How To Conduct Crypto and Token Financial Crime Risk Assessments

Chris Vaughan explains how firms should carry out risk assessments to understand and mitigate the financial crime risk from cryptoassets and tokens.


Cryptocurrencies have exploded in recent years, and criminals have noticed. $3.5 billion was laundered through cryptoassets in 2020, bringing a heightened regulatory focus and new risks for Virtual Assets Service Providers (VASPs) who offer cryptoasset products and services, or any company doing business with one.

In this blog, Chris Vaughan, formerly a financial crime risk manager working in cryptoassets and now Senior Compliance Associate at fscom, explains how firms should carry out risk assessments to understand and mitigate the financial crime risk from cryptoassets and tokens.


Risk assessments: the core of an effective crypto AML strategy

Any compliance professional will tell you that a risk assessment is an essential tool in the fight against financial crime, so this is where a crypto AML strategy should start. An effective risk assessment is the first step in building a framework because it allows companies to identify the risks they face and decide the appropriate controls to mitigate those risks. A risk assessment is particularly useful for VASPs because:

  • The cryptoasset space is still relatively new and each year brings new changes and developments with associated risks and concerns.
  • There is no standardised approach across the sector, so a risk assessment can shed light on the particular risks facing your company.
  • VASPs and companies working with them do not have unlimited resources so they should take a risk-based approach to compliance. A risk assessment helps them to understand where they should focus their resources to tackle areas of highest risk.

As a starting point, it’s good to ask: what might we want to risk assess? We recommend firms look at four main areas:

  • The cryptoasset tokens themselves

There are many categories of cryptoassets, from payment and exchange tokens like Bitcoin to Non-Fungible Tokens. A token risk assessment should understand what each kind of token does, assess the risk of that token being used as a vehicle for money laundering and terrorist financing, then apply controls to mitigate this risk.

  • Products and services

Crypto products and services are usually classified as on-ramp or off-ramp depending on whether a client is buying or selling assets. A risk assessment should understand the inherent risk factors in each of these areas.

  • VASPs

Firms servicing the cryptoasset sector should risk assess the VASPs they serve as clients and identify their risk factors. These could include the jurisdictions in which the VASP and/or its customers are based, the cryptoassets it offers, the size and nature of its clients, and the extent to which it is regulated.

  • Customers

Customers of VASPs should also be assessed to determine their risk level. This will vary according to the jurisdiction where they live, whether they are a corporation or an individual customer, the services and assets they use and their transaction activity among other factors.


The final stage of a risk assessment: implementing controls

Once a risk assessment has been carried out and the threat level determined, firms then need to decide which controls to implement to best manage and mitigate cryptoasset risk. These will vary according to the level of risk and the type of token, VASP, product or customer being assessed. But there are common controls that firms should consider implementing, including:

  • Know-Your-Customer, Customer Due Diligence and Enhanced Due Diligence: This activity helps firms to test the risks they face for particular customers and third parties and undertake additional due diligence if those risks are high.
  • Ability to freeze funds, or cool-down periods: When suspicious funds are received, it is important that the firm is able to freeze their clients’ assets and activity, to prevent fast onward movement.
  • Travel rule: This is a control that will soon be a regulatory requirement and indeed already is one for many big crypto exchanges. It will allow exchanges to better understand their customers’ transactions, to an extent, by recording information alongside each transaction about who is sending funds and where they are being sent.
  • Blockchain monitoring: This helps firms to analyse the provenance and destination of funds sent through their wallets.
  • Transaction monitoring: This involves monitoring transactions for other potentially unusual or suspicious typologies, such as unexpected high velocity or large value transactions.

The crypto industry is not likely to stand still any time soon, and cryptoassets will continue to be a growing target for prospective money launderers. Regulatory focus is only likely to increase, but whatever happens, companies who have carried out an effective risk assessment will be best prepared to manage any new risks that emerge.

Article by fscom
