# FinCEN
## FinCEN Advisory, FIN-2019-A003, May 9, 2019
**[[FinCEN Advisory CVC FINAL 508.pdf]]**
- [Source](https://www.fincen.gov/sites/default/files/advisory/2019-05-10/FinCEN%20Advisory%20CVC%20FINAL%20508.pdf) (pdf)
![[FinCEN Advisory CVC FINAL 508.pdf]]
### "Red Flag Indicators of the Abuse of Virtual Currencies"
**Darknet Marketplaces**
>- A customer conducts transactions with CVC addresses that have been linked to darknet marketplaces or other illicit activity.
>- A customer's CVC address appears on public forums associated with illegal activity.
>- A customer’s transactions are initiated from IP addresses associated with Tor.
>- Blockchain analytics indicate that the wallet transferring CVC to the exchange has a suspicious source or sources of funds, such as a darknet marketplace.
>- A transaction makes use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.
**Unregistered or Illicitly Operating P2P Exchangers**
>- A customer receives multiple cash deposits or wires from disparate jurisdictions, branches of a financial institution, or persons and shortly thereafter uses such funds to acquire virtual currency.
>- A customer receives a series of deposits from disparate sources that, in aggregate, amount to nearly identical aggregate funds transfers to a known virtual currency exchange platform within a short period of time.
>- Customer's phone number or email address is connected to a known CVC P2P exchange platform advertising exchange services.
**Unregistered Foreign-located MSBs**
>- A customer transfers or receives funds, including through traditional banking systems, to or from an unregistered foreign CVC exchange or other MSB with no relation to where the customer lives or conducts business.
>- A customer utilizes a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or known to have inadequate, AML-CFT regulations for CVC entities, including inadequate KYC or customer due diligence measures.
>- A customer directs large numbers of CVC transactions to CVC entities in jurisdictions with reputations for being tax havens.
>- A customer that has not identified itself to the exchange, or registered with FinCEN, as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions, which may indicate that the customer is acting as an unregistered MSB.
**Unregistered or Illicitly Operating CVC Kiosks**
>- A customer operates multiple CVC kiosks in locations that have a relatively high incidence of criminal activity.
>- Large numbers of transactions from different customers sent to and from the same CVC wallet address but not operating as a known CVC exchange.
**Illicit Activity Leveraging CVC Kiosks**
>- Structuring of transactions just beneath the CTR threshold or the CVC kiosk daily limit to the same wallet address either by using multiple machines (i.e., smurfing) or multiple identities tied to the same phone number.
**Other Potentially Illicit Activity**
>- A customer conducts transactions with CVC addresses that have been linked to extortion, ransomware, sanctioned CVC addresses, or other illicit activity.
>- A customer’s transactions are initiated from non-trusted IP addresses, IP addresses from sanctioned jurisdictions, or IP addresses previously flagged as suspicious.
>- Use of virtual private network (VPN) services or Tor to access CVC exchange accounts.
>- A customer initiates multiple rapid trades between multiple virtual currencies with no related purpose, which may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
>- A customer provides identification or account credentials (e.g. non-standard password, IP address, or flash cookies) shared by another account.
>- A customer conducts transactions or rapidly executes multiple conversions between various types of different CVCs below relevant due diligence, recordkeeping, or reporting thresholds and then transfers the value off of the exchange.
>- Discrepancies arise between IP addresses associated with the customer's profile and the IP addresses from which transactions are being initiated.
>- A customer significantly older than the average age of platform users opens an account and engages in large numbers of transactions, suggesting their potential role as a CVC money mule or a victim of elder financial exploitation.
>- A customer shows limited knowledge of CVC despite engagement in CVC transactions or activity, which may indicate a victim of a scam.
>- A customer declines requests for "know your customer" documents or inquiries regarding sources of funds.
>- A customer purchases large amounts of CVC not substantiated by available wealth or consistent with his or her historical financial profile, which may indicate money laundering, a money mule, or a victim of a scam.
>- A common wallet address is shared between accounts identified as belonging to two different customers.
>- Deposits into an account or CVC address significantly higher than ordinary with an unknown source of funds, followed by conversion to currency of legal tender, which may indicate theft of funds.
>- Multiple changes to email address and other contact information for an account or customer, which may indicate an account takeover against a customer.
>- Use of language in CVC message fields indicative of the transactions being conducted in support of illicit activity or in the purchase of illicit goods, such as drugs or stolen credit card information.
## FinCEN Guidance, FIN-2013-G001, March 18, 2013
**[[FIN-2013-G001.pdf]]**
- [Source](https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf) (pdf)
![[FIN-2013-G001.pdf]]