Financial crime and Australia's digital markets

Why do digital currencies need to be regulated from an anti-money laundering and counter-terrorism financing (AML/CTF) perspective?

The growth of digital currencies, in part, due to the nature of the transactions - are quick and anonymous. These attributes are also what make digital currencies attractive to perpetrators of criminal activities. By their nature, digital currencies are designed to bypass centralised banking systems, including across international borders. DCE providers play a critical role in on-boarding and off-boarding fiat currency to crypto and vice versa, but the peer-to-peer nature of the transactions provides limited transparency for DCE providers.

While money laundering and terrorism financing may be regulated effectively at the on-ramp and off-ramp stage, there is an information asymmetry for DCE providers from the moment cryptocurrency is deposited in the first wallet to the moment it reaches the destination wallet. One method implemented to combat this information asymmetry in traditional banking is the Travel Rule which is discussed in more detail below. Regardless of this information asymmetry, the role of DCE providers in complying with their AML/CTF obligations is a challenging but important one.

What are the legal obligations of a DCE provider?

Since 2018, DCE providers have been required to register and enrol with AUSTRAC as a reporting entity under Australia’s AML/CTF regulatory framework.

Registered exchanges are required to implement customer due diligence (CDD) procedures to verify the identity of their customers, submit annual reports to AUSTRAC and to monitor and report threshold or suspicious transactions. Exchange operators are also required to keep certain records relating to customer identification and transactions for up to seven years and to ensure independent reviews of their AML/CTF program are conducted. DCE providers are also required to renew their registration every three years.

The Guide

The Guide assists DCE providers to effectively carry out their obligations by identifying indicators of criminal activity and reporting suspicious behaviour. DCE providers should use a combination of financial indicators and knowledge of their business to monitor, mitigate and manage suspicious activity, including the following:

Identification, verification and profile information

Stolen or fake documentation or insufficient information from a customer should alert DCE providers to potentially suspicious behaviour during the on-boarding process. DCE providers should also be alert to customers acting as agents without disclosing this fact, or corporate customers that have unclear beneficial ownership.  If DCE providers experience difficulty contacting customers who exclusively communicate via email or web chat, in particular those with high privacy features, they may wish to consider conducting further monitoring and assessing  if a suspicious matter report (SMR) needs to be filed.

Source of funds and wealth

DCE providers are encouraged to identify situations where customers have unexplained wealth or where large purchases are inconsistent with the customer’s financial profile. Regular use of cryptocurrency ATMs should also be monitored. Customer requests for higher deposit limits or the provision of altered or low quality documents during on-boarding should also raise red-flags for DCE providers.

Account activity

DCE providers should be vigilant towards patterns including ‘chain hopping’- the movement of earnings through mixer wallets and multiple conversions prior to cashing out. These patterns may indicate an attempt to conceal the source or destination of funds. Public information such as sanctions lists should also be used to establish links between customers and illicit activity.

The use of multiple accounts in conjunction with a high number of different electronic devices, or the use of multiple IP addresses should also raise concerns. The Guide also suggests that customers who appear anxious or impatient, or evasive as to the reason for a transfer should be treated with a higher degree of caution.

Other crime-type specific indicators

Social media and online crowdfunding campaigns linked to ideologically or religiously motivated violent extremism forums may help DCE providers to detect the misuse of DCEs for terrorism financing. DCE providers should also monitor activity in jurisdictions where CDD processes are less stringent or jurisdictions which are considered high risk in terms of terrorism financing.

The Guide also sets out specific indicators for detecting illicit activity via the Darknet, scams and tax evasion.

New developments

Would the Travel Rule work in Australia?

Australia has not implemented the Travel Rule for DCE providers. The Travel Rule is a key AML/CTF control or measure, which mandates that DCE providers obtain, hold and exchange information about the originators and beneficiaries of virtual asset transfers. The mandate aims to combat the transparency issues associated with DCEs. While the Travel Rule has been effectively implemented for other financial institutions, cryptocurrency addresses are pseudonymous which makes this obligation far more challenging for DCE providers. Blockchain Australia identified that there had been challenges within Singapore’s system where applicants faced a ‘lengthy application process’ and ‘a lack of commercial solutions to comply with the travel rule.’

How will proposed amendments help ADI’s?

On 22 March 2022, the Federal Government released a consultation paper regarding a prospective licensing and custody regime for digital assets (Digital Assets Paper). When implemented, the licensing regime will subject all participants to greater obligations than those imposed under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), including:

1. capital adequacy testing;
2. auditing; and
3. responsible person tests.

The current AML/CTF compliance regime will be supplemented by a broader licensing regime, which is likely to be managed and supervised by a number of regulators including APRA, ASIC and the ATO.

In addition to this, from 28 April 2022, the Anti-Money Laundering and Counter‑Terrorism Financing Rules Amendment Instrument 2022 (No. 1) (Cth) (Instrument) exempted financial institutions from registering on the DCE register.

This amendment means that financial institutions (typically banks and authorised deposit-taking institutions (ADIs)) are not required to register as a DCE provider when they are already regulated by AUSTRAC.

ADI’s stand to benefit from these amendments in quite a significant way. In general, it creates an easier route for these entities to be involved in the digital asset economy, and thereby increases the competitive threat posed by these entities to existing DCE operators. It is envisaged that this will drive an increase in crypto offerings and compliance standards across the ecosystem, and thereby an increase in trust, as these financial institutions will already have mature AML/CTF programs and a robust approach to managing risks in the emerging crypto asset market. 

As reform is fast moving, DCE’s and businesses are best placed to consider the potential licensing regime of digital assets. This for example could include:

• conducting a mapping exercise of current use of and exposure to digital assets;
• engaging in the current AUSTRAC Consultation with respect to Chapter 81 of the AML/CTF Rules;
• engaging with the consultation on the design of the digital asset licensing regime that will commence shortly with advice due to Government later this year; and
• being proactive with regulators such as AUSTRAC, APRA, ASIC and the ATO regarding their expectations with respect to digital assets and any guidance released regarding their proposed or further regulation.