There is a lot that is unknown when you start a new company, but you can be sure of one item: risk. Though this is true of any new business, businesses dealing with cryptocurrency may have just a bit more than average. The price of bitcoin, for example, is famously volatile, and this could cause a number of problems if not managed properly.
And that’s not all. There are other risks. Running afoul of regulators is a risk. If you own a business regularly engaged in cryptocurrency, you almost certainly have the responsibility to implement an anti-money laundering program. If you aren’t careful, bad actors could exploit your business to launder illicitly obtained cryptocurrency, and this could mean harm to your business’s reputation, fines, or even jail time.
Luckily, more and more compliance professionals are turning their attention to cryptocurrency businesses, and for cryptocurrency entrepreneurs who realize the money laundering risks of operating a business in this area, there are paths to construct a sound anti-money laundering compliance program.
How Do I Develop a Sound Anti-Money Laundering Compliance Program?
You may be wondering, if you or someone you know is one of these cryptocurrency entrepreneurs, how do I get started constructing a sound anti-money laundering compliance program that will minimize my risk of running afoul of the regulators?
The best answer to that is to conduct a thorough risk assessment of your business. The FFIEC BSA/AML Examination Manual (https://www.fdic.gov/news/financial-institution-letters/2021/fil21045.html), which “provides instruction to examiners for assessing bank’s [or most other financial institutions for that matter] BSA/AML compliance program”, lays a great foundation for thinking about exactly what these kinds of businesses, including businesses frequently engaged in cryptocurrency, should be included in a risk assessment.
Why? Well, you see, according to the FFIEC manual, “to assure that BSA/AML compliance programs are reasonably designed to meet BSA regulatory requirements, [financial institutions] should structure their compliance programs to be risk based (emphasis added).” Naturally, it makes sense for such institutions to undertake a process, an analytical process, to assess their risk. Typically, this culminates in a document called a risk assessment.
What is the Use of a BSA/AML Risk Assessment?
The FFIEC manual explains that “[a] well-developed BSA/AML risk assessment assists the [financial institution] in identifying money laundering/terrorist financing and other illicit financial activity risks, and in developing appropriate internal controls (i.e., policies, procedures, and processes).”
Clearly if the FFIEC is any indication, examiners will be pleased if a financial institution undertakes a risk assessment. Guidehouse drives home this message, noting that “state and federal regulators have signaled for years that the cornerstone of an effective AML program is an actionable AML risk assessment.”
How To Conduct a Risk Assessment?
A risk assessment is basically a two-step process. First, you identify the risk categories. Then you analyze the information you obtained while identifying those risk categories.
Key Risk Indicators (KRI) is the phrase used for the areas of weakness, or risk categories, in a cryptocurrency business or other financial institution. It is very important to pinpoint all KRI’s – otherwise, your BSA/AML program might develop insufficient internal controls and, as a whole, will likely be inadequate.
Key Risk Indicators can include the following: 1. Nature, size and complexity of a business, 2. Customer types, including B2B and B2C, 3. Geographic risk, and 4. A number of others (Visit Intercom.help for a more comprehensive list).
Got Data? Analyze It Correctly to Reduce Your Risk
When it comes to the second step of a risk assessment – analyzing data – the FFIEC Manual suggests that a risk assessment should try to examine “transaction data pertaining to the [financial institution’s] activities relative to products, services, customers, and geographic locations.” Obviously, there might be other data that would be important to analyze – it depends on the exact situation. The ultimate goal here is to quantify the risk.
There is no specific format required for a risk assessment, and no particular method is required either, but what has been written so far is generally accepted as a good practice. The goal is to identify risks, then give these risks a rating, such as low risk, medium risk, or high risk. You will likely also want to achieve an overall risk score representing the level of risk the business as-a-whole presents.
Even Risk Ratings Follow a Formula
It would also be a good practice to adhere to the following formula when rating risk: “measure” inherent risk – the risk that your business would have if you didn’t institute any controls. Then, measure the adequacy of the controls you’ve put in place. You will then subtract your controls from your inherent risk to achieve your residual risk.*
Basically, the formula is: “inherent risk – controls = residual risk”.
Examiners will want to look at your risk assessment and thus it is a good practice to have one. A risk assessment sets the stage for your anti-money laundering compliance program. It identifies risks and spells out controls on those risks. If you want to avoid potential penalties for non-compliance that could cripple your business via fines, jail time, or simply harm to reputation, we recommend engaging a proactive compliance professional who understands not only the pertinent regulations, but the nuances of cryptocurrency and your business as well. Compliance measures like risk assessments may not be the first thing you think of when developing your business, but the price you pay for addressing risks up front is a small price compared to what happens if your cryptocurrency business is determined to be insufficiently compliant by the regulators.
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials provided here are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This article contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser.
*Guidehouse’s Alma M. Angotti notes that for new startups, it sometimes makes sense to do a pro forma risk assessment focused mainly on inherent risks, while also showing regulators controls the business is planning to implement.