Keyword: OFAC

Executive Order on Digital Assets Means Industry-Shifting Regulation Is Closer Than Ever

On March 9, 2022, Bitcoin prices surged and many in the crypto community celebrated as the Biden administration announced a sweeping executive order that acknowledges the key role digital assets will play in global financial systems. While the Order embraces crypto as the wave of the future, it calls for an intense focus on the industry that will undoubtedly lead to increased oversight and enforcement. Businesses that have believed themselves to be operating in a legal gray area may soon find themselves more explicitly subject to many of the same regulations as traditional financial service providers. The Order provides a simple rationale for aligning the new industry with existing regulatory standards: “same business, same risks, same rules.”

There is no cookie-cutter approach to analyzing how the coming changes will impact a business. We are tracking developments to help our clients look over the horizon and plan ahead. Below are the key takeaways from the Order:

  • The Order calls for an “unprecedented focus of coordinated action” to address the illicit use of digital assets. This will likely lead to increased criminal enforcement—including holding companies accountable for illegal activity perpetrated through their networks.
  • Numerous agencies have been tasked with developing policies and regulatory frameworks to protect consumers, investors, and businesses in the crypto sphere, with additional reporting to come as soon as within 90 days.
  • The administration supports responsible innovation related to digital assets, meaning technological advances that address privacy, security, controls against exploitation, and environmental responsibility.
  • These directives build on initiatives that have been pursued at the agency level, such as the creation of a DOJ task force to investigate and prosecute crypto crime.

******

The Biden administration’s move towards more digital asset oversight is now directed from the top. President Biden’s March 9 Executive Order calls for an “unprecedented focus of coordinated action” across all government agencies to mitigate the risks posed by the illicit use of digital assets. And this focus is not just domestic; the Order also directs agencies to work with foreign partners to align international frameworks and coordinate responses to risks—which may involve cross-border investigations and prosecution of misconduct. While the Order suggests the government will embrace digital assets in an unprecedented way, there is no doubt that increased criminal and regulatory enforcement will soon follow.

1. The sweeping Order outlines a “whole-of-government approach” to setting policy, establishing regulatory frameworks, and mitigating risks associated with digital assets.

Citing the explosive growth in digital assets, the Order makes the case for stronger oversight and increased regulation of cryptocurrencies. It announces six key priorities:

  • Protecting Consumers, Investors, and Businesses: The Treasury Department and other agency partners will develop policy recommendations to address the risks and opportunities of digital assets. Additionally, the Attorney General and others will report on the role of law enforcement agencies in detecting, investigating, and prosecuting crypto crime, and recommend appropriate regulatory or legislative actions.
  • Protecting U.S. and Global Financial Stability: The Financial Stability Oversight Council will identify economy-wide financial risks posed by digital assets and develop proposals to address such risks and any associated regulatory gaps.
  • Mitigating Illicit Finance and National Security Risks: The Order emphasizes the growing use of digital assets to facilitate cybercrime, money laundering, terrorist and proliferation financing, fraud, theft, and corruption. Building on the Treasury Department’s National Strategy for Combating Terrorist and Other Illicit Financing, a group of agencies will evaluate “opportunities to mitigate such risks through regulation” and develop a coordinated action plan. This plan will, among other things, address the role of law enforcement to increase compliance with AML/CFT, focusing on decentralized financial ecosystems, peer-to-peer payment activity, and obscured blockchain ledgers.
  • Reinforcing U.S. Leadership in the Global Financial System: The Department of Commerce will work with other agencies on a framework to drive U.S. competitiveness and leadership in, and leveraging of, digital asset technologies. The Treasury Department will similarly work across government to establish a framework for international engagement on issues such as foreign assistance, global compliance, and the promotion of international standards.
  • Promoting Access to Safe and Affordable Financial Services: The Treasury Department and other relevant agencies will produce a report on the future of money and payment services, recognizing the national interest in ensuring access to safe and affordable financial services.
  • Supporting Responsible Innovation: Various agencies will study and support technological advances in the responsible development, design, and implementation of digital asset systems. This means ensuring that digital asset technologies include privacy and security in their architecture, integrate controls to defend against illicit exploitation, and reduce negative climate impacts and environmental pollution from cryptocurrency mining.

Additionally, the Order places the “highest urgency” on research and development into the creation of a U.S. Central Bank Digital Currency (CBDC),[1] which it says has the potential to support efficient and low-cost transactions and foster greater access to the financial system. The Treasury Department and other agencies have been tasked with analyzing the potential implications of launching a U.S. CBDC.

2. The Executive Order comes on the heels of a new DOJ task force, the National Cryptocurrency Enforcement Team, aimed at investigating and prosecuting crypto crime.

In October 2021, Deputy Attorney General Lisa Monaco announced the creation of a National Cryptocurrency Enforcement Team (NCET) to “tackle complex investigations and prosecutions of criminal misuses of cryptocurrency,” including money laundering, ransomware and extortion schemes, and trading on dark markets for illegal drugs, weapons, and hacking tools.[2] The NCET is staffed by DOJ prosecutors with backgrounds in cryptocurrency, cybercrime, money laundering, and forfeiture. They work closely with various DOJ sections, U.S. Attorneys’ Offices, and the FBI. According to NCET Director Eun Young Choi, “the NCET will play a pivotal role in ensuring that as the technology surrounding digital assets grows and evolves, the department in turn accelerates and expands its efforts to combat their illicit abuse by criminals of all kinds.”[3] The creation of this task force suggests that the DOJ has both the resources and the will to investigate allegations of wrongdoing in the crypto sphere, and companies must remain vigilant in light of the increased risk of regulatory scrutiny.

3. The SEC has expressed a strong interest in regulating crypto trading platforms, while other agencies have announced a series of “policy sprints” focused on crypto assets.

For the SEC, the question of whether the agency will regulate cryptocurrency exchanges is not a matter of if, but when. When asked by reporters in January whether 2022 will be the year that the SEC starts regulating crypto trading platforms, SEC Chairman Gary Gensler responded: “You shouldn’t put timelines on yourself, but I will say I sure hope so.”[4] He went on to caution: “To the extent that folks are operating outside the regulatory perimeter, but are supposed to be inside, we will bring enforcement actions.”[5] This calls to mind the question of whether cryptocurrencies are securities, which, if answered in the affirmative, brings them well within the reach of the SEC’s Enforcement Division. While the answer may differ depending on the currency, Chairman Gensler has expressed a view that most cryptocurrencies are indeed securities and thus subject to regulation by the SEC.[6]

4. Nearly every relevant agency is marching towards more regulation.

The SEC and the Treasury Department are leaders in this space, but it seems that no agency wants to be left behind when it comes to regulating cryptocurrencies. At the same time that the DOJ and SEC were pursuing their own crypto strategies, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency conducted a series of interagency “policy sprints” focused on crypto assets.[7] Their goal was to analyze the applicability of existing regulations to crypto activities and establish a road map for further guidance. They promised to “provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible” and articulate expectations for compliance with existing laws. Other regulatory initiatives being pursued at the agency level, including by the Treasury Department’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN), are detailed in our 2021 Year-End Crypto Roundup.

5. Up until now, regulators have had to address misconduct in the crypto market using outdated laws that didn’t always fit. This is about to change—giving regulators more tools (and power) than ever.

Even without a coordinated strategy or crypto-specific regulatory framework, agencies have found ways to hold companies and individuals accountable for crypto-related misconduct. For example, the SEC has brought numerous enforcement actions for fraudulent and unregistered digital asset offerings,[8] and the DOJ recently arrested two individuals in connection with an attempt to launder $4.5 billion in stolen cryptocurrency.[9] Last year, FinCEN and the Commodity Futures Trading Commission (CFTC) reached a $100 million settlement with cryptocurrency exchange BitMEX, and BitMEX founders recently pled guilty to criminal Bank Secrecy Act (BSA) regulations stemming from the company’s willful failure to establish, implement, and maintain an AML program. But despite these efforts, without tailored regulation, illicit activity is bound to fall through the cracks. The current landscape is bound to change dramatically as a result of the Biden administration’s Executive Order, and even companies operating entirely within the law need to be ready to shift how they do business to adapt to changing regulations. Whatever comes next, we are tracking developments closely to help our clients navigate these changes and mitigate regulatory and enforcement risk.

[1] See Board of Governors of the Federal Reserve, Money and Payments; The U.S. Dollar in the Age of Digital Transformation (Jan. 2022).

[2] U.S. Dep’t of Justice, Press Release, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021).

[3] U.S. Dep’t of Justice, Press Release, Justice Department Announces First Director of National Cryptocurrency Enforcement Team (Feb. 17, 2022).

[4] Jennifer Schonberger, SEC’s Gensler wants crypto exchange regulation in 2022, warns on stablecoin, Yahoo Finance (Jan. 20, 2022).

[5] Id.

[6] Cheyenne Ligon, Gensler’s Crypto Testimony: 6 Key Takeaways, CoinDesk (Oct. 6, 2021).

[7] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (Nov. 23, 2021).

[8] See U.S. Securities & Exchange Commission, Cyber Enforcement Actions.

[9] U.S. Dep’t of Justice, Press Release, Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency (Feb. 8, 2022).

Non-U.S. Crypto and Other Money Services Businesses: Have Customers in the U.S.? Beware of AML and Sanctions Compliance Risk

Two recent guilty pleas involving a cryptocurrency exchange serve as a reminder to all money services businesses (“MSBs”)—including those ostensibly located outside the United States but that conduct business there—of the importance of implementing anti-money laundering (“AML”) programs and registering as MSBs with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). Last week, two founders and executives of BitMEX—a virtual currency derivatives exchange whose parent company was registered in the Seychelles but operated globally, including in the United States—pled guilty to criminal Bank Secrecy Act (“BSA”) violations stemming from the company’s willful failure to establish, implement, and maintain an AML program.[1]

The BitMEX enforcement action also highlights sanctions non-compliance risks. Without a Know Your Customer (“KYC”) program, BitMEX carried out transactions for customers based in Iran, a jurisdiction comprehensively sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As OFAC has made clear, sanctions compliance obligations remain the same regardless of whether transactions are denominated in virtual currency or fiat. A focus on sanctions compliance may become even more critical for cryptocurrency companies in the wake of the new far-reaching Russia-related sanctions imposed by the United States, the EU, and the UK, among other governments, in response to Russia’s invasion of Ukraine. OFAC and the New York State Department of Financial Services (“NYSDFS”) have warned that as sanctioned persons and jurisdictions “become more desperate for access to the U.S. financial system,” they are likely to turn to cryptocurrency to minimize the crippling effect of sanctions.

BitMEX Founders’ Guilty Pleas

The two BitMEX founders’ guilty pleas on February 24, 2022 follow the company’s settlement with U.S. regulators in August 2021, which was one of the largest-ever resolutions with a cryptocurrency exchange. While BitMEX was incorporated in the Seychelles, it had connections to the United States, including maintaining offices there and soliciting and accepting orders from U.S. customers. FinCEN and the Commodity Futures Trading Commission found that BitMEX was operating as an unregistered futures commission merchant under the BSA, and that it failed to comply with the BSA’s AML program requirements, including by failing to maintain an adequate customer identification program.  BitMEX resolved the allegations for $100 million, with a $20 million suspended penalty pending the company’s remediation and prevention measures, including ending all operations within the United States and no longer serving any U.S. customers.

The Department of Justice charged four of the company’s founders and executives in October 2020. In announcing that two of them, Arthur Hayes and Benjamin Delo, had pled guilty to willfully violating the BSA, the Department of Justice alleged that these two founders “closely” followed the U.S. regulatory developments and were aware of their BSA obligations due to U.S. customers’ trading on BitMEX. Yet, they allegedly took affirmative steps purportedly designed to exempt BitMEX from the application of U.S. laws like AML requirements and KYC requirements. For example, according to prosecutors, “the defendants caused BitMEX to formally incorporate in the Seychelles, a jurisdiction they believed had less stringent regulation, and from which they could still serve U.S. customers and operate within the United States without performing AML and KYC.” Without “even basic” AML policies in place, BitMEX became “in effect a money laundering platform” and a “vehicle for sanctions violations.”

Takeaways

This development illustrates the significant risks to which foreign-located MSBs expose themselves if they have U.S. customers but fail to comply with the BSA. Incorporating in a “friendlier” jurisdiction, like the Seychelles in the BitMEX case, does not protect an MSB from BSA liability if it operates in the United States. The BSA applies to MSBs “wherever located” if they conduct business “wholly or in substantial part within the United States.” Thus, all MSBs, including those transmitting cryptocurrency—with any U.S. nexus—should take note of the BSA requirements. Those include registering with FinCEN; implementing a written AML program with policies, procedures, and internal controls, including regarding customer identification and verification; and controls to detect and report suspicious activity. The AML programs must be commensurate with the risks posed by the location, size, nature and volume of the services provided by the MSB and be effective in preventing the MSB from being used to facilitate money laundering and the financing of terrorist activities.

An effective AML/KYC program will also help ensure compliance with sanctions regulations. As noted, cryptocurrency exchanges will likely face increased sanctions risks due to the sweeping sanctions recently imposed against Russian banks, entities, and individuals by the United States, EU, UK, and other governments, and additional measures that may be imposed in the coming days or weeks. As such, cryptocurrency exchanges may face, and must address, “unique risks.”

By implementing a KYC program, which includes sanctions screening, cryptocurrency companies can help ensure they do not engage, directly or indirectly, in transactions prohibited by sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions. To ensure compliance, cryptocurrency exchanges should also employ geolocation and IP-address blocking to prohibit access by parties from sanctioned jurisdictions, perform transaction monitoring to detect suspicious activity, and file required reports with FinCEN and OFAC. Exchanges operating outside the United States that do not yet have but want to attract U.S. users should also consider implementing such measures.

[1] Also last week, on February 25, 2022, BitConnect founder Satish Kumbhani was indicted in a cryptocurrency Ponzi scheme, which the government alleges deprived investors worldwide, including in the United States, of over $2 billion. According to the indictment, to avoid regulatory scrutiny and conceal BitConnect’s fraudulent scheme, Kumbhani evaded and circumvented U.S. regulations, including those enforced by the FinCEN. Among other things, BitConnect never registered with FinCEN, as required under the BSA.

Cryptocurrency and OFAC: Beware of the Sanctions Risks

A recent federal criminal action shows the depth of the U.S. government’s concern about the use of cryptocurrency (or virtual currency) to violate economic sanctions laws and the lengths to which it will go to charge such violations. The U.S. government is particularly concerned that sanctioned countries and parties have used cryptocurrency to avoid sanctions designed to isolate them, and to facilitate illicit activities, including money laundering and ransomware attacks. The U.S. Office of Foreign Assets Control of the Treasury Department (OFAC), which administers U.S. economic sanctions programs, indicated recently that it intends to devote more resources to cryptocurrency issues. Over the past year or so, OFAC has issued a number of subpoenas to virtual currency businesses, such as exchanges, regarding possible customers and transactions involving parties in sanctioned countries. OFAC will probably announce its first enforcement actions involving virtual currency at some point this year. In addition, as discussed in Orrick’s recent blog post, the U.S. Commodity Futures Trading Commission, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), and the U.S. Securities and Exchange Commission remain focused on AML risks presented by cryptocurrency.

In an unusual application of economic sanctions law, in November 2019 a U.S. citizen was arrested and charged by the U.S. Attorney for the Southern District of New York with violating U.S. sanctions after he traveled to North Korea and delivered a presentation and technical advice related to the use of cryptocurrency and blockchain technology. In the case, which did not involve cryptocurrency transactions, the U.S. Attorney charged Virgil Griffith, an Ethereum Foundation staff member, with conspiring to violate U.S. sanctions laws that generally prohibit the provision of unlicensed services to North Korea. According to the U.S. Attorney’s Office, Mr. Griffith had traveled to North Korea to attend and speak at the Pyongyang Blockchain and Cryptocurrency Conference, despite the U.S. government’s denial of his request for authorization to attend. The U.S. government alleges that at the conference Mr. Griffith and other attendees discussed how North Korea could use blockchain and cryptocurrency technology to launder money and evade sanctions.

OFAC has issued frequently asked questions emphasizing that compliance obligations remain the same regardless whether transactions are denominated in virtual currency or fiat, and has started to include in its Specially Designated Nationals and Blocked Persons List (SDN List) virtual currency addresses that are linked to sanctioned persons. Sanctions are enforced with the help of U.S. businesses, in particular banks and other financial institutions, which have implemented systems and internal controls to detect the involvement of designated persons or prohibited jurisdictions in transactions. The U.S. government expects a similar level of commitment from entities dealing in cryptocurrency. It is critical that U.S. virtual currency users, exchangers, administrators and other persons engaging in virtual currency transactions with any U.S. nexus take steps designed to ensure that they do not deal with U.S. sanctions targets, which include providing financial or other services to such parties. OFAC has advised technology companies, administrators, exchangers, and users of virtual currencies, and other payment processors, to implement risk-based compliance programs, which generally should include sanctions list screening. This is consistent with OFAC’s recommendations included in A Framework for OFAC Compliance Commitments issued in June 2019.

Because a strict liability standard applies to unauthorized dealings with sanctioned parties and jurisdictions, U.S. persons dealing in cryptocurrency cannot avoid potential liability simply because they do not know the identity of the person with whom they are interacting. And the risk of dealing with sanctioned persons and jurisdictions when conducting virtual currency transactions will likely increase should nations like Iran and Russia further embrace cryptocurrency to try to avoid sanctions. In 2018, Iran reportedly acknowledged cryptocurrency mining as a legitimate industry, and in December 2019, Iran’s President reportedly proposed creation of a Muslim cryptocurrency to decrease reliance on the U.S. dollar. The U.S. government acted in 2018 to prohibit transactions involving Venezuela’s state virtual currency, the “Petro.”

To protect against potential sanctions violations, there are key steps that cryptocurrency users and exchanges can take. Crypto exchanges operating in the United States are required to register with FinCEN as money services businesses, to license themselves in the states in which they operate, and to exclude users in sanctioned jurisdictions and those on OFAC’s SDN List from transacting on the exchange. These exchanges should adopt and implement Know Your Customer procedures, including sanctions screening, to identify parties trading on their exchanges, and can employ geo-IP blocking to prohibit access by parties from sanctioned jurisdictions. They should perform transaction monitoring to detect suspicious activity and file required reports with FinCEN. U.S. persons trading in cryptocurrency should use exchanges committed to complying with U.S. sanctions requirements. If the exchange allows sanctioned parties to participate, a U.S. person could end up unknowingly trading with such a party and thus violating U.S. law. Exchanges operating outside the United States that want to attract U.S. users should also consider implementing such measures, to exclude targets of U.S. sanctions from trading. Non-U.S. exchanges that permit access to certain U.S. sanctions targets may risk imposition of U.S. “secondary sanctions” designed to deter non-U.S. persons from engaging in business with targets of U.S. sanctions.