- Law firms
September 26, 2022 - For many decades, the U.S. government has required financial institutions to take steps to help detect and prevent financial crimes including money laundering and terrorist financing. Federal law requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000, identify and assess risk of customers (Know Your Customer (KYC) rules) and report suspicious activity that might suggest money laundering, tax evasion, or other criminal activities.
While Congress has repeatedly sought to enhance the anti-money laundering (AML) laws and penalties, federal regulators have played a critical role in updating and enforcing these regulations as they apply to cryptocurrency businesses. States, meanwhile, have also inserted themselves into this regulatory mix. The overlapping jurisdictions of these government regulators coupled with differing interpretations of AML compliance have triggered confusion and criticism from the cryptocurrency industry.
A review of recent enforcement actions, as well as regulators' statements and formal guidance, sharpen the focus of regulatory intent in the cryptocurrency industry. In addition, the growing number of methods and technologies developed to conduct KYC and transaction monitoring help clarify and expand best practices for participants in the industry.
I. The legal and regulatory framework of the crypto industry
Planting its jurisdictional flag in crypto's early days, FinCEN (Financial Crimes Enforcement Network, U.S. Treasury) declared in 2013 that "administrators or exchangers" of virtual currency qualify as money services businesses under the Bank Secrecy Act (BSA) and FinCEN regulations. (FinCEN defined an "exchanger" as a person or entity engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency, and an "administrator" as a person or entity engaged as a business in issuing a virtual currency and who has the authority to redeem such currency.)
Further, FinCEN requires that money services businesses register with FinCEN and develop, implement, and maintain an AML compliance program. In the Anti-Money Laundering Act of 2020, Congress made explicit that businesses that exchange or transmit virtual currencies qualify as regulated entities.
In 2019, FinCEN issued guidance that mixer or tumbler service providers must also comply with the BSA. (A cryptocurrency mixing or tumbler service is a service offered to mix potentially identifiable or "tainted" cryptocurrency funds with others, so as to obscure the trail back to the asset's original source.)
In October 2020, FinCEN announced a $60 million civil money penalty against Larry Dean Harmon, the founder, administrator, and primary operator of Helix and Coin Ninja, convertible virtual currency "mixers," or "tumblers," for violations of the BSA and its implementing regulations.
FinCEN has also made clear that AML obligations extend to Decentralized Finance, commonly referred to as DeFi, a blockchain-based form of finance that does not rely on central financial intermediaries such as brokerages, exchanges, or banks. According to FinCEN, DeFi exchanges that use Peer to Peer (P2P) technology are required to comply with the BSA obligations that apply to money transmitters, including registering with FinCEN as a money service business and complying with AML requirements, including filing Suspicious Activity Reports (SARs).
SEC saber-rattling toward the crypto industry has increased dramatically during the Biden administration. Among many dramatic statements, SEC Chairman Gary Gensler warned in April 2022 that regulatory loopholes in the crypto markets could undermine 90 years of securities law. He has also likened the crypto industry to the "Wild West" and cautioned that stablecoins may facilitate those seeking to sidestep AML policy. Similarly, the SEC's Division of Examinations recently made clear that upcoming reviews of broker-dealers engaging in cryptocurrency sales will include a focus on AML compliance.
To date, the SEC has focused primarily on crypto as a security and therefore whether there should be compliance with the U.S. Securities Exchange Act and related laws. Indeed, the SEC has focused crypto enforcement firepower primarily in connection with allegations of unregistered sales of securities. In August 2021, for example, the SEC announced that Poloniex LLC would pay more than $10 million to settle charges for operating an unregistered online digital asset exchange in connection with its operation of a trading platform for digital asset securities. More recently, in February 2022, BlockFi Lending LLC (BlockFi) agreed to settle with the SEC for $100 million for failing to register the offers and sales of its retail crypto lending product.
The CFTC has adopted the view that cryptocurrency amounts to a commodity, and therefore, companies that trade cryptocurrency-related swaps fall within its jurisdictional reach. Likewise, a recent bill proposed by Senators Cynthia Lummis and Kirsten Gillibrand would strengthen the CFTC's jurisdiction over digital assets, although the senators recently announced that the legislation will likely be deferred.
Significant CFTC enforcement actions against the cryptocurrency industry include the August 2021 consent order requiring five companies charged with operating the BitMEX cryptocurrency derivatives trading platform to pay $100 million. The order found that BitMEX violated the Commodities Exchange Act by operating a facility to trade or process swaps without approval and, notably, that the platform had failed to implement AML procedures.
D. State regulators
The New York State Department of Financial Services (DFS) is one of the leading crypto regulators, and New York's regulatory framework remains the most robust among the states. New York State's BitLicense regulation, enacted in 2015, requires companies engaging in virtual currency activities in New York to acquire a license from DFS and to implement a robust AML program.
On Aug. 2, 2022, DFS announced a $30 million settlement with the crypto trading division of Robinhood in connection with AML and cybersecurity compliance shortcomings. In addition, although DFS has not publicly announced any AML-related enforcement actions against Coinbase, in February 2022 Coinbase publicly reported a DFS investigation into the exchange's AML practices.
There is little uniformity among the states with respect to cryptocurrency regulation. Although some states have asserted regulatory jurisdiction over virtual currency businesses, many have not. While New York has appeared bullish on crypto enforcement, for example, Florida legislators recently passed a bill that neutralized an existing Florida law intended to curb money laundering in the crypto industry. Wyoming has passed bills aiming to clarify the regulation of cryptocurrency businesses but has also sought to establish itself as crypto-friendly.
II. AML compliance tools for crypto
While regulatory schemes evolve, multiple firms have emerged on a parallel track with a focus on developing AML compliance solutions for the crypto industry. For guidance, these technology companies look to the AML/BSA roadmap followed by banks in recent years. (Many crypto firms often hire banking compliance veterans to oversee AML compliance operations.)
In a broader sense, these firms face the same questions as banks: What are the inherent risks? What are the controls that can mitigate those risks? Which risks can be tolerated?
While AML rules for banks and crypto are governed by similar laws, AML plays out differently in the two industries. For example, AML laws seek to prevent "layering," a process by which criminal proceeds are moved among multiple financial institutions to obscure their origins. Traditionally, money launderers engaging in layering repeatedly move fiat currency, such as U.S. dollars, into different financial institutions and assets to blur the origins of the criminal proceeds. With crypto, money launderers may move the illicit funds through hundreds of wallets before depositing the funds and cashing out the funds at a crypto exchange. Unlike bank accounts, thousands of wallets may be opened without proof of identity, within seconds.
Tools now exist to assist crypto businesses in determining the origin of potentially illicit funds. These tools may discern, for example, whether the funds originated from a dark web marketplace, regardless of the volume of wallet transfers, and analyze the proximity between a transaction and its ultimate source. In doing so, these tools conduct blockchain analysis to assess the risks associated with a particular wallet holder by, for example, reviewing the risk associated with others with whom the wallet holder has transacted. These tools also take into account whether the customer has conducted transactions on questionable exchanges.
Many of these tools, such as those offered by Elliptic and Chainalysis, initially were created to assist law enforcement. Over time, these tools have expanded from a focus on the origin of and parties associated with transactions to other traditional areas of AML/BSA compliance, including a focus on the nature of transactions and whether transactions comport with the profile of the wallet holder.
Cryptocurrencies undoubtedly will be subject to increased regulation in the future. Likewise, current trends point to increased AML regulation by multiple government agencies in the near future. While regulatory gray areas and safe harbors abound, regulators continue to establish oversight over this growing industry. Regulated cryptocurrency business that fail to engage in basic AML compliance — such as conducting KYC on new customers, monitoring transactions, and investigating suspicious transactions — may find themselves in the crosshairs of federal and state regulators.