The rise of bitcoin and other virtual currencies poses new challenges in the fight against money laundering and terrorist financing (ML/TF). With virtual currencies, users can make global payments that are beyond the control of financial regulators and security authorities.¹ In addition, there is a growing risk of terrorist financiers evading state surveillance and tapping into these new sources of funding.

The following article describes the vulnerabilities faced by businesses dealing with virtual currencies and outlines the regulatory developments by the Financial Action Task Force (FATF) and the EU. In addition, it sets out initial insights from the ongoing policy discussion in Germany based on the results of a recently published study. Finally, it presents key points from the European Banking Authority’s (EBA) revised ‘Risk Factors Guidelines’ on the newly integrated due diligence requirements linked to virtual currencies.

Virtual Currencies and Fundraising

Recent evidence demonstrates that terrorist groups and their supporters have become increasingly familiar with new technologies. Terrorists use innovative technology that lacks regulation to launder money or try to find new sources of finance, as several recent examples of fundraising by terrorist groups illustrate.² Although this new threat is still at an early stage of its development, the technical capabilities and capacities of terrorist groups close to the Islamic State of Iraq and the Levant (ISIL) or Hamas, for example, are progressing rapidly. There have been several reported cases of terrorist groups using automatic address-generating software for virtual currency wallets to call for donations. None of these new addresses, which have not yet received payments, can be found on the blockchain.

As recently as August 2020, the US government announced that it had seized about 2 million USD in bitcoin and other types of cryptocurrency from accounts that had sent or received funds in alleged financing schemes for three foreign terrorist organisations: al-Qaeda, ISIL and Hamas’ paramilitary arm, the al-Qassam Brigades.³

Consequently, the long-held assumption that bitcoin may not be suitable for illegal activities due to traceability or lack of liquidity needs to be questioned. Various technical means are available for virtual currency users to conceal financial flows and protect themselves against forensic analysis of blockchain, such as the use of anonymising services called ‘mixers’ or ‘tumblers’. Furthermore, virtual currencies known as ‘privacy coins’ allow increased technical protection and encryption of the identity of the sender and the recipient of funds.

Regulatory Measures

In mid-2019, governments agreed on a joint response at the FATF level, the international standard-setter in the field. On 7 July, FATF completed a review of the implementation of its revised standards on virtual assets and virtual asset service providers. The report finds that, overall, both the public and private sectors have made progress in implementing the revised FATF standards.⁴

Published in June 2019, FATF’s Interpretive Note to Recommendation 15 on New Technologies (INR.15) clarifies the FATF’s previous amendments to the international standards related to virtual assets. It also describes how countries and obliged entities must comply with the relevant FATF Recommendations to prevent the misuse of virtual assets for ML/TF as well as the financing of proliferation.⁵ On the same day, FATF published the ‘Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers’—building upon FATF’s 2015 guidance paper—to support providers of virtual asset products and services in understanding and complying with their anti-money laundering/counter-terrorist financing (AML/CTF) obligations.⁶

The new FATF Recommendations aim for effective regulation of virtual exchanges, the crucial interface between the sphere of virtual currencies and fiat currencies. Therefore, AML/CTF standards that apply to traditional financial transactions should, in as far as possible, also cover blockchain-based financial services. Ultimately, the plan is to put an end to anonymous virtual transactions. The wire transfer rule, also called the ‘Travel Rule’, requires states to take precautions to ensure that virtual asset service providers (VASPs) monitor and share customer data among themselves and with the relevant government authorities.⁷ Both governments and companies have one year to comply with the new rules.

In the EU, the adoption of the new FATF Recommendations coincided with the need to implement the latest EU anti-money laundering (AML) directive, the Fifth AML Directive (5AMLD), which extends AML/CTF rules to virtual currencies, among others, and aims to cover all the potential uses of virtual currencies. The rules will now apply to entities that oversee the holding, storing and transferring of virtual currencies. These new actors will have to identify their customers and report any suspicious activity to their local financial intelligence unit (FIU).⁸

The 5AMLD recognises that the inclusion of providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers, will not entirely address the issue of anonymity attached to virtual currency transactions. A large part of the virtual currency environment will remain anonymous because users can also transact without such providers. To combat the risks related to anonymity, national FIUs should be able to obtain information allowing them to link virtual currency addresses to the identity of the owner of a virtual currency.⁹

The German Approach

In Germany, new legal rules on virtual assets came into force on 1 January 2020.¹⁰ Virtual currency companies are now obliged to fulfil know your customer (KYC) requirements and report suspicious transactions to the German FIU. Germany and other countries seem to be on the right track to prevent the practice of anonymous virtual transactions, which pose serious security risks. However, it should be noted that a legal, yet unregulated virtual payment system still exists. Thus, additional regulation is required, particularly for the use of unhosted wallets.

Countries like Germany continue to face the difficult task of keeping up the pace with developments in virtual products and technology. Therefore, it is essential to increase the expertise and technical capabilities available to German regulatory authorities. The overlap of responsibilities between various German authorities in the area of AML/CTF should be reduced and ideally eliminated. The relevant functions, including prosecutorial responsibilities, expertise and capacity, should be pooled and integrated where possible.

In March 2020, Berlin Risk¹¹ and the Counter Extremism Project (CEP)¹² published an in-depth study on the exposure of virtual currencies to terrorist financing, which encourages German regulators to pay attention to and demand more efforts from virtual companies in terms of regulatory compliance and testing emerging industry practices. The study encourages both sides to cooperate and find an appropriate way to comply with the new FATF rules. Furthermore, the study encourages investigating authorities and VASPs to form public-private partnerships to develop typologies and indicators for terrorist financing methodologies and potential asset storage operations in the field of virtual transactions.

EU Supervisory Guidance

At the EU level, the supervising authorities are also keen to improve standards in this area. In February 2020, the European supervisory authorities (ESAs) launched a consultation process for the revision of the ‘Risk Factors Guidelines’ and published the revised draft guidelines.¹³ The ‘Risk Factor Guidelines’ were first referred to in the Fourth AML Directive (Articles 17 and 18[4] on customer due diligence) as those are factors that obliged entities should consider when assessing the ML/TF risk associated with individual business relationships and occasional transactions.

Since the publication of the original guidelines, the 5AMLD entered into force on 9 July 2018. The 5AMLD introduced several changes that warranted a review of the ‘Risk Factors Guidelines’ to ensure their ongoing accuracy and relevance. In its revised version, the EBA proposed key changes, including new guidance on compliance with the provisions on enhanced due diligence related to high-risk third countries. New sectoral guidelines have been added to crowdfunding platforms, corporate finance, payment initiation services providers (PISPs) and account information service providers (AISPs), and for firms providing activities of currency exchange offices. Guideline 9 (sectoral guideline for retail banks) and Guideline 13 (sectoral guideline for regulatory crowdfunding platforms) refer to risk factors linked to virtual currencies.

According to the draft of revised guidelines, issuing or holding virtual currencies remains largely unregulated in the EU―besides those entities that are engaged in exchange services between virtual currency and fiat currencies as well as custodian wallet providers (which are obliged entities under the 5AMLD)―thus increasing the ML/TF risks.

Given this background, the guidelines recommend that when entering into a business relationship with customers that provide services related to virtual currencies, firms should, as part of their ML/TF risk assessment of the customer, consider the ML/TF risk associated with virtual currencies. In particular, firms should consider (among others) the following as virtual currency businesses:

• Operating as a virtual currency trading platform that affects exchanges between fiat currency and virtual currency
• Operating as a virtual currency trading platform that affects exchanges between virtual currencies
• Operating as a virtual currency trading platform that allows peer-to-peer transactions
• Providing custodian wallet services
• Arranging, advising or benefiting from ‘initial coin offerings’ (ICOs)

In guideline 13, the draft of the revised guidelines refers to risk factors linked to crowdfunding service providers (CSPs), specifically those linked to product, service and transactions, when the CSP allows payments through the crowdfunding platform in virtual currencies or when the investor of the project owner transfers virtual currencies. The guidelines also note that CSPs should pay particular attention to jurisdictions known to provide funding or support for terrorist activities or where groups committing terrorist offences are known to be operating, and jurisdictions subject to financial sanctions, embargoes or measures (e.g. issued by the EU or the UN) related to terrorism, terrorist financing or proliferation.

Virtual Assets Due Diligence—What Is in the New Toolbox?

To mitigate the risk attached to virtual currencies and VASPs, the EU’s draft ‘Risk Factors Guidelines’ note that simplified due diligence measures are not sufficient. The draft also provides minimum steps that should be part of any CDD procedure:

• Begin the dialogue with the customer to understand the nature of the business and the ML/TF risks it poses.
• In addition to verifying the identity of the customer’s beneficial owners, carry out due diligence on senior management to the extent that they are different, including consideration of any adverse information.
• Understand the extent to which these customers apply their own customer due diligence (CDD) measures to their clients either under a legal obligation or on a voluntary basis.
• Establish whether the customer is registered or licensed in a European Economic Area member state or in a third country and evaluate the adequacy of that third country’s AML/CTF regime.
• Find out whether businesses using ICOs in the form of virtual currencies to raise money are legitimate and, where applicable, regulated.
• Where the risk associated with such customers is increased, banks should apply enhanced due diligence measures.

At present, the virtual industry faces the task of finding the right mix of expert CDD analysts and investigators as well as technological solutions to operationalise these new compliance standards and establish appropriate know your customer (KYC), CDD and reporting procedures. Although the 5AMLD is technology neutral and firms may choose to use electronic or documentary means, or a combination thereof, to evidence their customers’ identity, obliged entities must make sure that this evidence is based on data or information from reliable and independent sources.¹⁴

Although many fintechs are developing in-house solutions to meet these requirements and to protect their organisations against ML/TF risks, several regtech solutions have entered the market. For example, Facepoint¹⁵ offers a facial recognition-based solution for mitigating the risks of terrorist financing that supports this process as non-face-to-face onboarding of new clients increases. Chainanalysis,¹⁶ a virtual currency transaction monitoring solution, supports the ML/TF monitoring process over time.¹⁷ Although these tools are essential components of any AML program when dealing with virtual currencies, it is important to understand the solutions ‘abilities’ and limitations in order to apply adequate controls around their operationalisation.

Outlook

As discussions around the appropriate level of regulation of virtual assets continue and the regulatory framework evolves, the first guidance to support organisations in undertaking mandatory risk assessments and subsequently putting in place risk-based CDD procedures has been drafted by the EBA. In line with its new mandate, the EBA has taken steps beyond those outlined in the 5AMLD to support financial institutions in understanding the risk factors attached to their business. These guidelines should support organisations in undertaking their risk assessment and applying adequate controls. As the business models of financial institutions become more technology-based, the toolbox used by AML professionals also needs to be adapted and relevant training needs to be provided to those working on assessing the customer risk linked to virtual assets.

Jennifer Hanley-Giersch, CAMS, managing partner, Berlin Risk Advisors GmbH, Berlin, Germany, jennifer.hanley@berlinrisk.com

1. Jennifer Hanley-Giersch, “Regulating a Game Changer—Europe’s Approach to Cryptocurrencies,” ACAMS Today, 26 June 2018, https://www.acamstoday.org/regulating-a-game-changer-europes-approach-to-cryptocurrencies/
2. Cryptocurrencies as Threats to Public Security and Counter Terrorism, Berlin Risk, 14 May 2020, https://www.globalriskaffairs.com/2020/05/1465/
3. Charlie Savage, “U.S. Seizes Bitcoin Said to Be Used to Finance Terrorist Groups,” The New York Times, 13 August 2020, https://www.nytimes.com/2020/08/13/us/politics/bitcoin-terrorism.html
4. “12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers,” FATF, June 2020, https://www.fatf-gafi.org/media/fatf/documents/recommendations/12-Month-Review-Revised-FATF-Standards-Virtual-Assets-VASPS.pdf
5. “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation,” Financial Action Task Force, June 2019, http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF Recommendations 2012.pdf
6. “Virtual Assets and Virtual Asset Service Providers,” Financial Action Task Force, June 2019,
   https://www.fatf-gafi.org/media/fatf/documents/recommendations/RBA-VA-VASPs.pdf
7. “International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation,” Financial Action Task Force, June 2019, https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF Recommendations 2012.pdf
8. “Directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU, The European Parliament and The Council of the European Union, 26 April 2018,
   http://data.consilium.europa.eu/doc/document/PE-72-2017-INIT/en/pdf
9. Ibid.
10. “Gesetz über das Aufspüren von Gewinnen aus schweren Straftaten,“ Bundesministerium der Justiz und für Verbraucherschutz, https://www.gesetze-im-internet.de/gwg_2017/GwG.pdf
11. Cryptocurrencies as Threats to Public Security and Counter Terrorism, Berlin Risk, 14 May 2020,
    https://www.globalriskaffairs.com/2020/05/1465/
12. Ibid.
13. “Draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors (JC 2019 87),” European Banking Authority, https://eba.europa.eu/calendar/draft-guidelines-under-articles-17-and-184-directive-eu-2015849-customer
14. “Consultation Paper, Draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘’The Risk Factors Guidelines’’), amending Guidelines JC/2017/37,” European Banking Authority, European Securities and Markets Authority, European Insurance and Occupational Pensions Authority, Joint Committee of the European Supervisory Authority,
    https://eba.europa.eu/sites/default/documents/files/document_library/Publications/Consultations/2020/Draft Guidelines under Articles 17 and 18%284%29 of Directive %28EU%29 2015/849 on customer/JC 2019 87 CP on draft GL on MLTF risk factors.pdf
15. Facepoint, https://www.facepoint.co/
16. Chainalysis, https://www.chainalysis.com/
17. See reference to other tools. Jennifer Hanley-Giersch, “Regulating a Game Changer—Europe’s Approach to Cryptocurrencies,” ACAMS Today, 26 June 2018, https://www.acamstoday.org/regulating-a-game-changer-europes-approach-to-cryptocurrencies/