Part 4: Anti-Money Laundering Compliance | CBCP Module 3

4.1 FATF and the Global AML Framework

The Financial Action Task Force (FATF) sets the global standard for AML/CFT compliance. Its recommendations for virtual assets, adopted in 2019 and updated since, have reshaped how jurisdictions regulate cryptocurrency exchanges and service providers.

FATF (Financial Action Task Force)

An intergovernmental policy-making body established in 1989. Sets international standards for combating money laundering, terrorist financing, and proliferation financing. Its recommendations, while not legally binding, are implemented by 200+ jurisdictions.

Key FATF Definitions

Virtual Asset (VA)

A digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Does not include digital representations of fiat currencies, securities, or other financial assets covered elsewhere in FATF Recommendations.

Virtual Asset Service Provider (VASP)

Any natural or legal person who as a business conducts one or more of the following activities: (i) exchange between VAs and fiat currencies; (ii) exchange between one or more forms of VAs; (iii) transfer of VAs; (iv) safekeeping/administration of VAs; (v) participation in and provision of financial services related to an issuer's offer and/or sale of a VA.

FATF Recommendations for VAs/VASPs

Key requirements from the updated FATF Guidance (2021):

Recommendation 15: Countries must ensure VASPs are regulated, licensed/registered, and subject to AML/CFT supervision
Recommendation 16: The "Travel Rule" - VASPs must obtain, hold, and transmit originator/beneficiary information
Risk-Based Approach: Countries and VASPs should apply risk-based AML/CFT measures
Sanctions Compliance: VASPs must comply with targeted financial sanctions

Grey List Implications

Countries on the FATF "grey list" face enhanced monitoring and potential banking relationship difficulties. Jurisdictions are assessed on VA/VASP regulatory frameworks - inadequate crypto regulation can contribute to grey-listing.

FATF Mutual Evaluation

Countries are evaluated on VA/VASP regulation effectiveness:

Assessment Area	Evaluation Criteria
Legal Framework	Laws defining VAs/VASPs; licensing requirements; AML obligations
Supervision	Competent authority designated; supervisory powers; inspection regime
Enforcement	Sanctions for non-compliance; prosecution of violations
International Cooperation	Information sharing; mutual legal assistance

4.2 The Travel Rule

The Travel Rule (FATF Recommendation 16) requires VASPs to collect, verify, and transmit originator and beneficiary information for VA transfers. It's the most challenging AML requirement for crypto businesses due to technical implementation complexity.

Travel Rule Requirements

For VA transfers above the applicable threshold (often USD/EUR 1,000):

Originator Information (Sender)

Full name (natural person) or registered name (legal entity)
Account number/wallet address used for the transaction
Physical address, national ID number, or customer identification number
Date and place of birth (for natural persons)

Beneficiary Information (Receiver)

Full name (natural person) or registered name (legal entity)
Account number/wallet address for the transaction

Travel Rule Information Flow

Originator

Customer initiates transfer

Ordering VASP

Collects originator info; identifies beneficiary VASP

Transmission

Sends info via Travel Rule protocol

Beneficiary VASP

Receives and verifies info

Beneficiary

Receives VA transfer

Implementation Challenges

Counterparty Identification: Determining which VASP (if any) controls the beneficiary address
Protocol Interoperability: Multiple Travel Rule solutions exist; need standardization
Unhosted Wallets: Self-custody wallets have no VASP to receive information
Privacy Concerns: Transmitting personal data across borders raises GDPR issues
Sunrise Problem: Not all jurisdictions have implemented Travel Rule simultaneously

Travel Rule Solutions

Solution	Approach	Adoption
TRUST (Travel Rule Universal Solution Technology)	Major exchanges consortium; certificate-based	Coinbase, Gemini, Kraken, etc.
Sygna Bridge	CoolBitX protocol; API-based	Asia-Pacific VASPs
Notabene	Network interoperability layer	Global exchanges, wallets
Veriscope	Shyft Network; blockchain-based	Various global VASPs

Unhosted Wallet Challenge

Transfers to/from unhosted (self-custody) wallets present unique challenges. Some jurisdictions require: (1) enhanced due diligence for unhosted wallet transfers; (2) verification of wallet ownership; (3) transaction limits; (4) reporting of all unhosted wallet transactions.

4.3 KYC and Customer Due Diligence

Know Your Customer (KYC) and Customer Due Diligence (CDD) form the foundation of AML compliance. VASPs must verify customer identities, understand the nature of customer relationships, and monitor for suspicious activity.

KYC Components

Customer Identification Program (CIP): Collecting and verifying identity information at onboarding
Customer Due Diligence (CDD): Understanding the customer's business purpose and expected activity
Enhanced Due Diligence (EDD): Additional scrutiny for high-risk customers
Ongoing Monitoring: Continuous surveillance of customer activity and periodic reviews

Identity Verification Tiers

Tier	Verification Level	Typical Limits	Documents Required
Tier 0	Email only	View only; no trading	Email verification
Tier 1	Basic KYC	Low limits (e.g., $1,000/day)	Name, DOB, address, phone
Tier 2	Standard KYC	Medium limits	Government ID, selfie, proof of address
Tier 3	Enhanced KYC	High/no limits	Source of funds, employment, video verification

Risk-Based Approach

CDD measures should be proportionate to identified risks:

High-Risk Indicators

Geographic: High-risk jurisdictions; FATF grey/black list countries
Customer Type: PEPs; shell companies; trusts with complex structures
Product/Service: Anonymity-enhanced cryptocurrencies; mixer services
Transaction Patterns: Large volumes; rapid movement; structuring
Delivery Channel: Non-face-to-face; third-party reliance

Enhanced Due Diligence Measures

Senior management approval for relationship
Source of funds and source of wealth documentation
Enhanced ongoing monitoring frequency
First transaction verification
Purpose and intended nature of business relationship

Practical Implementation

Modern KYC typically involves: (1) OCR document scanning; (2) liveness detection for selfies; (3) database checks (sanctions, PEPs, adverse media); (4) address verification via utility bills or bank statements; (5) risk scoring algorithms to flag high-risk applications.

4.4 Transaction Monitoring and STR Filing

VASPs must implement transaction monitoring systems to detect suspicious activity and file Suspicious Transaction Reports (STRs) with financial intelligence units. This ongoing obligation extends throughout the customer relationship.

Transaction Monitoring Requirements

Automated Systems: Rule-based and/or AI-powered detection of unusual patterns
Threshold Alerts: Transactions above specified amounts trigger review
Behavioral Analysis: Deviations from expected customer activity
Network Analysis: Connections to known illicit addresses/entities
Manual Review: Human investigation of flagged transactions

Red Flag Indicators

Category	Red Flag Examples
Structuring	Multiple transactions just below reporting thresholds; split deposits/withdrawals
Mixing/Tumbling	Funds routed through mixing services; CoinJoin transactions
High-Risk Addresses	Interactions with known darknet markets, ransomware wallets, sanctioned addresses
Rapid Movement	Immediate withdrawal after deposit; funds passing through quickly
Geographic Risk	VPN usage from sanctioned countries; mismatched IP/stated location
Identity Concerns	Multiple accounts; fake documents; identity theft indicators

Suspicious Transaction Reporting

When suspicious activity is identified, VASPs must file STRs:

STR Filing Process

Detection: Alert generated by monitoring system or staff referral
Investigation: Gather additional information; document analysis
Decision: Compliance officer determines if STR warranted
Filing: Submit to FIU within required timeframe (often 15-30 days)
Tipping-Off Prohibition: Do not inform customer of STR filing

Tipping-Off Prohibition

Disclosing to a customer that an STR has been or will be filed is a criminal offense in most jurisdictions. Staff must be trained on this prohibition. Even hinting at compliance concerns can constitute tipping-off.

Blockchain Analytics Tools

VASPs use specialized tools for crypto-specific monitoring:

Chainalysis: Market leader; KYT (Know Your Transaction) for real-time monitoring
Elliptic: UK-based; covers wide range of crypto assets
CipherTrace: Mastercard-owned; integrated compliance solutions
TRM Labs: Risk assessment and investigation tools
Crystal Blockchain: BitFury product; visualization and tracking

4.5 Building a VASP Compliance Program

A comprehensive AML/CFT compliance program is both a regulatory requirement and a business necessity. This section outlines the essential components for VASPs operating in regulated jurisdictions.

Core Program Elements

Written Policies and Procedures: Documented AML/CFT policies approved by board/senior management
Compliance Officer: Designated individual with authority and resources
Risk Assessment: Enterprise-wide assessment of ML/TF risks
Internal Controls: Systems and procedures to mitigate identified risks
Training Program: Regular training for all relevant staff
Independent Testing: Periodic audits by qualified third party

Compliance Officer Responsibilities

Oversee day-to-day AML/CFT program implementation
Approve or reject high-risk customer onboarding
Review and approve STR filings
Liaison with regulators and law enforcement
Report to board/senior management on compliance matters
Stay current on regulatory developments

Documentation and Record Keeping

Record Type	Retention Period	Content Requirements
Customer Identity Records	5+ years after relationship ends	ID documents, verification records, risk assessments
Transaction Records	5+ years after transaction	Amount, date, parties, account details
STR Records	5+ years after filing	Investigation notes, decision rationale, FIU acknowledgment
Training Records	5+ years	Attendance, content covered, assessment results

Sanctions Compliance

VASPs must screen against sanctions lists:

OFAC SDN List: US Treasury's Specially Designated Nationals list
UN Sanctions: Security Council consolidated list
EU Sanctions: European Union restrictive measures
Local Lists: Jurisdiction-specific designated entities
Blockchain Addresses: OFAC has published sanctioned crypto addresses

Sanctioned Addresses

OFAC has designated specific cryptocurrency addresses associated with ransomware, North Korean hackers, and other sanctioned parties. VASPs must screen both customers AND transaction addresses against these lists. Transacting with a sanctioned address - even inadvertently - can trigger serious penalties.

Regulatory Examination Preparation

Be prepared for regulatory examinations by maintaining:

Current organizational chart with compliance reporting lines
Updated policies and procedures with version control
Risk assessment documentation with supporting analysis
Training records and materials
Sample of KYC files demonstrating compliance
Transaction monitoring rules and alert disposition
STR filing log and supporting investigation files
Independent audit reports and remediation tracking

Key Takeaways

FATF Standards: Set global AML/CFT requirements for VASPs; implementation varies by jurisdiction
Travel Rule: Requires transmission of originator/beneficiary info; technical implementation challenging
KYC/CDD: Risk-based approach; tiered verification; enhanced due diligence for high-risk
Transaction Monitoring: Automated systems plus blockchain analytics; red flag detection
STR Filing: Mandatory reporting of suspicious activity; tipping-off prohibited
Compliance Program: Policies, compliance officer, risk assessment, training, independent testing
Sanctions: Screen customers AND addresses; OFAC has published crypto addresses