On 27 July 2020, the Joint Money Laundering Steering Group (JMLSG), which comprises UK financial services industry trade bodies, published new sectoral guidance for cryptoasset exchange and custodian wallet providers regarding compliance with money laundering obligations. The Guidance provides an outline of the money laundering risks posed by cryptoassets and how cryptoasset firms can mitigate such risks.
Money-Laundering Risks of Cryptoassets
A 2020 study by the UK’s National Crime Agency reported that UK based criminals are identifying new ways of using virtual assets such as cryptocurrencies for money laundering purposes. Paragraph 22.33 of the Guidance outlines specific money-laundering risk factors posed by cryptoassets that include:
- increased privacy – certain cryptoasset systems provide the ability for transactors to carry out transactions without being fully identified (although the Guidance notes that this is less likely to apply to public blockchains);
- the cross-border nature of cryptoasset transactions – cryptoasset transactions can cross several jurisdictions, which can reduce the ability of regulators to oversee and supervise the application of anti-money laundering controls;
- decentralisation – this means there is no central server or service provider that has overall responsibility for identifying users, monitoring transactions, reporting suspicious activity or acting as a contact point for law enforcement; and
- innovation – cryptoasset innovations can give rise to new types of financial crime not posed by traditional payment and financial services products.
The Financial Action Task Force (FATF) has called on its members to regulate cryptoassets to reduce the risk this new medium may be used for financial crime. As a result, in the EU (including for the moment the UK), the Fifth Money Laundering Directive requires Member States to act. The Guidance is designed to reflect resulting changes introduced by 2019 amendments to the UK Money Laundering Regulations 2017 (MLRs). The amended MLRs – which go further than the Directive – bring cryptoasset exchange and custodian wallet providers within the scope of the UK’s anti-money laundering regime. Businesses carrying on cryptoasset activity need to have been compliant with the MLRs from 10 January 2020. The Guidance is designed to assist cryptoasset exchange and custodian wallet providers to comply with the MLRs by taking a risk-based approach to cryptoassets.
Mitigating the Risks
In order to mitigate the risks, the Guidance explains that firms should carry out a thorough risk assessment, which includes (see paragraphs 22.36-38), for example, considering:
- customer risk – firms should take a holistic view of the information obtained from their customer due diligence checks in order to prepare a customer risk profile;
- product risk – the risk assessment should consider the features of the actual cryptoasset that customers may use during the transaction and the risks associated with that product; and
- transaction risk – the blockchain on which the transaction is taking place should be analysed to ascertain its risk profile.
Once all relevant risks have been assessed, the Guidance identifies a number of measures to mitigate these risks (see paragraphs 22.41-60):
- the introduction of transaction limits, including limits on the total value of privacy coins that may be held, stored, transferred or exchanged;
- the use of time delays before certain automated and manual transactions can be carried out with a view to restrict the rapid movement of funds;
- the prohibition of transfers to third parties where details relating to the transaction, such as names involved, do not match; and
- carrying out customer due diligence, know-your-client checks, blockchain analysis, properly evidencing the source and destination of the funds and complying with ongoing monitoring obligations.
Impact on Cryptoasset Businesses
Although the JMLSG’s Guidance is not legally binding, once approved by the UK Treasury, UK courts will take into account a firm’s compliance with the Guidance when determining if it has committed a money laundering offence. Moreover, for businesses regulated by the Financial Conduct Authority, the regulator will take the Guidance into account when investigating breaches of its rules. For example, the requirement to have systems and controls to identify, assess, monitor and manage money laundering risk. Therefore, compliance provides firms with some legal protection over their anti-money laundering arrangements. As such, we recommend that cryptoasset businesses should review the Guidance and assess if they are compliant. If they are not, they would be wise to update their policies, procedures and staff-training regimes as necessary.