1.
AML WORKING COMMITTEE GUIDELINES
1
Anti-Money Laundering Guidelines1
INTRODUCTION
The Digital Asset Transfer Authority (DATA) recognizes the critical importance of
preventing its members’ digital currency products and services from being used for
illicit purposes, including money laundering and terrorist financing. DATA also
recognizes that new technologies may pose qualitatively and functional distinct risks
from traditional financial transactions, and that these products, services, and
corresponding risks will also evolve alongside the technology. The guidelines are
intended to provide a starting point that incorporates the spirit and substance of AML
policies for the digital asset industry based on current state of the industry and existing
regulations. DATA believes that AML guidelines for and adopted by this nascent
industry must be reiterative and continue to evolve to ensure that operationalized
measures intended to fulfill the policy goals of preventing threats to the global
financial network are effective in practice, while maintaining the integrity of other
fundamental rights and values, including civil liberties, financial privacy and
inclusion, transparency and accountability.
Background
Anti-money laundering standards emanate from local, inter-governmental and inter-
institutional bodies, the most prominent of which is the Financial Action Task Force
(“FATF”). The Financial Action Task Force (FATF) is an inter-governmental body
established in 1989 by the Ministers of its Member jurisdictions. The objectives of the
FATF are to set standards and promote effective implementation of legal, regulatory
and operational measures for combating money laundering, terrorist financing and
other related threats to the integrity of the international financial system. The FATF is
therefore a “policy-making body” which works to generate the necessary political will
to bring about national legislative and regulatory reforms in these areas in coordinated
action across the globe.
The FATF has developed a series of Recommendations that are recognized as the
international standard for combating of money laundering and the financing of
terrorism and proliferation of weapons of mass destruction. They form the basis for a
coordinated response to these threats to the integrity of the financial system and help
1
Please consult legal counsel for advice regarding the application of specific regulations, including anti-money
laundering and terrorist financing laws to particular products or services.

2.
AML WORKING COMMITTEE GUIDELINES
2
ensure a level playing field. First issued in 1990, the FATF Recommendations were
revised in 1996, 2001, 2003 and most recently in 2012 to ensure that they remain up to
date and relevant, and they are intended to be of universal application.
Each member nation of the FATF implements its recommendations by enacting laws
and their implementing regulations in each jurisdiction. The FATF then monitors the
progress of its implementation and utilizes an enforcement mechanism of incentives
and sanctions.
The following guidelines developed by DATA’s AML Working Committee are
fundamentally based on the FATF’s Recommendations as well as other FATF research
publications, and are recommended to any company that does business or provides
services with and for the digital currency industry (particularly any company that holds
or manages customer funds), including exchanges, wallets, merchant services,
administrators, miners, equipment sales companies and security service providers
(collectively referred to in these guidelines as Digital Asset Companies).
Although these guidelines specifically reference United States and other regulatory
guidelines, Digital Asset Companies anywhere in the world should focus on the spirit of
the guidelines that, as discussed above, emanates from FATF’s internationally
recognized standards. DATA recognizes that the digital asset industry is still in its
infancy and that any guidelines or best practices should be reiterative and carefully
evaluated to ensure that critical, multifaceted policy goals are effectively balanced and
achieved.
GUIDELINES
1. Digital Asset Companies should implement a basic AML Compliance
Program whether or not required by law.
DATA recognizes that digital currencies and other assets, like other value transfer
systems, have been used by some criminal elements as a form of payment, and that
cross-border value transfer systems are vulnerable to abuse by criminals. DATA
recommends that all Digital Asset Companies implement a risk-based AML
Compliance program, whether or not required by law, which would include the classic
“four pillars” of an AML program:
I. Appointing a knowledgeable Chief Compliance Officer;
II. Training for the organization’s board and employees regarding what money
laundering and illicit financing consists of, how it can be recognized and what
to do if such illicit financial activity is suspected;

3.
AML WORKING COMMITTEE GUIDELINES
3
III. Preparing internal procedures covering
A. Due diligence of major customers, vendors, employees, investors
B. Limits on accounts, transactions, access to data as deterrents to
abuse
C. Steps to take when illicit activity is suspected, including to whom such
activity should be reported, escalation procedures
D. Record-keeping and record retention procedures
E. Reporting and information sharing procedures
IV. An annual independent review of the procedures and program
Digital Asset Companies should also develop and implement a Sanctions Compliance
Program. In the U.S., such a program would be called an OFAC Compliance Program.
The Office of Foreign Assets Control (OFAC) administers and enforces economic and
trade sanctions against targeted foreign countries, terrorism sponsoring organizations
and international narcotics traffickers based on U.S. foreign policy and national
security agenda. OFAC acts under Presidential wartime and national emergency
powers, as well as authority granted by specific legislation, to impose controls on
transactions and freeze foreign assets under U.S. jurisdiction. Many of the sanctions
are based on United Nations and other international mandates, are multilateral in
scope, and involve close cooperation with allied governments.
AML and Sanctions Compliance Programs must be written and well-documented.
Above all, they must be demonstrably effective. Therefore, Digital Asset Companies
are advised to focus both on the formal and substantial, operational aspects of
compliance programs.
The rest of the guidelines refer to key internal procedures that should be in place
as part of any AML and Sanctions Compliance Program.
2. Digital Asset Companies should conduct a thorough risk assessment of
their products and services.
In order to develop a solid risk-based AML Compliance Program, each Digital Asset
Company should take a hard look at their products or services to determine which
product and/or service presents more or less risks, and then tailor its deterrent and
detective controls to the specific risks and tiers of risk identified. A typical risk
assessment considers customer, product and geographic risks.
For example:

4.
AML WORKING COMMITTEE GUIDELINES
4
● Customers that are anonymous, with no known source of funds are higher risk
customers.
● Products that involve high potential values, international usage, or access to
cash are generally considered higher risk products.
● Customers, sales or products linked to domestic geographic locations
designated, in the United States, as High Intensity Drug Trafficking Areas
(HIDTAs) or High Intensity Financial Crime Areas (HIFCAs) would be higher risk.
International locations that are subject to national security-based sanctions,
such as those administered by OFAC in the United States, or identified as
supporting international terrorism, or identified as non-cooperative by the
Financial Action Task Force on Money Laundering (FATF), would all be
considered higher risk.
Once a Digital Asset Company determines which products more or less risk than other
products and/or the norm, appropriate mitigating actions (such as transaction limits,
increased monitoring, or increased customer identification collecting more detailed
information about the individual or business) can then be implemented.
3. Digital Asset Companies should develop risk-based Customer
Identification Procedures.
There is a wide range of possible customer identification procedures that a Digital
Asset Company can implement, depending on the circumstances. Under FinCEN’s
Guidance issued on March 18, 2013, exchanges and administrators are required to
register as “money transmitters,” a category that requires only the collection of
name and address of their customers, and not collection of more sensitive
personal data such as date of birth or social security number.2
Under many
circumstances, the data collected must be stored and must “travel” with the
transaction, but there is no obligation to verify the data.3
Nevertheless, under a risk-
based AML Program, a Digital Asset Company should consider implementing more in-
depth customer identification and verification procedures – especially for customers
and products identified in the risk assessment as high risk.
2
See March 18, 2013 Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual
Currencies. Please consult legal counsel for advice regarding specific products or services. For example, under US
state, federal and international laws, other categories of financial institutions and corresponding regulations may
apply to a specific Digital Currency Company, based in its specific products and services.
3
Please consult legal counsel for advice regarding the application of specific laws such as the “travel rule” to
particular products or services.

5.
AML WORKING COMMITTEE GUIDELINES
5
4. Digital Asset Companies should develop risk-based due diligence
procedures.
No company is immune to criminal attempts to infiltrate and use its products and
services for illicit purposes. Digital Asset Companies have already been targeted by
some criminal enterprises and therefore must be vigilant when hiring employees,
accepting investments or retaining vendors that provide critical services. In
addition, any customers who routinely ask for non-traditional services, seek waivers of
limits or restrictions, and often submit particularly high-value transactions, should also
be reviewed carefully. As with identification procedures, due diligence can cover a
range of possibilities – everything from simply “googling” the person or company
involved or checking the appropriate government agency for corporate
registration, to requesting banking and other references, to obtaining credit or
business reports, and even obtaining a criminal background check.
5. Digital Asset Companies should monitor their transactions for potentially
suspicious, fraudulent or criminal activity.
Digital Asset Companies are advised to control not only the onboarding stage but the
entire life cycle of a relationship as well. Any payments company that holds or
moves value need to keep an eye on the flow of transactions. It is important to
understand what is “business as usual” and what constitutes a deviation from the
norm. Digital Asset Companies can benefit by working directly with law enforcement
to learn about criminal typologies in their area, and what kinds of activities could be a
sign of criminal misuse. In addition to a monitoring program, there also needs to be
procedures in place regarding what to do if a transaction appears to be suspicious,
fraudulent, criminal in nature, or in violation of nationally-imposed sanctions.
6. Digital Asset Companies should appoint a Chief Compliance Officer who is
independent and works closely with each Company’s Board.
Having an experienced Chief Compliance Officer that reports to the Board and keeps
the Board apprised of potential risks as well as suspicious, fraudulent or criminal
activity is a critical feature for most Digital Asset Companies. In addition to being
experienced and knowledgeable about compliance with AML laws and regulations, it is
important that this person have the standing and resources within the Company to
effectively implement the compliance program and be heard and able to take action if
an issue should arise.

6.
AML WORKING COMMITTEE GUIDELINES
6
7. Digital Asset Companies should train all employees, officers and Board
members about AML risks.
To create a culture of compliance, from the first day an employee begins work, he or
she should be sensitized to the risks of having a digital payment product or service
misused for illicit purposes. The training does not need to be lengthy or onerous. But
basic facts should be shared about what is money laundering, fraud, and illicit
financing, what patterns or behavior to watch out for, and what to do if the
employees sees or hears something that raises a concern. The training should be
given at all levels of the Digital Asset Company, and should be repeated annually.
Records should be maintained showing who was trained, when the training occurred,
and what the training consisted of.
8. Digital Asset Companies should undergo a periodic “Independent Review”
of their AML and Sanctions Program.
Depending on the size and volume of business, the review can be performed by an
internal person or group, provided that person or group does not report into the
Compliance function and can provide the results of the review directly to the Board.
The independent review is intended to ensure that transaction monitoring, risk
assessments, training, customer ID and due diligence activities are occurring as
planned and the controls in place are effective. If no one checks to make sure it is
happening, then it easy for these critical processes to get pushed to the back burner,
or entirely forgotten under the pressure of new business. The annual review should
also involve a meeting with legal counsel to make sure that applicable laws have been
updated, and any compliance activities (e.g., money transmitter licensing renewals;
MSB registration renewals) have been kept up to date.
CONCLUSION
Digital assets and emerging payment technologies are poised to bring enormous
positive benefits to society all over the world. DATA believes that in order for these
emerging technologies to gain legitimacy in the global financial markets, and for Digital
Asset Companies to thrive, the industry needs to adapt, adopt and implement best
practices such as the guidelines described above that adhere to existing standards
and, if necessary, adapt those policy standards in dialogue and collaboration with
public and private stakeholders to address the risks and benefits posed these new
technologies.

7.
AML WORKING COMMITTEE GUIDELINES
7
The protection of the global financial system from abuse is a global societal goal and a
primary policy goal of most nations of the world. Therefore, the careful development of
compliance measures that meet or exceed the effectiveness of AML standards and
regulations currently in force, that also address related policy goals of financial
inclusion, privacy, transparency and accountability, is one of DATA’s key goals for the
industry.
RESOURCES
See below for a partial list of international financial regulation agencies.
Financial Action Task Force - The FATF Recommendations
Africa & Middle East
Kenya – Capital Markets Authority (CMA)
Israel - Israel Securities Authority (ISA)
South Africa
- South African Reserve Bank
- Financial Services Board (South Africa)
United Arab Emirates
- Securities and Commodities Authority - (SCA)
- Dubai Financial Services Authority - (DFSA)
Asia
China
- China Banking Regulatory Commission (CBRC)
- China Securities Regulatory Commission (CSRC)
- China Securities Regulatory Commission (CSRC)
- Ministry of Industry and Information Technology (MIIT)
Hong Kong – Financial Services Authority (FSA)
India
- Reserve Bank of India (RBI)
- Securities and Exchange Board of India (SEBI)
Japan – Financial Services Agency (FSA)
Singapore – Monetary Authority of Singapore (MAS)
South Korea
- Financial Services Commission (FSC)
- Financial Supervisory Service (FSS)

8.
AML WORKING COMMITTEE GUIDELINES
8
Australia
AUSTRAC-Australian Transaction Reports and Analysis Centre
Europe
European Union
- European Commission
- European Banking Authority (EBA)
- FIU.net
Germany – Federal Financial Supervisory Authority (BaFin)
Sweden - Financial Supervisory Authority (Finansinspektionen or “FI”)
United Kingdom
- Financial Services Authority (FCA)
- Prudent Regulation Authority (PRA)
- HM Revenue & Customs
Latin America
Argentina - Comisión Nacional de Valores (CNV)
Brazil
-Banco Central do Brasil (BCB)
-Comissão de Valores Mobiliários (CVM)
Chile - Superintendencia de Valores y Seguros
Mexico - Comisión Nacional Bancaria y de Valores
North America
Canada
- Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
- Office of the Superintendent of Financial Institutions (OSFI)
United States
- Financial Crimes Enforcement Network (FinCEN)
- Office of Foreign Assets Control (OFAC)
- Securities & Exchange Commission (SEC)
- Commodity Futures Trading Commission (CFTC)
- Federal Reserve System (The "Fed")
- Federal Deposit Insurance Corporation (FDIC)
- Federal Trade Commission (FTC)
- Financial Industry Regulatory Authority (FINRA)
- Office of the Comptroller of the Currency (OCC)
- National Credit Union Administration (NCUA)
- National Futures Association (NFA)
- Consumer Financial Protection Bureau (CFPB)