The distinct characteristics of virtual assets including their anonymity and rapid transactions make it more difficult for financial institutions and reporting entities to detect illicit activities. In October 2018, the FATF revised the application of its Standards to virtual assets activities and VASPs and in June 2019 it provided a further explanation of how to apply FATF requirements to virtual assets activities and VASPs for AML/CFT purposes.1 In its latest report of September 2020,2 the FATF published a number of red flag indicators to make it easier for reporting entities to detect possible ML and TF activities and encourage them to apply a risk-based approach to their Customer Due Diligence (CDD) requirements.

Red flag indicators

Key areas of concern are:
• Transaction type
• Transaction patterns
• Anonymity
• Senders and recipients
• Source of funds
• Geography

1. Transactions

One of the indicators of illicit activities is the size and frequency of transactions. Particularly suspicious are a number of high-value transactions which are made in a short time (usually within 24 hours) or virtual assets transactions structured in such amounts to avoid reporting thresholds. Similarly, virtual assets transferred to VASPs in jurisdictions with insufficient AML/CFT regulations, transactions incurring unnecessary costs, and accepting suspicious funds may suggest an illicit activity channeled through virtual assets.

Other factors to consider may include:

• the regularity of transactions followed by inactive periods;
• authorisations of transactions to a new or previously inactive account;
• withdrawals of virtual assets to a private wallet directly from VASPs.

2. Transaction patterns

An unusual pattern of transactions and lack of a logical business explanation are also red flags. Examples include a new user transferring their entire balance of virtual assets off the platform, or depositing large initial amounts to a VASP where the amount funded does not align with the customer profile. Funding the deposit on the same day and withdrawing or trading the total amount of virtual assets shortly thereafter merits further examination as well.

Other examples of suspicious transaction patterns may include:

• transactions involving multiple virtual assets or accounts;
• transactions taking place frequently and at a certain time;
• transactions in small amounts from unrelated wallets but subsequently transferred to another wallet or exchanged for fiat currency;
• virtual assets - fiat currency exchanges carried out at a loss or for large amounts with no logical business explanation.

3. Anonymity

Anonymity is a distinguishing characteristic unique to virtual assets which enhances the security of transactions. It can also be exploited for criminal purposes.

Examples of potential ML/TF conduct benefiting from the anonymity include transactions involving multiple types of virtual assets, especially virtual assets providing higher anonymity (e.g. anonymity-enhanced cryptocurrency (AEC), privacy coins), transactions transferring virtual assets from transparent blockchains and trading them for AEC or privacy coins, or transactions using mixing and tumbling services in order to make the flow of funds less transparent.

Ongoing criminal activity can be possibly inferred from the usage of bank accounts to carry out transactions on peer-to-peer exchange websites where unregistered or unlicensed VASPs operate as well as the usage of VASP platforms for which the owners cannot be identified, the communication is anonymous and encrypted or KYC and CDD checks are weak or non-existent.

Other factors to consider include:

• possible linkages to suspicious sources or obscure schemes (e.g. Ponzi schemes);
• usage of decentralized wallets to transfer virtual assets across borders or virtual assets wallets operated from the same IP address;
• regular usage of virtual assets ATMs/kiosks in suspicious locations or at higher transaction fees.

4. Senders and recipients

In some circumstances, an unusual profile or behaviour of the sender or the recipient are relevant indicators of potential criminal activity. Suspicious irregularities can occur at any stage of the transaction, including during account creation (e.g. transactions originating from doubtful IP addresses, IP addresses from sanctioned jurisdictions or users having Internet domain registrations outside of the jurisdiction of establishment) as well as during the CDD process (e.g. inadequately performed KYC, insufficient information about the transaction and its source, and falsified documents or photographs presented by the customer).

The profile and behaviour of a customer may require further monitoring if a customer’s account credentials are shared with another account or are frequently changed or if a customer’s virtual assets address is linked to illegal activities on public forums or a customer is known for a past criminal activity. Regular transactions between the customer and the same counterparties at a high profit or loss as well as the language used by the customer in virtual asset messages expressing support for illicit activities or the purchase of illicit goods are relevant.

5. Source of funds or wealth

Transactions which use virtual asset addresses or bank cards linked to known criminal activities can suggest involvement in ML/TF. Equally suspicious are transactions which do not provide satisfactory information about owners of the funds (e.g. where shell companies are engaged or the funds are placed in an ICO with no personal data of investors). If a customer’s wealth comes mainly from investments in virtual assets and ICOs or from VASPs with insufficient AML/CFT checks, the FATF advises reporting entities to have a closer look at the source of a customer’s wealth.

6. Geographical risks

Criminals benefit from the inconsistent implementation of the FATF Standards on virtual assets and VASPs in different jurisdictions. Certain jurisdictions suffer from regulatory gaps in their AML/CFT regimes which may lack registration and licensing requirements or may not adequately cover virtual assets and VASPs. This provides a perfect opportunity for criminals to transfer their illicit funds into such jurisdictions and run their criminal activities with a limited risk of being exposed. It should be noted that there is currently no official list of “high risk” jurisdictions specific to virtual assets.

Looking ahead

The FATF has produced a useful list of indicators which consider the unique features of virtual assets and assist reporting entities with uncovering potential ML and TF conduct involving virtual assets. However, the FATF also warns that red flag indicators are not exhaustive and should be interpreted in context of information from other sources. Simply identifying a red flag does not always indicate wrongdoing and requires further follow-up by a reporting entity.

In parallel, Luxembourg introduced new registration and governance requirements for VASPs. The deadline for VASPs to file a registration application with the Luxembourg CSSF was May 30, 2020. 

As of September 30, 2020, there were no registered VASPs in Luxembourg. There have been exchanges between the CSSF and potential VASP registrants, however, there is not yet a complete registration. Accelerating this process is a key part of supporting the latest FATF report recommendations.

The full FATF report is available below.