Why Does the Crypto Industry Need to Understand Indirect Risk Exposure?

With regulatory scrutiny of crypto increasing around the world and illicit activity in the space growing more complex, industry players, from crypto businesses to financial institutions (FIs) to regulators, are struggling to keep up with the pace of change. Criminals are taking greater steps to obfuscate the source of their funds. It is therefore essential for crypto industry players to stay one step ahead in order to fulfill their regulatory obligations. For blockchain transaction monitoring, that means using all the information available to detect risk more accurately without becoming overloaded with information.

In crypto transactions, risk exposure refers to the amount of risk that originates from interactions between the target address and addresses that can be linked to illicit and suspicious activities. By definition, direct risks are risks identified in a one-hop analysis. Indirect risks are risks identified beyond one hop. Criminals have found new ways to detach themselves from direct risks by disconnecting from known and flagged addresses. Therefore, it is essential for crypto businesses and financial institutions to look beyond direct risk exposure and also analyze indirect exposure to increase their risk visibility beyond the first hop.

Direct & indirect crypto exposure in traditional finance

FIs are delving into the crypto space both directly and indirectly, and both routes require an understanding of risk exposure. First, through direct exposure: FIs are either launching their own blockchain-based currency or cryptocurrency-based divisions. For instance, the U.S.-based custodian bank State Street started a new unit called State Street Digital, which seeks to expand the digital outreach of the bank by turning its electronic trading platform, GlobalLink, into a multi-asset digital trading system. Second, even if financial institutions do not launch their own blockchain-based currency or platform, they can still be exposed to indirect risks if they allow crypto businesses to open bank accounts with them. For instance, Metropolitan Commercial Bank has permitted crypto exchange Coinbase to open a business bank account with it. In this case, even though the bank doesn’t hold any crypto assets, it would still be exposed to indirect risks.

Regulators around the world now expect crypto businesses and FIs to develop and implement comprehensive AML compliance programs that include crypto-related risks. As early as 2018, FinCEN and other U.S. financial regulators issued a joint statement directing institutions to either put in place or enhance “innovative internal financial intelligence units devoted to identifying complex and strategic illicit finance vulnerabilities and threats.” And on 23 December 2020, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) released a Notice requiring banks to identify and report suspicious activities relating to virtual asset transactions.

The price of non-compliance

On 30 January 2020, the U.S. Office of the Comptroller of the Currency (OCC) issued a cease and desist order to Safra Bank because it allowed Money Service Businesses (MSBs) that facilitate crypto asset trading to open and operate Federal Deposit Insurance Corporation-insured cash accounts without paying heed to the increased risks that they present. Furthermore, Safra Bank did not take sufficient measures to meet the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program requirements.

As the cryptocurrency and traditional financial industries continue to merge, it is imperative for the industry to understand the standards for reporting and compliance obligations that are required of traditional FIs. Crypto businesses should look at the Safra Bank case as a cautionary tale and strictly adhere to the compliance standards laid down by regulators. Crypto businesses looking to work with financial institutions should have effective risk management controls — including AML controls — in place that take into consideration both direct and indirect risks.


How Merkle Science can help


Merkle Science’s recent multi-hop release equips users to investigate both direct and indirect risks by auto-analyzing all the addresses listed by the users on the platform. This intuitive feature facilitates the investigation of all the transactions between identified entities within a five-hop radius. Once an indirect risk is located, the compliance officer can investigate addresses either up to five hops out or until an identified entity is detected, and find out which entity actually transferred funds to the address in question.

With the addition of the multi-hop feature, Merkle Science’s proprietary Behavioral Rule Engine becomes even more powerful. It enables users to design separate rules to detect direct and indirect risk exposures and assign each rule to a different risk level, allowing for simpler and more efficient analysis. Multi-hop analysis saves compliance officers valuable time and makes it easier to identify which address(es) to focus on without getting lost in a pool of transactions.
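The hop-based tracing described above can be sketched as a breadth-first walk backwards from the target address. This is an added example, not Merkle Science's code or rule engine; the addresses, entity labels, categories and function names are all constructed for illustration.

```python
from collections import deque

MAX_HOPS = 5  # the five-hop radius the article describes

# Constructed sample graph: receiving address -> addresses that sent it funds.
SENDERS = {
    "target": ["a1", "a2", "exchange_x", "ransom_r"],
    "a1": ["b1", "target"],          # cycle back to target, must not loop
    "b1": ["mixer_m"],
    "a2": ["c1"], "c1": ["c2"], "c2": ["c3"], "c3": ["c4"],
    "c4": ["darknet_d"],             # six hops out: outside the radius
    "exchange_x": ["scam_s"],        # sits behind an identified entity
}
# Constructed labels for identified entities (hypothetical names).
LABELS = {"exchange_x": "exchange", "ransom_r": "ransomware",
          "mixer_m": "mixer", "darknet_d": "darknet market", "scam_s": "scam"}
ILLICIT = {"ransomware", "mixer", "darknet market", "scam"}


def trace_sources(target, senders=SENDERS, labels=LABELS, max_hops=MAX_HOPS):
    """Walk backwards from target; each branch stops at the first
    identified entity or at max_hops, whichever comes first."""
    found, seen = [], {target}
    queue = deque([(target, 0, [target])])
    while queue:
        addr, hops, path = queue.popleft()
        if hops == max_hops:
            continue
        for src in senders.get(addr, []):
            if src in seen:
                continue
            seen.add(src)
            step = path + [src]
            if src in labels:        # identified entity: record, do not expand
                found.append({"entity": src, "category": labels[src],
                              "hops": hops + 1, "path": step})
            else:
                queue.append((src, hops + 1, step))
    return found


def risk_exposure(target, **kw):
    """Split illicit findings into direct (one hop) and indirect (beyond)."""
    out = {"direct": [], "indirect": []}
    for f in trace_sources(target, **kw):
        if f["category"] in ILLICIT:
            out["direct" if f["hops"] == 1 else "indirect"].append(f)
    return out
```

On the sample graph, the ransomware sender one hop away is direct exposure and the mixer three hops away is indirect, while the address behind the exchange and the one six hops out are never reached.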


With a more comprehensive view of their crypto risk exposures, businesses save time and resources so that they may effectively operate with leaner compliance teams.