A recent post by RegTech firm Arctic Intelligence has detailed what virtual asset service providers can do to help de-risk cryptocurrency.
One of the first key steps for VASPs is to complete a proper business risk assessment. This, Arctic claims, is the cornerstone of the AML/CFT programme and is the mainstay of AML/CFT regulatory requirements.
Arctic explained, “This sets the tone and demonstrates how the VASP uses its controls to mitigate the financial crime risks specific to its business, based on its operational model.” VASPs should also ensure a summary of the BRA results is available for distribution to banking partners if requested.
The company cited comments made by PXP Financial CFO Jonathan Bell on de-risking, who advised companies to communicate fully and clearly with banks and to purposefully set about building a positive relationship. Bell commented, “If somebody is reviewing the information you’re providing and has big question marks or would say that there are lots of things missing, that does not get the relationship off to a good start. I think it is about trying to build that trust and confidence at the very early stages.”
VASPs should also make sure the BRA reflects the criteria listed in the local AML/CFT regulations that must be complied with, as well as explaining the controls used in a way that makes it clear which regulatory requirement they are intending to meet.
Arctic continued that when explaining your BRA, crypto firms should ensure the person presenting has a firm knowledge about how the BRA was conducted and the measures you describe to mitigate such risks.
Thirdly, companies should ensure there is evidence the VASPs board has seen, discussed and approved the BRA, including any recommended actions to improve or bolster controls. This, Arctic underlined, demonstrates to banking partners that the body responsible for overseeing the business is serious about mitigating financial crime risks and is prepared to make
Third, ensure there is evidence the VASP’s Board has seen, discussed and approved the BRA, including any recommended actions to improve or bolster controls. This demonstrates to banking partners that the body responsible for overseeing the business is serious about mitigating FC risks and is prepared to make the investment needed to keep those risks in check.
The final recommendation by Arctic is that VASPs should make sure the BRA results reflect the way the AML/CFT compliance programme and business model operate in practice. The risk appetite or residual risk result of the BRA should be reflected in the types of customers, countries and products and services offered by the companies.
In addition, a VASPs customer acceptance policy should clearly show which types of customers must be subject to enhanced due diligence and which ones exceed the risk appetite of the business.
Arctic concluded, “While VASPs are at the early stages of their AML/CFT regulatory journey, there is much they can learn from the experience of European FinTechs. Compliance measures may involve different technology and innovative controls, but at the end of the day, VASPs should it be able to demonstrate how they have come to understand their financial crime risks and the ways in which they address them. The lessons learnt by FinTechs in Europe should be leveraged where possible, and this includes taking the time and investing the effort needed to produce a practical and explainable BRA.”
Find the full post here.