On-chain and off-chain: consideration for the sector standard

Introduction

The rise of blockchain and virtual assets has provided a new dimension to the financial world with prosthetic benefits and risks. These innovations challenge traditional approaches and regulatory frameworks, especially in the context of Anti-Money Laundering, and Terrorist Financing and Sanction Evasion (hereby the “AML/CTF Applicable Regulation”). The recent NVB Sector Industry Baseline relating to Crypto Asset Service Providers (hereby the “Guidelines”) despite its efforts to ensure clarity and proposed sufficient practices that banks can follow to minimize their risk for violating AML/CTF Applicable Regulation and any reputation risk it lacks clarifications, best practices already established by the banking sector relating to virtual assets and virtual assets related funds and the peculiarities and risk posed by Virtual Assets. This is understandable since the measures described are mainly based on an overview of the existing processes and procedures a bank follows for onboarding and monitoring clients that do not have significant interaction with the virtual assets. However, it is relatively easy to be a normal person in the traditional system while financing terrorism on the blockchain in the evening.

Positioning with the financial crime framework

Regrettably, the pertinent section of the guidelines appears to overlook the current state of Virtual Asset regulation and the compliance status of CASPs with the applicable Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF) regulations.

It’s important to recognize that Virtual Assets and blockchain technology are relatively recent developments, particularly within the financial sector. Consequently, the corresponding regulatory framework is even more recent. CASPs and Virtual Assets have faced challenges stemming from legacy issues and past scandals. It’s worth noting that a significant portion of CASPs initially operated outside the regulatory framework, thereby increasing the risk for banks when establishing business relationships with either individual users or CASPs.

Furthermore, the distinct characteristics of Virtual Assets, such as self-hosted wallets and Decentralized Finance, increase the risk for banks when establishing business relationships with a CASP or individual users and necessitate specific practices that a CASP must implement to ensure the bank of its compliance with the AML/CTF Applicable Regulations. These considerations underscore the importance of thoroughly assessing the risks associated with partnering with a CASP.

Industry baseline

1.1 Risk factors

Relating to the Industry Baseline and the criteria for onboarding a CASPs, there is a need for further clarification relating to the qualitative and quantitative criteria a bank shall take into consideration before and during any business relationship with a CASP. 

When conducting a qualitative assessment, it is imperative to consider additional factors, including but not limited to the following:

1. Group Affiliation: Determine whether the CASPs are part of a larger group and whether this group has subsidiaries or branches in offshore or high-risk jurisdictions.
2. Supervisory Authorities: Identify all relevant competent authorities under whose supervision or registration the CASPs operate.
3. Jurisdictional Considerations: Evaluate whether the CASP has a significant user base originating from jurisdictions and assess whether the bank bears legal liability when receiving funds from such jurisdictions.
4. Inter-CASP Relationships: Ascertain whether the CASP in question provides services to other CASPs and examine the protocols in place to mitigate regulatory risks stemming from third-party CASPs in the context of the bank’s operations.
5. Evaluate the products and services offered by the CASP) to determine if they align with regulatory requirements. Additionally, assess whether the CASP is engaged in providing any “unregulated services. 
6. Anti-Bribery and Corruption Policies: Verify if the CASP has established policies and procedures concerning Anti-Bribery and Corruption.
7. Staffing Expertise: Assess whether the CASP maintains an adequate workforce with the requisite level of experience to effectively perform their roles and responsibilities.
8. Service Provider Ecosystem: Examine whether the CASPs have adequate service providers, including blockchain analytics resources, to ensure compliance with Source of Funds, Source of Wealth, and Transactional Flow Record requirements, especially concerning self-hosted wallets and Decentralized Finance.
9. Scams and Ransomware Policies: Determine whether the CASPs have implemented policies and measures to address scams and ransomware threats that may not be explicitly covered by the AML/CTF Applicable Regulation.
10. Assessment of whether the CASP possesses a robust information security infrastructure capable of mitigating the risk of data breaches or, even more critically, the theft of end-users assets.

Moreover, there is substantial evidence to suggest that the presence of multiple factors within the Guidelines table can independently determine the risk classification of a client. For instance, involvement, whether direct or indirect, with privacy coins and technologies designed to enhance anonymity may, by definition, raise red flags for numerous traditional financial institutions. Considering the use of such technologies and their inherent capacity to hinder the traceability of funds and their origins, such transactions are inherently categorized as high-risk. This elevation in AML/CTF risk significantly impacts the overall risk profile of the business relationship.

When considering quantitative criteria, it is essential for the bank to gain a comprehensive understanding of CASPs and individual users’ activities within the blockchain ecosystem. This understanding enables the bank to maintain a holistic view of the client’s activities and associated risks. To achieve this, banks must establish processes capable of encompassing and capturing risks stemming from both on-chain and off-chain data.

Central to blockchain technology is its on-chain component, wherein transactions are recorded on a decentralized digital ledger. These on-chain transactions offer transparency, immutability, and traceability while affording users a degree of anonymity. In contrast, off-chain data pertains to activities occurring outside the blockchain network, often involving transactions within Centralized Exchanges and conventional financial procedures like customer due diligence.

The inherent nature of on-chain crypto transactions presents opportunities for activities that may elude detection by traditional monitoring methods. The pseudonymous and decentralized characteristics of blockchain mean that, despite stringent off-chain controls, individuals or entities can engage in transactions that are not easily traceable. Consequently, even if a crypto service provider complies with all off-chain regulatory requirements, there remains a risk associated with activities such as money laundering or terrorist financing through the on-chain mechanisms.

Hence, it is imperative for banks to comprehensively address both on-chain and off-chain aspects in their risk assessment and monitoring processes to mitigate potential risks effectively.

Examples of the application of on–chain and off-chain data that can be utilized during the onboarding process of the client and the business relationship can be found in 1 below. 

Table 1: Example of On-Chain and Off-Chain data

Customer acceptance activity	Off-Chain	On-Chain
Identity and UBO Verification	Copy of passport and address details.	Cryptographic verification of wallet ownership and UBOs.
Sanction screening	Screening of the client within publicly available data.	Integration of blockchain analysis for any interaction with blockchain addresses that are subject to Sanctions screening.
High-risk jurisdictions	Assessment if the client has operation and/or is associated with high-risk/ offshore jurisdictions.	Analysis of transactions and blockchain addresses wallet activities that are available through CASPs operating in high-risk jurisdictions or are Decentralized.
Nature and purpose of relationship	Assessment of client’s economic profile onboarding provided information with the client’s ongoing activity.	Linking wallet information to customer data for deeper analysis and comparing the data with client’s economic profile.
Source of wealth	Assessment of the documentation and or clarification provided by the user’s economic profile.	Advanced analyzes of the source of funds and assets on the blockchain and compare the data with client’s economic profile.
Source of funds	Assessment of the documentation and or clarification provided by the user’s economic profile.	Advanced analysis of the source of wealth and assets on the blockchain and compare the data with the client’s economic profile.
Customer risk assessment	Assessment of transaction the client performs within the financial institution and compare with the client’s economics.	Suspicious activity and red flags relating to the user interaction with the blockchain and assessment of transaction the client performs within the blockchain.

The innovative on-chain analytical tools with blockchain wallet analysis and transaction pattern recognition provide an additional layer of security and insight. These tools allow financial institutions to monitor transactions and activities on the blockchain, helping to identify risky or suspicious activities that may not be covered by traditional methods.

The integration of these two approaches improves the overall effectiveness of risk management and provides a holistic view of customer activities. The chapter discusses how such integration can be achieved, the challenges involved, and the benefits for both crypto service providers and traditional financial institutions. By combining the strengths of on-chain and off-chain methods, financial institutions can better meet regulatory requirements while adapting to the new realities of digital finance.

1.2 Information and documentation

Taking into account all the information listed above, it’s crucial to ensure that the below information is requested by the banks following the onboarding and during the ongoing business relationship with CASPs:

• Information relating to the UBOs and senior management shall also include information relating to qualified holdings and their jurisdiction and whether they have adequate experience relating to the operation of a regulated financial entity and if not who are the key individuals that would be responsible for the CASPs compliance with the regulatory requirements; 
• Enhance assessment of the policies that the financial institution has in place relating to its compliance with the regulatory requirements including the requirements mentioned within the Wolfsberg Questionnaire.
• Relating to the Geographic location of activities the assessment shall also include the interaction of the end – users with decentralized financed and centralized exchanges that are operating from high-risk jurisdictions, this information shall be available through on–chain assessment of the CASPs wallets by the bank. 
• Information and processes the CASP maintains relating to the segregation and safeguarding of end users’ assets;
• Assessment of the implementation of the CASP’s practices for compliance with the AML/CTF Applicable Regulation through an on-chain assessment of the CASP’s on-chain exposure, which shall also include proof of wallet ownership. This assessment shall be made on the blockchain wallets the CASP utilizes for its operations and the client’s accounts.  

1.3 Bank’s clients purchasing or selling crypto assets

Regretfully the proposed action mentioned in the relevant segment of the Guidelines can only be achieved for clients that maintain one account in CASPs that are operating a close loop ecosystem, namely the user deposits fiat and trades in Virtual Assets in one CASP and then withdrawals its fiat profit to the bank, which is rarely the case. 

Taking into account the recent bankruptcies, violation of the legal framework, and security breaches of the key players on Blockchain Technologies and Virtual Assets, such FTX, Binance, Gemini, etc the majority of clients are moving away from Centralized Finance to Decentralized Finance to mitigate any counterparty risk and or maintain an account with several Centralized Exchange to ensure diversification.  

To this end, a simple report from a Centralised Exchange does not depict the accurate picture of the client’s source of wealth and certainty of the risk derived by the client. To this end, a more holistic analysis shall be made by banks on a risk-based approach that also includes the client’s self-hosted wallets and their interaction with Decentralized Finance and other Centralised Exchange and/or accounts that the client maintains in other Centralised Exchange to ensure that the banks accurately calculate the user’s Source of Wealth and AML/CTF risk. 

Who we are

We are CENSE AG, a Swiss company that originated as a spin-off from Glassnode AG. Our specialization lies in the development of on-chain solutions tailored for Financial Institutions, aimed at achieving compliance with the provisions of the AML/CTF Applicable Regulations. Our approach is rooted in the principles and practices of the Traditional Financial Sector, leveraging on-chain data sourced from existing vendors to meet the evolving compliance needs of our clients.