This year, the research team at Chainalysis found that illicit activity in crypto reached an all-time high in 2022. Why? One big factor is economic sanctions. 44% of illicit transaction volume came from activity associated with sanctioned entities, in a year when OFAC launched some of its most ambitious crypto sanctions yet.
Managing sanctions has always presented unique challenges for the various operators in the space, including traditional financial institutions (TradFi), money service businesses (MSBs), and now virtual asset service providers (VASPs). Having a mature sanctions compliance program in place is a necessary, but never perfect, approach to protecting your institution. For those in the cryptocurrency space, the stakes have never been higher.
In this blog, I’ll break down the fundamental elements of crypto sanctions compliance, including:
- Know Your Customer (KYC)
- Transaction Monitoring
- Continuous data improvements
- Taking context into account
- Industry coordination
In the following sections, I’ll offer comparisons between TradFi and crypto to show how, while similar in some aspects, there are unique challenges and opportunities presented to those developing sanctions compliance programs in crypto.
Sanctions compliance: The fundamentals
There once was a time where the responsibility of a sanctions compliance officer was to simply check names in a transaction or onboarding document against a printed out piece of paper containing the Office of Foreign Assets Control Specially Designated Nationals List (better known as the OFAC SDN List).
Today, firms utilize list management teams to integrate extensive lists to enhance their controls, including OFAC 50% lists, country data, IP blocking, and other unique methods to flag customer and transaction-related sanctions risk. They must ask questions like: what lists / internal data need to be screened, and how often? What vendors should be used? How do we measure a strong versus weak alias? What’s the percentage threshold of a name match needed to flag a hit?
While much of this applies to crypto, a key differentiator in crypto is the use of blockchain analysis tools such as Chainalysis Know Your Transaction (KYT) and Reactor, which compliance teams at financial institutions and cryptocurrency businesses alike, use to meet their sanctions compliance obligations. Cryptocurrency businesses like exchanges use KYT to apply risk-based alert settings and receive alerts if their customers are transacting with illicit services. It’s safe to say, whether in crypto, or TradFi, this can be a challenging undertaking, and one that requires a team of skilled experts.
KYC due diligence and IP blocking controls are quite similar between TradFi and VASPs. Effective controls will help identify exposure to sanctioned entities and those attempting to access a platform from a sanctioned jurisdiction. Continuous monitoring of these controls is an integral part of this process.
Historically, TradFi assessments of a new customer for sanctions exposure is often done through conducting independent due diligence, as well as a “Sanctions Questionnaire,” which requires a potential customer to fill out the percentage of their business involving sanctioned countries or entities. The ultimate assessment is heavily dependent on the prospective customers’ honest efforts to be transparent.
In crypto, TradFi institutions can assess a crypto company’s risk through the transparency of the blockchain instead of just relying on a customer email response.
The graphic above highlights the exposure of the VASP Bitzlato, which was recently subject to the first use of FinCEN Section 9714 order. With just one click of a button, a user can assess that at least 16.23% of Bitzlato’s received funds is exposed to sanctioned entities based on current Chainalysis data, which improves over time (more on that later). This can make for an easy risk-based assessment by a TradFi institution to determine whether this crypto prospect is worth onboarding.
With the right education and processes, TradFi has the opportunity to assess crypto companies in a way that simply wasn’t available before blockchain analytics.
Implementing effective list management and Know Your Customers’ Customer (KYCC) controls are integral parts of the transaction monitoring process for both crypto and TradFi. However, crypto businesses have to manage a different, unique set of challenges, including clustering, direct/indirect exposure, supporting continuous data improvements and new asset coverage. Many of these challenges can be supported by the use of blockchain analytics, including systems like KYT.
In crypto, clustering is an algorithmic method to determine a collection of addresses controlled by a single entity. When it comes to sanctions screening, it can most closely be compared in TradFi to OFAC’s 50% Rule, where the ultimate goal is to flag entities (TradFi) or wallet addresses (crypto) that belong to the extended network of an entity subject to sanctions.
OFAC includes cryptocurrency addresses as identifiers in sanctions designations and provides guidance for the virtual currency industry. However, these lists are not comprehensive, similar to sanctions designations outside of crypto. While just a few crypto addresses may be included as identifiers in a designation, a sanctions compliance team is still responsible for any additional addresses that are owned by that sanctioned entity. This is where blockchain analytics can capture this risk efficiently. The benefit of clustering can turn just a few addresses in a designation into hundreds of thousands, if not millions – creating an instant equivalent to 50% list screening, without nearly as much manual oversight.
Take Hydra, the darknet market for example. OFAC included more than 100 cryptocurrency addresses as identifiers in its designation; however, Chainalysis data boasts well over 6 million addresses affiliated with the now-defunct entity, which are immediately at a users’ fingertips for screening. This automation is a key advantage in crypto-related screening.
Direct vs. Indirect exposure
In TradFi, only activity that’s processed through that institution is reviewable; a bank only knows the activity of its clients and their direct counterparties. Whereas in crypto, analysts can see not only who their clients are interacting with, but who those third parties are interacting with, and so on. Analysts can leverage both direct and indirect exposure, and assess the relevance of that information to their VASP.
Direct exposure to a sanctioned entity or an entity located in a sanctioned jurisdiction is a relatively straightforward assessment.
In the above case, there’s no question that this exchange’s customer has directly sent funds to Garantex, an OFAC SDN. If the exchange is subject to U.S. jurisdiction and the transaction occurred after their designation, this is a clear sanctions violation that requires regulatory reporting.
What about indirect exposure? If intermediaries exist between your exchange and the sanctioned entity, a sanctions compliance team must assess the relationship between intermediaries.
The example above highlights how this can quickly become complex. What is the difference between the direct exposure to Garantex, and multiple intermediaries in between? The consistent approach thus far is to see if there’s truly a relationship between the funds sent by the sanctioned entity, and those received by the exchange.
While regulation has not yet specified how to manage this type of exposure, it is a challenge VASPs are required to face, and can often be time consuming. This can ultimately lead to over-compliance, which can stifle a growing customer base, or non-compliance, which can lead to increased regulatory risk. Drawing the right line in the sand is difficult and companies in this space would benefit from further regulatory guidance around indirect exposure.
Continuous data improvements
Blockchain analytics firms are consistently identifying new data and enriching their entity and asset coverage. This means it’s possible for unidentified parts of services to exist on the blockchain, undiscovered, either because insufficient information is available or an entity actively moves their infrastructure to avoid detection. Therefore, it’s also possible an exchange interacted with an entity subject to sanctions prior to the date of attribution, similar to a TradFi institution unknowingly engaging with a sanctioned entity using shell companies.
When a TradFi institution identifies a sanctions incident, they can block/reject funds and report to OFAC. However, the transaction details are only available to that institution, the counterpart institution involved in the transaction, and the regulators with which the report has been filed.
The crucial difference in crypto is that the underlying information sits transparently on the blockchain for all to see – and that matters when it comes to risk assessments and regulatory reporting, which leads us to our next section on context.
Taking context into account
Because VASPs cannot stop inbound funds, transactions from a sanctioned entity to a VASP may look like a violation based on the blockchain alone. However, those funds may have actually been frozen and reported to OFAC by that VASP before ever reaching the customer’s account. Therefore, the concept of receiving exposure should only be contextualized so far that one is aware of the actions the VASP took upon receiving those funds. With regards to outbound funds, the date in which an entity was designated, and the date those addresses were flagged in blockchain analytics, are also important factors.
For transactions which have slipped through the cracks (again, a reminder compliance programs can be great, but never perfect), the firm has an opportunity to file a Voluntary Self-Disclosure (VSD). This is ultimately a chance for a firm to explain why, when and how the violation happened, and how they remediated the issue. Clear reporting and actionable remedial steps is what truly drives successful sanctions compliance programs, as well as the potential opportunity for receiving a more favorable outcome from OFAC.
Private-public partnerships create an opportunity for the industry – including VASPs, TradFi, blockchain analytics companies, regulators and law enforcement – to communicate openly about where regulation and guidance can advance the industry.
Just as important, the transparency of the blockchain presents a new opportunity in private-private partnerships. While blockchain analytics companies have unique insights, VASPs have access to data that may be unique to them. Working together, VASPs and blockchain analytics companies can coordinate to make the ecosystem a safer place.
The crypto advantage: Looking forward
While crypto certainly has a unique set of challenges in sanctions compliance, there are also endless opportunities in automation and efficiency. Thanks to the transparency and immutability of the blockchain along with the help of education, regulation, blockchain analytics, and industry coordination, all companies in this space can work together and build towards a safer ecosystem.
Andrew Fierman is the Head of Sanctions Strategy at Chainalysis, Inc.. The views and opinions expressed in this thought piece are those of the author in his personal capacity and do not reflect the views and opinions of Chainalysis, Inc.. This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. The author makes no representations as to the accuracy or completeness of the information herein.