
4 good reasons why crypto businesses should complete an AML/CFT business risk assessment


If you work for a cryptocurrency business (“business”), chances are you’re in the process of becoming or have recently been authorised by a financial services regulator. If you’re fortunate enough to have already been authorised, you may have been required as part of that process to submit an AML/CFT business risk assessment (“BWRA”). Depending on how long you’ve been operating, you might already have a BWRA where you’ve assessed the types of financial crime (“FC”) risks to which the business could be exposed, and the controls needed to reduce those risks. And, based on our conversations with crypto businesses, you may have used that traditional tool – the Excel spreadsheet – to calculate and record your BWRA’s results.

Now let’s say your BWRA is done and dusted. You may have even been required to amend it as part of the authorisation process to change some elements of the BWRA that your local AML/CFT regulator felt did not meet the regulatory requirements. So, job done until next year when the AML/CFT regulations say you’ll need to review it, right?

Not so fast. This is the mistake that businesses new to the AML/CFT landscape often make.  Ordinarily, at this point in these sorts of articles, what follows is a detailed description of the regulatory requirements around BWRAs, the formulas used, the risks to be assessed and the controls used to mitigate those risks. There is usually a reference made to the regulatory consequences if you fail to complete a BWRA and keep it up to date.

This is not one of those articles. Instead, we want to highlight four (4) good (i.e. practical) reasons why businesses, now referred to in AML/CFT regulations as virtual asset services providers (“VASPs”), should take the time and invest the effort to complete a BWRA and keep it up to date.

Bon Appetit – Your BWRA and Risk Appetite

Completing a BWRA is not just about FC risks and controls but about understanding how much FC risk your business is happy to work with. If your business claims to have a “zero tolerance” for FC, how does that translate in terms of the types of customers you accept, the products you promote and the jurisdictions you accept business from? What does this mean in terms of the sorts of controls you apply and when you will exit a relationship?

Completing a BWRA allows the business to set a baseline for its risk appetite, rather than forcing managers to undertake the time-consuming task of dealing with customers on a case-by-case basis each time elevated FC risks are present. It also ensures that customers who are a “no go” for the business are not accidentally onboarded due to a lack of clarity around where its risk appetite begins… and ends.

Your BWRA is your Platform to Justify Tech Spend, Resource Asks and other Financing Requests

In the “old days”, an AML/CFT compliance function could obtain financing for its activities by claiming that dire consequences would arise from the AML/CFT regulator if more money was not spent on extra people or additional technology. This was especially persuasive where a business had received a bad report from their AML/CFT regulator following an onsite visit, or worse, was ordered to implement specific measures to improve its AML/CFT compliance framework. Some senior compliance leaders we’ve spoken with have noted that in the past, their senior management were only willing to spend money on AML/CFT compliance if the regulator forced them to do so.

Fast forward to the present day. Banks and other regulated institutions understand that it pays to proactively identify areas where controls need improvement or adjustment, rather than wait for the regulator to come calling. A solid BWRA that includes a clear roadmap describing the work needed to bring controls up to an acceptable level demonstrates that the business has evaluated where resources are most needed to address the greatest FC risks. It provides AML/CFT teams with logical justification where those changes involve financial investment.

Making sure these items are tracked (and completed!) once approved allows the business to plan resourcing across the different teams (i.e. IT, integration, AML/CFT, customer onboarding etc.) who may need to be involved and to prioritise, from a financial perspective, the measures necessary to ensure that risks stay within its risk appetite.

Your BWRA is your “Validation Source” for AML/CFT Discussions

A well-thought-out BWRA that is kept up to date is essential when it comes to discussions about your AML/CFT programme. This applies whether those discussions happen with members of management or an external party, such as a bank or a payment provider with whom you want to open an account. Sending pages and pages of policies, procedures, PowerPoint presentations of operating models etc. as evidence that you have an AML/CFT compliance programme forces an external stakeholder to try to interpret whether your AML/CFT programme is well thought out and relevant. In some cases, we have seen this backfire where external parties end up forming the view that the business has a greater exposure to FC risks than is actually the case.

Providing key stakeholders with a BWRA summary gives them a clear and concise view of the threats the business has assessed and how they are mitigated. Moreover, it demonstrates the seriousness with which the business takes the detection and prevention of FC. Most importantly, it allows the business to keep discussions about AML/CFT concerns focused on how it prevents FC rather than the extent to which it understands its FC risk exposure.

Your BWRA acts as your Diviner of Emerging Risks

Hopefully, over time, your business will be successful! It may grow organically, acquire other VASPs or expand its service offerings outside of the crypto space. The business may venture into new product offerings or widen its customer base globally. The business may increase the size of its customer base – and with it the proportion and types of FC risks that will need to be addressed.

Other changes may also happen to the environment in which the business operates – 5 years ago few articles appeared about ransomware and hacking; today it is considered one of the higher risks for VASPs. This means that controls first used to detect and prevent FC might need some TLC or even replacement to scale with the business.

Your BWRA, when maintained in the right way, can act as a diviner of emerging risks that can arise from these types of changes. Setting a baseline criterion for when it’s time to review the data used to conduct the BWRA can help the business to identify risks and vulnerabilities early and allow it to deal with them before actual FC manages to take place. It allows the business to spot where new FC risks are creeping up and to address them as soon as possible, rather than waiting for the once-yearly review only to discover that a risk has grown and not been effectively controlled.

Concluding Comments

Completing a BWRA offers several benefits to VASPs, beyond placing a “tick in the box” for one of their AML/CFT requirements. When maintained in an effective way, a BWRA can support a business in its growth by providing it with the means to plan for and respond to FC risks that might compromise those plans. Harnessing good technology to complete and maintain a BWRA is a great way to do so. Arctic Intelligence offers hosted Risk Assessment platforms to support your BWRA activities, helping you to ensure your BWRA is a contributing asset towards your business’ future success. Our solutions centralise and aggregate risk assessment content and produce defendable, evidence-based reports ready for your board and regulator.
