The “Travel Rule” – Can Cryptocurrency Comply?

Article by SIAPARTNERS

The Travel Rule marks a major change when it comes to virtual asset compliance and may fundamentally alter how Virtual Asset Service Providers (“VASPs”) operate in the future. To prepare for the future, Crypto exchanges must apply a risk-based approach, in addition to having clearly defined policies

On March 15, 2019 at a Blockchain Symposium, FinCEN’s Director Kenneth A. Blanco made an announcement on the Travel Rule: “It applies to (Convertible Virtual Currency)  CVC and we expect you to comply, period”.  He added that “FinCEN, through delegated examiners at the Internal Revenue Service (“IRS”), has been conducting examinations that include compliance with the Funds Travel Rule since 2014. In fact, to date it is the most commonly cited violation by the IRS against MSBs engaged in CVC money transmission”.

Mr. Blanco’s comments followed FinCEN’s release, in May 2019, of its long-awaited guidance on the application of existing Anti-Money Laundering (“AML”) rules, including the Travel Rule, to virtual currency businesses.

Further, during its June 2019 plenary, the Financial Action Task Force (‘FATF”), the G20’s financial crimes watchdog, issued FATF Recommendation 16 requiring Virtual Asset Service Providers (“VASPs”) to share Personal Identifiable Information (“PII”) and Know-your-customer (“KYC”) data between transacting sender and receiver users before executing the transaction. VASPS include Cryptocurrency Exchanges, Bitcoin ATMs and Custody Providers.

The AML Act of 2020 broadens the definition of “financial institution” under the BSA to now include businesses that exchange or engage in the transmission of cryptocurrency. For almost a decade, FinCEN has been clarifying which cryptocurrency business models qualify as Money Transmitters and as such must follow the Travel Rule. In 2011, FinCEN issued a final rule stating that Money Transmitters are “persons accepting and transmitting value that substitutes for currency”, such as CVCs. Following that statement, in 2013 FinCEN issued Guidance on Virtual Currencies and Regulatory Responsibilities stating: only “exchangers” and “administrators” of CVCs, and not “users”, are Money Transmitters. This statement serves as a advisory for cryptocurrency firms to comply with the FinCEN Travel Rule.

Bank Secrecy Act Travel Rule

Back in January 1995, the Board of Governors of the Federal Reserve and FinCEN jointly issued a Rule for banks and other nonbank financial institutions, relating to information required to be included on funds transfers. The Rule is comprised of two parts – the Recordkeeping Rule, and what’s come to be known as the Travel Rule. The Recordkeeping Rule requires financial institutions to collect and retain the information that in turn, per the Travel Rule, must be included with a funds transfer and passed along – or “travel” to each successive financial institution in the funds transfer chain.

Travel Rule Information Requirements

Information Requirements:

  1. The transmitter’s name;
  2. The transmitter’s account number;
  3. The transmitter’s address;
  4. The identity of the financial institution;
  5. The amount transferred; and,
  6. The date of transfer.

In contrast to FATF’s guidance, FinCEN clarified that the recipient’s financial institution should retain the same information as the originator to the extent that the information has been provided by the originating money service business. The differences between the FATF and FinCEN guidance are limited, aside from the transaction thresholds: $1,000 (FATF) and $3,000 (FinCEN).

When the Travel Rule was originally enacted for bank-to-bank transfers, the information required under the rule was substantially the same as the information already required to execute the wire transfer. Originally, the most significant feature of the Travel Rule was not the collection of any additional information, but rather the requirement to transfer that information to the recipient and the requirement to retain it in case of subsequent government inquiries.

Challenges for Blockchain and the Travel Rule

Cryptocurrencies, like Bitcoin, that settle transactions on a blockchain have unique challenges regarding Travel Rule compliance in part due to the lack of counter-party information in blockchain.

It should be noted that under the FATF and FinCEN Travel Rules, compliance is only required where funds are transferred on behalf of a client or customer between two VASPs, or between a VASP and a financial institution.

The issue emerges because VASPS often have limited information on the counter-party without which they cannot distinguish which transactions fall under the Travel Rule. For a virtual currency transaction, all that is required to execute the transaction are the virtual currency addresses of the originators and beneficiaries.

Recent Developments in relation to the Travel Rule

On October 23, 2020, the Board of Governors of the Federal Reserve System and FinCEN issued a joint Notice of Proposed Rulemaking (“NPRM”) soliciting public comment on proposed amendments that seek to modify the existing Recordkeeping and Travel Rules by:

On December 18, 2020, FinCEN, issued a NPRM that would require banks, cryptocurrency exchanges and MSBs to collect Know Your Customer data on anyone transferring cryptocurrency worth $3,000 or more to or from a private wallet. The NPRM would impose new requirements that banks and MSBs must gather, maintain, and report information about customers engaging in virtual currency transactions with unhosted wallets. The NPRM would also impose these same requirements on transactions with hosted wallets held by a financial institution that are not subject to the BSA and are located in a foreign jurisdiction on the so-called FinCEN “Foreign Jurisdictions List.”

FinCEN has not issued any follow up information on these NPRMs.

Industry Initiatives

There is still no clearly defined approach for “Travel Rule” compliance in the cryptocurrency industry. The industry has responded with various initiatives such as:

Risk-based Approach
Cryptocurrency-based companies are building regulations into their AML platforms with API-centered solutions. Risk-based approaches are adopted to freeze or deny transactions that do not comply with AML / KYC regulations. Notably, most blocked transactions originate from Unhosted wallets.

Distributed Ledger Technology
Other “Travel Rule” compliance systems, such as OpenVASP and TRISA – which are open source, rely on Distributed Ledger Technology to exchange end-to-end encrypted messages between “trusted” VASPs.

Standardized Communication
The InterVASP working group, which is comprised of leading international associations representing VASPs as a coalition of trade bodies, presented the IVMS-101 in May 2020 which is the newly adopted messaging standard for communication between VASPs.

Conclusion – How the Travel Rule Effects the Crypto Space

The Travel Rule marks a major change when it comes to virtual assets and may fundamentally alter how VASPs operate in the future. To prepare for the future, Cryptocurrency exchanges must apply a risk-based approach, in addition to having clearly defined policies and procedures. Specific examples include the following.

The key to compliance with the Travel Rule is a strong due diligence or KYC process that gathers the key information at customer on-boarding. Also, blockchain analytics software exists that can help identify risk related details about the destination – owners of the cryptocurrency wallet address.

Alternatively, some exchanges have sought to comply by restricting outbound transfers that trigger the travel rule to wallets that are already owned by the customer, rather than by anyone else, so that the exchange or wallet provider can rely on information they have already collected.

 

Conflicting Risk Appetites: A Surefire Recipe for Due Diligence Disasters

Article by Sandra Erez

 

CDD and KYC have been baked into AML compliance for two decades now, yet enforcement of money-laundering violations continues to accelerate. How is it that penalties from a highly regulated environment are not able to serve as a bulwark against the corporate (and human) appetite for profit?

Know Your Customer … But to Thine Own Self Be True

Almost every move we make is determined by a risk assessment. From jet-skiing without a life jacket to parking momentarily in a no-parking zone, our daily decisions are made weighing risk against benefit. While we often think we have all the information and skills to assess the situation, many of us zoom past the red flags, muffle the warning beeps on our risk radar and speed ahead anyway – only to take a long, hard fall later for not erring on the side of caution.

Some of us simply can’t fight this aspect of human nature.

When it comes to assessing the risk of money laundering in the financial sector, the highly calibrated risk-assessing processors can seem just as inadequate. Despite having years of practice for firms to get it right, we are privy to an endless parade of financial institutions mired in the astonishing magnitude of their muddled customer due diligence (CDD). In 2020, banks worldwide paid a collective $15.13 billion in fines for a range of compliance failures.

 

As BuzzFeed News revealed last fall with the publication of the FinCEN Files, banks look the other way while processing trillions of dollars in suspicious transactions and often ignore their own employees’ warnings.

Don’t Rain on My Parade: Poking Holes in the AML Compliance Umbrella

A scandal can serve as a good scare tactic in that it sends fear shivering through boards of directors, reminding them that AML noncompliance can be a risky business in a shifting sea of regulatory enforcement. Every time huge fines rain down from thunderous regulatory skies on an errant firm, compliance officers in organizations in the same sector suddenly remember to huddle under their colorful “tick the box” compliance umbrellas so they can hire more compliance staff and scribble new AML policies. Too often these will be forgotten when the media storm passes and the ice water in management’s veins begins to thaw.

What’s more, it’s clear that these punitive actions are not translating into lessons learned. AML fines have accelerated steadily over the past two decades. The period between 2008 and 2018 saw $26 billion in fines, while 2019 alone saw $10 billion. There is no reason to believe this trend will reverse any time soon.

It appears there is a huge disconnect between “compliant” CDD controls and the ability to assess the money-laundering risk off the back of that process. The resolution to that quandary requires a deep dive into the swirling vortex of the CDD black hole.

Conflicting Risks Can Sink Ships

Grounded in a risk-based approach, AML legislation best practice places high importance on the CDD process as a primary gatekeeper in the prevention of financial crime. If the due diligence is done right, both at onboarding and in an ongoing fashion, it can help safeguard against money launderers looking to secure a haven for their illegal activities.

But although financial institutions may be putting their best foot forward to stay compliant with AML and CDD regulations, the same faulty human decision-making processes (miscalculating risk when focusing on an immediate outcome) is replicated when it comes to CDD execution. Employees and employers alike are interested in swiftly onboarding clients, which means lowering customer drop-out rates while potential gains pour unobstructed (and more quickly) into the company coffers. And skipping cyclical ongoing monitoring checks means less people to man the company decks, less friction with the existing clients and perhaps even higher personal ratings from their direct supervisors sharking the waters for big fish.

In short, the KYC/CDD process is vulnerable both at the staff level where people (by their nature) are prone to breaking rules and err in their haste to get the job done, as well as on the board/management level where the human appetite for greed and power will always directly conflict with organizational risk appetite.

So as long as the lure of lucrative transactions waxes louder than the lure of the police sirens, there needs to be a human-friendly, intuitive CDD safety net in place so the slippery fish can’t slip through any holes.

Paying the Price of the Disconnect in the Murky CDD Process

In an infinite fintech sea rife with financial crime, onboarding and monitoring clients is at once a Sisyphean and thankless task – with plenty of room for error throughout. Diligence doers participating in different parts of the CDD process often come to the table with varying levels of responsibility, differing skill sets and maybe even opposing incentives for doing their jobs. Yet they are expected to work seamlessly in tandem over time, often without a centralized repository to house documentation and communications between them.

At the same time, the difficulty in accurately assessing the multiple, intertwined layers of risk, (client, product, geographic and transactional) can become even more overwhelming when inconsistent verification standards within the firm result in poor-quality datasets. Add that to a lack of a standardized decision tree in place to generate the risk ratings, and once again, the CDD process can end up being highly subjective – leaving the guy at the helm to sheepishly present the regulator with a justified audit trail of abhorrent CDD incompetence.

And finally, the faint of heart (and those individuals disdainful of sophisticated CDD solutions) should note that all this careful and detailed investigation is being carried out against the backdrop of dynamic global sanctions changes, emerging legislation, missing documentation, client identity falsifications and pressure from the client (and the firm) to keep the money moving in one direction – all under the leer of a looming regulator. Yikes!

UBO or UFO? Go with the Flow!

Weighing the risks against the benefit under stringent AML controls means asking the right questions in order to avoid doing completely unnecessary checks. But at the same time, it also means knowing when not to cut corners (like not bothering to investigate source of wealth or source of funds. The only way to achieve that delicate balance is to implement a data-rich, centralized solution that is inherently customizable to any firm’s specific workflow while providing built-in best practice checks and balances to fit relevant business environments and jurisdictions. Guiding and leading with automatic prompts and triggers enables staff adhering to a risk-based approach systematically with minimum effort.

The quintessential tool would be anchored in conditional logic, where the relevant queries and requests for information would appropriately unfold during the CDD process as the system is dynamically generating an overall risk rating. In addition, the supervisors can be flagged to initiate changes, approve or disapprove, as well as oversee the weighting of the individual risk ratings as necessary at any point in time. The strategically placed prompts, calls for action, reminders and flag triggers act as a bulwark against the typical KYC/CDD obstacles – namely, human beings.

Know Your Risk … of Not Having a Conditional Logic-Based CDD Lifeboat in Place

As the rising tide of money-laundering crime engulfs regulators across the globe, they are digging in and clawing their way to the top by upping the ante. Penalties can now include not only fines, but also other enforcement measures, like firms being barred from taking on new clients or being restricted in certain areas of business.  Jurisdictions such as the U.K. have expanded the businesses subject to a regulatory framework to include accountancy practices, law firms, estate agents, art dealers and cryptocurrencies while virtual assets are starting to come under a regulatory framework in the EU. No one is safe from their oversight – from the little accounting firms to those offshore lounging on their yachts!

As for you, the casual doer of diligence wandering around bewildered in the CDD maze, beware: The ultimate responsibility for onboarding that risky client is on you and your firm. Perhaps in addition to verifying your clients, you should verify your need for a risk-based CDD solution before someone high up goes head over heels overboard.

The Other Side of the Digital Coin: Central Bank Digital Currencies and Sanctions

Article by Kayla Izenman

As the economic benefits of central bank digital currencies emerge, so does one of their major downsides: an opportunity to avoid sanctions imposed by governments.

Almost every day it seems a new form of digital money emerges, often touted as the next hot idea. But with so many governments indicating interest in these developments, central bank digital currencies (CBDCs) might actually be a technology to change the world.

WHAT IS A CBDC?

A CBDC is a digital form of currency issued by central banks, which often have a monopoly over the issuance of currency within their own state’s territory. As a currency it is different from traditional reserves or settlement accounts, which are the established way for central banks to issue their ‘physical’ currencies. Although evidently inspired by cryptocurrencies such as Bitcoin, CBDCs are more like cash. While Bitcoin and Ethereum prices fluctuate wildly and could lose their value entirely, CBDCs are backed by a government, and are legal tender in the country in which they are issued. Thus, it is easiest to conceptualise them as digital banknotes, despite being inspired by decentralised cryptocurrencies. And although not an absolute necessity, many CBDCs are based on distributed ledger technology – decentralised databases managed by multiple participants or nodes – which is the technological infrastructure underpinning blockchain and cryptocurrencies.

CBDC models do vary by jurisdiction, and can be broadly grouped into two main types: wholesale and retail/general purpose. It is worth noting that most countries discussed are creating retail CBDCs (those widely available and targeted at payments between individuals and businesses).

Design choices also vary: CBDCs can be token-based or account-based. The former draws more from typical cryptocurrency models, using private and public key pairs similarly to Bitcoin. The latter requires each user to hold an account with the central bank, with transaction approval dependent on identity verification. It seems that most CBDCs will adopt the latter model.

GLOBAL INTEREST IN CBDC USE

A 2020 survey conducted by the Bank for International Settlements found that ‘80% of the world’s central banks had already started to conceptualise and research the potential for CBDCs’. Perhaps this is no surprise given the declining use of cash, spurred on by the coronavirus pandemic and the necessity of contactless payments.

Even before the pandemic, cash use was already declining in many advanced economies, a trend that has worried central banks, which aim to foster public access to and trust in central bank money. A CBDC has the potential to address this trend and help countries in a variety of ways, including fostering financial inclusion by expanding the number of people who have access to banking services and by enhancing the effectiveness of monetary policy. For citizens, a digital banknote could perhaps be the safest form of money.

CBDCs are no longer just theoretical. In late 2020, the Bahamas launched the Sand Dollar; China is in the news frequently for its progress with the digital yuan; and the EU, the UK and the US have all indicated their interest in exploring their own CBDCs.

This domestic focus is also coupled with international ambitions, as many countries aim to improve cross-border payments through CBDCs. While there are debates over the best ways to ensure CBDC interoperability, there is a strongly held belief that CBDCs can benefit the global economy. But herein lie the international security risks, especially when looking at the effectiveness of financial sanctions.

EFFECT ON SANCTIONS

Many countries face various sanctions regimes from the US and the EU, or those mandated through UN Security Council resolutions. Countries sanctioned heavily by the US show particular interest in CBDCs, and some have even explicitly stated their intention to evade US sanctions through popularising their own CBDC.

China is the most notable of these, especially given its progress and success in this space with the digital yuan, also known as DC/EP (Digital Currency/Electronic Payment). In November 2020, Beijing announced that almost $300 million had been spent using DC/EP in four million domestic transactions. The aim is for broad circulation by 2022 with an intention to test DC/EP at the 2022 Beijing Winter Olympics.

Russia, Venezuela and Iran, all facing US sanctions, have also shown various levels of interest in CBDCs. In March, Moscow said that the first prototype of a Russian CBDC will be launched in late 2021. Venezuela’s President Nicolas Maduro has long tried to popularise the Petro coin, claiming that the pre-sale alone raised $3.3 billion. These numbers are unconfirmed and the Petro is largely seen as a failure. Meanwhile, Iran is also conducting research.

DETHRONING THE DOLLAR

It is easy to understand why any government would be interested in a CBDC. For US-sanctioned countries, though, there might be additional long-term benefits to investing in this technology. Currently, the US can exert power over these countries due to the ubiquity of the dollar – as of 2019, approximately 88% of all foreign exchange trades were backed by the dollar. Widespread adoption of CBDCs could reduce the dollar’s domination, lessening the power of US sanctions.

Multiple US-sanctioned countries have specifically listed decreased dependence on the dollar as part of their motivation for creating a CBDC. Russia’s central bank said that a digital ruble could help mitigate the risk of sanctions. Chinese state media claimed in 2020 that ‘sovereign digital currency provides a functional alternative to the dollar settlement system and blunts the impact of any sanctions’. Iran’s President Hassan Rouhani specifically proposed a cryptocurrency-related payment system among Muslim countries to cut regional reliance on the dollar. When announcing the Petro, President Maduro claimed the coin would ‘help to overcome the financial blockade’.

Washington is aware of these motives. In March 2018, then-President Donald Trump bannedUS companies and citizens from dealing with Venezuela’s Petro coin. More recently, US officials, speaking on condition of anonymity, told the Bloomberg news agency that the Biden administration is ‘eager to understand how the digital yuan will be distributed, and whether it could also be used to work around US sanctions’.

Another function of CBDCs is the ability to oversee and monitor citizens and financial transactions. Any account-based CBDC potentially allows tight control by the central bank over the finances of the users. While this will be helpful in identifying illicit activity, it also means that the central bank can see exactly what citizens are doing to an extent previously unimaginable in traditional finance.

The type of anonymity used in the centralised CBDC models means that both parties in a transaction would likely be anonymous to the public but visible to the central bank. CBDCs therefore offer less privacy than cash, a feature that may add to their appeal in authoritarian countries.

WHAT IS NEXT?

One of the biggest unresolved questions concerns the level of infrastructure compatibility between the different CBDC models that are emerging. The long-term impact of a CBDC like DC/EP cannot be understood until there is some ability to exchange the CBDC for other fiat currencies – successful internationalisation of any currency (physical or digital) is near impossible without exchange options.

Furthermore, what impact might CBDC conversion into other digital currencies have? For example, if China allowed conversion from DC/EP to cryptocurrencies, would this enable a new sanctions evasion route for North Korea, a country already known for its cryptocurrency expertise? It seems unlikely that China’s CBDC would engage with decentralised cryptocurrencies, especially given Beijing’s bans on the technology, but it is possible.

Sanctioned countries are far from the only jurisdictions interested in this technology, and the interoperability of CBDCs applies equally to the UK’s potential Britcoin or the digital euro – perhaps even more so given these countries’ centrality to international trade. Yet as with any promising innovation, anticipating the potential for abuse will be an important consideration as this technology proliferates.

 

“And the Award for the Most Disastrous Third-Party Risk in 2020 Goes to …”

Article by Atul Vashistha

Without a doubt, 2020 was a blockbuster year for risk and disruption – but by evaluating the shortcomings of risk practices, we can enable proactive strategies that can significantly improve business continuity and resiliency for whatever happens next.

“And the Award for the Most Disastrous Third-Party Risk in 2020 Goes to …”

Imagine if there were an annual award show for risk. Of course, due to the pandemic, the award show would have to be virtual – but if there were such a show, the pinnacle award would be for the Most Disastrous Risk of the Year.

Hands down, the award for 2020 would go to location risk. In case you aren’t familiar with location risk’s body of work, it includes events specific to a geographical location: natural disasters such as hurricanes, earthquakes and disease outbreaks; social unrest including riots and strikes; political instability resulting from high-level corruption or a coup; terror attacks, whether physical or cyber; and macroeconomic conditions like high inflation and high unemployment.

All kidding aside, this is detrimental because most organizations’ third-party risk management programs ignore location risk altogether. During 2020, their almost laser-like focus on financial and cyber risks left businesses uninformed and behind the eight ball, struggling to keep up with the rapidly changing risk landscape. In fact, during the pandemic, financial and cyber risks were actually lagging indicators.

As the pandemic gained steam, there were countless leading indicators, which – if known early enough – could have been used to improve business continuity and resiliency.

Financial and Cyber Risks: Lagging Indicators

Let’s take a look at COVID-19’s cascading risk scenario to further explain why financial and cyber risks were actually lagging indicators during the pandemic. When the crisis started, the first business continuity risks arose as China’s government enacted restrictions to stop the spread of the disease. Next came government regulations risk in other countries from shutdowns, border closures, travel bans, etc. Then entered people risks, as a pandemic is foremost a health risk. Risks of wide-scale absenteeism grew due to individuals either contracting the disease themselves or having to care for family members who were ill. Some locations were significantly more vulnerable due to weak health care infrastructure.

After people risks came remote-work requirements and lockdowns that were stricter and longer in some locations than in others. In many areas, this was a challenge due to poor internet infrastructure and a shortage of laptop computers. With people forced to work from home on unsecured networks and personal computer equipment, cybersecurity risks increased.

As the pandemic continued long-term and economies constricted to different degrees in different locations, financial cracks finally began to show with third parties. With a reactionary approach that relied on monitoring changes in only financial or even cyber risks, businesses were late to prevent a cascading downfall.

The 3 Resiliency Lessons Learned

If COVID-19 has a silver lining, it’s the opportunity to learn from our risk management shortcomings and advance our risk management practices to ensure greater future resiliency. Our experience during the pandemic brought into focus three critical lessons:

  1. Resiliency requires monitoring location risk. Unfortunately, as many enterprises ignored location risks in their TPRM program, they were left in the dark about the locations from where services were provided. They didn’t understand the inherent weakness and vulnerabilities of each location and were ill-informed when their location’s risk landscape changed, forcing them to manage risk reactively.
  2. Resiliency requires monitoring risk continuously. During 2020, the foundation of the majority of risk management programs were legacy processes like point-in-time assessments, due diligence and onboarding. Because most organizations lacked continuous monitoring capabilities, they were forced to rely on data collected months before the pandemic. As the risk landscape rapidly evolved and changed with each new day, this stale data was unhelpful and at times counterproductive for risk mitigation efforts during the pandemic.
  3. Resiliency requires monitoring risk across broad frameworks. A global crisis such as COVID-19 presents the unique challenge of cascading risks. Global business supply chains are hyperconnected, and managing business continuity during the unprecedented disruptions without a guidebook was difficult. There’s only one way to effectively predict what comes next when faced with a cascading risks scenario, and that’s through continuous monitoring of broad risk aperture.

The Risk Horizon for the Rest of 2021

The global effects of the pandemic are far from over. Although some countries are making progress on vaccinating their citizens, many countries are at a financial and health care infrastructure disadvantage. The longer the virus continues, the greater the chance that mutations could result in variants that could reduce the efficacy of our current vaccine protocols. Vaccinated travelers to foreign countries could bring variants home, re-igniting the problems we faced in the early days of the pandemic.

Beyond location risks, others to consider include:

  • People risks will continue to remain high. Talent well-being in terms of physical, mental and emotional health should be a high-priority focus in 2021. Talent is always a resource constraint, but it’s especially so in a pandemic.
  • Cyber risks will continue to increase as companies adopt more permanent remote and distributed working models.
  • Financial risks could rise. As the crisis is prolonged, we could see greater negative impact to revenues. This poses a tremendous financial risk, especially for small- and medium-sized companies without a strong enough balance sheet to get them through the crisis.
  • Regulatory and compliance risks will rise as regulators add new regulations to address the distributed and non-physical work environments of “work from anywhere.”
  • Supply-chain disruption risks got a lot of attention during the pandemic as enterprises realized they lacked view beyond their third parties. Effective mitigation of supply chain disruption risks requires a deep view to the Nth parties of the supply chain.
  • ESG risks have become a hot topic in the last six months. Failure to incorporate ESG risk monitoring will leave companies susceptible to compliance and reputation risks at their own enterprise level and throughout their supplier network.

Advancing Risk Management through Automation

When we are finally able to get COVID-19 under control globally, we must consider the possibility that the virus is only a “practice pandemic.” The next one could be worse in terms of mortality rate and business disruptions.

As it’s impossible to predict with certainty where the next global crisis will come from, enterprises must incorporate continuous monitoring capabilities across a broad risk aperture to enable the early warning system that continuity and resiliency requires. Unfortunately, today’s risk landscape is so vast that continuously monitoring risk is beyond human capabilities. The good news: there are risk solutions in the market that leverage automation to enable continuous monitoring that allows internal risk teams to move away from spending time on risk identification efforts to focus instead on risk mitigation.

For the increased volume of risk findings that may result, cutting-edge risk solutions have leveraged further advances in AI, data science and machine learning to automate a significant portion of risk actions required. Internal risk teams can focus on only the most critical risk mitigation efforts that require human intervention and effort. Incorporating today’s automation in TPRM programs can enable continuous monitoring across a broad risk aperture to provide a current and comprehensive view of an enterprise’s risk landscape.

Looking Ahead, Proactively

Eventually, we will move beyond the pandemic, but our dynamic risk landscape is here to stay. Proactive risk management can achieve continuity and resiliency going forward, but it will require enterprises to move to risk management practices that include continuous monitoring across a wide risk aperture, including location risk.

Fortunately, humans don’t have to do it alone. Today’s automation capabilities enable risk teams to stay ahead of the rapidly changing risk landscape effectively and cost efficiently. Early warning from leading indicators and automated risk-mitigation actions will enable risk teams to do more with less, and enterprises will experience improved business continuity and resiliency facing whatever new risk is next on the global horizon.

World’s largest crypto exchange under federal investigation

Article by Meera Narendra

Following allegations surrounding money laundering and tax violations, Binance Holdings Ltd., is facing a federal investigation by the Internal Revenue Service and the U.S Department of Justice.

According to Bloomberg, government officials have been seeking information from people who have insight into Binance’s business dealings and exploring possible money-laundering and tax-related offenses by both the exchange’s staff and customers.

The investigation comes after a report by Chainalysis, a blockchain forensic firm, traced $2.8 billion worth of illicit bitcoin on exchange and trading platforms, of which $756 million went through Binance.

The crypto exchange said: “We take our legal obligations very seriously and engage with regulators and law enforcement in a collaborative fashion. We have worked hard to build a robust compliance program that incorporates anti-money laundering principles and tools used by financial institutions to detect and address suspicious activity.”

Concerns have been raised regarding cryptocurrencies being used to conceal illegal transactions and those ”who’ve made windfalls betting on the market’s meteoric rise are evading taxes,” Bloomberg reported.

The cyber-attack against Colonial Pipeline Co, which triggered fuel shortages across the Eastern U.S. resulted in the company paying the hackers a $5 million ransom in intracetable cryptocurrency within hours.

Binance is also currently under investigation by the United States Commodity Trading Futures Commission (CTFC) for allowing U.S. investors to buy and sell derivatives.

Treasury deputy chief says reviewing costs, benefits of U.S. sanctions

Article by David Lawder

U.S. Treasury Deputy Secretary Wally Adeyemo told securities industry executives on Wednesday that the Treasury will weigh the costs and benefits of financial sanctions to ensure that they remain a strong and viable foreign policy tool.

In a statement following a meeting with the Securities Industry and Financial Markets Association (SIFMA), the Treasury said Adeyemo gave the group an update on his review of Treasury sanctions policy, saying that sanctions “have become the tool of first resort” to address national security and international economic challenges.

“He explained that while this tool has resulted in notable successes, it has also created unanticipated challenges,” Treasury said without naming specific cases.

“The Deputy Secretary stressed that moving forward, and as the United States faces a changing international order, the Treasury Department is assessing the costs and benefits of sanctions use in each case with an eye towards ensuring they remain a strong, viable option for policymakers in the years and decades to come.”

By David Lawder, Reuters, 21 April 2021

Accountants advised on how to write better SARs

Article by Accounting Web

The NCA and OPBAS have published guidance for accountants on preparing “clear and concise” Suspicious Activity Reports (SAR). David Winch summarises what a ‘good quality’ SAR looks like.

Not the most snappy title, but the latest “Guidance for anti-money laundering supervisors on submitting better quality Suspicious Activity Reports” published this month is mercifully brief and readable.

It’s been prepared by the National Crime Agency (NCA) in conjunction with the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) with the intention of helping accountants and lawyers improve the quality of the SARs which they submit.

Clear and concise

It’s not rocket science. The key point is that your SAR is going to be read initially by someone who knows nothing about your firm, nothing about the person about whom you are reporting, nothing about what you are hoping or expecting the authorities might do after receiving your SAR and – let’s be frank – probably understands very little about accounts, tax or company law.

It’s likely for this reason that acronyms and jargon should be avoided as the recipient might not understand and they’re open to misinterpretation.

So you need to give them enough background to understand who you suspect, what you suspect them of having done (or failed to do), what your connection is to the suspected person and suspicious events, and why this is an issue which should interest the authorities.

Aside from the most basic advice – “Punctuation should be used” – and please DON’T HIT CAPS LOCK – the guidance asks that SARs be clear and concise and structured in a logical format.

A brief chronological summary of events will be useful and the SAR glossary codes can save time for the writer as well as the reader. A quick XXF4XX tells the reader immediately that you are reporting a suspicion of personal tax evasion.

Of course you will not be in a position to, for example, quantify the amount involved in a suspected fraud – but you probably can give an order of magnitude which gives the reader a better understanding of the issue.  The more focussed and relevant information you can supply, the better.

Reason for suspicion

The suspicion element needs to be explicit. But with characters limited (8,000 characters on SAR Online and 30,000 using email bulk encryption), it advises you to focus on the five Ws: who, what, where, when and why.

  • Who is involved?
  • How are they involved?
  • What is the criminal property?
  • Where is the criminal property?
  • When did the circumstances arise?
  • Why is there suspicion?

If you’re needing to submit a SAR have a read of this new guidance HERE and use the appropriate glossary codes which you can find HERE.

Then get that SAR submitted and get back to remunerative work!