INTRODUCTION
In the global battle against financial crimes, the convergence of Financial Technology (fintech) and Anti-Money Laundering (AML) procedures has become critical. As fintech continually transforms traditional financial services, its groundbreaking innovations bring forth both prospects and complexities in upholding stringent AML compliance standards.
The definition and categorization of Virtual Assets (VAs) play a vital role in this context. With the exception of fiat money and stocks, these digital representations of value come in forms, including cryptocurrency, payment tokens, and convertible virtual currencies. Non-fungible tokens (NFTs), known as crypto-collectibles, are unique digital assets used as collectibles. Because of their practical uses and changing functionality, NFTs provide unique classification issues.
The classification of entities engaging in Virtual Assets Service Provider (VASP) activities, encompassing exchanges, transfers, safekeeping, and financial services related to virtual asset offerings, falls under the purview of multiple regulatory bodies within the UAE. These agencies, including the UAE Securities and Commodities Authority (SCA), the Virtual Asset Regulatory Authority (VARA), and others, meticulously supervise and regulate VASPs to ensure compliance with AML/CFT frameworks.
A virtual asset service provider is any person, whether an individual or a company, that engages in any of the following five activities as a business on behalf of other people or businesses (“VASP activities” or “covered VASP activities”), according to the definition given in the AML-CFT Decision, as modified. Please note that the following five listed VASP actions are not meant to be comprehensive; rather, they are meant to serve as samples and descriptions only.
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets
- Safekeeping or administration of virtual assets or instruments enabling control of virtual assets
- Participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset
The United Arab Emirates’s AML/CFT framework for virtual asset service providers, or “VASPs,” is composed of several regulatory and supervisory agencies. These include the Financial Services Regulatory Authority (FSRA), which oversees VASPs in the Abu Dhabi Global Market (ADGM); the Virtual Asset Regulatory Authority (VARA), which acts as the regulator of VASPs in the Emirate of Dubai; and the UAE Securities and Commodities Authority (SCA), which is the primary regulatory body responsible for licensing and overseeing VASPs at the Federal level and for the UAE’s Commercial Free Zones (CFZs); the CBUAE, which oversees LFIs and RHPs in their capacity as financial service providers to VASPs and non-VASP clients who may engage in virtual asset (“VA”) transactions, and the Dubai Financial Services Authority (“DFSA”), which controls VASPs in the Dubai International Financial Centre (“DIFC”). More information on the legal and regulatory framework for VASPs in the UAE, including references to specific guidelines issued by the aforementioned authorities. Before and during engagements with VASPs, LFIs, and RHPs should consider the relevant jurisdiction and/or asset-specific regulations mandated by the aforementioned supervisory agencies.
THE FINTECH REVOLUTION AND AML LANDSCAPE
Fintech companies have disrupted the financial industry, offering innovative solutions such as mobile payments, peer-to-peer lending, blockchain-based transactions, and automated financial advisory services. These technologies have transformed the way people transact, invest, and manage their finances. However, this rapid evolution has also introduced complexities in ensuring compliance with AML regulations.
UAE LEGAL AND REGULATORY FRAMEWORK FOR VASP’s
In the UAE, the legal and regulatory framework mandates the reporting of suspicious transactions by VASPs to the UAE Financial Intelligence Unit (FIU). Additionally, licenses or registrations from competent supervisory authorities are prerequisites for individuals or entities engaging in VASP activities. Regulators like the SCA, CBUAE, and VARA define and regulate specific VASP activities and provide guidance to ensure adherence to AML/CFT laws.
SCA
The SCA regulates platforms that enable the trading of virtual assets, authorized persons that carry out virtual asset custody services, and virtual asset intermediaries. The SCA defines virtual assets as digital representations of value that can be digitally traded or transferred and can be used for investment purposes and do not include digital representations of fiat currency, securities, or other money. A virtual asset, so defined, is neither issued nor guaranteed by any sovereign state or jurisdiction and fulfills the above functions only by agreement within the community of users of the virtual asset. A full description of regulated activities about virtual assets and virtual asset service providers is provided in Cabinet Resolution No. (111) of 2022 on the Regulation of Virtual Asset Service Providers.
CBUAE
The CBUAE licenses Payment Token Service Providers under the Central Bank’s Retail Payment Services and Card Schemes Regulation.14 Under this regulation, Payment Tokens are defined as a type of Crypto-Asset that is backed by one or more Fiat Currency, can be digitally traded, and functions as a medium of exchange and/or a unit of account and/or a store of value, but does not have legal tender status in any jurisdiction. A Payment Token is neither issued nor guaranteed by any jurisdiction and fulfills the above functions only by agreement within the community of users of the Payment Token. Payment Token Service Providers, in turn, are defined as persons engaged in Payment Token issuing, Payment Token buying, Payment Token selling, facilitating the exchange of Payment Tokens, enabling payments to Merchants and/or enabling peer-to-peer payments, and Custodian Services related to Payment Tokens.
Additionally, under the Stored Values Facilities (“SVF”) Regulation of 2020 (Circular No. 6/2020), the CBUAE licenses and supervises providers of SVFs, defined as facilities (other than cash) used by a customer to store money or “Money’s Worth” and transfer such money or “Money’s Worth” as a means of payment. Under the SVF Regulation, “Money’s Worth” includes “other forms of monetary consideration or assets such as values, reward points, Crypto-Assets, or Virtual Assets.” To the extent that providers of SVFs engage in the VA exchange or transfer activities or other VASP activities, as described in section 1.5 above—including by facilitating companies accepting VA as payment—they fall under the definition of a VASP and must be licensed to operate as such by UAE authorities.
VARA
Under Law No. 4 of 2022 on the Regulation of Virtual Assets in the Emirate of Dubai, a virtual asset is defined as a digital representation of value that can be digitally traded, transferred, or used as an exchange or payment tool or for investment purposes, and any digital representation of any other value as determined by VARA. Virtual assets, so defined, include “virtual tokens,” defined as digital representations of a set of rights that can be digitally issued and traded through a virtual asset platform. VARA, within the scope of the above-mentioned law and Cabinet Decision No. (112) of 2022, and without prejudice to the regulatory powers of the CBUAE and SCA, serves as the regulatory authority for VAs in the Emirate of Dubai responsible for authorizing any entity to undertake VA-related activities, including specifically licensing VASPs to carry out activities related to VAs.
VASPs are defined by this Law as any person authorized by VARA to conduct any activities that require a license from VARA and are subject to VARA oversight, per Article 16 of Law No. 4 of 2022.
OPPORTUNITIES AND ADVANCEMENTS
Fintech innovations offer several avenues for enhancing AML efforts:
1. Onboarding and Identity Verification:
Crypto companies are required to carry out identity verification checks and KYC procedures, just like other regulated entities in the financial sector, in order to ascertain and validate the identification of their customers. Given that once initiated, crypto transactions can take mere seconds to complete, there is increased pressure to get the onboarding piece right. To mitigate risks, crypto firms would do well to consider using a layered approach to identity verification. For example, firms may choose to conduct an examination of identity documents in addition to a video or photo KYC check as a matter of course. It may also be worth considering slowing down the onboarding process by instituting a mandatory 24-hour wait between onboarding and completing transactions. High-risk customers may prompt the firm to undertake other, more evolved due diligence measures.
2. Screening and monitoring:
Even after onboarding a customer, crypto firms must be able to accurately and efficiently monitor their customers for changes. If they have been added to sanctions or watch lists, if there are changes in their politically exposed person (PEP) status, or if the status of any relatives and close associates (RCAs) notably changes, this may necessitate swift action. Additionally, crypto firms would do well to ensure they have the tools needed to detect whether their customers have been involved in adverse media stories, as that might trigger a higher level of scrutiny and monitoring.
3. Transaction Monitoring:
This area of compliance is arguably where crypto firms and traditional banking diverge the most. Brandi Reynolds, Managing Director at Bates Group, a consultancy, and outsourced CCO for eToro USA and Voyager Digital NY, says: “Firms often do not recognize the importance of transaction monitoring, often over-relying on KYC at the expense of other controls.”
Like banks, crypto firms are expected to monitor and understand the transactional behavior of their customers and scan for suspicious activity. However, the speed with which transactions occur and the variety and volume of data transmitted with each transaction, especially when one cryptocurrency is converted into another, can make it challenging to keep pace. In addition, firms must ensure their transaction monitoring tools are tailored and calibrated to ensure proper scrutiny of transactions where cryptocurrencies are cashed out and converted to fiat currency — something traditional banks don’t typically need to prioritize.
It is here where proper segmentation of customers is crucial. Crypto firms should thoroughly examine any personally identifiable information (PII) and leverage behavioral analytics to help profile customers and set rules according to expected behaviors. The more comprehensive a firm’s segmentation, the better able that firm will be to assess the level of risk a transaction poses, whether that risk is due to the customer, the counterparty, or the jurisdictions involved.
EMERGING THREATS
1. Ransomware
Digital adoption has increased cybercrime risks, particularly ransomware attacks. These attacks block access to critical data until victims pay a ransom, often in cryptocurrency. Ransomware attacks increased by 105% globally in 2021 compared to 2020. Regulators are exploring tightening controls to address this threat. High-profile targets include the San Francisco 49ers and Nvidia Corporation. Payments due to ransomware attacks may involve multiple wallet addresses and layering strategies.
2. Sanctions Evasion
Russia’s war in Ukraine and Western sanctions have sparked discussions about crypto evasion. While no evidence exists of Russian individuals using crypto to avoid sanctions, regulators are taking this issue seriously. Crypto firms must screen new customers against sanctions lists, calibrate transaction monitoring protocols, and monitor IP addresses for high-risk transactions. Red flags include rapid transactions involving multiple wallets and anonymity-enhanced cryptocurrencies.
3. Darknet Markets
Online marketplaces for illicit goods and services pose a threat to crypto firms, as participants often use virtual currencies as payment. Bitcoin is currently the most preferred cryptocurrency, but Monero may overtake it in the future. Governments and law enforcement have intensified efforts to disrupt and take down these darknet markets.
4. Fraud
Cryptocurrency fraud is expected to rise as cryptocurrencies become more widely used. A Chainalysis report found that $14 billion was directed to criminal addresses in 2021, nearly double the amount in 2020. Scams and stolen funds were the most common crimes. An emerging scam called rug pull occurs when developers sell tokens to raise capital, leaving investors with losses. Stolen funds accounted for $3.2 billion in 2021, primarily from DeFi protocols.
5. Terrorist Financing
Cryptocurrency assets and DeFi are used in terrorist financing due to their anonymity and ease of cross-border transactions. The fragmented regulatory landscape increases the likelihood of suspicious transactions going undetected. Bitcoin is often used by terrorists, but privacy-enhanced coins like Monero are increasingly seen as more desirable alternatives. Crypto firms should scrutinize transactions involving anonymity-enhanced cryptocurrencies, especially if the portfolio consists of these cryptocurrencies.
6. Geopolitical Unrest
Cryptocurrency mining operations have been disrupted by geopolitical tensions and domestic unrest, particularly in countries like Kazakhstan. High fuel prices and power shortages have led to domestic unrest, prompting Kazakhstan’s government to suspend operations. Crypto firms must be prepared to react to untenable situations and mitigate potential threats, whether directly or indirectly through partner companies or regulatory consequences.
REGULATORY REQUIREMENTS:
Fintech Companies must ensure that their technology governance and risk assessment framework complies with, to the extent applicable, cybersecurity laws, regulatory requirements, and guidelines, including but not limited to –
COMPLIANCE CHALLENGES
While fintech innovations offer promising avenues, they also present unique compliance challenges:
1. Regulatory Complexity
Fintech companies operate in a rapidly evolving regulatory landscape. Complying with diverse AML regulations across different jurisdictions poses a significant challenge, requiring continuous adaptation to stay compliant.
2. Data Privacy and Security
The collection and utilization of extensive customer data by fintech firms raise concerns about data privacy and security. Balancing the need for data access to enhance AML measures while safeguarding customer information is critical.
3. Dynamic Nature of Financial Crimes
Criminals constantly adapt their tactics to exploit vulnerabilities in fintech platforms. Staying ahead of sophisticated money laundering techniques requires continuous innovation and proactive measures.
STRIKING A BALANCE: INNOVATION AND COMPLIANCE
To navigate these challenges, fintech companies must prioritize a holistic approach that integrates innovation with compliance:
1. Collaborative Efforts
Collaboration among fintech firms, regulatory bodies, and traditional financial institutions is essential. Sharing best practices and insights can foster a more comprehensive approach to combat financial crimes.
2. Invest in Robust AML Technology
Continued investment in cutting-edge AML technology, including AI-powered analytics and blockchain solutions, is crucial. This helps in creating more robust defense mechanisms against evolving money laundering tactics.
3. Emphasize Education and Training
Educating employees and stakeholders about AML regulations and emerging risks is fundamental. Training programs ensure a better understanding of compliance requirements and foster a culture of compliance within fintech organizations.
CONCLUSION
Compliance professionals will most likely look back on 2022 as a defining year for crypto. If current trends continue, it is set to mark the point at which the adoption of cryptocurrencies and regulatory reforms collide, leading to a sector that is more regulated, and increasingly mainstream. Regulatory arbitrage will, however, remain one of the biggest challenges crypto firms must grapple with.
Staying ahead of the regulatory curve, alongside smart investments in AML technologies and diverse compliance staff, will set crypto firms up for success. Not only will they have better relationships with regulators and policymakers, but productivity will increase, and customers will trust the products and services they offer more.
To strike a balance between innovation and compliance, collaborative efforts among fintech firms, regulatory bodies, and traditional financial institutions are indispensable. Continued investment in cutting-edge AML technology, coupled with comprehensive education and training programs, forms the cornerstone of a holistic approach to combat financial crimes.
Why Adam Global?
For support in meeting Anti-Money Laundering (AML) compliance needs, reach out to Adam Global. Partnering with a reliable entity like Adam Global enables businesses to confidently navigate the intricacies of KYC and AML compliance. Adhering to the AML Regulations safeguards your business from substantial fines due to non-compliance, allowing you to focus on operations while aiding the global effort against financial misconduct.
Get in touch with us to strengthen your compliance strategy and work on establishing your business.
