Skip to content

AML and KYC

Abstract

This section describes the need for anti money-laundering (AML) and know your customer (KYC) procedures. Moreover, examples are given and explained on how to utilize these procedures for a blockchain network.

Motivation

KYC and AML are legitimacy checks that are used depending on the purpose of the blockchain network. KYC mechanisms are used to create compliance with laws. Accordingly, the users of the network are to be identified in order to either simply prevent bots or spam or even clearly establish that it is a genuine identity. With a corresponding identity determination, money laundering can also be prevented, for example, when a cryptocurrency is used in the network.

Elaboration

The KYC process used may vary depending on the confidence level of the identification. At a low-threshold level, for example, social media accounts [1] are sufficient for abuse prevention in the network. For other applications, especially identity-based applications such as a self-sovereign identity network, processes are required that can establish identities on the basis of ID cards or other official documents (with the help of the issuer). When using a currency in the network, identification as well as logging of transactions is required for applicable money laundering laws.

KYC vs. AML

The terms Anti-Money Laundering and Know Your Customer are often combined together or used interchangeably which is not entirely correct. While both are risk-based approaches to money laundering Anti-Money Laundering is a comprehensive set of processes, regulations and rules that together cohesively combat money laundering, terrorism funding and other financial crimes such as identity fraud. KYC is a process that only identifies and authenticates the customers of financial institutions and other companies based on their perceived risk profile.

Financial Action Task Force (FATF)

The Financial Action Task Force (FATF) which is the global money laundering and terrorist financing watchdog recommends that the risk-based approach to counteracting money-laundering and terrorism-financing also applies to all direct and indirect virtual asset service providers (VASPs).

(With 200 countries commited to implementing them, the FATF has developed the FATF Recommendations, or FATF Standards. Recommendations of the FATF usually have either already been or will be implemented as a minimum AML/KYC standard by the respective countries and regulators. Although there might be deviations and goldplating FATF recommendations provide a very good overview over the international current AML standards and upcoming developments).

Virtual Asset Service Providers (VASPs)

According to FATF virtual asset service provider means any natural or legal person who, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

  • exchange between virtual assets and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets;
  • safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Depending on their particular financial activities, VASPs include:

  • Virtual Asset exchanges and transfer services;
  • some Virtual Asset wallet providers, such as those that host wallets or maintain custody or control over another natural or legal person’s Virtual Assets, wallet(s), and/or private key(s);
  • providers of financial services relating to the issuance, offer, or sale of a Virtual Asset (such as in an ICO);
  • and other possible business models

In order to manage and mitigate the risks emerging from virtual assets, countries should ensure that

  • VASPs are regulated for AML/CFT purposes;
  • licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures;
  • competent authorities should take the necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in, a VASP;
  • countries should take action to identify natural or legal persons that carry out VASP activities without the requisite license or registration, and apply appropriate sanctions;
  • countries should ensure that VASPs are subject to adequate regulation and supervision or monitoring for AML/CFT and are effectively implementing the relevant FATF Recommendations, to mitigate money laundering and terrorist financing risks emerging from virtual assets.
  • VASPs should be subject to effective systems for monitoring and ensuring compliance with national AML/CFT requirements.
  • VASPs should be supervised or monitored by a competent authority, which should conduct risk-based supervision or monitoring.

FATF Recommendation 10

Specifically, FATF issued in Recommendation 10 that

  • VASPs should design Customer Due Diligence (CDD) processes to help them in assessing the AML/CFT risks associated with covered Virtual Asset activities and customers.
  • CDD must be performed in the context of establishing a business relationship or while carrying out occasional transactions for non-customers with a value greater than USD 1,000 or EUR 1,000.
  • CDD comprises identifying the customer and applying a risk-based approach to verifying the customer’s identity using reliable and independent information, data or documentation.
  • where the customer is not a natural person, the customer’s beneficial ownership must be determined.
  • the CDD process also includes understanding the purpose and intended nature of the business relationship, where relevant, and obtaining further information in higher risk situations.
  • Ongoing due diligence of the customer relationship must be performed and transactions must be scrutinised.

FATF Recommendation 16

Under FATF Recommendation 16 when a VASP conducts a transfer of Virtual Assets on behalf of a customer, it is required to:

  • obtain and hold accurate (i.e. verified for accuracy) originator information, including customer name and wallet address, as well as other data such as physical address, date of birth or other specified alternatives;
  • obtain and hold beneficiary information, specifically the customer name and wallet address; and
  • transmit the originator and beneficiary information to a receiving VASP (or other obliged entity, such as a financial institution), if any.
  • Originator and beneficiary information must be screened to ensure that transactions with designated persons and entities (e.g. those subject to financial sanctions) are identified, reported to competent authorities and subject to freezing measures.

Internal references and dependencies

Dependent on: Organisation – Goals, Accountability

References to best practice, examples

List of references to best practice, examples

[1] Rinkeby: Authenticated Faucet https://faucet.rinkeby.io/

Bibliography of selected references

(List of references and literature)


RFC-0321
Contributing authors: Stephan Zimprich, Daniel Theis
Status of this document: work in progress
Last day modified: 2021-05-04