Skip to content.

Financial Action Task Force Publishes Report on Red Flag Indicators Associated with Virtual Assets

On September 14, 2020, the Financial Action Task Force[1] (“FATF”) published its report (the “Red Flag Report”) on red flag indicators associated with virtual assets (“VAs”)”, following up on its guidance last year on virtual assets. The FATF defines VAs as digital representations of value that “can be digitally traded, or transferred, and can be used for payment or investment purposes.”

In Canada, businesses dealing in virtual currency are now subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as money services businesses (“Virtual Currency MSBs”). Both Virtual Currency MSBs and other reporting entities engaging in virtual currency transactions will find the Red Flag Report instructive in refining aspects of their anti-money laundering/counter-terrorist financing compliance program relating to dealing with virtual asset transactions.

The Red Flag Report was prepared by the FATF to assist various entities across the public and private sectors in identifying and reporting potential money laundering and terrorist financing activity involving virtual assets. The red flag indicators in the Red Flag Report are based on over one hundred case studies conducted since 2017, literature reviews, and open source research in the public domain relating to the misuse of VAs.

The Red Flag Report groups the red flag indicators associated with VAs into six main categories:

  1. Red Flag Indicators Related to Transactions: Analyzing the size and frequency of VA transactions can be a way to flag suspicious activity. For example, the following are outlined as potential red flags that can indicate suspicious behavior:
    • The structuring of VA transactions, similar to the structuring of cash transactions, in multiple small amounts that are each under the reporting;
    • Making multiple high-value transactions in short succession, in a staggered and regular pattern with long gaps between transactions (particularly common for ransomware transactions) or to new or previously inactive accounts;
    • Transferring VAs immediately to multiple virtual asset service providers (“VASPs”), especially to VASPs registered or operated in another jurisdiction where there is no relation the customer or where there is weaker AML/CFT regulation;
    • Engaging in layering transactions that incur additional fees without a business rationale, such as depositing VAs at an exchange and then often immediately withdrawing the VAs without additional exchange activity to other VAs, or converting the VAs to multiple types of VAs, or withdrawing the VAs from a VASP immediately to a private wallet; and
    • Accepting funds suspected as stolen or fraudulent (such as where the VA addresses have been identified as holding stolen funds or linked to the holders of stolen funds).

Example case studies mentioned in the Red Flag Report include instances where a VA exchange transferred large amounts of stolen funds across multiple VAs and through multiple transfers to foreign virtual asset service providers (VASPs).

  1. Red Flag Indicators Related to Transaction Patterns: The Red Flag Report notes various red flags can be associated with new users who conduct large initial deposits with a VASP that are inconsistent with their respective customer profiles or who trade or withdraw their VAs at or around the same time they create a new account. Transactions which have no logical business explanation and involve the use of multiple VAs with multiple accounts or frequent trading within a certain period of time can also be red flags.
  2. Red Flag Indicators Related to Anonymity: The distinctive technological features of VAs allow for an increase in the anonymity of VA transactions, making it more difficult for reporting entities to identify suspicious activity in a timely manner. VAs that allow for higher anonymity such as anonymity-enhanced cryptocurrency (“AEC”) and privacy coins can be red flags. Customers transacting on unregistered or unlicensed VASPs on peer-to-peer (“P2P”) networks, making use of mixing and tumbling services, or using encrypted communication means instead of a VASP can also indicate suspicious behavior (see AlphaBay and Helix as examples). The use of VA ATMs or kiosks in high risk areas can indicate the presence of mules or scam victims.
  3. Red Flag Indicators about Senders or Recipients: The profile and behavior of the sender or recipient of VAs can also help in identifying suspicious behavior. The Red Flag Report notes how there can be irregularities during account creation such as creating multiple accounts with the same VASP from the same IP address, or a business creating an account using an internet domain that is in a different jurisdiction than which they are based. There can also be irregularities during the customer due diligence process such as when customers provide insufficient KYC information or forged documents as part of the on-boarding process. Other red flags include customer profiles that do not match their VA transactional behavior, and discrepancies between the IP addresses associated with a customer profile and the IP addresses from which the transactions are being initiated. In particular, financially vulnerable people and elderly people not adept at VA technology are susceptible to investment scams and being a VA money mule or victim of elder financial exploitation.
  4. Red Flag Indicators in the Source of Funds or Wealth: These are red flags in which the funds or wealth of the VA transactions originate from sources such as online gambling services, use of multiple credit/debit or prepaid cards linked to a VA wallet, shell companies, funds involved in an initial coin offering (ICO), and third-party mixing services or wallet tumblers. These sources can lack transparency or insufficient information regarding the owner of funds, thus potentially indicating suspicious behavior.
  5. Red Flag Indicators Related to Geographical Risks: The last set of indicators are related to geographical risks and how criminals have tried to exploit gaps in various AML/CFT regimes by moving illicit funds to jurisdictions with non-existent or minimal AML/CFT regulations on VAs and VASPs. The Red Flag Report does not identify or provide a list of “high risk” jurisdictions, but does provide some geographical red flag indicators. An example would be where a customer’s funds may originate from or are sent to an exchange that is not registered in the jurisdiction where the customer is located. A customer may also use a VA exchange or send funds to VASPs in a jurisdiction with no VA regulation or that has not implemented AML/CFT controls. A business may also set up in a jurisdiction with no regulations governing VAs and in which it have no business to conduct.

The Red Flag Report notes that the presence of these indicators is not indicative of criminal activity on its own. Rather, the presence of these indicators should “encourage further monitoring, examination, and reporting where appropriate” and the filing of suspicious transaction reports (STRs) if applicable. The Red Flag Report also notes that these red flag indicators are not exhaustive and should not be viewed in isolation. Rather the report states that “they should be contextualized with information from relevant authorities” and are “best used when applying other contextual information from domestic law enforcement and public sources”.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.


[1]       The FATF is an inter-governmental body which develops global standards to combat anti-money laundering (AML) and counter-terrorist financing (CFT).



Stay Connected

Get the latest posts from this blog

Please enter a valid email address