Institutional Virtual Asset Service Providers and Virtual Assets Risk Assessment Guide

Download the report

The process of identifying crypto-related financial crime red flags within the private sector lacks uniformity. Two centralised cryptocurrency exchanges with similar risk appetites, services and transaction volumes can have different criteria to determine what qualifies as a high-risk transaction. To compound this problem, the institutional risk assessments that crypto businesses create are often proprietary. Publicly available guides on how to successfully assess risks within this fast-paced industry are non-existent. The private sector, including virtual asset service providers (VASPs) and financial institutions (FIs), needs such a guide to assess risk, identify suspicious activity and flag the information to the relevant authorities.

This guide is designed to provide a standardised approach to assessing financial crime risk within the cryptocurrency industry. It documents observed and emerging risks to allow institutions to identify high-risk activities and determine strategies to tackle such risks. Furthermore, the virtual assets risk assessment framework provided will help institutions better understand and define their risk appetite while being aligned to virtual asset laws and regulations.

The guide documents how VASPs and FIs should understand the crypto-related financial crime risks they face through customers, the tokens and services they offer, jurisdictions in which and with which they operate, transactions, delivery channels, fraud, and cyber threats. It further explains how these institutions could assess the inherent risk of these categories by considering the likelihood of the risk materialising based on their business model, alongside any potential impact it would have.

After the inherent risk is evaluated, the institution needs to assess residual financial crime risks. This is achieved by assessing the effectiveness of existing controls in place to tackle inherent risks. Once the institution completes its virtual assets risk assessment, it can then measure its residual risks and decide whether to accept or further mitigate them.