On April 28, the New York Department of Financial Services (NYDFS) provided a “Virtual Currency Guidance” update. The guidance is directed towards all virtual currency businesses licensed under 23 NYCRR Part 200 (the New York BitLicense) or limited purpose trust companies chartered under the New York Banking Law (collectively, “VC Entities”).” The guidance mandates VC Entities to employ blockchain analytics to design and implement effective BSA/AML policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.
The Guidance addressed five key compliance concepts and issues:
Compliance in a virtual currency context should leverage the unique features of blockchain technology. Virtual currencies can be transferred from one individual or entity to another pseudonymously and without relying on a regulated third party. But, at the same time, each and every transaction is immutability recorded on the public blockchain ledger. VC Entities should incorporate this information into their risk assessment and customer due diligence programs to create a more comprehensive view of a given customer’s wallet’s activity and source of funds. VC entities should also note and account for the different types of virtual currencies and effectively address the specific characteristics of any particular virtual currency involved.
Blockchain analytical tools should be included in a VC Entity’s suite of controls. The guidance “emphasizes” the importance of using blockchain analytics tools to enhance existing BSA/AML and OFAC-related compliance controls in three key areas: (1) augmenting Know Your Customer (“KYC”)-related controls, (2) conducting transaction monitoring of on-chain activity, and (3) conducting sanctions screening of on-chain activity. VC Entities without the internal resources to implement these controls should be looking to experienced and qualified third parties to provide these services.
- Augmenting KYC-related controls: As part of their KYC responsibilities, VC Entities must obtain and maintain information regarding, and understand and effectively address the risks presented by, their customers. Blockchain analytics tools allow VC entities to verify information provided by new and existing customers against the pseudonymous on-chain data for the customer’s wallet. (See FinCEN’s Advisory on Illicit Activity Involving Convertible Virtual Currency and OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry for additional background.) This information should be incorporated into the VC Entity’s policies, processes, and procedures to assess counterparty exposure for virtual currency funds transfers (e.g., beneficiary institutions for outbound transfers).
- Conducting transaction monitoring of on-chain activity: VC Entities must have policies, processes, and procedures for tracing transaction activity for each type of virtual currency the entity supports and the flow of funds through the blockchain for any inbound or outgoing activity. VC Entities can harness blockchain analytics to create a specific risk profile for each currency based on numerous factors, including whether a virtual currency has substantial exposure to a high-risk or sanctioned jurisdictions, is mixed with “tainted” cryptocurrency, is sent to or from darknet markets, is associated with scams/ransomware, and/or is associated with other illicit activity. These processes must describe case management and escalation processes and identify relevant roles and responsibilities across the business and compliance functions, including the VC Entity’s resolution procedures where there are any doubts (e.g., related to source of funds).
- Conducting sanctions screening of on-chain activity: VC Entities should incorporate blockchain analytics into screening processes in order to identify and prevent transactions with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions. Relevant location data includes originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data.
Putting It Into Practice: This guidance is the first of its kind to explicitly set forth regulatory expectations for crypto transaction monitoring from a state regulator. Other regulators and law enforcement will likely start looking to this guidance to inform their own best practices for crypto monitoring going forward, and those in the industry would be well served by internalizing and implementing these guidelines, regardless of their jurisdiction. This guidance follows recent promises by the superintendent of the NYDFS to increase engagement with virtual currency businesses (we previously discussed these statements here).