Keyword: OFAC

6 Questions Blockchain Founders Should Ask When Launching a Product or Token

, , and

As any founder knows, operating in the blockchain space requires navigating a myriad of regulatory regimes. While every product and token are different, below are 6 key questions that any founder should ask themselves as they launch their product or token:

  1. Are you advertising to the public? If a company advertises to the public, anti-fraud and consumer protection laws are relevant. Regulators in the U.S. from the Federal Trade Commission and the Consumer Financial Protection Bureau, along with state attorneys-general, enforce rules to ensure advertisements and public statements do not contain (among other things) statements or promises that are false, misleading, or deceptive. Companies should screen public messages with their counsel before publishing them.
  2. Where do you plan to launch your product or token? Companies should be aware of sanctions programs in jurisdictions in which they plan to operate. In the U.S., the Office of Foreign Asset Control (“OFAC”) enforces compliance with U.S. sanctions programs. Conducting transactions with sanctioned persons or in a sanctioned jurisdiction is an offense and OFAC may impose penalties on a “strict liability standard.”  This means that OFAC can hold violators civilly liable regardless of whether they knew they participated in a transaction with a sanctioned person or entity. Many companies have policies and internal controls (e.g., customer screening and IP address blocking) meant to prevent prohibited transactions.
  3. Would a person reasonably rely on the Company’s efforts to profit from their purchase? If a blockchain company issues or plans to issue tokens or other digital assets, it is imperative that the company complies with securities laws. The lodestar for determining whether a token is an “investment contract” (one type of security) is the Howey Test. In short, pursuant to the Howey Test, a token is a security if a purchaser could reasonably depend on the efforts of a third party (i.e., the company) to generate a profit. While the interpretation of the Howey Test is more nuanced than that, understanding how consumers are going to think about your token is important in assessing the level of risk that launching the token might impose. The actual application of the Howey Test is fact intensive, and therefore requires comprehensive review and application of the token and the Company’s distribution plans.
  4. Will employees have access to sensitive information that could impact prices? If a company’s employees will have access to material, non-public information regarding prices of the company’s publicly traded digital asset or any other asset trading on a platform controlled by the company, the company should implement policies to prevent employees or other insiders from profiting off of that information (by implementing, for example, insider trading policies). These policies should dictate how and when an employee, consultant, or director is allowed to buy and sell the company’s digital assets or any other asset trading on the company’s platform.
  5. Will the Company transmit someone’s money? Blockchain companies acting as an “administrator” or “exchanger” of “convertible virtual currency” (“CVC”) may be deemed a money transmitter under federal law. In short, if a company has the authority or power to issue, remove, or exchange a cryptocurrency or virtual currency, the company may be required to register as a “money services business” under the federal Bank Secrecy Act, which requires companies to assist the U.S. government in detecting and preventing money laundering. In addition, 49 states also have “money transmission laws.” Each state has different laws with respect to CVC, so a state-by-state analysis will be required to determine where the company should file for money transmission licenses.
  6. Will the Company collect customer information? Consumer data protection has received a sizable amount of attention from both legislatures and regulators over the past several years, including the implementation of GDPR in the EU and the CCPA in California (just to name a couple prominent laws).  Any company that is collecting, storing, or transmitting consumer information should review its online privacy policy and terms of use, as well as its internal policies around how that information is stored and where that information is transmitted.  Even if still under the control of the company, data transferred from one jurisdiction to another may violate applicable data privacy laws.

The 6 questions above will help frame some of the more common regulatory issues that companies in the blockchain space need to pay attention to, but that list is certainly not exhaustive.  With an increased focus on blockchain companies by regulatory agencies, it’s important that founders operate within and understand existing regulations, and also make a plan for how they will adapt as those regulations change.

Digital Assets Executive Order Brings Regulation Closer Than Ever

, , and

President Biden issued a sweeping executive order in 2022 acknowledging the key role digital assets will play in the global financial system. It embraces crypto as the wave of the future – while setting the stage for increased oversight, regulation and enforcement.

What It Means

  • Businesses that have seen themselves in a legal gray area may find themselves subject to many of the same regulations as traditional financial service providers.
  • The order calls for an “unprecedented focus of coordinated action” to address the illicit use of digital assets. This will likely lead to increased criminal enforcement, including holding companies accountable for illegal activity perpetrated through their networks.
  • Numerous agencies are developing policies and regulatory frameworks to protect consumers, investors and businesses in the crypto sphere.
  • The order directs agencies to coordinate with international partners on approaching and responding to risks. That may involve cross-border investigations and prosecutions.

In More Detail: The Executive Order’s Six Priorities

Citing the explosive growth in digital assets, the order makes the case for stronger oversight and increased regulation of cryptocurrencies. It announces six key priorities:

  1. Protecting Consumers, Investors and Businesses
    • The Treasury Department and others will develop recommendations to address the risks and opportunities of digital assets. The Attorney General will report on law enforcement’s role to detect, investigate and prosecute crypto crime and recommend regulatory or legislative action.
  2. Protecting U.S. and Global Financial Stability
    • The Financial Stability Oversight Council will identify economy-wide financial risks digital assets pose and develop proposals to address them and associated regulatory gaps.
  3. Mitigating Illicit Finance and National Security Risks
    • The order emphasizes the growing use of digital assets to facilitate cybercrime, money laundering, terrorist and proliferation financing, fraud, theft, and corruption. It asks agencies to evaluate how regulation can mitigate risk.
    • The plan addresses how investigators can increase compliance with laws against money laundering and financing terrorism, focusing on decentralized financial ecosystems, peer-to-peer payments and obscured blockchain ledgers.
  4. Reinforcing U.S. Leadership in the Global Financial System
    • The Commerce Department will work with other agencies on a framework to drive U.S. competitiveness and leadership in and use of digital asset technologies.
    • The Treasury Department will facilitate international engagement on issues like global compliance and standards.
  5. Promoting Access to Safe, Affordable Financial Services
    • The Treasury Department will report on the future of money and payment services.
  6. Supporting Responsible Innovation
    • Several agencies will support advances in the development, design and implementation of digital asset systems.
    • One goal: Ensuring such technologies emphasize privacy and security, defend against illicit exploitation and reduce negative climate impacts and environmental pollution from cryptocurrency mining.

On the horizon

  • The order puts the “highest urgency” on research and development of a U.S. Central Bank Digital Currency.[1] It says that may support efficient and low-cost transactions and greater access.

Signs of Increased Regulation

  • The Justice Department’s National Cryptocurrency Enforcement Team
    • Biden’s March 2022 executive order came months after the Justice Department announced a National Cryptocurrency Enforcement Team.
    • The team investigates and prosecutes crimes like money laundering, ransomware and extortion schemes, and trading on dark markets for drugs, weapons and hacking tools.[2]
    • The task force’s creation suggests the Justice Department has the resources and will to investigate allegations of crypto wrongdoing.
  • The SEC has eyed regulating crypto trading platforms
    • When asked in January if the SEC will start regulating crypto trading platforms in 2022, Chairman Gary Gensler said “…I sure hope so.”[3]
    • He also said: “To the extent that folks are operating outside the regulatory perimeter, but are supposed to be inside, we will bring enforcement actions.”[4]
    • Gensler has said he sees most cryptocurrencies as securities subject to SEC regulation.[5]
  • Other agencies are also marching toward regulation
    • The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency have conducted interagency “policy sprints” focused on crypto assets.[6]
    • The goal was to analyze if and how existing regulations apply to crypto activities and to establish a road map for the future.
    • They promised to “provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible” and articulate expectations for compliance with existing laws.
    • Our 2021 Year-End Crypto Roundup details other regulatory initiatives.
  • Regulators are getting more tools – and power
    • Until now, regulators approached crypto misconduct with outdated laws that didn’t always fit. Now regulators are getting more tools and power.
    • Even without a coordinated strategy or crypto-specific regulatory framework, agencies have held companies and people accountable for misconduct.
    • The SEC has brought numerous enforcement actions for fraudulent and unregistered digital asset offerings,[7] and the DOJ recently arrested two people on charges they tried to launder $4.5 billion in stolen cryptocurrency.[8]
    • FinCEN and the Commodity Futures Trading Commission reached a $100 million settlement with cryptocurrency exchange BitMEX last year. The exchange’s founders pleaded guilty to charges stemming from the company’s failure to establish, implement, and maintain an anti-money laundering program.

 

 

[1] See Board of Governors of the Federal Reserve, Money and Payments; The U.S. Dollar in the Age of Digital Transformation (Jan. 2022).
[2] U.S. Dep’t of Justice, Press Release, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021).
[3] Jennifer Schonberger, SEC’s Gensler wants crypto exchange regulation in 2022, warns on stablecoin, Yahoo Finance (Jan. 20, 2022).
[4] Id.
[5] Cheyenne Ligon, Gensler’s Crypto Testimony: 6 Key Takeaways, CoinDesk (Oct. 6, 2021).
[6] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (Nov. 23, 2021).
[7] See U.S. Securities & Exchange Commission, Cyber Enforcement Actions.
[8] U.S. Dep’t of Justice, Press Release, Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency (Feb. 8, 2022).

Non-U.S. Crypto and Other Money Services Businesses: Have Customers in the U.S.? Beware of AML and Sanctions Compliance Risk

, , , and

Two recent guilty pleas involving a cryptocurrency exchange serve as a reminder to all money services businesses (“MSBs”)—including those ostensibly located outside the United States but that conduct business there—of the importance of implementing anti-money laundering (“AML”) programs and registering as MSBs with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). Last week, two founders and executives of BitMEX—a virtual currency derivatives exchange whose parent company was registered in the Seychelles but operated globally, including in the United States—pled guilty to criminal Bank Secrecy Act (“BSA”) violations stemming from the company’s willful failure to establish, implement, and maintain an AML program.[1]

The BitMEX enforcement action also highlights sanctions non-compliance risks. Without a Know Your Customer (“KYC”) program, BitMEX carried out transactions for customers based in Iran, a jurisdiction comprehensively sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As OFAC has made clear, sanctions compliance obligations remain the same regardless of whether transactions are denominated in virtual currency or fiat. A focus on sanctions compliance may become even more critical for cryptocurrency companies in the wake of the new far-reaching Russia-related sanctions imposed by the United States, the EU, and the UK, among other governments, in response to Russia’s invasion of Ukraine. OFAC and the New York State Department of Financial Services (“NYSDFS”) have warned that as sanctioned persons and jurisdictions “become more desperate for access to the U.S. financial system,” they are likely to turn to cryptocurrency to minimize the crippling effect of sanctions.

BitMEX Founders’ Guilty Pleas

The two BitMEX founders’ guilty pleas on February 24, 2022 follow the company’s settlement with U.S. regulators in August 2021, which was one of the largest-ever resolutions with a cryptocurrency exchange. While BitMEX was incorporated in the Seychelles, it had connections to the United States, including maintaining offices there and soliciting and accepting orders from U.S. customers. FinCEN and the Commodity Futures Trading Commission found that BitMEX was operating as an unregistered futures commission merchant under the BSA, and that it failed to comply with the BSA’s AML program requirements, including by failing to maintain an adequate customer identification program.  BitMEX resolved the allegations for $100 million, with a $20 million suspended penalty pending the company’s remediation and prevention measures, including ending all operations within the United States and no longer serving any U.S. customers.

The Department of Justice charged four of the company’s founders and executives in October 2020. In announcing that two of them, Arthur Hayes and Benjamin Delo, had pled guilty to willfully violating the BSA, the Department of Justice alleged that these two founders “closely” followed the U.S. regulatory developments and were aware of their BSA obligations due to U.S. customers’ trading on BitMEX. Yet, they allegedly took affirmative steps purportedly designed to exempt BitMEX from the application of U.S. laws like AML requirements and KYC requirements. For example, according to prosecutors, “the defendants caused BitMEX to formally incorporate in the Seychelles, a jurisdiction they believed had less stringent regulation, and from which they could still serve U.S. customers and operate within the United States without performing AML and KYC.” Without “even basic” AML policies in place, BitMEX became “in effect a money laundering platform” and a “vehicle for sanctions violations.”

Takeaways

This development illustrates the significant risks to which foreign-located MSBs expose themselves if they have U.S. customers but fail to comply with the BSA. Incorporating in a “friendlier” jurisdiction, like the Seychelles in the BitMEX case, does not protect an MSB from BSA liability if it operates in the United States. The BSA applies to MSBs “wherever located” if they conduct business “wholly or in substantial part within the United States.” Thus, all MSBs, including those transmitting cryptocurrency—with any U.S. nexus—should take note of the BSA requirements. Those include registering with FinCEN; implementing a written AML program with policies, procedures, and internal controls, including regarding customer identification and verification; and controls to detect and report suspicious activity. The AML programs must be commensurate with the risks posed by the location, size, nature and volume of the services provided by the MSB and be effective in preventing the MSB from being used to facilitate money laundering and the financing of terrorist activities.

An effective AML/KYC program will also help ensure compliance with sanctions regulations. As noted, cryptocurrency exchanges will likely face increased sanctions risks due to the sweeping sanctions recently imposed against Russian banks, entities, and individuals by the United States, EU, UK, and other governments, and additional measures that may be imposed in the coming days or weeks. As such, cryptocurrency exchanges may face, and must address, “unique risks.”

By implementing a KYC program, which includes sanctions screening, cryptocurrency companies can help ensure they do not engage, directly or indirectly, in transactions prohibited by sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions. To ensure compliance, cryptocurrency exchanges should also employ geolocation and IP-address blocking to prohibit access by parties from sanctioned jurisdictions, perform transaction monitoring to detect suspicious activity, and file required reports with FinCEN and OFAC. Exchanges operating outside the United States that do not yet have but want to attract U.S. users should also consider implementing such measures.

[1] Also last week, on February 25, 2022, BitConnect founder Satish Kumbhani was indicted in a cryptocurrency Ponzi scheme, which the government alleges deprived investors worldwide, including in the United States, of over $2 billion. According to the indictment, to avoid regulatory scrutiny and conceal BitConnect’s fraudulent scheme, Kumbhani evaded and circumvented U.S. regulations, including those enforced by the FinCEN. Among other things, BitConnect never registered with FinCEN, as required under the BSA.

Cryptocurrency and OFAC: Beware of the Sanctions Risks

, and

A recent federal criminal action shows the depth of the U.S. government’s concern about the use of cryptocurrency (or virtual currency) to violate economic sanctions laws and the lengths to which it will go to charge such violations. The U.S. government is particularly concerned that sanctioned countries and parties have used cryptocurrency to avoid sanctions designed to isolate them, and to facilitate illicit activities, including money laundering and ransomware attacks. The U.S. Office of Foreign Assets Control of the Treasury Department (OFAC), which administers U.S. economic sanctions programs, indicated recently that it intends to devote more resources to cryptocurrency issues. Over the past year or so, OFAC has issued a number of subpoenas to virtual currency businesses, such as exchanges, regarding possible customers and transactions involving parties in sanctioned countries. OFAC will probably announce its first enforcement actions involving virtual currency at some point this year. In addition, as discussed in Orrick’s recent blog post, the U.S. Commodity Futures Trading Commission, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), and the U.S. Securities and Exchange Commission remain focused on AML risks presented by cryptocurrency.

In an unusual application of economic sanctions law, in November 2019 a U.S. citizen was arrested and charged by the U.S. Attorney for the Southern District of New York with violating U.S. sanctions after he traveled to North Korea and delivered a presentation and technical advice related to the use of cryptocurrency and blockchain technology. In the case, which did not involve cryptocurrency transactions, the U.S. Attorney charged Virgil Griffith, an Ethereum Foundation staff member, with conspiring to violate U.S. sanctions laws that generally prohibit the provision of unlicensed services to North Korea. According to the U.S. Attorney’s Office, Mr. Griffith had traveled to North Korea to attend and speak at the Pyongyang Blockchain and Cryptocurrency Conference, despite the U.S. government’s denial of his request for authorization to attend. The U.S. government alleges that at the conference Mr. Griffith and other attendees discussed how North Korea could use blockchain and cryptocurrency technology to launder money and evade sanctions.

OFAC has issued frequently asked questions emphasizing that compliance obligations remain the same regardless whether transactions are denominated in virtual currency or fiat, and has started to include in its Specially Designated Nationals and Blocked Persons List (SDN List) virtual currency addresses that are linked to sanctioned persons. Sanctions are enforced with the help of U.S. businesses, in particular banks and other financial institutions, which have implemented systems and internal controls to detect the involvement of designated persons or prohibited jurisdictions in transactions. The U.S. government expects a similar level of commitment from entities dealing in cryptocurrency. It is critical that U.S. virtual currency users, exchangers, administrators and other persons engaging in virtual currency transactions with any U.S. nexus take steps designed to ensure that they do not deal with U.S. sanctions targets, which include providing financial or other services to such parties. OFAC has advised technology companies, administrators, exchangers, and users of virtual currencies, and other payment processors, to implement risk-based compliance programs, which generally should include sanctions list screening. This is consistent with OFAC’s recommendations included in A Framework for OFAC Compliance Commitments issued in June 2019.

Because a strict liability standard applies to unauthorized dealings with sanctioned parties and jurisdictions, U.S. persons dealing in cryptocurrency cannot avoid potential liability simply because they do not know the identity of the person with whom they are interacting. And the risk of dealing with sanctioned persons and jurisdictions when conducting virtual currency transactions will likely increase should nations like Iran and Russia further embrace cryptocurrency to try to avoid sanctions. In 2018, Iran reportedly acknowledged cryptocurrency mining as a legitimate industry, and in December 2019, Iran’s President reportedly proposed creation of a Muslim cryptocurrency to decrease reliance on the U.S. dollar. The U.S. government acted in 2018 to prohibit transactions involving Venezuela’s state virtual currency, the “Petro.”

To protect against potential sanctions violations, there are key steps that cryptocurrency users and exchanges can take. Crypto exchanges operating in the United States are required to register with FinCEN as money services businesses, to license themselves in the states in which they operate, and to exclude users in sanctioned jurisdictions and those on OFAC’s SDN List from transacting on the exchange. These exchanges should adopt and implement Know Your Customer procedures, including sanctions screening, to identify parties trading on their exchanges, and can employ geo-IP blocking to prohibit access by parties from sanctioned jurisdictions. They should perform transaction monitoring to detect suspicious activity and file required reports with FinCEN. U.S. persons trading in cryptocurrency should use exchanges committed to complying with U.S. sanctions requirements. If the exchange allows sanctioned parties to participate, a U.S. person could end up unknowingly trading with such a party and thus violating U.S. law. Exchanges operating outside the United States that want to attract U.S. users should also consider implementing such measures, to exclude targets of U.S. sanctions from trading. Non-U.S. exchanges that permit access to certain U.S. sanctions targets may risk imposition of U.S. “secondary sanctions” designed to deter non-U.S. persons from engaging in business with targets of U.S. sanctions.