Once the exclusive domain of so-called tech geeks, cryptocurrencies such as bitcoin have fueled explosive public interest in the last year, generating heated debate over their role in society. Are they a tool for criminal activity? An unchecked fad reminiscent of the 17th century Dutch tulip craze? Or can cryptocurrencies become a truly transformative, sustainable and efficient way to exchange value? Whatever the answer to the last question might be depends, at least in part, on how well the cryptocurrency market is regulated and the financial crime controls in place within the cryptocurrency and banking industries.
Limited Oversight of Cryptocurrencies
Early on, the U.S. recognized the need for creating accountability and stability in the market by regulating cryptocurrencies. The U.S. Department of Treasury, through the Financial Crime Enforcement Network (FinCEN), issued guidance in March 2013 specifically stating that the Bank Secrecy Act (BSA) applied to virtual currency administrators and exchangers, which would be considered money services businesses (MSBs). Additional guidance from FinCEN, provided in a January 2014 administrative ruling, declared that transferring virtual currencies to third parties at the behest of sellers, creditors, owners or counterparties involved in certain transactions could potentially constitute money transmission under the BSA, thereby subjecting the transmitter to federal registration, reporting and compliance requirements. Most recently, in March 2018, FinCEN outlined its intent to regulate entities that transmit newly-issued digital coins and tokens derived from initial coin offerings (ICOs) as money transmitters subject to BSA requirements. U.S. Treasury Secretary Steve Mnuchin further reminded an audience during a moderated discussion that, “under our laws, if you have an electronic wallet to own bitcoins, that company has the same obligation as a bank to know your customer (KYC).”
Despite these actions, the BSA’s regulation of MSBs (and by extension, cryptocurrency exchanges) is more limited than for banks and other entities that FinCEN has deemed “covered financial institutions.” For example, in May 2018, FinCEN began requiring covered financial institutions to identify and verify the identity of the ultimate beneficial owners (UBOs) of companies at the time of account opening, a measure that is not applicable to MSBs. A bad actor or sanctioned party could therefore establish a complex, multilayered legal structure to hide its ultimate beneficial ownership and then obtain a bitcoin wallet from a cryptocurrency exchange MSB through intermediaries. If the exchange does not voluntarily apply the new customer due diligence (CDD) rules to identify the UBO of a legal entity, the bad actor—whether a money launderer or sanctioned party—could freely transact in this space without detection.
Further, the BSA is silent on how to regulate new technologies associated with cryptocurrencies. For example, criminals transacting in cryptocurrencies can use so-called mixing services to prevent anyone from determining the true source of the transactional payment. Mixers scramble transactions on the blockchain—the electronic ledger that records all transactions—and redistribute the funds among cryptocurrency wallets. They obscure the chain of transactions by linking all transactions in the same bitcoin address and sending them together so that they appear to come from another address, thereby obscuring the recipient of the user’s outgoing funds.
Although the majority of mixing services process legal transactions of individuals and entities who wish to maintain privacy, the services’ lack of transparency also make them an excellent tool for money laundering, terrorist financing and sanctions evasion. Yet regulators have not addressed these services or how businesses should formulate controls around the surrounding technologies for mixers or other services that could shield illicit activities.
Mitigating Financial Crimes Risks
Until regulation inevitably arrives, start-ups and established businesses handling cryptocurrency accounts would be well-advised to:
- Voluntarily adopt the BSA’s new CDD rules on UBOs, which will necessitate digging deeper into the customer’s profile during the account-opening process, asking more questions of the customer about beneficial ownership or control of the entity, verification of ownership identities, research of incorporation and other documents and engaging in additional due diligence as appropriate. As outlined in 31 CFR 1010, 1020, 1023, 1024 and 1026, these actions may require, among other things, revisions to policies and procedures related to the customer identification and due diligence, additional training for personnel, costs associated with vetting, as well as IT reconfiguration.
- Consider placing customers who use mixing services in a higher financial crime risk category and treat the mere use of a mixing service as a red flag. These classifications will necessitate additional due diligence on the customer and the customer’s transactions, as well as more frequent updates on the customer’s KYC profile. As part of this process, among other things, companies will need to revise policies and procedures related to CDD, conduct additional training for personnel, and, potentially, incur costs associated with additional investigations. The investigations might be quite technical in nature.
- Consider an annual, independently conducted assessment of their financial crimes compliance (FCC) program by a third party with expertise in financial crime controls as they relate to the cryptocurrency sector.
These types of enhancements have upfront costs, but they serve to mitigate an enormous downside. Most obviously, tightening and validating controls lessens the likelihood of violating the BSA, Office of Foreign Assets Control sanctions, and other applicable U.S. laws and regulations. Perhaps more importantly, the banking industry has traditionally been reluctant to open accounts for cryptocurrency businesses because of their perceived financial crime risks, leading such firms to smaller banks with more limited services. If financial technology firms handling cryptocurrencies develop robust financial crime controls, large, well-established banks inevitably begin to view them in a new, more positive light. If, through due diligence, larger banks view cryptocurrency businesses that have enhanced their financial crime controls as less risky potential customers, they will be more likely to onboard them.
Just as importantly, banks that process payments in fiat currency for cryptocurrency exchanges should, in turn, engage in extensive due diligence of the exchanges at the time of on-boarding. Due diligence information should also be refreshed at least once per year, and more frequently if certain trigger events occur—e.g., negative news linking the cryptocurrency exchange to money laundering, fraud or sanctions violations, or if the bank detects and reports suspicious activity. Due diligence should at a minimum involve: (i) a review of financial crime compliance policies and procedures; (ii) screening the exchange, its owners and principals for derogatory information and possible sanctions exposure; and (iii) an on-site meeting at the exchange’s place of operation, attended by the exchange’s senior management and its chief compliance officer. The purpose of the meeting would be to confirm that the exchange appears to be a legitimate operation, assess management’s commitment to FCC compliance and to secure an understanding regarding the implementation of the exchange’s FCC program.
Additional industry controls, much less those that are self-imposed, seem antithetical to the free-flowing, deregulated spirit associated with cryptocurrencies. But without them, bitcoin, a current competitor or some future player cannot become a truly legitimate, widely accepted and routine method of conducting worldwide commerce on reputable platforms. Cryptocurrencies could easily deteriorate into favored instruments for criminals or serve to bolster the argument that they are a speculative curiosity, enriching a lucky few who had the foresight to sell their coins at the peak of popularity, but ultimately going the way of Beanie Babies and pet rocks. In short, comprehensive, effective regulation and controls might be a cryptocurrency purist’s scourge, but they are the cryptocurrency industry’s savior.