New York - Virtual Currencies Compliance Conference

1. Designing a Compliance Program for Virtual Currencies Virtual Currencies Compliance Conference New York, August 14 , 2013 by Juan Llanos, CAMS

2. Agenda 1. Risk identification Risk areas  Focus on AML 2. Risk mitigation a) Program design tips b) Overview of corporate and product safeguards c) Customer identification and authentication (de-anonymization) 3. SA Detection via Monitoring and Analysis Leveraging the blockchain 4. Unsolicited (contrarian) advice © 2013 JuanLlanos

4. Risk Areas • operational • credit • money laundering • terrorist financing • information loss • liquidity • fraud • Identity Theft Stakeholders • federal agencies • state agencies • investors • consumers • employees • society Goals • safety • soundness • security • privacy • crime prevention • health • integrity Regulation  Inevitable, yet valid Risks & Stakeholders © 2013 JuanLlanos Compliance  Onerous, yet valuable

7. How Can Money be Laundered Through Us? • Identity theft & impersonation •Structuring •Fraudulent acts •Lax controls FRONT OFFICE BACK OFFICE © 2013 JuanLlanos General risks (all FIs)  fake IDs, negligence, incompetence & wrongdoing

8. Main Risk Areas Anti-Money Laundering Anti-Terrorism Financing (CFT) Privacy and Information Security Safety and soundness Consumer protection Main Statutes and Regs BSA, USA PATRIOT Act, Money Laundering Acts USA PATRIOT Act, OFAC Gramm-Leach-Bliley State (via licensing) State (via licensing) + Dodd-Frank / Regulation E (CFPB) Money Transmitter Regulation © 2013 JuanLlanos Focus  AML/BSA + State Compliance

11. RISKS MITIGATORS  Commingling/diversion of funds  Poor cash management, accounting and settlement  Poor document management, reporting and record-keeping  Inadequate policies and procedures  Poor controls  Systems breakdowns  Employee acceptance, monitoring and termination protocols  Employee training and education  Professional financial, operational and compliance management  Dual controls and segregation of duties  Business continuity and disaster recovery planning  Independent auditing and testing  State-of-the-art technology Operational Risks and Mitigators © 2013 JuanLlanos

12. RISKS MITIGATORS  Complicity with agent or foreign counterparty  Complicity with recipient (or sender)  ‘Drip-irrigation’ transfer of illicit funds (O2M recipients, M2O recipient, M2M recipients)  Intra-company structuring  Inter-company structuring (‘smurfing’)  Terrorist financing  Customer acceptance, monitoring and termination protocols  Transaction & behavior monitoring  Lower identity verification thresholds at origin and destination  For cards, maximum loadable amounts, expiration date, and limited number of recipients.  Redundant identity verification procedures at destination  POS training  OFAC screening  Eventually, intercompany transaction monitoring by highly-professional and secure clearing house. This is the only possible antidote against ‘smurfing’. Customer Risks and Mitigators © 2013 JuanLlanos

13. Foreign Counterparty Risks and Mitigators RISKS MITIGATORS  Complicity with sender or agent  Poor cash sourcing, management, accounting and settlement  Poor documentation and record- keeping  Lax policies, procedures and controls  Poor regulatory regime  Credit risk  Systems breakdowns  Foreign counterparty acceptance, monitoring and termination protocols  Selecting reputable partners with proven track record and effective systems and controls  Transaction monitoring  Independent auditing and testing  OFAC screening © 2013 JuanLlanos

14. RISKS MITIGATORS  Assistance in structuring  Complicity with sender or beneficiary  Commingling of funds  Credit risk  Identity theft  Non-compliance with Section 352 of PATRIOT Act  Agent acceptance, monitoring and termination protocols  Transaction monitoring  POS training  Zero tolerance policy  Secret shopping and stress testing  OFAC screening Agent Risks and Mitigators © 2013 JuanLlanos

16. 1. Always understand the flow of DATA and the flow of MONEY. 2. Life-cycle management and the right mix of detective and deterrent techniques, including effective training, are key. 3. Document or perish Program Design Tips © 2013 JuanLlanos

17. 1. Map Flows, and Processes 2. Identify Risks 3. Design Controls 4. Write PPCs 5. Execute and Measure 6. Enhance and Improve Bottom-Up Program Design Spirit of law + Engineering Mindset © 2013 JuanLlanos

19. * AML Program Elements (Section 352 of the USA PATRIOT Act) 1. A designated compliance officer + professional team 2. Written policies and procedures + operational controls: • Licensing, renewal and reporting procedures (S) • Registration, record‐keeping and report‐filing procedures (F) • KY (Know Your…) Subprograms: Acceptance, monitoring, correction and termination • KY…Customer • KY…Agent • KY…Foreign Counterparty • KY…Employee • KY…Vendor • Monitoring, analysis and investigating procedures • OFAC compliance program • Response to official information requests • Privacy and information security protection protocols 3. An on‐going training program • Risk & Compliance Committee 4. An independent compliance auditing function CORPORATE Safeguards* © 2013 JuanLlanos

20. Key Elements of a BSA/AML Program • State Compliance: Licensing, renewal and reporting procedures // Consumer protection disclosures, etc. • Federal Compliance: Registration, record‐keeping and report‐filing procedures (F) • KY (Know Your…) Subprograms: Acceptance, monitoring, correction and termination (Life‐Cycle Management) • KY…Customer • KY…Agent • KY…Foreign Correspondent or Counterparty • KY…Employee • KY…Vendor • SA Detection: Monitoring, analysis and investigating procedures • Information Sharing: Response to information requests • OFAC Compliance Program • Privacy and information security protection protocols (GLBA) © 2013 JuanLlanos

21. PRODUCT Safeguards • Anonymous identification • No value limits • Anonymous funding • No transaction records • Wide geographical use • No usage limits Cash features Anything we do to counter these will mitigate the risk of our product! © 2013 JuanLlanos

22. CUSTOMER Identification © 2013 JuanLlanos Non‐Face to Face  Card not present standards Non-documentary  contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement. Documentary  Review an unexpired government-issued form of identification from most customers. This identification must provide evidence of a customer’s nationality or residence and bear a photograph or similar safeguard; examples include a driver’s license or passport. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer.

23. Authentication Strength Multifactor authentication: • Something the user knows (e.g., password, PIN) • Something the user has (e.g., ATM card, smart card) • Something the user is (e.g., biometric feature) Authentication methods: • Shared secrets • Tokens (smart card, one-time password generating device) • Biometrics (fingerprint, face, voice, keystroke recognition) • Out-of-band authentication • Internet protocol address (IPA) location and geo-location • Mutual identification Source: FFIEC © 2013 JuanLlanos

24. Agenda 1. Risk identification Risk areas  Focus on AML 2. Risk mitigation a) Overview of corporate and product safeguards b) Customer identification and authentication (de-anonymization) 3. SA Detection via Monitoring and Analysis Leveraging the blockchain 4. Unsolicited (contrarian) advice © 2013 JuanLlanos

25. “What customers do speaks so loudly that I cannot hear what they’re saying.” (Paraphrasing Ralph Waldo Emerson) Customer identification vs. customer knowledge BEHAVIORAL ANALYTICS © 2013 JuanLlanos

26. © 2013 Juan Llanos Machine Learning (AI) Methods SUPERVISED LEARNING: relies on two labeled classes (good vs. bad) Goal  Detect known suspicious patterns 1. Training set: a. Select dataset with clean and dirty cases. b. Classification algorithm to discriminate between the two classes (finds the rules or conditions) c. Probabilities of class 1 and class 2 assignment 2. Run discrimination method on all future purchases. UNSUPERVISED LEARNING: no class labels Goal  Detect anomalies 1. Takes recent purchase history and summarize in descriptive statistics. 2. Measure whether selected variables exceed a certain threshold. (deviations from the norm) 3. Sounds alarm and records a high score. © 2013 JuanLlanos

27. • High amounts • High frequency • Use of multiple locations • Use of multiple identities • Use of untrusted device • Values just below threshold • Immediate withdrawals Examples of Known Behaviors © 2013 JuanLlanos

30. • The entire history of Bitcoin transactions is publicly available. • “Using an appropriate network representation, it is possible to associate many public- keys with each other, and with external identifying information.” • “Large centralized services such as the exchanges and wallet services are capable of identifying and tracking considerable portions of user activity.” An Analysis of Anonymity in the Bitcoin System - Bitcoin is Not Anonymous by Fergal Reid and Martin Harrigan (2011) Link: http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html

31. The victim woke up on the morning of 13/06/2011 to find a large portion of his Bitcoins sent to1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg. The alleged theft occurred on 13/06/2011 at 16:52:23 UTC shortly after somebody broke into the victim's Slush pool account and changed the payout address to 15iUDqk6nLmav3B1xUHPQivDpfMruVsu9f. The Bitcoins rightfully belong to1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG.

33. Agenda 1. Risk identification Risk areas  Focus on AML 2. Risk mitigation a) Overview of corporate and product safeguards b) Customer identification and authentication (de-anonymization) 3. SA Detection via Monitoring and Analysis Leveraging the blockchain 4. Unsolicited (contrarian) advice

34. • Get real  WANT vs. MUST vs. CAN • Prevention trumps damage control • Risk MGT  Both reducing downside and increasing upside • Simplicity and common sense • Train for behavior change, not theoretical knowledge • Form-substance continuum  substance • Letter-spirit continuum  focus on spirit (underlying purpose and values) facilitates • Operational synergies (leveraging tech) • Compliance without compromising performance • Flexibility and sustainability © 2013 JuanLlanos

36. “Prosecutors are looking for substantive AML programs (not just paper ones) in determining whether you’re a victim or a suspect.” Former federal prosecutor “A well-written AML program will not by itself be sufficient. It’s the everyday operation, the execution and delivery, that matters.” Wells Fargo MSB Risk Manager © 2013 JuanLlanos

37. Evolution of Regulatory Relations VALUES AND CULTURE REGULATORY RELATIONSHIP Minimum Standards As little as can get away with Unthinking, mechanical Compliance Culture By the book Bureaucratic Beyond Compliance Risk focused, self-policing Ethical business Values-based Spirit, not just letter Focus on prevention Strong learning Policing Enforcement lesson Basic training Supervising / Educating Look for early warnings Themed, focused visits Educating / Consulting Culture development Lighter touch Mature relationship Reinforce best practice Benchmark Reallocate resources to problem firms Source: Financial Services Authority, UK © 2013 JuanLlanos

38. © 2013 Juan Llanos Juan Llanos EVP & Compliance Officer Unidos Financial Services, Inc. 275 Seventh Ave. ‐ 20th Floor New York, NY 10001 Direct: (646) 485‐2264 Mobile: (646) 201‐6217 jllanos@unidosfinancial.com LinkedIn: www.linkedin.com/in/juanllanos Twitter: @JuanLlanos Blog: contrariancompliance.com Thank you!