Virtual currencies: are we missing a trick? Insights from the Basel AML Index 2023
Our recently released Basel AML Index 2023 says that countries need to supercharge their efforts to understand the evolving financial crime risks of new technologies – especially cryptocurrencies and other virtual assets.
Global performance in this area has been plummeting ever since the FATF strengthened its Recommendation 15 on New Technologies, covering virtual assets and virtual asset service providers (VASPs). According to our analysis, average levels of compliance with this Recommendation have now dropped to the second weakest of all 40 Recommendations.
We argue that getting regulation, supervision and enforcement right is the only way to foster a thriving FinTech industry while protecting financial integrity, consumers and investors.
Cryptocurrencies and other virtual assets keep many financial crime professionals up at night. There are billion-dollar scandals and scams, rollercoaster-style volatility and indications that organised crime groups are using cryptocurrencies to hide and launder illicit funds.
Terrorist groups including Hamas are known to have received funding via cryptocurrencies, while others are taking advantage of cryptocurrencies to circumvent sanctions, gain revenue through hacks and cyber scams, and fund nuclear weapons programmes.
Are countries too relaxed or simply being cautious, as one may expect with any new and complex phenomenon? Perhaps they are just unsure how to regulate and supervise this fast-evolving industry? And is law enforcement up to the task?
The risks are high, and so is the uncertainty in the sector. However, there are reasons to be cautiously optimistic.
- First, because despite the fact that the crypto market is booming in terms of the number of transactions and their overall value, the percentage of criminal funds flowing through blockchains is decreasing constantly. While crypto’s first years saw nearly 20 percent of Bitcoin’s daily activity moving through illicit online markets like Silk Road, in 2022 illicit activities were estimated to represent less than 1 percent of the total transaction volume.
- Second, because regulations are becoming stronger and more harmonised in the world’s major financial centres.
- And third, because initial enforcement successes point at the huge potential to trace illicit financial flows and recover stolen funds.
What data do we have?
The main source of data on countries’ performance in regulating the crypto industry for AML/CFT purposes comes from the FATF.
In 2018, the FATF extended its Recommendation 15 on new technologies to specifically include virtual assets and VASPs.
Of the 161 jurisdictions assessed by the FATF from December 2017 until September 2023, the results for Recommendation 15 are concerning. Only 12.5 percent are evaluated as “compliant”; many more (20.5 percent) are “non-compliant”.
Average global performance in technical compliance is just 43 percent. This is well below the average across all 40 Recommendations (65 percent) and the second lowest after the non-profit sector. And performance has worsened significantly compared to our analysis in 2021 when the global average was at 63 percent.
Some of this dramatic fall was caused by this year’s assessment of fifty new jurisdictions, but more than 30 percent of jurisdictions already included in 2021 were downgraded as a result of FATF follow-up reports.
What makes for good performance?
Low levels of compliance with Recommendation 15 are especially high in places with the most to gain from innovative financial technologies, including the speed and low cost of transactions on the block- chain. Sub-Saharan Africa and South Asia, where many people remain excluded from the traditional financial sector, are currently languishing at the bottom of the list with 19 percent and 25 percent compliance respectively.
The few countries that are doing well in Recommendation 15 have common characteristics:
- They identify and assess ML/TF risks related to new technologies, including crypto, through national and sectoral risk assessments.
- They have specific, binding and enforceable obligations for reporting entities (such as banks and non-financial businesses and professions) to manage and mitigate the ML/TF risks of new technologies.
- Supervisory authorities apply a risk-based approach to supervising new technologies and proactively seek to identify and assess ML/TF risks in relation to new business practices and
- Financial institutions establish risk mitigation measures to reduce ML/TF risks identified in new business practices and products.
Regulators and supervisors who have had less exposure to crypto would do well to learn from their more advanced peers.
Regulation and supervision: trial, error and improvement
While nobody – other than the criminals – benefits from having VASPs that are unregulated and unlicensed, it is also natural for countries to be unsure and hesitant about how to regulate and supervise the fast-evolving crypto ecosystem:
First, because virtual assets are by nature a complex field that is highly volatile and evolving fast.
Second, because the risks seem both very large and very remote. The infamous collapse of crypto exchange FTX wiped out billions of dollars in virtual assets. Yet its collapse shook only the crypto industry, leaving the traditional financial sector that is still the backbone of the global economy unscathed.
Third, because of the unintended consequences of regulating and enforcing too loosely or too tightly, or with measures that don’t fit the industry’s nature and needs. Experiences such as Estonia’s highlight the difficulties in designing regulation that will foster innovation and growth of Fin-Tech companies while keeping consumers and investors safe.
Perhaps as a result of this uncertainty, countries are experimenting with a wide range of ways to regulate and supervise the crypto industry.
This experimentation is natural and a good thing – as long as the authorities evaluate and learn from those experiments, share experiences internationally, and consult closely with the private sector and other stakeholders to ensure the rules are fit for purpose.
Flipside of the "simple licensing process" in Estonia
In 2017, Estonia became one of the first EU member states to enact legislation that regulates and controls cryptocurrencies. It introduced a simple licensing process and provided favourable tax regimes for virtual assets companies. The crypto market boomed in the country: by mid-2021, there were 650 active authorisations of VASPs.
However, after examining the market, the authorities found that simplified regulations were often misused. Some companies provided false corporate information:
some businesses registered board members/directors without their knowledge or consent;
employees of these businesses submitted falsified CVs;
identical business plans were copied from one online website, using poor-quality machine translation.
Many applications were submitted through the same providers of legal services or company services.
To correct this and ensure only legitimate businesses were operating as VASPs, Estonia quickly introduced new legislation strengthening AML requirements for VASPs.
Since the new legislation came into force on 15 March 2023, authorisations for 189 companies were revoked for non-compliance. Almost 200 VASPs voluntarily closed down. By 1 May 2023, only 100 active VASPs remained registered and operating.
The case shows the challenges of getting regulation right. Ultimately Estonia only wants to encourage legitimate companies that will protect customer and investor funds and not increase its risks of money laundering and terrorist financing.
Reasons to be optimistic
Despite the bleak picture seen in the data, some developments are encouraging:
First, regulation is becoming stronger and more joined up. In the EU, the new Markets in Crypto-Assets (MiCA) regulation aims to create a comprehensive framework for regulating crypto assets within the bloc. VASPs (called CASPs in the regulation) will need to be licensed in their host country, to adhere to AML/CFT regulations like other financial institutions and to operate more transparently by, for example, providing potential investors with detailed information.
In parallel, the Transfer of Funds Regulation will ensure that transfers of cryptocurrencies – like other transfers of funds – will contain information about the sender and receiver of the funds. This implements the so-called “travel rule” of the FATF Recommendation 15, a key weak spot according to the FATF’s latest review on the matter.
Regulations like MiCA will reduce the risks of regulatory arbitrage or “regulator shopping”, at least within the EU. As always, the crux will be in how effectively the legislation is implemented and in the resources and knowledge of supervisors and law enforcement. Also crucial, of course, is whether other regions follow suit with equally robust and harmonised regulation.
Second, major enforcement successes by some countries show the huge potential of catching organised criminals and recovering assets. These will hopefully act as a deterrent for other criminals tempted to misuse cryptocurrency for illegal purposes.
The US seized a staggering USD 3.6 billion in Bitcoin in connection to the 2016 Bitfinex hack – the largest ever financial seizure. The UK has reformed its laws to make it easier to confiscate cryptocurrencies linked to crime after recovering over USD 370 million in crypto in 2022. Other countries are seeing their first major recoveries of crypto assets, with more and more cases in the pipeline.
Looking into the crypto ball
Poor performance is a concern, but also to be expected given the growth and complexity of the crypto industry globally. And there is also reason for optimism.
Few can predict how the crypto industry will evolve and the exact implications for preventing money laundering and terrorist financing. But the data is clear: countries at all stages of the FATF evaluation process need to invest serious, immediate attention and resources in understanding and addressing the risks posed by virtual assets and other new technologies.
Partly for the sake of meeting FATF standards – but mostly for the sake of fostering positive financial innovation while preventing further misuse for criminals and protecting customers and investors.
More from the Basel AML Index
- Find out about the Basel AML Index, view the latest Public ranking and find out whether your organisation is eligible for a free Expert Edition account at our website: index.baselgovernance.org.
- See the Basel AML Index 2023 press release.
- Watch Malcolm Wright speaking about the regulation of virtual assets at the Basel AML Index online launch event.