Customer Identification (ID) Indicators |
A customer:
- provides ID information that is false, misleading, vague, or
cannot be verified
- is identified in open-source information or adverse media as
known to law enforcement
- has sources of funds or sources of wealth that are inconsistent
with their profile
- refuses or is reluctant to provide ID information or
documents
- frequently changes their ID information, including email
addresses, IP addresses or financial information, which may also
indicate an account takeover
|
Customer Behaviour Indicators |
A customer:
- makes an unusual enquiry about whether they report to
government authorities and/or whether their activity is the
subject of law enforcement enquiries
- seems nervous, overly defensive, or evasive when
questioned
- is unwilling to or cannot provide reasonable explanations for
exchanges of virtual assets that have no economic rationale
|
Money Laundering Indicators |
A customer:
- accepts transfers from an unregistered and/or unregulated
virtual asset service ("VAS") provider, over-the-counter
("OTC") broker, P2P network, cryptocurrency mixer or
tumbler services, or higher-risk decentralised exchanges
- makes rapid conversions or exchanges from one virtual asset to
another, or a chain of rapid exchanges with no economic
rationale
- makes rapid conversions between fiat currencies and stablecoins
with no economic rationale
- transfers virtual assets to or from wallets that show previous
patterns of activity associated with an unregistered VAS provider,
OTC brokers, P2P platforms, cryptocurrency mixer/tumbler services,
or higher-risk decentralised exchanges
- uses virtual asset ATMs or kiosks, with no concern for higher
transaction fees
- makes deposits into their account that are significantly higher
than normal, with an unknown or unexplained source of funds,
followed by conversion to fiat currency
- conducts 'u-turn' transactions both domestically and
internationally, with a portion of those funds being returned
- conducts 'u-turn' transactions, buying into virtual
assets and then withdrawing in rapid succession
- makes multiple deposits to their account via different crypto
ATMs/kiosks, including where the ATM or kiosk location is
inconsistent with their profile
- makes virtual asset transactions that originate from or are
destined to online gambling services
- structures a deposit into their fiat currency account as
multiple smaller payments rather than a single transaction
- structures a virtual asset transaction as multiple smaller
transactions rather than a single transaction
- makes multiple high value transactions in a short time period
using an account that was recently created, or has been dormant for
a significant period of time
- regularly conducts virtual asset-fiat currency exchange at a
potential loss that has no economic rationale
- converts a large amount of fiat currency into virtual assets,
or a large amount of one type of virtual asset into other types of
virtual assets, with no economic rationale
- has an account that is accessed from a number of different IP
addresses simultaneously, or in a short period of time
- has funds originating from, or sent to, an exchange that is not
registered in the jurisdiction where either the customer or the
exchange is located
- funds their trading account by deposits from third parties
|
Cyber and Digital Indicators |
Darknet Marketplace Transaction Indicators |
A customer:
- makes transactions that are linked via blockchain analysis to
darknet clusters, child exploitation clusters, mixers or
higher-risk exchanges
- has a wallet address that appears to show exposure to
higher-risk conversion services or darknet marketplaces
- owns an account that appears to indicate use of, access to, or
donations to darknet explorers, including platform-enabling and
anonymised internet access, and possible illicit purchases on
darknet marketplaces
|
Ransomware Indicators |
A customer:
- increases any transaction limits on their account and then
quickly sends funds to a third party
- appears anxious or impatient with the time taken to make a
large payment from their account
- appears overly concerned with the speed of a transaction and/or
withdrawal approvals
- has sent funds from their digital currency address to an
identified ransomware address
- is newly on-boarded and wants to make an immediate and large
purchase of digital currency, followed by an immediate withdrawal
to an external digital currency address
- states that their transaction is in response to a
cyber-attack
- is evasive when asked about the reason for a transaction
- is identified in the media as being subject to a ransomware
attack
- mentions an 'adviser' or that they are being assisted
to purchase cryptocurrency
- attempts to transact in digital currency when you would not
normally expect them to
- has operations that appear to have changed significantly,
inconsistent with their profile
|
Cyber-crime Indicators |
A customer:
- provides a verification document that is a photograph of data
on a computer screen
- appears to operate multiple accounts with the exchange or
service, as indicated by their IP address/es
- uses language, grammar or syntax that does not match their
demographic
- presents ID or images with a file name that apparently
indicates it was generated from a social media platform
- has information indicating that they use an email account
from a high-privacy email service provider
- has inconsistent identification details
- attempts to create an account with fraudulent identification
documents
- keeps images of their identification document/s in a physical
plastic wallet, which may indicate the ID document is altered or
fraudulent
- has accounts that appear to have the characteristics of a mule
account, such as: multiple accounts linked to the same contact
details, addresses shared under different names, or customers
stating they are transacting for someone else
- provides an address that is not a residential address, such as
an office, carpark or vacant lot
- appears to use a virtual private network
- uses or trades only in privacy coins, inconsistent with their
profile
- makes payments to online infrastructure services used for
cyber-offending, mixers, cyber threat actors, or darknet
marketplaces or forums
- receives virtual assets from addresses identified with
cyber-crime activity
|
Serious Financial and Organised Crime Indicators |
Scams Indicators |
A customer:
- is linked to a higher-risk jurisdiction for scams via their IP
address
- receives deposits from multiple bank accounts in different
names, inconsistent with their profile
- makes transactions that are inconsistent with their
profile
- advises they are using their digital currency to participate in
an investment opportunity
- demonstrates limited digital currency knowledge during
on-boarding, but quickly purchases digital currency and sends it to
another digital currency address
- appears coached or rehearsed when answering personal and
on-boarding questions
- advises they are employed to purchase digital currency on
behalf of another individual or company
- advises they are sending funds to a friend or family in a
higher-risk jurisdiction for scams
- reports fraud or scam activity against themselves, or their
account
|
Tax Evasion Indicators |
A customer:
- uses services in a manner that has no commercial or economic
rationale
- enquires about avoiding tax reporting obligations
- enquires if personal or transaction information will be shared
with the Australian Taxation Office
- requests to hide or delete transactions
- sends or receives fiat currency to a wide range of related
personal or business accounts at different institutions
|
Child Exploitation Indicators |
A customer:
- transfers virtual assets to other wallets that are directly or
indirectly linked to child abuse materials
- has multiple small value same-day and/or consecutive-day
payments (generally under $500 per transaction)
- uses privacy coins inconsistent with their profile
|
Terrorism, National Security and International Crime Indicators |
Terrorism Financing Indicators |
A customer:
- transacts with sanctioned wallet addresses or people of
interest listed on government websites, such as the Office of
Foreign Assets Control or the Department of Foreign Affairs and
Trade Consolidated List
- is matched through screening against an Australian or
international sanctions list
- transacts with social media, communication applications,
crowdfunding or online fundraising campaigns linked to extremist
forums
- transfers to or from international exchanges with less
stringent customer identification processes, including those owned
or hosted in higher-risk jurisdictions for TF
- receives multiple small deposits, which are immediately
transferred to private wallets, inconsistent with their
profile
- has transacted with websites or wallet addresses considered to
be higher risk for TF, as indicated by blockchain analysis
|
Proliferation Financing Indicators |
Proliferation financing is when a person makes available an
asset, provides a financial service or conducts a financial
transaction that is intended to facilitate the proliferation of
weapons of mass destruction, regardless of whether the activity
occurs or is attempted.
Some indicators of circumstances that could be suspicious include a
customer:
- who is matched through screening against an Australian or
international sanctions list
- who transacts through jurisdictions of proliferation financing
concern
|