Policy & Regulation

Banks Need to Understand Their Cryptocurrency Exposure Even If They Don’t Take Custody of Cryptocurrency

Recent developments in the United States suggest regulators are preparing for continued digital asset adoption, and expecting financial institutions to understand their exposure and mitigate associated risks. Over the past several months in the United States, the Office of the Comptroller of the Currency (OCC) clarified that national banks may provide digital asset custody services to customers and engage in certain stablecoin activities, the Wyoming Division of Banking issued its first special purpose depository institution (SPDI) charter to make Kraken the first cryptocurrency exchange regulated as a bank, and the Conference of State Bank Supervisors (CSBS) unveiled a single set of supervisory rules so that cryptocurrency firms can more easily expand across the country.

All of these developments mean banks and other financial institutions have the opportunity to move into an emerging asset class with growing popularity, particularly among younger consumers. However, recent remarks from Kenneth A. Blanco, the Director of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), suggest that even banks with no intention of expanding their businesses into cryptocurrency need to understand the space and monitor their customers’ interactions with it in order to fulfill their regulatory obligations.

Last month, Director Blanco spoke at the ACAMS Virtual Las Vegas Conference, covering topics such as scammers’ efforts to take advantage of the Covid-19 crisis and his agency’s response. But most notable in his remarks was the time he spent on why all banks need to be aware of their exposure to cryptocurrency, and the risk they take on by ignoring it. Specifically, he said: “One issue that continues to come up during these discussions relates to mitigating risks associated with emerging payment systems, including virtual currency. To be clear, [virtual currency] exchanges are not the only ones with crypto risk exposure. These risks are not unique to money services businesses or virtual currency exchangers; banks must be thinking about their crypto exposure as well.”

The director’s words indicate a traditional bank can be held responsible for illicit cryptocurrency activity carried out by its customers that the bank facilitates, even if the bank itself doesn’t provide custody for cryptocurrency. For example, if a customer wires funds from their bank account to a cryptocurrency exchange, purchases cryptocurrency, and then, say, sends that cryptocurrency to a sanctioned individual or darknet marketplace, the bank’s exposure to that risk might be troubling to regulators. Similarly, if a customer extorts others in ransomware schemes, accepts cryptocurrency for ransom payments, and then cashes out his cryptocurrency earnings at an exchange that wires funds to his bank account, he could be exposing his bank to risk. Below, we’ll discuss how banks can prepare to incorporate cryptocurrency into their compliance programs.

Understanding cryptocurrency exposure and risk as a bank

As Director Blanco went on to note in his speech, banks assessing their cryptocurrency risk first need to ask themselves if they have any way of identifying current customers who use cryptocurrency.

Some banks may not think any of their customers use cryptocurrency. In fact, when we polled a group of investment professionals a year ago, nearly one third estimated that none of their customers transact with cryptocurrency businesses. Banks such as Wells Fargo have outright banned their customers from sending funds to cryptocurrency businesses, which could lead them to believe that very few or even none of them are doing so. However, we believe this is unlikely. A recent poll from the financial consulting firm Cornerstone Advisors suggests that 15% of Americans have purchased cryptocurrency in some form, with another 11% saying they plan to in the near future. We also know from other polls that younger consumers are even more likely to have purchased cryptocurrency. It therefore seems improbable that any bank with a substantial customer base wouldn’t have at least some customers who are transacting with cryptocurrency businesses. Banks reporting 0% cryptocurrency adoption amongst their customers likely aren’t getting the full picture, and could face problems with regulators down the road.

So, if banks accept that at least some of their customers are likely buying cryptocurrency, how do they take a targeted approach to managing the associated risk? The first step is to learn about the most popular cryptocurrency exchanges. Exchanges are the primary on and off-ramps between cryptocurrency and fiat, and likely the most common places their customers would send funds to buy cryptocurrency. Banks need to create a system to detect exchanges in their SWIFT messages, ACH payments, and debit card transactions. The top cryptocurrency exchanges are constantly evolving, so banks also need to monitor them in real time for such a program to be effective. If banks started screening for these businesses in their customers’ activity today, they’d inevitably find cryptocurrency-related transactions they didn’t previously know were happening. From there, they should assess the risk of those transactions based on their current anti-money laundering policies, checking for transactions that suggest suspicious activity.

In the longer term, banks need to individually assess each exchange with which their customers transact, as well as any other cryptocurrency businesses customers are funding from their bank accounts. For starters, they should examine each exchange’s unique business model, compliance program quality, and jurisdiction of operation. But these qualitative factors aren’t sufficient on their own. Banks also need to evaluate exchanges’ compliance effectiveness by measuring their exposure to risky counterparties elsewhere in the cryptocurrency ecosystem. These measurements provide the strongest signal for whether or not a bank should be doing business with a cryptocurrency business, but most banks can’t get this data on their own. They need to partner with trusted data providers who have a deep understanding of the cryptocurrency ecosystem and can show them which cryptocurrency businesses are safe and which should raise alarm bells. As they become more comfortable with the space, banks can also work to establish relationships with the compliance teams at reputable cryptocurrency businesses their customers use most often and work with them to solve issues together.

Banks should get a head start on cryptocurrency

Time is of the essence for banks, as Director Blanco’s remarks clearly indicate that regulators will soon expect them to be able to show how their compliance and AML programs address cryptocurrency activity, and what level of cryptocurrency-related risk they have. Banks would be wise to start gathering that information now, rather than waiting until regulators are demanding it.

While this may be daunting at first, banks’ compliance departments will eventually become fluent in cryptocurrency if they take these steps. After that, who knows what could happen? Banks not currently planning to get involved in cryptocurrency may open up to the idea of institutional adoption as they develop and implement procedures to mitigate cryptocurrency risk.