5 Risks the CIT Industry Faces in Crypto Transportation

By Lowers & Associates,

Custody of cryptocurrency in transit or in storage poses some specific risks that differ somewhat from the usual high-value small sized items, like jewelry. Cash in Transit (CIT) service providers will have to adjust security routines to take these differences into account.

By definition, providing transportation or storage of crypto means that it is in “cold” storage, meaning that it is offline — there is an air gap between the crypto and the Internet or some other digital network. Given that cryptocurrencies are always stored in digital files means that access to them is controlled via strongly encrypted “private keys” using 128-bit encryption generated by a “wallet” (a storage file).

Some risks carriers and vaults must take into account for secure custody of crypto include:

1. Items in custody come in small, somewhat fragile packages.

Even if the digital asset is worth millions of dollars, it can reside on a device the size of a thumb drive. The private key may be written on a piece of paper. Obviously, either of these would be easy to slip into a pocket, and neither weighs more than a few ounces. Packaging and handling have to take into account how easily these items can be damaged, as well as maintain an absolute lack of description of the contents to the casual observer.

2. The device is vulnerable.

The digital asset that the CIT or vault provider is responsible for will reside on some kind of electronic device that is capable of memory, and has a way to input the private key. The binary code that describes the asset contains its value, as well as the identity of its private key. Both of these are critical to access the value, and if either is lost, the value is permanently gone—it will be impossible to recover. Devices like this may be vulnerable to electronic or magnetic disruption, either by accident or intention, so CIT services have to be sure the files are not exposed to damaging fields.

3. The identity of the asset owner may be unknown.

Digital currencies were created in the first place to do away with the need for the regulations and controls imposed on fiat currencies like the US dollar. One standard control on ordinary currencies is the Know Your Customer(KYC) requirement. For crypto, where anonymity is a design feature, not a flaw, the custodian has the potentially large liability for criminal or terrorist activity if it does not know something about the identity of the asset owner(s). This information will have to come through procedures, not regulation requirements.

4. The carrier may not know the value of the currency they are responsible for.

Crypto carriers know Anti Money Laundering (AML) requirements, such as suspicious activity reporting, for values of any size. If custodial procedures depend in part on the value of the item, then determining that value is a critical matter. Beyond the ability of an owner to insure the item (whose risks must be known), the custodian is exposed to loss based on the value. This is a precarious situation.

5. Crypto requires unique access procedures that the custodian may need to help facilitate.

Custody of crypto means that there will always be two entities to protect: the digital file containing the currency, and a record of the private key, which may be physical. Since these two items can never be carried or stored in the same place, all of the risks described above apply to two complimentary assets that have to be brought together to access the value in the currency. This in itself creates the need for procedures to coordinate access in a way that ordinary items do not.

 In general, custody of digital currencies takes place outside the financial system framework that regulates business as usual in CIT businesses. For more information about the sources of risks of crypto and policies for addressing them, see our new white paper, Custodial Crypto: Transportation and Storage.

The Role of FinCEN in BSA/AML

By Mark Lowers,

anti money laundering

The Financial Crimes Enforcement Network (FinCEN) works to ensure that the Bank Secrecy Act (BSA) / Anti Money Laundering (AML) program of your financial institution is in compliance.

In order to get to the role of FinCEN, you need to understand the legal and operational context of which it is part. For convenience, we refer to the entire system as BSA or BSA/AML requirements, but in fact there are a number of moving parts that are interlocked.

Laws authorizing programs to combat the use of financial institutions to commit or enable crimes or terrorist activity go back to at least 1970. In that year, Congress passed the Currency and Foreign Transactions Reporting Act, a.k.a. the Bank Secrecy Act (BSA), which required financial institutions to record and report currency and other transactions, identify the parties involved, and maintain a paper trail. The aim was to help Federal agencies investigate and prosecute uses of the financial system to finance or cover up illegal activities, including criminal, tax and regulatory violations, and money laundering.

Over time this same basic approach has been strengthened in response to weaknesses in the system and to events in the environment, e.g., terrorism. Of special note is the Money Laundering Control Act of 1986 which made it illegal to use the financial system in ways designed to avoid the BSA (e.g., via 3rd parties) and for the first time made financial institutions responsible for documenting compliance with BSA/AML regulations. This latter point is important because much of the more recent enforcement activity has been directed toward evaluating institutions’ compliance programs to determine if they are capable of timely and accurate reporting on a risk-adjusted basis.

After 9/11, Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act). Though this law tortured the English language to get the right acronym, it has a very important point:  BSA/AML enforcement has become firmly embedded in our national security effort, with all of the heightened surveillance that brings. The PATRIOT Act extended BSA/AML requirements to cover virtually all financial institutions, including banks, credit unions, and non-bank financial services such as cash-in-transit providers, with stronger penalties for non-compliance.

Enforcement of BSA/AML Requirements: FinCEN

Numerous Federal government agencies play a role in implementing BSA regulations. The Treasury, Federal banking agencies such as the Federal Reserve, Federal Deposit Insurance Corporation, National Credit Union Administration, and the Office of the Comptroller of the Currency, as well as international agencies are involved in the enforcement of BSA/AML requirements.

The U.S. Department of the Treasury is at the heart of the U.S. effort. And within it, FinCEN is the bureau charged with the administration of BSA activities. The agency’s role is summarized in this statement:

FinCEN’s mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.

The word “network” in FinCEN’s name is a clue to its role at the center of BSA/AML enforcement because it is the location where regulations and enforcement guidelines emerge, coordination with banking agencies that initiate enforcement actions occurs, and civil legal actions are initiated if needed. In this capacity, the agency monitors and records financial transactions, supplies information to law enforcement agencies, and coordinates with similar agencies in other countries. Throughout, FinCEN descriptions emphasize its role in national security.

When necessary, FinCEN will initiate legal actions, usually in coordination with or support of other agencies, to enforce BSA requirements. A long list of enforcement actions can be found on its website, including actions against “depository institutions,” “securities and futures,” “money services businesses,” and “casinos.”

Financial services businesses may never directly encounter FinCEN, at least if they remain in compliance. Yet the risk-based compliance approach recommended by banking agencies and the Office of Foreign Assets Control (OFAC — also a Treasury bureau) is rooted in a common approach stemming from FinCen efforts. With its emphasis on anti-terrorist efforts, FinCEN is a potent financial regulator of which all participants in the financial services circle need to be aware.

3 Essential Loss Prevention Controls for Cash Service Vendors

By Lowers & Associates,

In today’s integrated financial services system, Cash-in-Transit (CIT) service providers face new challenges in theft and fraud prevention. Traditional approaches to internal controls may leave risky gaps where CIT vendors and their banking customers intersect. Upgrading—and redesigning—these controls so that partners interpret outcomes accurately, and in the same way, is necessary to raise the adequacy of protections against theft and fraud risks.

The Office of the Comptroller of the Currency (OCC) has made it clear that banking institutions are ultimately responsible for the risk management performance of the third party cash vendor services they purchase. Banks cannot simply offload risks to vendors when they outsource traditional banking services. … Continue reading

Cash Auditing and Compliance in a New World

By Lowers & Associates,

The banking industry has undergone significant and historic change since the financial crisis of 2008. The Dodd Frank Wall Street Reform and Consumer Protection Act created heightened expectations and new regulations for financial institutions.

This, in turn, has created the need for additional levels of oversight within the financial institution itself. However, it isn’t just financial institutions that are feeling the impact. Third party service providers of financial institutions, including armored carriers, are being impacted as well.

Historically, by outsourcing cash vault operations to CIT companies, financial institutions were able to pass along many of their risks and cost burdens. Today, the Office of the Comptroller of the Currency (OCC) makes clear that banks are expected to practice effective risk management “whether the bank performs the activity internally or through a third party” and goes on to say that “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner in compliance with applicable laws.”

Furthermore, the OCC has identified significant potential for gaps in risk mitigation and compliance, which has brought more focus on auditing procedures. … Continue reading

Understanding the Relationships in the Cash Industry

By Lowers & Associates,

cash management industry

Stop for a minute and think about the flow of cash in the American economy.  You almost certainly have some in your pocket or purse right now, and at some point in the day, or the near future you will use it to buy something. Even if you rely mainly on plastic, you will sometimes tap an ATM for cash. Billions upon billions of cash dollars circulate every single day. Most importantly, you, and all parties concerned can easily access just the right amount of cash for their needs.

This miraculous flow of cash does not happen by accident. The Cash-in-Transit (CIT) system—a.k.a. the cash management industry—has evolved to manage cash efficiently and securely. This huge system is ubiquitous, yet many people have never heard of anything beyond “armored cars.” The system actually includes a large assortment of cash management businesses, some of them specialized and others offering a fully integrated package of services that help to keep commercial and retail markets liquid.

The CIT system serves banks, including the Federal Reserve, by providing the transportation, storage, processing, accounting, and other services that financial institutions need to ensure the right amounts of cash get to where they are needed. With the extensive geographic dispersion of branch banks and ATMs, it is no longer cost effective for each and every bank to provide all the cash management services it needs. Today, third party businesses in the cash management system can support multiple banks, including providing a level of risk management the industry demands. … Continue reading