Back to Resources

Bulletproof Your Crypto KYC/AML and Sanctions Compliance Programs with Geolocation

  • Blog
  • Financial Services

We are pleased to welcome crypto leader Chia Hock Lai, Co-chairman of the Blockchain Association Singapore and Co-founder of the Global Fintech Institute, for this Q&A session as part of our thought leadership series with industry experts and regulators.

Q: Many types of financial crime, most recently ransomware, have been linked to cryptocurrency. Why is this?

A: The speed of transfer, cross-border and pseudonymous nature of cryptocurrency have made it a popular choice for criminals. In addition, the increasing mainstream adoption and the improved liquidity of cryptocurrency – especially bitcoin – make it easier to convert to fiat currencies. Finally, the availability of tools to spoof identity and location online makes it more difficult to identify and locate the criminals.

Q: What are the limitations of IP addresses in meeting KYC/AML requirements and stopping financial crime?

A: IP addresses can be faked using a variety of methods and tools, including VPNs, DNS proxies, Tor, data centers, Xcode simulation, emulators, jailbroken devices and fake location apps. Criminals often spoof their identity and location to perpetrate illegal activities such as laundering ill-gotten cryptocurrency through exchanges – especially those with weak KYC/AML controls.

Q: What location data points are better than IP addresses in properly identifying customers and mitigating crime?

A: Collecting multiple sources of geolocation data, such as GPS, GSM triangulation and Wi-Fi, is key. All these data points – plus IP addresses – should be checked for accuracy and legitimacy. They can then be aggregated to provide a holistic assessment of customers’ true identity and location, to more accurately identify customers and mitigate crime.

Q: Which jurisdictions are leading the way when it comes to recognizing geolocation as essential to KYC, authentication, etc.?

A: The Financial Action Task Force (FATF) recently highlighted the importance of geolocation data for enhanced authentication of customers.

The United Kingdom’s Financial Conduct Authority (FCA) has mentioned using geolocation data for enhanced authentication, due to the rise in cybercrime during COVID-19. The Monetary Authority of Singapore (MAS) also cited IP anonymizers as a risk factor during risk assessments. More interestingly, the Mexican government has mandated banks to collect real-time geolocation data of customers accessing online financial digital services.

Overall, we see that regulators have recognized the importance of geolocation data for strengthening KYC/AML and sanctions compliance.

Q: How can geolocation improve the customer experience, such as reducing friction when making trades?

A: Crypto exchanges typically use multi-factor authentication (MFA) to mitigate fraudulent trades, such as requiring both one-time passwords (OTP) from email and SMS when making trades – a cumbersome user experience. Multi-source geolocation data analytics, which enhances the proper identification of customers and their location, could help reduce the need for MFA and improve the customer experience, especially for low-value trades.

Q: How can the crypto industry and regulators work together to combat crime facilitated by using digital assets?

A: First, an ongoing dialogue would help educate regulators on the latest trends of criminal behaviors (e.g., rise of romance scams involving crypto), while the industry could learn about regulators’ key concerns and priorities.

Second, the industry could provide feedback to regulators on upcoming changes in crypto regulations. This is important as some proposed regulatory changes might be sound in theory but not practical to be implemented in whole.

Finally, industry and regulators could conduct joint public awareness and education programs to consumers on typical digital assets crime and how to protect oneself from such crimes.

Q: The new OFAC Sanctions Compliance Guidance for the Virtual Currency Industry specifically recommends the use of geolocation tools and IP blocking controls as a best practice for an effective sanctions compliance program.

What is the greatest value these tools have in helping financial institutions develop their sanctions or KYC/AML compliance programs?

A: OFAC is the latest regulatory organization to identify the importance of geolocation in KYC/AML and sanctions compliance, and to specify the use of geolocation tools as an industry best practice. Given the rapid adoption of virtual assets around the world, I wouldn’t be surprised that eventually the use of geolocation tools might become law for financial institutions, including virtual asset companies. To minimize their regulatory risk, these organizations should prioritize compliance by implementing these tools – including location data and IP blocking controls – now.

As the OFAC guidance indicates, geolocation tools enable virtual asset companies to identify and block IP users from sanctioned jurisdictions. And, as I mentioned earlier, using multi-source geolocation data is essential to establishing a customer’s true identity and location. These measures are crucial to avoid regulatory enforcement and prevent illicit actors from exploiting the crypto industry to perpetrate crime.

Check out the previous articles in our thought leadership series: