European Commission released COM(2017) 340 final on 26.6.2017, the Report from the Commission to the European Parliament and the Council on the assessment of the risks of money laundering and terrorist financing affecting the internal market and relating to cross-border activities.
The Report classifies risks (threats and vulnerabilities) on various products with a rating on a scale from 1 to 4 as follows:
1) Lowly significant (value: 1)
2) Moderately significant (value: 2)
3) Significant (value: 3)
4) Very significant (value: 4)
The result for Virtual currencies are:
Threat
Terrorist financing
Conclusions: LEAs have gathered some information according to which terrorist groups may use virtual currencies to finance terrorist activities. However, the use of virtual currencies requires technical expertise which makes it less attractive. Consequently, the level of TF threat related to virtual currencies is considered as moderately significant(level 2).
Money laundering
Conclusions: few investigations have been conducted on virtual currencies which seem to be rarely used by criminal organisations. While they may have a high intent to use due to VCs characteristics (anonymity in particular), the level of capability is lower due to high technology required. Consequently, the level of ML threat related to virtual currencies is considered as moderately significant (level 2).
Vulnerability
Terrorist financing
The assessment of the TF vulnerability related to virtual currencies providers shall take into account the fact that, currently, virtual currencies are not regulated in the EU and that the risks of being misused for TF purposes are only just emerging.
Conclusions: the most important element of vulnerability for virtual currencies providers is the fact that there are not regulated in the EU. They cannot be properly monitored and they cannot report suspicious transactions to FIU. The inherent risk exposure is also very high due to the features of the virtual currencies (internet, cross-border and anonymity). Finally, the sector is currently not organised well enough to receive guidance or relevant information on AML/CFT requirements. Consequently, the level of TF vulnerabilities related to virtual currencies is considered as significant/very significant (level 3/4).
Money laundering
Conclusions: the assessment of ML vulnerability presents commonalities with TF. The most important element of vulnerability for virtual currencies providers is the fact that there are not regulated in the EU. They cannot be properly monitored and they cannot report suspicious transactions to FIUs. The inherent risk exposure is also very high due to the features of the virtual currencies (internet, cross-border and anonymity). Finally, the sector is currently not organised well enough to receive guidance or relevant information on AML/CFT requirements. In that context, the level of TF vulnerabilities related to virtual currencies is considered as significant/very significant (level 3/4).
Mitigating measures
The Commission proposed in its proposal for amending Directive (UE) 2015/849 that virtual currency exchange platforms as well as custodian wallet providers are added to the list of obliged entities under 4AMLD.
The Commission would issue a report to be accompanied, if necessary, by proposals, including, where appropriate, with respect to virtual currencies, empowerments to set-up and maintain a central database registering users’ identities and wallet addresses accessible to FIUs, as well as self-declaration forms for the use of virtual currency users.
The Commission will continue to monitor in the context of the SNRA the risks posed by FinTech/RegTech, crypto-to-crypto currency exchanges, and use of virtual currencies for purchasing of high value goods.
I suggest to read the whole report to acknowledge risks about methodology and global analysis.
I regret for some commentators that bitcoin are not used for terrorism financing and/or money laundering, but cryptocurrencies are not useful for money laundering by design.
The methodology is the following:
Table 2: the threat component (money laundering risks) will be assessed according to a four scale threat level:
LOWLY SIGNIFICANT (value: 1) |
No indicators that criminals have the intention to exploit this modus operandi for ML/TF. The modus operandi is extremely difficult to access and/or may cost more than other options and perceived as unattractive and/or highly insecure. No indicators that criminals have the necessary capabilities to exploit this modus operandi. The use of this modus operandi requires sophisticated planning, knowledge and/or high technical expertise than other options. The threat related to the use of this modus operandi is lowly significant. |
MODERATELY SIGNIFICANT (value: 2) |
Criminals may have vague intentions to exploit this modus operandi for ML/TF. The modus operandi is difficult to access and/or may cost more than other options and perceived as unattractive and/or insecure. Few indicators that criminals have some of the necessary capabilities to exploit this modus operandi. The use of this modus operandi requires planning, knowledge and/or technical expertise than other options. The threat related to the use of this modus operandi is moderately significant. |
SIGNIFICANT (value: 3) |
Criminals have exploited this modus operandi for ML/TF. The modus operandi is accessible and/or represents a financially viable option. The modus operandi is perceived as rather attractive and/or fairly secure. Criminals have the necessary capabilities to exploit this modus operandi. The modus operandi requires moderate levels of planning, knowledge and/or technical expertise. The threat related to the use of this modus operandi is significant. |
VERY SIGNIFICANT (value: 4) |
Criminals have recurrently exploited this modus operandi for ML/TF. The modus operandi is widely accessible and available via a number of means and/or relatively low cost. The modus operandi is perceived as attractive and/or secure. Criminals are known to have the necessary capabilities. The modus operandi is relatively easy to abuse, requires little planning, knowledge and/or technical expertise required compared to other options. The threat related to the use of this modus operandi is very significant. |
Table 4: The vulnerability component will be assessed according to a four scale vulnerability level:
LOWLY SIGNIFICANT(value: 1) | [Within the sector/area considered, deterrence measures and controls exist and are effective at deterring money laundering and financing terrorism. The sector shows a positive organisational framework and a negligible exposure to the risk of ML/TF]. Illustrative assessment criteria: RISK EXPOSURE – No or very limited products, services or transactions that facilitate speedy or anonymous transactions; secured and/or monitored delivery channels; low level of financial transactions; low level of cash based transactions; high quality management of new technologies and/or new payment methods – Very limited volume of higher risk customers; high ability to manage corporate entities or trusts in customer relationships – No or very limited business and customer based in areas identified as high risk; low level of cross-border movements of funds; AWARNESS OF THE RISK VULNERABILITY – Sector concerned shows a satisfactory level of awareness of the ML/TF risks inherent to its sector (evidence based, actions undertaken, training, allocated resources). The sector benefits from a positive organisational framework. – Competent authorities provide a comprehensive ML/TF risk assessment related to the sector and LEAs have a high ability to counter ML/TF risks (a range of ML/TF cases is visible and highly likely to be detected, leading to investigation, prosecution and convictions) – Good ability of the FIU to detect and analyse the risks, to ensure a good functioning of gathering information through STR, in particular through the use of tailor-made indicators and a sufficient amount of resources to actually perform the risk-analysis. LEGAL FRAMEWORK AND CONTROLS – The existing legal framework is commensurate to the risks inherent to this sector. – Controls [defined by the legislation] are effectively applied by the sector. Reliable CDD/identification mechanisms are in place to ensure adequate identification and verification process of a customer. Internal controls are applied by obliged entities in a robust manner (e.g. risk management, record keeping, training). Obliged entities are effectively reporting suspicious transactions to FIUs. – Domestic and international cooperation between AML authorities, in particular FIUs and supervisory authorities, allows a good level of sharing of information => Lowly-significant vulnerabilities. |
MODERATELY SIGNIFICANT (value: 2) |
[Within the sector/area considered, deterrence measures and controls exist and are reasonably effective at deterring money laundering and financing terrorism. The sector shows an organisational framework presenting some weaknesses and/or an exposure to the risk of ML/TF.]. Illustrative assessment criteria: RISK EXPOSURE – Limited products, services and transactions that facilitate speedy or anonymous transactions; mostly secured and/or monitored delivery channels; rather significant level of financial transactions; rather significant cash based transactions; good management of new technologies and/or new payment methods – Few higher risk customers; good ability to manage corporate entities or trusts in customer relationships – Some business and customer are based in areas identified as high risk; rather significant level of cross-border movements of funds; AWARNESS OF THE RISK VULNERABILITY – Sector concerned shows some awareness of the ML/TF risks inherent to its sector (evidence based, actions undertaken, training, allocated resources). The sector benefits from an organisational framework which shows some weaknesses. – Competent authorities provide a reasonable ML/TF risk assessment related to the sector and LEAs have a good ability to counter ML/TF risks (a range of ML/TF cases is visible and likely to be detected, leading to some investigations, prosecutions and convictions – FIU can detect and analyse the risks in certain circumstances, to ensure a good functioning of gathering information through STR, in particular through the use of tailor-made indicators LEGAL FRAMEWORK AND CONTROLS – The existing legal framework covers in major parts the risks inherent to this sector – Controls [defined by the legislation] are applied by the sector but presenting some weaknesses. Reliable CDD/identification mechanisms are in place but do not ensure systematically an adequate identification and verification process of a customer. Internal controls are applied by obliged entities to some extent (e.g. risk management, record keeping, training). Obliged entities are reporting few suspicious transactions to FIUs. – Domestic and international cooperation between AML authorities, in particular FIUs and supervisory authorities, allows a partial sharing of information. => moderately significant vulnerabilities |
SIGNIFICANT (value: 3) |
[Within the sector/area considered, deterrence measures and controls have limited effects in deterring criminal/terrorist abuse of the service. The sector shows an organisational framework presenting very significant weaknesses and/or a significant exposure to the risk of ML/TF.]. Illustrative assessment criteria: RISK EXPOSURE – Significant volumes of products, services and transactions that facilitate speedy or anonymous transactions; few secured and/or monitored delivery channels; significant level of financial transactions; significant cash based transactions; low management of new technologies and/or new payment methods – Significant volumes of higher risk customers; low ability to manage corporate entities or trusts in customer relationships – Major part of business and customer is based in areas identified as high risk; significant level of cross-border movements of funds; AWARNESS OF THE RISK VULNERABILITY – Sector concerned shows limited awareness of the ML/TF risks inherent to its sector (evidence based, actions undertaken, and training, allocated resources). The sector benefits from a limited organisational framework. – Competent authorities provide for a limited ML/TF risk assessment to the sector and LEAs have low capacity to counter ML/TF risks (only some ML/TF cases are visible and unlikely to be detected, leading to few investigations, prosecutions and convictions) – The FIU can detect and analyse the risks only in limited circumstances which allows only a limited functioning of gathering information through STR. LEGAL FRAMEWORK AND CONTROLS – The existing legal framework does not cover the most substantial parts of the risks inherent to this sector. – Controls applied by the sector present significant weaknesses. Few reliable CDD/identification mechanisms are in place and does not allow an effective identification and verification process of a customer. Internal controls are applied by obliged entities with very significant weaknesses (e.g. risk management, record keeping, training). Obliged entities are reporting very few suspicious transactions to FIUs. – Domestic and international cooperation between AML authorities, in particular FIUs and supervisory authorities, allows on few possibilities of sharing of information => Significant vulnerabilities |
VERY SIGNIFICANT(value: 4) | [Within the sector/area considered, there are extremely limited or no measures and controls in place, or they are not working as intended. The sector shows an organisational framework presenting highly significant weakness and/or a high exposure to the risk of ML/TF]. Illustrative assessment criteria: RISK EXPOSURE – Very significant volumes of products, services and transactions that facilitate speedy or anonymous transactions; no secured and/or monitored delivery channels; very significant level of financial transactions; very significant cash based transactions; no management of new technologies and/or new payment methods – Very significant volumes of higher risk customers; no ability to manage corporate entities or trusts in customer relationships – Business and customer are based in areas identified as high risk; very significant level of cross-border movements of funds; AWARNESS OF THE RISK VULNERABILITY – Sector concerned shows no awareness of the ML/TF risks inherent to its sector (evidence based, actions undertaken, training, allocated resources). The sector has no adequate organisational framework to address the ML/TF risks. – Competent authorities don’t provide for any ML/TF risks assessment to the sector and LEAs have no ability to counter ML/TF risks (detection is very difficult and there are very few/no financial or other indicators of suspicious activity. The level of investigations, prosecutions and confiscations is extremely low) – The FIU can detect the risks in very limited circumstances or in no circumstances. LEGAL FRAMEWORK AND CONTROLS – The existing legal framework does not cover the risks inherent to this sector – Controls applied by the sector present very significant weaknesses. No reliable CDD/identification mechanisms are in place and the basic identification and verification requirement process of a customer is not fulfilled. Internal controls are not properly applied by obliged entities (e.g. risk management, record keeping, training). Obliged entities are not reporting suspicious transactions to FIUs. – Domestic and international cooperation between AML authorities, in particular FIUs and supervisory authorities, does not exist or does not allow sharing of information => very significant vulnerabilities |