I’m a Crypto Startup With a Newly Written AML Policy. Now What?
Cryptocurrency businesses that emphasize a culture of compliance are businesses that are built for the long haul. But what does it mean to practice good compliance every day?
It starts with the understanding that good compliance isn’t a one-and-done responsibility. You don’t create policies and procedures to protect your business and industry from financial criminals only to throw it all into a filing cabinet and never think about it again.
But even businesses with good compliance can have trouble fully implementing a living, breathing philosophy of compliance that is evident in everything they do every day.
Here’s the truth…
In a nascent industry like cryptocurrency, where the rules are constantly in flux and regulators are sometimes prone to implementing more intense scrutiny on businesses, entrepreneurs can’t simply rest on their laurels.
While annual audits and independent testing are important elements of a functioning financial institution, nothing can replace daily examination of your internal processes. This is what we mean when we talk about a culture of compliance.
What if your business was selected for a surprise examination by federal or state regulators right now? What grade do you think you would get?
This isn’t some hypothetical — surprise examinations happen all the time, and we expect the trend to increase (especially when the SEC more or less comes out and says so).
You want your cryptocurrency business to be prepared to pass any surprise examination at the state or federal level. To pull this off, you’ll need to test yourself constantly, if not daily in some cases.
Implementing daily compliance testing is easier said than done, so we’ve put together a list of eight places you can start. These are items that independent auditors and regulatory examiners will be looking for, and though this list is no replacement for an annual audit or independent testing, it should help you get the ball rolling on establishing robust internal testing and monitoring.
You can start by evaluating the overall integrity and effectiveness of your BSA/AML Program.
This program gives you the 30,000-foot overview of your compliance, and can help give you a big-picture understanding of which policies and procedures you deploy most often, and which may require a revisit (whether they need to be updated or sunsetted altogether).
A few questions to ask yourself during this process that may lead into the other points on this list include:
From here, you will have a much better understanding of which individual parts require a closer look. But even policies and procedures that seem strong can require an update in light of new regulation, or create vulnerabilities for your business. Leave no stone unturned.
Evaluating policies and procedures pertaining to BSA/AML reporting and recordkeeping requirements is critical, since auditors will ask you to produce any number of records during an examination.
They expect your records to be comprehensive, detailed, and organized so that they can be easily and quickly called up for review. Good recordkeeping is one of the best ways for you to send a signal that your organization values a culture of compliance.
A few questions to consider:
You may find some other useful tips in our blog post on records retention.
Your KYC/CDD policy and procedures are mission-critical elements of sound institutional compliance. As such, evaluating their implementation and maintenance is key to your organization’s overall picture of health.
Financial criminals can be incredibly sophisticated and are always looking for new ways to exploit otherwise legitimate systems, including cryptocurrency businesses with robust compliance.
This means that your KYC/CDD will need to be evaluated and updated often, and regulators will be looking for innovative ways you are protecting the industry from money launderers and your customers from scam activity.
For more on this topic, please review our blog posts on KYC/CDD for cryptocurrency businesses, and a more recent post with updated tips you may find useful.
Your institution’s transaction activity is arguably the most important data set you possess when it comes to enforcing your AML Program and associated procedures.
Watching for red flags in transaction activity is a frontline responsibility, and your institution’s ability to monitor and respond effectively is crucial.
A few questions to consider include:
You may also find our blog posts on surveillance and monitoring for cryptocurrency MSBs and red flags no crypto business should miss helpful.
Compliance training for all employees is an annual requirement, as well as an immediate requirement for all newly-hired employees. But like everything else within the world of compliance, employee training isn’t just a check-the-box activity.
Of course, you need to record your annual one-hour training sessions for all staff, but there’s also a lot of on-the-job compliance training that should be making its way back to your staff training program.
You may find surprising knowledge gaps on your team; maybe some frontline employees haven’t been trained on how to use specific red flags properly, or certain updates to institutional compliance weren’t circulated to the team. Constantly ask yourself:
You may find our blog post on AML training for cryptocurrency businesses helpful. BitAML also provides up-to-date annual BSA/AML training as a service.
This point goes hand-in-hand with point #4, but bears its own entry. Every cryptocurrency money services business/money transmitter has its own systems for identifying potentially suspicious activity.
As a sole proprietor of a single bitcoin ATM, you may have some combination of red flags you check manually and software applications that assist (but do not replace) KYC on your machine. If you operate a cryptocurrency exchange, you have enterprise-wide solutions for identifying suspicious activity.
Every business is going to be different, due to the business model, customers and geographies served, and any number of other risk factors.
The important thing is to make sure that your systems, whether automated or manual, for identifying potentially suspicious activity are constantly updated.
Following on from the last point is your system for reporting suspicious activity that does arise.
To put it bluntly, suspicious activity reporting (SAR) is an area where many crypto businesses have some room for improvement. Sound SAR policy requires internal reporting through a chain of command and a formal reporting period. With so many steps, it’s easy for balls to get dropped.
You may find lapses in your SAR process or discover that an employee assigned to filing doesn’t have the bandwidth to do so in a timely manner. A few questions to consider:
Like we said, this is a tough one for many businesses, but we cannot emphasize its importance enough. If you need more insight, you can read our blog post on SAR filing, or reach out for a consultation at the end of this post.
Demonstrating the ability to identify deficiencies (if any) and implement solutions sends a clear signal to examiners that your institution is striving to create and maintain a culture of compliance.
Throughout your continual internal testing, be sure to document (in writing) identified shortcomings and any steps you have taken to address them.
Doing so will reflect well on your institution during the course of an examination.
When it comes to compliance, an ounce of prevention is worth a pound of cure.
Baking a few painless, routine self-checks into your day-to-day means your business won’t need to consider the worst-case scenarios, like fines or other potential sanctions or consequences.
AML compliance is constantly changing, especially in a new industry like cryptocurrency. Because of this, be sure to update your AML Program consistently and document the updates. As you grow and the regulatory landscape develops and changes, you’ll need to continue testing and updating to keep up. Documentation of this process will show your company’s good-faith effort to comply with regulations, which may help during a regulatory examination or audit at some point in the future.
When you consistently test and monitor your AML compliance program, you’ll never risk being behind the curve.
We’re always available to help. Reach out to BitAML here.