On 27 July 2020, the Joint Money Laundering Steering Group (JMLSG), which comprises UK financial services industry trade bodies, published new sectoral guidance for cryptoasset exchange providers and custodian wallet providers regarding compliance with money laundering obligations. The Guidance provides an outline of the money laundering risks posed by cryptoassets and how cryptoasset firms can mitigate such risks.
Money-Laundering Risks of Cryptoassets
A 2020 study by the UK’s National Crime Agency reported that UK-based criminals are identifying new ways of using virtual assets such as cryptocurrencies for money laundering purposes. Paragraph 22.33 of the Guidance outlines specific money-laundering risk factors posed by cryptoassets, which include:
- increased privacy – certain cryptoasset systems provide the ability for transactors to carry out transactions without being fully identified (although the Guidance notes that this is less likely to apply to public blockchains);
- the cross-border nature of cryptoasset transactions – cryptoasset transactions can cross several jurisdictions, which can reduce the ability of regulators to oversee and supervise the application of anti-money laundering controls;
- decentralisation – this means there is no central server or service provider that has overall responsibility for identifying users, monitoring transactions, reporting suspicious activity or acting as a contact point for law enforcement; and
- innovation – cryptoasset innovations can give rise to new types of financial crime not posed by traditional payment and financial services products.
Legislative Background
The Financial Action Task Force (FATF) has called on its members to regulate cryptoassets to reduce the risk that this new medium may be used for financial crime. Additionally, the EU’s Fifth Money Laundering Directive, which has been implemented in the UK via amendments to the Money Laundering Regulations 2017 (MLRs), requires Member States to act. The Guidance is designed to reflect changes introduced by the MLRs, which go further than the Directive by bringing cryptoasset exchange providers and custodian wallet providers within the scope of the UK’s money laundering regime. Businesses carrying on cryptoasset activity need to have been compliant with the MLRs from 10 January 2020. The Guidance is designed to assist cryptoasset exchange providers and custodian wallet providers in meeting these obligations by taking a risk-based approach to cryptoassets.
Mitigating the Risks
In order to mitigate these risks, the Guidance explains that firms should carry out a thorough risk assessment, which includes, for example, considering:
- customer risk – firms should take a holistic view of the information obtained from their customer due diligence checks in order to prepare a customer risk profile (paragraph 22.36);
- product risk – the risk assessment should consider the features of the actual cryptoasset that customers may use during the transaction and the risks associated with that product (paragraph 22.37); and
- transaction risk – the blockchain on which the transaction is taking place should be analysed to ascertain its risk profile (paragraph 22.38).
Once all relevant risks have been assessed, the Guidance identifies a number of measures to mitigate these risks:
- the introduction of transaction limits, including limits on the total value of privacy coins that may be held, stored, transferred or exchanged (paragraph 22.41);
- the use of time delays before certain automated and manual transactions can be carried out, with a view to restricting the rapid movement of funds (paragraph 22.41);
- the prohibition of transfers to third parties where details relating to the transaction, such as names involved, do not match (paragraph 22.41); and
- carrying out customer due diligence, know-your-client checks, blockchain analysis, properly evidencing the source and destination of the funds and complying with ongoing monitoring obligations (paragraphs 22.42 – 22.60).
Impact on Cryptoasset Businesses
Although the JMLSG’s Guidance is not legally binding, once approved by the UK Treasury, UK courts will take into account a firm’s compliance with the Guidance when determining if it has committed a money laundering offence. Moreover, for businesses regulated by the Financial Conduct Authority, the regulator will take the Guidance into account when investigating breaches of its rules, for example the requirement to have systems and controls to identify, assess, monitor and manage money laundering risks. Therefore, compliance provides firms with some legal protection over their anti-money laundering arrangements. As such, we recommend that cryptoasset businesses review the Guidance and assess if they are compliant. If they are not, they would be wise to update their policies, procedures and staff-training regimes as necessary.