In mid-June, the Australian government closed its consultation on ‘Modernising Australia's anti-money laundering and counter-terrorism financing regime’.

‍

This consultation offers the government an exciting opportunity to significantly improve the effectiveness of Australia’s response to economic crime and illicit finance. An important part of the consultation considers the breadth of digital currency activities that should fall under the regulatory framework. TRM believes that all nations should fully implement the FATF standards on virtual assets including the travel rule to close off loopholes to illicit actors who choose to exploit digital currencies for their own gain. We welcome the suggestions set out in the consultation and look forward to supporting the Australian government in the next phase of their AML/CFT regime. 

‍

Read the full TRM Labs response below.

‍

‍

Our Response

Overview

TRM Labs supports the alignment of AML/CFT frameworks around the world with the FATF Standards. Consistent and well implemented AML/CFT standards reduce loopholes which can be exploited by illicit actors to profit from their activities. Aligning standards on digital asset exchanges is especially important. As this sector grows it must be protected from risk, supervised proportionally and supported in using the latest technology to meet regulatory objectives. Thus, TRM welcomes this consultation from the Australian Government on how to better incorporate the digital currency ecosystem under the Australian AML/CFT regime.  

TRM specialises in identifying and tracing fraud and financial crime across digital assets. We work with partners around the world including regulators, supervisors, FIUs, law enforcement agencies and the private sector. Accordingly, this response will focus on the proposed expansion of AML/CFT requirements for digital currency exchanges, and will share our data-driven insights on how this sector can effectively be supervised to mitigate financial crime risk. 

The consultation proposes a much needed and significant uplift to the AML/CFT regime. For this to be successful, the regulated sectors and especially the Tranche 2 sectors, who have never been regulated before, will require considerable support whilst they navigate the construction of policies and procedures and reach a desired level of effectiveness. To ease this process, we encourage robust public-private engagement in order to find best practices together. 

Consultation Questions 

Consultation question: Regulation of digital currency exchanges

14. What are the benefits and challenges of expanding the AML/CTF obligations to a broader range of digital currency-related services?

Expanding AML/CTF obligations to a broader range of digital currency-related services would have several benefits for increasing the effectiveness of Australia’s AML/CFT regime. Below we explore the benefits and challenges of expanding AML/CFT obligations to a broader section of the digital currency sector. 

Benefits of expanding regulations for digital currency exchanges 

The benefits that can be derived from expanding the regulatory perimeter predominantly stem from the interconnectedness of the digital currency ecosystem and the transparency of data which create actionable insights for regulators, law enforcement and compliance professionals. These differ dramatically from traditional finance where insights are siloed within single organisations. 

Criminal networks are particularly skilled and agile at finding jurisdictions, venues and institutions with lower barriers, such as regulations limited to certain transactions (digital currency-fiat) to launder their ill gotten gains. Expanding AML/CTF obligations to a greater number of centralized digital currency services will make it harder, costlier and riskier for bad actors looking to facilitate illicit activity within or through Australia. 

The consultation proposes expanding the perimeter to include “exchanges between one or more other forms of digital currency.” TRM supports this proposal; in our analysis of money laundering conducted using digital currencies, it is common for transactions between digital currencies to be exploited. This exploitation can occur in several ways including by moving funds across blockchains and the use of nested exchanges.  

‍

Case Study: Chain Hopping

The explosive growth of cross-chain bridges has made cross-chain transfers much faster and easier. The use of cross-chain bridges experienced a greater than 90% growth surge during the end of 2021. Chain-hopping is an effective money laundering technique as it makes it harder for services like centralized exchanges to detect whether incoming funds are tied to illicit activity, which they would normally freeze or report to law enforcement. TRM is able to seamlessly trace the flow of funds across blockchains in one graph in order to mitigate this risk.

In November 2021, decentralized finance protocol bZx announced that one of their developers was the victim of a phishing attack, enabling the attacker to gain control of the developer’s wallet and bZx’s Binance Smart Chain and Polygon deployment protocol. The attacker drained approximately $55 million from wallets on the Binance Smart Chain, Polygon, and Avalanche blockchains before bZx was able to take action. After gaining control of the funds on those chains, the attacker used at least four cross-chain bridges to move the stolen cryptocurrency to the Ethereum blockchain.

Further information: https://www.trmlabs.com/post/trm-phoenix-solves-crypto-investigators-chain-hopping-problem 

‍

Case Study: Nested Exchanges

Nested exchanges do not directly custody clients’ digital assets. Instead, they feed off the infrastructure of a large, global cryptocurrency exchange to conduct their transactions. Nested exchanges often take advantage of the greater liquidity and lower transaction costs of big, multi- national exchanges while presenting customers with a custom-made interface obscuring the connection to the larger service.

Nested services can present significant risks to the regulated entities whose infrastructure they share. According to TRM research, nested exchanges create a disproportionate level of risk and are often linked to sanctioned jurisdictions. TRM is happy to share further information with the Australian government on nested exchanges on a bilateral basis.  

In late 2021, OFAC took action against a nested crypto exchange called SUEX.io, a concierge cryptocurrency exchanger incorporated in Czechia but operating in Russia. Using its relationship with a large exchange, and access to cash from unknown sources, SUEX was able to convert the illicit monies of its clients to physical cash at an alarming scale. 

As a blockchain intelligence provider that works with some of the world’s largest crypto exchanges to help them identify emerging risks such as these, TRM has been studying the on-chain shape and behavior of nested exchanges since early 2020. Today, TRM users leverage this unique capability, known as Ownership Analytics, to identify parasite exchanges and other nested entities operating on their platforms.

Broadening the regulatory perimeter also presents new possibilities for control measures that leverage innovative technologies such as blockchain analytics, which can be used both by regulators and the private sector. Due to the nature of public blockchains, their transparency, immutability and permanence, investigators, with the use of tools like TRM, are able to conduct provenance tracing to assess the source and destination of funds. By expanding the regulatory remit, a greater number of transactions would be captured, creating benefits for supervision of the sector and the overall effectiveness of the AML/CFT regime. 

‍

Case Study: Strengthening Supervision

Supervisors typically rely on documentation and data provided by regulated institutions in discharging their supervisory duties and reviewing the adequacy of an entity’s AML and other controls. While this is an important feedback loop, it is often not possible for the information to be provided on a real-time basis. Sampling of data for supervisory review can also result in inadvertent blind spots. Blockchain intelligence can improve the supervisory process by equipping regulators with a level of transactional risk transparency not previously available. 

Consider a hypothetical scenario in which a regulator examines an institution with a similar on-chain profile to Bitzlato, the Hong Kong-registered cryptocurrency exchange recently identified by FinCEN as a primary money laundering concern for its connection with Russian illicit finance.

Blockchain intelligence could reveal a number of material, risk relevant data points that are not apparent from policies, procedures or alert samples. For instance, the regulator might observe that, despite it purporting to do KYC, test accounts and transactions with the exchange reveal that the institution in fact collects no documentation whatsoever at onboarding.

Image. KYC Levels can serve as an indicator for how much documentation an entity actually collects at onboarding, irrespective of written policies

If the regulator wanted to sample transactional activity, blockchain intelligence can give it the ability to begin its review with transactions that carry the most severe risk, with counterparties directly connected to ransomware, scams, darknet markets or other cybercrime services. Moreover, the regulator could ascertain whether those high risk transactions represent a systemic facilitation of illicit activity indicative of control failures, or are merely one-off instances.

Image. On chain transactional risk indicators provide data on how much illicit activity is flowing through an entity.

Finally, the regulator could also use transactional and counterparty data to assess the true jurisdictional footprint of the exchange’s customer base. For instance the exchange may claim not to permit Australian customers to onboard. However, an assessment of its counterparty flows may show up numerous transactions with Australian exchanges, therefore bringing the exchange under the jurisdiction of Australian regulations.

Such insights could also be applied to an initial regulatory review that signals to examiners where to zoom in and focus resources - a more efficient alternative to blind sampling or reliance on written policies.

And while it is still early, there may be another positive byproduct of regulators’ use of blockchain intelligence. Historically it was not uncommon in AML-related enforcement actions for a regulator merely to infer that money laundering or high risk activity took place because of the lack of sound control processes. This focus on process risk by regulators has at times frustrated private sector institutions who posited that process risk did not necessarily equate to financial crime risk.

Today, blockchain intelligence tools can enhance regulators’ ability to identify high risk transactions and customers and focus their efforts where actual illicit finance is present, in addition to conducting control evaluations. As the New York Department of Financial Services stated in a recent enforcement action that specifically called out instances of control gaps leading to suspicious activity, the process deficiencies are not “merely theoretical”.

Image. Summary of the benefits of blockchain intelligence for increasing the effectiveness of digital currency service provider supervision 

‍

Case Study: Asset Recovery 

Increasing the regulatory perimeter also increases the opportunity for asset recovery. The case of Bitfinex provides a good example of how the properties of the blockchain and an expanded regulatory parameter can increase the opportunity for asset recovery. 

US law enforcement agencies traced stolen funds from the 2016 Bitfinex hack leading to arrests and a $3.6 billion seizure - the largest in US history. The thieves moved the funds through an on-chain labyrinth of laundering techniques including the use of fictitious identities, automated transactions, the use of a variety of exchanges and darknet markets, mixing services, privacy coins and chain hopping. Using blockchain intelligence and inter-agency collaboration, US law enforcement were able to establish the flow of funds and ultimately recover them. 

Further insights can be found here: https://www.trmlabs.com/post/trm-talks-breaking-news 

Challenges of expanding AML/CFT regulations for digital currency exchanges  

Any newly regulated sector is likely to present challenges. TRM works with governments and regulators around the world who are implementing AML/CFT regimes for digital currencies and helps them overcome these challenges. Below are a list of the common challenges we have observed and how these can be overcome:

• Guidance - When expanding the regulatory perimeter, it is essential that this is accompanied by appropriate guidance for the sector. This guidance must extend across every stage of the compliance lifecycle beginning with clear guidance on how to gain authorisation (e.g. from the UK Financial Conduct Authority and the Monetary Authority of Singapore) under the AML/CFT regulation. Post authorisation guidance must be tailored to the specific needs of the industry allowing them to meet the same compliance requirements but whilst leveraging the power of new technology and the native properties of distributed ledger technology to do so. For example, pre-execution payments have become commonplace in the sector (unlike traditional finance) and guidance should be tailored to allow for compliance models that facilitate these payments whilst meeting regulatory obligations (e.g. from the New York Department of Financial Services). The final element of effective guidance for the digital currency sector is timeliness. Risks, and opportunities to mitigate them,evolve at an unparalleled pace. It is thus essential that guidance in the form of alerts or similar can be issued.
• Public private partnerships (PPPs) - PPPs have been shown to have a significant impact on improving the effectiveness of AML/CFT controls - the Australian Financial Crimes Exchange (AFCX) is one such example of this. However, digital currency businesses are not always involved in these partnerships. By ensuring that digital currency businesses are included in these initiatives, lessons learnt from more established regulated sectors can be more readily shared. In partnerships such as the AFCX, involving digital currency businesses can be especially useful for tackling problems such as fraud and scams, which often have a digital currency nexus In addition, by bringing together the traditional and digital financial sectors in regular engagement it is more likely that problems such as debanking are minimised.
• Supervisory capacity building - Supervisors often require a significant uplift in training and tools to effectively monitor the digital currency ecosystem. This includes fundamental and regular training across multiple teams, including those who may not directly supervise digital currencies but may come into contact with them. Teams will also require the necessary blockchain intelligence tools to analyse on chain activity. It is also important that capacity is built at law enforcement agencies who must have the ability to identify digital asset artifacts on the front line of their work. Furthermore, the judicial system must also be suitably upskilled to process cases that involve digital assets. This upskilling across the entire anti-financial crime supply chain (from compliance officer, to supervisor, regulator, law enforcement and tax authorities) is significant and requires considerable investment. 

‍

Consultation questions: Modernising travel rule obligations

16. What are the benefits and challenges for financial institutions in applying the existing travel rule obligations? 

17. Would the proposed model assist in addressing these challenges? 

At TRM, we collaborate with travel rule solution providers and digital currency businesses that aim to implement the travel rule in accordance with FATF Standards. There remain a number of key challenges to the effective implementation of this FATF Recommendation, specifically: 

• Lack of a consistent data standard - Unlike traditional finance who have an established mechanism for exchanging information via the SWIFT system, there is no one single data standard for the exchange of information between digital currency businesses. 
• Fragmentation of solutions -  The above challenge has led to several travel rule providers offering different data standards, which may not interchange information between themselves in an effective manner. This fragmentation can require digital currency businesses to employ multiple solutions, which increases the cost of compliance. 
• Interoperability - The fragmentation in data standards has in some cases reduced the interoperability between travel rule solution providers. In addition, mechanisms built for the implementation of the travel rule by traditional financial institutions tend not to have the  capability to ingest information from solutions built for digital currencies.  For traditional financial institutions who wish to process digital currency transfers they will need to augment their ingestion infrastructure to avoid a bifurcated process.
• Verification of information - For entities currently implementing the travel rule, verifying the information they receive to a high level of confidence has been a challenge. This can be particularly challenging when conducting counterparty VASP due diligence and establishing that a VASP is where it claims to be and is performing the appropriate anti-financial crime checks on their users.

At TRM, we help customers overcome the challenge of verifying information by leveraging our Know Your Vasp (KYV) tool, which allows customers to establish with a high degree of confidence that the VASP they are interacting with is who they say they are and to what extent they pose a financial crime risk. 

• Sunrise issue -  Problems in conducting counter party VASP due diligence are compounded by the level implementation of the travel rule around the world. Many countries have yet to implement the travel rule, resulting in firms operating in those countries not having the infrastructure in place to collect, transfer and store such information. 

If the Australian Government decides to apply the travel rule to the digital currency sector, we hope that it will participate in international regulatory dialogue (at FATF and related forums) and public-private engagement to overcome these challenges and apply the travel rule in a uniform, efficient and effective fashion.

‍

Further Resources 

Compliance in the second age of digital assets  

May 2023. Available at: https://hub.trmlabs.com/crypto-compliance-whitepaper

Best practices for digital asset seizures 

June 2023. Available at: https://www.trmlabs.com/post/best-practices-for-digital-asset-seizure-in-the-field 

‍