Strengthening Crypto-Compliance and Monitoring Through Model Risk Management Best Practices
May 01, 2025
A wave of energy and potential growth has surged in the crypto industry from both users and providers with the changes in the U.S. government’s approach. The recent appointments of SEC Acting Chairman Mark T. Uyeda and White House A.I. and Crypto Czar David Sacks, and the announced launch of a crypto task force,[1] are among several recent moves that indicate an enhanced focus by the U.S. government on developing a more comprehensive and clear regulatory framework for crypto assets.
As the industry continues to mature and regulatory frameworks take shape in the U.S., more organizations are investing in crypto and blockchain-related services and products for consumers and businesses. There is also a growing number of companies utilizing cryptocurrency within their day-to-day operations and as a payment instrument.
The landscape has undergone significant and continuing change. Five years ago, the majority of banks and companies were in a development or initial launch phase of introducing crypto-related products and services.[2] As with most new products and startups, product, design, and engineering teams tend to drive initiatives, with compliance often playing catch-up every step of the way.
However, in the past couple of years, many companies have transitioned from the development and launch stage to a growth, maturity, and expansion stage of their operations surrounding crypto products. During this time, compliance leaders have also been building and implementing compliance-related controls and guardrails in an effort to meet regulatory requirements related to their company’s cryptocurrency activities.
With the growth of cryptocurrency as an accepted form of payment, similar growth in crypto and blockchain compliance standards is imperative. An increasing number of Financial Crime Compliance (“FCC”) programs have implemented and deployed Automated Blockchain Monitoring (“ABM”) and other compliance systems to fulfill regulatory obligations and to combat and detect illicit activity. Various third-party vendor solutions are available in the market to help organizations with pre-transaction risk management, Travel Rule compliance, and surveillance for money laundering, fraud, and other financial crimes by analyzing wallets and blockchain data. These compliance systems are key in automating risk management, detection, and monitoring controls, as long as they have been appropriately designed and implemented, with effective ongoing model risk management (“MRM”) efforts.
As with any model development and implementation, if these systems are not designed and implemented properly, the result can be compliance and regulatory headaches, fines, loss of licensure, and loss of access to financial partnerships. While there is much overlap with traditional fiat-based compliance expectations, offering cryptocurrency payment solutions involves nuanced elements that need to be addressed within compliance programs.
Below is a catalogue of some of the common gaps that surface when companies do not appropriately design, implement, and perform ongoing MRM efforts for ABM surveillance and third-party vendor solutions (“models”):
- Missing Transactions: A subset of blockchain transactions has not been, or is not, feeding into the models as expected and thus goes undetected.
- Inherent Risks Not Properly Assessed: A comprehensive coverage assessment or risk review has not been performed to understand all the inherent risks across the various crypto-related products, geographies, types of cryptocurrencies and digital assets, crypto-wallets, customer base, etc., which should drive the model’s design and ongoing monitoring efforts.
- Reliance on Vendor Off-the-Shelf Detection Scenarios: Firms often use the off-the-shelf monitoring scenarios without tailoring them or taking advantage of custom scenario build capabilities for more tailored risk detection.
- Reliance on Vendor Default Thresholds and Parameter Setting: Many firms do not perform any underlying data analytics and tuning to appropriately set and support thresholds and parameters, thus relying on the third-party vendor’s default thresholds and parameters.
- Lack of Model Design Rationale: Many firms have not documented and provided supporting qualitative and quantitative rationale as it relates to vendor selection and the model’s selection of rules, scenarios, and parameter settings.
- On- and Off-Ramp Risk Exposure: Many FCC programs have not fully considered and identified the heightened cross-functional risks and money movements associated with users and customers who are able to transfer and convert monies between fiat and non-fiat currencies within the company’s ecosystem, that is, cross-functional risk arising from the use of two or more products and services where one is fiat and the other is non-fiat. In this scenario, the different surveillance systems for fiat and non-fiat products are not designed to communicate with one another.
- Gaps In Documentation: Lack of documentation of vendor selection process, vendor evaluations, testing audits, descriptions of how these tools operate, and performance standards.
To help with the above pain points and strengthen FCC crypto and blockchain-monitoring detection capabilities, compliance programs and risk officers should deploy efforts similar to those applied to traditional fiat-based compliance transaction monitoring, sanctions, and Know Your Customer (“KYC”) systems and programs. In a March 7 announcement, Office of the Comptroller of the Currency (“OCC”) Acting Comptroller of the Currency Rodney E. Hood defined the agency’s stance going forward: “The OCC expects banks to have the same strong risk management controls in place to support novel bank activities as they do for traditional ones.”[3] Such risk management controls involve:
- Perform an ABM/compliance model and data validation
- Utilize customized ABM detection scenarios tailored to observed typologies and the risk assessments
- Conduct regular, risk-based, crypto and digital asset-focused coverage and risk assessments
- Incorporate data analytics to drive coverage and risk assessments
- Appropriately set and tune thresholds aligned with risk appetite and exposure
- Document supporting rationale with qualitative and quantitative factors
- Consider on- and off-ramp cross-functional risk exposure
FTI Consulting’s Blockchain & Digital Assets, Financial Services, Model & Data Validation, and Data & Analytics practices have extensive experience working across traditional finance and crypto-native companies to develop and optimize anti-fraud, anti-financial crime, product safety and soundness and third-party vendor assessment programs to ensure organizations are offering trusted products to consumers in the market. Experts include former regulators, in-house crypto-native compliance officers and finance professionals who have led complex engagements across both the digital assets industry and traditional financial firms.
The nuanced elements inherent in blockchain and digital assets products pose significant risks if not implemented properly. FTI Consulting helps to mitigate risk and set organizations up for success in this rapidly developing industry.
Footnotes:
1: “SEC Crypto 2.0: Acting Chairman Uyeda Announces Formation of New Crypto Task Force,” U.S. Securities and Exchange Commission (21 Jan. 2025).
2: Hugh Son, “Bitcoin is coming to hundreds of U.S. banks this year, says crypto custody firm NYDIG,” CNBC - Finance (Wed, May 5 2021).
3: “OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities,” Office of the Comptroller of the Currency (7 Mar. 2025).