Edit by WuBlockchain
This Chapter provides guidance on the ML/TF risks in relation to virtual assets and the AML/CFT regulatory requirements and standards for addressing such risks. These include factors that should be taken into consideration when conducting risk assessments under an RBA, virtual asset-specific requirements in conducting CDD and ongoing monitoring, and requirements in relation to virtual asset transfers and third-party deposits and payments in the form of virtual assets. It also provides elaborations and explanations of existing requirements in this Guideline with respect to their application to virtual asset transactions and activities, and sets out non-exhaustive illustrative risk indicators for assessing ML/TF risks and indicators of suspicious transactions and activities in relation to virtual assets.
Virtual asset businesses are also likely to be used at the second stage of money laundering, i.e. the layering process. These businesses provide a potential avenue which enables the illicit actors or money launderers to dramatically alter the form of funds (i.e. fiat currency) or virtual assets. This not only allows conversion from cash in hand or other funds to virtual assets as well as conversion from one type of virtual asset to another, it also allows conversion from virtual assets derived from illicit activities or associated with illicit sources to cash in hand or other funds after conducting transactions for no other purposes but to further obfuscate the fund flows and the identity of the holder or beneficial owner of the virtual assets. To obfuscate the sources of virtual assets derived from illicit activities, illicit actors or money launderers may move assets across multiple wallet addresses, service providers, types of virtual assets or blockchains. They may exploit virtual asset-specific layering techniques such as peel chains and chain-hopping Virtual assets are sometimes laundered through anonymity-enhancing services such as mixers or tumblers and the use of other anonymityenhancing technologies or mechanisms (e.g. anonymity-enhanced virtual asset or privacy coin, privacy wallet, etc.)
Unhosted wallets , decentralised virtual asset exchanges, peer-to-peer platforms or virtual asset businesses that are unregulated or with lax AML/CFT controls are particularly attractive to illicit actors or money launderers.
Before carrying out a virtual asset transfer involving virtual assets that amount to not less than $8,000, an ordering institution must obtain and record the following originator and recipient information
(a) the originator’s name; (b) the number of the originator’s account maintained with the ordering institution and from which the virtual assets are transferred (i.e. the account used to process thetransaction) or, in the absence of such an account, a unique reference number assigned to the virtual asset transfer by the ordering institution; © the originator’s address 145 , the originator’s customer identification number 146 or identification document number or, if the originator is an individual, the originator’s date and place of birth; (d) the recipient’s name; and (e) the number of the recipient’s account maintained with the beneficiary institution and to which the virtual assets are transferred (i.e. the account used to process the transaction) or, in the absence of such an account, a unique reference number assigned to the virtual asset transfer by the beneficiary institution.
Before carrying out a virtual asset transfer involving virtual assets that amount to less than $8,000, an ordering institution must obtain and record the following originator and recipient information:
(a) the originator’s name; (b) the number of the originator’s account maintained with the ordering institution and from which the virtual assets are transferred or, in the absence of such an account, a unique reference number assigned to the virtual asset transfer by the ordering institution; © the recipient’s name; and (d) the number of the recipient’s account maintained with the beneficiary institution and to which the virtual assets are transferred or, in the absence of such an account, a unique reference number assigned to the virtual asset transfer by the beneficiary institution.
Examples of customers that may present higher ML/TF risk include:
(a) where the origin of wealth is substantially derived from activities that may present higher risks, e.g. initial coin offerings which are known to associate with predicate offences for ML/TF or financial crimes; virtual asset activities conducted via VASPs that are unregulated or with lax AML/CFT controls; (b) a customer who appears to operate as an unregulated VASP on peer-to-peer platforms, particularly when the customer handles or conducts frequent and/or large virtual asset transfers or transactions on behalf of its underlying customer(s), and charges higher service fees compared to other VASPs; © a customer’s wallet(s) used for deposit and withdrawal exhibit(s) patterns of virtual asset transactions associated with the use of anonymity-enhancing technologies or mechanisms (e.g. mixers, tumblers) or peer-topeer platforms; and (d) a customer who is a VASP sets up offices in, or moves offices to, jurisdictions for no apparent business reason or posing a higher risk (especially those that neither prohibit nor regulate virtual asset-related activities or services).
Examples of products, services or transactions173 that may present higher ML/TF risk include: (a) products or services that may inherently favour anonymity or obscure information about underlying customer transactions, especially those involving the use of anonymityenhancing technologies or mechanisms, or that are not supported by any technological solutions adopted for screening of virtual asset transactions and the associated wallet addresses174; (b) deposits from or payments to unknown or unrelated third parties in the form of virtual assets; © virtual assets that have been associated with fraud, market abuse or other illicit activities; (d) the purchase of virtual assets using physical cash; and (e) virtual asset-related products or services funded by payments from or instructions given by unexpected third parties, particularly from jurisdictions posing a higher risk.
(a) A customer who has no discernible reason for using the FI’s services (e.g. a customer has opened an account for virtual asset trading services but only deposits fiat currency or virtual assets and subsequently withdraws the entire balance or a substantial portion of the deposited assets without other activity; or a customer located in a place outside Hong Kong who opens an account with the FI to trade virtual assets that are also available from VASPs located in that place175); (b) Requests by customers for virtual asset trading services or virtual asset transfers where the source of the funds is unclear or not consistent with the customers’ profile and apparent standing; © A customer who enters an FI’s platform and/or initiates transactions from an IP address that may present higher risks, for example: (i) from jurisdictions posing a higher risk; (ii) not in line with the customer’s profile (e.g. IP address from a jurisdiction which is not the customer’s place of residence or principal business); (iii) previously identified as suspicious by the FI; or(iv) associated with a darknet market or software that increases anonymity or allows anonymous communications (e.g. proxies, unverifiable IP geographical location, virtual private networks, The Onion Router (Tor)); (d) A customer and other apparently unrelated customer(s) entering the FI’s platform from the same IP or MAC address; (e) A customer who frequently changes contact information, e.g. email address, phone number, especially when those are disposable or temporary176; and (f) A customer who frequently or over a short period of time, e.g. within a few hours, changes the IP address or device used to enter the FI’s platform and/or conduct transactions.
(a) Buying and selling of virtual assets with no discernible purpose or where the nature, size or frequency of the transactions appears unusual. For example, where a customer repeatedly conducts virtual asset transactions with a particular person or group of persons at a significant profit or considerable loss, which may indicate that the transactions are used to transfer value or obfuscate funds flow as part of a ML/TF scheme, or a potential account takeover; (b) Mirror trades or transactions involving virtual assets used for currency conversion for illegitimate or no apparent business purposes; © Converting virtual assets to fiat currency at a potential loss with no apparent commercial rationale regardless of, for example, the price fluctuations or high commission fees; and (d) Conversion of a large amount of fiat currency or virtual assets into other or multiple types of virtual assets with no logical or apparent reason which obscures the flow of funds.
(a) Placing of buy and sell orders in close chronological sequence for accounts with the same beneficial owner or of connected persons in the same virtual assets which are thinlytraded; (b) Multiple new customers are referred by the same individual to open accounts for trading in the same virtual asset within a short period of time; © A customer engages in prearranged or other non-competitive trading in particular virtual assets; (d) The entry of matching buy and sell orders in specific virtual assets (“wash trading”), creating the illusion of active trading with no change in the beneficial ownership of the virtual assets. Such wash trading does not result in a bona fide market position, which might also provide “cover” for a money launderer; (e) Accumulation of a virtual asset with small increments in price to gradually increase the price of the virtual asset over a period of time; (f) A customer makes large purchases of a virtual asset, particularly a virtual asset which is thinlytraded, within a short period of time, and the size of the transactions is incommensurate with the customer’s profile; and (g) A group of customers sharing the same trading patterns (e.g. purchasing the same virtual asset at the same or similar time or price), particularly in relation to a virtual asset which is thinlytraded, authorise the same person or third party to operate their accounts and/or transfer fiat currency or virtual assets amongst their accounts.
(a) A customer uses an FI to make payments or to hold funds or other property that are rarely used or are not being used to trade in virtual assets, i.e. the account appears to be used as a depositary account or a conduit for transfers; (b) Transfers of positions, funds, virtual assets or other property between accounts of parties that do not appear to be commonly controlled or have an apparent relationship; © Frequent funds, virtual assets or other property transfers or cheque payments to or from third parties that are unrelated or difficult to verify; (d) Transfers of funds or virtual assets to and from financial institutions or VASPs located in jurisdictions posing a higher risk177, or, which are not consistent with the customer’s declared place of residence, business dealings or interests, without reasonable explanation; (e) Transfers of funds or virtual assets to the same person from different parties, or to different persons from the same party without reasonable explanation; (f) Frequent changes of bank account or wallet address details or information for receiving funds or virtual assets; (g) Multiple transactions involving a high value of virtual assets where the nature, frequency or pattern of the transactions appears unusual, e.g. the transactions are conducted in short succession such as within a 24-hour period, or in a staggered and regular pattern followed by a long period of inactivity; transfer of virtual assets to another wallet, particularly a new wallet or wallet that has been inactive for a period of time, which may indicate possibility of ransomware attack or other cybercrimes; (h) Virtual assets are transferred from wallet addresses which are known to hold stolen virtual assets, or are known to associate with holders of stolen virtual assets; (i) Deposits of virtual assets, including those from new customers, are immediately followed by transactions with no apparent legitimate purpose or commercial rationale which incur additional or unnecessary cost or fees (e.g. converting the deposited virtual assets to other or multiple types of virtual assets which obfuscates the trail of transactions, and/or withdrawing all or part of the deposited virtual assets to unhosted wallets immediately); (j) Transfers of virtual assets from multiple wallets in small amounts, in particular, those that are held by third parties, with subsequent transfer to another wallet or conversion of the entire amount to fiat currency; (k) Transactions involving virtual assets that provide higher anonymity such as anonymityenhanced virtual assets (e.g. depositing a virtual asset that operates on a public blockchain and immediately converting it into a virtual asset that provides higher anonymity); (l) A customer uses an FI to convert an unusual amount (in terms of volume or number) of virtual assets from peer-to-peer platforms (e.g. a peer-to-peer platform with lax AML/CFT controls) into fiat currency for no logical or apparent reason; (m) Transfers of virtual assets to or from wallet addresses presenting higher risks, for example, wallet addresses that are directly and/or indirectly associated with illicit or suspicious activities/sources or designated parties (n) Transfers of virtual assets that have been associated with chain-hopping179; (o) Frequent and/or large transactions involving virtual assets from virtual asset automatic teller machines or kiosks, especially those located in jurisdictions posing a higher risk; (p) Information or message transmitted with a virtual asset transfer indicates that the transaction may be used to finance or assist illicit activities; (q) A customer who is a financially vulnerable person and/or has no prior knowledge of virtual assets engages in frequent and/or large transactions (in particular, deposits and withdrawals of funds and/or virtual assets) through an FI, which may be signs indicating money mule or scam victim; (r) Deposits of large amounts of virtual assets followed by conversion to fiat currencies, where the source of the funds is unclear and the size of transactions is not in line with the background of the customer, which may suggest that the deposited virtual assets are stolen assets; (s) A customer’s funds or virtual assets originate from, or are sent to, a financial institution or VASP that (i) is not registered or licensed in the jurisdiction that it operates from (or where the customer to whom it offers products and/or services resides or is located), or (ii) operates from (or the customer to whom it offers products and/or services resides or is located in) a jurisdiction that neither prohibits nor regulates virtual asset-related activities or services; (t) The required information in a virtual asset transfer is inaccurate or incomplete, for example, in the case of an ordering institution, discrepancies were noted between the recipient’s information provided by its customer and the information maintained by the beneficiary institution which may have resulted in a rejection of the virtual asset transfer request or return of the relevant virtual assets by the beneficiary institution, or the information noted from the screening of the recipient’s wallet address associated with the virtual asset transfer (see paragraphs 12.7.2 to 12.7.4 and 12.7.6); (u) A customer with limited or no other assets at the FI receives a transfer of large amounts of thinly-traded virtual assets; and (v) A customer deposits virtual assets and requests to credit them to multiple accounts that do not appear to be related, and to sell or otherwise transfer ownership of the virtual assets.