Government Alleges Systemic and Deliberate AML Failures
Filings Describe Tools for CVC Exchanges to Use for Customer Due Diligence and Transaction Monitoring
The Financial Crimes Enforcement Network (“FinCEN”) and the Commodity Futures Trading Commission (“CFTC”) announced on August 10 (here and here) settlements with the operators of the BitMEX cryptocurrency trading platform for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”), and for allegedly failing to register with the CFTC. More specifically, FinCEN’s assessment of a civil monetary penalty and the CFTC’s consent order both involved the five companies operating the BitMEX platform: HDR Global Trading Limited, 100x Holding Limited, ABS Global Trading Limited, Shine Effort Inc Limited, and HDR Global Services (Bermuda) Limited (collectively, “BitMEX”).
BitMEX will pay regulators up to a combined $100 million civil monetary penalty; perform a “lookback” regarding the potential need to file additional Suspicious Activity Reports (“SARs”); and hire an independent consultant to conduct two reviews of BitMEX’s operations, policies, procedures, and controls, in order to confirm that BitMEX is not operating in the U.S., and that no U.S. customers are able to trade with the BitMEX platform.
According to the government filings, BitMEX is one of the oldest cryptocurrency derivative exchanges, with 1.3 million user accounts and a collection of annual fees in excess of $1 billion. Combined, the government filings allege that for a period of six years between November 2014 and October 1, 2020, BitMEX offered trading of cryptocurrency derivatives to retail and institutional customers in the U.S. and worldwide through BitMEX’s website. Customers in the U.S. placed orders to buy or sell contracts directly through the website and BitMEX was aware that U.S. customers could access the BitMEX platform via virtual private network (“VPN”).
The civil penalty will be split between FinCEN and the CFTC. However, the settlement involves an interesting “carrot” offered by the regulators: $20 million of the penalty is suspended pending the successful completion of the SAR lookback and the two independent consultant reviews.
According to the government’s allegations, BitMEX deliberately ignored for years the most basic AML requirements, resulting in multitudinous violations and inviting – and even encouraging – its customers to launder illicit funds. As we will describe, the government has alleged that BitMEX operated on the announced pretext that it was not subject to the BSA or U.S. commodities laws because it had no U.S. customers or operations, when senior management knew otherwise.
An Alleged Deliberate Refusal to Comply with the BSA
The civil monetary penalty imposed by FinCEN against BitMEX represents the agency’s first enforcement action against a Futures Commission Merchant (“FCM”). According to FinCEN, BitMEX willfully failed to implement and maintain an adequate AML program or a customer identification program (“CIP”), and further failed to file SARs on at least 588 specific transactions.
Most fundamentally, FinCEN alleged that BitMEX never implemented any meaningful AML compliance program, despite the fact that it had U.S. customers and U.S. operations while functioning as both a FCM and a money transmitter required by the BSA to have a AML program. According to FinCEN, “BitMEX’s founders, executive officers, and additional senior leaders at the company were aware of their AML obligations at the beginning of its operations, including specifically how providing services to U.S. Customers could affect the company, as reflected in internal communications regarding licenses and other legal obligations.” Nonetheless, “until at least late 2020, BitMEX continued to operate without establishing and implementing a written AML program approved by senior management with adequate AML policies, procedures, and internal controls.” The refusal to perform the most basic AML functions allegedly stemmed from an “official” position by BitMEX that it did not do business in the U.S. For example, when asked by a U.S.-based convertible virtual currency (“CVC”) exchange to fill out an AML onboarding questionnaire, BitMEX’s co-founder and CEO allegedly stated, “No we don’t do any [Office of Foreign Assets Control] screening. The only country banned from our platform is the USA . . . . we do no other [Know Your Customer] as we are not required to under Seychelles law,” and, “for non-US persons we require only a verified email address.” A different CVC exchange seeking compliance information received a similar answer: “the answer to all AML questions is no.”
Accordingly, the FinCEN assessment alleges that BitMEX violated every core requirement, or “pillar,” of any adequate AML compliance program. For years, there was no compliance chief. The individual designated as responsible for compliance in 2019 failed to ensure compliance with the BSA and did not establish a formal AML program, including any policies, procedures, and internal controls or procedures to identify, detect, and report suspicious activity. BitMEX did not even hire anyone specifically responsible for AML compliance until October 2020. Similarly, BitMEX failed to train its personnel to comply with BSA reporting and recordkeeping requirements, and failed to perform any independent testing of its (non-existent) AML program.
BitMEX also allegedly allowed customers to access its platform and conduct trading activities without appropriate customer due diligence (“CDD”) or transaction monitoring, as evidenced by their unwillingness to collect more than just an email address to verify customer identity. FinCEN found that BitMEX failed to implement appropriate policies, procedures, and internal controls to screen for customers using a VPN access to its service. Consequently, BitMEX did not conduct due diligence to develop customer risk profiles or make risk-based decisions to maintain and update customer information. BitMEX allegedly “actively ignored” signs that U.S. customers traded on the platform. Worse, FinCEN determined that BitMEX senior leadership altered at least some U.S. customer information to obscure customers’ actual location, in part by advising U.S. customers to establish foreign shell companies in order to be able to trade on the platform.
Consistent with the total lack of an adequate AML program, BitMEX allegedly was aware that it had a regulatory obligation to collect and verify customer information, but failed to do so for the majority of its customers. Further, BitMEX refused to implement a CIP unless it came “under significant government pressure.” An internal senior leadership communication in 2014 stated:
If we start getting pressure we institute an account verification process for any accounts with balances over 10,000 USD equivalent of [bitcoin]. The documents we would require would be name, address and address proof, and copy of government ID. We should not implement this policy unless we come under significant government pressure. The stated policy should just be a valid email address.
BitMEX further allegedly facilitated customers seeking anonymity through The Onion Router, or TOR. FinCEN alleged that BitMEX not only failed to identify and mitigate the risks associated with customers employing using IP anonymizers such as TOR, but BitMEX actually deliberately assisted its customers in seeking anonymity by providing them with a TOR webpage to conduct transactions. “While use of TOR in and of itself is not suspicious, transactions through a torrent service may be a strong indicator of potential illicit activity when no additional due diligence is conducted to determine customer identify and whether funds are derived from illegal activity.”
[B]y describing the available tools it expects CVC exchanges and FCMs dealing in cryptocurrency to employ in order to conduct adequate CDD and transaction monitoring, the FinCEN assessment contains language which may be relevant to future enforcement actions.
Finally, by describing the available tools it expects CVC exchanges and FCMs dealing in cryptocurrency to employ in order to conduct adequate CDD and transaction monitoring, the FinCEN assessment contains language which may be relevant to future enforcement actions. According to FinCEN, BitMEX’s failures occurred despite the availability of the following tools:
[C]ertain information about past transactions and counterparties that have transacted with certain CVC wallets can be determined by applying address-clustering tools. These tools can uncover the identity of the transacting parties by linking CVC wallet addresses controlled by the same user based on the information available from the blockchain. Financial institutions utilize public information, transactional information on public, immutable CVC ledgers, and internal customer due diligence information to assist in identifying suspicious activity or patterns of suspicious activity occurring through the financial institution.
Failure to File Required SARs
The alleged lack of CDD, CIP and transacting monitoring by BitMEX inevitably resulted in the alleged failure to file SARs. According to FinCEN, at least $209 million worth of transactions were conducted by, at, or through BitMEX with known darknet markets or unregistered money services businesses, or MSBs, that provided so-called “mixing” services (as noted by FinCEN, darknet marketplaces actively promote mixers as the primary method for obfuscating bitcoin transactions). BitMEX also allegedly conducted transactions with CVC exchanges operating in high-risk jurisdictions with AML/CFT deficiencies, including jurisdictions such as Iran, that have restrictions placed on them by the U.S. and have been the subject of advisories issued by FinCEN and the Financial Action Task Force. Finally, BitMEX allegedly accepted and transmitted CVC for wallets containing the proceeds of potential fraud, including largescale pyramid schemes and elder financial exploitation schemes publicly identified as suspicious.
According to FinCEN, all of these transactions should have been the subject of SAR filings, but were not. To the contrary, “[w]hen directly asked if BitMEX conducted any transaction monitoring or reporting to detect or report potential terrorist financing, the co-founder and CEO stated only ‘if alerted to something from law enforcement we will assist.’”
The Penalties and Future Compliance
The $100 million civil penalty will be split between FinCEN and the CFTC. However, as noted, $20 million of the penalty is suspended pending the successful completion of a SAR lookback and two independent consultant reviews, described below. Also, FinCEN – in what is an arguable “shot across the bow” for future enforcement actions – emphasized the fact that it was able to assess, by statute, an astounding $59,017 for every “willful” violation of AML program, CIP and SAR requirements under the BSA, for each day that an alleged ongoing violation occurred.
FinCEN’s assessment states that it determined the civil monetary penalty after considering the following factors, all of which presumably will inform future enforcement actions:
- Nature and seriousness of the violations, including the extent of possible harm to the public and amounts involved;
- Impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering, and promote national security;
- Pervasiveness of wrongdoing within an entity, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations;
- History of similar violations, or misconduct in general, including prior criminal, civil and regulatory enforcement action;
- Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures;
- Financial gain or other benefit resulting from or attributable to the violation;
- Quality and extent of cooperation with FinCEN and other relevant agencies;
- Timely and voluntary disclosure of the violations;
- Systemic nature and duration of violations; and
- Penalties by other government agencies.
The assessment addresses each factor. Interestingly, and relevant to the still-ongoing civil and criminal proceedings against individuals, the assessment later provides that BitMEX “shall truthfully disclose to FinCEN all factual information and provide all data, documents, and materials in its possession, custody, or control, not protected by a valid claim of attorney-client privilege or work product doctrine, with respect to BitMEX and/or the conduct of its current or former directors, officer, employees, agents, affiliated entities or individuals, or others in any matter related to or arising from this matter brought by or on behalf of FinCEN.”
Finally, BitMEX must hire a qualified consultant to conduct a “SAR Lookback Review.” The independent consultant will review all transactions during a six-year period to determine whether activity was properly identified and reported in a SAR. The independent consultant then must deliver a detailed report to FinCEN and BitMEX that summarizes the methodology and findings of its review and identifies transactions that may require a SAR to be filed. Within 30 days of receipt of this report, BitMEX must file with FinCEN SARs regarding all of the transactions identified by the independent consultant. Similarly, BitMEX must hire a qualified independent consultant to review BitMEX’s operations, policies, procedures and controls, to confirm that BitMEX is not operating in the U.S., and that no U.S. customers are able to trade with the BitMEX platform. If there are any negative findings, BitMEX shall remediate them within 30 days.
The CFTC Consent Order
Concurrent with FinCEN’s announcement, the CFTC likewise announced that it had entered into a consent order with the five companies operating the BitMEX platform. The consent order finds that BitMEX allegedly violated the Commodity Exchange Act (“CEA”) by operating a facility to trade or process swaps, in the U.S., without being approved as a Designated Contract Market (“DCM”) or a Swap Execution Facility (“SEF”). BitMEX also allegedly violated the CEA by operating as a FCM, accepting bitcoin to margin digital asset derivative transactions and acting as a counterparty to leveraged retail commodity transactions, without CFTC registration. Further, BitMEX allegedly violated CFTC regulations by failing to implement an adequate AML program, which it was required to do under the BSA because it was a FCM.
Per the consent order, BitMEX has agreed to a permanent injunction against future violations of the CEA, including offering derivatives products in the U.S. or operating a swaps facility without first receiving approval from the CFTC. BitMEX also agreed to block all U.S. persons and unverified persons from trading on the platform, and reducing any U.S. operations to system maintenance or security with no marketing or solicitation of U.S. customers.
Pending Criminal and Civil Charges Against Individuals
Both government filings relate to a complaint filed by the CFTC last October alleging that BitMEX and BitMEX’s co-founders Arthur Hayes, Benjamin Delo and Samuel Reed offered commodity futures, options, and swaps on digital assets to individuals in the U.S. since November 2014 without registering as a FCM or DCM in violation of the CEA. Concurrent with the filing of the CFTC complaint, the U.S. Attorney’s Office for the Southern District of New York obtained an indictment of Hayes, Delo and Reed, as well as company executive Gregory Dwyer, on charges of willfully causing BitMEX to violate BSA and conspiracy to commit that same offense.
The individual defendants were not a party to the settlement agreements, and the civil complaint and criminal indictment remain pending against them. A spokesman for Hayes, Delo and Reed (but not Dwyer) addressed the CFTC’s claims and stated, “As their defense will show, from the company’s earliest days, the co-founders sought to comply with applicable law as it developed over time. The actions against Arthur, Ben, and Sam by the U.S. authorities are unfounded and represent an unwarranted overreach. The co-founders look forward to defending themselves in court.” As noted however, the FinCEN assessment requires BitMEX to cooperate with the government by providing factual information and documents relating to conduct by both the entities and individuals. Further, the government filings indicate that, not surprisingly, the government already has numerous e-mails and other documents relating to the alleged violations.