Tax and AML KYC
In the last decade, there has been significant momentum for governments globally to clamp down on tax evasion and tax avoidance. This has taken the form of regimes such as the US Foreign Account Tax Compliance Act (FATCA) and the OECD Common Reporting Standard (CRS) involving the automatic exchange of financial account information.
“Crypto assets currently do not fall within the definition of financial assets but all that could change given the regulators are considering how to bring these assets within scope of FATCA and CRS later this year or early 2022”.
These measures create obligations on financial institutions to collect tax residency information from customers, validate and report financial account information when the beneficial owners are US persons or tax resident in a reportable country outside of the country in which they hold a financial account. Crypto assets currently do not fall within the definition of financial assets, but all that could change given the regulators are considering how to bring these assets within scope of FATCA and CRS later this year or early 2022.
VASPs and KYC
Depending on the stage of authorisation or registration, the AML program of a VASP can vary from one exchange/wallet provider to another.
“This means that the amount and type of KYC they may have initially collected on their first cohort of users may be vastly different from what VASPs are starting to obtain now that they have been welcomed into the regulated AML arena”.
And those programs are likely to have evolved as the business has scaled over time. And unlike conventional financial institutions, many of them began their operations in a non-regulated environment. This means that the amount and type of KYC they may have initially collected on their first cohort of users may be vastly different from what VASPs are starting to obtain now that they have been welcomed into the regulated AML arena.
I’ve seen firms adopt a variety of tactics to try and deal with these disparities. But the impetus often seems to come from a planned regulatory visit, questions raised by the local AML supervisor about their registration application or banking partners who insist that measures be taken, otherwise the accounts provided to the VASP may need to be closed.
This recent (over the last 2.5 years) push by the IRS provides a great illustration about the importance of VASPS being pro-active in resolving these KYC disparities.
The Tax Man Comes Calling
Two well-known VASPs have received these John Doe summons. We’ll call them VASP 1 and VASP 2. Both started up before VASP activities were regulated for AML purposes and have scaled rapidly over the last few years.
In the summons, both VASPS were asked to provide the IRS with information about transactions and the individual users of their services. Specifically, they requested information so that they could verify whether certain customers were US taxpayers and should have declared the gains they’d made on their cryptocurrency trading activity.
This is no easy task for the IRS. And that’s largely due to the fact that folks who’ve invested in crypto do not transact the same way people did with a conventional bank account 20 years ago. Crypto owners will often have accounts with more than one VASP exchange and/or wallet provider. In one case being investigated, an individual had undertaken transactions involving close to 10 different exchanges. So, following the money becomes a wild goose chase.
“It is not all that uncommon for Crypto owners to use aliases, false addresses, fictitious entity names, tumblers and so forth, either to maintain their privacy or for more nefarious reasons”.
And it’s not enough for the IRS to simply obtain the name, address and date of birth (DOB) and taxpayer ID. While that might indicate that an individual with an offshore bank account is a US person for tax purposes, that does not quite do the trick when it comes to crypto. The IRS has noted that it is not all that uncommon for Crypto owners to use aliases, false addresses, fictitious entity names, tumblers and so forth, either to maintain their privacy or for more nefarious reasons.
“There were over 150 cases in which account data did not include a name, 170 in which a pseudonym was given, over 500 instances where there was no DOB and 1000 or so instances where no physical address information has been recorded”.
The summons issued to VASP 1 had mixed results. The VASP couldn’t provide taxpayer ID numbers for more than 1% of its users. There were over 150 cases in which account data did not include a name, 170 in which a pseudonym was given, over 500 instances where there was no DOB and 1000 or so instances where no physical address information has been recorded. After some “consultation”, the VASP is reported to have returned the population with missing addresses from 1000 to 650 and missing DOBs to just under 500 individuals. But the VASP could not provide the missing taxpayer ID numbers because it simply had not included it as one of the data points it requested as part of the onboarding process for certain types of accounts.
The IRS subsequently used other information sources and managed to identify another 530 US taxpayers from the VASP’s customer base information, but a further 750 remain unidentifiable because of the missing KYC. The reason why it was missing? The VASP admitted that it had not been collecting some of this information on its older accounts.
VASP 2 was asked to provide similar KYC information. It, however, had a more developed AML programme and adopted a risk-based approach that determined how much KYC information new customers (referred to as ‘users’) had to provide. It requires all users to provide their name, DOB, physical address along with the user’s email address and telephone number. However, it does not require a taxpayer ID for their most basic product. But for the most complex product, VASP 2 essentially undertakes an Enhanced Due Diligence collection process where the user is asked for additional KYC information including employment, net worth, source of funds, purpose of account, deposit/withdrawal information and expected trading activities.
So, what was the problem here? Well again another simple answer: Data aggregation and retrieval.
“But VASP 2 did not have its user data configured to be searched based on address information. Instead, it designed that system around a user’s email address, IP address and telephone number.”
While VASP 2 collected basic KYC data from all users, and that data would have really helped the IRS to determine whether that user was a US person (even without the tax ID). But VASP 2 did not have its user data configured to be searched based on address information. Instead, it designed that system around a user’s email address, IP address and telephone number. VASP 1 was also unable to interrogate its user data based on the tax ID. This meant that without the Tax ID, the IRS could not determine whether the people they had identified really were US taxpayers.
And here’s how it all ties together. Because of the way their data was aggregated and retrieved, VASP 2 missed one of the oldest KYC red flags out there: when a customer’s activity is inconsistent with their known risk profile.
Two examples given by the IRS in court documents illustrate this:
Taxpayer 1 claimed in a prior tax return to have an income equivalent to a minimum wage paying job. However, two years after filing that return, Taxpayer 1 was involved in more than $39 MILLION crypto-related transactions, trading via legal entities.
“Taxpayer 4 then engaged in approximately $5.6MILLION in crypto transactions. As the IRS said in one of the court documents, ‘This reflects a disconnect between reported income and financial status’.
Taxpayer 4 filed a tax return similar to that of Taxpayer 1. Taxpayer 4 then engaged in approximately $5.6MILLION in crypto transactions. As the IRS said in one of the court documents, “This reflects a disconnect between reported income and financial status”. I would tend to agree.
The collection and analysis of IP address information as part of a user’s KYC details also proving to be an essential source to detect possible tax evasion, and specifically the misuse of offshore exchanges. The IRS are leveraging data obtained from offshore VASPs to detect whether an individual is attempting to conceal income gained from these transactions from the US tax authorities, particularly those which do not require a user to provide their tax ID number.
While VASPS start to get their AML/CFT compliance programs off the ground, they’d do best to remember that the work does not stop there.
VASPS will also need to verify whether they are also obliged to comply with the CRS and FATCA requirements. And that involves determining whether their business falls within the regulatory definition of a financial institution.
If they do, and they are likely to, they will need to implement procedures to comply with these complex regulations. And the requirements under these are hinged on the KYC information that must be collected and verified under the AML regulatory requirement. So, VASPs will need to be prepared to deal with the regulator knocking on the door for KYC and it’s the tax man.
Similarly, crypto assets pose a particular conundrum for taxpayers because the regulations in most countries do not specifically prescribe for the tax treatment in relation to these investments and returns;
There’s much need for regulatory clarity and guidance to ensure tax payer obligations are clear. But until that takes place, jurisdictions such as the United States are taking action and expect that VASPs can search, extract and report the KYC data now required to be held and verified. There’s no grandfathering on the AML/CFT requirements, so VASPS may be looking at some back book KYC remediation in the months to come.
 The IRS tries to match three specific alternative KYC data points, such as date of birth, residential address, email address etc, to positively link an account to a taxpayer.