On April 6, 2023, the U.S. Department of the Treasury released a report examining vulnerabilities in decentralized finance (“DeFi”), including potential gaps in the United States’ anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory, supervisory, and enforcement regimes for DeFi.  The report concludes by making a series of recommendations, including the closing of “gaps” in the application of the Bank Secrecy Act (“BSA”) to the extent that certain DeFi services currently fall outside the scope of the BSA’s definition of a “financial institution” covered by the BSA.  The report cautions that it does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.

Continue Reading  U.S. Treasury Releases Report and Recommendations Regarding Vulnerabilities in Decentralized Finance

The U.S. Department of Justice (“DOJ”) announced on March 15, 2023 that in a coordinated effort between U.S. Federal Bureau of Investigations, Europol, and German police, the darknet cryptocurrency mixing service ChipMixer has been shut down.  The operation involved the U.S. government’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account.  In addition, German authorities seized $46 million in cryptocurrency, as well as ChipMixer’s back-end servers used to run the site. 

Further, the U.S. Attorney’s Office for the Eastern District of Pennsylvania filed a criminal complaint against ChipMixer’s suspected founder, Vietnamese national, Minh Quoc Nguyen (“Nguyen”), alleging that Nguyen openly flouted financial regulations and instructed users how to use ChipMixer to evade reporting requirements while obscuring his true name under a series of stolen and fictitious identities. The complaint also alleges that ChipMixer, described as a popular platform for laundering illicit funds gained from unlawful activities like drug trafficking, ransomware attacks (according to Europol, ransomware actors Zeppelin, SunCrypt, Mamba, Dharma, Lockbit have used ChipMixer), and payment card fraud, was used to launder more than $3 billion in cryptocurrency since 2017.  Nguyen has been charged with money laundering, operating an unlicensed money transmitting business, and identity theft in connection with the operation of ChipMixer. 

Continue Reading  Darkweb Cryptocurrency Mixer ChipMixer Shut Down for Allegedly Laundering $3 Billion Worth of Crypto

In its first use of Section 9714(a) of the Combating Russian Money Laundering Act, the Financial Crimes Enforcement Network (“FinCEN”) issued a notice of enforcement order (the “Order”) on January 18, 2023 against the cryptocurrency exchange Bitzlato Limited (“Bitzlato”), which has operated globally and is registered in Hong Kong.  The Order was issued in conjunction with the Department of Justice’s (“DOJ”) arrest of Bitzlato’s founder, Russian national Anatoly Legkodymov.  Bitzlato has processed over four billion dollars in cryptocurrency transactions since 2018.  According to the government, a substantial portion of those transactions involved criminal proceeds.

Legkodymov, who resided in China until his arrest in the United States, has been charged initially, via complaint and warrant, with conducting an unlicensed money-transmitting business under 18 U.S.C. § 1960, although the allegations against Bitzlato appear to extend far beyond mere unlicensed money transmission. Both the Order and the lengthy affidavit in support of the complaint stress that Bitzlato openly touted its intentional lack of any sort of real anti-money laundering (“AML”) program.  For example, “Bitzlato’s website advertised for years (and as recently as March 31, 2022) that the site offered ‘Simple Registration without KYC.  Neither selfies nor passports required.  Only your email needed.’  Similarly, a blog post on Bitzlato’s website stated:  ‘On Bitzlato no KYC is required for you to trade.’”

This post will focus on FinCEN’s Order, which identifies Bitzlato as a “primary money laundering concern,” and prohibits certain money transmission involving Bitzlato by covered financial institutions.  The Order also highlights the threats posed to U.S. national security and the integrity of the U.S. financial sector by Bitzlato’s active facilitation of laundering of Russian illicit finance. However, FinCEN’s press release makes clear that Bitzlato is just one part of a larger ecosystem of Russian cybercriminals, including ransomware attackers, operating with impunity in Russia.

Continue Reading  FinCEN Issues Enforcement Order Against Crypto Exchange Bitzlato in First-Time Use of Section 9714(a)

On October 19, 2022, the U.S. Attorney’s Office for D.C., on behalf of the Financial Crimes Enforcement Network (“FinCEN”), filed a civil complaint against Larry Dean Harmon (“Harmon”), seeking $60 million in civil penalties for alleged violations of the Bank Secrecy Act (“BSA”) in connection with Harmon’s involvement in now-defunct cryptocurrency services Helix and Coin Ninja LLC.  The complaint seeks to obtain a judgment on FinCEN’s 2020 Assessment of Civil Money Penalty against Harmon (“Assessment”), which is attached to the complaint and includes a detailed statement of facts.

As we have blogged, Harmon previously pled guilty to operating an unlicensed money transmitter business.  Harmon’s sentencing hearing in the criminal case has been continued, and he reportedly has been attempting to cooperate with the government.  It appears that the civil complaint may represent something of a formality:  it seeks to reduce the assessment against Harmon to an actual civil judgment, upon which the government can collect in theory, in anticipation of Harmon’s criminal sentencing and any potential additional matters in which he may attempt to cooperate.

According to the complaint, starting in 2014, Harmon operated Helix, a bitcoin “mixing” service, which Harmon allegedly advertised explicitly as a way for customers to conceal their identities from the government.  The statement of facts attached to the Assessment alleged that Harmon “publicly advertised Helix on Reddit forums dedicated to darknet marketplaces, actively seeking out and facilitating high-risk transactions directly through customer service and feedback.”  Such “mixing” services – designed to maximize anonymity – increasingly have drawn the ire of the government, as reflected by the recent and controversial action by the Office of Foreign Assets Control to sanction virtual currency “mixer” – or passive technology – Tornado Cash.  

Continue Reading  DOJ Files Lawsuit for $60 Million in Civil Penalties for Alleged BSA Violations by Crypto “Mixer”

Actions Highlight Risky Mix of Sanctions Law, Inadequate Transaction Monitoring and Dealing with Anonymity-Enhanced Cryptocurrencies

The Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”) announced on October 11 simultaneous settlements with Bittrex, Inc. (“Bittrex”), a virtual currency exchange and hosted wallet provider. Under the OFAC settlement, Bittrex has agreed to pay $24,280,829.20 to settle its potential civil liability for 116,421 alleged violations of multiple sanctions programs. Under the FinCEN consent order, Bittrex agreed to pay a civil penalty of $29,280,829.20 for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”). FinCEN has agreed to credit Bittrex’s payment to OFAC against its penalty because it found that the alleged BSA violations “stem from some of the same underlying conduct”; thus, Bittrex’s total payments to the two regulators come to $29,280,829.20. 

According to the Department of the Treasury dual press release, the two settlements represent the first parallel enforcement actions by FinCEN and OFAC in the virtual currency and sanctions space. Also, it is OFAC’s largest virtual currency enforcement action to date. To further highlight the importance of the settlements, the press release quotes the OFAC Director Andrea Gacki and FinCEN Acting Director Himamauli Das, both sternly warning operators in the same environment as Bittrex to implement effective AML compliance and sanction screening programs.

It is conceivable that Bittrex, for years now, has been on notice that federal and state regulators are closely watching and expecting more comprehensive risk assessment programs and procedures from businesses transacting with virtual currency. As we previously blogged here, in 2019 the New York Department of Financial Services (“NYDFS”) denied Bittrex’s application for a Bitlicense, citing: “deficiencies in Bittrex’s BSA/AML/OFAC compliance program; a deficiency in meeting the Department’s capital requirement; and deficient due diligence and control over Bittrex’s token and product launches.”  In its letter denying Bittrex’s application, NYDFS set forth in detail the deficiencies it found in Bittrex’s BSA/AML/OFAC compliance program, noting that Bittrex’s compliance policies and procedures “are either non-existent or inadequate.”

As we will discuss, the FinCEN consent order highlights Bittrex’s alleged failure to address adequately the overall risk environment in which it operated, including transactions involving anonymity-enhanced cryptocurrencies, or AECs.  The consent order also highlights two repeated themes in enforcement actions: lack of adequate compliance staff, and a seemingly robust written compliance policy that was not matched by an effective day-to-day transaction monitoring system.

Continue Reading  OFAC and FinCEN Settle with Bittrex in Parallel Virtual Currency Enforcements

Indictment Focuses on “High Risk” Transactions Involving Mexico, Bulk Cash, and Zero SAR Filings

On September 13, the United States Attorney’s Office for the Eastern District of New York announced that defendant Hanan Ofer pleaded guilty to “failing to maintain an effective anti-money laundering program.”  Ofer and his co-defendant, Gyanendra Asre, were named in a March 2021 indictment (the “Indictment”) alleging they funneled “hundreds of millions of dollars from high-risk foreign jurisdictions” – primarily, Mexico – from 2014 to 2016, through “small, unsophisticated financial institutions” without implementing an anti-money laundering program as required by the Bank Secrecy Act (“BSA”).  Ofer and Asre were charged with failure to maintain an effective anti-money laundering (“AML”) program, failure to file (any) Suspicious Activity Reports (“SARs”), and the operation of an unlicensed money transmitting business.

As we discuss, it is a little difficult to draw clear lessons from the Indictment.  Although the DOJ press release emphasizes the eye-catching number of $1 billion, neither the press release nor the Indictment actually describe these transactions as “suspicious,” much less as involving specific illicit proceeds.  Rather, and as we discuss, the transactions are described merely as “high risk.” Thus, and although it is entirely possible that the government has access to evidence which it did not reference in the charges, the Indictment appears to rely heavily on a very process-oriented theory of prosecution:  the defendants failed to implement adequate processes to monitor and/or prevent transfers that were “high risk,” but not demonstrably related to illicit funds involving specific underlying criminality.

It is also important to acknowledge the Indictment’s allegations against both defendants for operating, apparently “on the side,” a separate unlicensed money transmitter business of their own.  Here, the allegations are more concretely severe:  the unlicensed money transmitter business “involved the transportation and transmission of funds that were known to the defendants to have been derived from a criminal offense or were intended to be used to promote and support unlawful activity.”  Although it is impossible to know, this charge presumably pressured in part Mr. Ofer to plead guilty to more process-oriented BSA charges involving the $1 billion in “high risk” transfers at other financial institutions.

Continue Reading  AML Compliance “Expert” Pleads Guilty to Failure to Maintain Effective AML Program for Over $1 Billion in High-Risk Transactions

Department Focuses on Transfers of Virtual Currency

On August 8, 2022, the District of Columbia Department of Insurance, Securities and Banking (the Department”) issued a Bulletin on money transmission (the “Bulletin”).  The Department issued the Bulletin to ensure that parties “engaging in or planning to engage in money transmission with Bitcoin or other virtual currency

On August 8, the Office of Foreign Assets Control (“OFAC”) sanctioned “notorious” virtual currency “mixer” Tornado Cash, which allegedly has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.  Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain.  Tornado Cash receives a variety of transactions and mixes them together before transmitting them to their individual recipients.  The stated purpose of such mixing is to increase privacy, but mixers are often used by illicit actors to launder funds because the process enhances anonymity and makes it very hard to track the flow of funds.  According to the Treasury Department press release, “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risk.”  This statement seems to imply that Tornado Cash is run by actual people – an implication that is at the heart of the controversy over these sanctions, as we will discuss.

The sanctions against Tornado Cash have elicited enormous controversy in the crypto world because, some argue, (1) Tornado Cash is not an entity run by actual people, but is merely code; and (2) although OFAC has the legal authority to sanction people and entities, it lacks such authority to sanction code or a technology – or at the very least, such sanctions create many practical problems for innocent actors, including in ways which no one has foreseen fully.  As we discuss,  even a member of the U.S. House of Representatives has waded into the controversy this week, questioning the ability of OFAC to issue the sanctions and demanding answers.  The controversy also reflects that, once again, whether one chooses to focus on the word “privacy” or on the word “anonymity” typically reflects an a priori value judgment predicting one’s conclusion as to whether something in the crypto world is good or bad. 

Indisputably, the Tornado Cash sanctions are, to date, unique and unprecedented.  Although they may turn out to be an outlier experiment by OFAC, public pronouncements by the U.S. Treasury Department strongly suggest that, to the contrary, they represent part of the future of crypto regulation, in which the enormous power of the U.S. government to issue broad sanctions obliterates legal and practical hurdles which could stymie other agencies, such as the Financial Crimes Enforcement Network (FinCEN).  This may be because, ultimately, the government actually agrees that no person is in control of a powerful technology that has easy application for malicious uses, and that is precisely the problem.

Continue Reading  OFAC Sanctions Virtual Currency “Mixer” Tornado Cash and Faces Crypto Backlash

Travel Rule and Beneficiary Information Continues to Challenge Virtual Asset Service Providers

In late October, the Financial Action Task Force issued its long-awaited updated guidance on Virtual Assets and Virtual Asset Service Providers (“FATF Guidance”), an extremely lengthy and detailed document setting forth how virtual asset service providers (“VASPs”) and related virtual asset activities fall within the scope of FATF standards for anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”).  The FATF Guidance is important to VASPs worldwide, as well as the more traditional financial institutions (“FIs”) doing business with them.  Because of its great breadth, we focus here only on its comments regarding implementation of the so-called “Travel Rule” for virtual assets.  This portion of the FATF Guidance is particularly relevant to the U.S. because, as we have blogged, the Financial Crimes Enforcement Network (“FinCEN”) proposed regulations in 2020 – still pending – which would change the Travel Rule by lowering the monetary threshold for FIs from $3,000 to $250 for collecting, retaining, and transmitting information related to international funds transfers, and explicitly would make the Travel Rule apply to transfers involving convertible virtual currencies.

The FATF Guidance has additional relevance to U.S. VASPs and FIs because, this month, the U.S. President’s Working Group on Financial Markets (“PWG”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller (“OCC”) (together, “the U.S. Agencies”) issued a Report on Stablecoins (the “Report”).  Stablecoins are digital assets designed to maintain stable value as related to other reference assets, such as the U.S. Dollar.  In the Report, the U.S. Agencies delineate perceived risks associated with the increased use of stablecoins and highlight three types of concerns: risks to rules governing AML compliance, risks to market integrity, and general prudential risks.  We of course will focus here on the Report’s discussion of AML risks, particularly because it repeatedly invokes the FATF Guidance, thereby illustrating the increasing efforts by governments to seek a global and relatively coordinated approach to addressing AML/CFT concerns regarding virtual assets.
Continue Reading  Global Developments in AML and Virtual Assets:  FATF Guidance and the Travel Rule, and U.S. Pronouncements on Stablecoins