Risk-Assessment for Crypto AML Officers

In 2020, Estonia changed its crypto regulations. As a result, Estonian authorities withdrew more than 1200 crypto licenses.

Under the new regulations, all crypto companies must have local AML officers. And as AML officers are also in high demand in other industries (banking, credit, fintechs), it’s a great career choice if you’re into regulatory work.

In this blog post, we’re going to look at some of the assignments the AML officers have to do on a daily basis.

And while I am not covering these assignments in detail, it gives you an overview of what the AML officer needs to do.

Make Sure The Company’s KYC Policies And Processes Are Up To Date

It’s not only about the KYC policies in a sense that what’s written in the AML documentation. It’s also about making sure that the right processes are implemented to identify the clients, store their documents, and monitor their activity.

For example, if you’re joining a company that has been active for a while, you have to make sure that documents of the clients are up to date (not older than 6 months in the first year of the business relationship). Especially, if you’re dealing with business entities. And these documents have to be stored in a way that enables you to access and share the data upon request from the authorities.

But if it’s a new organization, you need to implement the AML processes within the company. And make sure that the company is fulfilling all the regulatory requirements.

Implementing KYC processes means that you’re going to choose suitable KYC software. This software will enable the company to identify clients and authenticate their documents. With consumers, it’s a pretty convenient process (depending on the software you’ll use). However, if you’re dealing mainly with business clients, you’ll need to onboard them mostly manually.

Manual onboarding means that you have to collect the company documents and try to verify these documents (there are software providers that can do checks into different business registries as well) and data via available resources, including Google searches. To what extent you need to do the due diligence depends on the risk level of a particular client. And you need to create a risk profile of the clients as well.

Doing Risk-Assessments

Risk-assessment is a document where you evaluate the risk associated with a client. There are four categories of risk that you need to evaluate:

1. Geographical risk – from where the clients are from (and whether these countries have similar AML regulations and supervision).
2. Communication channel risk – how do you communicate with the clients (face to face, online, phone, etc).
3. Product / Service risk – how big are the risks and how likely are risks to materialize in your services/product category?
4. Client risk – where is the money coming from, are there any negative news or suspicious businesses associated with the person, etc.

For each of these items, we could go into more detail and perhaps we will in one of the future blog posts, but we’ll keep it short at the moment to paint the overall picture of the AML officer’s work.

While creating the risk profile of the client, the AML officer will assign a score for each risk category – how big is the risk and how likely it is that the risk will materialize.

The numerical value assigned to each risk can be from 1-5 or 1-10, or any other range depending on the preference of the concrete AML officer. And once all risks are added up, there will be a total score. And according to that score, you can place the client into a bucket (low, medium, high). And it’s usually better if clients in the “high” bucket, aren’t accepted as clients. But this depends on each company and their appetite for risk.

Notifying The FIU Of Suspicious Activities

In case the AML officer notices suspicious activities, he or she needs to first notify the board of the company, and sometimes also the Estonian FIU, even when the suspicion is removed (in cases of money laundering or terrorist financing is suspected).

There are guidelines you can read to understand the notification requirements and methods in more detail.

The reports that you must submit follow into the following categories:

– suspicion of money laundering;– unusual transaction;– unusual activity;– a mandatory cash transaction report;– suspicion or knowledge of the need to implement an international financial sanction;– suspicion of terrorist financing.

The following explanations are from the official FIU guidelines (we’ve broken the text into smaller paragraphs for easier consumption):

In case of suspicion of money laundering, you have to submit a Suspicious Transaction Report (STR). In cases of suspicion of money laundering, the obliged entity has a reasonable suspicion as to whether the means used in the transaction are or may be of the criminal origin or used for criminal purposes, regardless of whether the suspicion arose solely from that transaction or from the combined effect of previous or related transactions or circumstances.

In cases of suspicion of money laundering, you should apply enhanced due diligence measures to remove the suspicion of money laundering. It should be borne in mind that the application of due diligence measures must not imply to any person suspected of money laundering that the obliged entity has submitted a report to the FIU or intends to do so.

In the event on suspected money laundering, you must not carry out a transaction or establish a business relationship.

In the case of unusual transactions, you must submit an Unusual Transaction Report (UTR). In cases of unusual transactions, the obliged entity has identified an economically unusual or illogical transaction, or the explanations given about the intended transaction are not plausible and indicate a possible connection with money laundering or the concealment of illicit proceeds.

When detecting an unusual transaction, the obliged entity shall apply enhanced due diligence measures in order to obtain justification from the individual about the unusual transaction.

If the explanations cannot substantiate the unusual nature of the transaction with economic or plausible explanations, you must notify the FIU of the unusual transaction but you may carry on with the transaction.

If the suspicion of money laundering or terrorist financing arises in the course of applying due diligence measures, you must submit a report concerning the type of report and be guided by the explanation of that specific type of report.

In the case of unusual activity, you must submit an Unusual Activity Report (UAR). In cases of unusual activity, the obliged entity has detected repeated or ongoing unusual transactions or activities by their business partner or a person they are in a business relationship with.

You have to notify the FIU of the unusual activity but may carry on with the transactions. When detecting unusual activity, the obliged entity shall apply enhanced due diligence measures in order to obtain justification from the individual about the unusual activity.

If the explanations cannot substantiate the unusual nature of the activity with economic or plausible explanations, you must notify the FIU of the unusual activity but you may carry on with your transactions or business relationship.

If the suspicion of money laundering or terrorist financing arises in the course of applying due diligence measures, you must submit the corresponding report and be guided by the explanation of the type of report that has been submitted.

In case a cash transaction exceeds the limit, you must submit a Cash Transaction Report (CTR). You must submit a Cash Transaction Report if a pecuniary obligation of over 32,000 euros is performed in cash, regardless of whether the transaction is made in a single payment or in several linked payments.

You must report any such transaction to the FIU but may carry on with your transactions or business relationship. A credit institution notifies the Financial Intelligence Unit immediately about each transaction of over 32,000 euros made in cash where the credit institution does not have a business relationship with the person participating in the transaction.

In case of a suspicion of terrorist financing or a transaction linked to a high-risk country, you must submit a Terrorist Financing Report (TFR). In cases of suspicion of terrorist financing, if the transaction directly indicates the financing of terrorism, or if there are indicators that a person has criminal ties or is involved in radicalisation, you must submit a report (TFR 2-2.4) to the FIU and must not proceed with the transaction.

In case of a transaction linked to a high-risk country or in case of other unusual circumstances with regard to a high-risk country, you must submit a Terrorist Financing Report (TFR 1-1.6).

You may proceed with your transaction or continue your business relationship but you must apply enhanced due diligence measures.

In case of implementing an international financial sanction or in case of a need to check the corresponding suspicion, you must submit an International Sanctions Report (ISR). The obligation to notify is set out in the International Sanctions Act but the reports are submitted in accordance with the requirements set out in the Money Laundering and Terrorist Financing Prevention Act.

In case of doubt as to the need to impose an international financial sanction, you must not carry out the transaction. The transaction may be carried out subject to written approval by the FIU in accordance with the exemption provided for in the International Sanctions Act.

An International Sanctions Report is the only type of report upon the submission of which the obliged entity has the right to inform the person concerned by the report.

There are also guidelines for how the FIU report has to be formatted.

Conclusion

The work of the AML officer is very important for all crypto companies. And it can also be a very exciting career path for people looking to work as AML officers. Like in any field, there are different levels to the knowledge, experience and value an AML officer can bring to the table.

This blog post was an entry-level introduction to the work of the AML officer. We’ll plan to publish more on this topic in the coming months.