Know Your Customer (KYC)

Last week, the United States Attorney’s Office for the Southern District of New York unsealed an indictment against global cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang, for allegedly conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act (“BSA”) by willfully failing to maintain an adequate anti-money laundering (“AML”) program.  KuCoin also was charged with operating an unlicensed money transmitting business and a substantive violation of the BSA. Further, the Commodity Futures Trading Commission (the “CFTC”) filed a complaint on the same day in the United States District Court for the Southern District of New York alleging that KuCoin violated the Commodity Exchange Act (the “CEA”) and related regulations.

The indictment alleges that KuCoin failed to design and implement procedures to prevent it from being used for money laundering and terrorist financing, failed to maintain reasonable procedures for verifying the identity of customers, and failed to file any Suspicious Activity Reports.  When distilled, the indictment alleges that KuCoin had no real BSA/AML compliance program at all, because it pretended to not have any U.S. customers.  This allegation is familiar theme in similar U.S. enforcement actions, including those against Binance.

The CFTC civil complaint specifically alleges that KuCoin illegally dealt in off-exchange commodity futures transactions; solicited and accepted orders for commodity futures and swaps, and leveraged, margined, or financed retail commodity transactions without registering with the CFTC as a Futures Commission Merchant (“FCM”); failed to diligently supervise its FCM activities; operated a facility for the trading or processing of swaps without registering with the CFTC as a swap execution facility or designated contract market; and failed to implement an effective customer identification program.

Continue Reading  KuCoin and Founders Charged with Operating Illegally as Money Transmitter and Futures Commission Merchant

Recently, the Industrial and Commercial Bank of China Ltd. (“ICBC”) entered into two consent orders. The first consent order is with the New York State Department of Financial Services (the “NYDFS”) for alleged deficiencies in the bank’s Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) compliance screening programs over the past several examination cycles, as well as alleged violations of sharing confidential supervisory information. As we will discuss, the NYDFS consent order finds that ICBC violated New York banking law by backdating internal certifications – not themselves required by statute or regulation – and then not immediately disclosing these “false entries” to the NYDFS.

ICBC also entered into an Order to Cease and Desist (“C&D Order”) with the Board of Governors of the Federal Reserve (the “Federal Reserve”) for the alleged improper disclosure of confidential supervisory information, or CSI.  Generally, CSI is information relating to a regulatory examination or investigation, which cannot be disclosed without the agreement of the financial institution’s examining regulator – which here, of course, is the Federal Reserve.  As noted above, the NYDFS consent order also contains allegations of improper disclosure of CSI, which is also protected as confidential under New York banking law.  Ironically, the alleged disclosure of CSI was to the bank’s foreign regulator.

This is not the first time ICBC has had issues involving alleged BSA/AML deficiencies. In 2018, ICBC entered into a consent Cease and Desist Order with the Federal Reserve for similar BSA/AML deficiencies at its New York branch, about which we blogged here. Despite ICBC’s noted efforts in enhancing BSA/AML and OFAC compliance programs and promptly reporting the unauthorized disclosure of confidential supervisory information to the regulators, the bank was subjected to a $30 million civil money penalty from the NYDFS and another $2.4 million civil money penalty from the Federal Reserve.

Continue Reading  ICBC Agrees to Two Consent Orders for Alleged BSA/AML Deficiencies and Disclosure of Confidential Supervisory Information

A Huge Monetary Penalty for Sprawling Allegations – But Will Zhao Receive a Prison Sentence?

As the world now knows, Binance Holdings Limited, doing business as Binance.com (“Binance” or the “Company”), has entered into a plea agreement with the U.S. Department of Justice (“DOJ”).  

Binance is registered in the Cayman Islands and regarded as the world’s largest virtual currency exchange. It agreed to plead guilty to conspiring to willfully violating the Bank Secrecy Act (“BSA”) by failing to implement and maintain an effective anti-money laundering (“AML”) program; knowingly failing to register as a money services business (“MSB”); and willfully causing violations of U.S. economic sanctions issued pursuant to the International Emergency Economic Powers Act (“IEEPA”). Despite the plea agreement, Binance will continue to operate.

Changpeng Zhao, also known as “CZ,” also pleaded guilty to violating the BSA by failing to implement and maintain an effective AML program. Zhao is Binance’s primary founder, majority owner, and – until now – CEO. As part of his plea agreement, Zhao has stepped down as the CEO, although he apparently will keep his shares in Binance.

As part of its plea agreement, Binance has agreed to forfeit $2,510,650,588 and to pay a criminal fine of $1,805,475,575 for a total criminal penalty of $4,316,126,163. Binance also entered into related civil consent orders with the Financial Crimes Enforcement Network (“FinCEN”), the Commodity Futures Trading Commission (“CFTC”), and the Office of Foreign Assets Controls (“OFAC”). Zhao also entered into a consent order with the CFTC.

The allegations are vast and detailed, and much digital ink already has been spilled regarding this matter. Our discussion therefore will be relatively high-level. Distilled, the government alleges that Binance – under the direction of Zhao – tried to hide the fact that it operated in the U.S., purposefully avoided any meaningful AML compliance, and consequently laundered many millions of dollars’ worth of cryptocurrency involving extremely serious criminal conduct, including terrorism, child pornography, and U.S. sanctions evasion.

As for Zhao, and as we will discuss, whether he will go to prison – and if so, for how long – is an open and very interesting question. His sentencing currently is scheduled for February 23, 2024.

Continue Reading  Binance Settles Criminal and Civil AML and Sanctions Enforcement Actions for Multiple Billions – While its Founder, Owner and Former CEO Zhao Pleads Guilty to Single AML Crime

Complex Civil and Criminal Cases Converge

On August 17, 2023, Judge Robert Pitman of the federal district court for the Western District of Texas issued an Order granting summary judgment for the U.S. Treasury Department (“Treasury”) in a lawsuit brought by six individuals, and denying the cross-motion for summary judgment filed by the individuals. The lawsuit alleged that Treasury overstepped its authority by imposing sanctions on the coin mixing service Tornado Cash.  Deciding for the government, Judge Pitman determined that Tornado Cash is a “person” that may be designated by OFAC sanctions.  Specifically, the regulatory definition of “person” includes an “association,” and Tornado Cash is an “association” within its ordinary meaning.

Shortly thereafter, on August 23, 2023, the U.S. Department of Justice (“DOJ”) unsealed an indictment returned in the Southern District of New York against the alleged developers of Tornado Cash, Roman Storm (“Storm”), a naturalized citizen residing in the U.S., and Roman Semenov (“Semenov”), a Russian citizen.  The indictment charges them with conspiring to commit money laundering, operate an unlicensed money transmitting business, and commit sanctions violations involving the International Emergency Economic Powers Act, or IEEPA.  When the indictment was unsealed, Storm was arrested and then released pending trial.  Treasury simultaneously sanctioned Semenov, who remains outside of the U.S., adding him to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List.

These are very complicated cases raising complicated issues.  They are separate but obviously related.  As we will discuss, the factual and legal issues tend to blend together, and how a party characterizes an issue says a lot about their desired outcome:  has the government taken incoherent action against a technology, or has it pursued a group of people attempting to hide behind tech?

Continue Reading  All Roads Lead to Roman: Alleged Tornado Cash Co-Founders Roman Storm Arrested and Roman Semenov Sanctioned, Days After Treasury Defeats Lawsuit Challenging OFAC

The Office of Foreign Asset Control (“OFAC”) announced on June 20 that Swedbank Latvia AS (“Swedbank Latvia”), a subsidiary of Swedbank AB (“Swedbank AB”) headquartered in Riga, Latvia, agreed to pay $3,430,900 to settle its potential civil liability for 386 “apparent” violations of OFAC sanctions involving Crimea.  Specifically, Swedbank Latvia allegedly allowed a client to initiate payments from Crimea through an e-banking platform that ultimately were processed by a U.S. correspondent bank. The settlement amount reflects OFAC’s determination that Swedbank Latvia’s conduct was “non-egregious” – but not voluntarily self-disclosed.

Although unrelated to this OFAC action, Swedbank Latvia was the topic of a 2019 internal investigation report commissioned by Swedbank AB revealing that from before 2007 through 2016, Swedbank Latvia (and Swedbank Estonia) actively pursued certain high-risk customers as a business strategy.  This conduct, related to the Danske Bank scandal and its now-notorious Estonian Branch, resulted in Swedish and Estonian authorities ordering Swedbank AB in 2020 to pay a record 4 billion Swedish Krona (then, approximately $38 million) in anti-money laundering related penalties.

This OFAC enforcement action involves alleged conduct which occurred even before Russia’s 2022 unprovoked invasion of Ukraine, the ensuing host of expanded U.S. sanctions, and the recent drive by U.S. regulators and prosecutors to combat the attempted evasion of Russia sanctions and export controls.  The enforcement action reflects how OFAC can learn of potential sanctions violations through other financial institutions.  It also emphasizes, once again, some of the risks inherent in providing correspondent bank services to foreign banks, and the need for good communication between U.S. and foreign banks.  It further reflects the need for a financial institution (or any company) to integrate customer data into a sanctions compliance program, keep up to date on evolving sanctions, and pursue potential red flags of non-compliance – including in the face of customer representations of compliance.

Continue Reading  Swedbank Latvia Settles with OFAC for Apparent Crimea Sanctions Violations

On June 5, 2023, the SEC filed an extensive civil complaint against Binance Holdings Limited, its assorted affiliates and its beneficial owner and CEO, Changpeng Zhao, alleging multiple violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.  The Binance suit, as all of SEC’s enforcement efforts in the crypto space, arises from the hotly contested and frequently litigated predicate categorically asserted by the SEC that at least some cryptocurrencies are “securities” under, and therefore subject to, the federal securities laws.  The Binance case demonstrates how, from that premise, the SEC takes a utilitarian approach to the crypto industry, essentially overlaying the functions and participants in the traditional securities industry against their counterparts in crypto.

Although the Binance enforcement action obviously focuses on securities law, it is relevant to anti-money laundering concepts because the action focuses on Know-Your-Customer (“KYC”) requirements, as a predicate to discussing the securities laws.  The Binance enforcement action is similar to the enforcement action against Bitmex and other entities, which rested on the allegation that the entity attempted to pretend that it did not have U.S. customers — even though it in fact had such customers, as it allegedly well knew and despite efforts to obfuscate such U.S. contacts.  This post therefore will focus on the KYC and customer identification issues presented by the Binance complaint.

Continue Reading  SEC’s Suit Against Binance Demonstrates Scope of Its Crypto Enforcement Efforts

On June 16, 2023, Michael J. Hsu, Acting Comptroller of the Currency made remarks to the American Bankers Association (“ABA”) Risk and Compliance Conference in San Antonio, Texas. In his remarks, Hsu discussed both the benefits and risks of artificial intelligence (“AI”) and tokenization. The core of Hsu’s remarks is that, given the rapid innovation of AI and tokenization in banking, banks should closely work with regulators to manage technological risks.

Hsu’s remarks came at the right time. Five days later, and as we discuss below, Google Cloud announced the launch of an AI anti-money laundering program. Early results seem promising, but only time will tell whether Hsu’s remarks concerning AI’s risks prove prophetic.

Continue Reading  Building the Engine Alongside the Brakes: Acting Comptroller Hsu’s Remarks Discuss Impact of Artificial Intelligence and Tokenization in Banking

We are pleased to offer the latest episode in Ballard Spahr’s Consumer Finance Monitor podcast series, A Look at the Treasury Department’s April 2023 Report on Decentralized Finance or “DeFi.” 

In this episode, we follow up and expand upon our blog post regarding the U.S. Department of the Treasury’s April 6, 2023 report examining vulnerabilities

On April 13, the State of Wyoming took the extraordinary step of filing a request for permission to intervene in the ongoing dispute between Custodia Bank, Inc. (“Custodia”) and the Board of Governors of the Federal Reserve System (“the Fed”) and the Federal Reserve Bank of Kansas City.  This dispute involves a complaint (now amended) filed by Custodia – a state-chartered special purpose depository institution (“SPDI”) based in Cheyenne, Wyoming – against the Fed and the Federal Reserve Bank of Kansas City, alleging that the defendants improperly denied Custodia’s application for a “master account” with the Fed. Generalizing greatly, having a master account allows financial institutions to operate in the normal course as a custodial bank in the U.S.  Having a Fed master account is therefore critical to any institution looking to operate in the U.S. financial system.

In a nutshell, Wyoming’s request to intervene critiques the defendants because of their “view of perceived inadequacies in Wyoming’s laws and regulations for SPDIs, [which are] partially responsible” for the denial of Custodia’s master account application.  More specifically, Wyoming accuses the defendants of seeking to treat Wyoming SPDIs in an inequitable manner, thereby “treating state-chartered non-federally regulated banks as second-class banks ineligible to compete with federally-regulated ones.”

This blog post focuses on an important issue referenced seemingly in passing in Wyoming’s request for permission to intervene, which is clearly motivating in part the filing by Wyoming:  on March 24, 2023, the Fed made public its January 27, 2023  Order Denying Application for Membership (the “Order”) by Custodia, which had requested the Fed’s approval under Section 9 of the Federal Reserve Act to become a member of the Federal Reserve System.  According to Wyoming, the Fed’s decision to deny Custodia’s application has the effect of preventing Custodia and other Wyoming SPDIs from ever being able to attain the status of federal regulation.  We focus here on the Order because of its much broader anti-money laundering (“AML”) and sanctions implications for any banks which are contemplating targeted services for the digital asset industry.  The 86-page Order is very detailed, and often also discusses safety and soundness concerns, as well as other issues.

As we discuss, the Order suggests that any bank will have a hard time convincing the Fed that crypto-heavy banking services can comply with the requirements of the Bank Secrecy Act (“BSA”) and U.S. sanctions law.  Likewise, the Fed has expressed its skepticism in the Order that blockchain analytics services, even when applied skillfully and with the best of intentions, actually can satisfy the BSA and U.S. sanctions law due to limitations inherent in crypto transactions relating to knowing with confidence who is actually conducting the transactions.  This same issue was also noted by the recent report by the U.S. Treasury regarding perceived AML and sanctions vulnerabilities in decentralized finance providers.

Continue Reading  State of Wyoming Wades Into Custodia Bank Dispute with Federal Reserve — In Wake of Fed’s Rejection of Bank Due to Crypto-Related AML and OFAC Concerns

On April 6, 2023, the U.S. Department of the Treasury released a report examining vulnerabilities in decentralized finance (“DeFi”), including potential gaps in the United States’ anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory, supervisory, and enforcement regimes for DeFi.  The report concludes by making a series of recommendations, including the closing of “gaps” in the application of the Bank Secrecy Act (“BSA”) to the extent that certain DeFi services currently fall outside the scope of the BSA’s definition of a “financial institution” covered by the BSA.  The report cautions that it does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.

Continue Reading  U.S. Treasury Releases Report and Recommendations Regarding Vulnerabilities in Decentralized Finance