Regulatory Puzzles in the Digital Era: Assessing Global AML/KYC Standards in the Crypto Sphere

The rapid growth of the technology industry, which is becoming more global and decentralized, conflicts with current national laws that aim to provide legal certainty. The emergence of blockchain technology has the potential to change our understanding of legal norms and challenge traditional concepts of jurisdiction and territoriality. However, the blockchain’s decentralized nature and lack of regulatory principles make it difficult to reconcile with national civil law systems. Crypto assets, such as Bitcoin, have become a significant source of wealth and have attracted the interest of investors and regulated financial institutions. However, the decentralized nature of crypto assets poses challenges in terms of combating money laundering and terrorist financing. Additionally, the lack of liability regimes in technological ecosystems like the blockchain raises questions about who is responsible for damages. Understanding the role of crypto assets in money laundering requires familiarity with the underlying technology of Blockchain.

In this paper, we do our best to first introduce the concepts of Know Your Customer and Anti-Money Laundering principles with the perspective of blockchain technology and crypto assets. Our primary goal with this paper is to help members of the crypto asset community understand what risks and challenges await them.

What is “Know Your Customer”?

In the financial sector, “Know Your Customer” (KYC) is a standard procedure that businesses use to confirm the identity of their clients. Basic personal data like name, date of birth, address, and picture ID are usually gathered and verified as part of the process. In more comprehensive situations, it might also involve financial evaluations, transaction monitoring for anti-money laundering reasons, and background checks.

KYC guidelines are applied as a form of policy by businesses, often in the financial sector, allowing them to avoid money laundering or fraud activities that can take place through the use of their products and services. In the simplest of terms, this is done by knowing who the customer is through a process of their identity.

KYC guidelines came about in the 1980s, however, after a rise in money laundering and terrorist activities, further integrating into the law, KYC rules and guidelines quickly became a standard process.

Recognizing the need to protect the integrity of financial markets, governments, and international organizations resulted in the enforcement of laws requiring financial institutions to know and comprehend their clientele.

The implementation of KYC policies helps verify customer identities, reduces the risks of fraud and illegal financial activities, combats financial crimes, improves compliance with regulatory standards, and refines risk management for financial institutions. Overall, KYC has become essential for creating a secure and trustworthy financial environment.

Importance of KYC Procedures

Financial Crimes

KYC procedures’ main goal is to prevent illicit activities through financial markets. As technology continues to develop and our world becomes more interconnected, even ordinary people are now capable of making international transactions. Since the financial system gets more complicated and interconnected, so do the financial crimes. Therefore, the primary objective of KYC procedures is to combat financial crimes. By verifying the identity of their customers, financial institutions try to prevent criminals from using their financial systems and services to conduct illicit activities such as financing terrorism and anti-money laundering.

Compliance with the Law

As mentioned above, governments and international bodies agree on the need to safeguard the financial systems. In order to do that, many jurisdictions started to pass new bills about this matter. One of the prominent and early adaptations of KYC and Anti Money Laundering (AML) regulation is the U.S. Bank Secrecy Act of 1970, which was later followed by the Money Laundering Control Act of 1986. After which the PATRIOT Act of 2001 was passed. It is important to note that there is a strong connection between the attacks on September 11, 2001 on the World Trade Center and the PATRIOT Act. This terrorist attack led to a heightened focus on combating terrorism and its financing.

The PATRIOT Act was drafted in a way that aims to strengthen law enforcement and intelligence capabilities in the fight against terrorism. In order to accomplish its goals, this new act expanded the KYC requirements for financial institutions. Enhanced KYC regulations were implemented in response to the realization that traditional KYC measures were insufficient to prevent the misuse of the global financial system for money laundering and terrorist financing. Closing gaps that permitted fraudulent or anonymous financial transactions was the aim, as was making financial institutions more responsible for spotting and reporting questionable activity.

Furthermore, all U.S. financial institutions were required by the PATRIOT Act to include formal customer identification programs in their KYC processes. This required careful identity verification of customers, keeping track of the data utilized for identity verification, and, prior to forming partnerships, consulting lists of recognized or suspected terrorist organizations.

Following the events of 9/11, the vulnerabilities in the global financial system that could be used by terrorists were brought to light, which strengthened the implementation of KYC and AML regulations. This change was made possible in large part by the PATRIOT Act, which established strict regulatory guidelines to protect financial transactions from being used for terrorist or other illegal purposes.

Risk Management

KYC is not solely about combating the financing of terrorism or anti-money laundering. By assisting institutions in comprehending the financial habits of their clients, KYC improves risk assessment and management. This is especially crucial when it comes to operational, liquidity, and credit risks. Furthermore, customers are better protected against fraud, identity theft, and unlawful financial activity with the aid of KYC. KYC helps financial institutions detect and intervene in unauthorized sign-ups or transactions via stolen ID.

Challenges that Await KYC

As a result of the need and desire to prevent illicit activities in the financial systems, governmental bodies and international organizations require financial institutions to collect more and more information about their customers and their transactions. The risk of data breaches increases as the amount of data collected regarding natural persons grows. Extensive personal data collection raises the possibility of data breaches and improper use of private client information. Complying with data protection regulations such as the California Consumer Privacy Act (CCPA) in California or the General Data Protection Regulation (GDPR) in the European Union (EU) increases complexity.

Financial institutions may even frequently need customers’ express consent to collect data, so they must make sure they understand what data is being collected and how it will be used.

Secondly, while our financial systems become even more interconnected with each other and cross-border transactions become an ordinary thing to do, the sophisticated technology that is needed to effectively gather, validate, and oversee customer information may require a substantial investment.

Even though technology generally has answers to many of our problems, there are also some risks and concerns regarding technology such as accuracy, privacy, and the possibility of marginalization of those without access to such technology. According to the International Telecommunication Union, there are still 2.6 billion people in the world who do not have internet access. The fact that our technology becomes more dependent on internet access, results in our financial system being unfortunately unavailable to one-third of the entire human population.

Moreover, the technological aspect of these KYC procedures poses some serious cybersecurity risks. Financial institutions, with their vast repositories of personal and financial data, become prime targets for cyber attacks. Unauthorized access to KYC data can lead to identity theft, financial fraud, and significant reputational damage to the institutions involved. Cybercriminals can create sophisticated phishing campaigns using stolen KYC data, fooling victims into clicking on malicious links or disclosing more personal information. Through social engineering, employees who have access to private KYC data may be the target, jeopardizing internal systems. Attackers may encrypt KYC data with ransomware or other malware and demand payment to unlock it. Data breaches may cause non-compliance with the GDPR and other data protection laws, which could result in hefty fines and legal problems.

Thirdly and maybe the most challenging of all, legal compliance and complexity constitute a major challenge for the financial system. There are many new regulations and compliance issues associated with the introduction of KYC requirements. The complexity of putting in place thorough KYC procedures, the dynamic nature of financial regulations, and the nature of international financial operations all contribute to these difficulties.

Financial institutions that operate in various jurisdictions encounter diverse regulatory frameworks. AML and KYC regulations can differ greatly between nations in terms of their enforcement strategies, reporting obligations, and degree of strictness. In reaction to new financial innovations and threats, financial regulations — particularly those pertaining to KYC and AML — are always changing. Staying on top of these changes calls for ongoing awareness and flexibility.

KYC regulations frequently require an approach that is risk-based, meaning that institutions must evaluate each customer’s risk profile and apply due diligence appropriately. In order to effectively classify customers and ascertain the necessary level of scrutiny, this approach requires the development of intricate algorithms and systems, which can be a complex and subtle process.

Strong systems and procedures are needed for institutions to continuously monitor customer transactions for questionable activity. Maintaining accurate records is essential to complying with reporting requirements, which include timely submission of suspicious activity reports (SARs).

What is “Anti Money Laundering”?

Anti-Money Laundering (AML) is a form of policy, a set of rules and regulations. AML rules and regulations are followed in order to prevent entities from disguising illegally obtained money as legitimate income earnings.

AML policies cover various activities such as detecting and reporting money laundering, monitoring customer transactions, and keeping detailed records.

The Bank Secrecy Act of the United States in 1970 first introduced AML policies, however, these rules gained more application ground in the 1980s and 1990s due to concerns about drug trafficking, money laundering, and organized crime. Similarly to KYC guidelines, a rise in terrorist attacks led to even stricter AML regulations worldwide, focusing on combating terrorism financing.

The aim of applying AML policies is to prevent and detect money laundering, combat and fight terrorism and terrorist organization financing, protect financial institutions, and ensure compliance with legal standards and regulations. Therefore, oftentimes AML policies and KYC guidelines can go hand in hand.

Organizations like the Financial Action Task Force (FATF) coordinate global AML efforts, incorporating advanced technologies for better monitoring and analysis of financial transactions.

Consequently, there are four types of potential money laundering activities that can occur through the use of crypto assets. The first type involves frequent withdrawals of large amounts of cash from bank accounts, combined with frequent non-cash receipts of large sums of money into the same accounts, which come from the sale of virtual currencies on the virtual currency exchange. The second type is when a buyer anonymously offers their services online to an unknown seller, and then pays in cash for Bitcoins in a public space, with a high commission fee and no clear legal or economic explanation for the transaction, in an amount that exceeds the seller’s typical needs. The third type is when a buyer or seller uses Bitcoin “mixer” services before or after selling Bitcoins. Lastly, the fourth type involves the owner of illegally obtained Bitcoins investing in NFTs and using multiple cycles of purchasing and selling NFTs to hide the trail of illicit money.

The Blockchain and its Characteristics

Blockchain technology allows for consensus in a decentralized network without the need for external authority. It solves technical issues and addresses societal concerns of trust, authority, and consensus. A blockchain is an immutable chain of hashed blocks where transactions are recorded. This history is stored in a decentralized manner, and network nodes verify and reach consensus on transactions through a proof of work algorithm. This algorithmic consensus eliminates the need for intermediaries and gives blockchain the nickname of a “trust machine”. Transactions occur directly between participants, bypassing financial institutions, and the creation of money is determined by the protocol rather than government intervention. Bitcoin broke the idea that the government needs to manage the money supply, and its creation is built into the code through mining. As a result, various crypto assets and tokens have emerged with innovative ideas and successful ventures.

Mining is a crucial aspect of creating crypto assets, as it involves verifying transactions through a competitive process called proof of work. This process introduces economic dynamics and incentives to deter potential attackers. Miners solve complex computer problems and are rewarded with crypto assets. This also determines the rate at which new crypto assets are created. The consensus reached through this algorithm is not a true agreement but rather an incentive-driven settlement. Public key cryptography ensures secure communication.

Decentralization, a concept integral to network culture, involves the use of distributed systems that are resistant to control, censorship, or interference by any authority. This idea can also be referred to as disintermediation. In technical terms, peer-to-peer systems like Bitcoin consist of network participants who communicate directly with each other. Unlike server-to-client models, where servers hold and deliver content to clients, peer-to-peer networks do not rely on such intermediaries. It is important to note that there is a distinction between decentralization in blockchain network protocols and decentralization as an ethical, political, social, or economic goal or principle, which may or may not be supported by such protocols.

Trust is another important aspect of decentralized and open systems, but it is important to note that these systems are designed to minimize the level of trust required. The goal is to reduce trust as much as possible, even to the point of complete distrust, in order to enhance security. Unlike relationships based on trust, some crypto assets solely rely on verification rather than trust. Openness is a key characteristic of a decentralized system, as it allows individuals to freely join the network without any entity being able to stop them, unlike in traditional institutions. This concept of neutrality is particularly emphasized in decentralized systems.

The immutability of the crypto asset blockchain is essential for it to operate independently from external authorities. It relies on the concept of code that cannot be altered and is executed exactly as written.

Privacy is the ability to communicate anonymously through computer technology, allowing individuals and groups to selectively reveal themselves online using cryptography. This is particularly important in a time when the internet is being used for mass surveillance, limiting freedom. For example, in the case of Bitcoin, the entire network keeps records of transactions instead of a third party, making all transactions public. To maintain privacy in this transparent system, the computers involved remain anonymous.

Anonymity is a concept closely associated with crypto assets. Initially, various crypto assets were thought to be anonymous and gained notoriety as a payment method for illicit online markets. However, it is now possible to track transactions up until the point of exchange and uncover the identities of those involved. To prevent this, coin mixers are utilized to obscure the origin of funds. Additionally, advancements in cryptography and zero-knowledge proofs have led to the creation of more secure and anonymous digital currencies.

Who Has to Complete KYC Procedures?

Businesses subject to KYC compliance are generally banks, insurance companies, virtual asset vendors, gaming and gambling websites, payment solutions, etc. KYC compliance is also required for crypto asset service providers and Non-Fungible Token (NFT) and gaming websites.

In Türkiye, entities who must report to the Turkish Financial Crimes Investigation Board (MASAK) are obliged to perform KYC as of May 01, 2021. This is because crypto-asset service providers (CASPs) are obliged pursuant to Article 2, paragraph 1, clause d of Law №5549 on the Prevention of Laundering Proceeds of Crime. Pursuant to the Law and the applicable legislation, among the obligations of crypto asset service providers are the obligations regarding the recognition of the customer.

KYC and AML for Crypto Asset Service Providers

KYC and AML regulations quickly became relevant for crypto asset service providers and the cryptocurrency industry as of their emergence in the 2010s. This is an expected result of the nature of blockchain technology and crypto assets as there were concerns of illegal activity and money laundering.

The FATF issued guidelines in 2019 that suggested the regulation of crypto asset service providers in line with AML and KYC policies. This brought with it the regulatory compliance of CASPs wherein they are required to perform customer due diligence and monitor transactions that may be deemed suspicious. CASPs have to also keep records of transactions made by customers and report any suspicious activity to the determined authorities.

Following the FATF’s guidelines, there was a surge in applying AML and KYC practices to CASPs and many countries implemented these guidelines into their national legislation. The implementation varied across countries, with some being more proactive than others.

The United States had already been enforcing AML regulations on certain crypto asset businesses, but the FATF’s guidelines expanded and strengthened these regulations. Overall, the FATF’s guidelines marked a significant advancement in the global harmonization and enforcement of AML and KYC regulations for crypto assets that led to widespread adoption in many jurisdictions.

The US’s Approach

The United States has a wide framework of federal laws for AML and KYC regulations and their implementation. As aforementioned, the Bank Secrecy Act (BSA), mandates financial institutions to assist in detecting and preventing money laundering.

The obligations set out include record-keeping and reporting large transactions and suspicious activities by private individuals, banks, and other financial entities. For example, banks are required to report transactions exceeding $10,000 and any suspicious activities that could indicate money laundering, tax evasion, or other criminal endeavors.

This act introduced additional anti-money laundering protocols, including more stringent KYC requirements. As a result, financial institutions are obliged to implement customer identification programs to verify and maintain records of their customers’ identities.

The Anti-Money Laundering Act, which is part of the National Defense Authorization Act (NDAA), broadened the scope of the BSA even further. This act introduced significant reforms, such as enhancing whistleblower rewards establishing national priorities for AML, and countering the financing of terrorism, representing an ongoing commitment to evolving and strengthening AML and KYC efforts in the U.S. financial system.

In the U.S., while the overarching framework for AML and KYC regulations is set by federal mandates, individual states often have their own additional or specific requirements. For example, in New York, financial institutions face stringent regulations enforced by the New York State Department of Financial Services including regulations such as Part 504, which mandates banks to maintain robust transaction monitoring and filtering programs. Additionally, New York requires certain financial institutions to annually certify their compliance with these regulations.

In California, the Money Transmission Act necessitates licensing for businesses involved in specific financial services, including money transmission, and compliance with the state’s AML requirements. These often align with federal standards but may include unique state-specific reporting or operational demands. These state-level regulations often focus on areas such as licensing, compliance certification, and maintaining anti-money laundering programs tailored to the state’s specific financial landscape.

For CASPs, KYC and AML regulations are more complex and involve more than one federal law and different regulatory bodies. Digital assets and who regulates them depend on the type of asset. To summarize briefly, the Financial Crimes Enforcement Network (FinCEN) oversees digital assets for anti-money laundering and countering the financing of terrorism. On the other hand, the Securities and Exchange Commission (SEC) deals with the monitoring of digital assets that it classifies as securities as per the Securities Act and the Securities Exchange Act and the implementation of the Howey Test. Lastly, the Commodity Futures Trading Commission (CFTC) regulates digital assets that are considered commodities or derivatives according to the Commodity Exchange Act.

The Anti-Money Laundering Act expanded on what is defined as a “financial institution”. Financial institutions now include entities involved in exchanging or transmitting value that can be used as currency. This means that entities that engage in digital currencies, i.e. crypto assets, are obligated to comply with the BSA and must also register with either the FinCEN, the SEC, or the CFTC, depending on the type of assets that they are categorized as. Financial institutions are required to perform risk evaluations, establish an AML program that corresponds to the size and nature of the business itself, and establish rules for recordkeeping and reporting. Furthermore, such financial institutions, according to the PATRIOT Act must implement a Customer Identification Program (CIP), which can be called similar to KYC.

To briefly sum it all up, The U.S. Department of Treasury’s FinCEN bureau is crucial to the regulation of cryptocurrency assets for AML purposes. Exchanges and wallet providers, among other providers of crypto asset services, must register as Money Services Businesses (MSBs). These organizations have to put in place AML programs, carry out KYC to confirm the identities of customers, and report any suspicious activity. Customers who pose a greater risk, such as those involved in large transactions or operating in areas recognized to carry greater risk, must undergo enhanced due diligence.

Furthermore, it is mandatory for providers to keep comprehensive documentation of all transactions and client identification details. Through Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), they are required to report suspicious activities and transactions exceeding specific thresholds to FinCEN.

Besides federal regulations, state-level regulations also contribute to the complexity of operating businesses involved with digital assets. Each state may have its own set of regulations and licensing procedures, which results in varying requirements for crypto asset service providers. This diverse regulatory landscape poses challenges for CASPs to ensure compliance with both federal and state-level requirements.

The EU’s Approach

In recent years, the European Union has strengthened its regulations on KYC standards in order to combat money laundering and terrorist financing. The implementation of the Fifth Anti-Money Laundering Directive in January 2020 has been a key part of these efforts. This directive expanded the rules to include virtual currency platforms (which basically refers to the crypto assets service providers as well) and wallet providers, recognizing the importance of digital currencies in the financial sector. It also required more transparency in the ownership of companies and trusts to prevent their misuse for illegal activities. Public registers were established to make it easier to track the ownership of corporate and legal entities.

The EU introduced the Sixth Anti-Money Laundering Directive (AMLD6) in December 2020, following the AMLD5. AMLD6 expanded the definition of money laundering offenses and increased the range of criminal activities covered. It also made it possible to hold companies, not just individuals, responsible for money laundering and impose harsher punishments.

In addition, these instructions have required financial institutions and other obligated entities to not only perform initial investigations but also to continually monitor their business connections. This ongoing monitoring is crucial for identifying any uncommon or questionable transactions that may take place once a business relationship is established.

Furthermore, the EU has been giving priority to improving collaboration and the exchange of information among its member countries in order to effectively combat financial crimes that occur across borders. A move towards centralizing automated systems for identifying individuals who have bank and payment accounts is a significant step toward achieving this goal.

The EU’s regulatory changes in the KYC framework are part of a worldwide movement towards more transparency and stricter regulation in financial transactions. Financial institutions are now required to have strong systems in place to identify customers, understand their financial activities, and report any suspicious behavior. It is crucial for institutions to comply with these regulations, as non-compliance can lead to severe penalties and harm to their reputation.

It is necessary for any organization operating in the EU’s financial system to stay updated on regulatory changes and understand their significance. The EU’s commitment to fighting financial crime and ensuring the integrity of its financial markets is evident in its active and strict regulatory environment.

Moreover, the AMLD6 aims to strengthen existing laws and regulations by requiring due diligence on customers, transparency of beneficial owners, and regulating anonymous instruments like crypto-assets and crowdfunding platforms.

AMLD6 was created to expand on the 5th Anti-Money Laundering Directive. The new Directive aims to improve supervision at the national level and access to information related to money laundering.

The Directive introduced the creation of the European Anti-Money Laundering Authority (AMLA). The AMLA would be granted powers to supervise and investigate high-risk entities for compliance with anti-money laundering and counter-terrorism financing measures. Banks, asset managers, and real estate agents have to check the identities of their customers and evaluate the potential risks of money laundering and terrorist financing.

This new authority is expected to improve the effectiveness of the efforts to combat money laundering and terrorist financing by creating a system that integrates national supervisors and ensures that entities in the financial sector comply with their obligations.

The authority will also support efforts in non-financial sectors and coordinate financial intelligence units in member states. The Authority will impose financial penalties on obligated entities that repeatedly and seriously violate the requirements, in addition to its supervisory powers, to ensure compliance. The temporary agreement grants AMLA the authority to directly oversee specific credit and financial institutions, such as CASPs, if they are deemed high-risk or operate internationally. AMLA will oversee a group of high-risk credit and financial institutions in multiple member states. They will supervise these entities through joint supervisory teams, conducting assessments and inspections. The agreement allows the AMLA to supervise up to 40 groups and entities in the initial selection process. Supervision for entities not chosen would mainly be done at the national level for anti-money laundering and counter-terrorism financing.

The FATF’s” Travel Rule” which mandates that crypto asset service providers gather and exchange transaction parties’ personal data for transfers exceeding a specific threshold, is also being implemented by the EU.

FATF’s Approach and Travel Rule

The Financial Action Task Force (FATF), an international organization that establishes guidelines for preventing money laundering and the funding of terrorism, has proposed the “Travel Rule”. It is formally known as Recommendation 16 in the FATF’s guidelines. The Travel Rule, which was first implemented for conventional financial institutions, has been modified to encompass the crypto asset industry and their CASPs.

In accordance with the Travel Rule, financial institutions must provide specific details about transactions and the parties involved to the financial institution following them in the transaction chain.

The names, account numbers (if applicable), physical addresses, national identity numbers, dates and places of birth, and originator and beneficiary (recipient) information must be gathered and sent for each transfer of funds that exceeds a predetermined threshold (first set by FATF at $1,000 USD/EUR). In order to help identify and stop money laundering and the funding of terrorism, the rule attempts to increase the transparency and traceability of financial transactions.

Wallet providers, and crypto asset service providers must put in place systems to gather, store, and send the data needed for transactions that exceed a certain threshold. This is a major technological and operational challenge, especially considering that many blockchain transactions are pseudonymous. It is necessary for CASPs to create or incorporate new technologies that can manage the safe and effective transfer of transactional data along with customer information.

In conclusion, the FATF’s Travel Rule’s implementation in the crypto asset ecosystem represents a major step toward increased regulatory oversight and compliance within the sector. Although it seeks to stop financial crimes, it also poses a number of difficulties for companies that provide crypto asset services, such as technological difficulties, privacy issues, and the requirement for international regulatory cooperation.

TÜRKİYE’s Approach

Türkiye has been making efforts in combating money laundering in an attempt to improve its laws and meet international standards, hence money laundering activities are criminalized within the Turkish Penal Code. Turkey’s involvement with international organizations such as the FATF has greatly influenced its anti-money laundering (AML) efforts.

The main focus of Türkiye’s efforts to combat money laundering is Law №5549, which was enacted in 2006 and has since been amended to strengthen its effectiveness. Law №5549 puts forth the responsibilities of financial institutions as well as reporting entities and supervisory bodies.

MASAK is prominent in the efforts to make Türkiye a country safe from money laundering and financing of terrorism. Serving as the main authority in this area, MASAK is responsible for enforcing AML regulations, carrying out investigations, and exchanging information with key parties.

There is a comprehensive legal framework set in place to effectively combat money laundering and terrorist financing within Türkiye. This framework includes several important laws, such as Law №5549 enacted in 2006, which establishes the responsibilities of financial institutions, reporting entities, and supervisory bodies in preventing and detecting money laundering.

The Turkish Penal Code (Law №5237) also criminalizes various forms of money laundering and outlines penalties for those involved. The Banking Law №5411 imposes specific anti-money laundering regulations on the banking sector, including customer due diligence and reporting suspicious transactions.

The Law on the Regulation of Payment Services and Electronic Money Institutions №6493 sets AML obligations for payment services and electronic money institutions. Lastly, Capital Markets Law №6362 addresses money laundering in the securities sector, creating a strong set of regulations to protect Turkey’s financial system from illicit activities.

As aforementioned, it was decided that CASPs have to report to MASAK. Article 3 of Law №5549 states that; “Within the scope of the principles regarding customer identification, obligors are obliged to determine the identities of those who make transactions and those on whose behalf or accounts transactions are made and to take other necessary measures before the transactions are made in the transactions made before them or in the transactions they intermediate.

The Ministry is authorized to determine the types of documents for identification, and the types of transactions requiring identification, their monetary limits, and other procedures and principles regarding the identification of the customer shall be determined by regulation.”

There are also MASAK General Communiqués published by MASAK in this regard. These communiqués are a must-read for details on reporting and compliance. In accordance with the FATF recommendations, it is inevitable for crypto asset service providers to implement KYC and AML practices.

In May of 2021, MASAK released their guidelines for crypto asset service providers titled “Basic Principles for Crypto Asset Service Providers on Obligations Relating to the Prevention of Laundering Proceeds of Crime and the Financing of Terrorism”. The obligations are collected under 4 categories as follows:

(i) the recognition of the customer

(ii) suspicious transaction notice

(iii) maintenance and submission and

(iv) providing continuous information and documents.

This guideline underlines the importance and the obligation of crypto asset service providers to identify their customers under which KYC is set out as a clear obligation.

According to the guideline, if there is a constant business relationship between a crypto assets platform and its users, they can engage in multiple transactions without needing to provide identity information each time. However, if there is no constant business relationship, the platform must verify the identity of the user in certain situations, such as when a suspicious transaction is noticed or when the transaction amount exceeds a certain threshold. It is important to complete the identification process before starting the business relationship or conducting any currency transactions.

For real persons, the information to be obtained is as follows;

a. Name and surname

b. Date of Birth

c. T.R. ID No

d. Type and number of the identity document

e. Address

f. Nationality

g. Father’s and Mother’s name (Only for Turkish Nationals)

h. Place of birth

i. Signature sample

j. Information related to job and profession

k. If any, phone number, fax number, electronic mail address

The accuracy of the information mentioned in paragraphs (a, b, c, and d) will be confirmed for Turkish Nationals through their T.R. identity card, driver’s license, or passport, whilst for non-Turkish nationals; passport, residence document, or another identity document seen appropriate by the Ministry will suffice.

To confirm a constant business relationship, a residence document or invoice issued within the three months prior to the transaction date can be used. This can be a document related to services like electricity, water, gas, or phone, or a document given by a public institution. The Ministry will decide which other documents or methods can be used for confirmation. Once the original or notarized copies of the documents are submitted, a photocopy or electronic image will be obtained or the relevant information will be registered.

Information that will be obtained during the identification of legal entities registered to the trade registry is as follows:

a. Title of the legal entity

b. Trade registry number

c. Activity matter

d. Open address

e. Taxpayer identity number

f. Telephone number and, if available, fax number and e-mail address,

g. The name, surname, place, date of birth, nationality, information on the type and number of identity documents and a signature sample of the person authorized to represent the legal entity and, additionally, mother’s name, father’s name, and T.R identity number will be obtained for Turkish nationals.

The process of identifying foreign legal entities is done by comparing their documents to the equivalent ones required for Turkish legal entities, which have been approved by Turkish consulates or endorsed by the relevant authority of the country that is part of the Convention for Abolishing the Obligation to Certify Foreign Official Documents. Additionally, in cases where necessary, the identity information is verified through notarized translations of these documents, following a risk-based approach.

Crypto asset service providers will determine if a transaction is suspicious by considering the behavior of the customer, their previous information, and the compliance of the transaction with the customer’s financial profile. The responsibility of notifying suspicious transactions lies with the legal representatives of the entity. Multiple transactions can be covered under one notification form. Suspicious transactions must be reported to the MASAK within 10 business days or immediately if the delay is inconvenient.

The information required to be confirmed by MASAK within the scope of identification includes name, surname, date of birth, Turkish ID number (for Turkish citizens), and the accuracy of the information regarding the type and number of identity documents is ensured through the Turkish identity card, Turkish driver’s license or passport for Turkish nationals, and identity documents with the Turkish ID number on it and clearly stated in special laws to be official identity documents, and passport, residence certificate or identity document deemed appropriate by the Ministry for non-Turkish nationals.

A readable photocopy or electronic image is taken after the submission of the original or notarized copies of the identity documents to be presented when requested by the authorities, or information regarding the identity should be recorded.

The accuracy of the address declared in the establishment of a permanent business relationship must be confirmed by means of a certificate of residence, an invoice issued in the name of the relevant person for a service requiring a subscription such as electricity, water, natural gas, telephone, etc. and issued within three months prior to the transaction date, or other documents and methods deemed appropriate by MASAK.

Compliance with KYC/AML Frameworks

The need for strict adherence to global KYC and AML frameworks highlights how interconnected international financial systems are. KYC and AML compliance are crucial for financial institutions, legal entities, and designated businesses. These regulations require thorough customer due diligence, including identity verification, assessments of ownership, and continuous transaction monitoring to prevent illegal financial activities.

These frameworks promote a risk-based approach, allowing entities to customize their compliance protocols based on the level of risk associated with their clients, financial products, or transactions. They emphasize the importance of conducting thorough due diligence when dealing with high-risk situations, such as transactions involving Politically Exposed Persons (PEPs), and the need for continuous monitoring of these individuals on a global level. Maintaining accurate and up-to-date customer information is not only a regulatory requirement but also crucial for internal oversight and external regulatory scrutiny.

Complying with KYC and AML regulations is crucial for maintaining global financial stability and protecting against money laundering and terrorist financing. It not only prevents legal consequences for organizations but also strengthens the international community’s ability to combat these threats. Adhering to strict global standards in KYC/AML demonstrates a shared dedication to creating a secure and transparent global financial system that operates within the law.

KYC/AML Regulations’ Impact on the Crypto Sector

The intersection of KYC/AML regulations with the crypto asset industry involves various legal, technological, and philosophical considerations. The expansion of KYC/AML rules to cryptoasset service providers and exchanges reflects a global trend to address potential risks and illegal financial activities. While the goal is to increase transparency and reduce risks, this shift has sparked debate as it goes against the decentralized and private nature of crypto assets.

The debate is about finding a balance between regulations and preserving the unique aspects of the crypto asset industry. Some people believe that introducing regulations like KYC/AML is important for legitimizing and protecting against illegal activities. However, others argue that these regulations may go against the principles that make crypto assets attractive, such as anonymity and user autonomy.

The global and decentralized nature of crypto assets makes it difficult to regulate them. To effectively enforce regulations, countries need to work together to create coherent frameworks. As the crypto industry continues to grow, it is important to consider the impact of KYC/AML regulations on preventing financial crimes, as well as their potential effects on innovation, user adoption, and the decentralization of crypto assets.

Continuously evaluating how KYC/AML regulations affect the crypto industry highlights the importance of creating flexible and well-informed legal frameworks that encourage compliance while still allowing for the innovative nature of crypto assets. Finding the right balance between regulatory oversight and maintaining the core principles of the crypto ecosystem is essential for the sector’s continued growth and credibility worldwide.

Report Studies- Conclusive Thoughts — Recommendations

Numerous studies have developed various techniques to uncover the users concealed behind Bitcoin addresses. One notable example is BitIodine, an application created by three Italian scholars, which can identify “addresses in clusters that could belong to the same user or group of users, classify these users and their nicknames, and even display complex data extracted from the Bitcoin network”. A team at the University of California has also produced similar results.

Additionally, a study conducted by AgiproNews in collaboration with the Polytechnic University of Milan demonstrated that using Bitcoin for illicit purposes is even riskier than using electronic money or bank transfers. The study emphasized that Bitcoin is one of the most traceable currencies and that every transaction, regardless of legality, can always be viewed at no cost. At the same time, asserting that Bitcoin lacks transparency in tracking exchanges is a denial of how the entire system operates.

All Bitcoin transactions are public and recorded in a freely accessible distributed database. Anyone can verify who sold a specific amount of crypto asset to someone else and trace the history of every transaction. It is not particularly difficult to determine which wallet contains a particular crypto asset or the route a certain amount took to reach a specific destination.

The report cites a 2015 report from HM Treasury and the UK Home Office, which evaluated the risk of cryptocurrencies for money laundering and financing terrorism as “low”. This conclusion was also reached by Elliptic, a company specializing in cryptocurrency risks, and the Centre on Sanctions and Illicit Financing, a program by the Foundation for Defense of Democracies, a non-profit organization focused on foreign policies and national security.

An in-depth analysis of a narrow sample of transactions between 2013 and 2016 revealed that the number of illicit operations involving Bitcoin is quite low, accounting for only around 1% of all transactions on the network. The alleged anonymity that Bitcoin provides to its users, which concerns authorities in various sectors, is more of a myth than a reality.

Bitcoin is not truly anonymous; rather it is pseudonymous. This means that each user is linked to a unique nickname or pseudonym composed of a long string of numbers that forms the address associated with a specific wallet. Consequently, it is possible to identify the originator of a particular operation once their pseudonym is known. Many companies have recently specialized in this area, including those that provide consulting services to law enforcement agencies. Notably, Neutrino S.r.l., an Italian company, evaluates the risk of money laundering for each specific Bitcoin transaction. The Blockchain Intelligence Group in Vancouver is also well-known for conducting similar analyses.

It is fundamentally incorrect to claim that Bitcoin was invented by criminals. Bitcoin originated from a community of computer activists known as Cypherpunks who had been working on a digital money project since the 1990s. These individuals were computer experts who were deeply committed to preserving privacy. Some had university experience while others were already wealthy, thanks to the Internet. For them, anonymity was not a way to evade police control, but rather a means of countering the tyranny of surveillance. There are multiple reasons why many disagree with the considerations outlined above.

Primarily, a careful reading of the various warnings issued by authorities in different sectors reveals that many of them either completely ignore the historical and cultural context in which Bitcoin was created or greatly misunderstand the actual characteristics of this new technology. Therefore, it is not a risky proposition to argue that large criminal organizations still prefer dollars over Bitcoin. This is partly because Bitcoin lacks market liquidity and is not easily used for money laundering purposes.

The report utilizes various computer techniques to identify suspicious Bitcoin movements through Bitcoin forensics and Bitcoin intelligence. The former involves using statistical tools to analyze transactions and identify users, while the latter involves monitoring the blockchain to identify addresses at risk for money laundering and provide a probabilistic estimate of the risk associated with each specific transaction.

LEGAL DISCLAIMER

THE INFORMATION PROVIDED IN THIS PAPER PROVIDES GENERAL INFORMATION AS TO THE POSSIBILITIES IN MULTIPLE JURISDICTIONS. PLEASE KEEP IN MIND THAT LAWS THAT APPLY TO THE SUBJECT HEREIN MAY DIFFER IN EACH JURISDICTION. THUS, NOTHING CONTAINED HEREIN CONSTITUTES ANY LEGAL OPINION OR SUGGESTION OF ANY KIND. PLEASE CONSULT TO LOCAL EXPERTS IN RELEVANT AREAS BEFORE TAKING ANY ACTION BASED ON ANY INFORMATION CONTAINED HEREIN.