Fraud at the Intersection
Unpacking AML in Crypto
Welcome back to MondayMunday and thanks to the 3 new subscribers from the post on Blockchain Infrastructure. Today we are going to change tack and talk about KYC and AML for onboarding users to the blockchain ecosystems. The recent Tornado Cash saga fascinated me into to wanting understand what was happening in this space, lets begin…
I am only touching the surface here and would love to learn more, if you are interested in the space please and want to share your learnings, I would love to chat!
Unpacking Tornado Cash
First let’s start with one of the basic premises of blockchains, they are immutable ledgers in which every transaction can be traced as they are recorded on said ledger. Using blockchain explorers, anyone can see a transaction and the corresponding address it was sent to and from. This open ledger can actually make it more difficult to commit fraud and money laundering as there is a universal view of transactions, as Chainalysis reports, money laundered in crypto represents $33bn compared to the $800bn-$2tn in traditional finance.
Tornado cash is a decentralised protocol that mixes transactions making it near on impossible to detect the source of funds. It does this by taking your funds and putting them into a ‘mixer’, when the other person wishes to withdraw funds they can redeem funds such that you cannot track the source of funds. It provides privacy around sending transactions on the blockchain.
So why did the US government sanction Tornado cash?
Tornado cash was sanctioned as the US government due to it use by the Lazarus Group who are tied to North Korea. The US Department of Treasury’s Office of Foreign Asset Control (OFAC) creates a list of Specially Designated Nationals (SDN), these are individuals whose assets are blocked by the US government and in which it is forbidden for US individuals to interact with due to their suspected links with terrorist or fraudulent activities. Given OFAC’s dictates that crypto assets to fall under financial interaction, they sanctioned Tornado cash and individuals who interacted with it.
This has led to individuals who used Tornado cash being blocked from using DeFi applications if they interacted with Tornado Cash, even it it wasn’t for malicious reasons.
This is despite Tornado Cash creators creating a compliance tool to allows users to generate reports to demonstrate users source of funds when withdrawing from the protocol.
What does this mean for DeFi?
Whilst I do not agree that governments tackling fraud and money laundering in crypto by sanctioning protocols and code is the correct approach (this is a conversation for another blog), It is very clear this is a path regulators are willing to take. If we are to see a world where DeFi / Crypto to interact with traditional finance rails, we are going to need fraud solutions to manage how these two infrastructures work together.
The current regulatory landscape around crypto assets
We have just mentioned OFAC and their ability to sanction protocols, but it might be helpful to take a look at the overarching regulatory landscape around how crypto business are regulated in this regards.
The majority of this stems from Financial Action Task Force (FATF). FATF is a global watchdog for monitoring money laundering and terrorist financing. They create various recommendations for governments to implement in the way they can globally stop money laundering and financial crime. These recommendations are enacted by countries in FATF or in bodies which follow FATF guidance.
These recommendations also provided guidance on how Virtual Asset Service Providers (VASPs) handle Anti-Money Laundering (AML) and Combat the Financing of Terrorism (CFT). This started in 2018 by the initial definition of what virtual assets and virtual asset service providers were, culminating in updated guidance in 2021 implementation of AML / CFT with regards to definitions.
The definitions unpacked
Virtual Asset Service Providers (VASPs).
Any natural or legal person who is not covered elsewhere under the Recommendations and as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
the exchange between virtual assets and fiat currencies;
the exchange between one or more forms of virtual assets;
transfer of virtual assets;
safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset
In practice this means any individual or firm holding cryptocurrencies on behalf of users, this means any custodial crypto service is governed under this term. The guidance makes notes to the fact they whilst the technology of DeFi protocols is not governed under a VASP, any entity which has control or significant interest may be deemed a VASP under their guidance.
Recommendations unpacked
The Travel Rule
The Travel Rule dictates that a VASP in order to send money from one-client to another has to verify the other VASP and the ‘Personal Identification Information (PII)’ of the recipient and sender of that virtual asset then sanction screen the individuals (e.g. see if individuals are on OFAC lists).
In the scenario where you are interacting with no VASP (i.e. a sending money to a self hosted wallet) FATF dictates that…
[for] VASPs to observe patterns of conduct, evaluate local and regional risk, review information and bulletins put out by regulators and law enforcement, etc., in order to form their own risk analysis and determine the risk level posed by interacting with unhosted wallets.
This leads us to think there needs to be the creation of a robust compliance workflow mixing how fiat and crypto identities can be linked to verify individuals?
A global look..
Below we can see the stages of compliance with travel rule regulations and implementations of broader crypto regulation.
Regulation in AML/CFT process are going to be implemented and enforced, for the next wave of fintech interaction with crypto, compliant solutions to bridge the two worlds will be needed.
How funds flow from traditional finance to crypto
Despite the ability to natively earn and create cryptocurrencies on the protocol through mining, staking or protocol rewards. The majority of users onboard to crypto through on-ramps. These services allow users to purchase crypto with fiat.
These services make use of composable elements from the fintech and crypto world to work, these take the form of card networks and payment service and data aggregation services in order so users can send fiat and exchange it for crypto in a compliant way.
The combination of card networks, payment gateways, open banking, instant payment networks allow users to send fiat.
OTC / P2P fiat-to-crypto exchanges allow the quick exchange and settlement of fiat to crypto transactions
The final aspect is KYC and fraud. This combines traditional KYC of individuals with advanced fraud detections and blockchain transaction screening to provide a comprehensive overview of a user and if a transaction is fraudulent.
Understanding the FATF compliance process
Given the recommendations from FATF, we understand that VASPs need compliance process to identify who is sending and receiving the money in the case it is a VASP to VASP transfer and determine if they are sending funds to sanctioned individuals. In the case of sending money to unhosted wallets, VASPs have to ensure they have implemented appropriate local and regional risks
Below we unpack the layers that VASPs may go through in order ensure AML/CFT compliance from the base of an individual transferring from fiat to crypto.
Layer 1: Identity and verification
The first step is to KYC individuals. This is usually done with an eKYC provider doing ID and verification (ID&V) checks to see if individuals are real actors and to obtain customer identity information.
E.g. Onfido, Jumio, Veriff, IDnow, Trulio
Layer 2: Sanctions Checking
The next step is sanctions checking information of individuals are not on sanctions lists (like OFACs SDN list) or a Politically Exposed Person (PEP) which deems further investigation into the individual.
E.g. Majority of eKYC and Transaction Monitoring Services implement this within their platform.
Layer 3: Fiat Transaction Monitoring
This layer comprises of real-time workflows and data aggregation in order to understanding in real time if a transaction is fraudulent. It involves the combination of data and sanctions checking to provide real-time insight of fraudulent transactions once a payments made in fiat.
E.g. ComplyAdvantage, SEON, NapierAI
Layer 4: Advanced Fraud Analytics
This layer uses advanced data science techniques and AI to detect fraud, in this demo of Sardine.ai, it is explained as using learnings from previous fraud attempts to train fraud detection models. This can mean from detecting fake emails, un-natural mouse movements which dictate there is a fraudster.
Layer 5: Blockchain Wallet Screening
Blockchain analytics firms screen wallets to understand their source of funds, previous transactions with bad actors and connected wallets to provide a risk score for the wallet user.
E.g. Elliptic Lens, Chainalysis Adress Screening
Layer 6: Wallet Transaction Monitoring
These firms can also monitor transactions in realtime to provide analysis on risky transaction based on smart contracts or wallets they are interacting with.
E.g. Chainalysis KYT, Elliptic Transaction Monitoring, Coinbase Tracer, TRM Labs Forensics and Transaction Monitoring
Layer 7: Reporting and Messaging
To comply with the travel rule there is messaging between VASPs that needs to occur to share information from these various sources to show a transaction hasn’t been fraudulent and to proving proof of compliance.
We are seeing systems come in where they are creating secure workflow systems where VASPs can securely share transaction information in a secure and complaint way.
Putting the pieces together
These solutions used in combination or together provide a holistic view for VASPs to understand who their customer is and how they are interacting in the fiat and crypto world so they can comply with AML. We are seeing blockchain analytics and fraud detection firms combined with the KYC process retroactively create a dual identity tracking for users to link wallet addresses to real world identities when the on-ramp with fiat to crypto.
Fraud and compliance as foundational solutions at the intersection
Going back to Tornado Cash, we can see sanctions and regulation for crypto solutions are going to be enforced for lack of compliance with AML/CFT rules.
We can unpack this to mean any company wishing to operate at the intersection of trad-fi and crypto will need robust compliance solutions in order to act as regulation increases.
So do fraud and compliance platforms become the onboarding solution for Web3?
Given the FATF guidance, we are seeing regulation shape up in such a way any company that wants to offer regulated access to Crypto/DeFi needs a robust solution in order to provide services that bridge these two worlds.
We may see a rise in compliance solutions becoming the platform for building business that intersect crypto and traditional finance.
For example, Notabene act as a compliance wrapper for other services to plug in to providing users with fully compliant but customisable solution.
We can also see this play out with Sardine, they are building risk-free ACH payment settlement and ACH-to-Crypto settlement alongside allowing users to combine KYC and blockchain analytics solutions in order to build fraud-first payments service
To conclude, as regulation stiffens compliance become the next platform plays for building at the intersection of fiat and crypto worlds as they are the only solutions uniquely positioned to manage the regulatory risk with the knowledge on how to comply or detect fraud in both these infrastructures.
As I mentioned, I am at the tipping point of my knowledge on this space and would love to learn more… if you are interested and want to share your wisdom, i’d love to hear your thoughts. Feel free to DM me on LinkedIn and Twitter or reply to this email (If you’d like me to deep-dive on Sardine or Notabene, please shout!)