With Regulation on the Rise, Congressional Blockchain Caucus Steps Up to Test SEC’s Approach

Posts by: Matthew Moses

With Regulation on the Rise, Congressional Blockchain Caucus Steps Up to Test SEC’s Approach

Lily Becker, Matthew Moses, Radiah Rondon and Caitlin Sheard

Coming quickly on the heels of the Biden Administration’s Executive Order on Digital Assets, the Congressional Blockchain Caucus has signaled it will be watching new regulation closely in line with their belief in a “light touch regulatory approach.” On March 16, 2022, the Caucus issued a letter to SEC Chair Gary Gensler demanding information on SEC “voluntary” requests for documents and information to blockchain, cryptocurrency, digital assets, or other similar entities. Congressional Blockchain Caucus Co-Chair Representative Tom Emmer (R-MN 6^th District) said the letter came in response to complaints from crypto and blockchain firms that the SEC’s requests were “overburdensome,” did not “feel particularly voluntary” and that they are “stifling innovation.” The swell of interest from the executive branch on regulating the industry may be checked by certain legislators determined to ensure the SEC does not hold back continued advancements and innovation in this sector.

As we noted previously, the SEC has expressed a strong interest in regulating crypto trading platforms. The SEC is using its Division of Enforcement to obtain information from blockchain and cryptocurrency firms. The eight congressmen who signed the letter noted that they had reason to believe that the SEC is using investigative powers “to gather information from unregulated cryptocurrency and blockchain industry participants in a manner inconsistent with the Commission’s standards for initiating investigations.”

The Congressional Blockchain Caucus is a bipartisan group of Congressional members and their staff who believe that “a light touch regulatory approach” is the best environment for growth in the blockchain and cryptocurrency sector. To further this goal, members of the Caucus have sponsored numerous bills on blockchain and cryptocurrency technology. For example, two bills introduced by Caucus members include the “Securities Clarity Act” and the “Digital Commodity Exchange Act,” which were meant to clarify and streamline regulation of this industry by making regulatory schemes less complicated and onerous on the industry’s participants.

The letter leverages a mundane law—the Paperwork Reduction Act—to elicit information on whether the SEC’s time is appropriately spent or whether the requests are in fact, “overburdensome.” Themes addressed by the members include:

Volume: Over the last five years, how many voluntary document requests have been issued; what are the average number of questions asked; and what types of businesses received the requests over the last five years;
Costs: What are the total compliance costs imposed on the recipients who comply with requests; what is the average length of time for entities to respond; has the SEC conducted a cost-benefit analysis to determine the value of the information received to the agency versus the fairness and efficacy of requests;
Effects: Are recipients aware that responses are voluntary; what are the consequences (if any) for declining to respond to a request; are recipients made aware if they are under informal investigation; and
Purpose: Are recipients aware of the specific objective of the requests and the SEC’s plan for use of the information collected.

In tweets publicizing the letter, Rep. Emmer acknowledged “the SEC has authority to obtain info from market participants for rulemaking purposes” but noted that “Crypto startups must not be weighed down by extra-jurisdictional and burdensome reporting requirements.” And, in a sign that Rep. Emmer and the Caucus plan to continue exercising their checks and balance power liberally, he declared “[w]e will ensure our regulators do not kill American innovation and opportunities.”

Executive Order on Digital Assets Means Industry-Shifting Regulation Is Closer Than Ever

Lily Becker, Matthew Moses, Radiah Rondon and Caitlin Sheard

On March 9, 2022, Bitcoin prices surged and many in the crypto community celebrated as the Biden administration announced a sweeping executive order that acknowledges the key role digital assets will play in global financial systems. While the Order embraces crypto as the wave of the future, it calls for an intense focus on the industry that will undoubtedly lead to increased oversight and enforcement. Businesses that have believed themselves to be operating in a legal gray area may soon find themselves more explicitly subject to many of the same regulations as traditional financial service providers. The Order provides a simple rationale for aligning the new industry with existing regulatory standards: “same business, same risks, same rules.”

There is no cookie-cutter approach to analyzing how the coming changes will impact a business. We are tracking developments to help our clients look over the horizon and plan ahead. Below are the key takeaways from the Order:

The Order calls for an “unprecedented focus of coordinated action” to address the illicit use of digital assets. This will likely lead to increased criminal enforcement—including holding companies accountable for illegal activity perpetrated through their networks.
Numerous agencies have been tasked with developing policies and regulatory frameworks to protect consumers, investors, and businesses in the crypto sphere, with additional reporting to come as soon as within 90 days.
The administration supports responsible innovation related to digital assets, meaning technological advances that address privacy, security, controls against exploitation, and environmental responsibility.
These directives build on initiatives that have been pursued at the agency level, such as the creation of a DOJ task force to investigate and prosecute crypto crime.

******

The Biden administration’s move towards more digital asset oversight is now directed from the top. President Biden’s March 9 Executive Order calls for an “unprecedented focus of coordinated action” across all government agencies to mitigate the risks posed by the illicit use of digital assets. And this focus is not just domestic; the Order also directs agencies to work with foreign partners to align international frameworks and coordinate responses to risks—which may involve cross-border investigations and prosecution of misconduct. While the Order suggests the government will embrace digital assets in an unprecedented way, there is no doubt that increased criminal and regulatory enforcement will soon follow.

1. The sweeping Order outlines a “whole-of-government approach” to setting policy, establishing regulatory frameworks, and mitigating risks associated with digital assets.

Citing the explosive growth in digital assets, the Order makes the case for stronger oversight and increased regulation of cryptocurrencies. It announces six key priorities:

Protecting Consumers, Investors, and Businesses: The Treasury Department and other agency partners will develop policy recommendations to address the risks and opportunities of digital assets. Additionally, the Attorney General and others will report on the role of law enforcement agencies in detecting, investigating, and prosecuting crypto crime, and recommend appropriate regulatory or legislative actions.
Protecting U.S. and Global Financial Stability: The Financial Stability Oversight Council will identify economy-wide financial risks posed by digital assets and develop proposals to address such risks and any associated regulatory gaps.
Mitigating Illicit Finance and National Security Risks: The Order emphasizes the growing use of digital assets to facilitate cybercrime, money laundering, terrorist and proliferation financing, fraud, theft, and corruption. Building on the Treasury Department’s National Strategy for Combating Terrorist and Other Illicit Financing, a group of agencies will evaluate “opportunities to mitigate such risks through regulation” and develop a coordinated action plan. This plan will, among other things, address the role of law enforcement to increase compliance with AML/CFT, focusing on decentralized financial ecosystems, peer-to-peer payment activity, and obscured blockchain ledgers.
Reinforcing U.S. Leadership in the Global Financial System: The Department of Commerce will work with other agencies on a framework to drive U.S. competitiveness and leadership in, and leveraging of, digital asset technologies. The Treasury Department will similarly work across government to establish a framework for international engagement on issues such as foreign assistance, global compliance, and the promotion of international standards.
Promoting Access to Safe and Affordable Financial Services: The Treasury Department and other relevant agencies will produce a report on the future of money and payment services, recognizing the national interest in ensuring access to safe and affordable financial services.
Supporting Responsible Innovation: Various agencies will study and support technological advances in the responsible development, design, and implementation of digital asset systems. This means ensuring that digital asset technologies include privacy and security in their architecture, integrate controls to defend against illicit exploitation, and reduce negative climate impacts and environmental pollution from cryptocurrency mining.

Additionally, the Order places the “highest urgency” on research and development into the creation of a U.S. Central Bank Digital Currency (CBDC),[1] which it says has the potential to support efficient and low-cost transactions and foster greater access to the financial system. The Treasury Department and other agencies have been tasked with analyzing the potential implications of launching a U.S. CBDC.

2. The Executive Order comes on the heels of a new DOJ task force, the National Cryptocurrency Enforcement Team, aimed at investigating and prosecuting crypto crime.

In October 2021, Deputy Attorney General Lisa Monaco announced the creation of a National Cryptocurrency Enforcement Team (NCET) to “tackle complex investigations and prosecutions of criminal misuses of cryptocurrency,” including money laundering, ransomware and extortion schemes, and trading on dark markets for illegal drugs, weapons, and hacking tools.[2] The NCET is staffed by DOJ prosecutors with backgrounds in cryptocurrency, cybercrime, money laundering, and forfeiture. They work closely with various DOJ sections, U.S. Attorneys’ Offices, and the FBI. According to NCET Director Eun Young Choi, “the NCET will play a pivotal role in ensuring that as the technology surrounding digital assets grows and evolves, the department in turn accelerates and expands its efforts to combat their illicit abuse by criminals of all kinds.”[3] The creation of this task force suggests that the DOJ has both the resources and the will to investigate allegations of wrongdoing in the crypto sphere, and companies must remain vigilant in light of the increased risk of regulatory scrutiny.

3. The SEC has expressed a strong interest in regulating crypto trading platforms, while other agencies have announced a series of “policy sprints” focused on crypto assets.

For the SEC, the question of whether the agency will regulate cryptocurrency exchanges is not a matter of if, but when. When asked by reporters in January whether 2022 will be the year that the SEC starts regulating crypto trading platforms, SEC Chairman Gary Gensler responded: “You shouldn’t put timelines on yourself, but I will say I sure hope so.”[4] He went on to caution: “To the extent that folks are operating outside the regulatory perimeter, but are supposed to be inside, we will bring enforcement actions.”[5] This calls to mind the question of whether cryptocurrencies are securities, which, if answered in the affirmative, brings them well within the reach of the SEC’s Enforcement Division. While the answer may differ depending on the currency, Chairman Gensler has expressed a view that most cryptocurrencies are indeed securities and thus subject to regulation by the SEC.[6]

4. Nearly every relevant agency is marching towards more regulation.

The SEC and the Treasury Department are leaders in this space, but it seems that no agency wants to be left behind when it comes to regulating cryptocurrencies. At the same time that the DOJ and SEC were pursuing their own crypto strategies, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency conducted a series of interagency “policy sprints” focused on crypto assets.[7] Their goal was to analyze the applicability of existing regulations to crypto activities and establish a road map for further guidance. They promised to “provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible” and articulate expectations for compliance with existing laws. Other regulatory initiatives being pursued at the agency level, including by the Treasury Department’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN), are detailed in our 2021 Year-End Crypto Roundup.

5. Up until now, regulators have had to address misconduct in the crypto market using outdated laws that didn’t always fit. This is about to change—giving regulators more tools (and power) than ever.

Even without a coordinated strategy or crypto-specific regulatory framework, agencies have found ways to hold companies and individuals accountable for crypto-related misconduct. For example, the SEC has brought numerous enforcement actions for fraudulent and unregistered digital asset offerings,[8] and the DOJ recently arrested two individuals in connection with an attempt to launder $4.5 billion in stolen cryptocurrency.[9] Last year, FinCEN and the Commodity Futures Trading Commission (CFTC) reached a $100 million settlement with cryptocurrency exchange BitMEX, and BitMEX founders recently pled guilty to criminal Bank Secrecy Act (BSA) regulations stemming from the company’s willful failure to establish, implement, and maintain an AML program. But despite these efforts, without tailored regulation, illicit activity is bound to fall through the cracks. The current landscape is bound to change dramatically as a result of the Biden administration’s Executive Order, and even companies operating entirely within the law need to be ready to shift how they do business to adapt to changing regulations. Whatever comes next, we are tracking developments closely to help our clients navigate these changes and mitigate regulatory and enforcement risk.

[1] See Board of Governors of the Federal Reserve, Money and Payments; The U.S. Dollar in the Age of Digital Transformation (Jan. 2022).

[2] U.S. Dep’t of Justice, Press Release, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021).

[3] U.S. Dep’t of Justice, Press Release, Justice Department Announces First Director of National Cryptocurrency Enforcement Team (Feb. 17, 2022).

[4] Jennifer Schonberger, SEC’s Gensler wants crypto exchange regulation in 2022, warns on stablecoin, Yahoo Finance (Jan. 20, 2022).

[5] Id.

[6] Cheyenne Ligon, Gensler’s Crypto Testimony: 6 Key Takeaways, CoinDesk (Oct. 6, 2021).

[7] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (Nov. 23, 2021).

[8] See U.S. Securities & Exchange Commission, Cyber Enforcement Actions.

[9] U.S. Dep’t of Justice, Press Release, Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency (Feb. 8, 2022).

Non-U.S. Crypto and Other Money Services Businesses: Have Customers in the U.S.? Beware of AML and Sanctions Compliance Risk

Matthew Moses, Jeanine P. McGuinness, Joseph Perkins, Amy Walsh and Kristina Arianina

Two recent guilty pleas involving a cryptocurrency exchange serve as a reminder to all money services businesses (“MSBs”)—including those ostensibly located outside the United States but that conduct business there—of the importance of implementing anti-money laundering (“AML”) programs and registering as MSBs with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). Last week, two founders and executives of BitMEX—a virtual currency derivatives exchange whose parent company was registered in the Seychelles but operated globally, including in the United States—pled guilty to criminal Bank Secrecy Act (“BSA”) violations stemming from the company’s willful failure to establish, implement, and maintain an AML program.[1]

The BitMEX enforcement action also highlights sanctions non-compliance risks. Without a Know Your Customer (“KYC”) program, BitMEX carried out transactions for customers based in Iran, a jurisdiction comprehensively sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As OFAC has made clear, sanctions compliance obligations remain the same regardless of whether transactions are denominated in virtual currency or fiat. A focus on sanctions compliance may become even more critical for cryptocurrency companies in the wake of the new far-reaching Russia-related sanctions imposed by the United States, the EU, and the UK, among other governments, in response to Russia’s invasion of Ukraine. OFAC and the New York State Department of Financial Services (“NYSDFS”) have warned that as sanctioned persons and jurisdictions “become more desperate for access to the U.S. financial system,” they are likely to turn to cryptocurrency to minimize the crippling effect of sanctions.

BitMEX Founders’ Guilty Pleas

The two BitMEX founders’ guilty pleas on February 24, 2022 follow the company’s settlement with U.S. regulators in August 2021, which was one of the largest-ever resolutions with a cryptocurrency exchange. While BitMEX was incorporated in the Seychelles, it had connections to the United States, including maintaining offices there and soliciting and accepting orders from U.S. customers. FinCEN and the Commodity Futures Trading Commission found that BitMEX was operating as an unregistered futures commission merchant under the BSA, and that it failed to comply with the BSA’s AML program requirements, including by failing to maintain an adequate customer identification program. BitMEX resolved the allegations for $100 million, with a $20 million suspended penalty pending the company’s remediation and prevention measures, including ending all operations within the United States and no longer serving any U.S. customers.

The Department of Justice charged four of the company’s founders and executives in October 2020. In announcing that two of them, Arthur Hayes and Benjamin Delo, had pled guilty to willfully violating the BSA, the Department of Justice alleged that these two founders “closely” followed the U.S. regulatory developments and were aware of their BSA obligations due to U.S. customers’ trading on BitMEX. Yet, they allegedly took affirmative steps purportedly designed to exempt BitMEX from the application of U.S. laws like AML requirements and KYC requirements. For example, according to prosecutors, “the defendants caused BitMEX to formally incorporate in the Seychelles, a jurisdiction they believed had less stringent regulation, and from which they could still serve U.S. customers and operate within the United States without performing AML and KYC.” Without “even basic” AML policies in place, BitMEX became “in effect a money laundering platform” and a “vehicle for sanctions violations.”

Takeaways

This development illustrates the significant risks to which foreign-located MSBs expose themselves if they have U.S. customers but fail to comply with the BSA. Incorporating in a “friendlier” jurisdiction, like the Seychelles in the BitMEX case, does not protect an MSB from BSA liability if it operates in the United States. The BSA applies to MSBs “wherever located” if they conduct business “wholly or in substantial part within the United States.” Thus, all MSBs, including those transmitting cryptocurrency—with any U.S. nexus—should take note of the BSA requirements. Those include registering with FinCEN; implementing a written AML program with policies, procedures, and internal controls, including regarding customer identification and verification; and controls to detect and report suspicious activity. The AML programs must be commensurate with the risks posed by the location, size, nature and volume of the services provided by the MSB and be effective in preventing the MSB from being used to facilitate money laundering and the financing of terrorist activities.

An effective AML/KYC program will also help ensure compliance with sanctions regulations. As noted, cryptocurrency exchanges will likely face increased sanctions risks due to the sweeping sanctions recently imposed against Russian banks, entities, and individuals by the United States, EU, UK, and other governments, and additional measures that may be imposed in the coming days or weeks. As such, cryptocurrency exchanges may face, and must address, “unique risks.”

By implementing a KYC program, which includes sanctions screening, cryptocurrency companies can help ensure they do not engage, directly or indirectly, in transactions prohibited by sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions. To ensure compliance, cryptocurrency exchanges should also employ geolocation and IP-address blocking to prohibit access by parties from sanctioned jurisdictions, perform transaction monitoring to detect suspicious activity, and file required reports with FinCEN and OFAC. Exchanges operating outside the United States that do not yet have but want to attract U.S. users should also consider implementing such measures.

[1] Also last week, on February 25, 2022, BitConnect founder Satish Kumbhani was indicted in a cryptocurrency Ponzi scheme, which the government alleges deprived investors worldwide, including in the United States, of over $2 billion. According to the indictment, to avoid regulatory scrutiny and conceal BitConnect’s fraudulent scheme, Kumbhani evaded and circumvented U.S. regulations, including those enforced by the FinCEN. Among other things, BitConnect never registered with FinCEN, as required under the BSA.

A “Key” OCC Interpretation – National Banks Can Provide Cryptocurrency Custody Services

Daniel Nathan, Matthew Moses, Matthew Reeder and Brian Bloomer

Banking regulators took a significant step toward the mainstreaming of cryptocurrency recently when the Office of the Comptroller of the Currency (OCC) provided guidance about how a bank can provide custody services for cryptocurrency. In Interpretive Letter #1170, published on July 22, the OCC concludes that “a national bank may provide these cryptocurrency custody services on behalf of customers, including by holding the unique cryptographic keys associated with cryptocurrency.”

The OCC’s Letter arrives at an opportune time, when, according to CipherTrace’s recently published findings, the majority of cryptocurrency transactions are cross-border and, on average, each of the top ten U.S. retail banks unknowingly processes an average of $2 billion in crypto-related transactions per year. Providing custody services might help bring more of these transactions in to the open.

The OCC Interpretive Letter

The Interpretive Letter—which was issued just a few short months after the former Coinbase chief legal officer Brian Brooks became the Acting Comptroller of the Currency—is a breakthrough in terms of bringing cryptocurrency within a regulated environment. The OCC outlined three sources of market demand for banks to provide cryptocurrency custody services: (1) cryptocurrency owners who hold private keys want to store them securely because private keys are irreplaceable if lost—misplacement can mean the loss of a significant amount of value; (2) banks may offer more secure storage services than existing options; and (3) investment advisors may wish to manage cryptocurrencies on behalf of customers and use national banks as custodians.

The OCC recognized that, as the financial markets become increasingly technological, there will likely be increasing need for banks and other service providers to leverage new technology and innovative ways to provide traditional services on behalf of customers. The OCC pointed out that cryptocurrency custody services fit neatly into the long-authorized safekeeping and custody services national banks provide for both physical and digital assets.

With respect to cryptocurrency, the Letter states that national banks may provide fiduciary and non-fiduciary custody services. Non-fiduciary custodial services typically entail providing safekeeping services for electronic keys, which, as discussed above, fit neatly into the types of activities national banks have historically performed. Specifically, the OCC explains that a bank that provides custody for cryptocurrency in a non-fiduciary capacity typically would not involve physical possession of the cryptocurrency but rather “essentially provide safekeeping for the cryptographic key that allows for control and transfer of the customer’s cryptocurrency.” Fiduciary cryptocurrency custody services (such as those where the service provider acts as trustee, administrator, transfer agent, or receiver, or receives a fee for providing investment advice) are permissible if conducted in compliance with the National Bank Act and other applicable laws and regulations (such as 12 CFR Part 9 and 12 U.S.C. Ch. 2). Banks are authorized to manage cryptocurrency assets in a fiduciary capacity just as they manage other types of assets in a fiduciary capacity.

Banks that provide cryptocurrency custody services have to comply with existing policies, laws, and regulations, and conduct its custody services in a safe and sound manner, including having adequate systems in place to identify, measure, monitor, and control the risks of its custody services. In particular, banks should ensure they assess the anti-money laundering (AML) risk of any cryptocurrency custodial services and update their AML programs to address that risk. It would be advisable for AML compliance personnel to be well-integrated in the development of cryptocurrency custodial services. Banks must also implement effective risk management programs and legal and regulatory reporting practices for these services. Cryptocurrency custody services may raise unique issues identified by the OCC, including the treatment of blockchain forks, and consideration of whether technical differences between cryptocurrencies (for example, those backed by commodities, those backed by fiat, or those designed to execute smart contracts) may require different risk management practices.

The OCC Letter points out that different cryptocurrencies may be subject to different regulations and guidance. For example, some cryptocurrencies are deemed securities and therefore are subject to federal securities laws and regulations. In addition, because crypto assets are thought of as offering a greater level of anonymity or as falling beyond the ken of centralized banking systems, they have been associated with illicit activity including money laundering. Consequently, banks must ensure that their AML programs are appropriately tailored to effectively assess customer risk and monitor crypto-related transactions. Just yesterday, the Financial Crimes Enforcement Network published an advisory warning that “[f]inancial institutions dealing in [cryptocurrency] should be especially alert to the potential use of their institutions to launder proceeds affiliated with cybercrime, illicit darknet marketplace activity, and other [cryptocurrency]-related schemes and take appropriate risk mitigating steps consistent with their BSA obligations.”

While there has been limited enforcement of federal law against banks for crypto-currency related activity, earlier this year, the OCC brought its first crypto-related enforcement action, against M.Y. Safra Bank for deficient AML processes for digital asset customers. The OCC concluded that the Bank’s deficiencies included its failure to: (1) appropriately assess and monitor customer activity flowing to or from high-risk jurisdictions; (2) conduct ongoing testing of its due diligence processes; (3) implement sufficient controls for its digital assets customers, including cryptocurrency money service businesses (MSBs); (4) address the risk created by the significant increase in wire and clearing transactions created by the cryptocurrency MSB customers; and (5) notify the OCC of its significant deviation from its previous business plan. In the Matter of M.Y. Safra Bank, SFB, AA-NE-2020-5, Consent Order (Jan. 30, 2020).

The OCC’s Letter should give comfort to many banks that have been bystanders to the growth of the cryptocurrency market. Now banks can offer more cryptocurrency-based financial services with more certainty, although many questions will likely be answered through greater participation. More marketplace involvement by traditional banks will in turn have a beneficial effect. Smaller businesses wishing to engage in cryptocurrency-based transactions now may do so by interacting with large, stable, and well-regulated banking institutions.

OCC’s Consideration of an MSB Regime

OCC’s Interpretive Letter may be part of a broader movement by the OCC to promote greater integration of cryptocurrencies into mainstream financial services. Acting Comptroller of the Currency Brooks announced on a podcast on June 25 that the OCC intends to unveil a new bank charter including a national payments charter that will pave the way for nationwide participation by cryptocurrency payments companies. As contemplated, that charter would be equivalent to FinCEN’s MSB registration process and stand in (under the doctrine of preemption) for individual state-level MSB licensing requirements. It also should answer questions like how the Community Reinvestment Act might apply to banks that do not take deposits and how the OCC will impose capital standards on companies that do not bear credit risk.

FinCEN Sends Message to the Virtual Currency Industry: The Travel Rule Applies to You, Too

Matthew Moses and Christine Hanley

FinCEN Director Ken Blanco addressed this year’s Consensus Blockchain Conference on May 13, 2020. In a set of prepared remarks, Blanco recognized the unprecedented challenges that the COVID-19 pandemic has created for anti-money laundering compliance personnel, particularly in addressing virtual currency transactions. To meet those challenges and combat the increased risk of criminal exploitation of virtual currency markets, Blanco emphasized that U.S. authorities continue to expect that financial institutions comply with the “Travel Rule” – that is, the requirement to transmit certain identifying information regarding transaction counterparties to the next financial institution in the transaction chain – with respect to virtual currency transactions, among others.

Cybercriminals Have Adapted to the Pandemic – You Need to as Well

Blanco recited the principal ways in which cybercriminals have adapted to exploit vulnerabilities created by COVID-19. For example, cybercriminals have taken advantage of security vulnerabilities in remote working applications, including VPNs and remote desktop protocols, that are central to the new work-from-home paradigm. Scams intended to undermine “know your customer” processes, including deep-fake and credential-stuffing attacks, have also increased in recent months, as have scams involving virtual currency payments, extortion, ransomware, fraudulent medical products sales, and initial coin offerings. Blanco expects this illegal conduct to continue to increase during the pandemic, and he advised financial institutions to calibrate their security measures to those threats.

Blanco explained that the “entire AML community has been adapting in real time” to the COVID-19 pandemic and its economic fallout, and he urged financial institutions to stay alert for malicious or fraudulent transactions. FinCEN issued notices on March 16 and April 3 advising financial institutions of their AML obligations during the COVID-19 pandemic and provided a direct contact mechanism to report urgent COVID-19 related issues. Blanco also advised that FinCEN is publishing advisories highlighting common types of fraud, theft, and money laundering activities related to the pandemic. Orrick’s May 27, 2020 Client Alert details steps that the Financial Action Task Force (“FATF”) – the global money laundering and terrorist financing watchdog – has advised that financial institutions consider taking to ensure continued compliance with their AML obligations.

The End of an Era? Regulators Expect to Know Who Is Transacting in Virtual Currencies

Turning to his “primary theme,” Blanco stated that the United States expects financial institutions to comply with the Travel Rule – full stop. There is no exception for virtual currency transactions. The Rule requires institutions processing virtual currency transactions valued at $3,000 or more to pass on and retain certain identifying information – including names, addresses, and account numbers – of both transaction counterparties to the next financial institution in the transaction chain. Blanco praised steps taken by FATF last June to establish international standards that are consistent with the U.S. Travel Rule.

The Travel Rule’s application to virtual currency transactions has been a source of resentment for Blockchain advocates who view the technology’s unique ability to facilitate anonymous transactions as one of its most revolutionary attributes. However, others have embraced the Rule for the role it has played in legitimizing the use of virtual currencies by law-abiding, mainstream actors as a safe alternative to traditional currencies.

Blanco’s comments make clear that FinCEN is firmly in the latter camp and views the Travel Rule as a key enforcement tool to prevent the proliferation of black markets and other illicit uses of Blockchain technology. In his words, “[a]ny asset that allows the instant, anonymized transmission of value around the world with no diligence or recordkeeping is a magnet for criminals, including terrorists, money launderers, rogue states, and sanctions evaders.”

Blanco reported that recordkeeping violations – such as violations of the Travel Rule – are the most common violations that FinCEN’s delegated IRS examiners have found being committed by money services businesses engaged in virtual currency transmission. Nevertheless, he stated that he is optimistic about the growth of cross-sector organizations and working groups focused on improving compliance with the Travel Rule and developing complementary international standards. Blanco stressed the importance of collaboration between government, law enforcement, and private companies, both during the COVID-19 pandemic and beyond. Blanco explained that it is the shared responsibility of the public and private sectors to ensure that virtual currency “technology does not get hijacked by criminals” to become a “conduit for crime, hate, and harm.”

Help Us to Help You

Blanco closed with an invitation to the private sector to strengthen its collaboration with regulators and law enforcement to combat illegal uses of virtual currencies. Since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (“SARs”) involving virtual currency exploitation, over half of which came from the virtual currency industry. Those SARs are critical to FinCEN’s and law enforcement’s efforts to combat criminality and FinCEN’s efforts to educate industry participants about trends in illicit virtual currency use through its advisory and FinCEN Exchange programs.

Despite these efforts, Blanco explained that “[r]isks associated with anonymity-enhanced cryptocurrencies, or AECs, remain unmitigated across many virtual currency financial institutions.” FinCEN and its delegated IRS examiners are taking a close look at the AML/CFT controls on transactions in virtual currencies, and Blanco advised his audience to consider whether their controls are adequate to fulfill their duties to maintain risk-based AML programs. Blanco explained that FinCEN is also taking seriously the rise in foreign money services businesses seeking to do business with U.S. persons or operating in the U.S. without complying with U.S. AML regulations. Put simply, “[i]f you want access to the U.S. financial system and the U.S. market, you must abide by the rules.”

Appellate Court – Selling Bitcoin in Florida Requires a Money Services Business License

Matthew Moses

Following a recent opinion by a Florida appellate court, virtual currency dealers who do business in, from, or into Florida – even individuals in the business of selling their own virtual currency for cash – may be required to obtain a “money services business” license from Florida’s Office of Financial Regulation and maintain costly anti-money laundering programs in accordance with Florida and federal law or face criminal penalties.

On January 30, Florida’s Third District Court of Appeal reinstated criminal charges against Florida resident Michell Espinoza for money laundering and “unlawfully engaging in the business of a money transmitter and/or payment instrument seller without being registered with the State of Florida.” State v. Espinoza, No. 3D16-1860, slip op. (Fla. Dist. Ct. App. Jan. 30, 2019). The trial court had previously dismissed the charges against Espinoza, agreeing with his argument that selling Bitcoin does not qualify as “money transmitting” under Florida law because Bitcoin is not “money,” among other reasons. State v. Espinoza, No. F14-2923 (Fl. Cir. Ct. July 22, 2016). The appellate court disagreed and determined that even a person in the business of selling his own Bitcoin for cash is a “money transmitter” and “payment instrument seller” under Florida law and is therefore required to be licensed as a “money services business.”

The charges against Espinoza stem from a sting operation in 2013, in which undercover detectives contacted Espinoza through a Bitcoin exchange site, LocalBitcoins.com. Espinoza posted on that site that he would sell Bitcoins for cash through in-person transactions. Espinoza was not licensed or registered as a “money services business” with Florida or federal regulators. An undercover detective met Espinoza several times and paid him a total of $1500 cash for Bitcoin, earning Espinoza a profit. During those transactions, the undercover detective allegedly made clear his desire to remain anonymous and said he was involved in illicit activity. For example, the undercover detective allegedly told Espinoza that he needed the Bitcoin to buy stolen credit card numbers from Russians.

The Florida appellate court’s determination that Bitcoins are “monetary value” and “payment instruments” under Florida law fits within a line of cases finding that Bitcoin qualifies as “money” for the purposes of money laundering and anti-money laundering laws. For example, in 2014 Judge Rakoff, a United States District Judge for the Southern District of New York, found that Bitcoin clearly qualifies as “money” or “funds” for the purposes of the federal money transmitter statute because “Bitcoin can be easily purchased in exchange for ordinary currency, acts as a denominator of value and is used to conduct financial transactions.” United States v. Faiella, 39 F. Supp. 3d 544, 545 (S.D.N.Y. 2014) (citing SEC v. Shavers, 2013 WL 4028182, at *2 (E.D. Tex. Aug. 6, 2013)). Some states have also codified virtual currency into their anti-money laundering regulations. For example, after the trial court determined that Bitcoin was not a “monetary instrument” that could be laundered under Florida’s money laundering statute, the Florida legislature amended the statutory definition of “monetary instruments” to explicitly include the term “virtual currency.” Fla. Stat. § 896.101(2)(f) (2017). Other states, however, have taken a different approach. Pennsylvania’s Department of Banking and Securities (“DoBS”), for example, recently published guidance that virtual currency, including Bitcoin, is not considered money under Pennsylvania law. “Money Transmitter Act Guidance for Virtual Currency Businesses,” Pennsylvania Department of Banking and Securities (Jan. 23, 2019).

The Florida appellate court found that Espinoza was operating as a “money transmitter” and therefore was a “money services business,” simply by engaging in the business of selling his own Bitcoin for cash and not otherwise acting as a middleman between parties. The trial court had applied the more common and narrow understanding that a “money transmitter” operates “like a middleman in a financial transaction, much like how Western Union accepts money from person A, and at the direction of person A, transmits it to person or entity B,” as explained by the appellate court.

To reach its conclusion, the Florida appellate court looked to the text of Florida’s money services business statute – which the court believes is critically different from federal regulations. Under both federal and Florida state law, a “money services business” is defined to include a “money transmitter.” Compare 31 C.F.R. § 1010.100(ff) with Fla. Stat. § 560.103(22). According to the Florida appellate court, the federal definition of “money transmitter” includes a third-party requirement. Under federal regulations, a “money transmitter” means a person engaged in the “acceptance of currency, funds or other value that substitutes currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.” 31 C.F.R. § 1010.100(ff)(5(i)(A) (emphasis added). In comparison, the Florida statute defines a “money transmitter” as an entity “which receives currency, monetary value, or payment instruments for the purpose of transmitting the same by any means.” Fla. Stat. § 560.103(23). The Florida appellate court found that, in contrast to the federal regulations, the Florida statute’s “plain language clearly contains no third party transmission requirement in order for an individual’s conduct to fall under the ‘money transmitter’ definition” and, as such “decline[d] to add any third party or ‘middleman’ requirement.”

The appellate court’s interpretation of the text of Florida’s statute is disputable. From a statutory interpretation perspective, the middleman requirement is arguably inherent in the plain meaning of the word “transmit,” which is defined by Merriam-Webster as “to send or convey from one person or place to another.” (Notably, Pennsylvania’s DoBS recently issued guidance interpreting the word “transmitting” in a comparable state statute to include a third-party requirement. See “Money Transmitter Act Guidance for Virtual Currency Businesses,” Pennsylvania DoBS (Jan. 23, 2019) (interpreting statute that “[n]o person shall engage in the business of transmitting money by means of a transmittal instrument for a fee or other consideration with or on behalf of an individual without first having obtained a license from the [DoBS]” to impose a third-party requirement).) It would, therefore, be reasonable to interpret Florida’s statute as consistent with federal regulations. Moreover, the Florida appellate court’s interpretation of the statute could have broad and troubling consequences. Although dicta in the Florida appellate court’s decision make it seem like the court is making a distinction between “merely selling [one’s] own personal bitcoins” and “marketing a business,” the court’s statutory interpretation leaves open the possibility that the mere act of selling one’s own property – without registering as a “money services business” – could be a crime.

While we watch to see whether Espinoza will appeal this decision to the Florida Supreme Court, virtual currency dealers should be aware that selling virtual currency in, from or into Florida may require a money services business license and the maintenance of an anti-money laundering program.