Crypto-Asset Activity Risk and BSA/AML Regulatory Awareness

While the crypto-asset¹ industry has continued to grow post-pandemic,² the past couple of years have also been characterized by several notable challenges. In 2022, the industry saw the collapse of the major crypto exchange FTX, along with stablecoins TerraUSD and Luna. Additionally, a bitcoin address was recently added to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) list last year. Moreover, the March 2023 failure of Signature Bank³ cast additional light on the potential that crypto business-related risks may pose to insured depository institutions.

Because certain crypto exchanges lack transparency and have obscure ownership, these assets are increasingly being utilized for criminal activity, including fraud, scams, ransomware attacks, money laundering and illicit financing. This is supported by Bank Secrecy Act/Anti Money Laundering and Terrorist Financing (BSA/AML and TF) trends in Suspicious Activity Report (SAR) data. According to a report issued by the Government Accountability Office, the number of SARs referencing virtual currency-related terms quadrupled from 2017–2020 to nearly 42,800⁴. Additionally, an increasing number of victims of confidence fraud and romance scams reported being pressured into “investment opportunities” utilizing cryptocurrency. Moreover, many ransomware attacks have involved cryptocurrency. More details can be found in the FBI’s 2021 Elder Fraud Report and in the 2021 report from the Institute for Security + Technology’s Ransomware Task Force, Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations.

This increase in criminal activity utilizing crypto-assets has garnered the attention of banking regulators. In August 2022, the Board of Governors of the Federal Reserve System (Board) issued SR Letter 22-6: Engagement in Crypto-Asset-Related Activities by Federal Reserve-Supervised Banking Organizations. This guidance acknowledges that while crypto- assets present innovation opportunities for banking organizations, they also pose potential substantive risks related to safety and soundness, consumer protection, and financial stability. BSA/AML is prominently highlighted in that guidance. In January 2023, an interagency Joint Statement on Crypto-Asset Risks to Banking Organizations (federalreserve.gov) was issued, further outlining crypto-asset risks to banking organizations. The statement highlights several risks. Bank management should refer to the guidance to learn more about the identified risks.

As with any new business line, banking organizations are expected to have appropriate systems, effective internal controls and risk management processes in place prior to engaging in the activity. For crypto-related activities, it is especially important for this to include a strong BSA/AML risk management framework. Effective Know Your Customer, Customer Due Diligence and Enhanced Due Diligence procedures are critical to the identification and ongoing monitoring of higher risk and more complex customers. Bank management should avoid a siloed approach regarding high-risk customers, concentrations and complex exposures to riskier customers, activities and/or markets. In other words, it is important to acknowledge that customer relationships can be multifaceted and layered. Understanding your customers’ activities and external relationships is paramount to fully assessing exposure to crypto markets and assets.

Currently, the SAR form does not contain a box to check that specifically highlights crypto-asset-related activity. As a result, it is important to thoroughly detail such activities within the body of the SAR. Additionally, the term “CVC FIN-2019-A003”  should be referenced in SAR field 2 (Filing Institution Note to FinCEN) in accordance with the FinCEN Advisory, FIN-2019-A003, May 9, 2019.

Regulatory agencies are closely monitoring crypto activities and continuing to assess whether or how current and proposed crypto-asset-related activities can be conducted in a legally permissible and safe and sound manner by banking organizations. Therefore, banking organizations should engage in robust discussions with their applicable banking regulators prior to engaging in any crypto-asset-related activities as per Supervisory Letter 22-6 Engagement in Crypto-Asset-Related Activities by Federal Reserve Supervised Banking Organizations.

If your institution has any questions related to crypto-assets and how to address within your BSA/AML program, please reach out to your supervisory relationship team or contact us.