Preparing for skinny accounts: a guide for crypto companies
Systemic Debanking: Operational Guide for VASPs
TL;DR
Systemic debanking is a key operational risk for Virtual Asset Service Providers (VASPs). This guide offers a step-by-step plan for building a resilient financial infrastructure through diversification of banking partners, implementation of risk-based AML/CFT compliance, and preparation for new regulatory requirements.
The recommendations apply to crypto exchanges, wallets, OTC platforms, and payment providers operating in jurisdictions with developed regulation (e.g., the EU), and also address the specifics of companies with US licenses (including the NY BitLicense).
Introduction
The denial of banking services (debanking) is a systemic risk for the crypto industry. At the same time, regulators such as the US Federal Reserve (Fed) are creating new, albeit complex, pathways for accessing financial infrastructure through skinny master accounts. This article presents an operational plan to help minimize account blocking risks, build robust compliance, and strategically prepare for future opportunities.
Target Scope and Limitations:
- VASP Types: Recommendations are focused on crypto exchanges, custodial wallets, OTC platforms, and crypto payment gateways (PSPs).
- Jurisdictions: The plan assumes the company holds a license in a jurisdiction with developed regulation (e.g., VASP in the EU, license in the UAE or Singapore).
- Exclusions: This guide does not cover specific requirements for companies with US licenses (e.g., BitLicense in New York State), which impose different, more stringent obligations.
30, 90, and 180-Day Action Plan
| Period | Tasks | Responsible Party | Estimated Resources | Definition of Done |
|---|---|---|---|---|
| 30 days | - Internal Audit and Systematization:<br> - Audit current KYC/AML policy for FATF compliance.<br> - Retrospective AML screening of corporate wallets for 6 months.<br> - Collection and systematization of a full package of legal and corporate documents. | AML Officer, Chief Risk Officer (CRO) | - Startup: 20–40 man-hours.<br>- Growing Company: 50–80 man-hours. | Report prepared with 3–5 key vulnerabilities and a remediation plan. Documents collected in a single data room with controlled access. |
| 90 days | - Infrastructure Strengthening:<br> - Submit applications for account opening at 2–3 new banks/EMIs.<br> - Pilot launch and integration of an AML transaction monitoring tool.<br>- Documentation Preparation:<br> - Form a complete compliance package for banks. | CEO/CFO (bank negotiations), CTO/AML Officer (integration) | - Startup: $5,000–$15,000 (legal, integration).<br>- Growing Company: $15,000–$40,000 (legal, software license, integration). | Applications submitted to at least two financial institutions. AML tool integrated; basic rules and escalation thresholds configured. |
| 180 days | - Strategic Resilience:<br> - Activation of at least one reserve bank account.<br> - Formalization and testing of the Business Continuity Plan (BCP).<br> - Obtaining a legal opinion on readiness for a skinny master account application. | CFO/COO, CRO, External Legal Consultant | - Startup: $10,000–$20,000 (legal).<br>- Growing Company: $25,000–$50,000+ (legal opinion for the Fed). | Reserve account is fully operational. BCP approved and tested. Legal opinion obtained regarding company compliance with Fed criteria. |
1. Diversification of Banking Partners
Do not rely on a single bank. The optimal strategy is at least three accounts:
- Primary operational account for daily payments.
- Reserve operational account in a different bank and/or jurisdiction for rapid flow switching.
- Reserve custody account in a high-reliability bank, not used for frequent operations.
Prioritization of Jurisdictions for Account Opening:
- Payment Flows: Alignment with the geography of your primary clients and counterparties.
- Regulation: Presence of clear rules for VASPs (e.g., Switzerland, Singapore, UAE, EU countries under the MiCA regime).
- Bank Reputation: The bank's experience working with crypto companies and transparent risk management policies.
Alternatives to Traditional Banks (Plan B)
If banks refuse, consider the following options:
- EMI (Electronic Money Institutions): More flexible than banks, but often with higher fees and volume limits.
- Payment Service Providers (PSP): Suitable for accepting payments, but not for storing large sums.
- Banking-as-a-Service (BaaS): Platforms providing banking infrastructure via API. Require technical integration.
Legal and Tax Risks in Diversification
Opening an account abroad creates risks. Work through them with lawyers before starting operations.
Typical Scenarios and Their Consequences:
- Permanent Establishment (PE): The presence of a local manager with signing authority or an office in the bank's country may create tax obligations for the entire company in that jurisdiction.
- Controlled Foreign Companies (CFC): Profits of a subsidiary opened to maintain an account may be taxed in the parent company's country.
Checklist of Questions for a Lawyer:
- Does opening and maintaining an account in [Jurisdiction] create a risk of a permanent establishment (PE)?
- What are the reporting requirements under CFC rules in our primary jurisdiction?
- Does our business model require obtaining a local VASP license in [Jurisdiction]?
- How will the Automatic Exchange of Information (CRS) affect the data privacy of our beneficiaries and reporting?
2. Preparation of the Document Package
Your compliance package must be flawless and ready for submission upon request.
Document Package Checklist
| Status | Document | Description and Requirements |
|---|---|---|
| Mandatory | 1. AML/KYC Policy | Detailed description of procedures: CDD/EDD, risk scoring, transaction monitoring, SAR filing procedure. The document should reference FATF recommendations and local legislation. |
| Mandatory | 2. AML Officer Contact Details | Full name, position, professional certifications (e.g., CAMS), and direct contact information. |
| Mandatory | 3. Corporate Documents | Certificate of registration, articles of association, current ownership structure diagram (UBO) indicating ownership stakes and source of wealth. |
| Mandatory | 4. Business Model Description | Detailed description of sources of funds, geography of operations, typical customer profile, and fiat/crypto flow diagrams. |
| Recommended | 5. Transaction Reports | Statements for the last 6–12 months with explanations for the largest or non-typical transactions. |
| Recommended | 6. Legal Opinion | Opinion from a reputable law firm regarding the compliance of your activities with legislation. |
| Optional | 7. External Audit Report | Report from independent auditors (e.g., Big4) or certifications (SOC 2, ISO 27001) confirming the reliability of internal controls. |
3. Transaction Monitoring and Risk Management
Implement an automated Risk-Based Approach.
Examples of AML Monitoring Rules
Set up triggers for automatic transaction verification:
- Chain-hopping: A user rapidly exchanges one asset for another through several transactions to obfuscate the trail.
- Interaction with Mixers/Sanctioned Addresses: Direct or indirect (within 1–2 "hops") links to addresses on sanctions lists (OFAC) or associated with the darknet.
- Rapid Inbound/Outbound Spikes: A large deposit followed almost immediately by a withdrawal to multiple addresses.
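The sketch below is an added example, not code from this guide or from any AML vendor. It expresses two of the rules above as code: exposure to a listed address within 2 hops, and a large deposit followed quickly by withdrawals to multiple addresses. The addresses, ledger rows, thresholds (USD 10,000, 30 minutes, 3 destinations) and function names are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data: addresses, amounts and thresholds are illustrative assumptions.
LISTED = {"addr_mixer"}  # stand-in for a sanctions/mixer address list
TRANSFERS = [("addr_mixer", "addr_a"), ("addr_a", "addr_b"), ("addr_b", "addr_c")]
T0 = datetime(2024, 1, 1, 12, 0)
LEDGER = [  # (user, kind, usd, timestamp, counterparty address)
    ("u1", "deposit", 50_000, T0, "addr_b"),
    ("u1", "withdrawal", 16_000, T0 + timedelta(minutes=4), "addr_p"),
    ("u1", "withdrawal", 17_000, T0 + timedelta(minutes=6), "addr_q"),
    ("u1", "withdrawal", 16_500, T0 + timedelta(minutes=9), "addr_r"),
    ("u2", "deposit", 20_000, T0, "addr_z"),
]

def hops_to_listed(address, transfers=TRANSFERS, listed=LISTED, max_hops=2):
    """BFS over transfers (either direction): hops to the nearest listed address, else None."""
    graph = {}
    for src, dst in transfers:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    queue, seen = deque([(address, 0)]), {address}
    while queue:
        node, dist = queue.popleft()
        if node in listed:
            return dist
        if dist < max_hops:
            for nxt in graph.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, dist + 1))
    return None

def rapid_in_out(ledger=LEDGER, min_usd=10_000, window=timedelta(minutes=30), min_dests=3):
    """Users whose large deposit is followed within `window` by withdrawals to >= min_dests addresses."""
    flagged = set()
    for user, kind, usd, ts, _ in ledger:
        if kind == "deposit" and usd >= min_usd:
            dests = {addr for u, k, _, t, addr in ledger
                     if u == user and k == "withdrawal" and ts < t <= ts + window}
            if len(dests) >= min_dests:
                flagged.add(user)
    return sorted(flagged)

def screen(ledger=LEDGER):
    """Run both rules; each alert would enter the L1 analyst queue."""
    alerts = [{"user": u, "rule": "listed_exposure", "hops": h} for u, _, _, _, addr in ledger
              if (h := hops_to_listed(addr)) is not None]
    return alerts + [{"user": u, "rule": "rapid_in_out"} for u in rapid_in_out(ledger)]
```

With the constructed ledger, `screen()` raises two alerts for `u1` and none for `u2`; an address three hops from the listed one (`addr_c`) falls outside the 2-hop limit and is not flagged.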
Escalation Process (Decision Tree)
Automatic flag (rule triggered) → L1 Analyst (checklist review, 1–4 hours) →
(If risk is confirmed) →
AML Officer/L2 Analyst (deep analysis, requesting documents from the client, 4–24 hours) →
(If suspicions are justified) →
Decision making (transaction rejection, account blocking) and SAR preparation.
Requirement: All steps, decisions, and collected data must be logged for submission to the regulator and used as evidence. Data retention — at least 5 years.
Key Metrics (KPIs) for Compliance Assessment
| Metric | Formula / Methodology | Target Values (Benchmark) |
|---|---|---|
| False Positive Rate (FPR) | False Positives / (False Positives + True Positives) | - Startup: < 15%<br>- Mature Company: < 5% |
| Average Case Resolution Time | Average time from alert generation to closure. Calculated separately for cases of different priority (low, medium, high). | - High Priority: < 8 hours<br>- Medium Priority: < 24 hours |
| SAR Filing Rate | Number of SARs filed / Number of high-risk cases | Depends on risk appetite, but an abnormally low value (< 1%) may raise questions from the regulator. |
Choosing AML Tools
When choosing a provider (Chainalysis, Elliptic, etc.), conduct a pilot project.
Provider Evaluation Criteria:
- SLA on Data Updates: How quickly are new sanctioned addresses added to the database?
- Customization Capabilities: Can you create custom rules and risk scores?
- API Latency: What is the API response delay when checking a transaction?
- Retrospective Analysis: Does the tool support scanning historical data?
Step-by-Step Pilot Project Plan:
- Define Scope: Select 1–2 key risk scenarios for testing (e.g., inbound transactions > $1,000).
- Test on Historical Data: Upload data for the last 3 months and evaluate the number and quality of alerts.
- Evaluate FPR and Accuracy: Compare results with your current system or manual checks.
4. Preparing for a Skinny Master Account
Access to Fed accounts is a strategic goal for mature companies, requiring an impeccable reputation and compliance with strict criteria.
Estimated list of documents for filing with the Fed:
- Business plan for 3–5 years with financial projections.
- Detailed description of the AML/BSA program, including policies, procedures, and independent audit reports.
- Information security policies, Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP), confirmed by audit reports (e.g., SOC 2 Type II, ISO 27001).
- Audited financial statements for the last 3 years confirming sufficient capital.
- Legal opinion from a reputable US firm confirming compliance with requirements.
- Biographies and proof of qualification for key executives (regulator's questionnaire format).
Stages and Timelines: The process from application submission to a decision can take 12–24 months and requires significant investment in lawyers and auditors.
5. Data Protection and GDPR Compliance
AML requirements (data collection) and GDPR (data minimization) often conflict. A balance must be found.
- Data Protection Impact Assessment (DPIA): Conduct a DPIA for all processes related to the processing of personal data of clients (KYC, transaction monitoring).
- User Consent: Clearly state in the privacy policy what data is collected for AML purposes, how long it is stored, and to whom it may be transferred.
- Data Minimization for Travel Rule: When transferring transaction information to another VASP, use secure channels (e.g., TRP protocol) and transfer only the minimum necessary amount of personally identifiable information (PII) required by law.
6. Business Continuity Plan (BCP) and Debanking Runbook
Develop and regularly test a detailed action plan.
| Runbook Element | Description |
|---|---|
| Roles and Responsibilities | - CFO: Activation of the reserve account, communication with banks.<br>- AML Officer: Collection of evidence for disputed transactions.<br>- Head of Payments: Technical switching of payment gateways.<br>- Legal Department: Preparation of official inquiries and claims. |
| Key Metrics | - RTO (Recovery Time Objective): Target time to restore operational activity — no more than 4 hours.<br>- RPO (Recovery Point Objective): Maximum allowable data loss — 0 (all transactions must be accounted for). |
| Activation Procedure | 1. (T+0 min): Detection of the problem, informing responsible persons.<br>2. (T+15 min): Sending an official inquiry to the bank to clarify reasons.<br>3. (T+30 min): Decision to activate the reserve account (CFO).<br>4. (T+1 hour): Technical switching of flows to the reserve bank (Head of Payments).<br>5. (T+2 hours): Notifying key partners about possible delays. |
| Testing Checklist | - Quarterly: Conduct a test payment through the reserve account.<br>- Every six months: Conduct a simulation of a full operational flow switch. |
| Incident Report Template | Includes date, incident description, timeline of actions, financial losses, lessons learned, and a plan to prevent recurrence. |
7. Practical Case Studies (Anonymized)
Case 1: Successful Diversification
- Situation: Crypto Exchange "A" from the EU proactively opened operational accounts in Swiss and UAE banks in addition to its primary account in Lithuania.
- Incident: The Lithuanian bank froze the account due to a change in its policy on working with crypto-assets, citing high risk.
- Result: The company switched all operational flows to the Swiss account within 3 hours. Financial losses were minimal, and there was no reputational damage.
Case 2: Compliance Failure
- Situation: Payment Provider "B" used a simplified AML policy and did not conduct deep on-chain analysis.
- Incident: The partner bank discovered several transactions associated with mixers and immediately closed the account, filing a SAR with the regulator.
- Result: The company lost its only banking channel. Due to a negative reputation and weak AML documentation, other banks refused to open an account for 4 months, leading to a de facto halt of the business.
Conclusion: Three Priority Steps
To build a resilient financial infrastructure, act proactively:
- Conduct an internal audit and prepare documents (see Section 2). Evaluate current AML/KYC processes and assemble a flawless compliance package. This is your foundation.
- Diversify banking partners (see Section 1). Open at least one reserve account in another jurisdiction, having previously assessed legal and tax risks with the help of consultants.
- Automate monitoring and planning (see Sections 3 and 6). Implement an AML solution for transaction screening and develop a detailed emergency action plan. Test it regularly.
After completing the 180-day plan, evaluate readiness for a skinny master account application by engaging external legal consultants and auditors specializing in US banking regulation.
Glossary
- VASP (Virtual Asset Service Provider): Provider of services in the sphere of virtual assets.
- SAR (Suspicious Activity Report): A report on suspicious activity filed with a financial regulator.
- UBO (Ultimate Beneficial Owner): The final beneficial owner.
- Travel Rule: FATF recommendation requiring VASPs to collect and transfer information about transaction participants.
- Skinny Master Account: A specialized account at the US Fed providing direct access to the country's payment system.
- RTO/RPO (Recovery Time/Point Objective): Targets for how quickly operations must be restored (RTO) and how much data loss is acceptable (RPO) after a failure.
Useful Resources
- Guidelines for Evaluating Account and Services Requests (Federal Reserve) (Published: 08/15/2022) — Official Fed explanations on access to master accounts.
- FATF Guidance for a Risk-Based Approach to Virtual Assets and VASPs (Updated: 10/28/2021) — International FATF standards.
- Bank Secrecy Act (BSA) Information (FinCEN) (Current as of 2023) — Key AML/CFT rules for companies operating in the US.