The Joint Money Laundering Steering Group (JMLSG) recently published a new section to Part II of its Anti Money Laundering/Counter Terrorist Financing (AML/CTF) guidance for the financial services sector. The new section, referred to as ‘Sector 22’, contains sectoral guidance specific to cryptoasset exchange providers and custodian wallet providers (collectively ‘cryptoasset firms’), and considers the Money Laundering and Terrorist Financing (Amendment) Regulations 2019.
The new guidance provides practical support to cryptoasset firms in terms of implementing the main requirements relevant to AML regulations, particularly focusing on risk management, customer due diligence (CDD), monitoring, record keeping, dealing with suspicious transactions and sanctions screening.
We have outlined five key takeaways to help you make sense of the new guidance:
1. Scope
In line with regulation 14A of the Money Laundering, Terrorist Financing and Transfer (Information on the Payer) Regulations 2017 (the MLRs), the following services are in the scope of the guidance requirements:
- The exchange of fiat currency for cryptoassets or vice versa
- Exchanging one cryptoasset for another
- Operating cryptoasset ATMs
- Safeguarding or administering cryptoassets of customers
- Safeguarding or administering private cryptographic keys on behalf of customers
2. Risk Management
In a similar way to other obliged entities under the scope of the MLRs, cryptoasset firms should identify and address risks at a business wide level in the following areas:
- The geographical locations in which they operate
- The types of clients they deal with
- User transactions
- Products offered
- The delivery channels used to provide the service to their clients
When reviewing risks posed by clients, firms should take into consideration:
- The client’s legal entity type
- The geographical risk
- The industry in which they operate (where relevant)
- The type of services they use
An assessment should be made to determine the risk rating for a client and used to decide the level of due diligence, monitoring and other internal controls on a risk-sensitive basis. Cryptoasset firms should specifically consider the following risk factors:
- Privacy or anonymity: the ability offered by some providers to transact on an anonymous basis
- Cross-border nature: the open nature of the activity allows links with several high-risk jurisdictions
- Decentralised nature: the absence of a central service provider who oversees users’ activity
- Segmentation: the complex structure of some transactions and processes involving several firms and jurisdictions
- Digital nature: non-face-to-face relationships are often a source of risk
- Acceptability: the wider adoption of cryptoassets as a way of payment increases the risk of these assets being used for illicit activities
- Immutability: transactions cannot easily be altered or retrieved which makes it difficult to return misappropriated assets
- Convertibility: the free convertibility of cryptoassets into fiat currency or other assets helps to mask transactions
- Innovation: new products may provide space and opportunity for new types of financial crime to grow
3. Customer Due Diligence (CDD)
Cryptoasset firms must apply CDD measures to all business relationships and to occasional single or linked transactions of EUR 15,000 or more. However, for exchange providers operating ATMs, CDD measures must be applied to all transactions. Firms should use a combination of measures to fully identify and monitor their clients, these include:
- Know your customer (KYC): to identify and verify a client’s identity and the nature of the relationship
- Blockchain analysis: helps providers to assess and mitigate the risk of transactions
- Evidence of source and destination of funds: must be collected and analysed when transactions present a high risk of money laundering or terrorist financing
- Ongoing monitoring: must occur for all transactions and relationships to identify potential suspicious activity
Simplified Due Diligence (SDD) could be applied for business relationships or transactions with a low degree of risk of financial crime. Cryptoasset firms are also required to undertake Enhanced Due Diligence (EDD) for high-risk relationships and transactions. In addition to the conventional recommended EDD measures, cryptoasset firms should:
- Corroborate the identity information received from the customer with information available from third-party databases or other reliable sources
- Search the internet for corroborating activity information consistent with the customer’s transaction profile
- Trace the customer’s IP address
- Request data relating to transaction and trading history
4. Record Keeping
Cryptoasset firms must keep the following records for at least five years:
- Information relating to the identification and verification of relevant parties
- Public keys of relevant parties
- Addresses or accounts involved
- The nature and date of transactions
- Amounts transferred
Keeping records in the blockchain or other type of distributed ledger is not sufficient.
5. Suspicious transactions and Sanctions screening
Under the Proceeds of Crime Act (POCA), cryptoasset firms are required to restrict users’ actions, freeze assets/funds and report suspicious transactions to the National Crime Agency (NCA). In addition, firms should regularly screen their clients against the relevant sanctions lists available, in line with the jurisdictional coverage of their operations.
Cryptoasset firms need to consider these requirements when preparing their AML/CTF risk frameworks and setting their internal controls. This is indeed a crucial element of the Fifth Money Laundering Directive (5MLD) registration application with the FCA, mandatory for all cryptoassets providers in the UK, and firms should ensure they address these areas to properly demonstrate to the regulator how they are meeting the relevant obligations under the MLRs.
If you have any questions or require support with a 5MLD registration application, or to build your financial crime risk and controls framework, please get in touch with our experienced team.
Contact Us
To view the JMLSG guidance click here.
Related resources
All resourcesWebinar: Vulnerable Customers: What you need to know
Prudential considerations for Payment Service Providers: Navigating the impact of the new APP Fraud Policy
Capital Markets Newsletter - October 2024
HMRC vs FCA: as money laundering supervisors of payments firms