Who has the match? Anti-money laundering and cryptocurrency

Combining Anti-Money Laundering (AML) considerations with cryptocurrency technology is akin to adding gasoline to a bonfire. It is a hot topic on the mind of every member of the global financial services industry. How are we to regulate and manage a new technology that seems to feed into the hands of money launderers?

As AUSTRAC grapples with the need to keep ahead of criminal activity, the industry must continue to grow and expand its AML infrastructure. While guidance was released by AUSTRAC in April 2022 directed at digital currency exchange providers (DCEPs), the remainder of the industry should not become complacent to the increase in reform and growing focus on the impact of crypto on broader AML procedures.

The current regulation of AML and cryptocurrency

Those in the cryptocurrency industry are readily familiar with the requirement for DCEPs to be registered and regulated by AUSTRAC. Since 2018, DCEPS have been required to adhere to AML obligations such as maintain an AML Program and conducting Know Your Customer (KYC) reviews of their clients. Not only does this protect the business operations of these exchanges from criminal activity (or attempt to limit the exposure), but it also increases public, consumer, and stakeholder confidence.

There are not too many facilities as susceptible to money laundering activity as cold, hard cash. However, cryptocurrency comes close if AML infrastructure breaks down, being vulnerable to money laundering at three key stages:

1. Placement: conversion of fiat (e.g. AUD) into a digital currency.
2. Layering: a transaction of that digital currency into a cryptocurrency or transfers between exchanges.
3. Integration: reintroduction of the laundered money into goods, services, or fiat.

In April 2022, AUSTRAC released guidance for DCEPs to assist their understanding and identification of money laundering or criminal behaviour at risk of occurring through their platforms.

The tinder: Indicators of money laundering

DCEPs currently maintain extensive AML procedures in an attempt to limit criminal activity. But the industry must remain vigilant to new opportunities for money laundering activity to occur through cryptocurrency. Unfortunately, the decentralised, anonymous nature of cryptocurrency means that all transactions outside of regulated exchanges are largely immune to regulatory or AML oversight.

It takes significant resources and sophistication for DCEPs to identify and monitor indicators of money laundering activity. AUSTRAC’s guidance provides an informative and useful insight to some of the challenging indicators DCEPs must be cognisant of, as well as potential consequences of a failure to implement AML procedures. For example, DCEPs need to monitor for financial, behavioural, and account activity indicators on each and every account, including:

• the use of cryptocurrency ATMs for unusual or regular withdrawal;
• customers who provide inconsistent explanations as to the source of funds or source of wealth that are used for the purchase of digital currencies;
• chain-hopping (i.e. moving between currencies or exchanges);
• the existence of multiple accounts linked to the same IP address; or
• a record of multiple or inconsistent IP addresses for the same account.

Interestingly, AUSTRAC identified a key indicator of money laundering behaviour as high-volume cryptocurrency transactions by elderly individuals. Indicators such as these are critical additions to Part A of AML Programs and Risk Assessments. We are actively working with our DCEP clients to ensure their AML Programs and Risk Assessments are updated to comply with and reflect the AUSTRAC Guidance.

Programs and Risk Assessments must also reflect the increased risk of purchases in illicit products using cryptocurrency, terrorism financing through peer-to-peer transfers, scamming, tax evasion, and production of ransomware through cryptocurrency transfers.

The smoke: Challenges with crypto & AML

Practical challenges for DCEPs

DCEPs must use extraordinary resources to ensure they don’t become unwitting accomplices to criminal activity at all stages of the money laundering. They must monitor their accounts for the extensive list of indicators published by AUSTRAC. At first instance, they are exposed to facilitating placement of laundered funds if onboarding KYC procedures are insufficient. Throughout, they are exposed to facilitating the layering of funds if transaction monitoring procedures miss a key indicator, such as unusual IP address activity. Finally, they are exposed to facilitating the introduction of laundered funds back into the Australian market.

Money launderers are aware of the vulnerabilities in cryptocurrency transactions, with DCEPs in their crosshairs. DCEPs must maintain constant vigilance in defending their client base. DCEPs face the incredible challenge of monitoring every account and every transaction in completeness.

The non-regulated space

Exchanges are not the only avenue for people to invest in the blockchain blockbuster. DAOs, NFTs, cryptocurrency transactions outside of exchanges, and other blockchain inventions are constantly expanding the realm of possibilities for money laundering. One must wonder how AUSTRAC is going to regulate NFTs which hold an arbitrary, subjective value in conjunction with holding unique information. It remains unclear how Australia will look to regulating exchanges of NFTs or purchase of NFTs that operate on a decentralised, anonymous platform. How will they monitor both the information contained within the NFT (e.g. the image itself) and the transfer of funds through NFTs?

It appears even the NSW Government is taking measures into their own hands, announcing this week potential reforms giving power to police to ‘confiscate unexplained wealth from criminal gangs and ban the use of encrypted devices’ often used for wallet storage of cryptocurrency.

Industries outside of crypto

If you are not investing in digital assets like cryptocurrency or NFTs, why should you consider how they are regulated? This answer is rather simple: money and standards. In the first instance, the money being transferred in, out, and through these systems is easily filtered into the general economy. As has been very evident in the recent crypto-market crash; there remains little distinction now between the every-day economy, the share market, and the crypto market. A crash in crypto due to money laundering will readily flow through to everyday practice. Likewise, we must consider the risk of allowing laundered funds to enter the Australian market.

Otherwise, one must consider how the tech-advanced, new-age standards applied to cryptocurrency regulation will flow through to the traditional financial services. How far will tracking of ATM, IP, VPN, and other technology savvy ideas flow through to traditional services? It is entirely reasonable to expect that traditional financial services should expect an increase in AML regulation. Public and regulatory expectations will rise with the flames of the cryptocurrency bonfire. Expect to feel the heat.

Breach reporting

DCEPs limited to cryptocurrency products are not yet required to hold a form of financial services licence. However, one must consider how AML links to the ordinary breach reporting regime under an AFSL. Currently, the breach reporting regime captures the AML regime through civil penalties. If an AFS holder breaches their AML Program, they have breached a civil penalty. If this can be linked to a relevant core obligation, such as the obligation to act efficiently, honestly, and fairly, they are required to report the incident to ASIC. DCEPs will face a significant challenge in balancing their AML obligations in such a difficult, moving, and changing environment if they are faced with such severe reporting obligations. Refer to our previous article on cryptocurrency regulation and licensing.

What next?

AUSTRAC, DCEPs, and most of the general public want to douse the fire that is money laundering activity. The challenge we face is balancing commerciality against the decentralised, autonomous, and seemingly boundless world of cryptocurrency. The indicators outlined by AUSTRAC are of critical importance, though extensive, which generates a challenge for DCEPs who face a seemingly endless pool of potential risks. While they grapple with meeting the appropriate hurdles to defend against money laundering, others should watch on. It is likely that as expectations grow in one industry, AML standards will lift across the field.

Grab your water cans.

Come join us online for our final seminar on ‘Cryptocurrency and the Law: Risk, Pitfalls, and Safeguards’ on 27 June 2022 at 12.30pm. Register here: Registration – Cryptocurrency and the Law.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:
Taylor Greene, Solicitor