KYC: Know Your Crypto

Conversations with members reflect a need to screen for sanctioned accounts and illicit activity. Here are some options.

With no end in sight to the war in Ukraine and sanctions on Russia, corporates eyeing cryptocurrency opportunities are asking pressing questions about screening and investigating counterparties in transactions involving crypto.

• At a recent meeting of NeuGroup’s digital assets working group, one member expressed concerns that an NFT his company had sold could be resold to someone in Russia, with a portion of the proceeds headed back to the corporate, which receives royalties on all resales.
• Peers with cryptocurrency experience offered clear advice: Companies setting up digital wallets to make or receive crypto payments, even in small amounts, should have a defined compliance process to prevent payments to or from sanctioned and blacklisted parties in Russia and beyond.
• It’s not simple. A member who works at a cryptocurrency business said screening cryptocurrency payments “is the hardest challenge, even for us. Sanctions is a very hard problem to solve since there are no usernames or no logins, just a wallet.”

Crypto compliance basics. Tools employed directly by the corporate or a third party will screen payments by analyzing all data from the address associated with the crypto wallet, which is publicly accessible on the blockchain.

• Wallets that have confirmed interaction with sanctioned regions, or any suspicious activity, are flagged, as are all the addresses that interact with that wallet.
• So if a corporate is considering a transaction with a wallet the tool flags as connected to Russia, for example, the company would have the opportunity to investigate the wallet and, if necessary, cancel the transaction.
• But it’s not always so straightforward: some wallets are flagged for activity that could be linked to money laundering, so it’s up to compliance team investigators to look into the counterparty, not always an easy task.

Three compliance options. Here are three options for corporates in need of crypto compliance requiring screening and investigation:

1. Use third-party screening tools and minimal expansion of a compliance team. A company’s current compliance team can work directly with cryptocurrency screening tools from vendors including Chainalysis and TRM Labs. Members and experts say this option makes most sense if the corporate’s use case for crypto requires processing relatively few transactions (e.g., monthly payments to a contractor or a small batch of NFT sales). Also if the company wants to minimize risk and cost by controlling compliance itself.
   • This option may not require much—if any—expansion of a large corporate’s compliance team, which will investigate flagged wallets among other tasks.
   • One member stressed that not all tools are the same, so don’t settle for a less reliable solution to cut costs. If worst comes to worst and the tool fails, you’re going to want to tell regulators you used one of the top names in the industry.
     
2. Use third-party screening tools and start building a much bigger compliance team. This one’s for companies starting a new, customer-facing cryptocurrency business with potentially hundreds of thousands of payments. “If cryptocurrency is going to be a large-scale arm of the business, that will require aggressive expansion of the compliance team—even with a tool,” one member said.
   • Another member estimates that some companies will need “a few thousand” investigators using third-party tools and other means to vet all transactions flagged as sanctioned or suspicious.
   • A former compliance head at a cryptocurrency exchange told NeuGroup Insights that a corporate could also outsource the cryptocurrency compliance work to a dedicated compliance team, similar to a shared service center, but the cost would “still be in the millions.”
     
3. Find a third party that will assume full compliance responsibility. Some members are searching for third parties that will take on the entire compliance process, including screening and investigations. For example, one company is in negotiations to set up an interim wallet where all payments would be vetted by an NFT marketplace before being transferred to the company.
   • Corporates can also work with consulting firms like Deloitte, which can train a corporate’s compliance team or provide staff that will take on the process. Either way, consultants are a more expensive option.
   • Tim Davis, who leads the blockchain and digital assets practice for Deloitte’s Risk & Financial Advisory business, said, “We start by working with the business, understanding its regulatory requirements, then work up. We could have Deloitte in a co-source role directly assisting with monitoring cryptocurrency screening tools and investigating any red flags; or we can help to train staff hired by the company.”
   • Filling cryptocurrency compliance roles can be difficult, in part because it’s foreign territory to those who only have experience in traditional finance. “The tools available are great, but each company will need people who know what they’re looking at,” Mr. Davis said.