Counterproliferation Financing for Virtual Asset Service Providers

This guidance paper aims to advise VASPs on best-practice compliance when dealing with proliferation financing risk, and directs compliance officers towards relevant publications that may assist in their work.

Since at least 2014, North Korea has shown increasing cybercrime expertise and interest, more recently expanding into VAs. Throughout 2020 and 2021, the US Department of Justice indicted a series of individuals for laundering VAs on behalf of North Korea. Yet, while most North Korean VA activity involves large-scale hacks, such as the $49 million 2019 Upbit hack or the $275 million stolen from KuCoin in 2020, the regime has also shown interest in ransomware attacks and VA mining. Overall, North Korea is highly advanced in the cybercrime realm and seems increasingly interested in applying these skills to cryptocurrency activities. Similarly, although not the core focus of this guidance paper, Iran has reportedly begun to use VA mining to evade sanctions and export oil, with a huge share of global VA mining taking place in the country. With global compliance and regulation lacking in many jurisdictions, VASPs can present an easy target for these actors.

The paper will be particularly helpful to those VASPs who have not previously thought about proliferation financing or the implementation of targeted financial sanctions related to proliferation as a distinct financial crime or sanctions risk.

While this guidance uses proliferation case studies, mostly focusing on North Korea, much of it draws from typologies, red flags and best practice that can be found in other types of VA crime, especially when illicit activities are conducted by large criminal organisations that might have comparable expertise and funding to a sanctioned country.

The guidance follows the general structure of the compliance cycle, beginning with pre-requirements before client interaction, then moving to the onboarding process, followed by ongoing monitoring throughout the client relationship. After going through the cycle, the guide touches on high-risk indicators and red flags that could lead to enhanced due diligence or exiting of the client and concludes with reporting requirements following any flagged suspicious activity.