On April 28, 2022 the New York Department of Financial Services (“NYDFS”) issued its Guidance on Use of Blockchain Analytics, a document directed to all virtual currency business entities that either have a NYDFS Bitlicense or are chartered as a limited purpose trust company under the New York Banking Law. The Guidance emphasizes “the importance of blockchain analytics to effective policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”
The NYDFS is stressing the role of blockchain analytics in anti-money laundering (“AML”) compliance because “virtual currencies such as Bitcoin and Ether can be transferred peer-to-peer directly from one individual or entity to another pseudonymously, absent the use of a regulated third party (e.g., between non-custodial wallets, or self-hosted wallets that allow users to maintain control of their private keys). . . . [T]hese wallet addresses are typically pseudonymous, with nothing on the face of the transfer tying back to the originator, beneficiary, or underlying beneficial owners.”
Given the potential compliance challenges presented by such characteristics, the NYDFS wants virtual currency entities to leverage the fact that virtual currencies also enable provenance tracing because “the blockchain ledger’s immutability typically allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers.”
The Guidance provides that, ultimately, all risk mitigation strategies must account for an entity’s business profile to assess risk across types of virtual currencies and effectively address the specific characteristics of any particular virtual currency involved. If a virtual currency entity chooses to outsource its control functions to third-party service providers rather than use only internally developed blockchain analytics, it must have “clearly documented policies, processes, and procedures with regard to how the [third-party] blockchain analytics activity integrates into the [entity’s] overall control framework consistent with the [entity’s] risk profile.”
Augmenting KYC Controls
According to the Guidance, virtual currency businesses should consider – for the purposes of complying with Know-Your-Customer requirements – “using products and services that allow their users to obtain identifying information (e.g., location of a wallet address on a specific exchange for custodial transactions) that ties directly to the pseudonymous on-chain data, particularly in combination with customer-provided information.” Citing to FinCEN’s May 9, 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency, the Guidance states that such products and services “typically can identify wallet addresses associated with an institution . . . as well as known high-risk wallet addresses such as darknet marketplaces[.]” However, “such tools may not be able to identify underlying owners, including ultimate beneficial owners, and may have limited attribution capability, absent further ‘off-chain’ verification methods integrating customer-provided data.” Ultimately, regulated entities must have “policies, processes, and procedures to assess counterparty exposure for virtual currency funds transfers[.]”
Conducting Transaction Monitoring of On-Chain Activity
Citing FinCEN’s March 7, 2022 alert regarding increased vigilance by financial institutions for potential Russian sanctions evasion attempts, the Guidance provides that virtual currency businesses must “have policies, processes, and procedures for the tracing of transaction activity for each type of virtual currency the entity supports and the flow of funds through the blockchain for any inbound or outgoing activity (often described as ‘provenance tracing’ or ‘transaction tracing’)” in order to report potential suspicious activity. Moreover, virtual currency businesses should have “appropriately tailored transaction monitoring coverage against applicable typologies and red flags, identify deviations from the profile of a customer’s intended purposes, and address other risk considerations as applicable.” Documentation should describe case management and escalation processes, and should focus, among other things, on the customer’s source of funds.
Conducting Sanctions Screening of On-Chain Activity
Finally, the Guidance observes that AML compliance policies must be designed to identify virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions. The Guidance quotes OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry: “Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data) associated with sanctioned individuals and entities listed on the SDN List or other sanctions lists, or located in sanctioned jurisdictions.” As we have blogged, U.S. sanctions and their attempted evasion is an extremely “hot” topic right now, particularly in regards to the use of high-value assets to try to evade sanctions involving Russia.