
Crypto compliance: fraud cases and tools for AML/KYC/KYT
Many PayCryptos clients choose this solution because it is software, which means there is no third-party compliance function or controller above the payment flow.
In practice, however, AML procedures turn out to be useful first of all for the merchant, since they help the company avoid ending up on a blacklist or becoming a victim of fraud.
For ease of understanding, the AML procedures in most businesses are divided into 2 areas: KYC (Know your customer) and KYT (Know your transaction).
Next, we will look at the threats of working without compliance and tools for organizing it.
Who benefits from your lack of compliance, and why? Cases
Let us consider the most frequent cases where merchants with no compliance, in the end, incur losses or lose their business.
Cryptocurrency run-through via merchant accounts
This is perhaps the most common fraud pattern: the merchant is an intermediate link in someone's complex scheme. As a rule, once cryptocurrency has been stolen, it has to be "whitewashed" somehow, i.e. transferred to a clean address and from there on to the next address.
A web service fits this scheme well; crypto casinos are one example. A fraudster makes a deposit, may even spend 10-20% on games, and then requests a withdrawal. Obviously, whoever is behind the attack is always ready to pass verification. But if the company has an established procedure for carrying out KYC and KYT, then some of these schemes can probably be prevented.
This scenario also has a variant in which a client reports losing access to the address from which the deposit was made and then asks to withdraw the funds to another address. Building an AML procedure is harder here, which is why you need to adhere to a zero tolerance policy: if a "scam" is suspected, make no allowances for any factors, even if the client has been with you for a long time.
Draining of “tainted” crypto in exchange for goods
A merchant that is not a service but sells material or virtual goods can also become a victim. A product is purchased with "tainted" cryptocurrency and then resold at a discount, and all losses from the "dubious" cryptocurrency received fall on the merchant.
“Mixer” cryptocurrency
A deposit may come from an address that received its cryptocurrency from a crypto mixer (an indirect indication is tens or hundreds of small incoming transactions within a short time). This is a sure sign that it is better to return the deposit and cancel the transaction.
How to build compliance in your company?
Overall, you will need to set up and fine-tune both the KYC and KYT areas. The first will be a little easier to set up than the second.
Verify your client
A two-level verification system is to be implemented to verify clients:
- Automated checking in databases.
- Manual check using the stop list, in accordance with the written methodology.
The following services will be suitable for the manual verification:
- Trulioo;
- Onfido;
- ID.me;
- Pipl;
- Signifyd.
During the manual verification stage, it is important to check that the user's photo and documents have not been modified, to correlate the facts, and, perhaps, to make a phone call for a "live" verification.
It is important to find the balance. If you make live verification too meticulous, verifying each client will become too expensive.
Verifying transactions
Incoming and outgoing transaction verification must be conducted on several levels as well.
In most cases, the automatic AML procedure is built on services that analyze blockchain history for connections between addresses. Such services include:
- Chainalysis;
- Crystal;
- Irisium;
- Elliptic;
- CipherTrace.
Such services check transactions very quickly and send an alert to the compliance officer in real time if problems are identified. The problem could be a connection with stolen money, illegal exchange offices, services selling prohibited goods, etc.
These services are quite useful, since without them a merchant can end up in the same payment chain as a "grey" address, which can cause withdrawal issues later.
In manual or semi-manual mode, it is recommended to check the specifics of the transaction: how frequently it repeats, whether there is a pattern of sending the same amount, whether it relates to suspicious scenarios in the account or to dubious peculiarities in the KYC verification, and so on. It is recommended to create a full checklist of your own according to your business characteristics.
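The two transaction-history signs mentioned in this article (many small incoming transfers in a short time, and the same amount sent repeatedly) can be pre-screened before a manual review. The following is an added example, not code from the article or from any of the services listed; the thresholds, function names and sample histories are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds (the article gives none); amounts are in the coin's smallest unit.
SMALL_AMOUNT = 1_000_000            # at or below this, a transfer counts as "small"
BURST_COUNT = 20                    # "tens" of small transfers ...
BURST_WINDOW = timedelta(hours=1)   # ... inside this window
REPEAT_COUNT = 3                    # same amount seen this many times

def burst_of_small_inputs(incoming):
    """True if BURST_COUNT small transfers land within any BURST_WINDOW."""
    times = sorted(ts for ts, amount in incoming if amount <= SMALL_AMOUNT)
    start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > BURST_WINDOW:   # slide the window forward
            start += 1
        if end - start + 1 >= BURST_COUNT:
            return True
    return False

def repeated_amounts(incoming):
    """Amounts that appear REPEAT_COUNT times or more."""
    counts = Counter(amount for _, amount in incoming)
    return sorted(a for a, n in counts.items() if n >= REPEAT_COUNT)

def review_flags(incoming):
    """Reasons to route an address history to the compliance officer."""
    flags = []
    if burst_of_small_inputs(incoming):
        flags.append("small-input burst")
    if repeated_amounts(incoming):
        flags.append("repeated amount")
    return flags

# Constructed sample histories: (timestamp, amount) pairs of incoming transfers.
T0 = datetime(2024, 1, 1)
MIXER_LIKE = [(T0 + timedelta(minutes=i), 50_000 + i) for i in range(30)]
SPREAD_OUT = [(T0 + timedelta(hours=2 * i), 50_000 + i) for i in range(30)]
REPEATER = [(T0 + timedelta(days=i), 250_000_000) for i in range(4)]
ORDINARY = [(T0, 120_000_000), (T0 + timedelta(days=9), 75_500_000)]

if __name__ == "__main__":
    for name in ("MIXER_LIKE", "SPREAD_OUT", "REPEATER", "ORDINARY"):
        print(name, review_flags(globals()[name]))
```

A flag here is only a reason to escalate to the manual checklist; the same 30 small transfers spread over days (`SPREAD_OUT`) do not trigger the burst rule.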
While establishing your compliance policy, treat it like a long-term process. You cannot set everything up in one day.
Hands-on experience serving customers will continually improve your AML procedures.














