Five Companies Share Best Practices for Developing Risk-Based Compliance Programs for Crypto Products

Matt Van Buskirk

CEO & Co-Founder

(Note: this conversation originally appeared on the Blockdata Blog)

Alongside Caitlin Barnett from Chainalysis, four additional executives from the RegTech ecosystem joined in the discussion to offer their perspectives.

  • Marc Temple, Global Development Director of RiskNarrative at LexisNexis Risk Solutions, a data and analytics solution for financial crime risk management.
  • Matt Van Buskirk, co-founder and CEO at Hummingbird, a platform for customer knowledge, case management, investigations, and regulatory reporting.
  • Lana Schwartzman, Head of Regulatory and Compliance at Notabene, the first crypto pre-transaction decision-making platform.
  • Peter Singer, Deputy CCO and BSA/AML Officer at Fireblocks, a digital asset management suite and blockchain development platform for businesses.

Note: Responses have been edited and condensed for clarity.

Blockdata: How can risk assessment criteria identify, categorize, and prioritize the specific risk profiles of transactions, customers, and counterparties?

Caitlin Barnett, Chainalysis: A risk assessment is designed to incorporate relevant metrics and create a quantitative view as to how a company assesses its BSA/AML risk exposure. Common risk factors to take into account are geographic, customer, product/service, asset, transaction, and sanctions risks. For example, if a business were to offer a new product related to cryptocurrency, the business would need to evaluate all potential associated risks and identify what controls can be put in place to mitigate them.

Marc Temple, LexisNexis: Both regulated and unregulated businesses should be utilizing technology further to review and update their risk assessment criteria and continuously reassess risk profiles amidst new information and emerging trends. A 'single customer view' of risk and a unified score across KYC, Fraud, and AML allows businesses to understand their exposure more holistically and adapt as needed.

Matt Van Buskirk, Hummingbird: Have a strong marriage between your systems: KYC/EDD, Crypto forensics, Transaction Monitoring, and Compliance Case Management. The goal is to build a tech stack that allows for the streamlined, real-time flow of information across software.

Regtech has evolved enormously in the last decade, and new solutions offer a level of modularity that allows you to connect all these systems via easy integrations. The capabilities inherent in cryptocurrency make risk assessment a data-science exercise with predictable and measurable results.

Lana Schwartzman, Notabene: Crypto-specific risk assessments must go further than traditional financial compliance programs by analyzing transaction patterns, conducting thorough customer diligence and continuous monitoring, and updating based on regulatory developments.

The Travel Rule – introduced by the Financial Action Task Force in 2019 – enables companies to reduce exposure to sanctions and illicit transactions. It provides virtual asset service providers (VASPs) with transaction-level counterparty and sanctions insights, allowing them to identify if clients transact with sanctioned entities, wallets, or jurisdictions before the transaction happens. Maintaining compliance requires evaluating a transaction's associated sanctions and counterparty risks across centralized exchanges, self-hosted wallets, smart contracts, lightning networks, and DeFi platforms. Allocating resources to higher-risk areas requires a risk-scoring methodology that accounts for all these factors.

Peter Singer, Fireblocks: As a starting point, the risk assessment must identify which products are offered, where, to whom, through which channel, and using what payment method.

Blockdata: How can organizations use technology solutions to streamline real-time monitoring and suspicious activity reporting?

Caitlin Barnett, Chainalysis: One of the unique features of Chainalysis is that our solutions enable our customers to conduct real-time monitoring. This allows compliance officers to quickly identify potential suspicious activity and promptly file suspicious activity reports.

Marc Temple, LexisNexis: Utilizing technology such as 'risk orchestration', which provides a 360° view of risk across the customer lifecycle – onboarding, ongoing screening, on- and off-ramp transaction monitoring, through to offboarding – helps optimize financial crime and fraud prevention efforts. Consolidating all information in one platform – where suspicious transactions and entities can be identified, reported, and mitigated – negates the swivel-chair approach to investigations across multiple systems. The RiskNarrative platform from LexisNexis Risk Solutions is an effective and cost-efficient solution. It's provided via a single API and has all the tools for risk detection and mitigation. A platform of this nature can enable crypto firms to act quickly and effectively when there are any macroeconomic, market, or specific regulatory changes.

Matt Van Buskirk, Hummingbird: Crypto provides much more – and more trackable – information than traditional financial systems. It's the opposite of a haven for crime and fraud: AML professionals dealing with crypto transactions have more tools at their disposal. Blockchain forensics tools, coupled with strong transaction monitoring and CRM data, can be plugged into a modern compliance platform to show everything required for investigating AML, fraud, and more. Investigators can see financial transaction data, associated geographical and relationship information, wallet addresses, and other key factors. Crypto offers the ability to assess risk beyond the direct customer interaction with your company. The Blockchain allows you to see activity at a far deeper level.

Lana Schwartzman, Notabene: Technology solutions like Notabene's SafeTransact can streamline real-time pre-transaction monitoring and suspicious activity reporting. With the implementation of the Travel Rule, companies can proactively investigate customers and counterparties before a transaction reaches their exchange.

Peter Singer, Fireblocks: Real-time monitoring can stop and prevent fraud or suspicious activity before it happens. Dozens of solutions are available, covering everything from liveness checks for identity verification and geofencing to proxy controls that prevent VPN connections and suspicious device checks.

Blockdata: How can organizations ensure risk assessment and management practices align with industry best practices and regulatory expectations?

Caitlin Barnett, Chainalysis: Regulated financial institutions undergo annual AML audits which are conducted either by internal audit teams or third-party consulting firms. Audit teams will review all relevant policies and procedures, including Risk Assessments, to identify potential gaps. In addition, there are a number of industry groups that share best practices and have thoughtful discussions on this exact topic.

Marc Temple, LexisNexis: Firms must ensure they can adapt quickly to remain compliant with constantly evolving regulations and differing jurisdictional obligations. There is no 'one size fits all' approach that truly suffices, hence why we partner with other industry-standard 3rd party vendors to supplement our proprietary toolkit for fraud and financial crime compliance. Technical agility and industry collaboration are key to ensuring best practices.

Matt Van Buskirk, Hummingbird: Utilizing the robust ecosystem of partner vendors available (and their associated practice area expertise) will support your creation of modern, tech-forward compliance practices. This works best when companies are committed to providing compliance and risk teams with dedicated data science and engineering resources so that vendor capabilities can be leveraged to maximum effect without exceeding budgetary or resource constraints.

Lana Schwartzman, Notabene: Embedding the Travel Rule within risk assessment processes strengthens sanctions programs, AML, and counter-terrorism financing frameworks by considering inherent risks and mitigation controls based on national regulators and industry practices. Importantly, consolidating all compliance vendors (EDD, CDD, KYC, KYB, Travel Rule) under one provider can create a single point of failure. Diversifying compliance stack vendors is recommended. The operational intricacies of Travel Rule compliance require working with dedicated specialists; it shouldn't be treated as an add-on program.

Peter Singer, Fireblocks: Independent, third-party BSA/AML program audits from firms specializing in those areas. Ensure the chosen firm is appropriate for the size of the organization and transaction volume. Don't be afraid to reach out to colleagues for recommendations.

Blockdata: How can organizations stay informed about changing cryptocurrency regulations and implement timely updates?

Marc Temple, LexisNexis: As regulatory frameworks are released globally (e.g., MiCA, VARA), ensure advisory both internally and externally to navigate obligations. We'd suggest following knowledgeable subject experts who continually publish material, often freely on social media.

That said, we have a team of consultants with experience across traditional financial services and cryptocurrency who work with our customers to build effective compliance strategies.

Matt Van Buskirk, Hummingbird: Several crypto trade associations (e.g., the Blockchain Association, the Chamber of Digital Commerce), specialist podcasts, and other news sources cover the intersection between crypto, law, and politics. Companies should remember that RegTech partners are scrutinizing these topics just as closely (if not more!). It's okay to request a briefing or information session.

Lana Schwartzman, Notabene: Leverage regulatory engagements, join industry groups and associations, and sign up for regulator bulletin boards for manual updates. For example, Notabene stays up to date through active involvement in industry associations like CryptoUK, Blockchain Alliance, Chamber of Digital Commerce, ACCESS, Crypto Valley, Canadian Blockchain Consortium, International Association for Trusted Blockchain Applications (INATBA), and Global Digital Finance.

On the other hand, Notabene's Crypto Compliance solution automatically applies new regulatory requirements to transactions. The regulatory and compliance team monitors new regulations to be translated and encoded into the system. The product team continuously monitors and updates criteria so that Compliance Officers don't have to, and the customer success team assists clients with the incremental rollout of the travel rule in multiple jurisdictions, allowing clients to focus on business growth.

Peter Singer, Fireblocks: Joining groups such as the Blockchain Association and the MSB Association are great starting points. I've found both their people and papers are invaluable in keeping up with the onslaught of news about the actions and position statements of Congress, state legislatures, and regulatory agencies. RegTech solutions work well for some organizations.

Blockdata: How can organizations collaborate and share anonymized transaction data with industry peers to identify and combat potential risks?

Caitlin Barnett, Chainalysis: In the U.S., regulated entities can participate in 314(b) information sharing. In addition, many working groups share typologies and other emerging risks that businesses are seeing and potential measures to prevent or identify them.

Marc Temple, LexisNexis: Collaboration is key, but so is data protection and privacy to ensure no personal identifying information is shared. LexisNexis Risk Solutions holds and maintains a global consortium of fraud data and attributes of transactions, IP addresses, email addresses, and devices. Contributing customers aren't only in the crypto industry but across banking, payments, and e-commerce, thus providing a global network of anonymized transaction data for other businesses to leverage. Coupled with the capabilities of blockchain analytics, this makes for a formidable risk detection solution.

Matt Van Buskirk, Hummingbird: Regulators understand the value of information-sharing and have developed channels for institutional sharing, but they are limited by law and technological infrastructure. Blockchain can solve this problem and help create a true "mission first" infrastructure that allows for industry-wide sharing of secure and anonymized customer and transaction data while protecting privacy.

Peter Singer, Fireblocks: Anonymized transaction data isn't overly useful and various laws regarding customer privacy exist that inhibit transparency. Organizations should apply for information sharing through 314(b), a section of the USA PATRIOT Act that allows covered financial institutions to share information. Know Your Transaction (KYT) providers have risk scoring to identify transactions that may be outside of an organization's risk tolerance.

Blockdata: How can compliance departments establish secure information-sharing channels with law enforcement and regulators?

Caitlin Barnett, Chainalysis: Many regulators have encouraged open dialogue with their licensed entities. Cryptocurrency regulators specifically have acknowledged that this ecosystem is changing rapidly, making open communication necessary for effective regulation. Compliance departments can respond to law enforcement requests and should file suspicious activity reports to help foster relationships with various agencies.

Matt Van Buskirk, Hummingbird: Law enforcement and regulators are most concerned with enforcing existing laws. We shouldn't expect them to create innovative ways to share and access intelligence. Financial institutions, exchanges, and RegTech companies all have the responsibility to design products and services that account for the needs of law enforcement and regulators, thus creating holistic financial products.

Lana Schwartzman, Notabene: Participating in specialized programs like the FinCEN Exchange and the Illicit Virtual Asset Notification (IVAN) platform. Formalized in 2020, the FinCEN Exchange is a voluntary public-private partnership – involving law enforcement, national security agencies, financial institutions, and FinCEN – that provides insights and intelligence. FinCEN organizes briefings on illicit finance and national security threats through the IVAN program. Financial institutions may be invited when they have relevant information or capabilities.

Peter Singer, Fireblocks: Private sector partnerships are key for agencies to do their jobs, but compliance departments should understand that working with the government is an asymmetrical relationship. Feeding information to various agencies doesn't mean they'll reciprocate the same type of intelligence. Unfortunately, most of their knowledge cannot be shared with the private sector.

Blockdata: How can organizations demonstrate their compliance commitment to potential banking partners, increasing the likelihood of successful onboarding and strong relationships?

Caitlin Barnett, Chainalysis: Banking partners want the assurance that compliance measures will be effectively implemented. It's obviously important to have the appropriate policies and procedures put in place in order to obtain a banking relationship; however, it is sometimes even more important to show the banking partner the team behind the policies and procedures. Having regular check-ins can bring another level of comfort and build rapport.

Matt Van Buskirk, Hummingbird: Treat compliance as a core necessity from the start, not an afterthought. Proactively building a strong compliance program will always be the best way of impressing regulators and is a prerequisite for conversations with potential banking partners. Crypto institutions are well-positioned to develop strong, tech-forward compliance programs because they are free from the headache of paper-based processes or physical currency.

Lana Schwartzman, Notabene: Ensure full compliance with all relevant local, national, and international regulations, including AML and KYC laws. Appointing a Chief Compliance Officer with experience in the crypto industry is vital, as is implementing stringent AML/KYC procedures, using blockchain analytics tools, and conducting independent annual reviews of the compliance and sanctions programs.

Robust cybersecurity measures, compliance education for employees and customers, and cooperation with regulators all help to demonstrate commitment. Crypto companies should share regular reports on their compliance activities, including any third-party audits and actions taken to address identified issues. Adopt a code of ethics with high behavioral standards and update it regularly. Active participation in the industry and community will build trust and pave the way for successful relationships.

Peter Singer, Fireblocks: Compliance teams play an integral role in banking relationships. Be prepared to share more information than you're used to, and answer questions as completely as possible. Choose your bank carefully. There are several that I steer people toward or away from when asked.

Blockdata: Which records and policies will regulators typically request to assess a compliance program's effective implementation?

Caitlin Barnett, Chainalysis: Regulators will request a number of different records and policies when assessing the effectiveness of a compliance program. Some examples of the types of policies that will be requested and assessed are BSA/AML Policy, BSA/AML Risk Assessment, Sanctions Policy, and Asset Listing Frameworks. During examinations, regulators will test the effectiveness of these policies by comparing them to real-world examples. For example, a regulator may review an onboarding procedure against an actual customer record to determine whether or not the procedure was followed correctly.

Marc Temple, LexisNexis: All regulated jurisdictions require provisions for KYC/identity verification during sign-ups and withdrawals, ongoing AML screening in line with regulatory guidelines, and that VASPs keep records of all transactions, reporting any suspicious ones as they are detected. An immutable audit log of all the aforementioned can help to ensure regulatory satisfaction.

Matt Van Buskirk, Hummingbird: Aside from the traditional policy and procedure documents, crypto companies can provide context from blockchain data sources to support decisions for customer risk rating. A comprehensive audit trail offers regulators certainty that operational procedures are being followed.

Lana Schwartzman, Notabene: Regulators review various policies and procedures, including risk assessments, Know Your Customer (KYC), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), transaction monitoring, suspicious activity reporting, consumer protection policies and reports of prior annual independent assessments. Notabene has recently observed increasing requests for Travel Rule policies and procedures. They also look at the knowledge and expertise of the Compliance Officer, the team, and company-wide training.

Peter Singer, Fireblocks: Banks will ask for your BSA/AML/KYC policy, OFAC compliance, anti-bribery and anti-corruption policy, training program, program audits, prohibited business list, risk assessment, and sometimes the resumes of your head of compliance and/or BSA/AML Officer.

Blockdata: How can compliance programs address the challenges of cross-border cryptocurrency transactions and varying international regulations?

Marc Temple, LexisNexis: We often see VASPs cease operations in one country or begin in another. It's in the interest of all regulated crypto firms to stay on the right side of regulators, and overall for the crypto/DeFi space to move further into the mainstream. Firms must use appropriate technology to determine customer locations and the regulatory framework their operations fall under. A multi-jurisdictional approach must consider requirements across different crypto hot spots.

Matt Van Buskirk, Hummingbird: Cross-border transactions present one of the largest challenges for financial crime prevention in traditional finance. Bad actors can move money between correspondent banks in different jurisdictions with different shell companies, making it nearly impossible to trace the true provenance of funds. Cryptocurrency transactions offer a powerful solution to this problem. Blockchain's permanent ledger records every transaction on the chain, giving compliance teams an edge for tracing funds when equipped with the right tools.

Lana Schwartzman, Notabene: Incorporating Travel Rule compliance mitigates these risks by adhering to various jurisdictional requirements and thresholds while providing sanction screening for counterparties.

However, jurisdictional differences in implementing the FATF's guidance can create compliance pitfalls. For example, Estonian VASPs aren't required to collect and transmit beneficiary names, but other jurisdictions require this information for deposits. Canada requires VASPs to collect and transmit beneficiary physical addresses for withdrawals and receive them for deposits, adding friction to the process, especially when the originator doesn't know the recipient's address.

Tools like Notabene's SafeConnect help compliance officers handle these discrepancies. SafeConnect's secure widget adapts to the transaction thresholds and data collection rules of a company's registered jurisdiction. It also dynamically detects the jurisdiction of the transaction counterparty, ensuring cross-border compliance.

Peter Singer, Fireblocks: As a non-exhaustive starting point, organizations need to have an effective KYC program in place, a good tech stack that includes KYT and VASP identification at a minimum, IP address identification and geofencing, and qualified staff.

Blockdata: Which certifications and training can help compliance officers prepare for their role?

Caitlin Barnett, Chainalysis: Compliance officers are required to undergo annual compliance training. In addition, there are a number of certifications and training programs available to compliance officers. Chainalysis offers certifications that cater to all experience levels, from cryptocurrency beginners to seasoned investigators.

Matt Van Buskirk, Hummingbird: The ACAMS has a robust certification program and strong curricula around crypto compliance. Many blockchain analytics vendors offer specialized training programs for performing blockchain investigations.

Lana Schwartzman, Notabene: Certifications from organizations like the Association of Certified Anti-Money Laundering Specialists (ACAMS) and the Association of Certified Financial Crime Specialists (ACFCS) are essential. Notabene offers a Travel Rule Compliance Certification for the latest training on this regulation. Blockchain analytics certifications can enhance their expertise.

Peter Singer, Fireblocks: CAMS and CFE certifications are gold standards that can be helpful. Reading about various cases or failures that have made the headlines is also a great way to understand what was missed or could have been improved. Don't be afraid to ask questions or to seek input from others with more experience; I routinely do so. You don't need to have all the answers; you just need to know where to find them.
