After a quarter-century in the U.S. Secret Service, few people understand the financial crime landscape better than Jeremy Sheridan. Now he’s taken a lifetime of experience and expertise into the crypto space, serving as Vice President of Regulatory Affairs at Prime Trust, a company that provides financial infrastructure APIs for fintech and digital asset companies. We’re pleased to welcome him for this Q&A session as part of our thought leadership series with industry experts and regulators.
GeoComply: During your tenure at the Secret Service, you saw firsthand how bad actors exploit the U.S. financial system for illicit purposes. As you’ve transitioned to the private sector, what are the first lines of defense you recommend businesses should take to guard against financial crimes?
Jeremy: I spent 25 years in the United States Secret Service, executing the integrated mission of protecting our nation’s leaders and investigating complex, cyber-enabled fraud. In this latter role, I served as the Assistant Director for the Office of Investigations, wherein I had strategic and operational oversight of the Secret Service’s global investigative mission. This encompassed more than 160 offices and 3,000 personnel around the world.
Throughout my investigative career, I was frequently asked about best practices, cyber defensive strategies, and preventative measures to deploy against adversaries. Naturally, there are technical, operational, and logistical approaches to steel an organization or network against intrusion. Explaining these tactics always felt cliché and didactic to me. Everyone seems to understand the need for MFA, password protection, software updates, and the like. Reiterating them often felt like I was met with an eye roll or vapid head nod.
Instead, I think the most significant recommendations I can provide relate to people and culture. The overwhelming majority of intrusions or cyber incidents are the result of human interaction and error. As such, it is imperative for businesses to commit themselves to their personnel and build them as the first line of defense. This goes to obvious areas such as training, cybersecurity awareness, and cyber hygiene policies, but these are often the “givens” that are implemented. More often, intrusions occur because personnel were not empowered and weren’t made to feel as if they were the most essential cog of the cyber defense apparatus. Employees must be given the authority to alert the organization to a cyber event and must not be castigated when they inevitably click on the phishing link.
Beyond creating a culture of empowerment and collective cybersecurity, the primary recommendation I can provide is to practice the cyber-incident response plan. It is of no use to have a strategy that is codified but not rehearsed.
The final element related to people involves relationships outside of one’s own organization. It is imperative to establish partnerships with law enforcement and private security firms prior to an issue arising. Law enforcement is essential to a business’ response plan as they bring additional resources and expertise to help contain the event. Additionally, they will deliver consequences to perpetrators and carry the weight of the law to gather potentially essential, legally protected information from third parties involved in the incident.
GeoComply: Sanctions evasion continues to be a critical concern, particularly in light of the conflict in Ukraine. In your experience, what are the top indicators – key data points – that could indicate potential sanctions violations?
Jeremy: Sanctions violations can involve a multitude of indicators, the core of which involve nontraditional business transactions. While technical indicators are certainly important, being able to identify deviations in behavior, pattern, or practice is imperative. This analysis and assessment must be the backbone of any technical screening program.
As most sanctions screening and identification involves automated processes, it is also essential to ensure sanctions screening software incorporates updates to the SDN List or SSI List; includes pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions; and accounts for basic identification capabilities, such as alternative spellings of prohibited countries or parties. It is also important to consider insider threats – existing employees who willfully and intentionally obfuscate sanctioned entities.
Allow me to take this opportunity to debunk the common narrative surrounding digital assets and sanctions. While Russia and North Korea have demonstrated a tendency to use cryptocurrency to evade some sanctions on low levels, this is not a methodology that can be used on a national scale. It is widely recognized that it is impossible to deal with the amount of cash needed to operate a national economy utilizing cryptocurrency, and it has been consistently established that there is no evidence of Russia using cryptocurrency to evade current sanctions related to the war in Ukraine.
GeoComply: In its virtual currency guidance for sanctions compliance, OFAC highlighted geolocation tools and IP address blocking controls as a sanctions compliance best practice. What role do you think these tools serve in helping FIs and crypto companies meet their AML (Anti-Money Laundering) and sanctions obligations?
Jeremy: For private companies such as Prime Trust, we employ a diligent and extensive compliance program. This involves rigorous AML (Anti-Money Laundering), KYC, and sanction screenings when onboarding a client and throughout the relationship. This rigor extends to our fiat and crypto transaction monitoring processes. These systems involve a variety of manual and automated tools.
For the crypto industry as a whole, geolocation and IP address-blocking tools are invaluable assets related to sanctions controls and meeting sanctions obligations. They are foundational elements for determining the location of potentially sanctioned actors and constitute the first steps for sanction decisions. It is hard to imagine having a thorough sanction program without these fundamental tools present.
Interested in taking your crypto compliance program to the next level?
Check out our white paper: “How Virtual Currency Companies Can Raise the Compliance Bar”