Often within our training sessions, we facetiously refer to cryptocurrency as “poof” money…as in “poof!” it’s out there, but you can’t touch it and you can’t feel it…the metaphysical version of its hard coin counterpart. However, the creation and use of cryptocurrency has been growing in staggering numbers. Our local ACAMS chapter recently hosted an event solely dedicated to exploring cryptocurrency through discussion of its origin and risks, to how it should be incorporated into your customer due diligence. Let’s just start with some numbers to substantiate this “poof” money. A Compliance Manager for Bittrex, one of the main crypto coin exchanges in the industry, sat on a panel discussion and explained that Bittrex alone had over 250 different coins (i.e. 250 different cryptocurrencies!) on their exchange…and over 4 million registered customers. CoinBase, a close competitor, has over 11 million customers. So, while you may be scratching your head and talking to yourself in circular arguments about how cryptocurrency actually works, there are A LOT of people out there who are regularly purchasing, selling and exchanging virtual coins.
How does – or should – cryptocurrency factor into your due diligence processes? For the past few years, we have been recommending our clients include a question about whether a customer engages in cryptocurrency. What happens when a customer responds in the affirmative? Here are a few suggested follow-up questions:
- Do you plan to invest or exchange coins, or use them for purchasing goods or services?
- What cryptocurrencies do you intend to use?
- What exchange do you primarily use?
The answers to these questions could indicate levels of risk. Two of the main exchanges mentioned here are Bittrex and CoinBase, but there are other – and lesser known – exchanges out there. If your customer is using a main exchange, it would be considered lower risk than if they are using another exchange that is perhaps not as well established in the industry or as strongly focused on regulatory compliance. The type of currency also matters. Bitcoin is one of the most well-known coins and there are several others of similar caliber, but as you might imagine with hundreds of coins in circulation, there are those that could be less well known. While the coin type itself may not present direct risk to your institution, it could indicate the customer’s intentions. Some of the bad actors will exchange one crypto for another over and over, essentially layering their transactions to try to cover the trail of funds.
You’re likely thinking, “But how will I know?” Great question. This is an area where a lot of independent research is going to come into play. You’ll have to get familiar with the main exchanges and the main coins. Another option is to engage in information sharing practices under Section 314(b) of the USA PATRIOT Act. You can leverage the knowledge and expertise of others who are similarly registered. And guess who else can be registered to share information with you? Virtual currency exchangers! If you had a question about a coin, its origins, prevalence and use, you could reach out to a registered exchanger to get more information.
The amount of monitoring and due diligence these exchanges are required to undertake is significant – think of your AML rules on steroids – because they are dealing with millions of customers that they never meet. In reading that statement, you are likely wondering about their CIP methods. Interestingly enough – and in the spirit of utilizing innovative approaches – some of the exchangers are using selfies. We kid you not. In addition to gathering required CIP information and pulling ChexSystems reports, they also require the customer to send them a selfie, holding their ID and the customer must also include the name of the exchange on the picture. They require the date and the written name of the exchange because – get this! – there are actually places on the dark web where you can purchase selfies of people holding their IDs. What? Ever feel like you are Alice Through the Looking Glass? In any case, we thought this was an innovative way to verify your customer’s identity if you aren’t meeting them in person.