdf (PDF: 625 KB); Financial Conduct Authority, Final Notice, Barclays Bank plc, No. 122702 (Nov. 25, 2015) (£72,069,400 penalty), https://www.fca.org.uk/publication/final-notices/barclays-bank-nov-2015.pdf (PDF: 366 KB).

Jonathan J. Rusch is Principal of DTG Risk & Compliance, a consulting firm specializing in corporate compliance issues, and a Senior Fellow of the Program on Corporate Compliance and Enforcement at New York University School of Law.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.