Key takeaways from the ABS’ industry perspective on best practices recommendations on compliance risks with a nexus to digital assets
The Association of Banks in Singapore (ABS) has this month, in collaboration with the MAS, the CAD and Ernst & Young, released a set of ‘best practices’ recommendations from the industry perspective, to help financial institutions (FIs) approach money-laundering (ML), terrorism financing (TF) and sanctions risks in the digital assets space. We summarise the key takeaways for FIs.
What kinds of digital assets are covered?
The recommendations set out a two-step consideration for FIs wondering if a particular digital asset would benefit from additional controls. First, how relevant is the asset from the ML/TF/sanctions angle? The ABS recommends that an asset should be considered relevant so long as it can be traded, transferred, used for payment or used for investment, as it could then be used to store or facilitate the movement of tainted proceeds. Second, to what extent does the asset present ML/TF/sanctions risks? This query can be looked at through three lenses:
- Governance model – Whether the asset is backed by a Government or a consortium of regulated entities, such that it would be subject to regulations. An asset which is not so backed or subject to regulations, or which has a governance model that is partially or fully centralised and allows for anonymity, would present a higher risk.
- Ease of conversion of the asset into or from fiat currency – The greater the ease, the greater the risk, as it allows for quicker conversion into useable funds.
- Extent of public adoption – The wider the public adoption or the easier the facilitation of buying/selling the asset and its conversion to fiat currency, the greater the risk, as it allows for quicker movement of funds.
The recommendations have singled out cryptocurrencies and stablecoins as types of digital assets of particular risk. While the ABS’ recommendations apply equally to other forms of digital assets as well, such as NFTs or transferable gaming or streaming credits, these other forms are considered less risky based on the second-step consideration outlined above (e.g., due to their narrower adoption and the higher barriers to conversion into fiat). Yet other forms of digital assets, such as central bank digital currencies and digital capital markets products tokens, are also considered lower-risk, as these are typically regulated.
Which customers are covered?
The recommendations cover three main types of customer nexus: first, digital payment token services providers (SPs) and other FIs, including non-bank FIs; second, legal entities with a business model that has a nexus to cryptocurrencies; third, natural persons or individuals with sources of wealth/funds related to cryptocurrencies.
The recommendations suggest that cryptocurrencies are “more vulnerable to abuse for criminal activity”, given their anonymity, cross-border nature, lack of identifiers and the potential compromise of wallet/platform security. Hence, in relation to all three categories of customers, the recommendations set out three additional risk angles for FIs to consider, in addition to their regular KYC risk factors. These are:
- Customer risk – In the context of an SP, this would relate to its regulatory status, its use of anonymising or privacy-enhancing tools, the extent of its implementation of the Travel Rule (referring to FATF’s Recommendation 16, which requires SPs and FIs to collect and share the personal data of a virtual asset transfer’s sender and recipient; implemented in Singapore via MAS’ Notice No. PSN02), and any risks associated with the jurisdiction(s) which the SP is linked to. A possible ‘red flag’ would be where the SP had offered customer accounts in a jurisdiction prior to obtaining a licence and refused to provide a legal opinion regarding its lack of licence in that jurisdiction, or where it was not fully transparent regarding its ownership structure and business operations. In the context of a legal entity or individual, this would relate to whether, and presumably the extent to which, their source of wealth or revenue/income is generated from mining, staking or investing in cryptocurrencies.
- Product and services risk – This relates to the customer’s account’s exposure to unregulated exchanges, those which accept privacy coins, have anonymity features, or ‘mixer’ or ‘tumbler’ services, to wallet addresses which have been sanctioned or linked to illegal activity, to unhosted or ‘cold’ wallets which allow an individual to maintain assets outside an exchange, and/or to peer-to-peer transactions (especially those of a crypto-to-fiat nature).
- Geographical risk – This relates to the account’s exposure to cross-border transactions involving jurisdictions with less robust ML/TF oversight, or conversely, which ban cryptocurrencies entirely. In the context of SPs, FIs should query the degree of ML/TF oversight and regulatory enforcement in the jurisdiction the SP operates in, whether it operates in a country that is subject to economic sanctions, and whether it operates in a country known to set up offshore companies. The latter indicator would likely catch a large proportion of SPs.
FIs are recommended to clearly define their customer acceptance criteria, to determine whether a particular client can be onboarded and if so, the appropriate level of due diligence to be applied. For SPs and legal entities in particular, this would involve obtaining additional information from prospective clients about the types and nature of their products, the custodial solutions which they offer, and the quality of their regulation, including possible walk-throughs of their ML/TF processes (among other things). For individuals, this would involve a consideration of the FIs’ ability to corroborate the individual’s transactions of cryptocurrencies and the type of custodial solution subscribed to (among other things).
For onboarded customers, FIs are recommended to actively identify those with a nexus to cryptocurrencies for enhanced risk management measures, where necessary.
Finally, the recommendations deal with steps which an FI should take for the ongoing monitoring of fiat cryptocurrency accounts, and give helpful case studies and examples of additional queries which an FI may raise during a system-triggered alert or investigation.
The recommendations are a welcome, practical guide to complement Singapore’s suite of regulations applicable to the digital assets space, this time from the perspective of FIs. They also dovetail with the recent amendments to Singapore’s Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, to lower the scienter threshold for ML to include rash and negligent activity, and to criminalise conduct which assists another to retain criminal proceeds where the assistor failed to take reasonable steps to find out the purpose of the arrangement, the source or destination of funds, or the sender/recipient’s identity and physical location. For the purpose of any ML prosecutions of FIs, this set of recommendations would likely factor into the assessment of the ‘reasonableness’ of any steps taken, or omitted, by the FI in its onboarding or transaction monitoring processes.
The recommendations reflect a widely-held view that the very nature of cryptocurrency renders related transactions inherently riskier than fiat, and hence, FIs should expect stepped-up monitoring from authorities in relation to their crypto-related transactions and the adequacy of their crypto-related risk controls.