The RegTech Pulse
The RegTech Pulse examines the latest industry and technology trends that help organizations fight financial crime and streamline payments, so money and goods can move safely and securely around the world. Industry experts across the world join the conversation to discuss their insights and share best practices. The RegTech Pulse is brought to you by LexisNexis Risk Solutions, which helps power compliant and assured client transactions to build an interconnected and trusted financial ecosystem. risk.lexisnexis.com/regtechpulse
Scaling Crypto Compliance Without Slowing Innovation
Balancing regulatory expectations with rapid growth in the crypto sector is a core challenge for virtual asset service providers. Regulators are getting sharper on crypto, and the gap between “policy on paper” and “controls in production” is where teams get exposed. In this episode, Azrie Affendie, Financial Crime Compliance Manager at Blockchain.com, joins us to unpack what it really takes to scale a global crypto platform while meeting tougher expectations for KYC, AML, sanctions screening, transaction monitoring and fraud controls.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this podcast are solely those of the speakers and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Welcome And Guest Setup
Chris Foye: Hello and welcome to the RegTech Pulse podcast. I'm your host, Chris Foye, Senior Director Market Planning at LexisNexis Risk Solutions, and I'm very excited to be joined by Azrie Affendie, Financial Crime Programme Manager at Blockchain.com. Azrie leads Blockchain's global financial crime strategy and played a key role in the MiCA authorization and also FCA money laundering regs registration as well. He's well placed to help us navigate today's topic, which is the pressure crypto platforms are under to scale at pace, deliver a seamless digital experience, and keep innovating whilst meeting increasingly complex expectations around KYC, monitoring, sanctions screening and fraud controls. Regulators, as you all know, are getting more confident when it comes to crypto. And they're getting more specific around what good looks like in this space. So we're going to explore how firms can strengthen their compliance
What Blockchain.com Actually Does
Chris Foye: without creating unnecessary friction and why orchestration is becoming such an important part of that conversation. So first of all, welcome, Azrie. To start off, can you give us a quick introduction to Blockchain.com and your role there?
Azrie Affendie: Of course. Thank you for having me. Blockchain.com was one of the first blockchain explorers. So we started in 2011 and we've evolved into an exchange. We offer kind of custodial wallets as well as DeFi wallets as well. And we operate globally in APAC, in Africa, in the EU, and in the Americas as well. Amazing.
Chris Foye: Looking at your background, right? Like you've actually gone through MiCA authorization and also the FCA registration. So could you kind of give us some insight in what are the top three things you needed to consider as you went through those processes and whether there were any differences?
Azrie Affendie: The top priority, I think, for any compliance team looking to get into those regimes is really understanding the national risk assessment of that regime. You know, for the various kind of EU states, there, whilst their risk appetite and their risk assessment may look similar, there are lots of nuances in how their populations work and how they interact with the financial ecosystem. Using that as a basis for your business-wide risk assessment slash your
MiCA And FCA Approval Lessons
Azrie Affendie: enterprise risk assessment, you know, that will really dictate how you plan your controls to those risks and how you really mitigate those. You know, it's difficult in a very kind of nascent industry where one risk may look very different today as it does next week. You know, with the rise of agentic AI and general AI, there's a lot of risks that we're not very aware of. You know, how people will perceive them or be affected by them as well. The second I would say is how you implement those controls again to the specific populations is quite an important thing. The various kind of regulators will look into that in a lot of detail. You know, we're not an investment bank, so you know, any caseworker can open up a Blockchain.com wallet and we're going to go through that onboarding process and see, you know, what controls do we actually have. I can't obviously open up an investment account with JP Morgan or a Morgan Stanley, but the barrier to entry to actually understanding what controls are live versus what you're saying in your policy is a lot less. So you know there's a lot more transparency there as well.
Chris Foye: Yeah, and also because I was just thinking, because I've heard this as well, like you operate in APAC and Africa, so you're everywhere pretty much. And I think in kind of regions like APAC, every country, like the regulator, has slightly different requirements, is kind of what I've heard. I don't know if that's true. So there's different nuances. Does that mean that actually in terms of KYC and how you do onboarding and various other things and your processes, do you actually have to have multiple processes in order to meet all those different kind of regulatory expectations or where you kind of operate? Absolutely.
Azrie Affendie: Yeah, it can be very descriptive as well. Some regulators will look at the metadata, you know, for IDV as an example. They really kind of focus on IP addresses or, you know, device types and device behavior and a lot of stuff that typically you wouldn't really think about as part of your typical kind of KYC process. All of that also then trickles into your transaction monitoring controls on-chain versus, you know, the fiat transaction monitoring wildly differs in setup and program. How then that trickles down into your compliance monitoring program as well is also very different. And again, a lot of this should be derived from the regulatory kind of national crime assessment and what is very pertinent to the regulator for their country. As an example, the more kind of Eastern European states and members of the EU that are at higher risk of exposure to Russia and Belarus and that side of the world, whereas France and Spain will have more of a nexus on drug trafficking because of their proximity to cargo ships and the flow of narcotics as an example. So all of that really has to be articulated quite well in your controls and your policies and your frameworks, and you really have to showcase that you've done the research into what makes something high risk for that regulator.
Chris Foye: Well, so basically the message I get is a ton of complexity, right? So you have to be all aware of the sanctions of Asia and kind of and the different kind of channels for that in terms of, and you mentioned kind of Russia and everything there as well. The other thing I would say with kind of crypto and whether you agree is you have all the kind of traditional financial controls, right? In terms of KYC, you talked about kind of fiat currency, transaction monitoring, but you need to take it a step further, right? Because you're actually looking at crypto transactions as well, right? You've got the things like the travel rule and various other things that you need to implement. So there's additional complexity that you as a business have to manage. Is that kind of correct? And creates a
Regional KYC Nuances And Risk
Chris Foye: big overload, operational overload, I'd imagine.
Azrie Affendie: Yes, it can if it's not set up properly. I would say, you know, on-chain transaction monitoring is I say it's a whole kind of different world because, you know, it's a shift in mentality as well. You know, you can really kind of trace where sanctioned funds are going. Funds related to CSAM or you know, terrorist financing, you know, you can see where you know where they're ending up. Most wallets and you know will have some exposure to sanctions just as a result of the movement of funds. But for most VASPs or CASPs or exchanges, that should feed into how your transaction monitoring teams or your financial investigation units also operate. You know, just because my wallet has sanctioned funds doesn't mean I'm interacting with a sanctioned individual or entity. It means that the transaction monitoring analyst should really look at the history of those funds. Did the sanctions exposure come from something that happened a thousand hops ago or three years ago? And now those funds have just trickled down into mine. How exchanges also deal with funds can vary. They're going to get collated into a big hot wallet and they're going to distribute it back out. So it's pretty unavoidable to having at least 0.001% exposure to sanctions for every pound that comes through your exchange. But how you deal with that, and then obviously how you then articulate that in your policies and your frameworks back to the regulator needs to be pretty clear-cut. When it comes to uh kind of tuning your thresholds, there are so many different on-chain vendors that help with that with the addition of agentic AI as well. It can help with making sure that your risks are being controlled in the best way possible. And as per your client kind of psychology as well, their behavior also then should feed into whether or not you have higher thresholds for drug trafficking or darknet markets versus CSAM or terrorist financing.
Chris Foye: Yeah, and I think the other factor there is, and I've heard this, is like enforcement and I think some of the regulators, they actually use the same tools that you have, right, in terms of look at a blockchain analytics. So the expectation is only increasing, right, in terms of what they expect uh organizations like yourself uh to do. I think the other factor as well is just the pace of innovation in your sector, right? So I don't even pretend to understand all the terms, but you have like stablecoins, you have these DeFi wallets, and I think when I looked at your website, it's kind of like someone could have their DeFi wallet, right, and they could have cryptos from other kind of exchanges within that wallet, right? So how do you kind of assess, risk assess these new products, right? And then what's your sense in terms of the regulators? Are they kind of keeping on top of all these innovations and kind of the impact just on kind of managing all of this?
Azrie Affendie: Yeah, I think the regulators are they're very aware of things that are happening in the market. They obviously partner very closely, like you said, with the various kind of blockchain analytics firms in the market. There's a lot of intelligence sharing there. So, you know, the private kind of public partnership side of things has evolved in a very kind of positive way. I would say you can see the FinCEN changes to the BSA earlier this month, with them really kind of embracing the use of AI because you know it's inevitable, right? There's so many vendors on the market now. Some are more attuned with crypto versus more traditional firms, but these are tools to mitigate risks. In terms of DeFi versus stablecoin, the stablecoin, if you're an issuer, the risks are a little bit more different. You have onus is on you as an issuer to make sure your funds aren't ending up in a sanctioned wallet. And if you're aware that they are, you need to blacklist that wallet and then let every other exchange, VASP, you know, custodian know that you shouldn't be interacting with this wallet because we've identified that there is some sanctions risk there. From a DeFi perspective, it's
On-Chain Monitoring And Sanctions Exposure
Azrie Affendie: a difficult topic. I would say there's a lot of philosophical kind of debates. You know, it's the kind of antithesis of decentralized finance with, you know, with the travel kind of obligations. Cryptocurrency inherently is meant to be, you know, super, super private. It's decentralized for a reason. When now the obligation to declare, you know, who I'm sending funds to or who I'm receiving funds from comes in, there is obviously a lot of friction with kind of customer psychology and especially the kind of more OG crypto enthusiasts. There, there is some hesitance there. But at the end of the day, for most VASPs that want to enter the financial ecosystem, you have to abide by the regs. You know, there are rules that you have to play by. And you know, at the end of the day, that's very important to stop things like CSAM, sanctions exposure, terrorist financing.
Chris Foye: Yeah, that makes sense. So then you've got all of this. Obviously, I think your customer friction is a key point as well. So I imagine kind of abandonment rates is quite easy to move from one kind of organ provider to another, right? So you're kind of sensitive to that. So you have all of this kind of pressure and obligations on yourself, but also you want to make that onboarding experience kind of uh seamless as well. You kind of touched on another aspect, which I didn't expect, which is the psychology of it as well, right? And kind of the history of crypto and how it is kind of that privacy as well. How you balance that, but also maybe kind of could you touch on how, and I think I know the answer to this, but how traditional compliance workflows would struggle with all of this kind of different kind of factors that you need to contend with on the day-to-day?
Azrie Affendie: Yeah, it's super important to educate your customers very much from the start. You know, there are regs that they might not agree with, but you know, we are obligated to follow things like travel rule. You know, we have to say by our regulatory regime, we have to ask this, or if it's related to financial promotions, there are things that we can do from the offset that make kind of friction or less. In terms of struggling with how kind of innovation is moving, I think most firms at the moment are investing a lot into product compliance, essentially. I see lots of firms now have kind of two set, you know, they have one engineering team for compliance requirements. And it's a very specific kind of niche of you know of engineering that needs to be there. Working with lots of different kind of orchestration tools, you know, like a LexisNexis means handling data a lot more differently than you know, payments data or FP&A related data and all your receivables data or you know, or anything like that. So there's a lot of tools, and obviously that orchestration layer helps consolidate all of that. And the end goal is to make sure that the operational load is lessened in some way, depending on the risk appetite of the business. So, you know, when it comes to fiat transaction monitoring, the typology is there, you know, you're looking at the volume of transactions or the speed or rate of certain users from a certain IP address versus on-chain transactions where you're looking at transactions holistically, you're looking at wallets slash addresses holistically, and then you're looking at any sort of kind of behavioral alert. So a good example is gambling, right? There's lots of crypto-led gambling firms now. Inherently, that's not illegal. But in a lot of volume, you know, if a customer is sending a thousand pounds every hour to a gambling firm, whilst it's not illegal, that's a behavioral that we should be very, very aware of.
So that would be more akin to kind of traditional transaction monitoring. You know, with that, your two teams have to have separate tools, separate SOPs, separate workflows. And this is where that orchestration layer really helps consolidate all of that. Otherwise, you know, they'll have six tabs open on their screen. It takes them half an hour to two hours to deal with an alert where in this environment that's almost a bit too long with the kind of porosity of transactions coming in.
Chris Foye: So I think what you're saying is it's essential that firms break down the silos, like in terms of the tech stack and
DeFi Stablecoins And The Travel Rule
Chris Foye: the processes, because you don't have the luxury of time. You don't have patient customers who are willing to wait. So you need to be quick, you need to onboard them and serve those customers uh quickly. So you kind of touched on kind of orchestration, and it's a little bit you kind of hear quite a bit in the industry kind of orchestration and stuff. And I think we've kind of alluded to what that is in terms of breaking down silos and not having fragmented tools and stuff. But it'd be good to kind of get your perspective of actually what it means in a compliance context orchestration.
Azrie Affendie: So, you know, you want to automate the low-risk and medium risk transactions or you know, onboardings, right? You want your teams to really spend the time on the higher risk activities that your customers will do. You know, with that, there's a lot of stuff you can automate. At the first pass, we've automated quite a lot with LexisNexis. You know, if there's no potential matches on a name, we let that go through automatically. That doesn't need to be resolved by a human in our screening team. That then means they can spend more time looking at false positives and really spending the time in discounting and making sure that their dispositioning analysis is very strong. Everything must be documented. And again, we really want to avoid having our analysts move across different tabs, you know, fat fingers. You know, it still happens in this day. And where we can mitigate that with leveraging vendors like yourselves to integrate into our customer ecosystem, the more we should be doing that. And obviously, that goes from KYC to sanctions to transaction monitoring to then how you interact with potential fraud. And then, but also from a second line perspective, it's about how we then test those controls. As part of the compliance monitoring program, every quarter, every year we need to analyze, you know, are controls still up to scratch? And orchestration makes that a lot easier because all the data's in one place, all the analysis in one place. So it makes the articulation of how good the controls are a lot easier for us to explain to a regulator, to an auditor, the board as well.
Chris Foye: And to take it to the next level, so I've had kind of firms say that the other thing as well with orchestration is that multiple processes. Like if you do need to vary your processes because of different regulatory expectations, because of markets, you can have that all in kind of one platform and have it orchestrated, right? So it's just another consideration, right? Because there's so much that you need to manage. The more that you can centralize it and simplify it and drive efficiency, obviously, the better it is for everyone. So I'm going to touch on one which I think is an area you're kind of passionate about from our previous discussion. So I know you're keen to educate kind of traditional financial institutions, and I think you mentioned a number of traditional financial institutions are launching
Orchestration To Cut Friction And Load
Chris Foye: crypto type products, right? So if a TradFi wanted to launch and scale a crypto product quickly without losing control of risk, taking into account all the things that we've discussed on this podcast so far, what should they prioritize, you know, over the next 12 to 18 months? What are the top things they should be considering as they go on that journey?
Azrie Affendie: I think most traditional firms are looking to break into the sector. They'll typically partner with infrastructure rails. So, you know, and essentially kind of banking partners, right? To provide them the kind of on and off ramp uh functionalities. With that, it's really understanding what are their expectations to controls. Again, a traditional firm won't have an on-chain analytics program. That is something that can be quite expensive. Training traditional transaction monitoring teams to account for on-chain transactions, it's again, it's a completely different kind of mentality that that needs to be there. There's no false positives because you can, like I said earlier, you know, you can see where the sanctions exposure is coming from. So it's how you articulate that risk appetite, which is another really important factor to it. You know, how OFSI did a report last year, you know, on the kind of recommended amount of hops to look back on, you know, two to five, which is I would say pretty sufficient. But with the different types of typologies and the different types of techniques that these criminals will deploy, things like bridging or splitting then transactions can happen 20 hops before, but the risk is still very evident. So whilst looking back in time is one factor, it's obviously the context of the whole of the whole transaction there.
Chris Foye: Okay, that makes sense. So thank you for that. So a bit of a left field question, I'll end with, which is finally, what do you expect regulators to focus on next?
Azrie Affendie: The use of AI in operations and then the kind of evolution of that into the second line obligations as well. So there's lots of tools at the moment that will do your transaction monitoring, that will disposition name screening alerts for you. Like I said earlier, you know, you know, FinCEN have been very
TradFi Crypto Launch Priorities Plus AI
Azrie Affendie: kind of proactive in making sure that companies are embracing that as much as possible. But you know, operations are only one side of compliance. When you're managing a program, it's about how you keep your policies up to date. Horizon scanning is something that can be done relatively kind of simply with AI, but also again, like testing and you know, making sure that the models don't hallucinate. There needs to be human review at the end of every quarter, twice a year, just to make sure that these tools aren't letting things slip through the cracks.
Chris Foye: Makes sense. I think we could have a whole separate podcast from AI, such uh covers up pretty much every conversation these days. So with that, I'll kind of wrap up. So, first of all, I just wanted to say thank you. I think this has been incredibly useful. I think the listeners enjoyed kind of the topics we covered today. I would say the big takeaways that I took out from this podcast is you talked about kind of focusing on the evidence, right? Make sure that it stands up to regulatory scrutiny. You added the complexity of all the different regulators and especially where you kind of operate, and there's nuances there that you need to manage as well. We talked about kind of customer friction and making sure that that's as seamless as kind of possible. And then we went into kind of how kind of traditional compliance frameworks, you know, sometimes they could struggle because data could be in silos, and actually what you talked about is kind of the necessity in your industry for orchestration, right? To break down those silos because you need to be as efficient as possible, given you've got so many different variables that you need to contend with, and given the pressure to kind of onboard customers and give them a frictionless experience. So, with that,
Key Takeaways And Sign Off
Chris Foye: I'm hoping everyone enjoyed that podcast, and thanks for tuning in to this RegTech Pulse podcast. So, thank you.