Drafting a Risk-Based Anti-Money-Laundering Policy.
Several cryptocurrency service providers need to provide an Anti-Money-Laundering (AML) and Know-Your-Customer (KYC) policy. These policies are required in order to reduce the risk that the service is used by criminals and terrorists to hide the origin of funds, launder money used in criminal activities, and use it to buy legitimate assets such as real estate, shares in businesses or cryptocurrencies.
Background: AML Laws. Everyone remembers Al Capone; most people remember that he went down for tax evasion. People, however, don't get the connection between the two. Until the 1980s, many criminal organizations had a way to avoid being detected: they funneled their money through legitimate businesses and then continued to make a profit off these funds. Therefore, instead of putting cash in basements and using cash for everything, the criminal organizations decided to step into legitimate businesses and put their profits in the financial system.
This was possible partly because the banks were complicit and partly because, back in the day, banks had more of an obligation of secrecy: they did not provide any information or reporting to governments about what happened inside the bank.
During the 1980s, the US continued with the war against drugs and tried to forfeit drug funds which were held by banks. In order to do so, legislation was required and the Money Laundering Control Act was passed; it defined funds which resulted from specific criminal activities, and whose origin is hidden, as laundered money. The act made it an offense to disguise the origin of funds.
The FATF (Financial Action Task Force) was established in order to cooperate internationally, as criminal organizations tried to hide the source of funds while going through different states and establishing shell corporations.
The basis of AML laws is that financial institutions should regulate themselves and reduce their complicity in money laundering. This is done in two steps. The first is identifying and knowing your customer (KYC), meaning that there are no more things like shell corporations or straw men; following the KYC process, source-of-wealth and source-of-funds inspections are made. In such inspections, the financial institution has to review where the actual money came from and what the source of the client's wealth is. Later, anti-money-laundering procedures are meant to be taken to ensure that the money is not used in order to hide criminal activities (such as selling a used car to a drug dealer and depositing the funds in a bank account).
Why Are AML/KYC rules so important to crypto? The reason that most businesses which relate to cryptocurrencies have a bad reputation, and that banks and regulators require that crypto services do KYC/AML inspections, is somewhat related to bad press. There are a lot of different studies that show different numbers, but the overall range of claims is that between 44 percent and less than 1 percent of bitcoins are used for illicit purposes (you can find other numbers if you want). This is somewhat related to the Ross Ulbricht arrest and sentence, where the legendary Silk Road kingpin was found, arrested and sentenced for his involvement in other illegal activities.
So, basically, yes, criminals are like other people and they use money. Criminals also use water to drink, by the way. The usual banker or regulator also reads the paper with these articles and, being a conservative, says "well, I can't let that money come into our system". So, whenever they hear about a new and exciting cryptocurrency-related startup, they flag it for AML. In Israel, for example, banks have been reluctant to allow crypto exchanges to open bank accounts (this issue is now in appeal before the Supreme Court) and the Israeli Bitcoin Association has even published a guide to dealing with Israeli banks.
The thing is that, in most cases, the persons involved with money laundering were the banks themselves. People tend to forget that... but the first time WikiLeaks was introduced to the public was back in 2007, when WikiLeaks published a full list of a Swiss bank (Julius Baer) which were hiding assets in offshore accounts. In Israel, the second largest bank, Leumi, was fined for allowing US customers to hide their assets from the United States government.
What makes crypto-services so different from other services? Well, banks and regulators believe that crypto services offer greater anonymity (which is male-cow-feces) and that they are used for illicit affairs. Trying to persuade them otherwise might take a huge effort that will be barren, so it is better just to comply.
Who needs an AML/KYC policy? This differs from jurisdiction to jurisdiction, but under the Israeli Supervision of Financial Services Act (Regulated Services), the requirement applies to any service that allows the exchange of one financial asset with another (meaning, crypto-to-crypto && crypto-to-fiat), as well as lending services, credit services and similar financial tools. If your business just receives crypto as a payment method, then you are not required to receive a license nor are you required to have an AML/KYC policy.
KYC Basics: How to. The basis of KYC is actually to know your customer. This means that you need to: (i) verify that he is who he says he is; for a person this means that you need to verify him against at least one identifying document, and for a corporation to find out who the actual shareholders are (in KYC-speak, "Ultimate Beneficiary"); (ii) verify where he lives; this means that you need a proof-of-residency (e.g. a utility bill, or some other form) and to make sure that it's not just a bill; (iii) make sure that there are no other people who control this account; the fact that the person in front of you says he is the owner of the account or shareholder of the company usually means nothing if the company's website says that there are other managers, or if other reports show that people used this person as a strawman. There should be an efficient link between this person and the account; (iv) make sure that the person is not blacklisted; run that person's name against lists of known criminals like Trulioo or OpenSanctions; and (v) make sure your client is not from a proscribed country, meaning one of the countries that have sanctions against them for terror support.
Please note that under the Israeli Ordinances (upcoming, Hebrew) there may be some exemptions and states where you need not identify your client (these are mainly smaller activities), but please consult your lawyer.
These are the mere basics of the KYC policy. After you're done with this, you can go forward with the rest of your policy. These checks should be made for every person who you wish to provide financial services to, be it a token purchase, airdrop or crypto-to-crypto exchange.
AML Basics: Detect. After you're done with knowing your customer, you need to detect his activity. The first thing you need to make sure of is that his funds are from where he says they are. If the client is depositing fiat from a bank account, you need to make sure that this bank account is listed under that client's name. If he is depositing from a cryptocurrency wallet, please make sure that he is the owner of this wallet by requiring him to sign a transaction. After this, you need to verify the incoming transfer's source of funds; you can do so by studying the blockchain and analyzing it yourself, or by buying services from companies like Chainalysis or Elliptic. Chainalysis or Elliptic can give you insights about where the funds originated from: whether they were transferred via a mixer or a dark market, or used by a malware/scam wallet.
After you've detected the origin of the funds, you need to make sure that they are not used for malicious purposes.
AML: Prevent. AML prevention is as important as detection. This means that after you've converted a financial asset to another financial asset, you need to make sure that they are not complicit or involved in any money-laundering event. For example, let's say I've filled out a lottery ticket and won a hefty sum. Now, a person comes to me and offers me cash to buy my lottery ticket. Then he goes to the lotto station and gets the reward in cash, pays the taxes, and deposits the funds in his bank account. Now, I want to deposit my funds. I can't go to the bank, so I buy bitcoin. Then, I go to an exchange and run to the bank to deposit fiat back, hiding the origin and telling my bank that the funds are because I made a big bang with bitcoin. If you are the crypto-exchange and you identify a transaction that has no business logic (meaning, buying bitcoin with cash, and then cashing out with no gains and no losses), then you know that this might be a fraudulent transaction and you should choose whether to report it to the relevant authority or to block this transaction due to AML suspicion.
Now, lack of business logic is just one red indicator. There are other indicators which may show that some person is involved in money laundering; commencing with just sending cryptocurrency to known dark-web-market addresses, and ending with heavy exchanges. A money laundering expert should draft a specific policy based on your business and needs.
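As an added illustration (not part of the original article), the "no business logic" indicator described above can be expressed as a simple detection rule over an exchange's ledger. The record layout, customer names, function name and thresholds are all assumptions made for this example; a real policy sets its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data):
# (customer, ISO time, event, funding/payout method, fiat value)
LEDGER = [
    ("cust-A", "2024-03-01T10:00", "buy",  "cash", 50_000),
    ("cust-A", "2024-03-02T09:30", "sell", "bank", 49_800),
    ("cust-B", "2024-03-01T11:00", "buy",  "bank", 10_000),
    ("cust-B", "2024-06-15T14:00", "sell", "bank", 14_500),
    ("cust-C", "2024-03-05T08:00", "buy",  "cash", 20_000),
    ("cust-D", "2024-03-07T12:00", "buy",  "cash", 30_000),
    ("cust-D", "2024-03-10T12:00", "sell", "bank", 41_000),
]

# Assumed thresholds; a real policy sets these per business and jurisdiction.
MAX_HOLD = timedelta(days=7)   # how quickly the position was unwound
MAX_PNL_RATIO = 0.02           # |sold - bought| / bought treated as "no gains, no losses"

def flag_round_trips(ledger, max_hold=MAX_HOLD, max_pnl=MAX_PNL_RATIO):
    """Return one alert per cash-funded buy that is cashed out to a bank
    account shortly afterwards at roughly the same fiat value."""
    by_customer = defaultdict(list)
    for cust, ts, event, method, amount in ledger:
        by_customer[cust].append((datetime.fromisoformat(ts), event, method, amount))

    alerts = []
    for cust, events in by_customer.items():
        cash_buys = [e for e in events if e[1] == "buy" and e[2] == "cash" and e[3] > 0]
        bank_sells = [e for e in events if e[1] == "sell" and e[2] == "bank"]
        for b_ts, _, _, bought in cash_buys:
            for s_ts, _, _, sold in bank_sells:
                held = s_ts - b_ts
                pnl = abs(sold - bought) / bought
                # The sell must follow the buy, quickly, with no real gain or loss.
                if timedelta(0) <= held <= max_hold and pnl <= max_pnl:
                    alerts.append({
                        "customer": cust,
                        "bought": bought,
                        "sold": sold,
                        "held_hours": held.total_seconds() / 3600,
                        "action": "review: report or block",
                    })
    return alerts

if __name__ == "__main__":
    for alert in flag_round_trips(LEDGER):
        print(alert)
```

An alert here is a prompt for a compliance officer to review the case, not a verdict; the rule covers only this one indicator.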
AML: Deter. Having a good AML policy also deters criminals. If your token issuance (ICO, or Speculative Cryptocurrency Allotment Method, SCAM) has a good AML policy, then people who have profits that originated from crimes will not use your service, as they fear getting caught. If your token sale accepts cash, not just crypto, and people can come to you and get tokens for cash, no questions asked, then you might not deter criminals in the same sense. Having a deterring policy also makes you more in line with banks. You can approach each bank and ask to make your policy compliant with that bank's own policy for funds which originate from it. Some states are more sensitive to gambling-related activities while some are more sensitive to drug-related ones. You need to adapt.
Cooperation with authorities. KYC/AML also means that your crypto-business is not anonymous. It means that you do need to report to the relevant authorities. Recently, it was published that Bits of Gold, an Israeli exchange, entered into an agreement with the tax authority to share the list of its whales in order to make sure that there are no known tax evasions.
These are the main basics; please make sure that each service you run is AML/KYC compliant and that you consult a professional to do your AML/KYC policy.