Back to the source

The UK’s latest National Risk Assessment (NRA), published in December 2020, identified that the risk of money laundering through cryptoassets has increased since 2017 (when the previous risk assessment was released). Tellingly, the risk of money laundering through cryptoassets is currently assessed as medium whereas in 2017 the word ‘cryptoasset’ did not even feature in the NRA. 

The rise of cryptoassets

One reason for the new appreciation of the money laundering risk associated with cryptoassets is that the cryptoasset ecosystem has developed rapidly since 2017. More cryptoassets are on the market and growth in the trade of non-fungible tokens (NFTs) – one of a kind collectible digital assets representing everything from virtual Hermès Birkin bags to Damian Hirst prints – is but one example. Additionally, there has been an increase in anonymity-enhanced cryptoassets and a proliferation of peer-to-peer (P2P) online platforms for the acquisition of cryptoassets as well as online exchanges. Adding to the risk is the uneven regulation of cryptoassets around the world with some jurisdictions regulating heavily, and others not at all.

Since 2017, however, understanding on the part of the authorities in the UK and elsewhere of how cryptoassets can be used for both legitimate and illegitimate purposes has also improved. In September 2020, the Financial Action Task Force published a comprehensive report on Virtual Asset Red Flag Indicators for the first time. The report highlighted the innovation and efficiency associated with cryptoassets but noted that “their distinct features also create new opportunities for money launderers, terrorist financiers, and other criminals to launder their proceeds or finance their illicit activities. The ability to transact across borders rapidly not only allows criminals to acquire, move and store assets digitally, often outside the regulated financial system, but also to obfuscate the origin or destination of the funds and make it harder for reporting entities to identify suspicious activity in a timely manner”. 

Despite the heightened money laundering risk, the use of cryptoassets as an alternative to traditional fiat currency (government-issued currency) continues undampened and it’s not uncommon for cryptoassets to be used in satisfaction of all or part of the funds of a transaction in the UK. In 2021, the Financial Conduct Authority estimated that some 2.3 million people in the UK hold cryptoassets, representing a 400,000 rise from the previous year. This suggests that more transactions are likely to involve the use of cryptoassets in time, raising questions about the extent to which law firms should be conducting source of funds checks in discharge of client due diligence (CDD) obligations now and in the future.

Source of funds checks

Under regulation 28 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), regulated legal professionals are obliged to carry out CDD at the start of a business relationship. This necessarily will entail obtaining information on the  client and the purpose and intended nature of the business relationship. Understanding the client’s financial position and the origins of the funds to be applied to a particular transaction will be paramount. Although the MLR 2017 only impose an express legal requirement to carry out source of funds checks on high-risk clients, for example politically exposed persons (PEPs) as per regulation 35(5), in practice legal professionals are expected to conduct at least some source of funds checks on a client even if the money laundering risk has not been assessed as high. 

In support of this approach, the Legal Sector Affinity Group (LSAG) guidance expressly refers to the need for source of funds checks at 6.17, noting that it is a “fundamental aspect of holistic CDD”. In line with the risk-sensitive nature of  CDD, the greater the money laundering risk that is posed by a client, then the more involved source of funds checks will have to be.  

Understanding source of funds requires at least some understanding of where the funds to be applied to a particular transaction come from. Identifying that the funds have come from a bank account will be insufficient and getting to the bottom of the provenance of the funds, supported by independent documentation, will be essential. All of this is clearly set out in the LSAG guidance, but what the current version of the guidance does not address is how practically to approach source of funds checks when cryptoassets are concerned. 

Checks on digital assets

The lacuna in the current LSAG guidance in relation to cryptoassets should not be taken to mean that source of funds checks are not required whenever a client discloses that they intend to use cryptoassets as part of a transaction. It would be an oversight to ignore source of funds in this situation or to put them in the ‘too hard’ basket. The expectation that source of funds checks will be carried out in discharge of CDD requirements, particularly where a client is high risk or a PEP, remains. In light of the prominence given to the money laundering risk associated with cryptoassets in the NRA and by the Financial Action Task Force, it is important for practitioners to ensure that efforts are made to identify the source of cryptoassets as part of CDD.

In approaching this task, as a starting point, practitioners should not be deterred when a client says they intend to rely on cryptoassets to fulfil a transaction. Inevitably, the use of cryptoassets will be a factor relevant to assessing a prospective client’s money laundering risk given that there are widely recognised concerns that such assets can be exploited by criminals or used to launder money. Every firm’s appetite for risk will naturally differ but the mere fact that a person has invested in cryptoassets is not of itself reason to either de-risk an existing client or avoid commencing a relationship altogether. Cryptoassets are increasingly entering the mainstream. Where a firm has properly assessed a client’s risk and is content to proceed, the focus should instead be on carrying out proportionate CDD to mitigate that risk and prevent money laundering. In the absence of any guidance, some tips are provided below. 

What assets are held?

In practical terms, the prospective client should be asked to provide information on the precise cryptoassets they hold, the cryptoassets they intend to apply to the transaction and the proportion of the sum that will come from such assets. Some cryptoassets are well-known (such as Bitcoin and Ethereum) while others are less so and may separately be associated with high levels of anonymity, use by criminal actors or darkweb transactions which are known for their criminality. 

As with any CDD information obtained from the client, a lawyer should request supporting documents and assess the information provided on cryptoassets against other information known about the client and by reference to reputable open-source material. This will assist in understanding the concerns, if any, that attach to a particular cryptoasset. It would be a mistake to assume that well-known cryptoassets do not pose a money laundering risk. The National Crime Agency’s National Strategic Assessment of Serious and Organised Crime, published in 2019, noted that Bitcoin, the most well-known and widely used of cryptoassets, “continues to dominate in relation to dark web marketplace transactions, cyber-dependent and cyber-enabled crime. However, there has been growing uptake of privacy-focused alternatives, such as Monero and ZCash”. Europol, in its report Cryptocurrencies: Tracing the Evolution of Criminal Finances, published in 2021, has also identified Dash as another privacy-associated cryptoasset that has popped up in illicit activity. Where a client holds cryptoassets that are recognised as having a high degree of privacy, CDD should extend to assessing whether the client’s explanation for choosing that particular cryptoasset makes sense given what is known about the client and their profile. 

How were the funds acquired?

Enquiries should also be made into how the prospective client’s cryptoassets came to be acquired, when they were acquired and the time period over which they have been held. Cryptoassets can be obtained in multiple ways including by mining, through Initial Coin Offerings (ICOs), cryptoasset gambling platforms, exchanges or P2P platforms. An ICO will involve the sale of a new cryptocurrency to investors in exchange for money and they are typically unregulated. A cryptocurrency exchange is an online financial services provider that enables users to purchase or convert cryptocurrency using either cryptocurrency or traditional fiat currency (such as sterling). In the UK and in European jurisdictions, these providers are regulated and are subject to anti-money laundering requirements, including CDD and the duty to report suspicious activity. Regulation, however, is uneven in other parts of the world and some countries have no or sparse oversight. Additionally, some exchanges have publicly had the finger pointed at them by law enforcement authorities for alleged involvement in money laundering activity. As part of CDD, it will be important to understand where the exchange is based and whether it is subject to regulation or has been the subject of any adverse allegations. 

Separately, P2P platforms enable the trade and acquisition of cryptoassets directly between two counterparts without an intermediary such as a regulated exchange. There are no CDD requirements as the counterparts directly contact each other. Use of an unlicensed or unregulated mode of cryptoasset acquisition is likely to indicate a higher risk of money laundering given the lack of oversight. As part of CDD, enquiries should be made of the client as to why the cryptoassets were acquired in this way and the lawyer should assess whether their explanation makes sense. 

How are the assets stored?

It is also good practice to understand the manner in which the cryptoassets are stored by the client. Cryptoassets may be stored in a variety of ways but the most common way is via a hosted custodian wallet. Custodian wallet providers are regulated in British and European jurisdictions and it will be important to consider whether the provider is a reputable one. Storage of cryptoassets in an unregulated way such as via an unhosted wallet could suggest a desire to avoid scrutiny for some reason. 

What is the source of funds?

Finally, where a client has invested in cryptoassets using traditional fiat currency (such as sterling), source of funds checks should extend to identifying the provenance of the funds applied to the original investment. Where, for example, the funds derive from professional salary or the sale of shares or other property, this should be corroborated by independent documents and, if available, information from third parties such as accountants, tax advisers or other solicitors in the conventional way. All efforts made to understand the source of cryptoassets to be applied to a transaction should be the subject of file notes, with such notes and supporting documents providing an audit trail for the acquisition of cryptoassets forming part of CDD. 

Your obligations

In time, as the cryptoasset ecosystem further matures and cryptoassets continue to appear in transactions, it can be expected that guidance will be issued on how law firms should be conducting source of funds checks. In the meantime, it is important not to mistake the current lack of guidance as meaning that source of funds checks do not apply to cryptoassets. The obligations in the MLR 2017 and expectations in the LSAG guidance remain. Documented efforts should be made to understand the provenance of a client’s cryptoassets regardless of the size of the transaction in case a firm is ever called upon to explain the CDD approach. Just as with conventional source of funds checks, reluctance on the part of a prospective client to discuss how their cryptoassets came to be acquired and provide supporting documents will be cause for unease. If the refusal to explain is maintained, a firm may find itself in a situation of being unable to complete CDD and having to cease the relationship in line with regulation 31 of the MLR 2017. The cryptoasset world is ever-evolving, but it is important to remember that the CDD duties remain the same.