Making a Sectoral Virtual Asset Risk Assessment: Challenges and Approaches
This policy brief, written for authorities responsible for the risk-assessment process, aims to offer insight on five key challenges that jurisdictions face with a sectoral virtual asset risk assessment, and suggests potential considerations for overcoming these barriers.
In June 2024, the Financial Action Task Force (FATF) – the international standard setter for anti-financial crime measures – reported that 29% of jurisdictions had yet to conduct a virtual asset (VA) risk assessment.[1] Furthermore, based on FATF’s expectations, 75% of jurisdictions had not conducted adequate VA risk assessments.[2] In view of the centrality of the risk assessment process to the effective application of a risk-based approach – that is, the method of assessing risk exposure and tailoring mitigation controls – FATF’s concerns should not be overlooked.
A sectoral VA risk assessment – evaluating sector-specific risks – is key for jurisdictions to understand their financial crime risk exposure. This information can be relayed to the private sector and supervisors so they can effectively implement a risk-based approach. If carried out in a robust manner, this process points the jurisdiction in a more informed direction and allows it to prioritise where and in what order vulnerabilities need to be addressed. However, as can be seen in FATF’s finding, challenges persist for authorities responsible for leading the VA risk-assessment process.
To compound the challenge, criminal networks and state actors constantly adapt their approaches and exploit emerging avenues in the VA industry. This problem requires jurisdictions to update a sectoral VA risk assessment regularly to take account of new threats. By taking this initiative, jurisdictions can work towards a safer environment for the VA industry and consequently the whole financial system.
This policy brief, written for authorities responsible for the risk-assessment process, aims to offer insight on five key challenges that jurisdictions face with a sectoral VA risk assessment, and suggests potential considerations for overcoming these barriers. These problems, which have to do with development of the methodology, data collection and risk mitigation, are outlined, along with responses to each.
Methodology
The features of a sectoral VA risk assessment identified in this policy brief are based on the expert observations of the authors, supplemented by a review of grey literature published between October 2021 and July 2024. These documents include guidance from international organisations, reports from government institutions and published sectoral VA risk assessments.
Challenges and Responses
The VA industry brings extensive opportunities for jurisdictions to improve monitoring of their financial crime risk, such as data-led supervision and the traceability of transactions. However, jurisdictions also need to ensure that hostile actors are not able to exploit the industry, thereby increasing the financial crime risk to the jurisdiction.
Authorities still struggle to identify the vast scope of VA activity that applies to their jurisdiction, and the associated risk exposure. As jurisdictions race to conduct a risk assessment for the sector and check the box for FATF, they may not realise the range of risks to which their jurisdiction is exposed.
To ensure jurisdictions understand how to approach a sectoral VA risk assessment, this policy brief outlines key challenges that jurisdictions face with this process, along with responses on how to overcome these barriers and ensure a high-quality and risk-based output.
Challenge 1: Confusion About Methodology
The number of methodologies for undertaking a sectoral VA risk assessment published by various international institutions means that jurisdictions can get overwhelmed by the task of pinpointing the best one.
Jurisdictions approach the process of defining a methodology differently; some may cleave to one international institution’s methodology, while others define their own approach by integrating features applicable to their current regulatory environment. For jurisdictions that are contemplating this process for the first time or updating a previous version, the following institutions have available methodologies or guidance for VA-specific risk assessments:
- The Council of Europe.
- The European Commission.
- The World Bank.
- The IMF.
Alternatively, jurisdictions may develop their own methodology, whether taking components from the approaches noted above or defining their own. For example, the Slovak Republic took a hybrid approach with an adapted version of the European Commission methodology, as the country had not yet established a central institution for a separate virtual asset service providers (VASPs) licensing process at the time of the assessment. Its approach included a comprehensive questionnaire distributed to registered VASPs in the jurisdiction. In Luxembourg, the Ministry of Justice used a hybrid approach to focus solely on inherent risk by analysing threats and sectoral vulnerabilities, acknowledging that no entity had completed the registration process at the time, and that therefore an assessment of mitigating controls and residual risk would be premature. This highlights the importance of identifying a methodology that is flexible and appropriate for the state of VA regulation within the jurisdiction at the time of assessment.
Notably, when updating a sectoral VA risk assessment, jurisdictions do not need to use the same methodology for each round. In fact, as years pass, a jurisdiction should have access to more data on VAs in response to its regulatory approach, and further understanding of risk exposure. This may require a different approach to the methodology – for example, an initial risk assessment might identify whether a registration and/or licensing regime is needed, whereas a second risk assessment may be more fine-tuned to legal obligations for VASPs.
Challenge 2: Limited Data
The second challenge for jurisdictions stems from the fact that responsible authorities get stuck on one of the key elements needed for a risk assessment – identifying sources of information to use to assess the threats. Jurisdictions can overlook the plethora of information available and assume that they must rely solely on suspicious activity reports from the private sector. However, authorities can take a more expansive approach to gathering data when defining exposure to the industry and what percentage of that activity ties to illicit means. Other useful sources of information may include:
- Consumer complaints from a variety of agencies for fraud-related matters.
- Threats identified by international organisations, government bodies, the private sector and civil society.
- Online activity promoting VA products.
- Work by intelligence agencies inside the jurisdiction.
- Company registration records.
- Prosecutions and convictions.
- Tax information.
- Data from blockchain analytic tools.
- Data from customs agencies that detect undeclared imported VA mining equipment.
- Mutual legal assistance requests.
As an example of good practice, when identifying data in Estonia, that country’s financial intelligence unit (FIU) assessed the number of requests from foreign law enforcement from 2017 to October 2021. Further analysis of these requests in the country’s sectoral risk assessment found that in 2021, the requests predominately linked to the movement of illicit proceeds from fraud to VASPs licensed in Estonia. In addition, the risk assessment accounted for mutual legal assistance requests from foreign law enforcement agencies from 2019 to 2021, and analysed the associated financial crime type. This data within the sectoral VA risk assessment supported the jurisdiction with risk mitigation.
Furthermore, jurisdictions also need to consider in their assessments the VA risk exposure of financial institutions and designated non-financial businesses and professions (DNFBPs). Importantly, VAs are an additional vehicle for moving funds and therefore – as with all forms of money value transfer – illicit actors can misuse them if proper controls are not implemented by obligated entities. The VA risk assessment of Mauritius includes consideration of the risks to financial institutions and DNFBPs, identifying at the time of the assessment that no legal restrictions existed to prevent individuals from accessing virtual betting platforms that allow payments in VAs. Furthermore, the assessment found that for existing licensing criteria, internal control mechanisms did not evaluate the capacity of financial institutions to ‘effectively deal with unlicensed VASPs’.
Another key point is that the sectoral VA risk assessment should not rely solely on institutional VA risk assessments carried out by VASPs, although these can be a useful input as part of broader evidence gathering. Within the VA industry, the private sector often supports the public sector by training authorities on how to identify risk and investigate activity, but authorities need to understand the threats from a wider vantage point. VASPs should therefore also be able to use the information from the jurisdiction’s risk assessment in their own consideration of the risks. In this way, authorities and the VASP industry can collaborate to better understand the threats and mitigations.
Finally, jurisdictions that decide to ban the VA industry need to consider how they can identify and monitor their exposure to VA-related risks in the absence of the significant amounts of data that other countries can obtain from industry or regulators. One way in which they can attempt to do this is through monitoring sources of information such as online promotion of activities in their jurisdiction. In Jordan’s 2023 assessment, authorities provided a case study that involved a number of reports identifying that ‘suspects had received frequent money transfers in high amounts from … e-wallets’ and withdrawn cash shortly after receiving funds. The investigation found that the suspects were registered on Facebook pages that promoted VA trades, including for investment in Dagcoin in Jordan.
Challenge 3: Not Accounting for Sanctions Evasion Activity
In 2024, the UN Panel of Experts on North Korea recommended that member states conduct VA risk assessments that account for North Korean activity. This guidance stems from the fact that entities linked to North Korea continue to exploit this industry, with early 2024 estimates noting that the country was being investigated for stealing $3 billion-worth of VAs between 2017 and 2023.
For authorities, the identification of proliferation finance exposure for their jurisdiction is already difficult. These complex sanctions circumvention networks consist of multiple front companies and bank accounts that, at first glance, authorities might assume to be normal business operations. With such cyber-criminals also misusing VAs as a vehicle for moving illicit proceeds, authorities face larger obstacles to detecting the North Korean sanctions-evasion risk exposure specific to their jurisdiction.
To overcome this challenge, authorities should consider proliferation finance-linked revenue-generation methods and sanctions-circumvention techniques. For example, jurisdictions must not omit cybercrime from their assessment of inherent risk. This is a critical component, as criminal networks and state actors can gain access to a network through exploitation of vulnerabilities, which can result in the loss of millions of dollars’ worth of VAs. Critically, if a jurisdiction develops a working group for the sectoral VA risk assessment process, the cyber security division of law enforcement must be included to ensure such crime is captured efficiently.
Next, authorities need to grasp how the VA industry integrates into old-school sanctions evasion techniques that occur across multiple jurisdictions, which proliferators continue to implement. To take an example, a North Korean-linked individual listed in a US indictment instructed over-the-counter (OTC) VA traders to move assets tied to sanctions evasion and eventually purchase goods such as communication devices. In a circumvention case listed in the indictment, an individual known as ‘Jammy Chen’ sent VAs to an address specified by an OTC trader known as Wu, who later provided a payment confirmation to Chen showing that fiat currency had been sent from a front company’s account with a Hong Kong bank to a bank account in Bangkok to purchase an item.
Through consideration of this information in a sectoral VA risk assessment, authorities can mitigate the risk of sanction evaders exploiting their jurisdictions to launder criminal proceeds.
Challenge 4: Disregarding Key Risks in Authorisations
A final part of the risk-assessment equation that the assessment may not consider, or may be unable to consider due to the relative immaturity of the industry, is control effectiveness at the sectoral level.
Central to the application of a risk-based approach at a sectoral level is the authorisation process for VA companies. This allows a jurisdiction to ensure that VASPs operating there are subject to an appropriate level of regulatory oversight and have in place appropriate controls. The process can be an effective tool in preventing VASPs with poor practices from being established. Jurisdictions should consider any potential gaps in this control: for example, a lack of capacity within authorities to process applications, or pressure on authorities to approve firms quickly. This may lead to extra work for supervisory teams if a VASP’s financial crime controls have not been thoroughly reviewed in the authorisation process and the supervisor has to work with the firm to enhance them.
Alternatively, the framework may be set up so that the authorisation process is efficient and thorough, but there are no sector-specific guidelines about how to meet anti-financial crime requirements. As an example of good practice, the Monetary Authority of Singapore issues guidance to VA-specific service providers to support implementation of necessary measures, such as limiting consumer harm. Meanwhile, Dubai’s Virtual Assets Regulatory Authority provides a detailed overview of the licence application process for clarification.
According to FATF, jurisdictions should next consider risks associated with offshore VASPs, that is, those ‘not incorporated or physically based in their jurisdiction’. These offshore VASPs can potentially have limited anti-financial crime compliance measures and can pose challenges to authorities attempting to recover virtual assets tied to illicit activity. FATF states that appropriate risk mitigation measures linked to risks associated with offshore VASPs need to be incorporated when jurisdictions develop a licensing or registration framework.
Challenge 5: Narrow Perspective on How to Mitigate Identified Risk
A sectoral VA risk assessment allows a jurisdiction to acknowledge the risk, determine the preferred response and share the assessment with the sector, so that entities can reflect the identified risks within their institutional risk assessments accordingly.
Importantly, the assessment can also support a country with the initial decision on how to approach the industry: allow VASPs to operate in the country and work to minimise the risk of the exploitation of the industry; restrict some VA activities; or ban the VA industry entirely. This policy brief does not direct jurisdictions in which approach to take, but details the options below.
First, for those jurisdictions that allow VASPs to operate, the jurisdiction needs to understand the threats and implement risk mitigation strategies. A failure to address the vulnerabilities within a jurisdiction linked to the VA industry can leave the door open to exploitation by criminals and can result in VA companies knowingly or unknowingly facilitating sanctions violations, ransomware payments and fraud schemes. Poor controls at the country level can impact the level of risk to which a national financial system is exposed.
Second, a jurisdiction can restrict some VA activities. For example, some jurisdictions do not allow payment processors operating with VAs, but still allow people to access exchanges that make use of payment providers regulated by another jurisdiction. The regulating jurisdiction must then take full responsibility for ensuring that the processor operating with VAs has appropriate and effective anti-financial crime measures.
Third, jurisdictions can ban the industry completely. However, even in a country where VASPs are ‘banned’, other reporting entities, including banks, can still have exposure to them. Furthermore, users within the jurisdiction will still be able to access the VA industry through irregular means over which authorities may not have oversight. Authorities within jurisdictions where VAs are banned can still analyse data to determine gaps in monitoring or enforcement. In Jordan, for example, a designated assessment team developed the country’s 2023 sectoral VA risk assessment despite the Central Bank stressing a ban on dealing with VAs. This type of analysis is crucial to ensuring that the jurisdiction monitors the threat appropriately. Fighting financial crime in the VA industry in jurisdictions that turn a blind eye to the industry completely is an impossible feat.
When the first of these three options is chosen, new considerations arise about how to detail an action plan for successfully achieving this goal. A jurisdiction may hold workshops or discussions with the relevant entities to determine proper and effective policy responses to the risk assessment. These engagements can account for the following information.
First and foremost, a jurisdiction may reflect on implementation of VA-focused legislation to outline the licensing or registration of VASPs, and other matters connected to VAs. A useful reference point for jurisdictions that decide to consider this approach is the Commonwealth Model Law on Virtual Assets.
Next, anti-money-laundering and counterterrorist-financing supervisors can define how to draw the line from the results of a country’s sectoral risk assessment to a candid assessment of the effectiveness of their regulatory and supervisory frameworks, as well as discussing how they can demonstrate that they are effectively mitigating VA-related risks. Blockchain analytic tools are useful here as a verification tool to determine the effectiveness of such frameworks and discern where the risk is displaced. Additionally, as noted by the Caribbean Financial Action Task Force (CFATF), ‘these tools can help supervisors in identifying high-risk firms based on their activity’.
Supervision of VAs and VASPs is an essential part of mitigating the inherent risks posed to a jurisdiction. Supervisors can potentially assume that inherent risks associated with the sector will be mitigated simply through the controls applied by the VA companies themselves. However, this approach is not always reliable. Until the sector evolves to have consistent and robust anti-financial crime controls, jurisdictions need to do more to understand where the risks are arising and find additional ways to address them.
Furthermore, authorities need to consider resources and capacity during the authorisation process. For example, some jurisdictions have designed regulatory frameworks with a specific time limit within which authorisations must be provided to the VA companies. As noted above, this approach – trying to meet a deadline, rather than having a thorough assessment of the entity – can potentially expose the jurisdiction to the risk of authorising VA companies with poor or incomplete anti-financial crime controls. This challenge can occur in particular where the public sector has limited resources and expertise relating to the VA industry. Notably, a dedicated timeline is valuable and appreciated for a VASP, but a balanced approach needs to be taken to ensure that the authorising authority has the capacity and resources to verify the information provided. If feasible, the CFATF notes that ‘it’s important to consider [VASP supervisors’] technical knowledge and supervisory experience’, as some ‘may lack the necessary combination of skills needed to effectively oversee [virtual assets] and VASPs’.
Finally, a clearly written strategy resulting from a risk assessment – that is, developing a risk-based approach – allows supervisors to pace the rate for review of VASP applications, to understand the jurisdiction’s risk appetite and the resources needed to effectively supervise the VA industry. It also gives a clear direction to both financial institutions and VA companies on the approach to VAs within the jurisdiction, so that they can decide whether they want to offer VA products and services there, or seek opportunities in another jurisdiction.
Conclusion
Authorities responsible for developing a sectoral VA risk assessment need to have a comprehensive understanding of the potential vulnerabilities within their jurisdiction and the ways in which they can address those vulnerabilities. If a jurisdiction has poor understanding of the risks at the sectoral level, high-risk VA companies can operate with relative impunity. This policy brief has set out considerations for jurisdictions when contemplating a sectoral VA risk assessment.
Importantly, jurisdictions need to remember that the risk assessment process is not a one-time exercise. With innovation, the VA industry continues to grow, and along with the benefits this can bring, there is the risk that criminals, who always adapt, here as in all industries, can be quick to exploit emerging avenues. Therefore, it is critical that the analysis is repeated regularly, to mitigate gaps. Criminal networks and state actors always adapt their approaches to evade detection in response to enhanced regulatory measures. As a result of these constant alterations, jurisdictions in turn must update their risk assessments to further understand emerging risk exposure.
© 2024 The Royal United Services Institute for Defence and Security Studies.
The views expressed in this Policy Brief are the authors’, and do not represent those of RUSI or any other institution.
WRITTEN BY
Allison Owen
Associate Fellow - Expert in cryptocurrency and counter-proliferation finance
Samantha Sheen
Associate Fellow; Financial Crime Adviser, Efficient Frontiers International
Footnotes
[1] This percentage equates to 42 out of 147 jurisdictions, based on 130 FATF mutual evaluation and follow-up reports. See FATF, ‘Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers’, June 2024, p. 3, <https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/2024-Targeted-Update-VA-VASP.pdf>, accessed 12 July 2024.
[2] This percentage equates to 97 out of 130 jurisdictions. See FATF, ‘Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers’, June 2024, p. 3.