Reliance on IBANs and account details in payment screening

Exploring strategies in transaction screening for payments related to virtual assets.

Introduction

Reliance on traditional identifiers from banks and financial institutions, such as IBANs and account details, has proven inadequate for addressing the complexities in payments related to virtual assets. Due to their volatility and the risk of being tied to illicit activities, virtual assets require diligent strategies for transaction screening to ensure compliance and mitigate risks.

This article explores the importance of accurately identifying and monitoring payments involving virtual asset service providers (VASPs). It highlights the limitations of current practices and outlines the approaches required to enhance payment screening.

Regulatory requirements and risks

The volatility of virtual assets, their risk of being tied to illicit funds and the direct correlation between crypto fraud-related wire transfers and asset prices have prompted global regulators to require banks and financial institutions to identify and monitor their direct and indirect exposure to these assets.

Examples of such exposure include where firms offer virtual asset services, provide financial services to VASPs and where their customers conduct payments with VASPs.

Client due diligence and payment screening

While customer due diligence can identify customers offering virtual asset services and those expected to transact with VASPs, payments flagged as involving VASPs can provide deeper insights into the purpose of the bank account and the account holder’s nature of business. This process also assists in determining transactional activity within a firm’s customer base.

Generally, such payments may be undertaken as the entry point, or on-ramp, for those looking to purchase virtual assets. Crypto exchanges are the most common gateway, with users depositing fiat money into their exchange accounts using traditional payment methods, including bank transfers. Conversely, crypto off-ramps facilitate the conversion of virtual assets into fiat currency, essentially withdrawing digital assets as fiat.

While most payments are likely legitimate and informed, scammers will direct their victims to utilise unregulated or poorly supervised VASPs with weak anti-money laundering, counter-terrorist financing and anti-fraud controls. Therefore, banks and other financial institutions should ensure their payment screening tools can accurately identify the risk level of payments involving VASPs while also minimising false positives or negatives to avoid unnecessary disruptions to legitimate transactions.

Challenges in identification

Relying solely on trading and brand names to identify payments to or from VASPs is inadequate. Fuzzy matching of names, which accounts for phonetic or spelling similarities, can result in inaccuracies and misidentifications.

Similarly, IBANs and account numbers do not provide evidence of identity; they are subject to change and can be obfuscated through intermediaries. VASPs can hold multiple accounts in various countries and frequently use FinTech platforms to ease cross-border and multi-currency transactions. Such measures may include:

  • Virtual IBANs (vIBANs) are account identifiers used to make or receive bank payments. Functionally, vIBANs operate much like virtual sub-accounts for a master bank account, simplifying the collection or dispersal of funds. vIBANs can make cross-border payments more efficient by reducing delays, fees, errors and rejected payments. They are often simple to create, and while IBANs are matched to a unique bank account, you can have multiple unique vIBANs, all routing a payment to the same underlying pooled account. It can be difficult, if not impossible, to associate the vIBAN with a specific bank account. It has been noted by the European Banking Authority (EBA) that vIBANs may misrepresent the country of the account holder, and the supervision of vIBANs and their issuers is inconsistent.
  • Payment service providers (PSPs), e-money institutions (EMIs) and other agents handle payments for many different clients. As such, a single account number or IBAN associated with a PSP or EMI could be used for payments involving various entities, not just a specific VASP.  

Sanctions screening and VASPs

Sanctions screening is undertaken on the ordering and beneficiary customers or institutions (the debtor or creditor and their respective agents) as present in a payment message. Given the previously mentioned vulnerabilities in using account details to identify unique transactors in a payment, the fields used for sanctions screening should be used to determine whether a counterparty in a payment is a VASP. This ensures a more accurate identification of potentially high-risk payments.

VASPnet has identified and continues to monitor the legal entities of a growing list of over 46,000 service providers globally that are offering or permitted to offer virtual asset services. This entity resolution, coupled with VASPnet’s VASPdata service, provides comprehensive insights into the risk factors associated with each entity, including their regulatory footprint and the quality of supervision to which each VASP is subjected.

Accurate identification of payments to VASPs may reduce false positives, allowing firms’ compliance and operations teams to apportion their risk assessment effort more effectively.

Conclusion

Relying on an account number to assess whether a transaction involves a VASP yields inaccurate, incomplete and misleading results. By coupling our extensive knowledge of VASPs globally with the identification of each VASP by its legal entity, VASPnet enhances transaction screening. VASPnet assists financial institutions in developing a more complete profile of their customers and in making informed, risk-based decisions about whether to proceed with transactions. This approach helps lower the risk of fraud by reducing the likelihood of misdirected payments and transactions being sent to fraudulent accounts while ensuring secure payments to well-regulated VASPs.