Last year saw multiple crypto firms collapse, investors suffered large losses, and the number of overall cryptocurrency transactions fell; at the same time, illicit use of cryptocurrencies hit a record high with an estimated $20.1 billion worth of transactions.
Behind the increase was a rise in illicit transactions involving companies targeted by US sanctions. Transactions associated with sanctioned entities increased more than 100,000-fold in 2022, making up 44% of illicit activity that year. [1]
In light of these figures, it is imperative that compliance professionals are able to identify red flags that might highlight potential crypto money laundering risks. While these risks share many features with traditional money laundering red flags, compliance professionals must understand the red flags specific to cryptocurrencies.
Cryptocurrency Risks And Red-Flag Indicators
In September 2020, the Financial Action Task Force (FATF) released a report highlighting red-flag indicators of money laundering and terrorist financing aimed at virtual assets. [2]
These indicators are grouped into six categories:
- transactions
- transaction patterns
- anonymity
- senders or recipients
- source of funds or wealth, and
- geographical risks.
Let’s take a look at each of these red flag indicators in more detail, focusing on what they include and the standout contributors for each.
Transactions
Despite the nature of cryptocurrencies being very different from traditional fiat currency, the strategies employed by fraudulent users to launder money often resemble traditional methods. FATF highlighted several types of cryptocurrency transactions that could indicate money laundering may be taking place.
- Structuring transactions in small amounts or in amounts just under reporting thresholds.
- Making high-value transactions in a short period or in staggered or regular patterns.
- Depositing funds suspected as stolen or fraudulent into crypto wallets.
- Transferring virtual assets to jurisdictions that have non-existent or weak AML/CFT regulation or a jurisdiction that has no plausible relation to where the customer lives or conducts business.
- Withdrawing virtual funds without any in-between transactions, especially if the withdrawals incur fees, or converting the assets into multiple different assets that incur fees, especially if there is no logical business explanation.
Transaction patterns
Money laundering through virtual assets can often be identified through irregular, unusual, or uncommon transaction patterns, such as:
- New accounts are opened with large initial deposits that are traded away shortly afterward.
- New accounts are funded with amounts that do not appear consistent with the user’s profile.
- Transactions involving multiple assets or accounts with no logical business explanation.
- A number of crypto transactions result in a loss of money due to account fees.
- Repeated exchanges of fiat money to cryptocurrency without logical business explanation.
- Small amounts from numerous virtual wallets are instantly relocated or removed.
Anonymity
These red-flag indicators draw from the vulnerabilities of the underlying technology surrounding virtual assets, specifically the anonymous exchanges between cryptocurrency consumers.
Money laundering behavior that takes advantage of the anonymous nature of cryptocurrencies may show the following characteristics.
- Moving assets from a public, transparent blockchain, such as Bitcoin, to a centralized cryptocurrency exchange and then on to a private or anonymous coin.
- Transactions by customers that involve multiple cryptocurrency types, in particular those that involve highly anonymous currencies that incur additional, unjustifiable fees.
- A significant volume of peer-to-peer transactions involves mixing services without justification.
- Customers that operate as unregistered or unlicensed service providers for other users on peer-to-peer cryptocurrency sites may charge higher fees to their customers than traditional, licensed exchanges.
- The use of decentralized exchanges to transfer assets across borders.
- Funds entering cryptocurrency wallets from IP addresses associated with the darknet or similar software that allows for anonymity and encryption.
- Multiple, unrelated virtual wallets controlled from the same IP address.
- Sending funds to or receiving funds from service providers with weak or non-existent CDD/KYC processes.
- The use of virtual currency ATMs/kiosks in high-risk locations where increased criminal activity frequently takes place.
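As an added illustration (not from the ICA article or the FATF report), two of the indicators above, structuring just under a reporting threshold and multiple unrelated wallets controlled from one IP address, can be expressed as monitoring rules. The threshold, margin, time window, record layout and sample data are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration only; the article gives no thresholds.
REPORTING_THRESHOLD = 10_000   # hypothetical reporting threshold
NEAR_MARGIN = 0.10             # "just under" = within 10% below the threshold
WINDOW = timedelta(hours=24)   # look-back window for repeated near-threshold hits
MIN_HITS = 3                   # near-threshold transactions needed to alert

# Constructed sample records: (timestamp, customer, wallet, source_ip, amount)
TXS = [
    ("2023-03-01T09:00", "cust-A", "w1", "198.51.100.7", 9_500),
    ("2023-03-01T13:30", "cust-A", "w1", "198.51.100.7", 9_800),
    ("2023-03-01T20:15", "cust-A", "w1", "198.51.100.7", 9_900),
    ("2023-03-02T10:00", "cust-B", "w2", "203.0.113.20", 9_700),
    ("2023-03-05T10:00", "cust-B", "w2", "203.0.113.20", 400),
    ("2023-03-02T11:00", "cust-C", "w3", "192.0.2.44", 1_200),
    ("2023-03-02T11:05", "cust-D", "w4", "192.0.2.44", 900),
    ("2023-03-02T11:09", "cust-E", "w5", "192.0.2.44", 1_100),
]

def structuring_alerts(txs):
    """Customers with MIN_HITS or more near-threshold transactions inside WINDOW."""
    near = defaultdict(list)
    for ts, cust, _wallet, _ip, amt in txs:
        if REPORTING_THRESHOLD * (1 - NEAR_MARGIN) <= amt < REPORTING_THRESHOLD:
            near[cust].append(datetime.fromisoformat(ts))
    flagged = set()
    for cust, times in near.items():
        times.sort()
        # Sliding window: MIN_HITS consecutive hits spanning at most WINDOW.
        for i in range(len(times) - MIN_HITS + 1):
            if times[i + MIN_HITS - 1] - times[i] <= WINDOW:
                flagged.add(cust)
                break
    return sorted(flagged)

def shared_ip_alerts(txs, min_customers=3):
    """IPs from which wallets of several distinct customers are operated."""
    by_ip = defaultdict(set)
    for _ts, cust, wallet, ip, _amt in txs:
        by_ip[ip].add((cust, wallet))
    return {ip: sorted(w for _c, w in pairs)
            for ip, pairs in by_ip.items()
            if len({c for c, _w in pairs}) >= min_customers}
```

A single near-threshold transaction (cust-B) does not alert on its own; the rule fires only on repetition inside the window, which keeps ordinary large payments from being flagged.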
Senders or recipients
These red-flag indicators focus on the behaviors of either the sender or recipient of illicit transactions. The indicators can be further categorized as outlined below.
During account creation
- Creating multiple accounts under different names to circumvent restrictions.
- Transactions from non-trusted IP addresses or IP addresses from sanctioned jurisdictions.
- Users whose internet domain registrations are in different jurisdictions to the one in which they reside or a jurisdiction with weak controls.
During customer due diligence
- Incomplete or insufficient KYC information or the customer declines to provide documents upon request or information regarding the source of funds.
- Customers supply forged documents as part of the onboarding process.
- The sender/recipient lacks knowledge about the transaction, source of funds, or client relationship.
Profile
- Customer credentials are shared by another account.
- Discrepancies between the customer’s IP address and the IP from which transactions are initiated.
- Customer details appear on public forums associated with illegal activity.
- A customer is known via public information to law enforcement for criminal activity.
Potential money mules or scam victims
- Senders seem unfamiliar with crypto technology.
- A customer is significantly older than the average user and is engaging in a large number of transactions.
- Potentially vulnerable customers dealing in high-risk transactions.
- A customer purchases a large amount of assets which is inconsistent with their financial profile.
Other unusual behavior
- A customer regularly changes their personal details.
- A customer tries to enter a platform from multiple different IP addresses in a short period of time.
- The language used in transaction message fields indicates illicit activity could be present.
- A customer repeatedly conducts transactions with certain individuals at a significant profit or loss.
Source of funds or wealth
These are red flags that relate to the source of funds or wealth potentially being linked to criminal activity.
- Transactions originating from or sent to online gambling services.
- Transactions with accounts known to be linked to fraud, extortion, ransomware schemes, darknet marketplaces, illicit websites, or sanctioned addresses.
- Significant deposits that are out of profile with an unknown source of funds.
- Large deposits into virtual wallets are immediately withdrawn as fiat currency.
- A virtual wallet linked to multiple credit/debit cards that are known to withdraw large amounts of fiat currency frequently.
- The majority of a customer’s wealth is derived from crypto investments or initial coin offerings (legitimate or fraudulent).
- Funds are received directly from mixing services or wallet tumblers.
Geographical risks
Criminals will often move funds across borders, typically to jurisdictions with weak or no AML/CFT regimes or cryptocurrency guidelines. Red flag indicators related to this activity include:
- Customer funds deriving from or that are sent to a different jurisdiction than the one in which the user is located,
- Customers using cryptocurrency services located in high-risk jurisdictions with limited or no AML regulations in place, and
- A customer relocating their workplace to a high-risk jurisdiction with limited or no AML regulations in place.
The Future
The cryptocurrency landscape is unpredictable, and the red flag indicators identified by FATF are constantly evolving. It is vital that compliance professionals consider the recommendations, indicators, information, advisories, or circulars from local regulatory bodies or law enforcement, and always bear in mind the following.
- A risk assessment should be conducted to establish a firm’s needs and threats.
- A robust CDD process should be in place to verify a customer’s identity and any potential risks associated with that customer.
- Customers should be screened against sanctions lists.
- Ongoing monitoring is vital for ensuring a customer’s risk profile has not changed.
- Individuals and firms should regularly review guidance and updates surrounding the red flags associated with cryptocurrencies.
Written by Jon Prentice
This article was first published by the International Compliance Association (ICA), the leading professional body for the global regulatory and financial crime compliance community.
References:
[1] Chainalysis, The 2023 Crypto Crime Report, February 2023
[2] Financial Action Task Force, ‘Virtual Asset Red Flag Indicators of Money Laundering and Terrorist Financing’, September 2020