April 28, 2022
TO: All Virtual Currency Business Entities Licensed under 23 NYCRR Part 200 or Chartered as Limited Purpose Trust Companies under the New York Banking Law
FROM: Adrienne Harris, Superintendent of Financial Services
RE: Guidance on Use of Blockchain Analytics
The purpose of this guidance from the New York State Department of Financial Services (“Department”) is to emphasize to all virtual currency business entities that are either licensed under 23 NYCRR Part 200 or chartered as a limited purpose trust company under the New York Banking Law (collectively, “VC Entities”) the importance of blockchain analytics to effective policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.
Compliance in a Virtual Currency Context
Financial activity involving virtual currency can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. For example, virtual currencies such as Bitcoin and Ether can be transferred peer-to-peer directly from one individual or entity to another pseudonymously, absent the use of a regulated third party (e.g., between non-custodial wallets, or self-hosted wallets that allow users to maintain control of their private keys). Thus, to effectively address compliance requirements under the New York Banking Law and the New York Financial Services Law, as well as federal Bank Secrecy Act/anti-money laundering (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) requirements, VC Entities must be sure that their compliance programs fully take into account the unique characteristics of virtual currencies.
While such characteristics present compliance challenges, they also present new possibilities for control measures that leverage these new technologies. For example, virtual currencies, by their nature, typically enable provenance tracing (i.e., review of previous transfers or “hops” along the public blockchain ledger, or “on-chain”). Put differently, the blockchain ledger’s immutability typically allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers.
A VC Entity’s risk mitigation strategies must take account of the VC Entity’s business profile to assess risk across types of virtual currencies and effectively address the specific characteristics of any particular virtual currency involved. For most virtual currencies, information stored on-chain includes certain identifying information, such as sending and receiving wallet addresses, time and date, and value of the transaction. However, as suggested above, these wallet addresses are typically pseudonymous, with nothing on the face of the transfer tying back to the originator, beneficiary, or underlying beneficial owners. In addition, the effectiveness of existing blockchain analytics tools can vary depending on the particular virtual currency in question.
Control Measures that May Leverage Blockchain Analytics
Given the above-noted characteristics of virtual currencies, the Department emphasizes the importance of blockchain analytics to VC Entities in addressing, for example, anti-money laundering requirements under 23 NYCRR § 200.15, and across a range of BSA/AML and OFAC-related compliance controls,1 including but not limited to:
- Augmenting Know Your Customer (or “KYC”)-related controls;
- Conducting transaction monitoring of on-chain activity; and
- Conducting sanctions screening of on-chain activity.
VC Entities can use third-party service providers or internally developed blockchain analytics products and services for additional control measures, whether separately or in combination. To the degree that VC Entities outsource such control functions, the VC Entities must have clearly documented policies, processes, and procedures with regard to how the blockchain analytics activity integrates into the VC Entity’s overall control framework consistent with the VC Entity’s risk profile.
Augmenting Know Your Customer-related controls
As part of their KYC responsibilities, VC Entities must obtain and maintain information regarding, and understand and effectively address the risks presented by, their customers and potential customers.
Potentially useful in this regard are products and services that allow their users to obtain identifying information (e.g., location of a wallet address on a specific exchange for custodial transactions) that ties directly to the pseudonymous on-chain data, particularly in combination with customer-provided information.2 These products and services typically can identify wallet addresses associated with an institution (e.g., a VC Entity) as well as known high-risk wallet addresses such as darknet marketplaces, but such tools may not be able to identify underlying owners, including ultimate beneficial owners, and may have limited attribution capability, absent further “off-chain” verification methods integrating customer-provided data.
For example, VC Entities must have policies, processes, and procedures to assess counterparty exposure for virtual currency funds transfers (e.g., beneficiary institutions for outbound transfers). For instance, certain vendor products or internally developed tools provide numerical scores or tiered rankings to represent the risk of the counterparty institution, typically based on on-chain transaction data supplemented with other factors such as strength of the institution’s BSA/AML Program.
Conducting transaction monitoring of on-chain activity
VC Entities must also have in place appropriate control measures to monitor and identify unusual activity tailored to the VC Entity’s risk profile.3 Accordingly, it is important for VC Entities to have policies, processes, and procedures for the tracing of transaction activity for each type of virtual currency the entity supports and the flow of funds through the blockchain for any inbound or outgoing activity (often described as “provenance tracing” or “transaction tracing”). For example, FinCEN recently noted: “It is critical that all financial institutions, including those with visibility into CVC [convertible virtual currency] flows, … identify and quickly report suspicious activity associated with potential sanctions evasion, and conduct appropriate risk-based customer due diligence or, where required, enhanced due diligence.”4 For instance, it is important that VC Entities evidence appropriately tailored transaction monitoring coverage against applicable typologies and red flags, identify deviations from the profile of a customer’s intended purposes, and address other risk considerations as applicable. Relevant typologies related to virtual currency business activity include but are not limited to: assessing whether a virtual currency (1) has substantial exposure to a high-risk or sanctioned jurisdiction; (2) is processed through a mixer or tumbler; (3) is sent to or from darknet markets; (4) is associated with scams/ransomware; and (5) is associated with other illicit activity relevant to the VC Entity’s business model.5
Documentation must describe case management and escalation processes, with clearly delineated roles and responsibilities across the business and compliance functions, including the VC Entity’s approach where there are any doubts (e.g., related to source of funds).
Conducting sanctions screening of on-chain activity
The Department also emphasizes the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions. As OFAC notes: “Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data) associated with sanctioned individuals and entities listed on the SDN List or other sanctions lists, or located in sanctioned jurisdictions.”6
Note: This guidance is not intended to limit the scope or applicability of any law or regulation. For further information, please contact your relationship manager or point of contact with the Department.
1 The size, risk, and complexity of the virtual currency business activity are relevant in this context. For example, a VC Entity whose operations are limited to virtual currency custody with design features in place that prohibit or otherwise limit transmission of virtual currencies into or outside of the VC Entity may present significantly different risks (and attendant blockchain analytics possibilities) than a VC Entity with a high volume and value of virtual currencies that allow for customer deposits and withdrawals across permissionless networks.
2 For additional background, refer to FinCEN’s Advisory on Illicit Activity Involving Convertible Virtual Currency (May 9, 2019).
3 See, e.g., 23 NYCRR § 200.15(e)(3) (“Each licensee shall monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity.”) and 3 NYCRR § 504.3 (which requires, among other things, each regulated institution to maintain a transaction monitoring program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and suspicious activity reporting, as well as a manual or automated filtering program, reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC).
4 FinCEN. FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts (March 7, 2022).
5 For additional background, refer to FinCEN’s Advisory on Illicit Activity Involving Convertible Virtual Currency (May 9, 2019), which addresses, among other things, “Red Flag Indicators of the Abuse of Virtual Currencies.” Of note, detection scenario libraries provided as part of blockchain analytics products and services typically include “off-the-shelf” settings aligning to virtual-currency-specific typologies such as ransomware or child sexual abuse material (CSAM). However, these products and services may not address the full set of typologies associated with a VC Entity’s specific risk profile. Accordingly, the VC Entity must have policies, processes, and procedures in place identifying typologies specific to the VC Entity’s risk profile and corresponding monitoring, whether through manual review processes, automated detection scenarios, or a combination of both. See also the Department’s Guidance on Prevention of Market Manipulation and Other Wrongful Activity (February 7, 2018) for additional information related to the required implementation of measures designed to effectively detect, prevent, and respond to fraud, attempted fraud, and similar wrongdoing.
6 OFAC. Sanctions Compliance Guidance for the Virtual Currency Industry (October 2021). See also, 23 NYCRR 200.15(i), which provides: “Each Licensee shall demonstrate that it has risk-based policies, procedures, and practices to ensure, to the maximum extent practicable, compliance with applicable regulations issued by OFAC.”