The Prudential Authority issued a guidance note to banks that implicitly criticised them for discontinuing banking services to crypto asset service providers. It suggested, instead, that this should only be done after careful due diligence and consideration.
The Prudential Authority became aware that certain banks in South Africa have decided to discontinue the provision of banking services to crypto asset service providers by closing their accounts.
This discontinuation was an approach to crypto risk management to combat money laundering and financing of terrorism by the banks.
In response, the Prudential Authority issued a guidance note to inform banks of practices related to the effective implementation of adequate anti-money laundering and counter-financing of terrorism controls relating to crypto assets and crypto asset service providers.
According to Angela Itzikowitz – an executive in ENSafrica’s banking and finance department – the note implicitly criticises the actions of certain banks as being short-sighted and an inadequate approach to crypto risk management.
She added that while banks must have policies to combat money laundering, terrorist financing, and proliferation financing, this does not mean that banks should avoid any risk entirely by, for example, closing accounts.
The Prudential Authority has noted that this approach goes against the spirit and practice of a risk-based approach.
Itzikowitz said that if a bank intends to close an account of a customer simply because the customer is a crypto asset service provider, the customer may challenge the bank’s right to terminate the account because it goes against public policy.
The right approach
Itzikowitz noted that banks should decide whether to close accounts or not to offer banking services only after careful due diligence and consideration.
Much like the Financial Intelligence Centre (FIC) adopts a risk-based approach to regulation, banks must have comprehensive policies such as risk-management processes and procedures to combat terrorist financing.
Banks are required to document and update these policies regularly, and training on money laundering and terrorist financing must be provided on an ongoing basis.
In this regard, avoiding the potential risks of crypto assets by simply closing accounts is not a good risk management approach.
Itzikowitz says an appropriate approach should enable banks to understand the direct and indirect exposure to risks that a crypto asset service provider may present by accessing what elements drive or reduce money laundering, terrorist and proliferation financing.
She added that banks’ risk management and compliance programmes need to be tailored and cater to varying levels of risk that a crypto asset service provider poses.
Appropriate risk assessment involves a consideration of various factors, including:
- The type of services, products, and transactions involved.
- Customer risk.
- Geographical factors.
- The kind of crypto assets involved or exchanged.
When a crypto asset service provider seeks a relationship with a bank, it should ascertain if the provider has documented and implemented appropriate money laundering, terrorist and proliferation financing risk management policies that the bank follows in respect of its own activities and product offerings.
Where higher risks present themselves, banks should undertake enhanced due diligence. A “one size fits all” approach in dealing with crypto assets may result in inadequate risk understanding and measures.
Banks need relevant technical expertise to assess the risks of crypto assets and crypto asset service providers.
Itzikowitz suggested that if the transactional activity of a crypto asset service provider is not in line with the initial profile the bank has of its customer, it should file a suspicious or unusual activity report with the FIC.
It will help banks develop appropriate detection and monitoring mechanisms to mitigate any money laundering risks or terrorist financing that may be introduced through crypto assets.
In due course, crypto asset service providers will become accountable institutions. They will have to comply with all the obligations imposed on responsible institutions, which may give banks some added comfort, at least as to the underlying clients of the crypto asset service providers.
Until then, Itzikowitz says the legislation is risk-based and not rule-based. Therefore, banks should revisit their risk appetite for crypto asset clients and effect the necessary changes to their policies and compliance manual.