Learning From The Ripple Effect—Virtual Assets and Virtual Asset Service Providers

I have always been fascinated by the ripple effect. Throw a stone, preferably large, into an otherwise calm body of water, and the result is striking. Circular waves move out evenly in all directions, rippling outward from the impact of the dropped stone. One particular advantage of having 35+ years in the financial regulatory compliance industry is that you get to see the ripple effect principle at work as certain laws and regulations (the boulders) affect industry after industry due to their compliance impact. By looking at the past, those working with Virtual Assets and Virtual Asset Service Providers can learn a couple of important lessons and avoid some common mistakes.

When I was starting my regulatory career with the FDIC in 1987, I was frequently given the assignment of conducting the Bank Secrecy Act (“BSA”) portion of the safety and soundness examination. BSA testing had recently been expanded due to the passing of the Money Laundering Control Act of 1986, which criminalized money laundering and placed greater focus on understanding the source, ownership, and control of money. It also began placing Banks in the crosshairs of a new aspect of focus called regulatory compliance. It was the beginning of a new era. The boulder had been dropped, and Banks were the first to feel the impact.

From 1986 to 1994, much of the BSA/AML focus was on insured financial institutions. However, starting in 1994, the ripple was felt in a new area of financial transactors: money services businesses. By this time, FinCEN (Financial Crimes Enforcement Network), which was created in 1990, would take center stage in the world of financial crimes as it took on expanded enforcement and regulatory authority. The ripple continued to expand into new areas following the devastating events of 9/11 and the resulting legislation of the USA PATRIOT Act. Through PATRIOT, the focus of BSA/AML expanded to new entities, including underground money transmitters. The ripple seemed to emphasize the need for closing gaps in monitoring and reporting identified in the financial markets. Consequently, the ripple would expand over the next 15 years as other industries were identified as part of the potential money laundering activities. This increased the focus on monitoring and reporting for industries including currency dealers and exchangers, casinos, security brokers and commodity traders, private banking, foreign correspondent banks, and non-bank residential mortgage lenders.

The Ripple Hits VASPs

By 2020, it was clear that the ripple effect was beginning to hit the world of virtual assets (“VAs”). FinCEN had identified virtual currencies as an area of review way back in 2013, but it wasn’t really until December 23, 2020, when FinCEN published a Notice of Proposed Rulemaking (“NPRM”), that the ripple had clearly hit those engaged in transacting VAs, namely VA Service Providers or VASPs. Although there are varying interpretations of the rules, it is clear that FinCEN and other global regulatory bodies expect VASPs to face the oncoming wave and implement sound BSA/AML practices. The 2020 NPRM focused on convertible virtual currencies (“CVCs”) and digital assets and sent a clear message that FinCEN intended to close this gap like the many others that had emerged over the prior three decades. The proposed rule would create a ripple of requirements for reporting and recordkeeping on Virtual Asset Service Providers (“VASPs”).

It certainly wouldn’t take long for FinCEN to flex on the virtual industry, as it hit BitMEX for $100 million in August 2021 for willful violations of BSA. BitMEX, a convertible virtual currency derivatives exchange that focuses on cryptocurrencies, was found by FinCEN to be lacking in conducting appropriate customer due diligence and allowing customers access to transactional activity without sound monitoring of potential suspicious activity. Both of these weaknesses are central to the requirements for all financial institutions. FinCEN made clear its intent to apply the impact on VASPs as stated by then Acting Director of FinCEN Him Das: “By assessing a $100 million penalty against BitMEX last August, we hope to convey the message that the Bank Secrecy Act applies to institutions dealing in digital assets and cryptocurrency the same way it does to those dealing in fiat currency.” There lies the true measure of the ripple. Essentially, the government was saying you can’t play by your own rules. You’re going to adhere to ours.

We are even now watching the effects of the regulatory compliance ripple on VAs and VASPs. On August 1, 2022, the New York State Department of Financial Services (“NYDFS”) fined Robinhood Crypto, LLC (“RHC”) $30 million. A review of SEC cryptocurrency litigations in 2013-2021 notes a rising trend – especially from 2017 – with significant increases in litigation and actions through 2021. The pattern of rising litigations and fines is, interestingly, quite similar to what occurred in the Banking BSA sector from 2003 through 2009 when fines started to rise, often exceeding $100 million and sometimes into the billion dollar range.

Even more telling is what went wrong with RHC, according to NYDFS findings. RHC is the wholly-owned cryptocurrency trading unit of the popular investing app offered by Robinhood Financial LLC. In the complaint filed against RHC, the NYDFS noted “critical failures” with the company’s cybersecurity program. Specifically, the charge of failing to maintain a BSA/AML program “commensurate with the risk profile of the licensee” was cited. NYDFS noted that RHC certified compliance with the New York Transaction Monitoring Regulation for 2019 even though RHC was using manual reporting systems and limited staff to handle 106,000 transactions totaling $5.3 million in activity per day in 2019. This type of language is eerily similar to what you might have read with the fines imposed on insured financial institutions in 2003-2009 and resulted in the massive movement towards automated surveillance monitoring systems.

Will VASPs Learn from Banking?

As the ripple hits VASPs, there is an opportunity to learn from the past. In the early 2000s, many insured financial institutions found themselves being hit by the ripple and finding that they lacked internal capabilities for sound customer due diligence and/or monitoring. This lack resulted in the explosion of CDD/EDD and transactional monitoring systems, whose development continues to this day. VASPs will gain the benefit of nearly two decades of AML System deployments. Yet, almost every organization with an AML surveillance monitoring system will quickly recognize their limitations. This can lead some to frequently change systems in a search for the “holy grail” of BSA/AML/CTF compliance. For any new industry facing the ripple, and even those older industries dealing with BSA, there are a few key lessons that can be learned regarding AML Surveillance Systems that can help to avoid some of the common mistakes that have dogged many affected by the ripple.

Lesson One—No System can Mask a Weak Culture of Compliance

One critical lesson to learn is to understand what the automated surveillance monitoring system can and can’t do. No system can overcome a poor culture of compliance. The word “automated” in the term “automated surveillance monitoring system” is a partial misnomer because the system, while designed to output alerts that merit review, merely functions as a tool and does not guarantee or automate a solution. Like any tool, the strength is not in the tool itself but how it is used. In this case, the power of a system lies in the expertise to wield it effectively while supported by a foundation of a sound organizational culture that values compliance.

Consequently, finding the right combination of tools, systems, personnel, etc. and supporting those elements to operate in harmony must begin with a strong focus on achieving a compliance culture. If you could travel back to the 1980s through the 2010s and review insured institutions that failed BSA, you would find in almost every one a poor compliance culture. Metaphorical gaping wounds were patched with a skimpy bandage, and eventually their weakness was exposed. Many of these organizations had expensive surveillance systems. But no system, and no amount of money spent, will cure a weak compliance culture. The lesson for VASPs is that you can’t fake compliance culture for long periods of time. While such culture may run counter to the nature of VAs, if VASPs want to be part of the financial market, they’re going to have to consider what it means to have a strong compliance culture.

Lesson Two—No Need to Reinvent the Wheel

The second lesson to glean from regulatory guidance is that you don’t have to reinvent the wheel. The Financial Action Task Force (“FATF”) has been around since 1989. FATF is the global body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and the proliferation of weapons of mass destruction. FATF works with many of the leading Financial Intelligence Units (“FIUs”) to develop key practices aimed at achieving their objective. The FATF has already invented the regulatory wheel, and it just makes sense to use it.

For VASPs, FATF has been very responsive. They developed a number of important documents that should be at the forefront when choosing and implementing an automated surveillance monitoring system. Recognizing the unique features of VASPs, FATF has provided meaningful guidance on developing rules or red flags. Organizations that work with VAs would be well-advised to adhere to their guidance and ensure that they have sufficient coverage relative to those flags. Certainly, this would include the September 2020 FATF guide entitled “Virtual Assets Red Flag Indicators” and the June 2022 “Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers.” Both of these form the wheel, and while those involved in VAs and VASPs will need to customize to meet their unique features, the importance of evaluating surveillance and BSA/AML/CTF programs against these guides is critical.

Conclusion

In one sense, those involved in VAs and VASPs are still on the front edge of the ripple. Some have been impacted, but this isn’t to suggest that the wave has passed. If you study the ripple effect, there are multiple waves created by the dropped boulder. It isn’t ever about avoiding the ripples; it is about managing the inevitable ripples. As organizations apply lessons learned from the past, they prepare themselves to not only manage the ripple, but to step up and thrive where others fail.

AdvisX remains committed to working with its VA and VASP partners to implement sound controls and proper usage of automated surveillance monitoring solutions. We further offer validation and efficiency services for those looking to address best practices and/or regulatory requirements for independent validation. To discuss how we can meet your organization’s needs, please contact us at info@advisx.com.