Posted by Brian Monroe - bmonroe@acfcs.org 04/09/2021
Special ACFCS Exclusive Contributor Report: Three ways compliance professionals can use AML, AI, contextual investigations and more to better protect their institutions from the growing threat of crypto crime
The skinny:
- The volatile crypto sector has in recent months captured more interest, legitimacy, value and mainstream acceptance, with high-profile tech leaders like Tesla founder Elon Musk jumping on board – setting up an eventual clash with compliance teams.
- That’s because along with crypto coins like Bitcoin eclipsing the $60,000 mark the volatility and opportunity has also attracted the attention of scammers, fraudsters and money launderers looking to enrich coffers, dupe the unwary and buy and sell illicit items on shady darknet markets.
- Not surprisingly, the intersection of virtual assets, crypto exchanges and banks – the physical on-road and off-road where digital dollars convert to physical dollars and vice versa – means anti-money laundering (AML) professionals, regulators and investigators must be just as crafty and creative as criminals.
- In this piece, we will dissect what global counter-crime and compliance watchdog groups say when it comes to understanding and uncovering crypto crime risks and red flags along with innovative strategies to stop them, from AI to contextual investigations and more.
By Garima Chaudhary
Head of Financial Crime & Compliance Management Solution Consulting – Americas, Oracle
April 9, 2021
With editing and minor content additions by ACFCS VP of Content, Brian Monroe
The volatile crypto sector has in recent months captured more interest, legitimacy, value and mainstream acceptance, with high-profile tech leaders like Tesla founder Elon Musk jumping on board – setting up an eventual clash with compliance teams.
That’s because along with crypto coins like Bitcoin eclipsing the $60,000 mark – that coin alone has flirted with a $1 trillion market cap – the volatility and opportunity has also attracted the attention of scammers, fraudsters and money launderers looking to enrich coffers, dupe the unwary and buy and sell illicit items on shady darknet markets.
Not surprisingly, the intersection of virtual assets, crypto exchanges and banks – the physical on-road and off-road where digital dollars convert to physical dollars and vice versa – means anti-money laundering (AML) professionals, regulators and investigators must be just as crafty and creative as criminals.
In this piece, we will dissect what global counter-crime and compliance watchdog groups say when it comes to understanding and uncovering crypto crime risks and red flags along with innovative strategies to stop them, including:
- Unleashing the power of artificial intelligence
- Graphing and visual analytics
- Advanced entity resolution techniques
- Multi-dimensional risk monitoring
- Human experience-infused and data-driven contextual investigations.
But first, some of the basics. What is the proper way to even describe a crypto coin?
As per the Financial Action Task Force (FATF), the terms Cryptocurrency, Virtual Currency and Virtual Asset (VA) all refer to a digital representation of value that can be digitally traded and functions as a medium of exchange.
But even though a VA can be considered a unit of account; and/or a store of value, it is not a “fiat currency” aka “real currency,” or is what we all have in our wallets: a currency backed by a country or, in times past, a physical asset, like gold.
VAs and related services have the potential to spur financial innovation and efficiency, but their distinct features also create new opportunities for money launderers, terrorist financiers and other criminals to launder their proceeds or finance their illicit activities.
That is chiefly due to their “pseudo anonymous” nature and that many countries are still in the process of creating fincrime compliance laws, regulatory exam structures and enforcement processes around the raucous and roiling crypto space.
Just in 2020, VAs around crypto thefts, hacks, and frauds totaled $1.9 billion.
Fraud is the dominant cryptocurrency crime, followed by theft and ransomware. In the United States, cryptocurrency exchanges – entities in many jurisdictions considered “financial institutions” and “money services businesses” and subject to anti-money laundering (AML) compliance rules – sent $41.2 million worth of Bitcoin directly to criminals in 2020.
How Organized Criminals are Exploiting VA: Common Red-Flags & Risk Indicators
The types of offences reported related to VAs include Money Laundering (ML), the sale of controlled substances and other illegal items (including firearms), fraud, tax evasion, computer crimes (e.g. cyberattacks resulting in thefts), child exploitation, human trafficking, sanctions evasion, and Terrorist Financing (TF).
Among these, the most common type of misuse is illicit trafficking in controlled substances, either with sales transacted directly in VAs or the use of VAs as a ML layering technique.
The second most common category of misuse is related to frauds, scams, ransomware, and extortion.
More recently, professional ML networks have started exploiting VAs as one of their means to transfer, collect, or layer proceeds. Below are key red-flags and risk indicators for VAs (source).
1.) Irregularities observed during account opening, customer due diligence (CDD) processes or high-risk profiles: Transactions initiated from non-trusted IP addresses, IP addresses from sanctioned jurisdictions, or IP addresses previously flagged as suspicious.
Or trying to open an account frequently within the same virtual asset service providers (VASP) from the same IP address.
Incomplete or insufficient know-your-customer (KYC) information, or a customer declines requests for KYC documents or inquiries regarding source of funds or has provided forged documents.
Or the customer name or address appears on public forums associated with illegal activity by law enforcement due to previous criminal associations.
a.) Source of funds or wealth:
- Transacting with VA addresses or bank cards that are connected to known fraud, extortion, or ransomware schemes, sanctioned addresses, darknet marketplaces, or other illicit websites.
- VA transactions originating from or destined to online gambling services.
- The use of one or multiple credit and/or debit cards that are linked to a VA wallet to withdraw large amounts of fiat currency (crypto-to-plastic), or funds for purchasing VAs are sourced from cash deposits into credit cards.
- Lack of transparency or insufficient information on the origin and owners of the funds, such as those involving the use of shell companies or those funds placed in an Initial Coin Offering (ICO) where personal data of investors may not be available or incoming transactions from online payments systems through credit/pre-paid cards followed by instant withdrawals.
- Bulk of a customer’s source of wealth is derived from investments in VAs, ICOs, or fraudulent ICOs, etc.
2.) Profile of potential money mule or scam victims: Sender does not appear to be familiar with VA technology or significantly older than the average age of platform users and opens an account and then quickly engages in large numbers of transactions, suggesting their potential role as a VA money mule or a victim of elder financial exploitation.
3.) Size and frequency of transactions: Structuring VA transactions (e.g. exchange or transfer) in small amounts, or in amounts under record-keeping or reporting thresholds, like structuring cash transactions.
Making multiple high-value transactions in short succession, such as within a 24-hour period. Transferring VAs immediately to multiple VASPs, especially to VASPs registered or operated in another unrelated or high-risk jurisdiction.
4.) Geographical risks: Customer’s funds originate from, or are sent to, an exchange that is not registered in the jurisdiction where either the customer or exchange is located.
Or customer utilizes a VA exchange or foreign-located transfer service in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for VA entities, including inadequate CDD or KYC measures.
5.) Anonymity:
- Transactions by a customer involving more than one type of VA, despite additional transaction fees, and especially those VAs that provide higher anonymity, such as anonymity-enhanced cryptocurrency (AEC) or privacy coins.
- Transactions making use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.
- Users entering the VASP platform having registered their Internet domain names through proxies or using domain name registrars (DNS) that suppress or redact the owners of the domain names. These services prevent investigators from uncovering the physical region of the individual engaging in the transaction.
- Users entering the VASP platform using an IP address (e.g. Alpha Bay) associated with a darknet market or other similar software that allows anonymous communication, including encrypted emails and virtual private networks (VPNs).
- Transactions between partners using various anonymous encrypted communication means (e.g. forums, chats, mobile applications, online games, etc.) instead of a VASP.
- Many seemingly unrelated VA wallets controlled from the same IP-address (or MAC-address), which may involve the use of shell wallets registered to different users to conceal their relation to each other.
Graphing Vital to Understanding Cryptocurrency Ecosystem – Solution Snapshot
The ability to transact across borders rapidly not only allows criminals to acquire, move, and store assets digitally often outside the regulated financial system, but also to obfuscate the origin or destination of the funds and make it harder for reporting entities to identify suspicious activity in a timely manner.
These factors add hurdles to the detection and investigation of criminal activity by national authorities.
Since VA transactions are irreversible, it is critical to assess client activity in real time prior to money laundering, fraud or other crimes occur – as the act becomes a potential futile forensic exercise rather than a proactive defense preventing the legitimizing of ill-gotten gains.
One of the best ways to create a stout AML program, bolster investigations and be seen as a true “effective” ally is to chart out some of the steps where compliance, cryptocurrency and criminal activity converge, including reviewing and risk ranking entities, adding critical context to cases and monitoring potential illicit activity in several dimensions at once.
Data visualization, leveraging graphs and seeing intersection points with fincrime program duties can be vital in understanding what can feel like a complex, anonymous and irreversible ecosystem of virtual value, international transactions and brick-and-mortar banks – the nexus where fiat funds and crypto coins change hands.
1.) Entity resolution: The client might be leveraging multiple types of VAs, mixers or tumbling services, therefore, it is crucial to resolve entities with internal & external information to understand the full, holistic AML risk profile.
Graph analytics can be a game-changer for entity resolution.
Graph matching can provide a holistic view of all matched entities by various attributes, such as name, IP address, email, and dark web links. The ability to unify data by bringing together entities from multiple internal and external data sources in real time to create a single entity view across the enterprise is a powerful, highly sought-after goal.
As well, entity resolution using graphs will enhance anonymity understanding around users entering the VASP platform using an IP address associated with a darknet or other similar software that allows anonymous communication, including encrypted emails and VPNs.
Such a stratagem can also help connect seemingly separate transactions between partners using various anonymous encrypted communication means (e.g. forums, chats, mobile applications, online games, etc.) instead of a VASP.
Graph entity resolution approaches can also help find multiple seemingly unrelated VA wallets controlled from the same IP-address (or MAC-address), which may involve the use of shell wallets registered to different users to conceal their relation to each other.
2.) Multi-dimensional real-time monitoring: Looking at single risks or red-flags (aka single dimension monitoring) has proven to be inefficient in assessing overall risk, and can generate high false-positives.
More innovative monitoring approach should consider all relevant areas, such as client risk (inherent risk), activity risk (red-flag patterns, dark web), geographical risk (including trusted vs non-trusted IPs) and high-risk entities (negative news, Politically Exposed Persons, sanctions) holistically.
Leveraging graphing programs for multi-dimensional risk scoring will provide holistic entity risk views despite the need for typically complex and required underlying profile information.
Monitoring models/algorithms should calculate risk levels based on associating suspicious addresses and wallets. Also, these efforts should leverage in the risk profiles and transactional scores available global exchanges, ATMs, mixers, gambling services and known criminal addresses.
Once considered and tabulated, these models should assign risk levels to activities in as close as possible to real-time related to suspicious addresses and wallets.
3.) Contextual investigations: Organizations can leverage powerful graph analytics to connect the dots between cryptocurrency ecosystems using internal and external data, providing a holistic representation of networks that uncover hidden patterns.
Investigators can click through entities and their connections—represented as nodes on the graph model—to analyze networks and suspicious activities.
For example, investigators can bring in additional information while investigating many seemingly unrelated VA wallets controlled from the same IP-address (or MAC-address), which may involve the use of shell wallets registered to different users to conceal their relation to each other.
At the same time, artificial Intelligence (AI) should be leveraged to enhance human expertise through recommendations and next-best actions while also helping analysts gain situational awareness and learn institutional best practices.
Once detected by a ML model designated by the investigator as a true positive, previously detected organized criminal cases can be leveraged to make recommendations for new evidence in a graph.
This way, organizations can be ensuring collective learning.
About the author: Garima Chaudhary
Garima Chaudhary, Head of Financial Crime & Compliance Management Solution Consulting – Americas, Oracle
Chaudhary is an author, speaker and thought leader with more than 15 years of experience in financial crime, compliance, risk, business and IT strategies.
She has advised a broad range of financial institutions globally on their financial crime compliance journeys to transform, improve efficiency and effectiveness and drive value.
Chaudhary leads a team of subject-matter-experts to help institutions meet their financial crime, compliance and operational risk requirements through innovative technologies, including Machine Learning/Artificial Intelligence and Graphing.
A hallmark of her success is a consultative approach focusing on problem solving and delivering practical, tactical results with the power to streamline Know-Your-Customer, Anti-Money Laundering, Sanctions, Enhanced Due Diligence, Investigations, Regulatory Reporting and Fraud programs.
Her passion is the realization that millions of people around the world are losing lives or continue to suffer due to the devastating impact of drug crimes, human trafficking, sex exploitation, wildlife trafficking and modern-day slavery.
Chaudhary is also driven to grow in her knowledge and understanding of a diverse and ever-changing field and potential transformative technologies, such as artificial intelligence, machine learning and others, because she believes financial crime compliance professionals have the power to fight these crimes and contribute to a safer world.