History repeating itself: How business risk assessments could help to de-risk the cryptocurrency sector

It’s all just a little bit of history repeating itself: How business risk assessments could help to reduce the de-risking of the cryptocurrency sector

Introduction

In 2021, a Select Committee was set up in Australia to receive evidence on the country’s role as a technology and financial centre. Several different topics were canvassed, for which a variety of stakeholders made written submissions. One of these topics was the evolution of the cryptocurrency sector and the service providers who support them. The Committee also requested evidence about de-risking or “de-banking” – and the experience of FinTechs, and in particular, virtual asset services providers (VASPs), in trying to access banking services in Australia. The Committee’s final report was published in October 2021 and its findings make for useful reading by all VASPs as they begin their activities as AML/CFT regulated entities.

FinTechs and De-Risking

Way back in 2013-16 in Europe, banks and regulators were discussing the potential financial crime (FC) risks posed by this group of new and exciting innovative businesses. At that time, the big concern from an FC perspective appeared to be FinTechs’ primary means of delivering their services. Their online or non-face-to-face delivery model was assumed to present greater FC vulnerabilities than the traditional face to face service model used by conventional retail banks.

The speed at which FinTechs harnessed technology to deliver their services required that, in many respects, both banks and European FC regulators quickly chase after them to keep pace with and understand how their operating models might make them susceptible to misuse by criminals. Some European FinTechs eventually found themselves unable to set up a simple trading bank account or would be notified that their existing bank account was being closed.

Lessons Cryptos Can Learn from the Early FinTechs

Last year, several Australian VASPs reported to the Select Committee encountering  ‘… significant obstacles in setting up and running its business activities from the existing major banking providers’ and that ‘the current state of play was that major Australian banks will not do business with digital asset companies”. While de-risking is a complicated topic, the same FC-related themes seen 7 – 9 years ago in Europe also appear in the Committee submissions about VASPS and the wider cryptocurrency industry.

So, what can VASPs, both in Australia and elsewhere, learn from the FinTech experience as they start their AML/CFT regulatory journey?

  1. Complete a proper BRA. This is the cornerstone of the AML/CFT programme and the mainstay of AM/CFT regulatory requirements.
  2. When explaining your BRA, ensure the person presenting has a solid knowledge about how the BRA was conducted and the measures you describe to mitigate those risks.
  3. Ensure there is evidence the VASP’s Board has seen, discussed and approved the BRA, including any recommended actions to improve or bolster controls. This demonstrates to banking partners that the body responsible for overseeing the business is serious about mitigating FC risks and is prepared to make the investment needed to keep those risks in check.

Finally, make sure the BRA results reflect the way the AML/CFT compliance programme and business model operate in practice. The risk appetite or residual risk result of the BRA should be reflected in the types of customers, countries and products and services offered by the business. A VASP’s customer acceptance policy should clearly show, on a risk-basis, which types of customers must be subject to enhanced due diligence, and importantly, which ones exceed the risk appetite of the business.

Source: Arctic Intelligence

Interested in this topic? Register now to hear Arctic Intelligence speak at the Fintech 21 Forum

Read more

Leave a Reply

Your email address will not be published.

Join Fintech Connections receive newsletter & our event promotion

"*" indicates required fields

This field is for validation purposes and should be left unchanged.