About Cryptoassets and Controls|Plus IT

About Cryptoassets and Controls

By: Ilian Vasco

In previous instalments, we have discussed the approaches used in different jurisdictions to the treatment of virtual assets. To date, the most popular adoption is a risk-based approach that imposes requirements on virtual asset providers similar to those imposed on the financial sector (due diligence, licence to operate, accounting, suspicious transaction reporting). A complete ban on virtual assets has also been shown to be a latent option with fewer headaches for regulators.

Ideally, a virtual asset provider should apply all preventive measures contained in FATF Recommendations 9 to 21. The same applies to financial and non-financial entities involved in this market. Some of the less obvious elements of these recommendations are reviewed below:

Occasional Transactions

In addition to applying Due Diligence (DD) to all regular customers, it is also required for occasional customers who transact amounts in virtual assets above 1000 Euros or Dollars in cash or by transfers, where there is suspicion of money laundering or where false identification data is presumed. Of course, the criteria for "occasional" should be determined by each entity.

Identification and verification information

Usually identifiers such as physical address, date of birth, official identification number, among others, are used. However, in this context there is an urgent need for additional information that can range from IP address with an associated timestamp, geolocation, device information, virtual wallet addresses, hashing.

It is highly advisable to consider digital identification options that meet the criteria of independence and trustworthiness proposed by the FATF in its guidance on the use of digital identity.

Risk Profiles

A profile should be constructed from the information obtained to drive the risk-based approach (higher, lower scrutiny of transactions or termination of the relationship). At the customer level it is possible to consider the nature and volume of business activity, origin of virtual assets deposited or, at the segment level; customers with similar transactional volume using a specific virtual asset. Either way, these profiles should be updated on a regular basis.

Blacklists

It should be noted that OFAC has already included digital currency addresses in the SDN list. This means a new field to consider when cross-checking information, assigning similar importance to name matching. In addition, obliged entities could generate and share their own lists, e.g. when a participant refuses to continue operating due to the requested due diligence requirements.

Maintenance Records

Obliged entities must keep records of transactions and due diligence information for up to 5 years. Here, information concerning the identification of customers and beneficiaries takes on greater importance compared to the traditional financial market. It is not enough to keep public keys[1]It is not enough to rely on blockchain records alone. Although the authorities may be able to trace transactions back to a specific wallet, it may not be possible to easily link it to a natural person, which is why the additional information kept by virtual asset providers is necessary to link it to a real person.

Licences

Countries such as the United States, the United Kingdom and Mexico have a legal framework that requires operating licences for virtual asset market participants. Logically, in addition to applying for a licence, obliged entities should verify whether their sending or receiving counterparty has a trading licence.

Transmission of information

Obliged entities in this market must obtain, maintain and transmit the information associated with their counterparty on the originator and beneficiary of the transaction, as well as refrain from processing transactions with incomplete information.

Although the FATF is technologically neutral, it presents some useful technologies when conducting this requirement in real time; they are based on the use of public and private keys of cryptography: SSL/TLS connections; X.509 certificates; APIs, among others.

Many aspects of the prevention system that obliged parties must apply, such as the identification and treatment of PEPs, the degree of due diligence applicable, continuous monitoring, among others, are missing. We have decided to leave them aside because they are the ones that are most similar to the traditional financial market, while emphasising that they are no less important.

[1] In cryptoassets we can understand the public key as a kind of bank account, which is used to receive coins. While the private key is used to sign and send coins.

← Digital Fraud in the Time of COVID-19

Summary: FATF Digital Identity Guidance - Relevant Aspects →

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.

About us

Fraud prevention

AML compliance

ABOUT US

COMMUNITY

SUPPORT

FRAUD PREVENTION

AML

RESOURCES

About us

Fraud prevention

AML compliance

COMMUNITY

SUPPORT

Test

Testing no more

We respect your privacy.