Over the past few years, continued advancements in the payments industry and financial services technology have significantly expanded the way money financial transactions are processed and managed. Banks and payment and technology firms are accelerating efforts to innovate and adapt financial services alternatives to meet the growing demand of customers and consumers. These market advancements, however, are accompanied by increased risks, both legal and reputational, which are catching the attention of regulators.
Cryptocurrency and blockchain technology continues to be an area of enormous promise but also risk, if not managed properly. Cryptocurrency accounts for the identity of its users both at the beginning and end of transactions through digital wallets. Tokens are stored in electronic wallets instead of bank accounts. Only the wallet-owner has access to their wallet. The owner can send and accept tokens from one wallet to another by providing the identification code of their wallet to the other side of the transaction. The code itself acts as a key, eliminating the need for names or other types of identification. As such, the transaction itself is seemingly anonymous.
Cryptocurrency (also known as virtual currency) represents one application of blockchain technology. Blockchain technology, a decentralized or distributed ledger, is essentially a cryptographic ledger comprised of a digital log of transactions that can be shared across a public or private network. They can be used for a wide variety of uses: such as a means to complete equity / debt offerings, settle and maintain a record of credit default swaps, revolutionize mortgage lending and title insurance, manage correspondent banking relationships, and accelerate clearing and reduce counterparty costs.
To date, some of the attention directed toward Bitcoin and other cryptocurrencies has focused on its use as a preferred payment method by criminal enterprises because it allows users to transact pseudonymously. But Bitcoin and other cryptocurrencies offer more than just pseudonymity. It is a fast, low-cost, and secure payment solution that can also be used for many legitimate purposes, as noted above.
As investment and interest in the blockchain technology has grown, the pseudonymous nature of Bitcoin transactions heightens Bank Secrecy Act / Anti-Money Laundering (BSA / AML) compliance risks, making it especially challenging for these new businesses to establish banking relationships and comply with regulatory requirements.
FinCEN Guidance and Interpretations and BSA / AML Requirements
In 2013, the Financial Crimes Enforcement Network (“FinCEN,” a bureau of the U.S. Department of Treasury) issued interpretive guidance that defined the participants in a virtual currency arrangement, using the terms “user,” “exchanger,” and “administrator.”(1)
A user is a person who obtains virtual currency to purchase goods or services. An exchanger is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency. An administrator is a person engaged as a business in issuing a virtual currency and who has the authority to redeem such virtual currency.
Designation as a money transmitter or money service business (an “MSB”) can be a significant regulatory burden because such entities are subject to the full panoply of anti-money laundering regulations and must maintain an effective Office of Foreign Assets Control (“OFAC”) compliance program.(2)
Notably, in 2014, FinCEN further clarified that “a person is an exchanger and a money transmitter if the person accepts convertible virtual currency from one person and transmits it to another person as part of the acceptance and transfer of currency, funds, or other value that substitutes for currency.”(3) Prior to this guidance, virtual currency exchangers often argued that they were acting as payment processors and not providing money transmission related services – an argument rejected by FinCEN.
A company registered as an MSB is required by law to have a BSA / AML compliance program. Anti-Money laundering laws and regulations require financial institutions (“FIs”) to maintain policies, procedures, and controls in place to identify the source of funds and have a reasonable understanding of the identity of the customer.
In addition, all companies – including FIs – need to ensure that they conduct adequate screening to identify individuals and companies owned or controlled by certain sanctioned countries for individuals, groups, and entities that have been designated on OFAC’s Specially Designated National list.
Certain Fintech companies, such as those that qualify as MSBs, are subject to the same BSA / AML laws and regulations as other FIs as well as enforcement actions by FinCEN and OFAC.
But even Fintech companies whose products fall outside the scope of current AML requirements should review their products and services for potential AML (and other) risks and implement compliance management programs designed to address that risk.
ICOs as MSBs
Recently, on February 13, 2018, in a letter to U.S. Senator Ron Wyden, FinCEN clarified its role as a regulator of virtual currencies by confirming that developers and exchangers involved in the sale of Initial Coin Offerings (“ICOs”) coins and tokens must register as an MSB and therefore comply with the full panoply of BSA/AML requirements.(4) This letter raises major licensing questions for “ICOs”, as FinCEN made clear that generally “a developer that sells convertible virtual currency, including in the form of ICOs or tokens, in exchange for another type of value that substitutes for currency” is an MSB subject to BSA/AML requirements.
However, FinCEN also noted that “ICO arrangements vary” and that “[t]o the extent that an ICO is structured in a way that it involves an offering or sale of securities or derivatives, certain participants in the ICO could fall under the authority of the SEC, which regulates brokers and dealer in securities, or under the authority of the CFTC, which regulates merchants and brokers in commodities [italics added].” Thus, the FinCEN letter/guidance appears to suggest that, where cryptocurrency developers / sellers are functioning as issuers, or broker-dealers, of securities, they are subject to the jurisdiction of the SEC or CFTC, which includes their BSA / AML regulations.(5)
FinCEN acknowledged that “[t]he application of AML / CFT obligations to participants in ICOs, including issuers, will depend on the nature of the financial activity involved in any particular ICO.” By stating that it is working closely with the SEC and CFTC to “clarify and enforce” the AML / CFT obligations of businesses involved in ICO activities, FinCEN left open the question or dividing line between when a cryptocurrency developer or seller of virtual currency must register as an MSB versus being subjected to applicable SEC or CFTC jurisdiction.
That said, FinCEN’s own regulations provide that MSBs do not include “[a] person registered with, and functionally regulated or examined, by the SEC or the CFTC,” e.g., broker-dealers registered with the SEC and futures commissions merchants registered with the CFTC.
For its part, the SEC has taken the position that ICOs involving the issuances of securities must be registered or be offered in reliance upon an exemption from registration under the Securities Act of 1933.(6)
Based on the above, recent FinCEN guidance, Bitcoin exchanges, ATM operators, and payment processors should register with FinCEN as MSBs.
It could be necessary for a wallet provider to also register with FinCEN should they allow the exchange of real currency for virtual currency.
State registration and licensing requirements vary by state and are currently very fluid. A thorough understanding of both the federal and state-by-state rules and regulations of MSBs and virtual currency companies is paramount for any FIs entering into a relationship with a Bitcoin-related business.
The Department of Justice has prosecuted operators of cryptocurrency exchanges(7) for a failure to register with FinCEN as an MSB and FinCEN has brought civil enforcement proceedings against such exchanges for alleged failures to maintain adequate AML programs and file required Suspicious Activity Reports (“SARs”), among other violations.
For example, in May 2015, FinCEN assessed a $700,000 civil money penalty against Ripple Labs, a digital currency operator, for its failure to register as an MSB and its failure to implement and maintain an adequate AML program.
Although Ripple Labs began selling digital currency in August 2013, it did not fully implement its AML compliance program until nearly a year after it began its sales. During that year, Ripple Labs engaged in a series of transactions for which it failed to generate SARs as required by FinCEN regulations.
As part of the settlement between Ripple Labs and the Justice Department and FinCEN, the company agreed to build analytical transaction monitoring tools for monitoring transactions. While not a regulatory requirement, a transaction-monitoring program would benefit from some level of automation, either rules-based or statistical profile-based, identifying potentially suspicious transactions that might require a more detailed manual review. A rules-based automated program would identify transactions that meet certain predefined criteria while a statistical profile-based program would identify transactions that appear unusual given the transactional history. Once a program is in place, it should be periodically evaluated to determine its effectiveness and efficiency and then enhanced to address any deficiencies.
More recently, in July 2017, FinCEN assessed a $110 million fine against BTC-e a/k/a Canton Business Corporation, a foreign-based entity and one of the largest virtual currency exchanges by volume in the world, for willfully violating U.S. AML laws.
Among other violations, BTC-e failed to obtain required information from customers beyond a username, a password, and an e-mail address. Regardless of its ownership or location, the company was required to comply with U.S. AML laws and regulations as a foreign-based MSB – including maintenance of an AML compliance program, MSB registration, suspicious activity reporting, and record-keeping requirements.
This was the second supervisory enforcement action FinCEN has taken against a business that operates as an exchanger of virtual currency and the first it has taken against a foreign-based MSB doing business in the United States.
U.S. / OFAC Sanctions and Cryptocurrency
While not directly a BSA / AML issue, cryptocurrency companies should be aware that OFAC monitoring is currently a major challenge for Bitcoin-related businesses. Digital currency companies are covered by OFAC-administered sanctions like any other U.S. company.
Since only a public key is needed to send a transaction to another party, knowing where and to whom a transaction is being transmitted can be challenging. The Bitcoin protocol isn’t currently designed to collect and provide this type of information for transactions. Companies operating in this area are developing and contemplating solutions to address this issue, and FIs should continue to monitor and understand what these companies are doing to ensure OFAC compliance, such as IP address tracking and identification.
Cryptocurrency investors should also be wary of potential sanctions violations.
More recently, following Venezuelan President Maduro’s announcement the government of Venezuela planned to launch a digital currency that would carry rights to receive commodities in specified quantities at a later date, OFAC revised its FAQs and stated that currency with these characteristics “would appear to be an extension of credit to the Venezuelan government,” and thus prohibited by Executive Order 13808 issued on August 24, 2017.(9)
That news should be viewed in conjunction with comments from U.S. Treasury Secretary Steven Mnuchin, who expressed concerns that Bitcoin wallets could potentially become the modern equivalent of the anonymous bank account.(10) FinCEN also noted in its recent letter to Senator Wyden that “. . . a virtual currency money transmitter that is a U.S. person must, like all U.S. persons, comply with all Office of Foreign Assets Control financial sanctions obligations.”(11)
OFAC prohibits U.S. persons and entities (including their non-U.S. branches and in some cases their non-U.S. subsidiaries) from dealing with individuals and entities that are subject to list-based and country-based sanctions.
Much like the use of omnibus accounts by securities intermediaries and the lack of transparency regarding beneficial owners underlying certain transactions, the anonymity of individuals involve in cryptocurrency transactions can make compliance with such sanctions challenging.
As cryptocurrencies continue to gain wider acceptance, particularly in the e-commerce platform space, businesses will need to determine which measures and due diligence practices are needed to protect against the risks of a sanctions violation, which can result in very significant fines and even criminal penalties.
For instance, while it has become standard practice for U.S. businesses to implement screening procedures for non-U.S. customers and counterparties, U.S. businesses will need to adopt additional policies and procedures (or tailor existing ones) to ensure that cryptocurrency payment screen transactions are being screened appropriately.
Cryptocurrencies carry the promise of allowing for fast, low-cost, and secure payment transactions. However, its pseudo-anonymous structure also brings with it a number of risks, including the facilitation of money laundering and illegal transactions, that need to be effectively managed.
If acting as money transmitters, cryptocurrency companies must register with FinCEN as an MSB and comply with their BSA / AML obligations, accordingly.
Shaswat Das is a senior attorney with Hunton Andrews Kurth LLP. He counsels clients on compliance and enforcement matters before the Securities and Exchange Commission, Public Company Accounting Oversight Board, Office of Foreign Assets Control, and the federal banking regulators.
Richard Garabedian is counsel with Hunton Andrews Kurth LLP, representing banks, savings institutions, credit unions and holding companies on regulatory matters, as well as mergers and acquisitions.