Virtual Currency Investigations: A Primer for BSA and Compliance Professionals

Virtual Currency Investigations: A Primer for BSA and Compliance Professionals

Anti-money laundering (AML) investigations involving virtual currency are problematic for investigators. This emerging asset class is expanding at an alarming rate. The regulatory environment is unsettled, dynamic and evolving. The development of investigative tools to address this emerging challenge has decreased significantly. Tracing payments—to and from virtual currency exchanges—and the ability to determine the ultimate source and use of such funds is difficult at best. While virtual currency payments or transactions for investment purposes are not inherently suspicious, virtual currency has been used to commit fraud and conceal or launder the proceeds of illicit activity. This is due to the relative ease of processing transactions and inherent avoidance of AML controls and protocols found in U.S. financial institutions. In most institutions, investigators have a limited skillset to address virtual currency activity. This article seeks to provide guidance to financial institutions, and their AML investigators, in addressing this situation.

Know Your Customer

Expected virtual currency activity and usage is largely missing from most financial institution’s customer due diligence or know your customer (KYC) screenings. This information can benefit investigators to gain insight into their client’s virtual currency intentions.

A virtual currency exchange functions similarly to a bank or securities investment company

Accordingly, financial institutions should consider adding specific questions regarding a prospective client’s virtual currency usage and expected transactional activity to their onboarding KYC questionnaire. This information will greatly assist investigators in reviewing the client’s virtual currency activity and in assessing the client’s inherent risk to the institution. It should be noted that some clients will be less than truthful in describing their intended banking activity during the onboarding process. Such prevarication, if deemed intentional, is a factor to be considered in retain/exit deliberations.

Virtual Currency Exchanges

A virtual currency exchange functions similarly to a bank or securities investment company. Clients have accounts—or wallets—with the exchange into which they can purchase and hold virtual currency, sell the virtual currency on the exchanges trading platform and have the resulting fiat currency paid out. In the U.S., virtual currency exchanges must be registered with the Financial Crimes Enforcement Network (FinCEN) as a money services business (MSB).

Expected virtual currency activity and usage is largely missing from most financial institution’s customer due diligence screenings

Investigators should consider that not all virtual currency exchanges have strong compliance and AML programs. Exchanges that are located in high-risk jurisdictions or have weak AML regulations present higher money laundering and terrorist financing risk. The New York State Attorney General’s Office launched the Virtual Markets Integrity Initiative to protect and inform New York residents who trade in virtual currency. The initiative proceeded from the principle that consumers and investors deserve to understand how their financial services providers operate, protect customer funds and ensure the integrity of transactions. In September 2018, the initiative issued a report that provides a detailed analysis of those virtual exchanges that participated in the initiative, The Virtual Markets Integrity Report.1 The report is a highly informative resource for understanding how exchanges operate.

When an investigator notes patterns consistent with the typical activity associated with a virtual currency exchange but is unable to confirm MSB registration, a suspicious activity report should be filed. It should be noted that MSB registration is required only if the client is acting on behalf of another party. If they are exclusively buying and selling virtual currency for their own account, MSB registration with FinCEN is not required.

The following list includes prevalent virtual currency exchanges:

  • Coinbase*
  • Binance
  • Kraken* (Payward Ventures Inc. DBA Kraken)
  • Gemini* (Gemini Trust Company, LLC)
  • Poloniex*
  • Bitstamp
  • Bitfinex
  • LakeBTC
  • Robinhood*
  • Bittrex*
  • Bitbuy
  • Coinsquare
  • ShapeShift
  • Coinmama
  • Bisq (formerly known as Bitsquare)
  • LinkCoin

It is common for subjects to use multiple virtual currency exchanges to trade in a variety of different currencies

Cases Concerning Client Payments to a Virtual Currency Exchange

For a case involving payment to an exchange, it is important to scrutinize the source of funds and the pattern of payment activity. The following are sources of funds sent to virtual currency exchanges that may indicate potential suspicious activity:

  • Cash deposits—funnel account activity
  • Deposited cash from unknown sources
  • Late night ATM cash deposits—after 10 p.m.
  • Wire transfers from suspicious jurisdictions, high-risk countries or suspicious counterparties
  • Deposits from shell companies possibly indicative of layering activity
  • Deposits which appear to be “pass-through” transactions, but at a volume or frequency not indicative of investor “buy and hold” activity. This may indicate that the client is acting as an exchange.
  • Multiple payments to an exchange consistent with “day trader” activity. This may indicate online gambling activity, especially if the payments are made in even or repetitive dollar amounts.

Cases Concerning Client Deposits From a Virtual Currency Exchange

For a case involving credit from a virtual currency exchange deposited into a client’s account, it is important to scrutinize the use of the funds. The following are potential suspicious uses of funds from a virtual currency exchange:

  • Pass-through cash withdrawals funded by credit(s) from an exchange
  • Wire transfers to suspicious jurisdictions, high-risk countries or suspicious counterparties funded by credit(s) from an exchange
  • Significant real estate purchases or unexplained investments that may indicate the integration stage of money laundering
  • Multiple credits from an exchange, but no history of payments made to the exchange. This may indicate money laundering activity using multiple exchanges or financial institutions, or direct buy/sell activity within the exchange wallet. Use of multiple exchanges could be common due to the manner in which virtual currencies are traded. Clients must own bitcoin or Ethereum to purchase other currencies (alt-currencies) using one of those two coins. Buyers will purchase bitcoin at the exchange they use most—such as Coinbase —and then transfer to an exchange like Kraken with a larger range of tradeable assets. Therefore, the use of multiple exchanges is common among investors who have accounts with five or more exchanges based on the desired ability to invest in different currencies supported by each different exchange.
  • The use of multiple exchanges, while common as described above, may also indicate layering activity to impede any ability to trace the movement of funds. Additional transactional information from the exchange may assist in distinguishing between alt-currency investments and possible money laundering.

Suspicious Activity and Exchange Wallet

Clients of virtual currency exchanges have a wallet with the exchange to hold virtual currency. A wallet is an account with the exchange similar to a bank account for holding virtual currency. The 26-36 alphanumeric digit address of the subject’s exchange wallet is a crucial data element to enable tracing of transactions on the blockchain. Several other service providers such as Chainalysis, CiperTrace, Elliptic and Coinfirm provide tools to help investigators identify illicit actors and risk score wallet addresses to provide a better understanding of the wallet’s transactions and exposure to the dark web. Some exchanges create a separate wallet for each transaction by a client, which compounds the difficulty in tracking transactions. It should be noted that most virtual currency exchanges deal in only a few currencies. As such, it is common for subjects to use multiple virtual currency exchanges to trade in a variety of different currencies. For those virtual currency exchanges that are participants with 314(b), the investigator may be able to review activity taking place within the client’s wallet. It is important for AML investigators to develop relationships with the compliance staff at the exchanges to facilitate information sharing.

The following are indications of possible suspicious activity:

  • Rapid movement of funds or other possible layering activity between virtual currencies or exchanges, inconsistent with investor “buy and hold” patterns.
  • Rapid movement of funds between wallets on the blockchain. This can often be researched through translator websites on the internet. is an excellent resource for the Ethereum blockchain on which most ICOs are active.2 However, other sites, such as, tend to only support the bitcoin blockchain for research.3 Given a wallet address, wallet transactions may be traced “backwards” using the available time stamp and transaction amounts on the website. This way, an investigator can determine how much coin is held in each wallet. If rapid movement of funds is detected, this may be considered suspicious activity. However, exchange wallets are not captured by the blockchain.
  • Sales of virtual currency or payments of fiat currency to suspicious jurisdictions, high-risk countries or suspicious counterparties, if the information can be provided by an exchange.

It is difficult for an investigator to get a wallet address given the understandable reluctance of clients and exchanges to divulge this information. Therefore, it is important to develop close relationships with counterparties at various exchanges.

Issuers of Initial Coin Offerings

Issuers of Initial Coin Offerings (ICOs) may be considered high-risk clients requiring enhanced due diligence monitoring. Enforcement patterns and public statements from the Securities and Exchange Commission (SEC) signify that the SEC considers ICOs as securities and as such are subject to all regulations that govern them. ICOs may be discovered during the opening of new accounts that indicate that the source of funds is from an ICO or when a new business discloses it is developing a new virtual currency. Clients who rely on ICOs issued before SEC due diligence (roughly $100 million) requirements are particularly vulnerable to regulatory risk and enforcement action.

The ICO Alert website has a listing of ICO issuers with links to their respective websites.4 A review of upcoming ICO websites would be prudent to identify the ICO’s principals and determine if an institution has any of them in their client base. The following are red flags concerning ICO issuers:

  • Authorized signers or affiliated key team members with a public history of a failed ICO or financial fraud.
  • The use of funds is not consistent with a fintech startup, e.g., traditional business expenses, payroll, occupancy, utilities, technology vendors, hardware:
    • Personal use or cash withdrawals may be indicative of potential fraud.
    • Transfers of funds overseas―especially to shell companies or to high-risk jurisdictions—which may be indicative of money laundering.
  • The client’s name on the SEC website is established in the SEC’s investor awareness campaign against ICO fraud.5
  • The prospectus or offering memorandum indicates that the purpose of the offering is to support otherwise illegal or illicit activities, e.g., drug trafficking, arms trafficking.
  • The client states that securities laws do not apply to ICOs or otherwise indicates that they are unaware of possible compliance obligations with securities laws concerning their ICO. However, the client should be aware of the subject laws and that their offering may be considered a security. The laws on whether or not an ICO is a “security” are still evolving. Recent court decisions have ruled that an ICO is a security and SEC regulations apply.
  • Recent studies have linked virtual currency and penny-stock malfeasance. Clients with a history of penny-stock companies, or with any company with a history of enforcement actions, should be treated with caution and may be researched through the Electronic Data Gathering, Analysis and Retrieval (EDGAR) database.6

It is important to scrutinize the source of funds and the pattern of payment activity Research Tool is a website used by individuals and businesses to advertise their intent to buy or sell bitcoin in a direct peer-to-peer manner, similar to craigslist.7 does not support any virtual currencies other than bitcoin. On the site, the advertiser may indicate the medium of exchange—in fiat currency—that they will accept, such as “cash deposit at Bank A, B or C.” If the investigator’s financial institution is listed, further research on the site may yield additional information that the investigator may use to identify their client.

In addition, if the bitcoin ask or offer rate is considerably higher or lower than a reasonable market rate, it represents a red flag for possible suspicious activity. Why would any reasonable person pay more than market rate, or sell at less than market rate, if not to obscure illicit activity?

Other Possible Indicators

The proliferation of mobile access to customer checking accounts has revealed a possible indicator of suspicious activity that may warrant an additional investigative step once the investigator begins to believe there may be suspicious activity occurring in a client’s checking account. Cybercrime professionals have identified a pattern regarding possible drug cartel involvement, namely the presence of foreign IP addresses for mobile devices accessing checking account information. In essence, individuals in Latin America are frequently gaining mobile account access to view account balances in U.S. accounts. This indicator has been discovered in the investigation of suspicious pass-through cash and funnel account cash deposits to virtual currency exchange transactions in drug trafficking cases.

This article is meant to assist investigators in the investigation of situations involving virtual currencies and virtual currency exchanges. The listing of red flags and possible indicators of suspicious activity mentioned should be considered only a partial list and will evolve as the virtual currency ecosystem and the regulatory environment continues to develop and evolve.

William Cloninger, CAMS, senior investigator, AML investigations, KeyBank, Brooklyn, OH, USA,

Pawneet Abramowski, chair, MAFI advisory board, Financial Integrity Institute, Case Western Reserve University, Cleveland, OH, USA,

Pamela Calaquian, CAMS, advisory senior manager, Deloitte Transactions and Business Analytics LLP, Princeton, NJ, USA,

Alek El-Kamhawy, senior fellow, Financial Integrity Institute, Case Western Reserve University, Cleveland, OH, USA,

William Casey King, director of the Capstone Project, Yale University Jackson Institute for Global Affairs, New Haven, CT, USA,

Zachary Robock, Esq., Nordson Corporation, Westlake, OH, USA,

William J. Voorhees, CAMS, senior vice president, BSA/AML financial intelligence unit manager, BB&T, Raleigh, NC, USA,

*314(b) participant as of November 20, 2018

Editor’s note: On November 1, 2018, the ACAMS Northern Ohio Chapter, in cooperation with Case Western Reserve University’s Financial Integrity Institute, conducted a symposium on compliance issues regarding cryptocurrency. In the course of discussions, participants expressed the need for guidance in conducting AML investigations involving cryptocurrency. This article was written in an attempt to address this expressed need.

  1. Barbara D. Underwood, “The Virtual Markets Integrity Report,” Office of the New York State Attorney General, September 18, 2018,
  2. Etherscan,
  3. Blockseer,
  4. ICO Alert,
  5. “ICO Howeycoins,” U.S. Securities and Exchange Commission,
  6. “Important Information About EDGAR,” U.S. Securities and Exchange Commission, February 16, 2010,

Leave a Reply