Custody of cryptocurrency in transit or in storage poses some specific risks that differ somewhat from the usual high-value small sized items, like jewelry. Cash in Transit (CIT) service providers will have to adjust security routines to take these differences into account.

By definition, providing transportation or storage of crypto means that it is in “cold” storage, meaning that it is offline — there is an air gap between the crypto and the Internet or some other digital network. Given that cryptocurrencies are always stored in digital files means that access to them is controlled via strongly encrypted “private keys” using 128-bit encryption generated by a “wallet” (a storage file).

Some risks carriers and vaults must take into account for secure custody of crypto include:

1. Items in custody come in small, somewhat fragile packages.

Even if the digital asset is worth millions of dollars, it can reside on a device the size of a thumb drive. The private key may be written on a piece of paper. Obviously, either of these would be easy to slip into a pocket, and neither weighs more than a few ounces. Packaging and handling have to take into account how easily these items can be damaged, as well as maintain an absolute lack of description of the contents to the casual observer.

2. The device is vulnerable.

The digital asset that the CIT or vault provider is responsible for will reside on some kind of electronic device that is capable of memory, and has a way to input the private key. The binary code that describes the asset contains its value, as well as the identity of its private key. Both of these are critical to access the value, and if either is lost, the value is permanently gone—it will be impossible to recover. Devices like this may be vulnerable to electronic or magnetic disruption, either by accident or intention, so CIT services have to be sure the files are not exposed to damaging fields.

3. The identity of the asset owner may be unknown.

Digital currencies were created in the first place to do away with the need for the regulations and controls imposed on fiat currencies like the US dollar. One standard control on ordinary currencies is the Know Your Customer(KYC) requirement. For crypto, where anonymity is a design feature, not a flaw, the custodian has the potentially large liability for criminal or terrorist activity if it does not know something about the identity of the asset owner(s). This information will have to come through procedures, not regulation requirements.

4. The carrier may not know the value of the currency they are responsible for.

Crypto carriers know Anti Money Laundering (AML) requirements, such as suspicious activity reporting, for values of any size. If custodial procedures depend in part on the value of the item, then determining that value is a critical matter. Beyond the ability of an owner to insure the item (whose risks must be known), the custodian is exposed to loss based on the value. This is a precarious situation.

5. Crypto requires unique access procedures that the custodian may need to help facilitate.

Custody of crypto means that there will always be two entities to protect: the digital file containing the currency, and a record of the private key, which may be physical. Since these two items can never be carried or stored in the same place, all of the risks described above apply to two complimentary assets that have to be brought together to access the value in the currency. This in itself creates the need for procedures to coordinate access in a way that ordinary items do not.

 In general, custody of digital currencies takes place outside the financial system framework that regulates business as usual in CIT businesses. For more information about the sources of risks of crypto and policies for addressing them, see our new white paper, Custodial Crypto: Transportation and Storage.

The fundamental risk of cryptocurrency (‘crypto’), aside from market risks, is custody. Simply put, the high value of crypto, with the equivalent of over $100 billion in circulation (at this time), provides ample motivation to steal it.

Hot vs Cold Storage

If the crypto is stored in a “hot” (online) environment, strong encryption is the essential safeguard, but the entire environment must be secured. The digital asset and the private encryption key that accesses it must be stored separately. Since the online account storing the asset is generally known to the public through the blockchain, the biggest risks are hacking attacks on the online storage or theft of the private key. Whoever holds the private key controls the asset.  History has shown that online storage is highly vulnerable to theft.

If the crypto or its private key are held in “cold” storage (offline)—as many experts recommend—then both digital and physical risks exist. As large and more traditional investors choose cryptocurrencies for value stores and transactions, the cold storage option is likely to increase. The need for strong encryption remains, and specific kinds of threats against digital assets, like electromagnetic radiation, have to be mitigated.

That said, once the crypto and its private key are in the physical realm, many of the risks of crypto are similar to those that apply to compact high value objects like gems, bearer bonds and cash. A small cold storage “wallet”—a digital device that might be the size of a thumb drive—can hold and transfer any amount of cryptocurrency. These tiny devices are highly vulnerable to damage or theft, and even if a thief does not get the private key, they can still hold it for ransom.

A second major source of risk to crypto is the very reason it exists: it is outside of any traditional currency ecosystem, without the insurance and security protocols that accompany fiat currencies. No institution is monitoring crypto transactions, and no law enforcement agency is routinely tracking suspicious actors. In fact, the identities of investors in crypto may not be publicly known.

Financial institutions are beginning to evolve private ways to duplicate some of the protections of traditional currencies, like Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. Cash in Transit providers are building on their experience in cash management to devise secure ways to store and transport crypto.

Crypto is still in the wild west phase. It is growing very rapidly, and a financial system is developing to make it a reasonable option to fiat currencies.

For more information about the risks of crypto, and how to manage them, request a copy of our new white paper Custodial Crypto Transportation and Storage: Understanding and Mitigating the Risks.

The end of the year is a great time to reflect and with that, we like to share our most-read articles of the year. This year’s top articles highlight a strong focus on workplace violence risk management, including active assailant concerns. More than ever, prediction, preparation, and prevention measures are needed to keep each workplace safe. Take some time to read through our top risk management articles from 2016 and plan for a safer and more productive 2017.

1. [Infographic] How to Address the Threat of an Active Assailant Incident in Your Organization

Each and every employee and community member deserves to feel safe. OSHA requires it, labeling it as an organization’s responsibility to provide a safe workplace. Tragically, with a growing number of active assailant incidents happening all around the country, this threat is more relevant than ever before. Over a two-year span, 26 states experienced 40 active assailant incidents, resulting in more than 230 casualties.

Read the full post >

2. Building a Culture of Compliance around BSA/AML – Guidance from FinCEN

In simpler times, the Bank Secrecy Act (BSA) regulated the Anti-Money Laundering (AML) activities of banks, as the name implies. In our globalized and networked world, it has expanded to cover financial institutions ranging from the biggest banks to mom and pop check cashing, or money transfer operations running out of storefronts in a mall. The Financial Crimes Enforcement Network (FinCEN) has launched actions against businesses across this spectrum for violations of BSA/AML requirements.

Read the full post > … Continue reading

In simpler times, the Bank Secrecy Act (BSA) regulated the Anti-Money Laundering (AML) activities of banks, as the name implies. In our globalized and networked world, it has expanded to cover financial institutions ranging from the biggest banks to mom and pop check cashing, or money transfer operations running out of storefronts in a mall. The Financial Crimes Enforcement Network (FinCEN) has launched actions against businesses across this spectrum for violations of BSA/AML requirements.

One thing all these businesses have in common is a culture of compliance with BSA/AML regulations—or not. Enforcement actions have identified a weak culture of compliance as one of the causes of violations, which can result from the actions of employees at virtually any level of an organization.

… Continue reading

If you run a business that facilitates or conducts money transactions, or transactions in other liquid commodities, you are no doubt aware of FinCEN. Rest assured that FinCEN is aware of you, too. And we predict it’s only a short matter of time before their foreshadowing of AML enforcement actions against the cash servicing and transport industry becomes a harsh reality.

The Financial Crimes Enforcement Network (FinCEN) is the arm of the U.S. Treasury charged with investigation and enforcement of Bank Secrecy Act provisions intended to block the financial sources of illegal and terrorist organizations. Traditionally, the BSA applied to common financial institutions like banks and credit unions. But as banks began to offload services to third party vendors and the number of money-related businesses like check cashers and wire transfers proliferated, the BSA has been applied to an ever-wider array of businesses.

Most of these newer businesses are collectively known as Money Service Businesses (MSB). Businesses that transmit money, issue money orders, cash checks, deal in foreign currencies, or a number of other types of transactions, are required to register with FinCEN and maintain an effective Anti-Money Laundering (AML) program. … Continue reading