Most of the ground to be covered by the proposed EU AML Authority is familiar territory. Anti-money laundering (AML) practices are well established. But in the burgeoning world of cryptocurrency trading, the challenge of identifying true asset owners is altogether different, as the UK regulator has learned. The Financial Conduct Authority has been forced to extend its temporary registrations regime for existing crypto asset businesses because ‘a significantly high number of businesses are not meeting the required standards under the Money Laundering Regulations.’1
As interest in cryptocurrencies continues to grow, so too will the efforts to develop the safest and the most secure ways to purchase, trade and hold these still-new assets. But the pseudonymity associated with cryptocurrencies provides the perfect opportunity to launder money, making them attractive to criminals. Analysis suggests that 2.8 billion US dollars were laundered in 2019 using crypto exchanges, and that the total is bound to increase.2 The industry’s proven inability to live up to the AML compliance expectations met by the rest of the financial services sector remains a significant hurdle.
The various platforms and apps that enable traders to buy, sell and exchange cryptocurrencies against fiat currencies or other crypto currencies all have different rules, as do the many decentralised exchanges that allow for peer-to-peer cryptocurrency transactions. These pose a particular challenge for regulators who must overcome the sector’s wildly inconsistent approach to AML. Rules around the different ways to buy, hold and trade are fragmented and often confusing. They differ between countries and regulatory bodies.
Biometric verification and authentication technologies must be an important part of the solution. Verification is the initial identity check during the onboarding process and authentication is the reconfirmation that the person in control of the account is the same as the originally verified.
Once, like cryptocurrencies themselves, these tools were confined to the realms of science fiction. Now they are used by millions of people daily to access their smart devices and to authenticate access to crucial goods and services. Think about border control: Facial recognition is now the fast-track route to cross international boundaries at home and abroad.
Many financial institutions have already turned to biometrics to verify customer identities. By anchoring a customer’s digital identity to a real person at account creation, regulated companies have a solid assurance of their real identity. Many customers prefer the approach; more than half would prefer to use document and biometric checks when opening a bank account.3
Customer identity and access management lets organisations easily and accurately verify and then reauthenticate that individuals are who they say they are. In addition, supporting AML and know your customer (KYC) requirements helps them manage customer permissions to give identified individuals access to digital services, applications and products. It covers customer experience, scalability, security and privacy, as well as regulatory compliance.
Identity solutions are centred around two elements: a customer’s government ID, which is unique to an individual, and a selfie of their face, which they can never lose. These provide solid confirmation of their identity while empowering customer self-service to enjoy greater access with less friction. Document and biometric verification also bring higher KYC confidence. By comparing a customer’s ID with their facial biometrics, one can be assured that they are who they say they are, right from when they sign up. The audit trail includes a reference point for your customer’s real identity, which can then be used to tiea user back to an account later in their identity lifecycle.
Customers can reauthenticate at high-risk moments. All they need to do is provide a selfie. Using the new picture, their facial biometrics will be compared to the ID used to create the account. A match provides a high degree of certainty that the interaction is genuine, not fraudulent. Therefore, it offers a high level of security and remains an easy process for customers. There is no need to fall back into higher friction solutions like knowledge-based authentications (KBAs) or call-centres, or quick but-lower security solutions like two-factor authentication.
It is easy to understand why cryptocurrency firms are struggling to comply with AML measures. Most existing regulations—even relatively up-to-date ones—were designed for a different era, one where authentication typically relied on usernames and passwords, KBA or even call centres. Those solutions are much less appropriate for organizations that exist almost entirely in the digital world.
Cryptocurrency firms should adopt biometric verification, as well as authentication at high-risk moments, to gain a much better understanding of their customers’ identities. More importantly, regulators could recognize and include biometric data as part of any new or developing regulatory regime v for cryptocurrency firms. If border controls in Europe now trust facial recognition for allowing access to countries, and the technology is sufficient to comply with AML regulations, then surely regulators could consider its adoption to strengthen AML procedures.
- ‘Temporary Registration Regime extended for cryptoasset businesses,’ Financial Conduct Authority, 3 June 2021, https://www.fca.org.uk/news/press-releases/temporary-registration-regime-extended-cryptoasset-businesses
- ‘Criminals laundered $2.8 billion in 2019 using crypto exchanges, finds a new analysis,’ MIT Technology Review, 16 January 2020, https://www.technologyreview.com/2020/01/16/130843/cryptocurrency-money-laundering-exchanges/
- ‘Customer attitudes to digital identity,’ Onfido, 23 November 2020, https://onfido.com/resources/reports-whitepapers/customer-attitudes