AML/BSA Compliance for Bank Crypto Activities

Key Requirements:

BSA REQUIREMENTS FOR BANKS

- File for cash transactions >$10,000
- Same-day aggregation required
- Customer identification required

- File for suspicious transactions ≥$5,000
- No threshold if suspect terrorist financing
- Cannot disclose filing to customer

- Verify customer identity
- Maintain records
- Check against terrorist lists

- Written policies and procedures
- Designated compliance officer
- Employee training
- Independent testing

FinCEN and Crypto:

• 2013: Virtual currency exchangers are money transmitters
• 2019: Clarified that certain crypto activities require MSB registration
• 2020-2024: Enhanced focus on crypto compliance

Five Pillars of AML Compliance:

1. Written Policies and Procedures

2. Designated Compliance Officer

3. Employee Training

4. Independent Testing

5. Risk-Based Customer Due Diligence

---

Example:

Traditional Wire:
FROM: John Smith, Acct 12345678, Chase Bank
TO: Jane Doe, Acct 87654321, Bank of America
AMOUNT: $50,000

XRP Transaction:
FROM: rN7n3473SaZBCG4dFL83w7a1RXtXtbk2D9
TO: rLNaPoKeeBjZe2qs6x52yVPZpZ8td4dc6w
AMOUNT: 50,000 XRP
```

The Challenge:
Who owns those addresses? Where did they get the XRP? What's the purpose?

The Solution:

• Cluster addresses to identify entities
• Track transaction flows
• Flag high-risk addresses (sanctioned entities, darknet markets, scam addresses)
• Provide risk scores for transactions

How It Works:

BLOCKCHAIN ANALYTICS PROCESS

1. ADDRESS CLUSTERING

1. ENTITY IDENTIFICATION

1. TRANSACTION TRACING

1. RISK SCORING

The Travel Rule (FinCEN Rule 31 C.F.R. § 1010.410):

• Obtain and retain originator information (name, address, account)
• Obtain and retain beneficiary information (name, account)
• Include information in transmittal order
• Pass information to next institution in chain

Traditional Implementation:
Wire transfers include originator and beneficiary information in SWIFT messages. Banks pass the information automatically.

Crypto Challenge:
Blockchain transactions don't inherently include identity information. The "travel rule" requires off-chain communication of customer data between institutions.

• FATF (international body) requires travel rule for crypto (since 2019)
• Various solutions emerging (TRUST, Sygna, Notabene, others)
• Implementation uneven across jurisdictions
• Creates compliance complexity for cross-border crypto

---

FinCEN Guidance on Crypto Suspicious Activity:

FinCEN has identified specific red flags for crypto transactions:

• Multiple rapid transactions just below reporting thresholds

• Transactions with no apparent business purpose

• Frequent transactions with high-risk jurisdictions

• Use of mixing services or tumblers

• Transactions immediately following conversion from/to fiat

• Reluctance to provide required information

• Multiple accounts under different names

• Structuring deposits/withdrawals

• Unusually complex transaction patterns

• Business model inconsistent with activity

• Addresses associated with darknet markets

• Addresses associated with ransomware

• Addresses on OFAC sanctions list

• Transactions with known scam addresses

• Sudden large transactions inconsistent with history

When to File:

• Transactions involving known bad actors
• Transactions with no apparent lawful purpose
• Transactions inconsistent with customer profile
• Patterns suggesting layering or structuring
• Any transaction that raises suspicions

SAR Content for Crypto:

• Wallet addresses involved
• Blockchain (Bitcoin, XRP, Ethereum, etc.)
• Transaction hashes
• Exchange information (if known)
• Blockchain analytics findings
• Narrative explaining suspicion

Office of Foreign Assets Control:

• SDN (Specially Designated Nationals) list

• Country-based sanctions

• Sectoral sanctions

• Tornado Cash (mixing service) - August 2022

• Various individual addresses

• North Korean, Russian, Iranian linked addresses

• Customer addresses

• Counterparty addresses

• Transaction addresses

---

For Any Bank Crypto Activity:

CRYPTO AML PROGRAM REQUIREMENTS

POLICIES AND PROCEDURES
├── Crypto-specific AML policies
├── Customer onboarding procedures
├── Transaction monitoring procedures
├── SAR filing procedures for crypto
└── Sanctions screening procedures

TECHNOLOGY
├── Blockchain analytics tool subscription
├── Integration with transaction monitoring
├── Sanctions screening capability
├── Wallet/address database
└── Transaction tracing capability

PERSONNEL
├── Crypto-trained compliance staff
├── Analysts understanding blockchain
├── Investigation capability
└── Escalation procedures

OVERSIGHT
├── Board-level approval
├── Risk assessment including crypto
├── Independent testing including crypto
└── Regulatory examination readiness

Enhanced Due Diligence for Crypto Customers:

• Source of crypto funds explanation
• Wallet address ownership verification
• Transaction history review
• Enhanced monitoring thresholds

Challenge with Crypto Companies:

• Understanding the company's own AML program
• Assessing downstream customer risk
• Monitoring for nested money laundering
• Evaluating jurisdiction risk

Crypto Transaction Monitoring System:

MONITORING APPROACH

REAL-TIME SCREENING
├── OFAC sanctions check
├── High-risk address check
├── Velocity alerts
└── Threshold alerts

BATCH ANALYSIS
├── Blockchain analytics integration
├── Pattern detection
├── Network analysis
└── Historical transaction review

ALERT INVESTIGATION
├── Risk-based prioritization
├── Analyst investigation
├── Documentation requirements
└── SAR determination

REPORTING
├── SAR filing when warranted
├── CTR filing for cash equivalents
├── Management reporting
└── Regulatory reporting

---

Investment Required:

ESTIMATED CRYPTO AML PROGRAM COSTS

Initial Setup:
├── Blockchain analytics tool: $100K-500K/year
├── System integration: $200K-1M
├── Policy development: $100K-300K
├── Staff training: $50K-150K
└── Testing and validation: $100K-200K
TOTAL INITIAL: $550K-2.1M

Ongoing Annual:
├── Analytics subscription: $100K-500K
├── Compliance staff (3-10 FTE): $300K-1.5M
├── Ongoing training: $25K-75K
├── Independent testing: $50K-150K
├── System maintenance: $50K-200K
└── Regulatory exam support: $50K-150K
TOTAL ANNUAL: $575K-2.6M

Economic Calculation:

• Minimum compliance investment: $500K+ initial, $500K+ annual
• Requires revenue to justify investment
• Small programs may not achieve profitability
• Creates minimum scale threshold

The Vicious Cycle:

1. Crypto companies need banking
2. Banks require extensive AML due diligence
3. Crypto companies may lack traditional compliance infrastructure
4. Banks decline relationship or impose costly requirements
5. Crypto companies struggle to meet requirements
6. Banks exit relationships at first sign of trouble

Breaking the Cycle:

• Licensed in multiple jurisdictions
• Robust AML programs
• Regular independent audits
• Regulatory relationships

These companies can obtain banking because they've bridged the compliance gap.

---

XRPL AML Advantages:

• All transactions publicly visible
• Complete transaction history available
• Deterministic finality (no double-spend risk)
• Account-based model (easier to track than UTXO)

Analysis Capability:

• Address clustering and identification
• Transaction tracing
• Risk scoring
• Exchange identification

Current Ripple ODL Compliance:

• Licensed money transmitters/payment providers
• Subject to local AML requirements
• Ripple provides compliance tools and support

Bank ODL AML:

• XRP-specific transaction monitoring
• Integration with XRP blockchain analytics
• Travel rule compliance for XRP transfers
• SAR filing capability for XRP transactions

Stablecoin AML Considerations:

• Customer identification
• Transaction monitoring
• Suspicious activity reporting
• Sanctions screening

NYDFS Requirements:

• Robust AML program requirements
• Regular examination
• Transaction monitoring requirements
• Compliance reporting

---

AML compliance is table stakes for bank crypto engagement. Unlike capital rules (which affect economics) or regulatory permissions (which enable activity), AML requirements are non-negotiable and apply to all crypto activities. Banks must invest significantly in blockchain analytics, compliance personnel, and monitoring systems. This investment creates scale thresholds—small crypto programs may not be economically viable. For XRP and RLUSD, the analysis capability exists (blockchain analytics support XRPL), but banks must still build the programs, train the staff, and accept the ongoing compliance burden.

---

Assignment: Develop an assessment framework for evaluating a bank's crypto AML program readiness, and apply it to a hypothetical bank scenario.

Scenario:
Regional Bank Y ($15B assets) is considering offering crypto custody services to institutional clients. The bank has a mature AML program for traditional banking but no crypto-specific capabilities.

Requirements:

Part 1: Readiness Assessment Framework (400-500 words)

• Policy and procedure requirements
• Technology requirements
• Personnel requirements
• Governance requirements

For each category, identify specific items that must be in place before launch.

Part 2: Gap Analysis for Bank Y (300-400 words)

• What Bank Y likely has in place
• What Bank Y needs to add
• Estimated investment required (initial and ongoing)
• Timeline to readiness

Part 3: Risk Assessment (200-250 words)

• Key AML risks in crypto custody
• How custody differs from payments for AML purposes
• Specific monitoring challenges for institutional custody

Part 4: Implementation Recommendations (150-200 words)

• Prioritized action items

• Build vs. buy recommendations for technology

• Staffing recommendations

• Key success metrics

• Comprehensiveness of framework (30%)

• Quality of gap analysis (25%)

• Risk assessment accuracy (25%)

• Practical recommendations (20%)

Time investment: 2-3 hours
Value: Develops ability to assess AML readiness—applicable to evaluating any bank's crypto capabilities

---

1. BSA Framework (Tests Foundation Knowledge):

Under the Bank Secrecy Act, which requirement applies to bank crypto custody services?

A) Banks are exempt from BSA for custody-only services
B) Banks must implement customer identification, transaction monitoring, and suspicious activity reporting
C) Banks need only file Currency Transaction Reports for crypto
D) BSA applies only to crypto exceeding $100,000

Correct Answer: B

Explanation: BSA requirements apply fully to all bank crypto activities, including custody. Banks must implement Know Your Customer (KYC), monitor transactions for suspicious activity, and file SARs when warranted. There is no custody exemption (A is wrong). CTRs apply to cash transactions; crypto monitoring requires SARs (C is incomplete). There's no $100K threshold (D is wrong).

---

2. Pseudonymity Challenge (Tests Understanding):

What is the fundamental AML challenge that crypto's pseudonymity creates?

A) Crypto transactions cannot be traced
B) Blockchain addresses don't inherently identify the humans behind them, requiring additional analysis and tools
C) Crypto transactions are completely anonymous
D) Banks cannot process crypto transactions

Correct Answer: B

Explanation: Crypto transactions ARE traceable (A is wrong)—every transaction is recorded on public blockchains. The challenge is that addresses (like "rN7n3473SaZB...") don't identify the person behind them. Blockchain analytics tools address this by clustering addresses, identifying known entities, and tracing transaction flows. Crypto is pseudonymous, not anonymous (C is wrong)—patterns can reveal identity. Banks can process crypto with proper compliance (D is wrong).

---

3. Compliance Costs (Tests Practical Knowledge):

Why do AML compliance costs create barriers to bank crypto engagement?

A) AML compliance is optional for crypto activities
B) Banks must invest significantly in blockchain analytics, compliance personnel, and monitoring systems—creating minimum scale thresholds below which programs aren't economically viable
C) AML costs are fixed regardless of program size
D) Banks can use traditional AML systems for crypto without modification

Correct Answer: B

Explanation: Crypto AML requires specialized tools (blockchain analytics: $100K-500K/year), trained personnel, system integration, and ongoing monitoring. These costs are largely fixed—a small program costs almost as much as a large one. This creates minimum scale thresholds: revenue must justify compliance investment. AML isn't optional (A is wrong). Costs scale somewhat but have high fixed component (C is partially wrong). Traditional systems need crypto-specific augmentation (D is wrong).

---

4. Travel Rule (Tests Specific Knowledge):

What challenge does the "travel rule" create for crypto transactions?

A) Crypto transactions are prohibited from traveling across borders
B) Banks must physically transport crypto assets
C) Financial institutions must share originator and beneficiary identity information, but blockchain transactions don't inherently include this data—requiring off-chain communication
D) The travel rule exempts crypto transactions

Correct Answer: C

Explanation: The travel rule requires financial institutions to pass customer information (name, address, account) with fund transfers ≥$3,000. Wire transfers include this in SWIFT messages automatically. Crypto blockchain transactions don't include identity data—only addresses. Institutions must communicate this information off-chain, using emerging protocols (TRUST, Notabene, etc.). Cross-border crypto isn't prohibited (A is wrong). No physical transport required (B is wrong). The rule applies to crypto (D is wrong).

---

5. XRP AML Capability (Tests Applied Knowledge):

What is the current state of AML compliance capability for XRP transactions?

A) XRP transactions cannot be analyzed for AML purposes
B) Major blockchain analytics providers support XRPL, enabling address identification, transaction tracing, and risk scoring
C) XRP is exempt from AML requirements
D) Only Ripple can perform AML analysis on XRP

Correct Answer: B

Explanation: Blockchain analytics firms (Chainalysis, Elliptic, TRM Labs, etc.) support the XRP Ledger. They can cluster addresses, identify known entities (exchanges, services), trace transaction flows, and assign risk scores. This enables AML compliance for banks handling XRP. XRP transactions are analyzable (A is wrong). XRP is not exempt (C is wrong). Third-party analytics firms provide tools, not just Ripple (D is wrong).

---

For Next Lesson:
Lesson 11 will examine third-party risk management requirements—how banks must evaluate, contract with, and monitor crypto service providers. Understanding third-party risk explains why banks conduct extensive due diligence on crypto partners and why not all crypto firms qualify.

---

End of Lesson 10

Total words: ~5,300
Estimated completion time: 50 minutes reading + 2-3 hours for deliverable