What We Can Learn from the Binance Settlement
Risk Mitigation Strategies for Banks and Other Financial Institutions
📅 December 7, 2023
Banks and non-bank financial institutions can mitigate their risks when transacting with VASPs. In a 2021 Expert Insight, K2 Integrity highlighted five ways banks can lessen risks associated with cryptocurrencies. These included reviewing best practices for transacting with MSBs, since FinCEN classifies many VASPs, including Binance, as money transmitters that need to comply with regulatory requirements for MSBs; identifying high-risk digital currency customers by updating and strengthening risk assessments and reviewing best practices for these clients; and understanding the needs and compliance challenges of new technologies and services.
When deciding whether to transact with VASPs, banks and financial institutions should also research the platform to ensure the new business falls in line with its risk appetite. Much of this research is similar to due diligence that should be conducted for any other potential counterparty or correspondent account, with emphasis on the following factors.
✔ Location. Is the VASP located in a high-risk or embargoed jurisdiction that achieved poor results on its FATF mutual evaluation or is included on the FATF grey or black list? Is the location known for strategic deficiencies in its AML/CFT regime? Is it known as an offshore secrecy haven? Is the VASP located in close proximity to a jurisdiction known for terrorist financing?
✔ Sanctions status. Is the exchange sanctioned by the United States, UK, or EU? Is the company owned by a person included on these lists? Are any of the digital wallets included on sanctions lists?
✔ Ownership/control structure. Who owns this VASP? Are the company’s leaders real people or shell profiles with little information available about their experience and work history? Do they have a robust online presence that is linked to the VASP or lists the VASP as an employer? Are any owners or managers politically exposed persons (PEPs) or linked to designated individuals or companies?
✔ Know-Your-Customer (KYC) and Customer Identification Program (CIP). What kind of KYC controls are in place at the exchange? If the VASP has little to no KYC for small amounts, illicit actors could use the exchange to structure deposits and launder money. What kind of documentation is required for identity and location verification? What kind of controls are in place to ensure that the VASP’s protocols are being effectively implemented?
✔ KYC history. Financial institutions can also use existing tools to examine the history of the company’s compliance programs. How have KYC and CDD processes changed over time? Have they become more robust? When were their compliance programs implemented? Were they in place when the VASP first started operating?
✔ High-risk transactions. What percentage of transactions in which the VASP is involved is high-risk? Does it process a significant number of proceeds from online gambling activities? Does it offer a high level of anonymity to its customers that can be exploited by illicit actors? Does the VASP offer its customers transactions in privacy coins or allow onramps (deposits of fiat currency into the exchange—whether directly or indirectly through a third-party intermediary—making exchanging cash for cryptocurrency easier for illicit actors)? Does the VASP allow customers to withdraw fiat currency, allowing potential criminals to exchange virtual assets for cash and enabling money laundering?
✔ Adverse media and previous enforcement actions. Before onboarding a VASP, examine media reporting about the VASP. Is it under investigation by regulators? Have there been allegations about sanctions violations or other misconduct? Has the VASP had a finding of violation or a penalty imposed by regulators, and what measures did it take to remediate the causes of its violations?
✔ Banking and financial transactions. What other financial institutions are transacting with or have accounts for the exchange? What sources are sending virtual assets through the exchange, and what is the destination of those assets? Has the exchange processed any criminally linked transactions? Is their number significant? If the exchange detected transactions involving criminal activity, such as ransomware, or dark web activity, have SARs been filed with FinCEN or foreign FUIs? How many SARs have been submitted?
✔ Compliance team. How big is the exchange’s compliance team? Has it grown along with the global risk environment? What are the team’s qualifications and experience? Are the managers of the compliance team experienced in AML/CFT, sanctions, and other financial crimes? Do they have experience designing a compliance program?
New technologies are enabling smoother, more efficient financial transactions. However, digital currencies and other virtual assets also create more challenges and regulatory risks for compliance officers at banks and other financial institutions. Due diligence research should be a robust part of onboarding counterparties in the virtual asset space, but each compliance solution should be tailored to each financial institution’s needs and risk appetite. A new business partner or counterparty that operates as a VASP should prompt an examination and possible update of the institution’s risk assessment.
The mitigation strategies listed in this Expert Insight are not comprehensive, and the virtual assets sector continues to evolve. DOLFIN’s resource on sanctions risks and compliance for virtual assets and VASPs can be a valuable tool to develop additional strategies and address vulnerabilities.
Continue reading about this significant regulatory action in our latest Expert Insight: Binance Settles with Regulators in which we discuss Binance’s violations of US law, including the Bank Secrecy Act and OFAC sanctions.
The report delves into the company’s efforts to obscure its violations and help its VIP customers alter their KYC documents to avoid regulatory scrutiny. In addition, this assessment highlights some of the lessons virtual asset service providers (VASPs) can learn from these recent regulatory actions and possible mitigating strategies financial institutions can use to reduce their vulnerabilities when transacting with companies such as virtual currency exchanges and new financial technologies that can present additional compliance risks.