Posts by: Jeanine P. McGuinness

Non-U.S. Crypto and Other Money Services Businesses: Have Customers in the U.S.? Beware of AML and Sanctions Compliance Risk

Two recent guilty pleas involving a cryptocurrency exchange serve as a reminder to all money services businesses (“MSBs”)—including those ostensibly located outside the United States but that conduct business there—of the importance of implementing anti-money laundering (“AML”) programs and registering as MSBs with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). Last week, two founders and executives of BitMEX—a virtual currency derivatives exchange whose parent company was registered in the Seychelles but operated globally, including in the United States—pled guilty to criminal Bank Secrecy Act (“BSA”) violations stemming from the company’s willful failure to establish, implement, and maintain an AML program.[1]

The BitMEX enforcement action also highlights sanctions non-compliance risks. Without a Know Your Customer (“KYC”) program, BitMEX carried out transactions for customers based in Iran, a jurisdiction comprehensively sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As OFAC has made clear, sanctions compliance obligations remain the same regardless of whether transactions are denominated in virtual currency or fiat. A focus on sanctions compliance may become even more critical for cryptocurrency companies in the wake of the new far-reaching Russia-related sanctions imposed by the United States, the EU, and the UK, among other governments, in response to Russia’s invasion of Ukraine. OFAC and the New York State Department of Financial Services (“NYSDFS”) have warned that as sanctioned persons and jurisdictions “become more desperate for access to the U.S. financial system,” they are likely to turn to cryptocurrency to minimize the crippling effect of sanctions.

BitMEX Founders’ Guilty Pleas

The two BitMEX founders’ guilty pleas on February 24, 2022 follow the company’s settlement with U.S. regulators in August 2021, which was one of the largest-ever resolutions with a cryptocurrency exchange. While BitMEX was incorporated in the Seychelles, it had connections to the United States, including maintaining offices there and soliciting and accepting orders from U.S. customers. FinCEN and the Commodity Futures Trading Commission found that BitMEX was operating as an unregistered futures commission merchant under the BSA, and that it failed to comply with the BSA’s AML program requirements, including by failing to maintain an adequate customer identification program. BitMEX resolved the allegations for $100 million, with a $20 million suspended penalty pending the company’s remediation and prevention measures, including ending all operations within the United States and no longer serving any U.S. customers.

The Department of Justice charged four of the company’s founders and executives in October 2020. In announcing that two of them, Arthur Hayes and Benjamin Delo, had pled guilty to willfully violating the BSA, the Department of Justice alleged that these two founders “closely” followed the U.S. regulatory developments and were aware of their BSA obligations due to U.S. customers’ trading on BitMEX. Yet, they allegedly took affirmative steps purportedly designed to exempt BitMEX from the application of U.S. laws like AML requirements and KYC requirements. For example, according to prosecutors, “the defendants caused BitMEX to formally incorporate in the Seychelles, a jurisdiction they believed had less stringent regulation, and from which they could still serve U.S. customers and operate within the United States without performing AML and KYC.” Without “even basic” AML policies in place, BitMEX became “in effect a money laundering platform” and a “vehicle for sanctions violations.”

Takeaways

This development illustrates the significant risks to which foreign-located MSBs expose themselves if they have U.S. customers but fail to comply with the BSA. Incorporating in a “friendlier” jurisdiction, like the Seychelles in the BitMEX case, does not protect an MSB from BSA liability if it operates in the United States. The BSA applies to MSBs “wherever located” if they conduct business “wholly or in substantial part within the United States.” Thus, all MSBs, including those transmitting cryptocurrency—with any U.S. nexus—should take note of the BSA requirements. Those include registering with FinCEN; implementing a written AML program with policies, procedures, and internal controls, including regarding customer identification and verification; and controls to detect and report suspicious activity. The AML programs must be commensurate with the risks posed by the location, size, nature and volume of the services provided by the MSB and be effective in preventing the MSB from being used to facilitate money laundering and the financing of terrorist activities.

An effective AML/KYC program will also help ensure compliance with sanctions regulations. As noted, cryptocurrency exchanges will likely face increased sanctions risks due to the sweeping sanctions recently imposed against Russian banks, entities, and individuals by the United States, EU, UK, and other governments, and additional measures that may be imposed in the coming days or weeks. As such, cryptocurrency exchanges may face, and must address, “unique risks.”

By implementing a KYC program, which includes sanctions screening, cryptocurrency companies can help ensure they do not engage, directly or indirectly, in transactions prohibited by sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions. To ensure compliance, cryptocurrency exchanges should also employ geolocation and IP-address blocking to prohibit access by parties from sanctioned jurisdictions, perform transaction monitoring to detect suspicious activity, and file required reports with FinCEN and OFAC. Exchanges operating outside the United States that do not yet have but want to attract U.S. users should also consider implementing such measures.

[1] Also last week, on February 25, 2022, BitConnect founder Satish Kumbhani was indicted in a cryptocurrency Ponzi scheme, which the government alleges deprived investors worldwide, including in the United States, of over $2 billion. According to the indictment, to avoid regulatory scrutiny and conceal BitConnect’s fraudulent scheme, Kumbhani evaded and circumvented U.S. regulations, including those enforced by FinCEN. Among other things, BitConnect never registered with FinCEN, as required under the BSA.

Cryptocurrency and OFAC: Beware of the Sanctions Risks

A recent federal criminal action shows the depth of the U.S. government’s concern about the use of cryptocurrency (or virtual currency) to violate economic sanctions laws and the lengths to which it will go to charge such violations. The U.S. government is particularly concerned that sanctioned countries and parties have used cryptocurrency to avoid sanctions designed to isolate them, and to facilitate illicit activities, including money laundering and ransomware attacks. The U.S. Office of Foreign Assets Control of the Treasury Department (OFAC), which administers U.S. economic sanctions programs, indicated recently that it intends to devote more resources to cryptocurrency issues. Over the past year or so, OFAC has issued a number of subpoenas to virtual currency businesses, such as exchanges, regarding possible customers and transactions involving parties in sanctioned countries. OFAC will probably announce its first enforcement actions involving virtual currency at some point this year. In addition, as discussed in Orrick’s recent blog post, the U.S. Commodity Futures Trading Commission, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), and the U.S. Securities and Exchange Commission remain focused on AML risks presented by cryptocurrency.

In an unusual application of economic sanctions law, in November 2019 a U.S. citizen was arrested and charged by the U.S. Attorney for the Southern District of New York with violating U.S. sanctions after he traveled to North Korea and delivered a presentation and technical advice related to the use of cryptocurrency and blockchain technology. In the case, which did not involve cryptocurrency transactions, the U.S. Attorney charged Virgil Griffith, an Ethereum Foundation staff member, with conspiring to violate U.S. sanctions laws that generally prohibit the provision of unlicensed services to North Korea. According to the U.S. Attorney’s Office, Mr. Griffith had traveled to North Korea to attend and speak at the Pyongyang Blockchain and Cryptocurrency Conference, despite the U.S. government’s denial of his request for authorization to attend. The U.S. government alleges that at the conference Mr. Griffith and other attendees discussed how North Korea could use blockchain and cryptocurrency technology to launder money and evade sanctions.

OFAC has issued frequently asked questions emphasizing that compliance obligations remain the same regardless of whether transactions are denominated in virtual currency or fiat, and has started to include in its Specially Designated Nationals and Blocked Persons List (SDN List) virtual currency addresses that are linked to sanctioned persons. Sanctions are enforced with the help of U.S. businesses, in particular banks and other financial institutions, which have implemented systems and internal controls to detect the involvement of designated persons or prohibited jurisdictions in transactions. The U.S. government expects a similar level of commitment from entities dealing in cryptocurrency. It is critical that U.S. virtual currency users, exchangers, administrators and other persons engaging in virtual currency transactions with any U.S. nexus take steps designed to ensure that they do not deal with U.S. sanctions targets, which include providing financial or other services to such parties. OFAC has advised technology companies, administrators, exchangers, and users of virtual currencies, and other payment processors, to implement risk-based compliance programs, which generally should include sanctions list screening. This is consistent with OFAC’s recommendations included in A Framework for OFAC Compliance Commitments issued in June 2019.

Because a strict liability standard applies to unauthorized dealings with sanctioned parties and jurisdictions, U.S. persons dealing in cryptocurrency cannot avoid potential liability simply because they do not know the identity of the person with whom they are interacting. And the risk of dealing with sanctioned persons and jurisdictions when conducting virtual currency transactions will likely increase should nations like Iran and Russia further embrace cryptocurrency to try to avoid sanctions. In 2018, Iran reportedly acknowledged cryptocurrency mining as a legitimate industry, and in December 2019, Iran’s President reportedly proposed creation of a Muslim cryptocurrency to decrease reliance on the U.S. dollar. The U.S. government acted in 2018 to prohibit transactions involving Venezuela’s state virtual currency, the “Petro.”

To protect against potential sanctions violations, there are key steps that cryptocurrency users and exchanges can take. Crypto exchanges operating in the United States are required to register with FinCEN as money services businesses, to license themselves in the states in which they operate, and to exclude users in sanctioned jurisdictions and those on OFAC’s SDN List from transacting on the exchange. These exchanges should adopt and implement Know Your Customer procedures, including sanctions screening, to identify parties trading on their exchanges, and can employ geo-IP blocking to prohibit access by parties from sanctioned jurisdictions. They should perform transaction monitoring to detect suspicious activity and file required reports with FinCEN. U.S. persons trading in cryptocurrency should use exchanges committed to complying with U.S. sanctions requirements. If the exchange allows sanctioned parties to participate, a U.S. person could end up unknowingly trading with such a party and thus violating U.S. law. Exchanges operating outside the United States that want to attract U.S. users should also consider implementing such measures, to exclude targets of U.S. sanctions from trading. Non-U.S. exchanges that permit access to certain U.S. sanctions targets may risk imposition of U.S. “secondary sanctions” designed to deter non-U.S. persons from engaging in business with targets of U.S. sanctions.