Over the last several years, there has been an influx of “BTMs” popping up all over the place. According to Coin ATM Radar, at the time of writing, there are over 39,000 Bitcoin ATMs in the world today compared to 14,000 at the end of 2020. Of these, nearly 87% are reportedly located in the United States.
Many of these Bitcoin ATMs (or cryptocurrency kiosks) are not only an innovative technology but make crypto more accessible, particularly to the un- or under-banked.
Learn more about Bitcoin ATMs from our previous blog: What is a bitcoin ATM? What consumers should know
These kiosks, also known by regulators as cryptocurrency money transmitters, may appear to resemble a regular ATM (or at least a close digital cousin), but instead of accepting and dispensing cash by accessing one’s deposit bank accounts, they enable customers to exchange cash for crypto and vice versa using a cryptocurrency wallet of their choosing.
Cryptocurrency money transmitters are required by FinCEN to maintain certain regulatory requirements. These requirements include, maintaining customer and transaction records, filing certain reports (e.g., SARs, CTRs), and ultimately deploying an effective Anti-Money Laundering (AML) compliance program. Since most cryptocurrency companies are considered money transmitters, they are required to register with FinCEN and meet the necessary requirements by having an AML compliance program. Now, one key critical element of a strong AML program is to have an effective Know Your Customer (KYC) policy. Such a policy should identify the specific customer and transaction information collected and recorded, as well as the verification of customer identification and government filings.
Overview of Tier-Based KYC
KYC policies vary among financial institutions (both traditional and crypto). Some, like those of deposit banks, require the prospective customer to complete an onboarding process that consists of providing a host of information, including identification (e.g., driver’s license, passport), taxpayer identification number, and supporting documentation, as well as answer several questions pertaining to their anticipated account activity. All this before initiating a single transaction.
In contrast, cryptocurrency kiosk operators typically deploy a tiered system, based on the transaction amount, to determine the pertinent pieces of information and identification to be collected and verified. The specific line item KYC requirements within each tier are typically a mix of both regulatory requirements (i.e., hard and fast rules from government) and compliance best practices. Based on the transactional amount selected by the prospective customer at the time of transaction, the commensurate KYC requirements and expectations are displayed on the digital screen of the kiosk. The prospective customer must then submit to applied KYC in order to proceed with the transaction itself.
Pros and Cons of Tiered Based Systems
As you might expect, the larger the transaction, the higher the tier, and the more KYC requirements would be requested of the customer. This aligns with the risk-based approach to AML compliance and ultimately seems pretty intuitive. After all, is it really an adequate use of compliance resources to collect the taxpayer identification number (i.e., social security number) and request source of funds documentation from a customer purchasing $200 in bitcoin, which according to Coin ATM Finder, is about the average for a kiosk transaction? Probably not.
Although seemingly commonsensical and otherwise offering a more efficient customer experience, tiered-based KYC is not without its fair share of risks to the kiosk operator and the fitness of their AML program. Less KYC questions and information requirements generally appeals to most people, as it means the transaction process moves much faster and is less tedious.
Types of KYC Avoidance
Many folks may not be exactly excited to share their personal information with an automated machine in a public setting. As a result, customers may be tempted to avoid transacting in a higher tier by “camping” in a lower tier.
Effectively, such a customer would seek to remain and continuously stay within the threshold range for the lower tier by limiting their individual transaction size. Over time, it is quite possible that their aggregate transaction activity could climb into the tens or even hundreds of thousands of dollars. This is why it is critical for kiosk operators to place weekly, monthly, and/or lifetime limits within the lower tiers. These limits can be easily set in the backend software of most kiosk models. When met, the customer would “promote” to the next tier and thus additional KYC requirements would set in.
Additionally, the tiered-based system presents the possibility that customers may “structure” their transactional activities around certain government reporting requirements. For example, one might endeavor to purposely complete multiple transactions that when aggregated would trigger a CTR filing or the furnishing of their taxpayer identification number (e.g., SSN). In addition to setting aggregate limits, operators should establish red flags or alert routines designed to identify any “structuring” activities.
Learn more about Red Flags from our previous blog: 5 Red Flags No Crypto Business Should Ever Ignore
Finally, we here at BitAML have written extensively about scammers sending their victims to cryptocurrency kiosks. These illicit actors have (unfortunately) become quite savvy at understanding the limitations of tiered-based KYC, and are always on the lookout for operators with their guard down. Generally, they seek to direct their victims to kiosks with limited KYC specifications in the lowest tier and/or those ineffectively detecting and investigating large aggregate transaction volume.
Tiered-based KYC may enable cryptocurrency kiosk operators to offer a more frictionless customer experience while simultaneously complying with regulatory requirements and compliance best practices. However, deployment of a tiered-based system cannot be shortsighted and limited to KYC strictly on a per-transaction basis. It is important to keep in mind that customers, whether knowingly or not, can poke holes in your tier-based approach, sometimes as easily as breaking up one large transaction into a series of smaller transactions.
That’s why it’s important for operators to set aggregate limits over various time periods, flag potential “structuring,” and remain vigilant of the illicit actors seeking to exploit any loopholes. It is possible and indeed has been demonstrated that tier-based KYC can be effective in detecting and deterring potentially suspicious and/or unusual activity, while offering customers an efficient and pleasant crypto transactional experience.
If you are running a cryptocurrency business and need help setting up an AML program including KYC policies and practices, contact BitAML today for a free consultation.