Recent headlines have highlighted significant risks associated with investments in cryptocurrency. For instance, in recent months, we have seen the price of various cryptocurrencies plummet, creating a “crypto winter” (though prices have recently been swinging back up, demonstrating the volatility risk associated with cryptocurrency). As well as fraudulent schemes and scams associated with (or allegedly associated with) crypto investments.
And there is the swift collapse of the cryptocurrency exchange FTX—including its bankruptcy, its failures related to the company’s risk management and governance practices and the arrest of its founder for securities fraud and embezzlement (he has pleaded not guilty). Not to mention the fact that there are real cybersecurity risks associated with digital assets. More than $14 billion in cryptocurrency was lost to cybercrimes in 2021 alone.
Alongside these headlines, there are repeated pronouncements from, and disagreements between, various regulators on whether and how cryptocurrencies should be regulated. Needless to say, investments in cryptocurrencies are not for the faint of heart.
Know your customers
One aspect of the digital currency industry has gotten a substantial amount of focus, and that is know your customer (KYC) obligations. Financial institutions have implemented KYC programs as a part of their anti-money laundering (AML) procedures for many years. These programs essentially gather information about customers to identify and verify the customer as a part of the institution’s onboarding process. This allows the financial institution to assess the customer’s risk profile. KYC serves as an important part of a financial institution’s AML program to prevent criminals from depositing or transferring funds derived from illicit activities and to prevent financing terrorism, human trafficking, and other crimes.
For several years, there were no KYC obligations related to digital currency markets or exchanges. Really, there were no regulations at all, as this space was essentially the wild west. The lack of KYC regulations was a natural consequence of the fact that many digital currency customers desired (or still desire) to remain anonymous and to keep their personal information hidden. As a result, many crypto firms did not know who their customers were.
This viewpoint is actually very common in the decentralized finance space. DeFi generally refers to a growing segment of financial products and services that relies on cryptocurrency and blockchain technology to manage transactions. DeFi is premised on the concept of removing the centralized systems and governing bodies that have historically dominated U.S. financial markets. Instead, DeFi aims to democratize finance by creating peer-to-peer financial transactions for everything from mortgages, insurance and auto loans to checking/savings accounts and stock trading. By allowing users to interact directly with financial products or services—without intermediaries—DeFi has leveraged blockchain technology to both existing and entirely new financial products and services accessible to everyone, often doing so anonymously.
This brings us back to KYC regulations. There has been growing regulatory pressure for crypto firms to implement KYC procedures. In 2019, financial regulators, including the Commodity Futures Trading Commission, the Securities and Exchange Commission (SEC), and Financial Crimes Enforcement Network (FinCEN), issued a joint statement classifying cryptocurrency exchanges as financial institutions and, therefore, subject to AML requirements. Specifically, the joint statement reminded firms that participate in the digital asset space that AML obligations “apply to entities that the Bank Secrecy Act (BSA) defines as ’financial institutions,’ such as futures commission merchants and introducing brokers obligated to register with the CFTC, money services businesses as defined by FinCEN, and broker-dealers and mutual funds obligated to register with the SEC.” Particularly noteworthy in the joint statement was the definition of “digital assets,” which included instruments that may qualify under applicable U.S. laws as securities, commodities, and security- or commodity-based instruments such as futures or swaps, but also noted that:
“We are aware that market participants refer to digital assets using many different labels. The label or terminology used to describe a digital asset or a person engaging in or providing financial activities or services involving a digital asset, however, may not necessarily align with how that asset, activity or service is defined under the BSA, or under the laws and rules administered by the CFTC and the SEC. For example, something referred to as an ‘exchange’ in a market for digital assets may or may not also qualify as an ‘exchange’ as that term is used under the federal securities laws. As such, regardless of the label or terminology that market participants may use, or the level or type of technology employed, it is the facts and circumstances underlying an asset, activity or service, including its economic reality and use (whether intended or organically developed or repurposed), that determines the general categorization of an asset, the specific regulatory treatment of the activity involving the asset, and whether the persons involved are ‘financial institutions’ for purposes of the BSA.”
The effect of the joint statement was to clarify that cryptocurrency exchanges are “financial institutions” for purposes of the BSA, and therefore must put in place AML programs (including KYC obligations).
Regulatory actions increasing
Following this statement, numerous crypto exchanges have been the target of regulatory actions. One such action in 2021 required a crypto exchange to pay $100 million to resolve regulatory violations, including the lack of effective KYC safeguards.
In particular, the violator was “one of the oldest and largest convertible virtual currency derivatives exchanges.” In announcing the action, FinCEN noted that, “[i]t is critical that platforms build in financial integrity from the start, so that financial innovation and opportunity are protected from vulnerabilities and exploitation.” FinCEN found that the company: “[F]ailed to implement and maintain a compliant anti-money laundering program and a customer identification program, and it failed to report certain suspicious activity. These willful failures expose financial institutions to an increased risk of conducting transactions with money launderers and terrorist financiers, including noncompliant exchanges in high-risk jurisdictions, ransomware attackers, and darknet marketplaces.”
These developments have resulted in numerous crypto exchanges, crypto wallet providers, and other firms dealing in digital assets, implementing KYC programs and complying with the Bank Secrecy Act in order to prevent sanctions from FinCEN, the Office of Foreign Assets Control, or other regulatory bodies.
However, application of AML regulations to digital currency firms is not always a straightforward proposition. For example, while crypto exchanges are most often operated by a legal entity (i.e., an entity that is subject to regulation, fines and legal suits), other firms providing services related to digital currencies are not offered by a single entity, but rather, are decentralized. Regulators have struggled to implement regulations covering all of these entities.
For example, a recent bill in this area, the Digital Asset Anti-Money Laundering Act of 2022, was a bipartisan legislative proposal, following the collapse of FTX, that proposed that FinCEN reclassify crypto entities as “money services businesses” and therefore bring all such businesses under the regulations of the BSA. The intent of the proposal was to “clos[e] loopholes in the existing anti-money laundering and countering of the financing of terrorism (AML/CFT) framework and bring the digital asset ecosystem into greater compliance with the rules that govern the rest of the financial system.” In the press release issued alongside the bill, Senator Elizabeth Warren, D-Mass., said:
“Rogue nations, oligarchs, drug lords and human traffickers are using digital assets to launder billions in stolen funds, evade sanctions and finance terrorism[.] The crypto industry should follow common-sense rules like banks, brokers and Western Union, and this legislation would ensure the same standards apply across similar financial transactions.”
As proposed, the Digital Asset Anti-Money Laundering Act of 2022 would have applied to digital asset wallet providers, miners, validators, and other network participants that may act to validate, secure or facilitate digital asset transactions. It would also have closed the gap allowing “unhosted” digital wallets to bypass AML and sanctions checks. There have also been a variety of other legislative proposals relating to specific aspects of digital currencies, such as proposed legislation relating to stablecoins and the tax implications of digital assets. It remains to be seen what, if any, legislation will ultimately pass.
While we are awaiting additional legal and regulatory requirements, some crypto firms are anticipating that they will see mandatory KYC requirements in the future and are beginning to implement programs into their operations. (Some are even using the implementation of KYC programs as a competitive advantage). Firms that are innovating in this way are doing so by a variety of mechanisms, including using internal KYC programs that look similar to those of traditional financial institutions or relying on third-party identity providers who verify ownership and “whitelist” a wallet address.
As prospective investors consider dipping a toe into cryptocurrency markets, they should evaluate whether the firms with whom they are engaging have implemented a comprehensive KYC program. This certainly is not the only measure of the worthiness of a crypto firm (and is not a panacea for many of the other fraud-based, legal, contractual and regulatory risks associated with potential crypto transactions), but it can be an indicator of whether the firm emphasizes legal and regulatory compliance. It can also assist in preventing any association with a firm accused of illicit activities like financing terrorism, human trafficking or other crimes.
Moreover, many believe that in the coming years (or even this year), we will see an unprecedented number of additional regulations affecting cryptocurrencies. It will be important to monitor these legal and regulatory developments as potential investors evaluate their participation in digital asset markets.
Finally, banking institutions should expect a continued regulatory focus on cryptocurrencies not only from the BSA/AML perspective but also more broadly as they begin (or continue) to offer related services.
Several prominent banks have begun offering crypto-related services such as custody, wealth management offerings, trading, and research. Many banks have also invested in companies operating in the blockchain or digital currency sectors. As banks continue to expand offerings in these areas, they will need to closely monitor regulatory developments as well as commentary from prudential banking regulators. For instance, in February of this year, as a result of the recent events, the Federal Reserve, FDIC, and OCC issued a statement warning banks to be alert for liquidity risks regarding to cryptocurrency-related investments and clients.
While the statement noted that no new requirements were being imposed, it did advise banks to have robust tools in place to monitor crypto-related activities. Such concerns over cryptocurrency, and in particular its volatility, are likely to increase in the future. Banks will need to closely monitor these developments to ensure regulatory compliance.
Matthew G. White, CIPP/US, CIPP/E, CIPT, CIPM, PCIP, is the co-chair of Baker Donelson’s Financial Services Cybersecurity and Data Privacy Team. He regularly advises clients on a wide range of cybersecurity and data privacy matters, including compliance, policies and procedures, training, incident response, regulatory investigations, and litigation. Matt also provides strategic advice to his clients concerning blockchain technology, smart contracts, cryptocurrencies, and other digital assets, including non-fungible tokens (NFTs).