On August 8, the Office of Foreign Assets Control (“OFAC”) sanctioned “notorious” virtual currency “mixer” Tornado Cash, which allegedly has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.  Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain.  Tornado Cash receives a variety of transactions and mixes them together before transmitting them to their individual recipients.  The stated purpose of such mixing is to increase privacy, but mixers are often used by illicit actors to launder funds because the process enhances anonymity and makes it very hard to track the flow of funds.  According to the Treasury Department press release, “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risk.”  This statement seems to imply that Tornado Cash is run by actual people – an implication that is at the heart of the controversy over these sanctions, as we will discuss.

The sanctions against Tornado Cash have elicited enormous controversy in the crypto world because, some argue, (1) Tornado Cash is not an entity run by actual people, but is merely code; and (2) although OFAC has the legal authority to sanction people and entities, it lacks such authority to sanction code or a technology – or at the very least, such sanctions create many practical problems for innocent actors, including in ways which no one has foreseen fully.  As we discuss,  even a member of the U.S. House of Representatives has waded into the controversy this week, questioning the ability of OFAC to issue the sanctions and demanding answers.  The controversy also reflects that, once again, whether one chooses to focus on the word “privacy” or on the word “anonymity” typically reflects an a priori value judgment predicting one’s conclusion as to whether something in the crypto world is good or bad. 

Indisputably, the Tornado Cash sanctions are, to date, unique and unprecedented.  Although they may turn out to be an outlier experiment by OFAC, public pronouncements by the U.S. Treasury Department strongly suggest that, to the contrary, they represent part of the future of crypto regulation, in which the enormous power of the U.S. government to issue broad sanctions obliterates legal and practical hurdles which could stymie other agencies, such as the Financial Crimes Enforcement Network (FinCEN).  This may be because, ultimately, the government actually agrees that no person is in control of a powerful technology that has easy application for malicious uses, and that is precisely the problem.

Continue Reading  OFAC Sanctions Virtual Currency “Mixer” Tornado Cash and Faces Crypto Backlash

Travel Rule and Beneficiary Information Continues to Challenge Virtual Asset Service Providers

In late October, the Financial Action Task Force issued its long-awaited updated guidance on Virtual Assets and Virtual Asset Service Providers (“FATF Guidance”), an extremely lengthy and detailed document setting forth how virtual asset service providers (“VASPs”) and related virtual asset activities fall within the scope of FATF standards for anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”).  The FATF Guidance is important to VASPs worldwide, as well as the more traditional financial institutions (“FIs”) doing business with them.  Because of its great breadth, we focus here only on its comments regarding implementation of the so-called “Travel Rule” for virtual assets.  This portion of the FATF Guidance is particularly relevant to the U.S. because, as we have blogged, the Financial Crimes Enforcement Network (“FinCEN”) proposed regulations in 2020 – still pending – which would change the Travel Rule by lowering the monetary threshold for FIs from $3,000 to $250 for collecting, retaining, and transmitting information related to international funds transfers, and explicitly would make the Travel Rule apply to transfers involving convertible virtual currencies.

The FATF Guidance has additional relevance to U.S. VASPs and FIs because, this month, the U.S. President’s Working Group on Financial Markets (“PWG”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller (“OCC”) (together, “the U.S. Agencies”) issued a Report on Stablecoins (the “Report”).  Stablecoins are digital assets designed to maintain stable value as related to other reference assets, such as the U.S. Dollar.  In the Report, the U.S. Agencies delineate perceived risks associated with the increased use of stablecoins and highlight three types of concerns: risks to rules governing AML compliance, risks to market integrity, and general prudential risks.  We of course will focus here on the Report’s discussion of AML risks, particularly because it repeatedly invokes the FATF Guidance, thereby illustrating the increasing efforts by governments to seek a global and relatively coordinated approach to addressing AML/CFT concerns regarding virtual assets.
Continue Reading  Global Developments in AML and Virtual Assets:  FATF Guidance and the Travel Rule, and U.S. Pronouncements on Stablecoins

On October 6, the Department of Justice (“DOJ”) announced the creation of a National Cryptocurrency Enforcement Team (“NCET”).  The DOJ press release is set forth in part below, without further commentary, other than to observe that the NCET’s stated goals are to address issues on which we repeatedly have blogged:  crypto exchangers and their AML

Government Alleges Systemic and Deliberate AML Failures

Filings Describe Tools for CVC Exchanges to Use for Customer Due Diligence and Transaction Monitoring

The Financial Crimes Enforcement Network (“FinCEN”) and the Commodity Futures Trading Commission (“CFTC”) announced on August 10 (here and here) settlements with the operators of the BitMEX cryptocurrency trading platform for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”), and for allegedly failing to register with the CFTC.  More specifically, FinCEN’s assessment of a civil monetary penalty and the CFTC’s consent order both involved the five companies operating the BitMEX platform: HDR Global Trading Limited, 100x Holding Limited, ABS Global Trading Limited, Shine Effort Inc Limited, and HDR Global Services (Bermuda) Limited (collectively, “BitMEX”).

BitMEX will pay regulators up to a combined $100 million civil monetary penalty; perform a “lookback” regarding the potential need to file additional Suspicious Activity Reports (“SARs”); and hire an independent consultant to conduct two reviews of BitMEX’s operations, policies, procedures, and controls, in order to confirm that BitMEX is not operating in the U.S., and that no U.S. customers are able to trade with the BitMEX platform.

According to the government filings, BitMEX is one of the oldest cryptocurrency derivative exchanges, with 1.3 million user accounts and a collection of annual fees in excess of $1 billion.  Combined, the government filings allege that for a period of six years between November 2014 and October 1, 2020, BitMEX offered trading of cryptocurrency derivatives to retail and institutional customers in the U.S. and worldwide through BitMEX’s website. Customers in the U.S. placed orders to buy or sell contracts directly through the website and BitMEX was aware that U.S. customers could access the BitMEX platform via virtual private network (“VPN”).

The civil penalty will be split between FinCEN and the CFTC.  However, the settlement involves an interesting “carrot” offered by the regulators:  $20 million of the penalty is suspended pending the successful completion of the SAR lookback and the two independent consultant reviews.

According to the government’s allegations, BitMEX deliberately ignored for years the most basic AML requirements, resulting in multitudinous violations and inviting – and even encouraging – its customers to launder illicit funds.  As we will describe, the government has alleged that BitMEX operated on the announced pretext that it was not subject to the BSA or U.S. commodities laws because it had no U.S. customers or operations, when senior management knew otherwise.
Continue Reading  FinCEN and CFTC Reach Groundbreaking $100 Million AML Settlement with BitMEX

Treasury Offers Something for Everyone to Comply With: Trades and Businesses, Banks, Crypto Exchangers and Individuals

On May 21, 2021, the U.S. Department of Treasury (“Treasury”) released its American Families Plan Tax Compliance Agenda (“Agenda”), a comprehensive set of initiatives to increase tax compliance and close the “tax gap” between the amount taxpayers owe and the amount that is actually paid.  While part of the $80 billion plan calls for providing Treasury and specifically the Internal Revenue Service (“IRS”) with additional resources to combat tax evasion, the Agenda also proposes revisions to current regulations and leveraging existing infrastructure to “shed light on previously opaque income sources;” namely, cryptocurrency.  Although the sweeping Agenda obviously focuses on tax compliance, it also has related consequences for Bank Secrecy Act (“BSA”) compliance in areas where the BSA and the tax code overlap as to cryptocurrency.

The Agenda also represents the latest in a string of initiatives by the U.S. government regarding the increasing regulation of the use of cryptocurrency, whether by direct users, exchangers of cryptocurrency, or financial institutions with customers dealing in cryptocurrency.  The Agenda represents both an acknowledgement by the U.S. Treasury that cryptocurrency use has become “normalized,” coupled with a clear signal that its use will be highly scrutinized and regulated.
Continue Reading  As Treasury Eyes Crypto in Tax Compliance Agenda, Reporting Obligations May Increase – Including a Crypto “Form 8300” for Transactions over $10K

In Related Case, Federal Court Holds that Bitcoin-to-Bitcoin “Tumbler” Can Represent “Money Transmission”

On April 27, IRS CI and FBI Special Agents arrested Roman Sterlingov, a dual citizen of Russia and Sweden, for his alleged role as the founder and operator of Bitcoin Fog, a cryptocurrency “tumbler” or “mixer” aimed at concealing the source of funds. The criminal complaint and accompanying Statement of Facts, filed in the District of Columbia, allege that over the course of 10 years, Bitcoin Fog moved more than 1.2 million bitcoin, valued (at the time of the transactions) at about $335 million. According to the government’s press release, “[t]he bulk of this cryptocurrency came from darknet marketplaces and was tied to illegal narcotics, computer fraud and abuse activities, and identity theft.”

Sterlingov allegedly founded the site while promoting it under the pseudonym Akemashite Omedetou, a Japanese phrase that means “Happy New Year.” In a post on an online Bitcoin forum, Omedetou advertised that Bitcoin Fog “[mixes] up your bitcoins in our own pool with other users,” and “can eliminate any chance of finding your payments and making it impossible to prove any connection between a deposit and a withdraw inside our service.”

Ironically, Sterlingov was identified by investigators using the very same sort of tracing that Bitcoin Fog was meant to forestall. The Statement of Facts outlines in extensive detail how Sterlingov allegedly paid for Bitcoin Fog’s domain using a now-defunct digital currency; it goes on to show a series of transactions recorded to the blockchain that identifies Sterlingov’s purchase of that currency with bitcoin. Based on tracing those financial transactions, investigators were able to identify Sterlingov’s home address and phone number, together with a Google account that hosts a document that describes how to obscure bitcoin payments – that document mirrors closely the methods Sterlingov allegedly employed to purchase the Bitcoin Fog domain.

In addition to thanking various domestic law enforcement agencies, the government’s press release highlights the international nature of the investigation by also thanking Europol and Swedish and Romanian law enforcement agencies. The criminal complaint against Sterlingov is therefore another example of IRS-CI pursuing its simultaneous goals of fighting crypto-related crime and collaborating with foreign law enforcement officials in order to do so.

Notably, this is the second case brought by the Department of Justice, Criminal Division’s Computer Crime and Intellectual Property Section, targeting virtual currency mixer operations. In United States v. Harmon, a case also being prosecuted in the District of Columbia, the defendant has similarly been charged for his alleged role in operating Helix, a bitcoin mixer that sent more than $300 million in bitcoin to designated recipients.
Continue Reading  DOJ Again Charges Crypto “Mixer” Under the BSA and District of Columbia’s Money Transmitters Act

Stated Concern is that Terrorism is Funded Primarily Through Small International Transfers

Proposed Change Would Expand BSA Definition of “Money” to Include Virtual Currency

The Financial Crimes Enforcement Network (“FinCEN”) and the Federal Reserve Board (“Board”) have requested comment on an important proposed new rule that would amend the “Recordkeeping Rule” and “Travel Rule” under the Bank Secrecy Act (“BSA”) and expand them significantly. The proposed regulation would reduce the current $3,000 threshold to only $250 for international transfers, thereby substantially expanding the scope of these rules.

Even by FinCEN’s own estimates, the effect would be broad. According to FinCEN, the new regulation would affect an estimated 5,306 banks, 5,236 credit unions, and 12,692 money transmitters – including exchangers of digital assets, who arguably would be most impacted by the new regulation. Further, FinCEN estimates – likely conservatively – that compliance would require no less than 3.3 million additional hours, annually. FinCEN and the Board strongly suggest that such compliance burdens are worth the effort, given the perceived value to law enforcement in combatting terrorism, which tends to be funded by small international transfers.
Continue Reading  To Fight Terrorism, FinCEN and Federal Reserve Board Request Comment on Proposed Major Expansion of Recordkeeping and Travel Rules for International Transfers

In the past month, the Government Accountability Office (“GAO”), a non-partisan legislative agency that monitors and audits government spending and operations, has issued a series of reports urging banking regulators and certain executive branch agencies to adopt recommendations related to trade-based money laundering (“TBML”) and derisking. These reports underscore (1) the importance of TBML as a key, although still inadequately measured, component of money laundering worldwide, and (2) that the GAO remains interested in assessing how banks’ regulatory concerns may be influencing their willingness to provide services.

Taken together, the GAO’s recent activity signals that even in the face of unprecedented public health and regulatory challenges posed by COVID-19, the GAO still expects banking regulators and agencies alike to fulfill their prior commitments on other, unrelated topics.


Continue Reading  Government Accountability Office Roundup: Recent Activity on Topics Related to Trade-Based Money Laundering and Derisking

Case Sheds Light on Latest Methods to Evade Detection: “Peeling” Chains

On March 2, the U.S. government sanctioned and indicted two Chinese nationals for helping North Korea launder nearly $100 million in stolen cryptocurrency. The indictment, filed in the District of Columbia, charges the defendants with conspiring to commit money laundering transactions designed to both “promote” and “conceal” the underlying crimes of wire fraud (the theft of the cryptocurrency via hacking) and operating as an unlicensed money transmitter — the latter of which is also charged in the indictment as an additional count.

According to the related and detailed civil forfeiture complaint, these funds were only a portion of those stolen in 2018 by state-sponsored hackers for North Korea from a South Korean exchange. These actions, notable in several respects, provide a glimpse at the latest methods of laundering cryptocurrency.

Anyone attempting to launder illicit cryptocurrency faces at least two big challenges. First, due to rigid know-your-customer rules, one cannot simply deposit large amounts of funds at an exchange without raising red flags. Second, because all cryptocurrency transactions are recorded on a blockchain, they can be traced.

To clear these hurdles, the complaint alleges that North Korean hackers used “peeling chains.” In a peeling chain, a single address begins with a relatively large amount of cryptocurrency. A smaller amount is then “peeled” off this larger amount, creating a transaction in which a small amount is transferred to one address, and the remainder is transferred to a one-time change address. This process is repeated – potentially hundreds or thousands of times – until the larger amount is pared down, at which point the amount remaining in the address might be aggregated with other such addresses to again yield a large amount in a single address, and the peeling process goes on.
Continue Reading  Two Chinese Nationals Charged with Money Laundering Over $100 Million in Cryptocurrency for North Korea
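
The peeling-chain pattern described above can be recognized by following change outputs from a starting address. The sketch below is an added example, not taken from the complaint or from any tracing tool; the `Tx` model, the 20% peel ratio, the three-hop minimum and the sample transactions are assumptions constructed for illustration.

```python
from collections import namedtuple, defaultdict

# Assumed simplified model: one source address per transaction, fees ignored,
# amounts in integer base units. Outputs are (address, amount) pairs.
Tx = namedtuple("Tx", "txid src outputs")

def follow_peel_chain(txs, start, max_peel_ratio=0.2):
    """Walk change outputs from `start`; return [(txid, peel_addr, amount), ...]."""
    by_src = defaultdict(list)
    for tx in txs:
        by_src[tx.src].append(tx)
    hops, seen, addr = [], {start}, start
    while True:
        spends = by_src.get(addr, [])
        # A one-time change address spends exactly once, into exactly two outputs.
        if len(spends) != 1 or len(spends[0].outputs) != 2:
            break
        tx = spends[0]
        (peel_addr, peel_amt), (chg_addr, chg_amt) = sorted(tx.outputs, key=lambda o: o[1])
        total = peel_amt + chg_amt
        # The peel must be small relative to the remainder, and the change
        # address must be fresh (never seen earlier in this chain).
        if total <= 0 or peel_amt / total > max_peel_ratio or chg_addr in seen:
            break
        hops.append((tx.txid, peel_addr, peel_amt))
        seen.add(chg_addr)
        addr = chg_addr
    return hops

def peel_totals(hops):
    """Sum peeled amounts per receiving address (e.g. repeated exchange deposits)."""
    totals = defaultdict(int)
    for _txid, peel_addr, amount in hops:
        totals[peel_addr] += amount
    return dict(totals)

def is_peel_chain(txs, start, min_hops=3, max_peel_ratio=0.2):
    return len(follow_peel_chain(txs, start, max_peel_ratio)) >= min_hops

# Constructed sample data: a four-hop chain from A0 and one ordinary payment from B0.
SAMPLE_TXS = [
    Tx("t1", "A0", [("D1", 200), ("A1", 9800)]),
    Tx("t2", "A1", [("D2", 300), ("A2", 9500)]),
    Tx("t3", "A2", [("A3", 9350), ("D1", 150)]),
    Tx("t4", "A3", [("D3", 250), ("A4", 9100)]),
    Tx("t5", "B0", [("B1", 4000), ("B2", 6000)]),
]

if __name__ == "__main__":
    hops = follow_peel_chain(SAMPLE_TXS, "A0")
    print(len(hops), "hops;", peel_totals(hops))
```

Summing the peeled amounts per receiving address shows when many small peels land at the same destination, which is where the small deposits add back up to a large amount.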