New technologies in the AML/CFT National Risk Assessment

On 17 July 2019 the General Inspector of Financial Information (GIIF) published Poland’s first AML/CFT National Risk Assessment. This document of nearly 450 pages was prepared pursuant to the new Anti Money Laundering and Counter Financing of Terrorism Act, which introduced regulations requiring GIIF to prepare a national assessment and update it periodically.

The document is extremely important for all obligated institutions, which should use it as a basis to review their own risk assessments and consider updating them. It was also approved by the Office of the Polish Financial Supervision Authority (KNF), which stated unequivocally in its communiqué of 24 July 2019 that the compliance of risk assessments prepared by obligated institutions supervised by KNF will be one of the elements examined during oversight activities. The document prepared by GIIF includes references to risks arising out of the use of new technologies such as virtual currencies and crowdfunding. In describing these innovative fields of the economy, GIIF also cited previous publications by our lawyers.

Importance of the national assessment

The AML/CFT National Risk Assessment is divided into two parts: the body of the report, comprising 316 pages, and annexes presenting such items as the methodology used for the assessment, AML/CFT risk scenarios, and an analysis of statistical data. The methodology used to prepare the report is particularly noteworthy, as an analogous approach to risk assessment may be applied by obligated institutions. The description of sample risk scenarios will also be helpful for these institutions. They are divided into specific fields of activity and present concrete opportunities where money laundering could be conducted using such avenues as anonymous prepaid cards, online payment services, and gambling.

The report contains a profile of the current and historical regulations governing this problem, as well as a description of the threats associated with money laundering and financing of terrorism. The document presents specific “predicate offences” through which perpetrators gain assets subsequently used for money laundering. The threats arising from these offences are elaborated in terms of practice. The report not only cites specific statistical data on proceedings initiated in prior years, but also presents sample factual scenarios in cases handled by state authorities. The core of the report for obligated institutions is the description of areas of threat, divided into specific sectors of financial and non-financial markets. This description was drawn up partly on the basis of questionnaires completed by obligated institutions and cooperating units, distributed to them by GIIF in the second half of 2017. Among the market sectors described, some are directly connected with the use of innovative technologies. Two of these sectors are described in particular detail: crowdfunding and virtual currencies.

Virtual currencies in the national assessment

The treatment of virtual currencies in the national assessment is particularly relevant in the context of the recent extension of the definition of an obligated institution to include any entity providing services in the area of virtual currencies (which we analysed here). In describing this sector of the economy, GIIF refers to the definition of virtual currency presented in the FATF Report as well as the definition in the Polish AML/CFT Act. The national assessment also raises the possibility of civil-law classification of virtual currencies presented in our Virtual Currency report, under which virtual currencies constitute an intangible asset which is considered property within the meaning of the Civil Code. In line with the FATF Recommendations, the national risk assessment divides virtual currencies into centralised vs. decentralised and exchangeable vs. non-exchangeable. Among decentralised virtual currencies, GIIF devotes particular attention to cryptocurrencies, describing the technological bases for their operation and providing examples of the most popular currencies on the market, based on data from coinmarketcap.com. The national assessment points to the differences between bureaux de change (including brick-and-mortar ones) and cryptocurrency exchanges, and also provides figures on how many entities of this type operate on the Polish market. The most serious threats identified in connection with cryptocurrencies are the possibility of paying ransom money extorted in cyberspace, and trading in illegal goods and services on the Dark Net. These actions are often linked to ransomware attacks or attempts to convert assets derived from other offences into cryptocurrencies. GIIF gives examples of interventions by the public authorities in situations where cryptocurrencies were used to operate a narcotics business or perpetrate VAT fraud. In the case of using virtual currencies for purposes connected with the financing of terrorism, GIIF indicates that there are very few signals of such activity in Poland.

GIIF also acknowledges the existence of tools for mingling cryptocurrency transactions, known as “anonymisers,” which greatly hinder the tracking of cash flows and identification of the holders. Another danger identified in the report is the activity of groups illegally attempting to exploit growth trends in virtual assets by creating products mimicking cryptocurrencies. Thus the functioning of such private virtual currencies as “Dascoin” or “Onecoin” has been recognised as behaviour that may qualify as fraud against individual investors or as a pyramid scheme. GIIF also reiterates the enumeration of potential risks of investing in virtual currencies contained in the Communiqué of the National Bank of Poland and the Financial Supervision Authority of 7 July 2017.

The national assessment also refers to the use of distributed ledger technologies for gathering funds for various purposes by conducting offers for sale of tokens and coins (primarily initial coin offerings). In this context, the assessment cites the definition of “virtual assets” adopted in the latest FATF publications. GIIF points out that ICO ventures may also be exploited for criminal aims. This occurs most often when funds are collected through fraudulent misrepresentation to investors of the nature of the project for which the funds are raised. This risk is especially high when incomplete information on the project is provided and when there is a limited ability to withdraw invested funds (acquisition of non-exchangeable tokens). According to GIIF, the absence of legal regulations governing ICOs also generates an increased risk of money laundering in ICO ventures, citing risks to investors similar to those described in the KNF warning of 22 November 2017.

GIIF acknowledges that the very level of technological advancement of virtual currencies may hinder many of the activities that must be carried out by obligated institutions pursuant to the AML/CFT Act. This involves in particular analysing transactions, identifying the origin of assets, and halting transactions or blocking accounts where there is a suspicion of money laundering or financing of terrorism. Cryptocurrencies can also complicate the use of specific restrictive measures. However, the national assessment does not address how these difficulties should be resolved or other measures that should be taken by institutions in connection with virtual currencies.

Risks of crowdfunding

Like the European Commission in its supranational assessment of AML/CFT risks in the EU, in the AML/CFT National Risk Assessment, GIIF also devotes a lot of space to analysing issues involving crowdfunding on the internet. The publication attempts to define and appropriately classify crowdfunding activities, and also to present potential regulatory obligations and related threats of money laundering.

In presenting its classification of the specific types of crowdfunding, GIIF relies on the distinctions presented in the report by our lawyers. In line with our report, the national assessment identifies forms and types of crowdfunding such as those based on grants, prizes and advance sales, and equity- vs. credit-based. GIIF also reiterates the conclusions in our report on the lack of regulations directly addressing the phenomenon of crowdfunding, as well as the general treatment of the participants under the civil law as exercising the freedom of contract. For this reason, depending on the model used, the contracts concluded between the parties to crowdfunding may often fall under defined genres of contracts governed by the Civil Code (e.g. a contract of sale, gift or loan).

In order to depict the operations of online platforms, the national assessment cites statistical data and the business models of two Polish platforms: zrzutka.pl and beesfund.com. The document also clearly states that crowdfunding platforms operate under the principle of economic freedom, and are not as such subject to oversight by special regulatory authorities. These platforms also do not constitute obligated institutions for purposes of the AML/CFT Act, so long as they do not provide other additional services (such as payment services or currency exchange services). Thus such platforms are not required to apply financial safety measures or to report to GIIF.

According to GIIF, the features facilitating the exploitation of crowdfunding for money laundering include the lack of legal regulations imposing a direct obligation to identify clients of crowdfunding platforms, as well as the absence of supervision of their activities. This can generate such threats as the mingling of income from legal and illegal sources, transferring criminal proceeds to persons conducting crowdfunding, and legitimating assets through the organisation of sham crowdfunding campaigns.

Other issues related to new technologies

The national assessment also addresses other sectors of the economy employing new technologies. The document devotes great attention to telecommunications services linked with mobile payments. Transactions conducted using special smartphone apps are also described, as well as payments using near-field communication technologies, and fees for services using the Premium SMS model. GIIF also addresses payment methods such as Apple Pay, Google Pay, and the home-grown BLIK, which is currently the most popular mobile payment system in Poland. On the issue of mobile payments, the national assessment also cites the National Bank of Poland’s Assessment of the Functioning of the Polish Payment System in the Second Half of 2018, which contains additional statistical data.

Poland’s AML/CFT National Risk Assessment contains essential information to be analysed by all obligated institutions, but also provides an extensive summary of the state of knowledge across most fields of the economy that may come in contact with money laundering or financing of terrorism. Reading this report may raise more questions than answers for institutions involved in new technologies, but it is certain to point out areas of operations that deserve particular attention. The national assessment also makes extensive reference to scholarly publications and reports by other Polish and European authorities, facilitating a careful analysis of the sources relied on by the General Inspector of Financial Information in preparing the report.

Adam Polanowski

Previous post
CNIL fines insurance broker for online breach of personal data
Next post
Non-obvious regulation of crowdfunding platforms