Last week, the United States Attorney’s Office for the Southern District of New York unsealed an indictment against global cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang, for allegedly conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act (“BSA”) by willfully failing to maintain an adequate anti-money laundering (“AML”) program.  KuCoin also was charged with operating an unlicensed money transmitting business and a substantive violation of the BSA. Further, the Commodity Futures Trading Commission (the “CFTC”) filed a complaint on the same day in the United States District Court for the Southern District of New York alleging that KuCoin violated the Commodity Exchange Act (the “CEA”) and related regulations.

The indictment alleges that KuCoin failed to design and implement procedures to prevent it from being used for money laundering and terrorist financing, failed to maintain reasonable procedures for verifying the identity of customers, and failed to file any Suspicious Activity Reports.  When distilled, the indictment alleges that KuCoin had no real BSA/AML compliance program at all, because it pretended to not have any U.S. customers.  This allegation is familiar theme in similar U.S. enforcement actions, including those against Binance.

The CFTC civil complaint specifically alleges that KuCoin illegally dealt in off-exchange commodity futures transactions; solicited and accepted orders for commodity futures and swaps, and leveraged, margined, or financed retail commodity transactions without registering with the CFTC as a Futures Commission Merchant (“FCM”); failed to diligently supervise its FCM activities; operated a facility for the trading or processing of swaps without registering with the CFTC as a swap execution facility or designated contract market; and failed to implement an effective customer identification program.

Failures to Register

KuCoin is one of the largest global cryptocurrency exchange platforms. According to the indictment, it had over 30 million customers in 207 countries and its daily spot trading volume exceeded $2.8 billion. A public ranking as of December 2023 listed it as the fifth largest exchange based on traffic, liquidity, and trading volume. KuCoin solicited and accepted orders for spot trades in cryptocurrencies including Bitcoin, Ethereum, and other coins, as well as futures contracts and other derivatives products. KuCoin offered its customers up to 100 times leverage on trading on margin and derivatives products.

The allegations in the indictment and the civil complaint are fairly egregious. Both actions allege that KuCoin was a “financial institution” covered by the BSA, both as a money transmitter and as a FCM.  Allegedly, KuCoin purposefully served thousands of customers in the U.S., but never registered with the Financial Crimes Enforcement Network (“FinCEN”) or complied with the BSA even though it was operating as both a money transmitter – a kind of money services business (“MSB”) – and as a FCM with its derivatives trading platform.  Although FCMs registered with the CFTC are exempt from the BSA’s definition of a money transmitter, the government alleges that KuCoin did not register either as a FCM with the CFTC or as a MSB with FinCEN.  

No Real AML Compliance Program

According to the government, KuCoin willfully failed to establish, implement, and maintain an adequate and effective AML program, including an adequate customer verification program. KuCoin knew it had many U.S. customers, but it tried to prevent those customers from identifying themselves as U.S.-based to avoid AML and KYC requirements.  KuCoin therefore served as a vehicle for laundering the proceeds of suspicious and criminal activities including sanctions violations, ransomware, and other criminal schemes. The indictment alleges that KuCoin transmitted over $4.09 billion in suspicious and criminally-derived proceeds.

Under the BSA, a covered financial institution (“FI”) generally must establish an AML program that, at a minimum, has “policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorist activities”; independent compliance testing; ongoing training for appropriate personnel; and “risk-based procedures for conducting ongoing customer due diligence.” As part of its AML program, a FI must also implement a written KYC program that enables the FI to “form a reasonable belief that it knows the true identity of each customer.” At minimum, the FI must collect the name, date of birth, address, and government identification number of each customer prior to account opening, and must take steps to verify that information in a reasonable time. The KYC program also must include procedures for “determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency.”  KuCoin did none of these things.

Courting U.S. Customers While Pretending to Not Have Any

According to the indictment and complaint, KuCoin deliberately failed to implement a BSA-compliant AML program. Instead, KuCoin engaged in marketing activities directed at U.S. customers, and knew from IP address and login information that many of its customers were based in the U.S. Although it knew it had substantial numbers of U.S. users, KuCoin purposefully failed to register with the CFTC or FinCEN. KuCoin also allowed customers in the U.S. to register and trade without providing sufficient identifying information to allow KuCoin to have a reasonable belief it knew their identity; rather, it allowed customers to trade anonymously as long as they provided just an email address. KuCoin allegedly touted on social media that KYC was not mandatory on KuCoin – including in response to questions from U.S. customers.

KuCoin even went further in avoiding KYC and AML controls, according to the government. For example, KuCoin offered some customers an optional identity verification process that would allow them additional features such as larger daily withdrawals. However, KuCoin excluded the U.S. from the list of countries in the drop-down menu for this identification process to prevent U.S.-based customers from identifying as such.

KuCoin eventually pretended to take steps to engage in AML and KYC compliant behavior but these were woefully insufficient. Once it was notified by an investor and a financial services company that it was under a federal criminal investigation, KuCoin amended its Terms of Use to appear to adopt a KYC program. The new Terms of Use stated that users should not be residents of the U.S. KuCoin nonetheless took no steps to actually prevent existing U.S.-based users from using its platform. Then, in September 2023, KuCoin purported to block U.S. customers from its website, but even that was an alleged sham. When a U.S. IP address visited the KuCoin homepage, a pop-up would notify the individual that “[b]ased on your IP address, we currently do not provide services in your country or region due to local laws, regulations, or policies.” But although there was a pop-up, the users could still log into their accounts.

The cases against KuCoin reiterate a familiar lesson. Entities operating in the U.S. must have real BSA/AML programs.  If they do not, and if the U.S. government believes that it has facts indicating purposeful activities and customers in the U.S., enforcement actions likely will follow — particularly if the entity allegedly takes steps at subterfuge regarding its U.S. activities.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.