It’s all just a little bit of history repeating itself: How Business Risk Assessments Could Help to Reduce the De-Risking of the Crypto Currency Sector
In 2021, a Select Committee was set up in Australia to receive evidence on the country’s role as a technology and financial centre. Several different topics were canvassed, for which a variety of stakeholders made written submissions. One of these topics was the evolution of the cryptocurrency sector and the service providers who support them. The Committee also requested evidence about de-risking or “de-banking” – and the experience of FinTechs, and in particular, virtual asset services providers (VASPs), in trying to access banking services in Australia. The Committee’s final report was published in October 2021 and its findings make for useful reading by all VASPs as they begin their activities as AML/CFT regulated entities.
Back in Time – FinTechs and De-Risking
Sadly, this is the not the first time the FinTech community had come up against challenges when it comes to accessing banking services. Way back in 2013-16 in Europe, banks and regulators were discussing the potential financial crime (FC) risks posed by this group of new and exciting innovative businesses. At that time, the big concern from an FC perspective appeared to be FinTechs’ primary means of delivering their services. Their online or non-face-to-face delivery model was assumed to present greater FC vulnerabilities than the traditional face to face service model used by conventional retail banks.
The speed at which FinTechs harnessed technology to deliver their services required that, in many respects, both banks and European FC regulators quickly chase after them to keep pace with and understand how their operating models might make them susceptible to misuse by criminals. In some instances, banks were reported to perceive that the cost in terms of time and regulatory expense involved to ensure these risks were understood and mitigated, did not make commercial sense when it came to their bottom-line. Some European FinTechs eventually found themselves unable to set up a simple trading bank account or would be notified that their existing bank account was being closed.
FinTechs and AML Compliance
Certain European FinTechs did give pause for concern. Investment by a few of them predominantly focused on programming or product design staff, with an emphasis on the “customer experience”. Conducting know your customer (KYC) and other due diligence (CDD) was seen as the prickly friction that was just the opposite of a great customer onboarding journey. Resourcing of compliance teams was minimal, and controls were developed to deal with emerging risks on an “as and when time allowed” basis. Sometimes, the FC risks themselves were not apparent until it was too late.
Early European FinTechs that scaled their operations sometimes did so without also considering the impact this would have on existing AML/CFT controls. This meant that FinTechs would sometimes fall behind or fail to fully complete KYC and CDD checks of new customers. Some required support from external KYC or transaction monitoring services to catch-up or to remediate customer KYC and CDD information. Importantly, some banks were concerned about AML/CFT compliance culture: Did FinTechs really understand the kind of FC risks to which they could be exposed? Were some of them adopting the approach of “forgiveness is easier than permission”, instead of checking to make sure their compliance programme included all measures needed to comply with the AML/CFT regulations?
While most European FinTechs were serious about AML/CFT, one of their big challenges was in demonstrating this in a clear manner. Business risk assessments (BRA) were often requested by banks to gain assurance about Fintechs’ AML/CFT programmes. In some instances, insufficient time was devoted to completing a BRA that really reflected the FinTech’s business and the specific FC risks to which it was exposed. And as the old saying goes, “you never get a second chance to make a first impression”. Based on these initial BRAs, some banks were left unconvinced that establishing a business relationship with FinTechs fell within their FC risk appetite.
Fast forward to 2021-2022. Most European FinTechs are now more savvy, sophisticated and advanced in terms of their AML/CFT compliance experience and the tools they use to detect and prevent FC. Some have established strong partnerships and working relationships with their banks. There may still be the odd speed bump, but these relationships have changed and no longer are all FinTechs automatically branded as too “high risk” to support.
One of the other key developments has been BRAs. FinTech BRAs have rapidly evolved to become a credible tool of assurance and transparency. European FinTechs recognise how a clear, explainable BRA helps to alleviate banks’ concerns about whether they really understand their FC risks faces and seriousness with which they take their AML/CFT regulatory obligations.
History Repeating Itself – Lessons Cryptos Can Learn from the Early FinTech Experience
Last year, several Australian VASPs reported to the Select Committee encountering ‘… significant obstacles in setting up and running its business activities from the existing major banking providers’ and that ‘the current state of play was that major Australian banks will not do business with digital asset companies”. While de-risking is a complicated topic, the same FC-related themes seen 7 – 9 years ago in Europe also appear in the Committee submissions about VASPS and the wider cryptocurrency industry.
For example, one submission identified a possible reason for de-risking VASPS: “On reason – We believe it’s likely due to a lack of internal understanding and risk management processes on how to assess risk associated with start-ups in the Blockchain and crypto sector”. One the banking side, a bank explained that one of the reasons for not offering bank accounts to VASPS as, “… [the bank] may hold concerns around an entity’s management of Anti-Money Laundering or Counter Terrorism Financing (AML/CTF) requirements or their capability to meet these requirements. This could include a lack of evidence about how the entity will meet their requirements, or an entity may not have sufficient processes to monitor who their customers are”.
A third submission to the Committee identified banks’ lack of understanding about the controls used by VASPS to detect and prevent FC, and suggest that, “We believe a greater effort by banks to engage and understand this type of technology is key to banks better targeting the financial crime risks relating to crypto (rather than taking a blanket ban approach to all crypto businesses”.
So, what can VASPs, both in Australia and elsewhere, learn from the FinTech experience as they start their AML/CFT regulatory journey?
First, complete a proper BRA. This is the cornerstone of the AML/CFT programme and the mainstay of AM/CFT regulatory requirements. This sets the tone and demonstrates how the VASP uses its controls to mitigate the FC risks specific to its business, based on its operational model. And ensure a summary of the BRA results is available for distribution to banking partners, if requested. During a webinar on de-risking hosted by Banking Circle last year, Jonathan Bell, Group CFO at PXP Financial, advised businesses to communicate fully and clearly with banks and to purposefully to set about building a positive relationship. “If somebody is reviewing the information you’re providing and has big question marks or would say that there are lots of things missing, that does not get the relationship off to a good start. I think it is about trying to build that trust and confidence at the very early stages,” Jonathan said. Make sure the BRA reflects the criteria listed in the local AML/CFT regulations that must be complied with. And explain the controls used in a way that makes it clear which regulatory requirement they are intended to meet.
Second, when explaining your BRA, ensure the person presenting has a solid knowledge about how the BRA was conducted and the measures you describe to mitigate those risks. In the same Banking Circle webinar, another speaker noted, “When asked for a presentation about your business, present it as if it’s going to the Chief Compliance Officer, because ultimately that is the only person you need to get a green light from.”
Third, ensure there is evidence the VASP’s Board has seen, discussed and approved the BRA, including any recommended actions to improve or bolster controls. This demonstrates to banking partners that the body responsible for overseeing the business is serious about mitigating FC risks and is prepared to make the investment needed to keep those risks in check.
Finally, make sure the BRA results reflect the way the AML/CFT compliance programme and business model operate in practice. The risk appetite or residual risk result of the BRA should be reflected in the types of customers, countries and products and services offered by the business. A VASP’s customer acceptance policy should clearly show, on a risk-basis, which types of customers must be subject to enhanced due diligence, and importantly, which ones exceed the risk appetite of the business.
While VASPs are at the early stages of their AML/CFT regulatory journey, there is much they can learn from the experience of European FinTechs. Compliance measures may involve different technology and innovative controls, but at the end of the day, VASPs should it be able to demonstrate how they have come to understand their FC risks and the ways in which they address them. The lessons learnt by FinTechs in Europe should be leveraged where possible, and this includes taking the time and investing the effort needed to produce a practical and explainable BRA.
Artic Intelligence has published other articles on the benefits of completing a BRA, which you can find here. If you work with a VASP and are just starting on your AML/Regulatory journey, Arctic can assist you in setting conducting and maintaining a clear and concise BRA to support your future banking partnerships.
Follow us on LinkedIn and Twitter for a daily dose of financial crime news across the globe.