Governmental regulators want to know more about how risk and compliance work with virtual currencies — here’s specifically what they ask.
IdentityMind has spoken to government regulators on three continents about virtual currency. These conversations are usually initiated because a client wants IdentityMind to confirm to their regulators that they are serious about anti-money laundering (AML). Occasionally, it’s because regulators proactively reach out after hearing that financial institutions (FIs) are utilizing IdentityMind for AML compliance and want to learn about IdentityMind as a company.
Listed below are the 10 most common questions about virtual currency AML that government regulators ask IdentityMind, and the responses we provide. This insight will provide a helpful roadmap for anyone who has to present to any government regulators, as the questions asked are similar across jurisdictions. These questions are from conversations with the financial regulators of Bermuda, Colombia, and the United States, the three geographies we’ve spoken with most recently.
General Virtual Currency AML Compliance Questions:
Question 1: Who is IdentityMind?
IdentityMind is a digital identities platform that focuses on risk and compliance. Our platform falls within the regulatory technology (RegTech) solutions category. We began in 2013, and have been working with banks, exchanges, money service businesses, digital marketplaces, and FinTechs in general FIs since then. We’re headquartered in Palo Alto, California, with offices across North America, Latin America, Europe, and Africa. To date, we’ve worked with over 75 virtual currency exchanges and more than 200 ICOs or STOs.
Question 2: How does IdentityMind work?
- For KYC, these solutions involve sanctions and politically exposed person (PEP) screening, name and address validation, identity data validation, national identification validation, and document verification.
- For transaction monitoring, these solutions involve alerting clients to suspicious dollar amounts, suspicious timing, suspicious behavior, or suspicious virtual currency addresses.
Question 3: Do you make decisions on behalf of your clients? Are FIs outsourcing this activity to you?
IdentityMind provides FIs with information. It does not, however, create any AML policies on the behalf of an FI, nor does it decide which customers they should onboard, when to file reports on suspicious behavior, etc.
Please do not tell any governmental agency that IdentityMind will do this for you, as it’s against our policy, and most importantly it will put your FI under grave regulatory suspicion. IdentityMind does, however, refer FIs to industry experts such as Koi Compliance, whose ongoing partnership with IdentityMind enables them to develop risk-based AML policies and effective IdentityMind configurations by drawing upon deep product and compliance knowledge. While FIs remain ultimately responsible for compliance obligations, advice and staff resources from Koi Compliance can help FIs conserve limited in-house compliance resources for the making of informed, high-level decisions.
KYC / Onboarding Questions
Question 4: How are you meeting local regulatory requirements?
This is the real question, and even if it’s not the first question asked, it’s the most important one. We respond by walking through:
- What the country’s AML requirements are. It’s critical to know because they vary by country and use case. You obviously need to know the requirements of the country you’re speaking to. Canadian non-face-to-face validation requirements are very different than CIP in the United States, and it’s crucial to show you understand the requirements of the regulator you’re speaking with, even if it’s not where you are based.
- What the IdentityMind platform provides for onboarding (KYC) potential customers and how they monitor their customers and their transactions once the customer is allowed to use the platform.
The key is to show that crypto FIs can and do follow the same regulation as traditional FIs, and maybe even more.
Question 5: How do you ensure that customers signing up really exist? (e.g. How do you ensure this is not a synthetic identity?)
IdentityMind discusses how we address validation through public records when possible, how we validate national IDs, and how we can validate government-issued documents in nearly every country in the world.
Question 6: How do you ensure people can’t create accounts with stolen identities?
We utilize biometric technology, including comparing selfies with a validated government-issued document. We recently had a government complain to us that while their real government documents aren’t very good, their fake government documents are. What we can do about that is use biometrics to ensure the person applying is the person in the document. Moreover, if FIs want to go beyond a simple selfie, there are additional liveness tests, where the applicant is not only compared against the picture but has to move or blink to prove that they are in front of the camera.
Question 7: How do you tell if funds are coming from a bad person or a bad act?
This question is asked many different ways, but the term to use when speaking with a government official is “source of funds.” The way we do this includes adverse media to ensure the potential customer is not a known bad person and a platform that allows you to interact with the customer that will permanently store any information they give you.
Question 8: How do you stop people from creating multiple accounts? How do you stop people from taking over multiple accounts?
IdentityMind’s platform alerts FIs if it detects an individual creating, or attempting to access, multiple accounts (account takeover). How it does this is eDNA™, which is a digital representation of an individual combining digital attributes (e.g.email address, phone, devices, social network, IP geolocation), physical attributes (e.g. name, billing and shipping addresses, government-issued identifiers — like SSN, national IDs, passports), payment information (e.g. credit cards, bank accounts, digital wallets), biometric data (selfies), and behaviors (access, logins, payments).
Transaction Monitoring Questions
Question 9: How can you tell if virtual currency coming in are tainted or connected to malicious actors?
IdentityMind has a four-part solution process that ensures:
- IdentityMind clients are not directly involved with any sanctioned bitcoin addresses.
- IdentityMind clients are alerted to second or third connections to high-risk addresses.
- IdentityMind clients are notified if a customer has been associated with high-risk addresses.
- IdentityMind clients can perform a look-back to see the risk of clients they’ve already worked with.
Question 10: Can IdentityMind clients set thresholds on the dollar amount customers are transacting?
IdentityMind’s platform enables our clients to have a risk-based platform where they can set thresholds by dollar amount, geography, and these thresholds can be different based on if a new or established client. Therefore, transactions coming from specific places or over certain dollar amounts can be flagged for review. For instance, in the US, compliance officers will often set thresholds at certain dollar amounts to comply with FinCEN’s SAR thresholds, while in Switzerland, the Money Laundering Reporting Office Switzerland (MROS) has different dollar amount thresholds.
IdentityMind has spoken with regulators all over the world, and while virtual currency is fairly new and met with skepticism, all their inquiries have been reasonable and fair. Moreover, by speaking with them in a positive manner, with preparation, and good responses that show that virtual currency doesn’t mean any loss of AML, KYC or transaction monitoring oversight and that in certain ways this oversight can be more stringent than it is for legacy FIs, the results will most likely be positive. Regulators can be your biggest advocates with law enforcement and obtaining banking relationships, as long as you provide them the information and rationale to do so.