Risk based approach to banking Crypto Asset Service Providers
Background to the guidance
Events in the local market and guidance from FATF were both factors that influenced this note from the Prudential Authority. In the South African market, we had seen a very public “de-risking” by some banks, terminating banking arrangements with CASPs. This came just as the crypto exchange market in particular was achieving scale, and made life difficult for these businesses. At the same time, the growing arbitrage market has been becoming increasingly organised and automated, giving rise to concerns about the real nature of some of these transactions and the associated banking relationships.
Globally, FATF’s message has been consistent over time. In March 2021, FATF published guidance for supervisors of a risk based approach, including a review of how several countries were dealing with issues specific to VASPs (Virtual Asset Service Providers; equivalent to Crypto Asset Service Providers as the SA regulators refer to them). It includes the following: “For sectors involving fast-paced changes in technology and or changes in the market environment (e.g., the VASP sector), authorities could engage with industry bodies or self-regulating bodies to understand the technology and adapt its data collection accordingly.” In October 2021, FATF published updated guidance for a risk based approach to VAs and VASPs, which emphasised the need for a properly applied RBA, and includes: “It is important that FIs apply the RBA properly and do not resort to the wholesale termination or exclusion of business relationships within the VASP sector without an appropriately-targeted risk assessment.”
Key Points from the Guidance Note
The Executive Summary to the Guidance Note is excerpted below (highlights added):
Regulation 36 (17) of the Regulations relating to Banks (the Regulations) requires that every bank and every controlling company shall have in place board approved policies and comprehensive risk-management processes and procedures, which policies, processes and procedures include comprehensive and robust know- your-customer standards that inter alia include robust customer identification, verification and acceptance requirements throughout the banking group, contribute to the safety and soundness of the reporting bank or controlling company, and prevent the bank or controlling company from being used for any money laundering or other unlawful activity.
Regulation 38(4) of the Regulations provides that when the Prudential Authority (PA) is of the opinion that a bank’s policies, processes, and procedures relating to its risk assessment are inadequate; or its internal control systems are inadequate; etc., the PA may, among other things, require the bank to strengthen its risk management policies, processes or procedures; or to strengthen the bank’s internal control systems.
Applied to CASPs, the requirements are (with paragraph references in brackets):
- Banks must “be able to risk categorise CA/CASP related clients”. (1.11)
- Banks must have the ability to make “a comprehensive ML/TF/PF risk assessment” for CASPs. (3.1)
- Must be able to “evidence an understanding of what elements are driving or reducing ML/TF/PF risk within CASPs” (3.2)
- Banks should have “documented policies, procedures and internal controls [which are] tailored and cater for the varying levels of risk that CASPs and CAs … may pose” (3.5)
- “The implemented controls must be robust and flexible” (3.5), and “…documented and updated as often as may be required.” (3.7)
- “Where higher risks present themselves … enhanced due diligence should be undertaken.” (3.10)
- “Banks should also assess AML/CFT/CPF controls of the CASP” (3.11)
- Banks should “conduct regular risk assessments and amend their risk profiles and risk management programmes in accordance with the emerging risks”. (3.12)
- “Banks should ensure that they have the relevant and requisite technical expertise to adequately assess the risks stemming from CASPs and CAs” (3.13)
Our View on the Implications of this Guidance Note
The PA’s intention is consistent with that of FATF: that banks must not push CASPs into the shadows; rather that they need to be kept within the system. In particular:
- There is a clear message that the bank must have in place rigorous KYC processes, and that these should be applied to CASPs. The guidance note also points out very explicitly the PA’s right to require banks to strengthen their risk management and control systems.
- To be able to effectively assess the risks of their clients, banks need to build capabilities, and need to understand CASP business models. This will probably require a programme of knowledge building, particularly in compliance and risk teams.
- Banks need a clear and documented CASP risk assessment framework, which will need to derive from a clear understanding of the sector, and should be updated from time to time.
- Banks will themselves become CASPs as they issue crypto wallets etc. and will thus be able to learn first hand. The blockchain / crypto teams in banks should therefore be working closely to share knowledge with risk and compliance teams.
- There may be an opportunity in taking on some of these risk management processes for CASP clients, in a similar way that insurance companies try to mitigate the risks they are exposed to, e.g. by doing risk assessment or KYC as a service.
If you would like to contact BMA to discuss the issues raised here, or anything else of interest, please contact us via the contact page on our site.